Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
November 28, 2011
OL-5070-30
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76spasw.pdf

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without Cisco's written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
Copyright © 2011, Cisco Systems, Inc. All rights reserved.
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide, OL-5070-30

CONTENTS

Preface  xxix
  Objectives  xxix
  Document Revision History  xxix
  Organization  xlv
  Related Documentation  xlvii
  Cisco 7600 Series Router Documentation  xlvii
  Other Cisco IOS Software Publications  xlviii
  Document Conventions  xlviii
  Obtaining Documentation, Obtaining Support, and Security Guidelines  l

Chapter 1  Using Cisco IOS Software  1-1
  Accessing the CLI Using a Router Console  1-1
  Accessing the CLI Using a Directly-Connected Console  1-1
  Accessing the CLI from a Remote Console Using Telnet  1-3
  Accessing the CLI from a Remote Console Using a Modem  1-5
  Using Keyboard Shortcuts  1-6
  Using the History Buffer to Recall Commands  1-6
  Understanding Command Modes  1-6
  Getting Help  1-8
  Finding Command Options Example  1-8
  Using the no and default Forms of Commands  1-11
  Saving Configuration Changes  1-12
  Filtering Output from the show and more Commands  1-12
  Finding Support Information for Platforms and Cisco Software Images  1-13
  Using Cisco Feature Navigator  1-13
  Using Software Advisor  1-13
  Using Software Release Notes  1-13

Chapter 2  SIP, SSC, and SPA Product Overview  2-1
  Introduction to SIPs, SSCs, and SPAs  2-1
  SPA Interface Processors  2-1
  SPA Services Cards  2-2
  Shared Port Adapters  2-2
  SIP, SSC, and SPA Compatibility  2-4
  Modular Optics Compatibility  2-6

Chapter 3  Overview of the SIPs and SSC  3-1
  Release History  3-1
  Supported SIP Features  3-5
  Cisco 7600 SIP-200 Features  3-5
  Cisco 7600 SIP-400 Features  3-11
  Cisco 7600 SIP-600 Features  3-16
  Supported SSC Features  3-19
  Cisco 7600 SSC-400 Features  3-19
  Restrictions  3-19
  Cisco 7600 SIP-200 Restrictions  3-19
  Cisco 7600 SIP-400 Restrictions  3-20
  Cisco 7600 SIP-600 Restrictions  3-23
  Cisco 7600 SSC-400 Restrictions  3-24
  Supported MIBs  3-24
  Displaying the SIP and SSC Hardware Type  3-26
  Example of the show module Command  3-26
  Example of the show idprom Command  3-26
  SIP-200 and SIP-400 Network Clock Distribution  3-27

Chapter 4  Configuring the SIPs and SSC  4-1
  Configuration Tasks  4-1
  Required Configuration Tasks  4-2
  Identifying Slots and Subslots for SIPs, SSCs, and SPAs  4-2
  Configuring Compressed Real-Time Protocol  4-5
  Configuring Frame Relay Features  4-7
  Frame Relay Fragmentation (FRF.12)  4-22
  Configuring Layer 2 Interworking Features on a SIP  4-32
  Verification  4-44
  Configuring Private Hosts over Virtual Private LAN Service (VPLS)  4-54
  Configuring BFD over VCCV on SIP-400  4-75
  Configuring MPLS Features on a SIP  4-79
  Configuring QoS Features on a SIP  4-94
  Configuring NAT  4-129
  Configuring Lawful Intercept on a Cisco 7600 SIP-400  4-129
  Configuring Security ACLs on an Access Interface on a Cisco 7600 SIP-400  4-131
  Configuring CoPP on the Cisco 7600 SIP-400  4-132
  Configuring DBUS COS Queuing on SIP-400  4-138
  Configuring IPv6 Hop-by-Hop Header Security on SIP-200 or SIP-400  4-142
  Triple Nesting QoS Support on SIP-400  4-147
  Configuration and Restrictions  4-150
  Configuration Procedure  4-150
  Configuration Samples  4-151
  Configuring IGMP Snooping on a SIP-200  4-153
  Configuring ACFC and PFC Support on Multilink Interfaces  4-154
  Configuring PPPoEoE on a Cisco 7600 SIP-400  4-159
  Configuring Source IPv4 and Source MAC Address Binding on the SIP-400  4-164
  Resetting a SIP  4-170
  Configuration Examples  4-170
  Layer 2 Interworking Configuration Examples  4-170
  MPLS Configuration Examples  4-172
  QoS Configuration Examples  4-173
  Private Hosts SVI (Interface VLAN) Configuration Example  4-178
  Troubleshooting  4-179

Chapter 5  Troubleshooting the SIPs and SSC  5-1
  General Troubleshooting Information  5-1
  Interpreting Console Error Messages  5-1
  Using debug Commands  5-2
  Using show Commands  5-2
  Using the Cisco IOS Event Tracer to Troubleshoot Problems  5-2
  Troubleshooting Oversubscription on the Cisco 7600 SIP-400  5-3
  Preparing for Online Insertion and Removal of SIPs, SSCs, and SPAs  5-3
  Preparing for Online Removal of a SIP or SSC  5-4
  Verifying Deactivation and Activation of a SIP or SSC  5-5
  Preparing for Online Removal of a SPA  5-6
  Verifying Deactivation and Activation of a SPA  5-7
  Deactivation and Activation Configuration Examples  5-8

Chapter 6  Overview of the ATM SPAs  6-1
  Release History  6-2
  Overview  6-3
  ATM Overview  6-4
  PVC and SVC Encapsulations  6-4
  PVC and SVC Service Classes  6-5
  Advanced Quality of Service  6-6
  Supported Features  6-7
  SIP-Dependent Features  6-7
  Basic Features  6-8
  SONET/SDH Error, Alarm, and Performance Monitoring  6-9
  Layer 2 Features  6-10
  Layer 3 Features  6-11
  High-Availability Features  6-12
  Enhancements to RFC 1483 Spanning Tree Interoperability  6-12
  Supported Supervisor Engines and Line Cards  6-13
  Interoperability Problem  6-13
  BPDU Packet Formats  6-13
  Unsupported Features  6-15
  Prerequisites  6-16
  Restrictions  6-16
  Restrictions for SPA-1xOC3-ATM-V2, SPA-3xOC3-ATM-V2, and SPA-1xOC12-ATM-V2  6-17
  Supported MIBs  6-17
  SPA Architecture  6-18
  Path of Cells in the Ingress Direction  6-19
  Path of Packets in the Egress Direction  6-19
  Displaying the SPA Hardware Type  6-20
  Example of the show interfaces Command  6-20
  Example of the show diag Command  6-21
  Example of the show controllers Command  6-21

Chapter 7  Configuring the ATM SPAs  7-1
  Configuration Tasks  7-1
  Required Configuration Tasks  7-2
  Specifying the Interface Address on a SPA  7-3
  Modifying the Interface MTU Size  7-3
  Creating a Permanent Virtual Circuit  7-8
  Creating a PVC on a Point-to-Point Subinterface  7-10
  Configuring a PVC on a Multipoint Subinterface  7-12
  Configuring RFC 1483 Bridging for PVCs  7-14
  Configuring Layer 2 Protocol Tunneling Topology  7-17
  Configuring Layer 2 Tunneling Protocol Version 3 (L2TPv3)  7-17
  Configuring RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling  7-18
  Configuring ATM RFC 1483 Half-Bridging  7-20
  Configuring ATM Routed Bridge Encapsulation  7-23
  Configuring RFC 1483 Bridging of Routed Encapsulations  7-25
  Configuring the Bridged Routed Encapsulation within an Automatic Protection Switching Group  7-28
  Configuring MPLS over RBE  7-29
  Configuring Aggregate WRED for PVCs  7-30
  Configuring Non-aggregate WRED  7-36
  Creating and Configuring Switched Virtual Circuits  7-42
  Configuring Traffic Parameters for PVCs or SVCs  7-46
  Configuring Virtual Circuit Classes  7-50
  Configuring Virtual Circuit Bundles  7-51
  Configuring Multi-VLAN to VC Support  7-54
  Configuring Link Fragmentation and Interleaving with Virtual Templates  7-54
  Configuring the Distributed Compressed Real-Time Protocol  7-58
  Configuring Automatic Protection Switching  7-60
  Configuring Access Circuit Redundancy on SIP-400 ATM SPAs  7-65
  Configuring SONET and SDH Framing  7-76
  Configuring for Transmit-Only Mode  7-78
  Configuring AToM Cell Relay VP Mode  7-79
  Configuring Packed Cell Relay over Multi-Protocol Label Switching (PCRoMPLS) on SIP-400 for CEoP and 1-Port OC-48c/STM-16 ATM SPA  7-80
  Configuring AToM Cell Relay Port Mode  7-85
  Configuring QoS Features on ATM SPAs  7-87
  Phase 2 Local Switching Redundancy  7-87
  Saving the Configuration  7-88
  Multi Router Automatic Protection Switching (MR-APS) Integration with Hot Standby Pseudowire  7-89
  Failover Operations  7-90
  Restrictions  7-91
  Verification  7-98
  N:1 PVC Mapping to Pseudowires with Non-Unique VPI  7-101
  Examples  7-104
  Verification  7-105
  Shutting Down and Restarting an Interface on a SPA  7-105
  Shutting Down an ATM Shared Port Adapter  7-107
  Verifying the Interface Configuration  7-108
  Verifying Per-Port Interface Status  7-109
  Monitoring Per-Port Interface Statistics  7-110
  Configuration Examples  7-111
  Basic Interface Configuration Example  7-112
  MTU Configuration Example  7-112
  Permanent Virtual Circuit Configuration Example  7-112
  PVC on a Point-to-Point Subinterface Configuration Example  7-113
  PVC on a Multipoint Subinterface Configuration Example  7-114
  RFC 1483 Bridging for PVCs Configuration Example  7-115
  RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Example  7-116
  ATM RFC 1483 Half-Bridging Configuration Example  7-116
  ATM Routed Bridge Encapsulation Configuration Example  7-116
  Precedence-Based Aggregate WRED Configuration Example  7-116
  DSCP-Based Aggregate WRED Configuration Example  7-118
  Switched Virtual Circuits Configuration Example  7-118
  Traffic Parameters for PVCs or SVCs Configuration Example  7-119
  Virtual Circuit Classes Configuration Example  7-120
  Virtual Circuit Bundles Configuration Example  7-120
  Link Fragmentation and Interleaving with Virtual Templates Configuration Example  7-121
  Distributed Compressed Real-Time Protocol Configuration Example  7-122
  Automatic Protection Switching Configuration Example  7-123
  SONET and SDH Framing Configuration Example  7-123
  Layer 2 Protocol Tunneling Topology with a Cisco 7600, Catalyst 5500, and Catalyst 6500 Configuration Example  7-124
  Layer 2 Protocol Tunneling Topology with a Cisco 7600 and Cisco 7200 Configuration Example  7-125
  Cisco 7600 Basic Back-to-Back Scenario Configuration Example  7-126
  Catalyst 5500 Switch and Cisco 7600 Series Routers in Back-to-Back Topology Configuration Example  7-126
  Cisco 7600 and Cisco 7200 in Back-to-Back Topology Configuration Example  7-127

Chapter 8  Troubleshooting the ATM SPAs  8-1
  General Troubleshooting Information  8-1
  Interpreting Console Error and System Messages  8-1
  Using debug Commands  8-2
  Using show Commands  8-2
  Monitoring the ATM SPA  8-2
  Displaying Hardware Information  8-2
  Displaying Information About ATM Interfaces  8-5
  Displaying Information About PVCs and SVCs  8-7
  Displaying Information About Automatic Protection Switching  8-13
  Troubleshooting the ATM Shared Port Adapter  8-15
  Understanding Line Coding Errors  8-16
  Using the Ping Command to Verify Network Connectivity  8-16
  Using Loopback Commands  8-17
  Using ATM Debug Commands  8-26
  Using the Cisco IOS Event Tracer to Troubleshoot Problems  8-26
  Preparing for Online Insertion and Removal of a SPA  8-27

Chapter 9  Overview of the CEoP and Channelized ATM SPAs  9-1
  Release History  9-1
  Overview  9-2
  CEoP Frame Formats  9-2
  Circuit Emulation Services over Packet Switched Network (CESoPSN) over UDP  9-4
  Restrictions and Usage Guidelines  9-5
  Configuring CESoPSN with UDP Encapsulation  9-5
  Troubleshooting the CESoPSN with UDP Encapsulation Configuration  9-8
  Supported Features  9-9
  Basic Features  9-9
  SONET/SDH Error, Alarm, and Performance Monitoring  9-11
  Layer 2 Features  9-13
  Layer 3 Features  9-14
  High Availability Features  9-15
  Unsupported Features  9-15
  Prerequisites  9-15
  Restrictions  9-16
  Supported MIBs  9-16
  Displaying the SPA Hardware Type  9-17
  Example of the show interfaces cem Command  9-17

Chapter 10  Configuring the CEoP and Channelized ATM SPAs  10-1
  Configuration Tasks  10-2
  Specifying the Interface Address on a SPA  10-2
  Configuring Port Usage (Overview)  10-2
  Configuring Circuit Emulation  10-13
  Configuring a CEM Group  10-14
  Configuring a CEM Class (Optional)  10-15
  Configuring a CEM Pseudowire  10-17
  Configuring TDM Local Switching  10-18
  Local Switching Redundancy  10-19
  Configuring ATM  10-20
  Configuring VC QoS on VP-PW CEoP SPAs  10-21
  Configuring an ATM Pseudowire  10-22
  Configuring Pseudowire Redundancy (Optional)  10-23
  Configuring T1  10-24
  Configuring E1  10-24
  Configuring T3  10-25
  T3 Configuration Guidelines  10-25
  Configuring Port Usage  10-25
  Configuring the SPA for Clear-Channel ATM  10-27
  Configuring SONET (OC-3)  10-28
  Configuring Inverse Multiplexing over ATM  10-29
  IMA Configuration Guidelines  10-30
  Configuring an IMA Link Bundle  10-33
  Configuring IMA Group Parameters  10-34
  Verifying the IMA Configuration  10-36
  Configuring Clocking  10-37
  BITS Clock Support: Receive and Distribute, CEoP SPA on SIP-400  10-37
  Configuring Clock Recovery  10-40
  Verifying Clock Recovery  10-41
  Configuring Out-of-Band Clocking  10-42
  Configuring CEM Parameters  10-50
  Configuring Payload Size (Optional)  10-50
  Setting the Dejitter Buffer Size  10-51
  Setting the Idle Pattern (Optional)  10-51
  Enabling Dummy Mode  10-51
  Setting the Dummy Pattern  10-51
  Shutting Down a CEM Channel  10-51
  Configuring Access Circuit Redundancy on CEoP and ATM SPAs  10-51
  Restrictions and Usage Guidelines  10-51
  Configuring the ACR Group  10-52
  Show Commands  10-56
  Troubleshooting the ACR Configuration  10-56
  Configuring Layer 3 QoS on CEoP SPAs  10-57
  Configuring AIS and RAI Alarm Forwarding in CESoPSN Mode on CEoP SPAs  10-61
  Configuring SONET Mode  10-62
  Configuring SDH AU-4 Mode  10-62
  Configuring SDH AU-3 Mode  10-63
  Configuring T1 Mode  10-63
  Configuring E1 Mode  10-63
  Configuration Restrictions  10-64
  MR-APS Integration with Hot Standby Pseudowire  10-64
  Failover Operations  10-65
  Restrictions  10-66
  Configuring MR-APS Integration with Hot Standby Pseudowire  10-67
  Verification  10-81
  Troubleshooting Tips  10-82
  Verifying the Interface Configuration  10-82

Chapter 11  Overview of the Ethernet SPAs  11-1
  Release History  11-1
  Supported Ethernet SPA  11-2
  2-Port Gigabit Synchronous Ethernet SPA  11-2
  Supported Features  11-3
  1588V2 Overview  11-4
  Time of Day (TOD)  11-6
  Precision Time Protocol (PTP)  11-8
  Synchronous Ethernet  11-16
  SSM and ESMC  11-18
  Restrictions  11-19
  Supported MIBs  11-20
  SPA Architecture  11-21
  Path of a Packet in the Ingress Direction  11-21
  Path of a Packet in the Egress Direction  11-21
  Displaying the SPA Hardware Type  11-22
  Example of the show hw-module subslot transceiver Command  11-22
  Example of the show interfaces Command  11-22

Chapter 12  Configuring the Fast Ethernet and Gigabit Ethernet SPAs  12-1
  Configuration Tasks  12-1
  Required Configuration Tasks  12-2
  Specifying the Interface Address on a SPA  12-4
  Modifying the MAC Address on the Interface  12-5
  Configuring HSRP  12-6
  Customizing VRRP  12-6
  Modifying the Interface MTU Size  12-9
  Configuring the Encapsulation Type  12-11
  Configuring Autonegotiation on an Interface  12-11
  Configuring an Ethernet VLAN  12-13
  Configuring a Subinterface on a VLAN  12-13
  Configuring Layer 2 Switching Features  12-15
  Configuring Flow Control Support on the Link  12-21
  Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Mode  12-23
  Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Neg Mode  12-24
  Configuring 2-Port Gigabit Synchronous Ethernet SPA in Multicast Mode  12-25
  Configuring ToD on 1588V2 Master  12-26
  Configuring ToD on 1588V2 Slave  12-27
  Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400  12-29
  Configuring Network Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400  12-29
  Configuring EtherChannels  12-46
  Configuring Virtual Private LAN Service (VPLS) and Hierarchical VPLS  12-46
  Configuring Connectivity Fault Management (CFM)  12-46
  Configuring Maintenance Domains and Maintenance Points  12-49
  Configuring CFM in the EVC  12-51
  Sample Configuration  12-53
  Verifying Ethernet CFM Configuration  12-55
  Debugging the Ethernet CFM Configuration  12-56
  Configuring Ethernet Operations, Administration, and Maintenance  12-60
  Configuring IP Subscriber Awareness over Ethernet  12-78
  Configuring a Backup Interface for Flexible UNI  12-79
  Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA  12-85
  Troubleshooting  12-92
  Configuring MultiPoint Bridging over Ethernet on the 1-Port 10-Gigabit Ethernet SPA  12-93
  Configuring QoS on Ethernet SPAs  12-99
  Saving the Configuration  12-103
  Shutting Down and Restarting an Interface on a SPA  12-103
  Verifying the Interface Configuration  12-104
  Configuration Examples  12-105
  Basic Interface Configuration Example  12-105
  MAC Address Configuration Example  12-105
  MAC Address Accounting Configuration Example  12-106
  HSRP Configuration Example  12-106
  MTU Configuration Example  12-108
  VLAN Configuration Example  12-108
  AToM over GRE Configuration Example  12-109
  mVPNoGRE Configuration Examples  12-110
  EoMPLS Configuration Example  12-111
  Backup Interface for Flexible UNI Configuration Example  12-111
  Changing the Speed of a Fast Ethernet SPA Configuration Example  12-114
  Ethernet OAM Configuration Example  12-116

Chapter 13  Troubleshooting the Fast Ethernet and Gigabit Ethernet SPAs  13-1
  General Troubleshooting Information  13-1
  Using debug Commands  13-1
  Using show Commands  13-2
  Performing Basic Interface Troubleshooting  13-2
  Verifying the Interface Is Up  13-5
  Verifying the Line Protocol Is Up  13-6
  Verifying Output Hang Status  13-6
  Verifying the CRC Counter  13-6
  Verifying Late Collisions  13-6
  Verifying the Carrier Signal  13-7
  Understanding SPA Automatic Recovery  13-7
  When Automatic Recovery Occurs  13-7
  If Automatic Recovery Fails  13-7
  Configuring the Interface for Internal and External Loopback  13-8
  Configuring the Interface for Internal Loopback  13-8
  Configuring the Interface for External Loopback  13-8
  Verifying Loopback Status  13-8
  Using the Cisco IOS Event Tracer to Troubleshoot Problems  13-9
  Preparing for Online Insertion and Removal of a SPA  13-10

Chapter 14  Overview of the POS SPAs  14-1
  Release History  14-1
  POS Technology Overview  14-2
  Supported Features  14-2
  SONET/SDH Compliance Features  14-3
  SONET/SDH Error, Alarm, and Performance Monitoring Features  14-3
  SONET/SDH Synchronization Features  14-4
  WAN Protocol Features  14-4
  Network Management Features  14-5
  Restrictions  14-5
  Supported MIBs  14-6
  SPA Architecture  14-7
  4-Port OC-3c/STM-1 POS SPA Architecture  14-7
  1-Port OC-192c/STM-64 POS/RPR XFP SPA Architecture  14-8
  2-Port OC-48c/STM-16 POS SPA Architecture  14-9
  Displaying the SPA Hardware Type  14-10
  Example of the show idprom Command  14-11
  Example of the show interfaces Command  14-12
  Example of the show controllers Command  14-12

Chapter 15  Configuring the POS SPAs  15-1
  Configuration Tasks  15-1
  Specifying the Interface Address on a SPA  15-2
  Modifying the Interface MTU Size  15-2
  Modifying the POS Framing  15-3
  Modifying the Keepalive Interval  15-5
  Modifying the CRC Size  15-6
  Modifying the Clock Source  15-6
  Modifying SONET Payload Scrambling  15-8
  Configuring the Encapsulation Type  15-8
  Configuring APS  15-9
  Configuring POS Alarm Trigger Delays  15-10
  Configuring SDCC  15-13
  Saving the Configuration  15-14
  Shutting Down and Restarting an Interface on a SPA  15-15
  Verifying the Interface Configuration  15-15
  Verifying Per-Port Interface Status  15-15
  Monitoring Per-Port Interface Statistics  15-16
  Configuration Examples  15-16
  Basic Interface Configuration Example  15-17
  MTU Configuration Example  15-17
  POS Framing Configuration Example  15-18
  Keepalive Configuration Example  15-18
  CRC Configuration Example  15-18
  Clock Source Configuration Example  15-19
  SONET Payload Scrambling Configuration Example  15-19
  Encapsulation Configuration Example  15-19
  APS Configuration Example  15-19
  POS Alarm Trigger Delays Configuration Example  15-21
  SDCC Configuration Example  15-21

Chapter 16  Overview of the Serial SPAs  16-1
  Release History  16-1
  Supported Features  16-2
  Restrictions  16-2
  SPA Features  16-3
  Supported MIBs  16-6
  Displaying the SPA Hardware Type  16-8
  Virtual Tributary Alarms  16-8
  Examples of the show interface Command  16-9
  Examples of the show controllers Command  16-10

Chapter 17  Configuring the 8-Port Channelized T1/E1 SPA  17-1
  Configuration Tasks  17-1
  Required Configuration Tasks  17-1
  Specifying the Interface Address on a SPA  17-6
  Optional Configurations  17-6
  Saving the Configuration  17-20
  Verifying the Interface Configuration  17-20
  Verifying Per-Port Interface Status  17-21
  Configuration Examples  17-21
  Framing and Encapsulation Configuration Example  17-21
  CRC Configuration Example  17-22
  Facility Data Link Configuration Example  17-22
  MLPPP Configuration Example  17-23
  MFR Configuration Example  17-23
  Invert Data on the T1/E1 Interface Example  17-24

Chapter 18  Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs  18-1
  Configuration Tasks  18-1
  Required Configuration Tasks  18-2
  Specifying the Interface Address on a SPA  18-5
  Optional Configurations  18-5
  Verifying the Interface Configuration  18-17
  Verifying Per-Port Interface Status  18-18
  Monitoring Per-Port Interface Statistics  18-18
  Configuration Examples  18-19
  DSU Configuration Example  18-19
  MDL Configuration Example  18-20
  Scrambling Configuration Example  18-20
  Framing Configuration Example  18-20
  Encapsulation Configuration Example  18-21
  Cable Length Configuration Example  18-21
  Invert Data Configuration Example  18-21
  Trace Trail Buffer Configuration Example  18-21

Chapter 19  Configuring the 2-Port and 4-Port Channelized T3 SPAs  19-1
  Configuration Tasks  19-1
  Required Configuration Tasks  19-2
  Specifying the Interface Address on a SPA  19-7
  Optional Configurations  19-8
  Saving the Configuration  19-25
  Verifying the Interface Configuration  19-25
  Verifying Per-Port Interface Status  19-26
  Configuration Examples  19-28
  DSU Configuration Example  19-28
  MDL Configuration Example  19-28
  Encapsulation Configuration Example  19-29
  Framing (Unchannelized Mode) Configuration Example  19-29
  Facility Data Link Configuration Example  19-29
  Scrambling Configuration Example  19-29
  Creating a Multilink Bundle Configuration Example  19-30
  Assigning a T1 Interface to a Multilink Bundle Configuration Example  19-30

Chapter 20  Configuring 1-Port ChOC-3/STM-1 and ChOC-12/STM-4 SPAs  20-1
  Configuration Tasks  20-1
  Required Configuration Tasks  20-2
  Selection of Physical Port and Controller Configuration  20-2
  Optional Configurations  20-15
  Saving the Configuration  20-26
  Verifying the Interface Configuration  20-26
  Verifying Per-Port Interface Status  20-26
  Configuration Tasks  20-27
  Configuring CRTP  20-27
  Stateful MLPPP MR-APS  20-27
  MR-APS Deployment  20-28
  Inter Chassis Redundancy Manager  20-28
  Automatic Protection Switching  20-29
  Failure Protection Scenarios  20-29
  Restrictions for Stateful MLPPP with MR-APS Inter-Chassis Redundancy  20-33
  Configuring Stateful MLPPP with MR-APS Inter-Chassis Redundancy  20-33
  Removing Stateful MLPPP with MR-APS Inter-Chassis Redundancy  20-53
  Verification  20-56
  Troubleshooting Tips  20-59

Chapter 21  Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA  21-1
  Modes and Sub-modes Supported on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA  21-1
  Interface Naming  21-2
  LED States  21-2
  Restrictions for Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA  21-3
  Configuring Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA  21-3
  Configuring Interfaces Using SONET Framing  21-3
  Configuring Interfaces with SDH Framing  21-7
  Configuring BER Testing  21-17
  Sending a BERT Pattern on a DS3/E3 Interface  21-18
  Inserting Errors in BERT  21-18
  Displaying a BERT  21-18
  Terminating a BERT  21-20
  Verification  21-20

Chapter 22  Configuring the 4-Port Serial Interface SPA  22-1
  Configuration Tasks  22-1
  Configuring the 4-Port Serial Interface SPA  22-1
  Specifying the Interface Address on a SPA  22-2
  Verifying the Configuration  22-3
  Optional Configurations  22-9
  Saving the Configuration  22-22
  Verifying the Interface Configuration  22-22
  Verifying Per-Port Interface Status  22-22
  Configuration Examples  22-23
  Inverting the Clock Signal Configuration Example  22-23
  NRZI Format Configuration Example  22-23
  Cyclic Redundancy Checks Configuration Example  22-24
  Encapsulation Configuration Example  22-24
  Distributed Multilink PPP Configuration Example  22-24
  MLFR Configuration Example  22-24
  Bridging Control Protocol Support Configuration Example  22-24
  BCP on MLPPP Configuration Example  22-25

Chapter 23  Troubleshooting the Serial SPAs  23-1
  General Troubleshooting Information  23-1
  Interpreting Console Error Messages  23-1
  Using debug Commands  23-2
  Using show Commands  23-2
  Performing Basic Interface Troubleshooting  23-2
  Serial Lines: show interfaces serial Status Line Conditions  23-3
  Serial Lines: Increasing Output Drops on Serial Link  23-7
  Serial Lines: Increasing Input Drops on Serial Link  23-8
  Serial Lines: Increasing Input Errors in Excess of 1 Percent of Total Interface Traffic  23-9
  Serial Lines: Troubleshooting Serial Line Input Errors  23-9
  Serial Lines: Increasing Interface Resets on Serial Link  23-12
  Serial Lines: Increasing Carrier Transitions Count on Serial Link  23-13
  Using Bit Error Rate Tests  23-14
  Configuring a BER Test  23-15
  Viewing a BER Test  23-15
  Interpreting BER Test Results  23-15
  Using loopback Commands  23-16
  Using the Cisco IOS Event Tracer to Troubleshoot Problems  23-18
  Preparing for Online Insertion and Removal of a SPA  23-18

Chapter 24  Overview of the IPSec VPN SPA  24-1
  Release History  24-1
  Overview of the IPSec VPN SPAs  24-4
  Overview of Basic IPSec and IKE Configuration Concepts  24-5
  Information About IPSec Configuration  24-5
  Information About IKE Configuration  24-6
  Configuring VPNs with the IPSec VPN SPAs  24-7
  Crypto-Connect Mode  24-7
  VRF Mode  24-8
  IPSec Feature Support  24-8
  IPSec Features Common To All VPN Modes  24-9
  IPSec Features in Crypto-Connect Mode  24-17
  IPSec Features in VRF Mode  24-18
  Interoperability for SPA-IPSEC-2G IPSEC VPN SPA  24-20
  Restrictions  24-23
  Supported MIBs  24-24
  IPSec VPN SPA Hardware Configuration Guidelines  24-25
  Displaying the SPA Hardware Type  24-25
  Example of the show module Command  24-26
  Example of the show crypto eli Command  24-26

Chapter 25  Configuring VPNs in Crypto-Connect Mode  25-1
  Configuring Ports in Crypto-Connect Mode  25-2
  Understanding Port Types in Crypto-Connect Mode  25-2
  Crypto-Connect Mode Configuration Guidelines and Restrictions  25-5
  Configuring the IPSec VPN SPA Inside Port and Outside Port  25-7
  Configuring an Access Port  25-8
  Configuring a Routed Port  25-11
  Configuring a Trunk Port  25-15
  Configuring IPSec VPN SPA Connections to WAN Interfaces  25-20
  Displaying the VPN Running State  25-21
  Configuring GRE Tunneling in Crypto-Connect Mode  25-21
  Understanding GRE Tunneling in Crypto-Connect Mode  25-21
  Configuring the GRE Takeover Criteria  25-23
  Configuring IP Multicast over a GRE Tunnel  25-26
  Configuration Examples  25-28
  Access Port in Crypto-Connect Mode Configuration Example  25-29
  Routed Port in Crypto-Connect Mode Configuration Example  25-31
  Trunk Port in Crypto-Connect Mode Configuration Example  25-34
  IPSec VPN SPA Connections to WAN Interfaces Configuration Examples  25-36
  GRE Tunneling in Crypto-Connect Mode Configuration Example  25-40
  GRE Takeover Criteria Configuration Examples  25-42
  IP Multicast over a GRE Tunnel Configuration Example  25-43

Chapter 26  Configuring VPNs in VRF Mode  26-1
  Configuring VPNs in VRF Mode  26-1
  Understanding VPN Configuration in VRF Mode  26-3
  VRF Mode Configuration Guidelines and Restrictions  26-4
  Configuring VPNs in VRF Mode without Tunnel Protection  26-6
  Configuring VPNs in VRF Mode with Tunnel Protection (GRE)  26-11
  Configuring an IPSec Virtual Tunnel Interface  26-16
  IPSec Virtual Tunnel Interface Configuration Guidelines and Restrictions  26-16
  Configuring an IPSec Static Tunnel  26-17
  Verifying the IPSec Virtual Tunnel Interface Configuration  26-20
  Configuring VTI in the Global Context  26-21
  Configuration Examples  26-21
  VRF Mode Basic Configuration Example  26-22
  VRF Mode Remote Access Using Easy VPN Configuration Example  26-25
  VRF Mode PE Configuration Example  26-27
  VRF Mode CE Configuration Example  26-30
  VRF Mode Tunnel Protection Configuration Example  26-32
  IP Multicast in VRF Mode Configuration Example  26-33
  IPSec Virtual Tunnel Interfaces Configuration Examples  26-35

Chapter 27  Configuring IPSec VPN Fragmentation and MTU  27-1
  Understanding IPSec VPN Fragmentation and MTU  27-1
  Overview of Fragmentation and MTU  27-1
  IPSec Prefragmentation  27-3
  Fragmentation in Different Modes  27-3
  Configuring IPSec Prefragmentation  27-9
  IPSec Prefragmentation Configuration Guidelines  27-9
  Configuring IPSec Prefragmentation Globally  27-10
  Configuring IPSec Prefragmentation at the Interface  27-11
  Verifying the IPSec Prefragmentation Configuration  27-11
  Configuring MTU Settings  27-12
  MTU Settings Configuration Guidelines and Restrictions  27-12
  Changing the Physical Egress Interface MTU  27-13
  Changing the Tunnel Interface MTU  27-13
  Changing the Interface VLAN MTU  27-13
  Verifying the MTU Size  27-13

Chapter 28  Configuring IKE Features Using the IPSec VPN SPA  28-1
  Overview of IKE  28-2
  Configuring Advanced Encryption Standard in an IKE Policy Map  28-2
  Verifying the AES IKE Policy  28-3
  Configuring ISAKMP Keyrings  28-4
  ISAKMP Keyrings Configuration Guidelines and Restrictions  28-4
  Limiting an ISAKMP Profile to a Local Termination Address or Interface  28-4
  Limiting a Keyring to a Local Termination Address or Interface  28-5
  Configuring Certificate to ISAKMP Profile Mapping  28-6
  Certificate to ISAKMP Profile Mapping Configuration Guidelines and Restrictions  28-6
  Mapping the Certificate to the ISAKMP Profile  28-6
  Verifying the Certificate to ISAKMP Profile Mapping Configuration  28-6
  Assigning the Group Name to the Peer  28-12
  Verifying the Group Name to Peer Assignation Configuration  28-12
  Configuring an Encrypted Preshared Key  28-13
  Encrypted Preshared Key Configuration Guidelines and Restrictions  28-13
  Configuring an Encrypted Preshared Key  28-14
  Verifying the Encrypted Preshared Key Configuration  28-14
  Configuring Call Admission Control for IKE  28-15
  Configuring the IKE Security Association Limit  28-16
  Configuring a System Resource Limit  28-16
  Clearing Call Admission Statistics  28-16
  Verifying the Call Admission Control for IKE Configuration  28-17
  Configuring Dead Peer Detection  28-17
  DPD Configuration Guidelines and Restrictions  28-18
  Configuring a Dead Peer Detection Message  28-19
  Verifying the DPD Configuration  28-19
  Understanding IPSec NAT Transparency  28-19
  IPSec NAT Transparency Configuration Guidelines and Restrictions  28-20
  Configuring NAT Transparency  28-20
  Disabling NAT Transparency  28-20
  Configuring NAT Keepalives  28-20
  Verifying the NAT Configuration  28-21
  Configuration Examples  28-22
  Advanced Encryption Standard Configuration Example  28-22
  ISAKMP Keyrings Configuration Examples  28-22
  Certificate to ISAKMP Profile Mapping Configuration Examples  28-23
  Encrypted Preshared Key Configuration Example  28-23
  Call Admission Control for IKE Configuration Examples  28-24
  Dead Peer Detection Configuration Examples  28-24
  ISAKMP NAT Keepalive Configuration Example  28-24

Chapter 29  Configuring Enhanced IPSec Features Using the IPSec VPN SPA  29-1
  Overview of Enhanced IPSec Features  29-2
  Configuring Advanced Encryption Standard in a Transform Set  29-2
  Verifying the AES Transform Set  29-2
  Configuring Reverse Route Injection  29-3
  RRI Configuration Guidelines and Restrictions  29-3
  Configuring RRI Under a Static Crypto Map  29-4
  Configuring RRI Under a Dynamic Crypto Map  29-5
  Configuring the IPSec Anti-Replay Window Size  29-6
  Expanding the IPSec Anti-Replay Window Size Globally  29-6
  Expanding the IPSec Anti-Replay Window at the Crypto Map Level  29-7
  Verifying the IPSec Anti-Replay Window Size Configuration at the Crypto Map Level  29-7
  Disabling the IPSec Anti-Replay Checking  29-8
  Configuring an IPSec Preferred Peer  29-8
  IPSec Preferred Peer Configuration Guidelines and Restrictions  29-9
Configuration Guide OL-5070-30 Configuring a Default Peer 29-10 Configuring the IPSec Idle Timer with a Default Peer 29-11 Configuring IPSec Security Association Idle Timers 29-12 IPSec Security Association Idle Timer Configuration Guidelines 29-12 Configuring the IPSec SA Idle Timer Globally 29-12 Configuring the IPSec SA Idle Timer per Crypto Map 29-13 Configuring Distinguished Name-Based Crypto Maps 29-13 Distinguished Name-Based Crypto Map Configuration Guidelines and Restrictions 29-14 Configuring QoS on the SPA-IPSEC-2G IPSEC VPN SPA 29-15 QoS Configuration Guidelines and Restrictions 29-16 Configuring QoS on the WS-IPSEC-3 IPSEC VSPA 29-17 Using the Module QoS Features of the WS-IPSEC-3 IPSEC VSPA 29-18 Using the Carrier QoS Features of the SSC-600 29-22 QoS Configuration Examples 29-24 Configuring Sequenced Crypto ACLs 29-33 Configuring Deny Policy Enhancements for Crypto ACLs 29-33 Deny Policy Enhancements for Crypto ACLs Configuration Guidelines and Restrictions 29-33 Configuration Examples 29-34 Advanced Encryption Standard Configuration Example 29-34 Reverse Route Injection Configuration Examples 29-34 IPSec Anti-Replay Window Size Configuration Examples 29-36 IPSec Preferred Peer Configuration Examples 29-38 IPSec Security Association Idle Timer Configuration Examples 29-38 Distinguished Name-Based Crypto Maps Configuration Example 29-39 QoS Configuration Example 29-40 Deny Policy Enhancements for ACLs Configuration Example 29-40 Configuring PKI Using the IPSec VPN SPA 30-1 Overview of PKI 30-2 Configuring Multiple RSA Key Pairs 30-3 Multiple RSA Key Pairs Configuration Guidelines and Restrictions 30-3 Removing RSA Key Pair Settings 30-4 Verifying RSA Key Information 30-4 Configuring Protected Private Key Storage 30-5 Protected Private Key Storage Configuration Guidelines and Restrictions 30-6 Configuring Private Keys 30-6 Verifying the Protected and Locked Private Keys 30-8 Contents xxiv Cisco 7600 Series Router SIP, SSC, and SPA Software 
Configuration Guide OL-5070-30 Configuring a Trustpoint CA 30-8 Trustpoint CA Configuration Guidelines and Restrictions 30-9 Verifying a Trustpoint CA 30-10 Configuring Query Mode Definition Per Trustpoint 30-11 Query Mode Definition Per Trustpoint Configuration Guidelines and Restrictions 30-12 Verifying Query Mode Definition Per Trustpoint CA 30-13 Configuring a Local Certificate Storage Location 30-14 Local Certificate Storage Location Configuration Guidelines and Restrictions 30-14 Specifying a Local Storage Location for Certificates 30-15 Verifying the Local Certificate Storage Location Configuration 30-15 Configuring Direct HTTP Enroll with CA Servers (Reenroll Using Existing Certificates) 30-16 Direct HTTP Enroll with CA Servers Configuration Guidelines and Restrictions 30-16 Configuring an Enrollment Profile for a Client Router 30-17 Configuring an Enrollment Profile for a Client Router Enrolled with a Third-Party Vendor CA 30-18 Configuring the CA to Accept Enrollment Requests from Clients of a Third-Party Vendor CA 30-20 Configuring Manual Certificate Enrollment (TFTP and Cut-and-Paste) 30-22 Manual Certificate Enrollment (TFTP and Cut-and-Paste) Configuration Guidelines and Restrictions 30-22 Configuring Manual Enrollment Using TFTP 30-22 Configuring Certificate Enrollment Using Cut-and-Paste 30-24 Verifying the Manual Certificate Enrollment Configuration 30-24 Configuring Certificate Autoenrollment 30-26 Preloading Root CAs 30-28 Verifying CA Information 30-29 Configuring Key Rollover for Certificate Renewal 30-30 Key Rollover for Certificate Renewal Configuration Guidelines and Restrictions 30-30 Configuring Automatic Certificate Enrollment with Key Rollover 30-31 Configuring Manual Certificate Enrollment with Key Rollover 30-33 Configuring PKI: Query Multiple Servers During Certificate Revocation Check 30-36 Configuring the Online Certificate Status Protocol 30-37 OCSP Configuration Guidelines and Restrictions 30-37 Verifying the OCSP Configuration 
30-38 Configuring Optional OCSP Nonces 30-41 Disabling OCSP Nonces 30-41 Configuring Certificate Security Attribute-Based Access Control 30-41 Certificate Security Attribute-Based Access Control Configuration Guidelines and Restrictions 30-42 Contents xxv Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Verifying Certificate-Based ACLs 30-44 Configuring PKI AAA Authorization Using the Entire Subject Name 30-45 PKI AAA Authorization Using the Entire Subject Name Configuration Guidelines and Restrictions 30-45 Configuring Source Interface Selection for Outgoing Traffic with Certificate Authority 30-47 Configuring Persistent Self-Signed Certificates 30-48 Persistent Self-Signed Certificates Configuration Guidelines and Restrictions 30-49 Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters 30-50 Enabling the HTTPS Server 30-51 Verifying the Persistent Self-Signed Certificate Configuration 30-51 Configuring Certificate Chain Verification 30-52 Certificate Chain Verification Configuration Guidelines and Restrictions 30-52 Configuration Examples 30-53 Multiple RSA Key Pairs Configuration Example 30-53 Protected Private Key Storage Configuration Examples 30-54 Trustpoint CA Configuration Example 30-54 Query Mode Definition Per Trustpoint Configuration Example 30-54 Local Certificate Storage Location Configuration Example 30-55 Direct HTTP Enrollment with CA Servers Configuration Examples 30-55 Manual Certificate Enrollment Configuration Examples 30-56 Certificate Autoenrollment Configuration Example 30-59 Key Rollover for Certificate Renewal Configuration Examples 30-60 PKI: Query Multiple Servers During Certificate Revocation Check (CDP Override) Configuration Example 30-61 Online Certificate Status Protocol Configuration Examples 30-61 Optional OCSP Nonces Configuration Example 30-62 Certificate Security Attribute-Based Access Control Configuration Example 30-62 PKI AAA Authorization Using the Entire Subject Name 
Configuration Example 30-63 Source Interface Selection for Outgoing Traffic with Certificate Authority Configuration Example 30-63 Persistent Self-Signed Certificates Configuration Examples 30-64 Certificate Chain Verification Configuration Examples 30-65 Configuring Advanced VPNs Using the IPSec VPN SPA 31-1 Overview of Advanced VPNs 31-2 Configuring DMVPN 31-2 DMVPN Configuration Guidelines and Restrictions 31-2 DMVPN Prerequisites 31-3 Contents xxvi Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Configuring an IPSec Profile 31-4 Configuring the Hub for DMVPN in VRF Mode 31-5 Configuring the Hub for DMVPN in Crypto-Connect Mode 31-7 Configuring the Spoke for DMVPN in VRF Mode 31-8 Configuring the Spoke for DMVPN in Crypto-Connect Mode 31-10 Verifying the DMVPN Configuration 31-12 Configuring the Easy VPN Server 31-15 Easy VPN Server Configuration Guidelines and Restrictions 31-15 Configuring the Easy VPN Remote 31-16 Easy VPN Remote Configuration Guidelines 31-16 Configuring Easy VPN Remote RSA Signature Storage 31-16 Easy VPN Remote RSA Signature Support Configuration Guidelines and Restrictions 31-17 Configuring Easy VPN Remote RSA Signature Support 31-17 Configuration Examples 31-17 DMVPN Configuration Examples 31-18 Easy VPN Server (Router Side) Configuration Example 31-22 Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA 32-1 Overview of Duplicate Hardware Configurations and IPSec Failover 32-2 Configuring Multiple IPSec VPN SPAs in a Chassis 32-2 Understanding Stateless Failover Using HSRP 32-3 Understanding Stateful Failover Using HSRP and SSP 32-3 Configuring IPSec Failover 32-4 Configuring IPSec Stateless Failover Using HSRP with Crypto-Connect Mode 32-5 Configuring IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode 32-11 Configuring IPSec Stateless and Stateful Failover with VRF Mode 32-18 Verifying HSRP Configurations 32-18 Displaying SSP Information 32-21 Configuring 
Intrachassis IPSec Stateful Failover Using a Blade Failure Group 32-22 IPSec Stateful Failover Using a BFG Configuration Guidelines and Restrictions 32-22 Configuring a BFG for IPSec Stateful Failover 32-23 Verifying the IPSec Stateful Failover Using a BFG Configuration 32-23 Configuration Examples 32-24 Multiple IPSec VPN SPAs in a Chassis Configuration Example 32-24 IPSec Stateless Failover Using HSRP with Crypto-Connect Mode Configuration Examples 32-27 IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode Configuration Example 32-29 IPSec Stateless Failover Using HSRP with VRF Mode Configuration Example 32-33 Contents xxvii Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 IPSec Stateful Failover Using HSRP with VRF Mode Configuration Example 32-34 IPSec Stateful Failover Using a Blade Failure Group Configuration Example 32-38 Configuring Monitoring and Accounting for the IPSec VPN SPA 33-1 Overview of Monitoring and Accounting for the IPSec VPN SPA 33-2 Monitoring and Managing IPSec VPN Sessions 33-2 Adding the Description of an IKE Peer 33-2 Verifying Peer Descriptions 33-3 Getting a Summary Listing of Crypto Session Status 33-3 Syslog Notification for Crypto Session Up or Down Status 33-4 Clearing a Crypto Session 33-4 Configuring IPSec VPN Accounting 33-5 Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec 33-9 MIBs Supported by the IPSec and IKE MIB Support for Cisco VRF-Aware IPSec Feature 33-9 Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec 33-9 Configuration Examples 33-10 IPSec VPN Accounting Configuration Example 33-10 IPSec VPN Monitoring Configuration Example 33-11 Troubleshooting the IPSec VPN SPA 34-1 General Troubleshooting Information 34-1 Interpreting Console Error Messages 34-2 Using debug Commands 34-2 Using show Commands 34-2 Monitoring the IPSec VPN SPA 34-3 Displaying IPSec VPN SPA Hardware and System Information 34-3 Displaying IPSec VPN SPA Configuration 
Information 34-6 Troubleshooting Specific Problems on the IPSec VPN SPA 34-24 Clearing IPsec Security Associations 34-24 Troubleshooting Trunk Port Configurations 34-24 Troubleshooting IPsec Stateful Failover (VPN High Availability) 34-25 Troubleshooting a Blade Failure Group 34-27 Troubleshooting IKE Policy and Transform Sets 34-27 Using Crypto Conditional Debug 34-27 Crypto Conditional Debug Configuration Guidelines and Restrictions 34-29 Enabling Crypto Conditional Debug Filtering 34-29 Contents xxviii Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Disabling Crypto Conditional Debugging 34-29 Enabling Crypto Error Debug Messages 34-30 Preparing for Online Insertion and Removal of a SPA 34-30 Upgrading Field-Programmable Devices 35-1 Release History 35-1 FPD Quick Upgrade 35-2 FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended) 35-2 FPD Quick Upgrade After Upgrading your Cisco IOS Release 35-2 Overview of FPD Images and Packages 35-3 Upgrading FPD Images 35-3 Migrating to a Newer Cisco IOS Release 35-3 Upgrading FPD Images in a Production System 35-5 Upgrading FPD Images Using Fast Software Upgrade 35-6 Optional FPD Procedures 35-6 FPD Image Upgrade Examples 35-13 Troubleshooting Problems with FPD Image Upgrades 35-16 Power Failure or Removal of a SIP or SPA During an FPD Image Upgrade 35-16 I N D E X xxix Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Preface This preface describes the objectives and organization of this document and explains how to find additional information on related products and services. 
This preface contains the following sections:
• Objectives
• Document Revision History
• Organization
• Related Documentation
• Document Conventions
• Obtaining Documentation, Obtaining Support, and Security Guidelines

Objectives

This document describes the configuration and troubleshooting of SPA interface processors (SIPs), SPA services cards (SSCs), and shared port adapters (SPAs) that are supported on a Cisco 7600 series router.

Document Revision History

The Document Revision History records technical changes to this document. The table shows the Cisco IOS software release number and document revision number for the change, the date of the change, and a brief summary of the change.

Release 15.2(1)S, revision OL-5070-30, November 2011
Added support for the following features:
• Frame Relay Fragmentation (FRF.12), page 4-22 in Chapter 4, "Configuring the SIPs and SSC"
• Added Chapter 21, "Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA"
• N:1 PVC Mapping to Pseudowires with Non-Unique VPI, page 7-101 in Chapter 7, "Configuring the ATM SPAs"
• Multi Router Automatic Protection Switching (MR-APS) Integration with Hot Standby Pseudowire, page 7-89 in Chapter 7, "Configuring the ATM SPAs"
• Updated Configuring Multipoint Bridging, page 4-36 in Chapter 4, "Configuring the SIPs and SSC"

Release 15.1(3)S1, revision OL-5070-29, October 2011
• Updated Chapter 24, "Overview of the IPSec VPN SPA" with support information for the WS-IPSEC-3 SPA, and also Chapter 29, "Configuring Enhanced IPSec Features Using the IPSec VPN SPA"
• Updated the configuration steps in Chapter 4, "Configuring IPv6 Hop-by-Hop Header Security on SIP-200 or SIP-400"

Release 12.2(33)SRE5, revision OL-5070-28, September 2011
Updated Cisco 7600 SIP-200 configuration restrictions in Chapter 16, "Overview of the Serial SPAs"
Release 15.1(2)S2, revision OL-5070-27, August 2011
Updated Cisco 7600 SIP-200 configuration restrictions in Chapter 16, "Overview of the Serial SPAs"

Release 15.1(3)S, revision OL-5070-26, July 2011
Added support for the following features:
• L2TPv3 configuration in Chapter 7, "Configuring the ATM SPAs"
• Stateful MLPPP MR-APS feature in Chapter 20, "Configuring 1-Port ChOC-3/STM-1 and ChOC-12/STM-4 SPAs"

Release 15.0(1)S3a, revision OL-5070-25, April 2011
Support added to disable Network Processor crashinfo for all Network Processor exceptions in Chapter 3, "Overview of the SIPs and SSC"

Release 15.1(2)S, revision OL-5070-24, March 2011
Added support for the following features:
• Circuit Emulation Service over UDP in Chapter 9, "Overview of the CEoP and Channelized ATM SPAs"
• L3 QoS on CEoP SPAs in Chapter 10, "Configuring the CEoP and Channelized ATM SPAs"

Release 15.1(1)S1, revision OL-5070-23, February 2011
• Extended support for the limitation to avoid console flooding in Chapter 5, "Troubleshooting the SIPs and SSC"
• Added new CLI options for configuring the hardware timer that brings up the controller, in the SONET/SDH Error, Alarm, and Performance Monitoring section of Chapter 9, "Overview of the CEoP and Channelized ATM SPAs"

Release 12.2(33)SRE3, revision OL-5070-22, January 2011
• Added new CLI options for configuring the hardware timer that brings up the controller, in the SONET/SDH Error, Alarm, and Performance Monitoring section of Chapter 9, "Overview of the CEoP and Channelized ATM SPAs"
• Support added to disable Network Processor crashinfo for all Network Processor exceptions in Chapter 3, "Overview of the SIPs and SSC"

Release 12.2(33)SRD6, revision OL-5070-21, December 2010
Extended support for the limitation to avoid console flooding in Chapter 5, "Troubleshooting the SIPs and SSC"

Release 15.0(1)S2, revision OL-5070-20, December 2010
Added limitation to avoid console flooding in Chapter 5, "Troubleshooting the SIPs and SSC"

Release 15.1(1)S, revision OL-5070-19, November 2010
• Added adaptive clock recovery support for the 2XT3E3 CE/ATM SPA in Configuring Clocking, page 37
• Updated Chapter 3, "Overview of the SIPs and SSC": added support for the HSPW feature
• Updated Chapter 10, "Configuring the CEoP and Channelized ATM SPAs" to include IMA Scalability, configuring access circuit redundancy on CEoP and ATM SPAs, and E3 and channelization support for the SPA-2CHT3-CE-ATM feature
• Updated Chapter 11, "Overview of the Ethernet SPAs" with the 1588-V2 feature enhancements
• Updated Chapter 14, "Overview of the POS SPAs" and Chapter 16, "Overview of the SIPs and SSC" with SSM support on SPA-1XCHOC12/DS0 and SPA-1XOC48POS/RPR
• Updated Chapter 20, "Configuring 1-Port ChOC-3/STM-1 and ChOC-12/STM-4 SPAs" with SDH support for the SPA-1XCHSTM4/OC12 feature

Release 12.2(33)SRD5, revision OL-5070-18, October 2010
Added troubleshooting information for:
• Layer 2 features in Chapter 12, "Configuring the Fast Ethernet and Gigabit Ethernet SPAs"
• MPLS VPN

Release 15.0(1)S, revision OL-5070-17, July 2010
Added support for:
• ONS-SC-OC3-EL support on POS OC3 SPAs in Modular Optics Compatibility, page 6, and SIP, SSC, and SPA Compatibility, page 4
• SPA-1xOC3-ATM-V2, SPA-3xOC3-ATM-V2, and SPA-1xOC12-ATM-V2 support on the Cisco 7600 SIP-400
• Non-Aggregate WRED ATM SPA
• 2-Port Gigabit Synchronous Ethernet SPA
• Configuring BFD over VCCV on SIP-400, page 75 in Chapter 4
• Added a restriction for the 2-Port Gigabit Ethernet SPA

Release 12.2(33)SRE1, revision OL-5070-16, June 2010
Added information that priority percent is not supported for ATM SPAs in Table 4-15, QoS Congestion Management and Avoidance Feature Compatibility by SIP and SPA Combination

Release 12.2(33)SRE1, revision OL-5070-16, April 2010
• Added information indicating that SVI is not supported with MPLSoGRE
• Extended support for the following features:
  – Private Host on Pseudoport on CWAN cards in Chapter 4, "Configuration Tasks"
  – Bridged Routing Encapsulation on Automatic Protection Service Group in Chapter 7, "Configuration Tasks"

Release 12.2(33)SRD4, revision OL-5070-15, February 2010
Support for the following features was introduced:
• Private Host on Pseudoport on CWAN cards in Chapter 4, "Configuration Tasks". This feature was previously shared as hidden documentation; for SRD4, it has been brought into the mainline documentation.
• Bridged Routing Encapsulation on Automatic Protection Service Group in Chapter 7, "Configuration Tasks"

Release 12.2(33)SRE, revision OL-5070-14, December 2009
• Supervisor Engine support for the IPSec VPN SPA was added
• Note added under the section Information About IPSec Configuration in the chapter "Overview of the IPSec VPN SPA"

Release 12.2(33)SRE, revision OL-5070-14, November 2009
Support was added for:
• STM1 Electrical SFP for SPA-1ChOC3-CE-ATM and SPA-1xCHSTM1/OC3 on the Cisco 7600, in Modular Optics Compatibility, page 6 of Chapter 2, "SIP, SSC, and SPA Product Overview"
• XFP-10F-MM-SR for 10GE SPAs on the SIP-400 and SIP-600, in Modular Optics Compatibility, page 6 of Chapter 2, "SIP, SSC, and SPA Product Overview"
• X2-DWDM and X2-10GB-LRM/ZR support on the RSP720-10GE, in Modular Optics Compatibility, page 6 of Chapter 2, "SIP, SSC, and SPA Product Overview"
• Access Circuit Redundancy on SIP-400 2-Port and 4-Port OC-3c/STM-1 ATM SPAs, and QoS support (Chapter 7, "Configuring the ATM SPAs", added the section Configuring Access Circuit Redundancy on SIP-400 ATM SPAs, page 65)
• VC QoS on VP pseudowire
• Added support for the match atm-vci command on the ATM VP interface, in Cisco 7600 SIP-400 Classification Into a Queue, page 13
• Triple nesting QoS support on SIP-400, adding support for an additional level of policy-map nesting, in Cisco 7600 SIP-400 Policing and Dropping, page 13
• RSP720-10GE on the Cisco 7600-SSC-400, in SPA Services Cards, page 2
• VP and VC mode support on 7600/SIP-400 for CEoP and the 1-Port OC-48c/STM-16 ATM SPA, in Chapter 9, "Overview of the CEoP and Channelized ATM SPAs"
• IEEE 802.1ag Draft 8.1-compliant Connectivity Fault Management on EVC (VPLS and pseudowire) on SIP-400 and SIP-600, in Cisco 7600 SIP-400 Features, page 11 and Cisco 7600 SIP-600 Features, page 16
• Updates to IPv6 Hop-by-Hop on SIP-200, in Cisco 7600 SIP-200 Other QoS Features, page 9 and Configuring IPv6 Hop-by-Hop Header Security on SIP-200 or SIP-400, page 142

Release 12.2(33)SRD3, revision OL-5070-13, September 2009
Support is added for Private Hosts SVI on CWAN line cards in Private Hosts SVI (Interface VLAN) Configuration Example, page 178. This version of the document with the Private Hosts feature is available only to a select set of customers.
Release 12.2(33)SRD3, revision OL-5070-12, September 2009
Support is added for:
• IPv6 Hop-by-Hop Policing for SIP-200 in Configuring IPv6 Hop-by-Hop Header Security on SIP-200 or SIP-400, page 142
• AIS and RAI alarm forwarding in CESoPSN mode on CEoP SPAs in Configuring AIS and RAI Alarm Forwarding in CESoPSN Mode on CEoP SPAs, page 61
• CEoP SPA updates in Chapter 9, "Overview of the CEoP and Channelized ATM SPAs" and Chapter 10, "Configuring the CEoP and Channelized ATM SPAs"

Release 12.2(33)SRD2, revision OL-5070-11, May 2009
Support was added for:
• PPP/MLPPP APS performance enhancement in Chapter 20, "Configuring 1-Port ChOC-3/STM-1 and ChOC-12/STM-4 SPAs", sections Configuring APS, page 20 and Verifying the APS Configuration, page 22
• The new pluggable SFP ONS-SC-155-EL, in the section Modular Optics Compatibility, page 6 of Chapter 2, "SIP, SSC, and SPA Compatibility"

Release 12.2(33)SRD1, revision OL-5050-10, February 2009
Support was added for:
• 1xCHOC12STM4 SPA
• IPv6 Hop-by-Hop

Release 12.2(33)SRD, revision OL-5050-10, October 2008
Support was added for the following features:
• IMA on SIP-400 for 24xT1/E1 CEoP and 1xOC3 CEoP SPAs
• Private Host SVI (interface VLAN)
• SPA-8X1FE-TX-V2 and SPA-4X1FE-TX-V2 support on SIP-400
• Port Mode Cell Relay support on the Cisco 7600 SIP-400 ATM SPA
• DBUS CoS API on SIP-400
• SIP-400 Hierarchical Queuing Framework (HQF)
• L2VPN Interworking: Ethernet VLAN to ATM AAL5
• Bridging Routed Encapsulations (BRE) on the Cisco SIP-400
• Asymmetric Carrier Delay

Release 12.2(33)SRC1, revision OL-5050-09, May 27, 2008
Support was added for the following features:
• SPA-4XT-Serial (Cisco 4-Port Serial Shared Port Adapter) support on 7600/SIP-200; added Chapter 21, "Configuring the 4-Port Serial Interface SPA"
• Updated Restrictions in Chapter 23 to add the limitation that TCP ADJUST-MSS is not supported on VTI tunnels
Release 12.2(33)SRC, revision OL-5050-08, January 2008
Support was added for the following features:
• CT3 CEoP on c7600-SIP-400
• Accelerated Lawful Intercept on Cisco 7600 SIP-400
• CoPP Enhancements on Cisco 7600 SIP-400
• PPPoEoE on Cisco 7600 SIP-400
• Source IPv4 and Source MAC Address Binding on Cisco 7600 SIP-400
• IMA on SIP-400 for 24xT1/E1 CEoP and 1xOC3 CEoP SPAs
• IGMP Snooping support on SIP-200
• AFC and PFC support on Multilink Interface on SIP-200 for 2- and 4-Port CT3, 8-Port Channelized T1/E1, and 1-Port Channelized OC3/STM-1 SPAs
• Programmable BERT patterns enhancement on SIP-200 for 2- and 4-Port Channelized T3 and 1-Port Channelized OC3/STM-1 SPAs
• TDM Local Switching
• Phase 2 Local Switching Redundancy
• SPA-1xCHSTM1/OC3
• Cisco Channelized T3 to DS0 Shared Port Adapter (SPA-2XCT3/DS0, SPA-4XCT3/DS0)
• Cisco 8-Port Channelized T1/E1 Shared Port Adapter (SPA-8XCHT1/E1)
• Cisco Clear Channel T3/E3 Shared Port Adapter (SPA-2XT3/E3, SPA-4XT3/E3)

Release 12.2(33)SRB1, revision OL-5070-07, June 4, 2007
Support for the following features was introduced:
• Backup interface for Flexible UNI (for Gigabit Ethernet SPAs) on a Cisco 7600 SIP-400
• Any Transport over MPLS over GRE (AToM over GRE) on a Cisco 7600 SIP-400
• MTU support on MLPPP interfaces on a Cisco 7600 SIP-200
• ATM pseudowire redundancy for the CEoP SPA
• Out-of-band clocking for the CEoP SPA
• Support for XFP-10GZR-OC192LR

Release 12.2(33)SRB, revision OL-5070-06, February 27, 2007
Sixth release. Support for the following features was introduced:
• Software-based MLP bundles from 256 to 1024 on a Cisco 7600 SIP-200
• Network clock support on a Cisco 7600 SIP-200
• Lawful Intercept on a Cisco 7600 SIP-400
• Per-subscriber/per-protocol CoPP support on a Cisco 7600 SIP-400
• Security ACLs on a Cisco 7600 SIP-400
• Percent priority/percent bandwidth support on a Cisco 7600 SIP-400
• IGMP/PIM snooping for VPLS pseudowire on a Cisco 7600 SIP-400
• Dual-priority queue support on a Cisco 7600 SIP-400
• 24-Port Channelized T1/E1 ATM CEoP SPA, 1-Port Channelized OC-3 STM1 ATM CEoP SPA, and 2-Port Copper and Optical Gigabit Ethernet SPAs

Release 12.2(33)SRA, revision OL-5070-05, June 5, 2006
Fifth release. The following modifications were made:
• Support was added for the following SPAs on the Cisco 7600 SIP-200:
  – 1-Port Channelized OC-3/STM-1 SPA
  – 4-Port and 8-Port Fast Ethernet SPA
• Support was added for the 1-Port OC-48c/STM-16 POS SPA on the Cisco 7600 SIP-400
• Support was added for the 2-Port and 4-Port OC-48c/STM-16 POS SPA on the Cisco 7600 SIP-600
• The following features were introduced for the IPSec VPN SPA:
  – Front-side VRF
  – IPSec Virtual Tunnel Interface (VTI)
  – Certificate to ISAKMP Profile Mapping
  – Call Admission Control
  – Periodic Message Option (now supported in Dead Peer Detection)
  – Reverse Route Injection (RRI)
  – IPSec Anti-replay Window Size
  – IPSec Preferred Peer
  – Local Certificate Storage Location
  – Optional OCSP Nonces
  – Persistent Self-signed Certificates
  – Certificate Chain Verification
  – Easy VPN Remote RSA Signature Storage
  – IPSec and IKE MIB support for Cisco VRF-Aware IPSec
  Note: Support is not included for IPSec stateful failover using HSRP and SSP.
• The single configuration chapter for the IPSec VPN SPA has been restructured into seven smaller chapters.
• Support for the following features was introduced on the Cisco 7600 SIP-200:
  – AToM VP Mode Cell Relay (ATM SPAs)
  – BCP over dMLPPP (Trunk Mode) (Channelized SPAs)
  – MPLS over RBE (ATM SPAs)
  – Multi-VC to VLAN scalability
  – QoS support on bridging features
  – Software-based MLPPP
  – Software-based MLFR
• Support for the following features was introduced on the Cisco 7600 SIP-400:
  – AToM VP Mode Cell Relay (ATM SPAs)
  – Ethernet over MPLS (EoMPLS) VC scaling: increase from 4K to 10K VCs
  – Ingress/egress CoS classification with ingress policing per VLAN or EoMPLS VC
  – Hierarchical VPLS (H-VPLS) with MPLS Edge
  – Hierarchical QoS support for EoMPLS VCs
  – Multipoint Bridging (MPB) for Gigabit Ethernet SPA
  – Multi-VC to VLAN scalability
  – Multi-VLAN to VC (ATM SPAs)
  – QoS support on bridging features
  – Tag-Native Mode for Trunk BCP

Release 12.2(18)SXF2, revision OL-5070-04, February 28, 2006
The following updates were made to the documentation:
• Removed the restriction "Mapping DSCP values to MPLS EXP bits is not supported" from the Cisco 7600 SIP-600 list of restrictions
• Added the following VPLS scalability support information for the Cisco 7600 SIP-600:
  – Up to 4000 VPLS domains
  – Up to 60 VPLS peers per domain
  – Up to 30,000 pseudowires, used in any combination of domains and peers up to the 4000-domain or 60-peer maximums. For example, support of up to 4000 domains with 7 peers, or up to 60 peers in 500 domains.
• Added H-VPLS with Q-in-Q edge feature support on the Cisco 7600 SIP-600; requires a Cisco 7600 SIP-600 on the uplink, and any LAN port or Cisco 7600 SIP-600 on the downlink
• Removed VPLS pseudowire redundancy feature support for the Cisco 7600 SIP-600
• Removed the "Cisco 7600 SIP-600 MPLS Marking" section
• Modified the encapsulations supported in the ATM chapters to "aal5snap" only
• Corrected the note in the "Configuring Compressed Real-Time Protocol" section of Chapter 4, "Configuring the SIPs and SSC" to state: "cRTP is supported only on the Cisco 7600 SIP-200 with the 8-Port Channelized T1/E1 SPA and 2-Port and 4-Port Channelized T3 SPA."

Release 12.2(18)SXF2, revision OL-5070-04, January 27, 2006
The following update to the hardware-based MLPPP LFI guidelines was made in Chapter 17, "Configuring the 8-Port Channelized T1/E1 SPA," and Chapter 19, "Configuring the 2-Port and 4-Port Channelized T3 SPAs": When hardware-based LFI is enabled, fragmentation counters are not displayed.

Release 12.2(18)SXF2, revision OL-5070-04, January 20, 2006
Fourth release. The following modifications were made:
• The 1-Port OC-192c/STM-64 POS/RPR VSR Optics SPA was introduced on the Cisco 7600 SIP-600
• Support was introduced for the configuration of IP multicast over a GRE tunnel on the IPSec VPN SPA
• Support for the "Enhancements to RFC 1483 Spanning Tree Interoperability" feature was added for ATM SPAs on the Cisco 7600 SIP-200
• Documentation of a workaround for ATM SPA configuration on the Cisco 7600 SIP-200 was added in Chapter 7, "Configuring the ATM SPAs" to address a Routed Bridge Encapsulation (RBE) limitation where only one remote MAC address is supported
12.2(18)SXF, OL-5070-03, January 12, 2006
The following modifications were made:
• Adjusted ATM SPA PVC restriction (correctly noted elsewhere in the documentation) from “A maximum number of 400 PVCs or SVCs...” to “A maximum number of 1000 PVCs or 400 SVCs configured with MQC policy maps.”
• Added cross-references throughout Chapter 3, “Overview of the SIPs and SSC” to the Cisco IOS Release SX Supervisor Engine release notes.
• Updated the Cisco 7600 SIP-400 restrictions to clarify that the SIP does not work with the Supervisor Engine PFC3A or in PFC3A mode.
• Updated the Cisco 7600 SIP-600 restrictions to clarify lack of support for the Supervisor Engine 720 PFC3A or PFC3A mode: “The Cisco 7600 SIP-600 is not supported by the Supervisor Engine 32. The Cisco 7600 SIP-600 is supported by the Supervisor Engine 720 PFC3B and Supervisor Engine 720 PFC3BXL. It is not supported with a Supervisor Engine 720 PFC3A or in PFC3A mode.”
• Added a cross-reference to Chapter 3, “Overview of the SIPs and SSC” in each of the SPA overview chapters to ease location of additional features and restrictions that are SIP- or SSC-specific.
• Removed the list of supported modules from Chapter 24, “Overview of the IPSec VPN SPA”. Any unsupported modules will be documented in the “Restrictions” section.
• Further qualified Cisco 7600 SIP-200 Any Transport over MPLS (AToM) support for ATM in Chapter 3, “Overview of the SIPs and SSC” to state: “Any Transport over MPLS (AToM) support, including:
  – ATM over MPLS (ATMoMPLS)—AAL5 VC mode
  – Ethernet over MPLS (EoMPLS)—(Single cell relay) VC mode”
• Removed references to “1-Port 10-Gigabit Ethernet SPA and 10-Port Gigabit Ethernet SPA on a SIP-400” in the “Enabling Autonegotiation” and “Disabling Autonegotiation” sections of Chapter 12, “Configuring the Fast Ethernet and Gigabit Ethernet SPAs.”
• Qualified AToM core-facing restriction for the Cisco 7600 SIP-200 as follows:
  – AToM (ATMoMPLS, FRoMPLS, HDLCoMPLS, and PPPoMPLS) on a SPA requires a Cisco 7600 SIP-200, FlexWAN, Enhanced FlexWAN, or OSM PXF interface as the core-facing interface.
  – AToM (ATMoMPLS, FRoMPLS) on a Cisco 7600 SIP-200 also is supported with a Cisco 7600 SIP-400 as the core-facing interface.
• Documentation of the Fast Software Upgrade (FSU) procedure supported by Route Processor Redundancy (RPR) for supervisor engines was added to Chapter 35, “Upgrading Field-Programmable Devices.”

12.2(18)SXF, OL-5070-03, September 19, 2005
Third release. The following hardware was introduced:
• 1-Port OC-48c/STM-16 ATM SPA
• 2-Port Gigabit Ethernet SPA
• 5-Port Gigabit Ethernet SPA
• 10-Port Gigabit Ethernet SPA
• 1-Port 10-Gigabit Ethernet SPA
• 1-Port OC-192c/STM-64 POS/RPR SPA
• 1-Port OC-192c/STM-64 POS/RPR XFP SPA
For specific feature changes, see the Release History tables in the “Overview” chapters of this book.

12.2(18)SXE2, OL-5070-02, August 17, 2005
The following modifications were made:
• Chapter 17, “Configuring the 8-Port Channelized T1/E1 SPA” and Chapter 19, “Configuring the 2-Port and 4-Port Channelized T3 SPAs” were modified to clarify support of MLPPP and MLFR for both E1 and T1 links.
• Added cRTP to the supported features list for the serial SPAs in Chapter 16, “Overview of the Serial SPAs.”
• Document was modified with the following updates in Chapter 4, “Configuring the SIPs and SSC”:
  – Removed references to support of software-based MLFR.
  – In the “Assigning an Interface to an MLPPP Bundle” section, moved the step order of the ppp multilink command and qualified it as optional.
  – Under “MLPPP Configuration Guidelines,” added guidelines and restrictions for distributed links on the Cisco 7600 SIP-200.
  – Under “MLPPP Configuration Tasks” and “MLFR Configuration Tasks,” added a task to emphasize that distributed CEF is required for these features; however, dCEF is automatically enabled on the Cisco 7600 series router.

12.2(18)SXE2, OL-5070-02, July 25, 2005
Second release. The Cisco 7600 SSC-400 and IPSec VPN SPA were introduced.

12.2(18)SXE, OL-5070-01, March 28, 2005
First release.

Organization

This document contains the following chapters:

Chapter 1, Using Cisco IOS Software: Provides an introduction to accessing the command-line interface (CLI) and using the Cisco IOS software and related tools.
Chapter 2, SIP, SSC, and SPA Product Overview: Provides a brief introduction to the SIP and SPA products on the Cisco 7600 series router, and information about SIP, SSC, SPA, and optics compatibility.
Chapter 3, Overview of the SIPs and SSC: Describes release history, and feature and Management Information Base (MIB) support for the SIPs and SSCs on the Cisco 7600 series router.
Chapter 4, Configuring the SIPs and SSC: Describes related configuration and verification information for the SIPs and SSCs on the Cisco 7600 series router.
Chapter 5, Troubleshooting the SIPs and SSC: Describes techniques that you can use to troubleshoot the operation of the SIPs and SSCs on the Cisco 7600 series router.
Chapter 6, Overview of the ATM SPAs: Describes release history, feature and Management Information Base (MIB) support, and an introduction to the ATM SPA architecture on the Cisco 7600 series router.
Chapter 7, Configuring the ATM SPAs: Describes the related configuration and verification information for the ATM SPAs on the Cisco 7600 series router.
Chapter 8, Troubleshooting the ATM SPAs: Describes techniques that you can use to troubleshoot the operation of the ATM SPAs on the Cisco 7600 series router.
Chapter 9, Overview of the CEoP and Channelized ATM SPAs: Describes release history, feature and Management Information Base (MIB) support, and an introduction to the CEoP SPA architecture on the Cisco 7600 series router.
Chapter 10, Configuring the CEoP and Channelized ATM SPAs: Describes the related configuration and verification information for the CEoP and Channelized SPAs on the Cisco 7600 series router.
Chapter 11, Overview of the Ethernet SPAs: Describes release history, feature and Management Information Base (MIB) support, and an introduction to the Gigabit Ethernet SPA architecture on the Cisco 7600 series router.
Chapter 12, Configuring the Fast Ethernet and Gigabit Ethernet SPAs: Describes the related configuration and verification information for the Gigabit Ethernet SPAs on the Cisco 7600 series router.
Chapter 13, Troubleshooting the Fast Ethernet and Gigabit Ethernet SPAs: Describes techniques that you can use to troubleshoot the operation of the Gigabit Ethernet SPAs on the Cisco 7600 series router.
Chapter 14, Overview of the POS SPAs: Describes release history, feature and Management Information Base (MIB) support, and an introduction to the POS SPA architecture on the Cisco 7600 series router.
Chapter 15, Configuring the POS SPAs: Describes the related configuration and verification information for the POS SPAs on the Cisco 7600 series router.
Chapter 16, Overview of the Serial SPAs: Describes release history, feature and Management Information Base (MIB) support, and an introduction to the serial SPA architecture on the Cisco 7600 series router.
Chapter 17, Configuring the 8-Port Channelized T1/E1 SPA: Describes the related configuration and verification information for the 8-Port Channelized T1/E1 SPAs on the Cisco 7600 series router.
Chapter 18, Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs: Describes the related configuration and verification information for the 2-Port and 4-Port Clear Channel T3/E3 SPAs on the Cisco 7600 series router.
Chapter 19, Configuring the 2-Port and 4-Port Channelized T3 SPAs: Describes the related configuration and verification information for the 2-Port and 4-Port Channelized T3 SPAs on the Cisco 7600 series router.
Chapter 20, Configuring 1-Port ChOC-3/STM-1 and ChOC-12/STM-4 SPAs: Describes the related configuration and verification information for the 1-Port Channelized OC-3/STM-1 and 1-Port Channelized OC-12/STM-4 SPAs on the Cisco 7600 series router.
Chapter 21, Configuring the 4-Port Serial Interface SPA: Describes information about configuring the 4-Port Serial Interface Shared Port Adapter (SPA) on the Cisco 7600 series router.
Chapter 22, Troubleshooting the Serial SPAs: Describes techniques that you can use to troubleshoot the operation of the serial SPAs on the Cisco 7600 series router.
Chapter 23, Overview of the IPSec VPN SPA: Describes release history, feature and Management Information Base (MIB) support, and an introduction to the IPSec VPN SPA architecture on the Cisco 7600 series router.
Chapter 24, Configuring VPNs in Crypto-Connect Mode: Describes the related configuration and verification information for IPSec VPNs using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 25, Configuring VPNs in VRF Mode: Describes information about configuring IPSec VPNs in Virtual Routing and Forwarding (VRF) mode using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 26, Configuring IPSec VPN Fragmentation and MTU: Describes information about configuring IPSec VPN fragmentation and the maximum transmission unit (MTU) using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 27, Configuring IKE Features Using the IPSec VPN SPA: Describes the related configuration and verification information for Internet Key Exchange (IKE) features using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 28, Configuring Enhanced IPSec Features Using the IPSec VPN SPA: Describes the related configuration and verification information for enhanced IPSec features using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 29, Configuring PKI Using the IPSec VPN SPA: Describes the related configuration and verification information for Public Key Infrastructure (PKI) features using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 30, Configuring Advanced VPNs Using the IPSec VPN SPA: Describes the related configuration and verification information for advanced IPSec VPNs using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 31, Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA: Describes the related configuration and verification information for duplicate hardware configurations and IPSec failover using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 32, Configuring Monitoring and Accounting for the IPSec VPN SPA: Describes the related configuration and verification information for monitoring and accounting using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 33, Troubleshooting the IPSec VPN SPA: Describes techniques that you can use to troubleshoot the operation of the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 34, Upgrading Field-Programmable Devices: Provides information about upgrading the field-programmable devices on the Cisco 7600 series router.

Related Documentation

This section refers you to other documentation that also might be useful as you configure your Cisco 7600 series router. The documentation listed below is available online.

Cisco 7600 Series Router Documentation

As you configure your Cisco 7600 series router, you should also refer to the following companion publication for important hardware installation information:
• Cisco 7600 Series Ethernet Services 20G Line Card Hardware Installation Guide

An overview of the Cisco 7600 series router features, benefits, and applications can be found in the Cisco 7600 Series Internet Router Essentials document located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_quick_start09186a0080092248.html

Some of the following other Cisco 7600 series router publications might be useful to you as you configure your Cisco 7600 series router.
• Cisco 7600 Series Cisco IOS Software Configuration Guide
  http://www.cisco.com/en/US/products/hw/routers/ps368/products_installation_and_configuration_guides_list.html
• Cisco 7600 Series Cisco IOS Command Reference
  http://www.cisco.com/en/US/products/hw/routers/ps368/prod_command_reference_list.html
• Cisco 7600 Series Cisco IOS System Message Guide
  http://www.cisco.com/en/US/products/hw/routers/ps368/products_system_message_guides_list.html
• Cisco 7600 Series Internet Router MIB Specifications Guide
  http://www.cisco.com/en/US/products/hw/routers/ps368/prod_technical_reference_list.html

Several other publications are also related to the Cisco 7600 series router.
For a complete reference of related documentation, refer to the Cisco 7600 Series Routers Documentation Roadmap located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_documentation_roadmaps_list.html

Other Cisco IOS Software Publications

Your router and the Cisco IOS software running on it contain extensive features. You can find documentation for Cisco IOS software features at the following URL:
http://www.cisco.com/cisco/web/psa/default.html?mode=prod

Cisco IOS Release 12.2SR Software Publications

Documentation for Cisco IOS Release 12.2SR, including command reference and system error messages, can be found at the following URL:
http://www.cisco.com/en/US/products/ps6922/tsd_products_support_series_home.html

Document Conventions

Within the SIP and SPA software configuration guides, the term router is generally used to refer to a variety of Cisco products (for example, routers, access servers, and switches). Routers, access servers, and other networking devices that support Cisco IOS software are shown interchangeably within examples. These products are used only for illustrative purposes; that is, an example that shows one product does not necessarily indicate that other products are not supported.

This documentation uses the following conventions:

Convention     Description
^ or Ctrl      The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.
string         A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.

Command syntax descriptions use the following conventions:

Convention     Description
bold           Bold text indicates commands and keywords that you enter exactly as shown.
italics        Italic text indicates arguments for which you supply values.
[x]            Square brackets enclose an optional element (keyword or argument).
|              A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y]        Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y}        Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.

Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. For example:

Convention     Description
[x {y | z}]    Braces and a vertical line within square brackets indicate a required choice within an optional element.

Examples use the following conventions:

Convention     Description
screen         Examples of information displayed on the screen are set in Courier font.
bold screen    Examples of text that you must enter are set in Courier bold font.
< >            Angle brackets enclose text that is not printed to the screen, such as passwords.
!              An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]            Square brackets enclose default responses to system prompts.

The following conventions are used to attract the attention of the reader:

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Note: Means reader take note. Notes contain helpful suggestions or references to materials that may not be contained in this manual.

Tip: Means the following information will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information, similar to a Timesaver.

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

PART 1 Introduction

CHAPTER 1 Using Cisco IOS Software

This chapter provides information to prepare you to configure a SPA interface processor (SIP) or shared port adapter (SPA) using the Cisco IOS software.
It includes the following sections:
• Accessing the CLI Using a Router Console, page 1-1
• Using Keyboard Shortcuts, page 1-6
• Using the History Buffer to Recall Commands, page 1-6
• Understanding Command Modes, page 1-6
• Getting Help, page 1-8
• Using the no and default Forms of Commands, page 1-11
• Saving Configuration Changes, page 1-12
• Filtering Output from the show and more Commands, page 1-12
• Finding Support Information for Platforms and Cisco Software Images, page 1-13

Accessing the CLI Using a Router Console

The following sections describe how to access the command-line interface (CLI) using a directly connected console or by using Telnet or a modem to obtain a remote console:
• Accessing the CLI Using a Directly-Connected Console, page 1-1
• Accessing the CLI from a Remote Console Using Telnet, page 1-3
• Accessing the CLI from a Remote Console Using a Modem, page 1-5

For more detailed information about configuring and accessing a router through various services, refer to the Cisco IOS Terminal Services Configuration Guide and Cisco IOS Terminal Services Command Reference publications. For more information about making the console cable connections, refer to the Cisco 7600 Series Router Module Installation Guide.

Accessing the CLI Using a Directly-Connected Console

This section describes how to connect to the console port on the router and use the console interface to access the CLI.

The console port on a Cisco 7600 series router is an EIA/TIA-232 asynchronous, serial connection with hardware flow control and an RJ-45 connector. The console port is located on the front panel of the supervisor engine, as shown in Figure 1-1 and Figure 1-2.
Figure 1-1 Supervisor Engine 720 Console Port Connector
Figure 1-2 Supervisor Engine 32 Console Port Connector
(Figures not reproduced. Each shows the console port on the supervisor engine front panel; Figure 1-2 shows the WS-SUP32-GE-3B faceplate with the port labeled CONSOLE.)

Connecting to the Console Port

Before you can use the console interface on the router using a terminal or PC, you must perform the following steps:

Step 1  Configure your terminal emulation software with the following settings:
• 9600 bits per second (bps)
• 8 data bits
• No parity
• 2 stop bits

Note: These are the default serial communication parameters on the router. For information about how to change the default settings to meet the requirements of your terminal or host, refer to the Cisco IOS Terminal Services Configuration Guide.

Step 2  Connect a terminal or PC to the console port using one of the following methods:
a. To connect to the console port using the cable and adapters provided in the accessory kit that shipped with your Cisco 7600 series router:
   – Place the console port mode switch in the in position (factory default).
   – Connect to the port using the RJ-45-to-RJ-45 cable and RJ-45-to-DB-25 DTE adapter or using the RJ-45-to-DB-9 DTE adapter (labeled “Terminal”).
b. To connect to the console port using a Catalyst 5000 family Supervisor Engine III console cable:
   – Place the console port mode switch in the out position.
   – Connect to the port using the Supervisor Engine III cable and the appropriate adapter for the terminal connection.
Using the Console Interface

To access the CLI using the console interface, complete the following steps:

Step 1  After you attach the terminal hardware to the console port on the router and you configure your terminal emulation software with the proper settings, the following prompt appears:
Press Return for Console prompt

Step 2  Press Return to enter user EXEC mode. The following prompt appears:
Router>

Step 3  From user EXEC mode, enter the enable command as shown in the following example:
Router> enable

Step 4  At the password prompt, enter your system’s enable password. (The following example shows entry of the password “enablepass”; the router does not echo the password to the screen.)
Password: enablepass

Step 5  When your enable password is accepted, the privileged EXEC mode prompt appears:
Router#

Step 6  You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your desired tasks.

Step 7  To exit the console session, enter the quit command as shown in the following example:
Router# quit

Accessing the CLI from a Remote Console Using Telnet

This section describes how to connect to the console interface on a router using Telnet to access the CLI.

Preparing to Connect to the Router Console Using Telnet

Before you can access the router remotely using Telnet from a TCP/IP network, you need to configure the router to support virtual terminal lines (vtys) using the line vty global configuration command. You also should configure the vtys to require login and specify a password. Telnet carries the whole session, including the login and enable passwords, in cleartext, so use it only over a trusted management network.

Note: To prevent disabling login on the line, be careful that you specify a password with the password command when you configure the login line configuration command.
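The vty preparation this section describes, written out as an added example that is not configuration from the Cisco guide: a vty line with login enabled but no password (the case the Note above warns about), beside the corrected line-password form and the AAA form that the next paragraph covers. The host name Router, the user name admin, the method-list name VTY-AUTH and every *-SECRET placeholder are assumptions for illustration.

```cisco
! Added example, not from the Cisco guide. Router, admin, VTY-AUTH and the
! *-SECRET strings are placeholders; substitute your own values.
!
! WEAK: "login" with no password set on the line. Cisco IOS refuses every
! connection to such a vty with "Password required, but none set", so
! remote access is disabled without any error at configuration time.
line vty 0 4
 login
!
! CORRECTED, line password: set the password on the line before, or
! together with, "login".
hostname Router
! "enable secret" is stored as a hash; prefer it to "enable password".
enable secret ENABLE-SECRET
! Obscures line passwords in "show running-config" (reversible type 7
! encoding, so it is not a substitute for a strong password).
service password-encryption
line vty 0 4
 password VTY-SECRET
 login
 exec-timeout 10 0
 transport input telnet
!
! CORRECTED, AAA: "login authentication VTY-AUTH" on the line works only if
! that list exists under "aaa authentication login". Create the local user
! before "aaa new-model": once AAA is on, every line, including the
! console, authenticates through a method list, and an empty local
! database can lock you out.
username admin privilege 15 secret ADMIN-SECRET
aaa new-model
aaa authentication login VTY-AUTH local
line vty 0 4
 login authentication VTY-AUTH
 exec-timeout 10 0
 transport input telnet
end
! Verify from the still-open console session before relying on Telnet:
!   Router# show running-config | begin line vty
!   Router# show users
```

Apply and verify the vty configuration from the console session before you disconnect it, so that a mistake in the line or AAA configuration cannot lock you out of the router. On images that support SSH, replacing transport input telnet with transport input ssh keeps the passwords off the wire; the line and AAA configuration is the same.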
If you are using authentication, authorization, and accounting (AAA), you should configure the login authentication line configuration command. To prevent disabling login on the line for AAA authentication when you configure a list with the login authentication command, you must also configure that list using the aaa authentication login global configuration command. For more information about AAA services, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications.

In addition, before you can make a Telnet connection to the router, you must have a valid host name for the router or have an IP address configured on the router. For more information about requirements for connecting to the router using Telnet, information about customizing your Telnet services, and using Telnet key sequences, refer to the Cisco IOS Terminal Services Configuration Guide.

Using Telnet to Access a Console Interface

To access a console interface using Telnet, complete the following steps:

Step 1  From your terminal or PC, enter one of the following commands:
• connect host [port] [keyword]
• telnet host [port] [keyword]
In this syntax, host is the router host name or an IP address, port is a decimal port number (23 is the default), and keyword is a supported keyword. For more information, refer to the Cisco IOS Terminal Services Command Reference.

Note: If you are using an access server, then you will need to specify a valid port number such as telnet 172.20.52.40 2004, in addition to the host name or IP address.

The following example shows the telnet command to connect to the router named router:
unix_host% telnet router
Trying 172.20.52.40...
Connected to 172.20.52.40.
Escape character is '^]'.
unix_host% connect

Step 2  At the password prompt, enter your login password. The following example shows entry of the password “mypass”:
User Access Verification
Password: mypass

Note: If no password has been configured, press Return.
Step 3  From user EXEC mode, enter the enable command as shown in the following example:
Router> enable

Step 4  At the password prompt, enter your system’s enable password. (The following example shows entry of the password “enablepass”):
Password: enablepass

Step 5  When the enable password is accepted, the privileged EXEC mode prompt appears:
Router#

Step 6  You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your desired tasks.

Step 7  To exit the Telnet session, use the exit or logout command as shown in the following example:
Router# logout

Accessing the CLI from a Remote Console Using a Modem

To access the router remotely using a modem through an asynchronous connection, connect the modem to the console port. The console port on a Cisco 7600 series router is an EIA/TIA-232 asynchronous, serial connection with hardware flow control and an RJ-45 connector. The console port is located on the front panel of the supervisor engine, as shown in Figure 1-3 and Figure 1-4.

Figure 1-3 Supervisor Engine 720 Console Port Connector
Figure 1-4 Supervisor Engine 32 Console Port Connector
(Figures not reproduced. They show the same console port locations as Figure 1-1 and Figure 1-2.)

To connect a modem to the console port, place the console port mode switch in the in position. Connect to the port using the RJ-45-to-RJ-45 cable and the RJ-45-to-DB-25 DCE adapter (labeled “Modem”). A modem on the console port exposes the console, and with it the enable prompt, to anyone who can dial the line, so protect that path with the same passwords you require for any other remote access.

Using Keyboard Shortcuts

Commands are not case sensitive.
You can abbreviate commands and parameters if the abbreviations contain enough letters to be different from any other currently available commands or parameters. Table 1-1 lists the keyboard shortcuts for entering and editing commands.

Table 1-1 Keyboard Shortcuts

Keystrokes                          Purpose
Ctrl-B or the Left Arrow key (1)    Move the cursor back one character
Ctrl-F or the Right Arrow key (1)   Move the cursor forward one character
Ctrl-A                              Move the cursor to the beginning of the command line
Ctrl-E                              Move the cursor to the end of the command line
Esc B                               Move the cursor back one word
Esc F                               Move the cursor forward one word

(1) The arrow keys function only on ANSI-compatible terminals such as VT100s.

Using the History Buffer to Recall Commands

The history buffer stores the last 20 commands you entered. History substitution allows you to access these commands without retyping them, by using special abbreviated commands. Table 1-2 lists the history substitution commands.

Table 1-2 History Substitution Commands

Command                             Purpose
Ctrl-P or the Up Arrow key (1)      Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Ctrl-N or the Down Arrow key (1)    Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the Up Arrow key.
Router# show history                While in EXEC mode, list the last several commands you have just entered.

(1) The arrow keys function only on ANSI-compatible terminals such as VT100s.

Understanding Command Modes

You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes, the commands available to you at any given time depend on the mode that you are currently in. Entering a question mark (?) at the CLI prompt allows you to obtain a list of commands available for each command mode.
When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited subset of commands. To have access to all commands, you must enter privileged EXEC mode, normally by using a password. From privileged EXEC mode you can issue any EXEC command—user or privileged mode—or you can enter global configuration mode.

Most EXEC commands are one-time commands. For example, show commands show important status information, and clear commands clear counters or interfaces. The EXEC commands are not saved when the software reboots.

CLI configurations are not visible in the running configuration displays when the DBUS Class Of Service (CoS) bits are set to the default values 5, 6, or 7. The IOS is designed this way to prevent simple configurations from becoming huge if each default setting is displayed. For example, if you specify load-interval 300 on an interface, which is equivalent to no load-interval, the default setting is not shown in the running configuration display.

Configuration modes allow you to make changes to the running configuration. If you later save the running configuration to the startup configuration, these changed commands are stored when the software is rebooted. To enter specific configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and a variety of other modes, such as protocol-specific modes.

ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid software image is not found when the software boots or if the configuration file is corrupted at startup, the software might enter ROM monitor mode. Because ROM monitor can also be entered deliberately from the console during boot, physical access to the console port amounts to full control of the router; restrict it accordingly.

Table 1-3 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode. For more information on command modes, refer to the “Using the Command-Line Interface” chapter in the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide.

Table 1-3 Accessing and Exiting Command Modes

Command mode: User EXEC
  Access method: Log in.
  Prompt: Router>
  Exit method: Use the logout command.

Command mode: Privileged EXEC
  Access method: From user EXEC mode, use the enable EXEC command.
  Prompt: Router#
  Exit method: To return to user EXEC mode, use the disable command.

Command mode: Global configuration
  Access method: From privileged EXEC mode, use the configure terminal privileged EXEC command.
  Prompt: Router(config)#
  Exit method: To return to privileged EXEC mode from global configuration mode, use the exit or end command.

Command mode: Interface configuration
  Access method: From global configuration mode, specify an interface using an interface command.
  Prompt: Router(config-if)#
  Exit method: To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.

Command mode: ROM monitor
  Access method: From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting.
  Prompt: >
  Exit method: To exit ROM monitor mode, use the continue command.

Getting Help

Entering a question mark (?) at the CLI prompt displays a list of commands available for each command mode. You can also get a list of keywords and arguments associated with any command by using the context-sensitive help feature. To get help specific to a command mode, a command, a keyword, or an argument, use one of the following commands:

Table 1-4 Help Commands and Purpose

Command: help
  Purpose: Provides a brief description of the help system in any command mode.

Command: abbreviated-command-entry?
  Purpose: Provides a list of commands that begin with a particular character string. (No space between command and question mark.)

Command: abbreviated-command-entry<Tab>
  Purpose: Completes a partial command name.

Command: ?
  Purpose: Lists all commands available for a particular command mode.

Command: command ?
  Purpose: Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.)

Finding Command Options Example

This section provides an example of how to display syntax for a command. The syntax can consist of optional or required keywords and arguments. To display keywords and arguments for a command, enter a question mark (?) at the configuration prompt or after entering part of a command followed by a space. The Cisco IOS software displays a list and brief description of available keywords and arguments. For example, if you were in global configuration mode and wanted to see all the keywords or arguments for the arap command, you would type arap ?.

The <cr> symbol in command help output stands for “carriage return.” On older keyboards, the carriage return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The <cr> symbol at the end of command help output indicates that you have the option to press Enter to complete the command and that the arguments and keywords in the list preceding the <cr> symbol are optional. The <cr> symbol by itself indicates that no more arguments or keywords are available and that you must press Enter to complete the command.

Table 1-5 shows examples of how you can use the question mark (?) to assist you in entering commands.

Table 1-5 Finding Command Options

Command:
    Router> enable
    Password: <password>
    Router#
  Comment: Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to a “#” from the “>”; for example, Router> to Router#.

Command:
    Router# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#
  Comment: Enter the configure terminal privileged EXEC command to enter global configuration mode. You are in global configuration mode when the prompt changes to Router(config)#.

Command:
    Router(config)# interface serial ?
      <0-6>  Serial interface number
    Router(config)# interface serial 4 ?
      /
    Router(config)# interface serial 4/ ?
      <0-3>  Serial interface number
    Router(config)# interface serial 4/0 ?
      <cr>
    Router(config)# interface serial 4/0
    Router(config-if)#
  Comment: Enter interface configuration mode by specifying the serial interface that you want to configure using the interface serial global configuration command. Enter ? to display what you must enter next on the command line. In this example, you must enter the serial interface slot number and port number, separated by a forward slash. When the <cr> symbol is displayed, you can press Enter to complete the command. You are in interface configuration mode when the prompt changes to Router(config-if)#.

Command:
    Router(config-if)# ?
    Interface configuration commands:
    . . .
      ip                Interface Internet Protocol config commands
      keepalive         Enable keepalive
      lan-name          LAN Name command
      llc2              LLC2 Interface Subcommands
      load-interval     Specify interval for load calculation for an interface
      locaddr-priority  Assign a priority group
      logging           Configure logging for interface
      loopback          Configure internal loopback on an interface
      mac-address       Manually set interface MAC address
      mls               mls router sub/interface commands
      mpoa              MPOA interface configuration commands
      mtu               Set the interface Maximum Transmission Unit (MTU)
      netbios           Use a defined NETBIOS access list or enable name-caching
      no                Negate a command or set its defaults
      nrzi-encoding     Enable use of NRZI encoding
      ntp               Configure NTP
    . . .
    Router(config-if)#
  Comment: Enter ? to display a list of all the interface configuration commands available for the serial interface. This example shows only some of the available interface configuration commands.

Command:
    Router(config-if)# ip ?
    Interface IP configuration subcommands:
      access-group        Specify access control for packets
      accounting          Enable IP accounting on this interface
      address             Set the IP address of an interface
      authentication      authentication subcommands
      bandwidth-percent   Set EIGRP bandwidth limit
      broadcast-address   Set the broadcast address of an interface
      cgmp                Enable/disable CGMP
      directed-broadcast  Enable forwarding of directed broadcasts
      dvmrp               DVMRP interface commands
      hello-interval      Configures IP-EIGRP hello interval
      helper-address      Specify a destination address for UDP broadcasts
      hold-time           Configures IP-EIGRP hold time
    . . .
    Router(config-if)# ip
  Comment: Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands.

Command:
    Router(config-if)# ip address ?
      A.B.C.D     IP address
      negotiated  IP Address negotiated over PPP
    Router(config-if)# ip address
  Comment: Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword. A carriage return (<cr>) is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command:
    Router(config-if)# ip address 172.16.0.1 ?
      A.B.C.D  IP subnet mask
    Router(config-if)# ip address 172.16.0.1
  Comment: Enter the keyword or argument that you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask. A <cr> is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command:
    Router(config-if)# ip address 172.16.0.1 255.255.255.0 ?
      secondary  Make this IP address a secondary address
      <cr>
    Router(config-if)# ip address 172.16.0.1 255.255.255.0
  Comment: Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter. A <cr> is displayed; you can press Enter to complete the command, or you can enter another keyword.

Command:
    Router(config-if)# ip address 172.16.0.1 255.255.255.0
    Router(config-if)#
  Comment: In this example, Enter is pressed to complete the command.

Using the no and default Forms of Commands

Almost every configuration command has a no form. In general, use the no form to disable a function. Use the command without the no keyword to re-enable a disabled function or to enable a function that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip routing command; to re-enable IP routing, use the ip routing command. The Cisco IOS software command reference publications provide the complete syntax for the configuration commands and describe what the no form of a command does.

Many CLI commands also have a default form. By issuing the command default command-name, you can configure the command to its default setting. The Cisco IOS software command reference publications describe the function of the default form of the command when the default form performs a different function than the plain and no forms of the command. To see what default commands are available on your system, enter default ? in the appropriate command mode.

Saving Configuration Changes

Use the copy running-config startup-config command to save your configuration changes to the startup configuration so that the changes will not be lost if the software reloads or a power outage occurs. For example:

    Router# copy running-config startup-config
    Building configuration...

It might take a minute or two to save the configuration. After the configuration has been saved, the following output appears:

    [OK]
    Router#

On most platforms, this task saves the configuration to NVRAM. On the Class A Flash file system platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment variable. The CONFIG_FILE variable defaults to NVRAM.

Filtering Output from the show and more Commands

You can search and filter the output of show and more commands. This functionality is useful if you need to sort through large amounts of output or if you want to exclude output that you need not see. To use this functionality, enter a show or more command followed by the “pipe” character (|); one of the keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the expression is case sensitive):

    show command | {begin | include | exclude} regular-expression

The output matches certain lines of information in the configuration file.
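The begin, include and exclude modifiers described above, implemented in Python over a constructed sample of show interface output. This is an added example, not code from this guide or from Cisco IOS; the function names (parse_filtered_command, filter_output, run), the SAMPLE_SHOW_INTERFACE text and its indented detail lines are all constructed here. It shows the three behaviours that matter in practice: begin returns everything from the first match onward (not just the matching line), the regular expression is searched rather than anchored, and matching is case sensitive, so "include PROTOCOL" finds nothing.

```python
import re
from typing import List, Tuple

# Constructed sample of "show interface" output (not captured from a real router).
# The five "is up/down" summary lines mirror the guide's own example; the indented
# detail lines are made up here so that begin/exclude have something to skip.
SAMPLE_SHOW_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 172.16.0.1/24
Serial4/0 is up, line protocol is up
  Hardware is M4T
  MTU 1500 bytes, BW 1544 Kbit/sec
Serial4/1 is up, line protocol is up
  Hardware is M4T
Serial4/2 is administratively down, line protocol is down
  Hardware is M4T
Serial4/3 is administratively down, line protocol is down
  Hardware is M4T
"""

MODIFIERS = ("begin", "include", "exclude")


def parse_filtered_command(line: str) -> Tuple[str, str, str]:
    """Split 'show interface | include protocol' into (command, modifier, regex).

    Follows the syntax  show command | {begin | include | exclude} regular-expression.
    Only the first pipe separates the command from the modifier, and everything
    after the modifier keyword (trailing spaces included) is the regex.
    """
    command, sep, rest = line.partition("|")
    if not sep:
        raise ValueError("no output modifier present")
    modifier, _, pattern = rest.lstrip().partition(" ")
    if modifier not in MODIFIERS:
        raise ValueError(f"unknown output modifier {modifier!r}")
    if not pattern:
        raise ValueError("an output modifier needs a regular expression")
    return command.strip(), modifier, pattern


def filter_output(output: str, modifier: str, pattern: str) -> List[str]:
    """Apply one IOS-style output modifier to the lines of `output`.

    begin   - every line from the first match to the end of the output
    include - only the lines that match
    exclude - only the lines that do not match
    Matching is a case-sensitive search, as in IOS: anchor with ^ or $ when needed.
    """
    rx = re.compile(pattern)  # deliberately no re.IGNORECASE
    lines = output.splitlines()
    if modifier == "include":
        return [ln for ln in lines if rx.search(ln)]
    if modifier == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if modifier == "begin":
        for index, ln in enumerate(lines):
            if rx.search(ln):
                return lines[index:]
        return []
    raise ValueError(f"unknown output modifier {modifier!r}")


def run(line: str, output: str = SAMPLE_SHOW_INTERFACE) -> List[str]:
    """Parse a piped show command and apply its modifier to `output`."""
    _command, modifier, pattern = parse_filtered_command(line)
    return filter_output(output, modifier, pattern)


if __name__ == "__main__":
    for cmd in ("show interface | include protocol",
                "show interface | exclude ^ ",
                "show interface | begin Serial4/2",
                "show interface | include PROTOCOL"):
        print(f"Router# {cmd}")
        print("\n".join(run(cmd)) or "(no lines matched)")
        print()
```

The same parser accepts a command such as show running-config | include ^username, which is a common way to review the local accounts of a device during a configuration audit; the guide itself does not give that example, it is only a suggested use of the syntax.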
The following example illustrates how to use output modifiers with the show interface command when you want the output to include only lines in which the expression “protocol” appears:

    Router# show interface | include protocol
    FastEthernet0/0 is up, line protocol is up
    Serial4/0 is up, line protocol is up
    Serial4/1 is up, line protocol is up
    Serial4/2 is administratively down, line protocol is down
    Serial4/3 is administratively down, line protocol is down

For more information on the search and filter functionality, refer to the “Using the Command-Line Interface” chapter in the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide.

Finding Support Information for Platforms and Cisco Software Images

Cisco IOS software is packaged in feature sets consisting of software images that support specific platforms. The feature sets available for a specific platform depend on which Cisco IOS software images are included in a release. To identify the set of software images available in a specific release or to find out if a feature is available in a given Cisco IOS software image, you can use Cisco Feature Navigator or the software release notes.

Using Cisco Feature Navigator

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Using Software Advisor

To see if a feature is supported by a Cisco IOS release, to locate the software document for that feature, or to check the minimum software requirements of Cisco IOS software with the hardware installed on your router, Cisco maintains the Software Advisor tool on Cisco.com at http://tools.cisco.com/Support/Fusion/FusionHome.do. You must be a registered user on Cisco.com to access this tool.

Using Software Release Notes

Cisco IOS software releases include release notes that provide the following information:
• Platform support information
• Memory recommendations
• New feature information
• Open and resolved severity 1 and 2 caveats for all platforms

Release notes are intended to be release-specific for the most current release, and the information provided in these documents may not be cumulative in providing information about features that first appeared in previous releases. Refer to Cisco Feature Navigator for cumulative feature information.

Chapter 2 SIP, SSC, and SPA Product Overview

This chapter provides an introduction to SPA interface processors (SIPs), SPA services cards (SSCs), and shared port adapters (SPAs). It includes the following sections:
• Introduction to SIPs, SSCs, and SPAs, page 2-1
• SIP, SSC, and SPA Compatibility, page 2-4
• Modular Optics Compatibility, page 2-6

For more hardware details for the specific SIPs, SSCs, and SPAs that are supported on the Cisco 7600 series router, refer to the companion publication, Cisco 7600 Series Router SIP, SSC, and SPA Hardware Installation Guide.
Introduction to SIPs, SSCs, and SPAs

SIPs, SSCs, and SPAs are a new carrier card and port adapter architecture to increase modularity, flexibility, and density across Cisco Systems routers for network connectivity. This section describes the SIPs, SSCs, and SPAs and provides some guidelines for their use.

SPA Interface Processors

The following list describes some of the general characteristics of a SIP:
• A SIP is a carrier card that inserts into a router slot like a line card. It provides no network connectivity on its own.
• A SIP contains one or more subslots, which are used to house one or more SPAs. The SPA provides interface ports for network connectivity.
• During normal operation the SIP should reside in the router fully populated either with functional SPAs in all subslots, or with a blank filler plate (SPA-BLANK=) inserted in all empty subslots.
• SIPs support online insertion and removal (OIR) with SPAs inserted in their subslots. SPAs also support OIR and can be inserted or removed independently from the SIP.

SPA Services Cards

The following list describes some of the general characteristics of an SSC:
• An SSC is a carrier card that inserts into a router slot like a line card. It provides no network connectivity.
• An SSC provides one or more subslots, which are used to house one or more SPAs. The supported SPAs do not provide interface ports for network connectivity, but provide certain services.
• During normal operation the SSC should reside in the router fully populated either with functional SPAs in all subslots, or with a blank filler plate (SPA-BLANK=) inserted in all empty subslots.
• SSCs support online insertion and removal (OIR) with SPAs inserted in their subslots. SPAs also support OIR and can be inserted or removed independently from the SSC.
• Cisco IOS Release 12.2(33)SRE adds support for Route Switch Processor 720 10GE to the Cisco 7600 SSC-400.

Shared Port Adapters

The following list describes some of the general characteristics of a SPA:
• A SPA is a modular type of port adapter that inserts into a subslot of a compatible SIP carrier card to provide network connectivity and increased interface port density. A SIP can hold one or more SPAs, depending on the SIP type.
• Some SPAs provide services rather than network connectivity, and insert into subslots of compatible SSCs. For example, the IPSec VPN SPA provides services such as IP Security (IPSec) encryption/decryption, generic routing encapsulation (GRE), and Internet Key Exchange (IKE) key generation.
• SPAs are available in the following sizes, as shown in Figure 2-1 and Figure 2-2:
  – Single-height SPA—Inserts into one SIP subslot.
  – Double-height SPA—Inserts into two single, vertically aligned SIP subslots.

Figure 2-1 Single-Height and Double-Height SPA Sizes
[Figure: a single-height SPA and a double-height SPA shown at the front of a SIP]

Figure 2-2 Horizontal and Vertical Chassis Slot Orientation for SPAs

• Each SPA provides a certain number of connectors, or ports, that are the interfaces to one or more networks. These interfaces can be individually configured using the Cisco IOS command-line interface (CLI).
• Either a blank filler plate or a functional SPA should reside in every subslot of a SIP during normal operation to maintain cooling integrity. Blank filler plates are available in single-height form only.
• SPAs support online insertion and removal (OIR). They can be inserted or removed independently from the SIP. SIPs also support online insertion and removal (OIR) with SPAs inserted in their subslots.
[Figure 2-2: panel labels only. “Front of SIP, horizontal chassis slots” and “Vertical slot orientation”, each showing subslots SPA 0 through SPA 3, with a double-height SPA occupying two vertically aligned subslots.]

SIP, SSC, and SPA Compatibility

The following tables show SIP and SPA compatibility by SPA technology area on the Cisco 7600 series router.

Note For more information about the introduction of support for different SIPs and SPAs, refer to the “Release History” sections in the overview chapters of this document.

Table 2-1 SIP and SPA Compatibility Table for ATM SPAs
(SIP type columns: Cisco 7600 SIP-200, Cisco 7600 SIP-400, Cisco 7600 SIP-600, Cisco 7600 SSC-400)

1-Port, 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  Product ID: SPA-1xOC3-ATM-v2, SPA-2XOC3-ATM, SPA-3XOC3-ATMv2, SPA-4XOC3-ATM
  Supported on: SIP-200 Yes, SIP-400 Yes, SIP-600 No, SSC-400 No

1-Port OC-12c/STM-4 ATM SPA
  Product ID: SPA-1XOC12-ATM
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

1-Port OC-48c/STM-16 ATM SPA
  Product ID: SPA-1XOC48-ATM
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

Table 2-2 SIP and SPA Compatibility Table for Ethernet SPAs
(SIP type columns: Cisco 7600 SIP-200, Cisco 7600 SIP-400, Cisco 7600 SIP-600, Cisco 7600 SSC-400)

1-Port 10-Gigabit Ethernet SPA (see note 1)
  Product ID: SPA-1XTENGE-XFP
  Supported on: SIP-200 No, SIP-400 No, SIP-600 Yes, SSC-400 No
  Product ID: SPA-1X10GE-L-V2
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 Yes, SSC-400 No

2-Port Gigabit Ethernet SPA
  Product ID: SPA-2X1GE, SPA-2X1GE-V2
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

5-Port Gigabit Ethernet SPA
  Product ID: SPA-5X1GE
  Supported on: SIP-200 No, SIP-400 No, SIP-600 Yes, SSC-400 No
  Product ID: SPA-5X1GE-V2
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 Yes, SSC-400 No

10-Port Gigabit Ethernet SPA
  Product ID: SPA-10X1GE, SPA-10X1GE-V2
  Supported on: SIP-200 No, SIP-400 No, SIP-600 Yes, SSC-400 No

4-Port and 8-Port Fast Ethernet SPA
  Product ID: SPA-4X1FE-TX-V2, SPA-8X1FE-TX-V2
  Supported on: SIP-200 Yes, SIP-400 Yes, SIP-600 No, SSC-400 No

1. Only one 1-Port 10-Gigabit Ethernet SPA can be installed in a SIP-400 at a time; no other SPAs can be installed in the same SIP-400. Only one 1-Port 10-Gigabit or one 10-port 1-Gigabit Ethernet SPA can be installed on a SIP-600 at a time; no other SPAs can be installed on the same SIP-600.

Certain restrictions apply while using the SIP-600 and the IPSec VPN SPA on the same chassis:
• The SIP-600 should not be installed in the same chassis with an IPSec VPN SPA when running SXF.
• The SIP-600 is not supported in 12.2(33)SRA.
• Starting with 12.2(33)SRB, the SIP-600 and IPSec VPN SPA can be present in the same chassis. However, SIP-600 subinterfaces cannot be used when VPN crypto-connect mode is configured.

Table 2-3 SIP and SPA Compatibility Table for the IPSec VPN SPA
(SIP type columns: Cisco 7600 SIP-200, Cisco 7600 SIP-400, Cisco 7600 SIP-600, Cisco 7600 SSC-400)

IPSec VPN SPA
  Product ID: SPA-IPSEC-2G
  Supported on: SIP-200 No, SIP-400 No, SIP-600 No, SSC-400 Yes

Table 2-4 SIP and SPA Compatibility Table for POS SPAs
(SIP type columns: Cisco 7600 SIP-200, Cisco 7600 SIP-400, Cisco 7600 SIP-600, Cisco 7600 SSC-400)

2-Port and 4-Port OC-3c/STM-1 POS SPA
  Product ID: SPA-2XOC3-POS, SPA-4XOC3-POS
  Supported on: SIP-200 Yes, SIP-400 Yes, SIP-600 No, SSC-400 No

1-Port OC-12c/STM-4 POS SPA
  Product ID: SPA-1XOC12-POS
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

1-Port OC-48c/STM-16 POS SPA
  Product ID: SPA-1XOC48-POS/RPR
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

2-Port and 4-Port OC-48c/STM-16 POS SPA
  Product ID: SPA-2XOC48-POS/RPR, SPA-4XOC48-POS/RPR
  Supported on: SIP-200 No, SIP-400 No, SIP-600 Yes, SSC-400 No

1-Port OC-192c/STM-64 POS/RPR SPA
  Product ID: SPA-OC192POS-LR, SPA-OC192POS-VSR, SPA-OC192POS-XFP
  Supported on: SIP-200 No, SIP-400 No, SIP-600 Yes, SSC-400 No

1-Port Channelized OC-12/STM-4 SPA
  Product ID: SPA-1XCHOC12/DS0
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

Table 2-5 SIP and SPA Compatibility Table for Serial SPAs
(SIP type columns: Cisco 7600 SIP-200, Cisco 7600 SIP-400, Cisco 7600 SIP-600, Cisco 7600 SSC-400)

1-Port Channelized OC-3/STM-1 SPA
  Product ID: SPA-1XCHSTM1/OC3
  Supported on: SIP-200 Yes, SIP-400 Yes, SIP-600 No, SSC-400 No

2-Port and 4-Port Channelized T3 SPA
  Product ID: SPA-2XCT3/DS0, SPA-4XCT3/DS0
  Supported on: SIP-200 Yes, SIP-400 Yes, SIP-600 No, SSC-400 No

2-Port and 4-Port Clear Channel T3/E3 SPA
  Product ID: SPA-2XT3/E3, SPA-4XT3/E3
  Supported on: SIP-200 Yes, SIP-400 Yes, SIP-600 No, SSC-400 No

8-Port Channelized T1/E1 SPA
  Product ID: SPA-8XCHT1/E1
  Supported on: SIP-200 Yes, SIP-400 Yes, SIP-600 No, SSC-400 No

1-Port Channelized OC-12/STM-4 SPA
  Product ID: SPA-1XCHOC12/DS0
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

Table 2-6 SIP and SPA Compatibility Table for CEoP SPAs
(SIP type columns: Cisco 7600 SIP-200, Cisco 7600 SIP-400, Cisco 7600 SIP-600, Cisco 7600 SSC-400)

1-Port Channelized OC-3 STM1 ATM CEoP SPA
  Product ID: SPA-1CHOC3-CE-ATM
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

24-Port Channelized T1/E1 ATM CEoP SPA
  Product ID: SPA-24CHT1-CE-ATM
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

2-Port Channelized T3/E3 ATM CEoP SPA
  Product ID: SPA-2CHT3-CE-ATM
  Supported on: SIP-200 No, SIP-400 Yes, SIP-600 No, SSC-400 No

Modular Optics Compatibility

Some SPAs implement small form-factor pluggable (SFP) optical transceivers to provide network connectivity. An SFP module is a transceiver device that mounts into the front panel to provide network connectivity. Cisco Systems qualifies the SFP modules that can be used with SPAs.

Note The SPAs will only accept the SFP modules listed as supported in this document. An SFP check is run every time an SFP module is inserted into a SPA and only SFP modules that pass this check will be usable.

Table 2-7 shows the optics modules qualified for use with a SPA.

Table 2-7 SPA Optics Compatibility
(columns: SPA; Qualified Optics Modules (Cisco Part Numbers))

1-port and 3-port ATM V2 SPA; 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  • ONS-SC-155-EL

1-Port and 3-port OC-3c/STM-1 ATM SPA-v2
  • SFP-OC3-MM
  • SFP-OC3-SR
  • SFP-OC3-IR1
  • SFP-OC3-LR1
  • SFP-OC3-LR2
  • ONS-SC-155-EL

1-Port OC-12c/STM-4 ATM SPA
  • SFP-OC12-MM
  • SFP-OC12-SR
  • SFP-OC12-IR1
  • SFP-OC12-LR1
  • SFP-OC12-LR2

1-Port OC-48c/STM-16 ATM SPA
  • SFP-OC48-IR1
  • SFP-OC48-SR

1-Port 10-Gigabit Ethernet SPA
  • XFP-10GLR-OC192SR
  • XFP-10GER-OC192IR
  • XFP-10GZR-OC192LR
  • XFP-10F-MM-SR (Supported only on SIP-400 and SIP-600 from Cisco IOS Release 12.2(33)SRE)
  • X2-DWDM on RSP720
  • X2-10GB-LRM/ZR on RSP720

2-Port Gigabit Ethernet SPA
  • SFP-GE-S
  • SFP-GE-L
  • SFP-GE-Z
  • SFP-GE-T

5-Port Gigabit Ethernet SPA
  • SFP-GE-S
  • SFP-GE-L
  • SFP-GE-Z
  • SFP-GE-T

10-Port Gigabit Ethernet SPA
  • SFP-GE-S
  • SFP-GE-L
  • SFP-GE-Z
  • SFP-GE-T

2-Port and 4-Port OC-3c/STM-1 POS SPA
  • SFP-OC3-MM
  • SFP-OC3-SR
  • SFP-OC3-IR1
  • SFP-OC3-LR1
  • SFP-OC3-LR2
  • ONS-SC-155-EL

1-Port OC-12c/STM-4 POS SPA
  • SFP-OC12-MM
  • SFP-OC12-SR
  • SFP-OC12-IR1
  • SFP-OC12-LR1
  • SFP-OC12-LR2

1-Port OC-48c/STM-16 POS SPA
  • SFP-OC48-SR
  • SFP-OC48-IR1
  • SFP-OC48-LR2

1-Port Channelized OC-3 STM1 ATM CEoP SPA
  • SFP-OC3-MM
  • SFP-OC3-SR
  • SFP-OC3-IR1
  • SFP-OC3-LR1
  • SFP-OC3-LR2
  • ONS-SC-155-EL
  • STM1E-SFP

1-Port Channelized OC-12/STM-4 SPA (Supported on SIP-400 from 12.2(33)SRD1)
  • SFP-OC12-MM
  • SFP-OC12-SR
  • SFP-OC12-IR1
  • SFP-OC12-LR1
  • SFP-OC12-LR2

Part 2 SPA Interface Processors and SPA Services Cards

Chapter 3 Overview of the SIPs and SSC

This chapter provides an overview of the release history, and feature and Management Information Base (MIB) support for the Cisco 7600 SIP-200, Cisco 7600 SIP-400, Cisco 7600 SIP-600, and Cisco 7600 SSC-400.
This chapter includes the following sections:
• Release History, page 3-1
• Supported SIP Features, page 3-5
• Supported SSC Features, page 3-19
• Restrictions, page 3-19
• Supported MIBs, page 3-24
• Displaying the SIP and SSC Hardware Type, page 3-26
• SIP-200 and SIP-400 Network Clock Distribution, page 3-27

Release History

Note For release history information about the introduction of SPA support on the SIPs, refer to the corresponding “Overview” chapters in the SPA technology sections of this document. In addition, features specific to certain SPA technologies are documented in the corresponding SPA sections of this document.

Release: Cisco IOS Release 12.2(33)SRE3
  Modification: Support added to disable Network Processor crashinfo for all the Network Processor exceptions.

Release: Cisco IOS Release 15.0(1)S
  Modification: Support for the following features was introduced:
  • 1-Port Clear Channel OC-3 ATM SPA Version 2
  • 3-Port Clear Channel OC-3 ATM SPA Version 2
  • 1-Port Clear Channel OC-12 ATM SPA Version 2

Release: Cisco IOS Release 12.2(33)SRE
  Modification: Support for the following features was added:
  • RSP720-10GE supervisor engine was added for SSC-400
  • IPv6 Hop-by-Hop Header Security on SIP-200
  • Access Circuit Redundancy on 2-Port OC-3c/STM-1 ATM SPA on SIP-400
  • VC QoS on VP-PW on SIP-400

Release: Cisco IOS Release 12.2(33)SRD1
  Modification: Support for IPv6 Hop-by-Hop Header Security and 1xCHOC12STM4 SPA on SIP-400 was introduced.

Release: Cisco IOS Release 12.2(33)SRD
  Modification: Support for the following features was introduced:
  • AToM - ATM Cell Relay over MPLS, Port Mode on SIP400/SIP200
  • SPA-8X1FE-TX-V2 & SPA-4X1FE-TX-V2 on SIP400
  • Hierarchical Queuing Framework (HQF)
  • CLI to control DBUS CoS priority on SIP400
  • Private host SVI (Interface VLAN)
  • Asymmetric Carrier Delay on SIP-200/400/600

Release: Cisco IOS Release 12.2(33)SRC
  Modification: Support for the following features was introduced:
  • CT3 CEoP on c7600-SIP-400
  • Accelerated Lawful Intercept on Cisco 7600 SIP-400
  • CoPP Enhancements of Cisco 7600 SIP-400
  • PPPoEoE on Cisco 7600 SIP-400
  • Source IPv4 and Source MAC Address Binding on Cisco 7600 SIP-400
  • 12in1 Serial SPA support on 7600/SIP200
  • IMA on SIP-400 for 24xT1/E1 CEOP and 1xOC3 CEOP SPAs
  • IGMP Snooping support on SIP-200
  • AFC and PFC support on Multilink Interface on SIP-200 for 2- and 4-port CT3, 8-port channelized T1/E1, and 1-port channelized OC3/STM-1 SPAs
  • Programmable BERT patterns enhancement on SIP-200 for 2- and 4-port channelized T3 and 1-port channelized OC3/STM-1 SPAs
  • TDM Local switching
  • Phase 2 Local Switching Redundancy
  • SPA-1xCHSTM1/OC3
  • Cisco Channelized T3 to DS0 Shared Port Adapter (SPA-2XCT3/DS0, SPA-4XCT3/DS0)
  • Cisco 8-Port Channelized T1/E1 Shared Port Adapter (SPA-8XCHT1/E1)
  • Cisco Clear Channel T3/E3 Shared Port Adapter (SPA-2XT3/E3, SPA-4XT3/E3)

Release: Cisco IOS Release 12.2(33)SRB1
  Modification: Support for the following features was introduced:
  • MTU support on MLPPP interfaces on a Cisco 7600 SIP-200
  • Any Transport over MPLS over GRE (AToM over GRE) on a Cisco 7600 SIP-400

Release: Cisco IOS Release 12.2(33)SRB
  Modification: Support for the following features was introduced:
  • Software-based MLP bundles from 256 to 1024 on a Cisco 7600 SIP-200
  • Lawful Intercept on a Cisco 7600 SIP-400
  • Per-subscriber/per-protocol CoPP support on a Cisco 7600 SIP-400
  • Security ACLs on a Cisco 7600 SIP-400
  • Percent priority/percent bandwidth support on a Cisco 7600 SIP-400
  • Network Clock Support on a Cisco 7600 SIP-200
  • IGMP/PIM snooping for VPLS pseudowire on a Cisco 7600 SIP-400
  • Dual-priority queue support on a Cisco 7600 SIP-400

Release: Cisco IOS Release 12.2(33)SRA
  Modification: Support for the following features was introduced on the Cisco 7600 SIP-200:
  • Bridge Control Protocol (BCP) over dMLPPP
  • MPLS over RBE
  • Multi-VC to VLAN Scalability
  • QoS support on bridging features
  • Software-based dMLPPP
  • Software-based dMLFR
  • Tag-Native Mode for Trunk BCP
  Support for the following features was introduced on the Cisco 7600 SIP-400:
  • Ethernet over MPLS (EoMPLS) VC Scaling
  • Ingress/Egress CoS classification with ingress policing per VLAN or EoMPLS VC
  • Hierarchical VPLS (H-VPLS) with MPLS Edge
  • Hierarchical QoS support for Ethernet over MPLS (EoMPLS) VCs
  • Multipoint Bridging (MPB)
  • Multi-VC to VLAN scalability
  • Multi-VLAN to VC support
  • QoS support on bridging features
  • Tag-Native Mode for Trunk BCP

Release: Cisco IOS Release 12.2(18)SXF
  Modification: Support for the following SIP hardware was introduced on the Cisco 7600 series router and Catalyst 6500 series switch:
  • Cisco 7600 SIP-600
  Support for the following features was introduced on the Cisco 7600 SIP-400:
  • Policing by committed information rate (CIR) percentage
  • QoS matching on class of service (CoS)—2-Port Gigabit Ethernet SPA only

Release: Cisco IOS Release 12.2(18)SXE2
  Modification: Support for the following SPA services card (SSC) was introduced on the Cisco 7600 series router and Catalyst 6500 series switch:
  • Cisco 7600 SSC-400

Release: Cisco IOS Release 12.2(18)SXE
  Modification: Support for the following SPA interface processor (SIP) hardware was introduced on the Cisco 7600 series router and Catalyst 6500 series switch:
  • Cisco 7600 SIP-200
  • Cisco 7600 SIP-400

Supported SIP Features

The Cisco 7600 SIP-200, Cisco 7600 SIP-400, and Cisco 7600 SIP-600 are high-performance, feature-rich SPA interface processors that function as carrier cards for shared port adapters (SPAs) on the Cisco 7600 series router.
These SIPs are supported on the Cisco 7600 series router and Catalyst 6500 series switch, and are compatible with one or more platform-independent SPAs. For more information on SPA compatibility, see the “SIP, SSC, and SPA Compatibility” section on page 2-4. The Cisco 7600 series router is an edge aggregation router, and the SIPs provide a cost-effective solution for customers seeking moderate- to high-port density and line rate services: • The Cisco 7600 SIP-200 provides WAN edge aggregation through lower-speed and low-density SPAs for network environments requiring regional office connectivity to headquarters, or collapsed LAN/WAN deployment. • The Cisco 7600 SIP-400 provides higher-speed, high-density link aggregation for network environments requiring leased line and metro aggregation. • The Cisco 7600 SIP-600 provides a high-speed interface for WANs and metro aggregation. This section provides a list of some of the primary features supported by the SIP hardware and software. For feature compatibility information by SIP and SPA combination, and information about configuring these features, see Chapter 4, “Configuring the SIPs and SSC.” Cisco 7600 SIP-200 Features • Field-programmable device (FPD) upgrade support The Cisco 7600 SIP-200 supports the standard FPD upgrade methods for the Cisco 7600 series router. 
For more information about FPD support, see Chapter 35, “Upgrading Field-Programmable Devices.” Cisco 7600 SIP-200 High-Availability Features • Automatic protection switching (APS)—ATM and POS SPAs • Multilink PPP APS performance improvements to decrease switchover time • Online insertion and removal (OIR) of the SIP and SPAs • Nonstop Forwarding (NSF) • Stateful switchover (SSO)—Not supported with dMLFR feature (dMLFR only supports RPR+) Cisco 7600 SIP-200 ATM Features • Aggregate Weighted Random Early Detection (WRED) • ATM Adaptation Layer 5 (AAL5) Subnetwork Access Protocol (SNAP) • AAL5 over Multiprotocol Label Switching (MPLS) • ATM Cell Relay over MPLS in Port Mode • ATM virtual circuit (VC) bundles • RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Multipoint Bridging (MPB) on the 2-Port and 4-Port OC-3c/STM-1 ATM SPA3-6 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 3 Overview of the SIPs and SSC Supported SIP Features • VC bundle Class of Service (CoS) precedence mapping For a comprehensive list of supported and unsupported ATM features, SIP-dependent features, and restrictions see Chapter 6, “Overview of the ATM SPAs.” Cisco 7600 SIP-200 Frame Relay Features For additional Frame Relay features, see also the MPLS and Quality of Service (QoS) feature sections. Note Based on your link configuration, Multilink PPP (MLPPP) and Multilink Frame Relay (MLFR) are either software-based on the Cisco 7600 SIP-200, or hardware-based on the 8-Port Channelized T1/E1 SPA, 2-Port and 4-Port Channelized T3 SPA, and 1-Port Channelized OC-3/STM-1 SPA. For more information, see the corresponding configuration chapters for the SIPs and the serial SPAs. 
• Distributed Multilink Frame Relay (dMLFR) (FRF.16)
• Frame Relay over MPLS (FRoMPLS)
• Frame Relay VC bundles
• Frame Relay switching
• RFC 1490, Multiprotocol Interconnect over Frame Relay, Multipoint Bridging (MPB) on the 2-Port and 4-Port Clear Channel T3/E3 SPA, 2-Port and 4-Port Channelized T3 SPA, and the 8-Port Channelized T1/E1 SPA
• VC bundle Class of Service (CoS) precedence mapping

Cisco 7600 SIP-200 MPLS Features
• Explicit null
• Label disposition
• Label imposition
• Label swapping
• QoS tunneling
• Virtual private network (VPN) routing and forwarding (VRF) instance description
• dMLPPP with MPLS on VPN—Supported between the customer edge (CE) and provider edge (PE) devices
• Any Transport over MPLS (AToM) support, including:
  – ATM over MPLS (ATMoMPLS)—AAL5 VC mode
  – ATM Cell Relay over MPLS—Port Mode
  – Ethernet over MPLS (EoMPLS)—(Single cell relay) VC mode
  – Frame Relay over MPLS (FRoMPLS)
  – FRoMPLS with dMLFR—Supported between the CE and PE devices
  – High-Level Data Link Control (HDLC) over MPLS (HDLCoMPLS)
  – PPP over MPLS (PPPoMPLS)—Not supported with dMLPPP or dLFI
• Hierarchical QoS for EoMPLS VCs
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-200 adds the following MPLS feature support:
• MPLS over RBE—ATM SPAs only
Beginning in Cisco IOS Release 12.2(33)SRB, the Cisco 7600 SIP-200 adds the following support:
• Software-based MLP bundles from 256 to 1024

Cisco 7600 SIP-200 MPLS Classification
• Default copy of IP precedence to MPLS experimental (EXP) bit
• Match on MPLS EXP bit using Modular QoS CLI (MQC)

Cisco 7600 SIP-200 MPLS Congestion Management
• Low latency queueing (LLQ)
• Class-based weighted fair queueing (CBWFQ)

Cisco 7600 SIP-200 MPLS Encapsulations
• ATM AAL5 SNAP
• Frame Relay
• HDLC
• MLPPP
• PPP

Cisco 7600 SIP-200 MPLS Marking
• Set MPLS EXP bit using MQC

Cisco 7600 SIP-200 MPLS Traffic Shaping
• Traffic shaping using MQC

Cisco 7600 SIP-200 Multiservice Features
• Compressed Real-Time Protocol (CRTP)
• FRF.11—Supported only in Cisco IOS Release 12.2(18)SXE and Cisco IOS Release 12.2(18)SXE2; support for this feature was removed in Cisco IOS Release 12.2(18)SXF

Cisco 7600 SIP-200 QoS Features
This section provides a list of the Quality of Service (QoS) features that are supported by the Cisco 7600 SIP-200.

Cisco 7600 SIP-200 ATM SPA QoS Implementation
For the 2-Port and 4-Port OC-3c/STM-1 ATM SPA, the following applies:
• In the ingress direction, all Quality of Service (QoS) features are supported by the Cisco 7600 SIP-200.
• In the egress direction:
  – All queueing-based features (such as class-based weighted fair queueing [CBWFQ], and ATM per-VC WFQ) are implemented on the Segmentation and Reassembly (SAR) processor on the SPA.
  – Policing is implemented on the SIP.
  – Class queue shaping is not supported.
Cisco 7600 SIP-200 Packet Marking
• IP precedence
• Differentiated Services Code Point (DSCP)
• Class-based marking
• ATM cell loss priority (CLP) to EXP marking/Type of Service (ToS)/DSCP
• Frame Relay discard eligibility (DE) to EXP marking/ToS/DSCP

Cisco 7600 SIP-200 Policing and Dropping
• Aggregate
• Dual rate
• Hierarchical
• DSCP Markdown
• Policing—Precedence, DSCP marking
• Policing—EXP marking
• Policing—Setting priority percent on a policy map
• Explicit Drop in Class
• Matching packet length
• IPv6 Hop-by-Hop Header Security on SIP-200

Cisco 7600 SIP-200 Classification Into a Queue
• MPLS EXP
• ACL number
• Configurable queue size
• Network-based application recognition (NBAR)/dSTILE (the NBAR feature is not supported in Release 15.0(1)S and later releases)

Cisco 7600 SIP-200 Congestion Management
• Weighted fair queueing (WFQ)
• Class-based weighted fair queueing (CBWFQ)
• Per-VC CBWFQ
• Allocation, DSCP, EXP and precedence matching
• LLQ or priority queueing (strict priority only)
• Configurable LLQ burst size

Cisco 7600 SIP-200 Congestion Avoidance
• Random early detection (RED)
• Weighted random early detection (WRED)
• DiffServ-compliant WRED
• Aggregate WRED—ATM SPAs only

Cisco 7600 SIP-200 Shaping
• Generic traffic shaping (GTS)/Distributed traffic shaping (DTS)
• Hierarchical service policy with GTS
• Hierarchical traffic shaping with Frame Relay (FR)
• Hierarchical traffic shaping FR adaptive to FECN, BECN (Cisco 7600 SIP-200 only)
• Hierarchical traffic shaping for PPP and HDLC
• Ingress shaping
• Egress shaping

Note: Egress shaping is not supported on the Cisco 7600 SIP-200 for the 2-Port and 4-Port OC-3c/STM-1 ATM SPA.

• Shaping by percentage

Cisco 7600 SIP-200 Other QoS Features
• Hierarchical QoS for EoMPLS VCs
• QoS with MLPPP
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-200 adds the following QoS feature support:
• QoS on bridging features

Cisco 7600 SIP-200 Fragmentation Features
• FRF.12

Cisco 7600 SIP-200 Layer 2 Protocols and Encapsulation
• AAL5 Network Layer Protocol ID (NLPID)
• AAL5 SNAP
• Cisco Frame Relay
• IETF Frame Relay
• Frame Relay two-octet header
• Frame Relay BECN/FECN
• Frame Relay PVC
• Frame Relay UNI
• HDLC
• MLPPP
• PPP

Cisco 7600 SIP-200 Layer 2 Interworking
• ATM VC trunk emulation
• Bridged and routed RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5
• RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Multipoint Bridging (MPB)
• RFC 1490, Multiprotocol Interconnect over Frame Relay, Multipoint Bridging (MPB)
• Bridging of Routed Encapsulations (BRE)
• Routed bridged encapsulation (RBE)

Note: RBE is not supported when using the Intermediate System-to-Intermediate System (IS-IS) routing protocol.

• RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP)
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-200 adds the following Layer 2 interworking feature support:
• BCP support on 8-Port Channelized T1/E1 SPA, 2-Port and 4-Port Channelized T3 SPAs, 1-Port Channelized OC-3/STM-1 SPA, 2-Port and 4-Port Clear Channel T3/E3 SPAs, and 2-Port and 4-Port OC-3c/STM-1 POS SPAs
• BCP (trunk mode) support over MLPPP on 8-Port Channelized T1/E1 SPA, 2-Port and 4-Port Channelized T3 SPAs, and 1-Port Channelized OC-3/STM-1 SPA
• Multi-VC to VLAN scalability
• QoS support on bridging
• Software-based MLPPP
• Software-based MLFR
• Asymmetric Carrier Delay

Cisco 7600 SIP-400 Features
• FPD upgrade support—The Cisco 7600 SIP-400 supports the standard FPD upgrade methods for the Cisco 7600 series router. For more information about FPD support, see Chapter 35, “Upgrading Field-Programmable Devices.”
• Lawful Intercept—The Cisco 7600 SIP-400 supports Lawful Intercept in Cisco IOS Release 12.2(33)SRB and later releases.
• Starting in Cisco IOS Release 12.2(33)SRE, the SIP-400 supports IEEE 802.1ag Draft 8.1 compliant Connectivity Fault Management (CFM) on EVC (VPLS and pseudowire). This includes the ability to configure 802.1ag on an EVC that is configured with xconnect, as well as for monitoring the VPLS core, as listed below:
  – Support for CFM on an EFP that is configured for EoMPLS using xconnect (scalable EoMPLS) or is connected to a bridge domain with VPLS uplink
  – Support for monitoring the VPLS core using CFM on the VFI
  See details of CFM and 802.1ag configuration at http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html

Note: Network Processor crashinfo, also known as eventinfo, is disabled for all Network Processor exceptions by default.
Cisco 7600 SIP-400 High-Availability Features
• Automatic protection switching (APS)—ATM and POS SPAs
• Multilink PPP APS performance improvements to decrease switchover time with PPP/MLPPP bundles
• Online insertion and removal (OIR) of the SIP and SPAs
• Stateful switchover (SSO)
• Access Circuit Redundancy (ACR) and ACR QoS on all the following ATM SPAs on SIP-400:
  – 2-Port OC-3c/STM-1 ATM SPA
  – 1-Port OC-12c/STM-4 ATM SPA
  – 1-Port OC-48c/STM-16 ATM SPA

Cisco 7600 SIP-400 MPLS Features

Note: For the Cisco 7600 SIP-400, the following MPLS features are implemented on the Supervisor Engine 720 (PFC3B and PFC3BXL) and the Route Switch Processor 720 (PFC3C and PFC3CXL): label imposition, label swapping, label disposition, explicit null, default copy of IP precedence to EXP bit classification, and QoS tunneling. For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600 series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 at the following URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html

• VRF description
• Any Transport over MPLS (AToM) support, including:
  – ATMoMPLS—AAL0 mode (single cell relay only)
  – ATMoMPLS—AAL5 mode
  – ATMoMPLS—Port Mode
  – EoMPLS—Port mode
  – EoMPLS—VLAN mode
  – FRoMPLS—DLCI mode
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 adds the following MPLS feature support:
• Ethernet over MPLS (EoMPLS) VC scaling
• Ingress/Egress CoS classification with ingress policing per VLAN or EoMPLS VC
• Hierarchical VPLS (H-VPLS) with MPLS Edge
• Hierarchical QoS support for Ethernet over MPLS (EoMPLS) VCs
Effective from Cisco IOS Release 15.1(01)S, the Cisco 7600 SIP-400 adds support for:
• Hot-Standby PseudoWire (HSPW) support for Ethernet, ATM and TDM ACs

Cisco 7600 SIP-400 MPLS Congestion Management
• LLQ
• CBWFQ

Cisco 7600 SIP-400 MPLS Encapsulations
• ATM AAL5 SNAP
• Ethernet with 802.1q
• Frame Relay
• HDLC
• Generic Routing Encapsulation (GRE)
• PPP

Cisco 7600 SIP-400 MPLS Marking
• Set MPLS EXP bits at tag imposition using MQC (set mpls-experiment command)—Input IP interface
• Set MPLS EXP bits on topmost label (set EXP topmost) using MQC (set mpls-experiment topmost command)—Input and output MPLS interface
• Mapping Ethernet 802.1q priority bits to MPLS EXP bits for EoMPLS

Cisco 7600 SIP-400 QoS Features
This section provides a list of the Quality of Service (QoS) features that are supported by the Cisco 7600 SIP-400.

Cisco 7600 SIP-400 Packet Marking
• IP precedence (set ip precedence command)—Input and output
• DSCP (set dscp command)—Input and output
• Class-based marking
• DE to EXP marking/ToS/DSCP
• CLP to EXP marking/ToS/DSCP
• Ethernet 802.1q priority bits to EXP marking (EoMPLS)

Cisco 7600 SIP-400 Policing and Dropping
• Dual rate
• Hierarchical
• Dual-rate policer with three-color marker
• Policing—Percent
• Policing—Precedence, DSCP marking
• Policing—EXP marking
• Policing—Set ATM CLP, FR DE
• Policing—Set MPLS EXP bits on topmost label (set EXP topmost)
• Policing—Setting priority percent on a policy map
• Explicit Drop in Class
• IPv6 Hop-by-Hop Header Security
• Triple nesting QoS on policy-maps

Cisco 7600 SIP-400 Classification Into a Queue
• Access control lists (IPv4 and IPv6)
  – Access group (match access-group command)—Input and output
  – Address (IPv6 compress mode only)
  – Name
  – Number
  – Source and destination port
  – TCP flag (IPv4 only)
• ATM CLP (match atm clp command)—Input ATM interface
• Configurable queue size
• CoS (match cos command)—Input and output dot1q tagged frames
• Frame Relay DE (match fr-de command)—Input Frame Relay interface
• Inner CoS (match cos inner command)
• IP DSCP (match dscp command)—Input and output
• IP precedence (match ip precedence command)—Input and output
• MPLS EXP (match mpls experimental command)—Input and output MPLS interface
• Multiple matches per class map (up to 8)
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 adds the following QoS classification feature support:
• Ingress/Egress CoS classification with ingress policing per VLAN or EoMPLS VC
Beginning in Cisco IOS Release 12.2(33)SRE, support is added for:
• Modular QoS CLI (MQC) policy support existing on the ATM VC is extended to the ATM PVP on the 2-Port and 4-Port OC-3c/STM-1 ATM SPA and the following three flavors of CEoP SPA:
  – SPA-24XT1E1-CE
  – SPA-1XOC3-CE
  – SPA-2XT3E3-CE
• ATM VCI (match atm-vci command)—Input ATM PVP interface is added to the ATM VP

Cisco 7600 SIP-400 Congestion Management
• CBWFQ
• Per-VC CBWFQ
• DSCP, EXP and Precedence matching
• LLQ or priority queueing (strict priority only)

Note: For the 12.2(33)SRD release, a parent shaper or conditional policer has no effect when only LLQ traffic is flowing through a physical port. For example, if only 200 Mbps of LLQ traffic is flowing, a 100-Mbps parent shaper gives the full 200-Mbps output. However, if the ratio of LLQ to non-LLQ traffic on a subinterface is such that the LLQ rate is higher than the non-LLQ rate, the shaper output is inaccurate. (For example, on a system configured for 200 Mbps of LLQ and 500 kbps of non-LLQ, a 100-Mbps parent shaper gives 165-Mbps output.) Therefore, we recommend that customers configure an explicit policer if the LLQ traffic rate might exceed the parent shape rate, which could starve regular traffic significantly.
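The following is an added configuration example, not taken from this guide, illustrating the explicit-policer recommendation in the note above: the priority class carries its own police statement so that LLQ traffic is capped at a fixed rate below the parent shape rate, instead of relying on the conditional policer that priority alone implies (which, per the note, does not act when only LLQ traffic is flowing). The class-map name VOICE, the DSCP match, the policy-map names, the rates and the interface GigabitEthernet3/0/0.100 are constructed placeholders; the MQC keywords are standard Cisco IOS syntax, but whether each keyword is accepted on a given SIP, SPA and release combination must be confirmed against the configuration chapters and the restriction lists in this guide.

```ios
! Added example (not from this guide): hierarchical shaper with an explicit
! policer on the LLQ class. Names, rates and the interface are constructed.
!
! Child policy: VOICE is the priority (LLQ) class. The "police" line is the
! explicit policer the note recommends. Without it, LLQ traffic that exceeds
! the 100 Mbps parent shape rate can starve class-default traffic.
class-map match-any VOICE
 match dscp ef
!
policy-map CHILD
 class VOICE
  priority
  police cir 20000000 conform-action transmit exceed-action drop
!
! Parent policy: shapes the whole subinterface to 100 Mbps and nests the
! child policy, so the LLQ cap (20 Mbps) is always below the parent rate.
policy-map PARENT
 class class-default
  shape average 100000000
  service-policy CHILD
!
interface GigabitEthernet3/0/0.100
 encapsulation dot1Q 100
 service-policy output PARENT
```

To confirm the policer is actually bounding the priority class, watch the conform and exceed counters for class VOICE in the output of show policy-map interface for the subinterface while priority traffic is offered above 20 Mbps; exceed drops rising while class-default keeps forwarding is the intended behaviour, whereas class-default starving with no exceed drops indicates the policer is not taking effect on that SIP, SPA or release.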
• Hierarchical Queuing Framework (HQF)
• Dual-priority queuing
• CLI to control DBUS CoS queuing
  This feature allows users to configure which DBUS CoS values are mapped to the high-priority queue in the SIP-400 switch. The hw-module slot slot queue priority switch-fpga output cos values|none command is used on the Routing Processor (RP) to configure the priority values.

Cisco 7600 SIP-400 Congestion Avoidance
• RED
• WRED
• DiffServ-compliant WRED
• Aggregate WRED—ATM SPAs only

Cisco 7600 SIP-400 Shaping
• Hierarchical traffic shaping using class-default (not supported for user-defined class)
• Hierarchical traffic shaping FR
• Hierarchical traffic shaping for PPP and HDLC
• Egress shaping

Cisco 7600 SIP-400 Fragmentation Features
• dLFI with ATM

Cisco 7600 SIP-400 Layer 2 Protocols and Encapsulation
• PPP
• AAL5 SNAP
• HDLC
• Cisco Frame Relay
• IETF Frame Relay
• Frame Relay two-octet header
• Frame Relay BECN/FECN
• Frame Relay PVC
• Frame Relay UNI

Cisco 7600 SIP-400 Layer 2 Interworking
• Bridged and routed RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5
• RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP), on the 2-Port and 4-Port OC-3c/STM-1 POS SPA and 1-Port OC-12c/STM-4 POS SPA.
Beginning in Cisco IOS Release 12.2(33)SRB1, the Cisco 7600 SIP-400 supports:
• Backup Interface for Flexible UNI (for Gigabit Ethernet SPAs)
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 supports:
• BCP on POS SPAs (OC-3c/STM-1, OC-12c/STM-4, OC-48c/STM-16, and OC-192c/STM-64)
• Multipoint Bridging (MPB)
• Multi-VC to VLAN scalability
• QoS support on bridging features
• L2VPN Interworking (Ethernet VLAN to ATM AAL5)
  Six types of configurations for L2VPN Interworking (Ethernet VLAN to ATM AAL5) are supported on the SIP-400. For configuration procedures, refer to the following URL: http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_l2vpn_intrntwkg.html
• Asymmetric Carrier Delay
• BFD for VCCV (Phase 1) Type1 Support on SIP-400 to verify and diagnose the forwarding path of pseudowires

Cisco 7600 SIP-600 Features
• FPD upgrade support—The Cisco 7600 SIP-600 supports the standard FPD upgrade methods for the Cisco 7600 series router. For more information about FPD support, see Chapter 35, “Upgrading Field-Programmable Devices.”
• Layer 2 switch port
• EtherChannel and Link Aggregate Control Protocol (IEEE 802.3ad)
• Control Plane Policing (CoPP)
• Cisco IOS Release 12.2(33)SRE and later releases introduce support for IEEE 802.1ag Draft 8.1 compliant Connectivity Fault Management (CFM) on EVC on SIP-600. This includes the ability to configure 802.1ag to monitor the VPLS core using CFM on the VFI. See details of CFM and 802.1ag configuration at http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html.
Cisco 7600 SIP-600 High Availability Features
• Automatic protection switching (APS)
• Online insertion and removal (OIR) of the SIP and SPAs
• Nonstop Forwarding (NSF)
• Stateful switchover (SSO)

Cisco 7600 SIP-600 MPLS Features
• Unicast switching, with specific support for up to six label push operations, one label pop operation (two label pop operations in case of Explicit Null), or one label swap with up to five label push operations, at each MPLS switch node
• Support for Explicit Null label to preserve CoS information when forwarding packets from provider (P) to provider edge (PE) routers
• Support for Implicit Null label to request that the penultimate hop router forward IP packets without labels to the router at the end of the label switch path (LSP)
• VRF
• Traffic engineering
• Any Transport over MPLS (AToM) support—EoMPLS only, including:
  – PFC-based (No MAC address learning)
  – SIP-based (MAC address learning, requires SIP as uplink)
  – Up to 4000 EoMPLS VCs per system
• Virtual Private LAN Service (VPLS) support, including:
  – H-VPLS with MPLS edge—H-VPLS with MPLS edge requires either an OSM or Cisco 7600 SIP-600 in both the downlink (facing UPE) and uplink (MPLS core). For more information about configuring H-VPLS, see Chapter 12, “Configuring the Fast Ethernet and Gigabit Ethernet SPAs.”
  – H-VPLS with Q-in-Q edge—Requires Cisco 7600 SIP-600 in the uplink, and any LAN port or Cisco 7600 SIP-600 on the downlink
  – Up to 4000 VPLS domains
  – Up to 60 VPLS peers per domain
  – Up to 30,000 pseudowires, used in any combination of domains and peers up to the 4000-domain or 60-peer maximums; for example, support of up to 4000 domains with 7 peers or up to 60 peers in 500 domains
• MPLS Operation, Administration, and Maintenance (OAM) support, including:
  – LSP ping and traceroute
  – Virtual Circuit Connection Verification (VCCV)

Cisco 7600 SIP-600 Layer 2 Protocols and Encapsulation
• HDLC (Cisco Systems)
• PPP
• PPP over SONET/SDH
• Layer 2 Gigabit Ethernet support, including:
  – IEEE 802.3z 1000 Mbps Gigabit Ethernet
  – IEEE 802.3ab 1000BaseT Gigabit Ethernet
  – IEEE 802.3ae 10 Gbps Ethernet (1-Port 10-Gigabit Ethernet SPA only)
  – Jumbo frame (up to 9216 bytes)
  – ARPA, IEEE 802.3 SAP, IEEE 802.3 SNAP, Q-in-Q
  – IEEE 802.1q VLANs
  – Autonegotiation support including IEEE 802.3 flow control and pause frames
  – Gigabit Ethernet Channel (GEC)
  – IEEE 802.3ad link aggregation
  – Address Resolution Protocol (ARP)/Reverse ARP (RARP)
  – Hot Standby Router Protocol (HSRP)
  – Virtual Router Redundancy Protocol (VRRP)

Cisco 7600 SIP-600 QoS Features
This section provides a list of the Quality of Service (QoS) features that are supported by the Cisco 7600 SIP-600.
• MQC

Cisco 7600 SIP-600 Packet Marking
• IP precedence (set ip precedence command)
• DSCP (set dscp command)
• MPLS EXP (match mpls experimental command)

Note: Mapping 802.1p CoS values to MPLS EXP bits is supported using EoMPLS only.

Cisco 7600 SIP-600 Policing and Dropping
• Input policing on a per-port and per-VLAN basis

Cisco 7600 SIP-600 Classification Into a Queue
• Input and output ACLs on a per-port and per-VLAN basis
• Input VLAN (match input vlan command)
• IP DSCP (match dscp command)
• IP precedence (match ip precedence command)
• MPLS EXP (match mpls experimental command)
• QoS group (match qos-group command)
• VLAN (match vlan command)

Cisco 7600 SIP-600 Congestion Management
• CBWFQ
• LLQ

Cisco 7600 SIP-600 Congestion Avoidance
• WRED

Cisco 7600 SIP-600 Shaping
• Output shaping on a per-port and per-VLAN basis
• Output hierarchical traffic shaping—Two levels of shaping on an interface, subinterface, or group of subinterfaces

Supported SSC Features
The Cisco 7600 SSC-400 is a streamlined services card that provides a very high bandwidth data path between the Cisco 7600 series router platform backplane and the high-speed interconnects on the IPSec VPN SPA. For more information about the features and configuration supported by the IPSec VPN SPA with the Cisco 7600 SSC-400, see the related chapters in the IPSec VPN Shared Port Adapter part of this book.

Cisco 7600 SSC-400 Features
• Support of up to two IPSec VPN SPAs per slot
• Online insertion and removal (OIR) of the SSC and SPAs
• Support for the RSP720-10GE supervisor engine is added for the SSC-400 beginning with Cisco IOS Release 12.2(33)SRE

Restrictions
This section documents unsupported features and feature restrictions for the SIPs and SSC on the Cisco 7600 series router.

Cisco 7600 SIP-200 Restrictions
As of Cisco IOS Release 12.2(18)SXE, the Cisco 7600 SIP-200 has the following restrictions:
• The Cisco 7600 SIP-200 is not supported with a Supervisor Engine 1, Supervisor Engine 1A, Supervisor Engine 2, or Supervisor Engine 720A.
• A maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving (LFI) is supported for all ATM SPAs (or other ATM modules) in a Cisco 7600 series router.
• The following features are not supported:
  – ATM LAN Emulation (LANE)
  – dLFI over Frame Relay (dLFIoFR)
  – PPP over Frame Relay (PPPoFR)
  – MLP over Frame Relay (MLPoFR)
  – dLFI with MPLS
  – Layer 2 Tunneling Protocol (L2TP) version 2
  – L2TP version 3
  – Legacy Priority Queueing and Custom Queueing
  – PPP over Ethernet (PPPoE)
  – Reliable PPP (RFC 1663, PPP Reliable Transmission)
  – Stacker Compression (STAC)
  – X.25, Link Access Procedure, Balanced (LAPB)
• PPP over MPLS (PPPoMPLS) is not supported with dMLPPP or dLFI.
• High availability (HA) features have some restrictions when configured with the following distributed features on the Cisco 7600 SIP-200:
  – When you configure HA with dMLFR, the Cisco 7600 SIP-200 only supports RPR+.
  – HA features with dLFI over ATM (dLFIoATM) are not supported.
  – HA features with dLFI over Frame Relay (dLFIoFR) are not supported.
• The NBAR feature is not supported in Release 15.0(1)S and later releases.

Cisco 7600 SIP-400 Restrictions
In Cisco IOS Release 12.2(18)SXE and later, the Cisco 7600 SIP-400 has the following restrictions:
• The Cisco 7600 SIP-400 is not supported with a Supervisor Engine 1, Supervisor Engine 1A, or Supervisor Engine 2. It is also not supported with a Supervisor Engine 720 PFC3A, or in PFC3A mode. For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600 series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 at the following URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• The Cisco 7600 SIP-400 is not supported with PFC-2 based systems.
• EtherChannel is not supported on the Cisco 7600 SIP-400.
• A maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving (LFI) is supported for all ATM SPAs (or other ATM modules) in a Cisco 7600 series router.
• For AToM in Cisco IOS 12.2SX releases, the Cisco 7600 SIP-400 does not support the following features when they are located in the data path. This means you should not configure the following features if the SIP is facing the customer edge (CE) or the MPLS core:
  – HDLCoMPLS
  – PPPoMPLS
  – Virtual Private LAN Service (VPLS)
• For AToM beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 supports the following features on CE-facing interfaces:
  – HDLCoMPLS
  – PPPoMPLS
  – VPLS
• The Cisco 7600 SIP-400 supports EoMPLS with directly connected provider edge (PE) devices when the Cisco 7600 SIP-400 is on the MPLS core side of the network.
• The Cisco 7600 SIP-400 does not support the ability to enable or disable tunneling of Layer 2 packets, such as for the VLAN Trunking Protocol (VTP), Cisco Discovery Protocol (CDP), and bridge protocol data units (BPDUs). The Cisco 7600 SIP-400 tunnels BPDUs, and always blocks VTP and CDP packets from the tunnel.
• In ATMoMPLS AAL5 and cell mode, the Cisco 7600 SIP-400 supports non-matching VPIs/VCIs between PEs if the Cisco 7600 SIP-400 is on both sides of the network.
• The Cisco 7600 SIP-400 supports matching on FR-DE to set MPLS-EXP for FRoMPLS.
• The Cisco 7600 SIP-400 supports use of the xconnect command to configure AToM circuits for all AToM connection types.
• The Cisco 7600 SIP-400 does not support the following QoS classification features with AToM:
  – Matching on data-link connection identifier (DLCI) is unsupported.
  – Matching on virtual LAN (VLAN) is unsupported.
  – Matching on class of service (CoS) is unsupported in Cisco IOS Release 12.2(18)SXE and Cisco IOS Release 12.2(18)SXE2 only. Beginning in Cisco IOS Release 12.2(18)SXF, it is supported with the 2-Port Gigabit Ethernet SPA.
  – Matching on input interface is unsupported.
  – Matching on packet length is unsupported.
  – Matching on media access control (MAC) address is unsupported.
  – Matching on protocol type, including Border Gateway Protocol (BGP), is unsupported.
• The Cisco 7600 SIP-400 does not support the following QoS classification features using MQC:
  – ACL IPv6 full address
  – ACL IPv6 TCP flags
  – Class map (match class-map command)
  – CoS inner (match cos inner command)—Supported beginning in Cisco IOS Release 12.2(33)SRA on 2-Port Gigabit Ethernet SPA input and output interfaces and with bridging features.
  – Destination sensitive services (DSS)
  – Discard class (match discard-class command)
  – Frame Relay DLCI (match fr-dlci command)—Supported beginning in Cisco IOS Release 12.2(33)SRA on Frame Relay input and output interfaces and with Frame Relay bridging features.
  – Input interface (match input-interface command)
  – Input VLAN (match input vlan command)—Supported beginning in Cisco IOS Release 12.2(33)SRA on output interfaces only.
  – IP RTP (match ip rtp command)
  – IPv4 and IPv6 ToS
  – MAC address (match mac command)
  – Match protocol (match protocol command)—Supports IP only.
  – Packet length (match packet length command)
  – QoS group (match qos-group command)
  – Source and destination autonomous system (AS) (match as command)
  – Source and destination Border Gateway Protocol (BGP) community (match bgp-community command)
  – VLAN (match vlan command)
  – VLAN inner (match vlan inner command)—Supported beginning in Cisco IOS Release 12.2(33)SRA on input and output interfaces and with bridging features.
• The Cisco 7600 SIP-400 does not support the following QoS marking features:
  – CoS (set cos command)
  – CoS inner (set cos inner command)
• The Cisco 7600 SIP-400 does not support the following QoS marking features using MQC:
  – QoS group (set qos-group command)
  – Next-hop (set next-hop command)
  – Discard class (set discard-class command)
  – Table (set table command)
• The Cisco 7600 SIP-400 does not support the following QoS queueing actions using MQC:
  – Flow-based queueing
  – Adaptive shaping
• The Cisco 7600 SIP-400 does not support the following QoS policing feature:
  – Policing by Committed Information Rate (CIR) percentage (police cir percent command)—Supported as of Cisco IOS Release 12.2(18)SXF.
• The Cisco 7600 SIP-400 does not support the following Frame Relay features:
  – Matching on DLCI
  – Bridging encapsulation
  – Multicast on multipoint interfaces
  – FRF.5
  – FRF.8
  – FRF.12 fragmentation
  – FRF.16 multilink support of four-octet extended addressing on an SVC
  – NNI
  – PVC bundling
  – PPP over Frame Relay
• The Cisco 7600 SIP-400 does not support RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Multipoint Bridging (MPB). However, point-to-point bridging is supported.
• As of Cisco IOS Release 12.2(18)SXF, when using the Cisco 7600 SIP-400 with the 2-Port Gigabit Ethernet SPA or the 1-Port OC-48c/STM-16 ATM SPA, consider the following oversubscription guidelines: – The Cisco 7600 SIP-400 only supports installation of one 1-Port OC-48c/STM-16 ATM SPA without any other SPAs installed in the SIP. – The Cisco 7600 SIP-400 supports installation of up to two 2-Port Gigabit Ethernet SPAs without any other SPAs installed in the SIP. – The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM SPAs, up to a combined ingress bandwidth of OC-48 rates. – The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM SPAs up to a combined ingress bandwidth of OC-24 rates, when installed with a single 2-Port Gigabit Ethernet SPA. For more details on SIP-400 oversubscription guidelines refer to 3-23 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 3 Overview of the SIPs and SSC Restrictions • Q-in-Q (the ability to map a single 802.1Q tag or a random double tag combination into a VPLS instance, a Layer 3 MPLS VPN, or an EoMPLS VC) is not supported. • Cisco Discovery Protocol (CDP) is disabled by default on the 2-Port Gigabit Ethernet SPA interfaces and subinterfaces on the Cisco 7600 SIP-400. • The SDH, E1/E3 modes are not qualified on 1XCHOC12/DS0 SPA on Cisco 7600 SIP-400 in 12.2(33)SRD1 release. • MFR, FRF.12 is not supported on 1XCHOC12/DS0 SPA on Cisco 7600 SIP-400 in 12.2(33)SRD1 release. • VC QoS on VP-PW feature works only with Single Cell Relay and does not work with Packed Cell Relay. • Effective from Cisco IOS Release 15.1(01)S, the Hot-Standby Psuedo Wires (HSPW) feature is supported on SIP400 PW having imposition and disposition on access side for ScEoMPLS, ATM and TDM cross connect.The feature also supports a maximum number of 6000 backup PWs. – SONET OC3 SPA supports a maximum number of 576 PWs. 
– The 24T1E1 SPA supports a maximum of 191 PWs.

Cisco 7600 SIP-600 Restrictions

As of Cisco IOS Release 12.2(18)SXF, the Cisco 7600 SIP-600 has the following restrictions:
• The Cisco 7600 SIP-600 is not supported by the Supervisor Engine 32 or the Supervisor Engine 720 with PFC3A. For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600 series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 at the following URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• The Cisco 7600 SIP-600 supports installation of only a single SPA, in the first subslot.
• Removal of one type of SPA and reinsertion of a different type of SPA during OIR causes a reload of the Cisco 7600 SIP-600.
• Q-in-Q (the ability to map a single 802.1Q tag or a random double tag combination into a VPLS instance, a Layer 3 MPLS VPN, or an EoMPLS VC) is not supported.
• H-VPLS with MPLS edge requires either an OSM or a Cisco 7600 SIP-600 on both the downlink (facing the UPE) and the uplink (MPLS core).
• Output policing is not supported.
• The aggregate guaranteed bandwidth configured for all QoS policies applied to a main interface cannot exceed the bandwidth of the link. 1% of the link rate is reserved for control packet traffic; the remaining 99% of the link rate is available for guaranteed rates in the QoS configuration. For policies applied to the main interface, an attempt is made to acquire the 1% guaranteed rate from class-default. If control packet bandwidth cannot be acquired, errors are reported in the log file.
• On any Cisco 7600 SIP-600 Ethernet port subinterface using VLANs, a unique VLAN ID must be assigned. This VLAN ID cannot be in use by any other interface on the Cisco 7600 series router.
• Certain restrictions apply when using the SIP-600 and the IPSec VPN SPA on the same chassis:
– The SIP-600 should not be installed in the same chassis with an IPSec VPN SPA when running SXF.
– The SIP-600 is not supported in 12.2(33)SRA.
– Starting with SRB, the SIP-600 and IPSec VPN SPA can be present in the same chassis. However, SIP-600 subinterfaces cannot be used when VPN crypto-connect mode is configured.

Cisco 7600 SSC-400 Restrictions

As of Cisco IOS Release 12.2(18)SXE2, the Cisco 7600 SSC-400 has the following restrictions:
• The Cisco 7600 SSC-400 is only supported by the Supervisor Engine 720 (MSFC3 and PFC3). For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600 series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 at the following URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• The Cisco 7600 SSC-400 only supports two IPSec VPN SPAs.
As of Cisco IOS Release 12.2(18)SXF, the Cisco 7600 SSC-400 has the following restrictions:
• The Cisco 7600 SSC-400 is not supported by the Supervisor Engine 32. The Cisco 7600 SSC-400 is only supported by the Supervisor Engine 720 (MSFC3 and PFC3). For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600 series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 at the following URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• The Cisco 7600 SSC-400 only supports two IPSec VPN SPAs.
Supported MIBs

The following MIBs are supported in Cisco IOS Release 12.2(18)SXE and later for the Cisco 7600 SIP-200 on a Cisco 7600 series router:
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-EXT-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• ENTITY-MIB
• OLD-CISCO-CHASSIS-MIB
The following MIBs are supported in Cisco IOS Release 12.2(18)SXE and later for the Cisco 7600 SIP-400 on a Cisco 7600 series router:
• ATM-ACCOUNTING-INFORMATION-MIB (RFC 2512)
• ATM-MIB (RFC 2515)
• ATM-SOFT-PVC-MIB
• ATM-TC-MIB
• ATM-TRACE-MIB
• CISCO-AAL5-MIB
• CISCO-ATM-CONN-MIB
• CISCO-ATM-RM-MIB
• CISCO-ATM-TRAFFIC-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-EXT-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• SONET MIB (RFC 2558)
The following MIBs are supported in Cisco IOS Release 12.2(18)SXF and later for the Cisco 7600 SIP-600 on a Cisco 7600 series router:
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-EXT-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• ENTITY-MIB
• OLD-CISCO-CHASSIS-MIB
The following MIBs are supported in Cisco IOS Release 12.2(18)SXE2 and later for the Cisco 7600 SSC-400 on a Cisco 7600 series router:
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-EXT-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• ENTITY-MIB
• ETHER-MIB
• OLD-CISCO-CHASSIS-MIB
For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series Internet Router MIB Specifications Guide at the following URL: http://www.cisco.com/en/US/products/hw/routers/ps368/prod_technical_reference_list.html
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs
from the Cisco MIBs page at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL: https://tools.cisco.com/RPF/register/register.do

Displaying the SIP and SSC Hardware Type

To verify the SIP or SSC hardware type that is installed in your Cisco 7600 series router, you can use the show module command. There are other commands on the Cisco 7600 series router that also provide SIP and SSC hardware information, such as the show idprom command and the show diagbus command.
Table 3-1 shows the hardware description that appears in the show module and show idprom command output for each type of SIP that is supported on the Cisco 7600 series router.

Example of the show module Command

The following example shows output from the show module command on the Cisco 7600 series router with a Cisco 7600 SIP-400 installed in slot 13:
Router# show module 13
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
13 0 4-subslot SPA Interface Processor-400 7600-SIP-400 JAB0851042X
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
13 00e0.aabb.cc00 to 00e0.aabb.cc3f 0.525 12.2(PP_SPL_ 12.2(PP_SPL_ Ok
Mod Online Diag Status
--- -------------------
13 Pass

Example of the show idprom Command

The following example shows sample output for a Cisco 7600 SIP-200 installed in slot 4 of the router:
Router# show idprom module 4
IDPROM for module #4 (FRU is '4-subslot SPA Interface Processor-200')
OEM String = 'Cisco Systems'
Product Number = '7600-SIP-200'
Serial Number = 'SAD0738006Y'
Manufacturing Assembly Number = '73-8272-03'
Manufacturing Assembly Revision = '03'
Hardware Revision = 0.333
Current supplied (+) or consumed (-) = -4.77A

Table 3-1 SIP Hardware Descriptions in show Commands
SIP | Description in show module and show idprom Commands
Cisco 7600 SIP-200 | 4-subslot SPA Interface Processor-200 / 7600-SIP-200
Cisco 7600 SIP-400 | 4-subslot SPA Interface Processor-400 / 7600-SIP-400
Cisco 7600 SIP-600 | 1-subslot SPA Interface Processor-600 / 7600-SIP-600
Cisco 7600 SSC-400 | 2-subslot Services SPA Carrier-400 / 7600-SSC-400

SIP-200 and SIP-400 Network Clock Distribution

The Cisco 7600 series routers have a distributed clocking system with two 8 kHz backplane reference clocks that connect to every slot in the backplane to provide an egress (Tx) timing reference for the SPAs.
Starting with Cisco IOS Release 12.2(33)SRB, the SIP-200 or SIP-400 can take clock input from various clock sources and distribute the clock to other supported cards by way of the chassis backplane, which allows network operators to synchronize the transmit clocks of serial interfaces to a central timing reference. Synchronization to a central timing reference can help eliminate frame slips and the associated loss of data on SONET and SDH interfaces. Both the SIP-200 and the SIP-400 can act as the source that drives the backplane reference clocks used by other SIPs. When a SIP-200 or SIP-400 is the source of the clocks, the SIP uses the recovered Rx clock from any one of its SPAs' input ports (see Table 3-2 for which SPAs support this functionality). The SIP either derives an 8-kHz clock that it drives onto one or both backplane signals, or provides its own Stratum 3 clock to the backplane. Both the SIP-200 and the SIP-400 can also receive backplane clocks for use by their SPAs. When the SIP-200 or the SIP-400 receives backplane clocks, the clocks are dejittered and provided to the SPAs. Table 3-2 shows reference clock sources. Table 3-3 shows the reference clock sources available for mapping to the backplane. Table 3-4 shows the clocks available to specific line cards.
Table 3-2 Reference Clock Sources
Reference Clock Input for Data Transmission | SIP-200 | SIP-400
Local | All supported SONET/Serial SPAs | All supported SONET/Serial SPAs
Line | All supported SONET/Serial SPAs | All supported SONET/Serial SPAs
BITS Input | SPA-8XCHT1/E1 | SPA-24CHT1-CE-ATM

Table 3-3 Reference Clock Sources Available for Mapping to Backplane
Clock Source | Line Card | SPA | Clock Derived From
Internal Oscillator | SIP-200 | Not applicable | Not applicable
Internal Oscillator | SIP-400 | Not applicable | Not applicable
Interface | SIP-200 | SPA-2XOC3-POS, SPA-4XOC3-POS, SPA-2XOC3-ATM, SPA-4XOC3-ATM | SONET/SDH
Interface | SIP-400 | SPA-1CHOC3-CE-ATM, SPA-2XOC3-POS, SPA-4XOC3-POS, SPA-1XOC12-POS, SPA-1XOC48-POS, SPA-2XOC3-ATM, SPA-4XOC3-ATM, SPA-1XOC12-ATM, SPA-1XOC-48ATM, 8X1FE-TX-V2, 4X1FE-TX-V2
Controller | SIP-200 | SPA-8XCHT1/E1 | T1/E1
Controller | SIP-200 | SPA-1XCHSTM1/OC3 | STM1/OC3
Controller | SIP-200 | SPA-2XT3/E3, SPA-4XT3/E3 | Cannot provide clock to backplane
Controller | SIP-200 | SPA-2XCT3/DS0, SPA-4XCT3/DS0 | Cannot provide the clock to backplane

Table 3-4 Line Cards Able to Receive Clocks from Backplane
Line Card | SPA | Minimum Interface Level for Clock Source Input
SIP-200 | SPA-8XCHT1/E1 | Cannot take clock from backplane
SIP-200 | SPA-2XT3/E3, SPA-4XT3/E3 | Cannot take clock from backplane
SIP-200 | SPA-2XCT3/DS0, SPA-4XCT3/DS0 | Cannot take clock from backplane
SIP-200 | SPA-1XCHSTM1/OC3 | STM1/OC3
SIP-200 | SPA-2XOC3-POS, SPA-4XOC3-POS |
SIP-200 | SPA-2XOC3-ATM, SPA-4XOC3-ATM |
SIP-400 | SPA-24CHT1-CE-ATM | T1/E1
SIP-400 | SPA-1CHOC3-CE-ATM | STM1/OC3
SIP-400 | SPA-2XOC3-POS, SPA-4XOC3-POS |
SIP-400 | SPA-1XOC12-POS | STM4/OC12
SIP-400 | SPA-2XOC3-ATM, SPA-4XOC3-ATM | STM1/OC3
SIP-400 | SPA-1XOC12-ATM | STM4/OC12
SIP-400 | SPA-1XOC-48ATM | STM16/OC48

Note The default clock for the T3/E3 interfaces of the SPA-1xCHSTM1/OC3 or SPA-1xCHOC12/STM4 is internal. If you have line configuration on the T3, you must change the clock source back to line to restore the setup to its previous state after an upgrade. For additional information, see BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400, page 10-37.

Chapter 4 Configuring the SIPs and SSC

This chapter provides information about configuring SIPs and SSCs on the Cisco 7600 series router. It includes the following sections:
• Configuration Tasks, page 4-1
• Configuration Examples, page 4-170
For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications that correspond to your Cisco IOS software release.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.

Configuration Tasks

This section describes how to configure the SIPs and SSCs and includes information about verifying the configuration.
It includes the following topics:
• Required Configuration Tasks, page 4-2
• Identifying Slots and Subslots for SIPs, SSCs, and SPAs, page 4-2
• Configuring Compressed Real-Time Protocol, page 4-5
• Configuring Frame Relay Features, page 4-7
• Configuring Layer 2 Interworking Features on a SIP, page 4-32
• Configuring Private Hosts over Virtual Private LAN Service (VPLS), page 4-54
• Configuring BFD over VCCV on SIP-400, page 4-75
• Configuring MPLS Features on a SIP, page 4-79
• Configuring QoS Features on a SIP, page 4-94
• Configuring NAT, page 4-129
• Configuring Lawful Intercept on a Cisco 7600 SIP-400, page 4-129
• Configuring Security ACLs on an Access Interface on a Cisco 7600 SIP-400, page 4-131
• Configuring CoPP on the Cisco 7600 SIP-400, page 4-132
• Configuring IGMP Snooping on a SIP-200, page 4-153
• Configuring ACFC and PFC Support on Multilink Interfaces, page 4-154
• Configuring PPPoEoE on a Cisco 7600 SIP-400, page 4-159
• Configuring Source IPv4 and Source MAC Address Binding on the SIP-400, page 4-164
• Resetting a SIP, page 4-170
• Layer 2 Interworking Configuration Examples, page 4-170
• MPLS Configuration Examples, page 4-172
• QoS Configuration Examples, page 4-173
• Private Hosts SVI (Interface VLAN) Configuration Example, page 4-178
This section identifies those features that have SIP-specific configuration guidelines for you to consider and refers you to the supporting platform documentation. Many of the Cisco IOS software features that the FlexWAN and Enhanced FlexWAN modules support on the Cisco 7600 series router are also supported by the SIPs.
Use this chapter while also referencing the list of supported features on the SIPs in Chapter 3, “Overview of the SIPs and SSC.”
Note When referring to the other platform documentation, be sure to note any SIP-specific configuration guidelines described in this document.
For information about configuring other features supported on the Cisco 7600 series router but not discussed in this document, refer to the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SR at the following URL: http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/swcg.html
Note Effective from Cisco IOS Software Release 15.0(1)S, a number of QoS commands documented in this chapter are hidden in the software image; you must therefore use their replacement commands. Although the hidden commands are still available in Cisco IOS Software, you cannot access them from the CLI interactive help. For more information on the replacement commands, see the Legacy QoS Command Deprecation feature document at: http://www.cisco.com/en/US/docs/ios/ios_xe/qos/configuration/guide/legacy_qos_cli_deprecation_xe.html

Required Configuration Tasks

As of Cisco IOS Release 12.2(18)SXE, there are no features that require direct configuration on the SIP or SSC. This means that you do not need to attach to the SIP or SSC itself to perform any configuration. However, the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 do implement and support certain features that are configurable at the system level on the Route Processor (RP).
Identifying Slots and Subslots for SIPs, SSCs, and SPAs

This section describes how to specify the physical locations of a SIP and SPA on the Cisco 7600 series routers within the command-line interface (CLI) to configure or monitor those devices.
Note For simplicity, any reference to “SIP” in this section also applies to the SSC.

Specifying the Slot Location for a SIP or SSC

The Cisco 7600 series router supports different chassis models, each of which supports a certain number of chassis slots.
Note The Cisco 7600 series router SIPs are not supported with a Supervisor Engine 1, Supervisor Engine 1A, Supervisor Engine 2, or Supervisor Engine 720-3A.
Figure 4-1 shows an example of a SIP installed in slot 6 on a Cisco 7609 router. The Cisco 7609 router has nine vertically oriented chassis slots, which are numbered 1 to 9 from right to left.
Figure 4-1 SIP and SPA Installed in a Cisco 7609 Router
Some commands allow you to display information about the SIP itself, such as show module, show sip-disk, show idprom module, show hw-module slot, and show diagbus. These commands require you to specify the chassis slot where the SIP that you want information about is installed. For example, to display status and information about the SIP installed in slot 6 as shown in Figure 4-1, enter the following command:
Router# show module 6
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Figure 4-1 callouts: 1 SIP subslot 0; 2 SIP subslot 1; 3 SIP subslot 2; 4 SIP subslot 3; 5 Chassis slots 1–9 (numbered from right to left)

Specifying the SIP or SSC Subslot Location for a SPA

SIP subslots begin their numbering with “0” and have a horizontal or vertical orientation depending on the orientation of the SIP in
the router chassis slot, as shown in the “SIP, SSC, and SPA Product Overview” chapter of the Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide.
Figure 4-1 shows an example of a Cisco 7600 SIP-200 installed with a vertical orientation on a Cisco 7609 router. The Cisco 7600 SIP-200 supports four subslots for the installation of SPAs. In this example, the subslot locations are vertically oriented as follows:
• SIP subslot 0—Top-right subslot
• SIP subslot 1—Bottom-right subslot
• SIP subslot 2—Top-left subslot
• SIP subslot 3—Bottom-left subslot
Figure 4-2 shows the faceplate for the Cisco 7600 SIP-200 in a horizontal orientation.
Figure 4-2 Cisco 7600 SIP-200 Faceplate
In this view, the subslot locations in a horizontal orientation are as follows:
• SIP subslot 0—Top-left subslot
• SIP subslot 1—Top-right subslot
• SIP subslot 2—Bottom-left subslot
• SIP subslot 3—Bottom-right subslot
The SIP subslot numbering is indicated by a small numeric label beside the subslot on the faceplate.
Just as with the SIPs, some commands allow you to display information about the SPA itself, such as show idprom module and show hw-module subslot. These commands require you to specify the physical location of both the SIP and the SPA in the format slot/subslot, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
For example, to display the operational status for the SPA installed in the first subslot of the SIP in chassis slot 6 shown in Figure 4-1, enter the following command:
Router# show hw-module subslot 6/0 oir
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Configuring Compressed Real-Time Protocol

Compressed Real-Time Protocol (CRTP), from RFC 1889 (RTP: A Transport Protocol for Real-Time Applications), provides bandwidth efficiencies over low-speed links by compressing the UDP/RTP/IP header when transporting voice. With CRTP, the header for Voice over IP traffic can be reduced from 40 bytes to approximately 2 to 5 bytes, offering substantial bandwidth efficiencies for low-speed links. CRTP is supported over Frame Relay, ATM, PPP, distributed MLPPP (dMLPPP), and HDLC encapsulated interfaces.
Table 4-1 provides information about where the CRTP feature for SPA interfaces is supported.

CRTP Configuration Guidelines

To support CRTP on the Cisco 7600 SIP-200, consider the following guidelines:
• High-level Data Link Control (HDLC), PPP, or Frame Relay encapsulation must be configured.
• TCP or RTP header compression, or both, must be enabled.
• When distributed fast-switching is enabled, the detail option is not available with the show ip rtp header-compression and show ip tcp header-compression commands. Users who need the detailed information for either of these commands can retrieve it by disabling distributed fast-switching and then entering the show ip rtp header-compression detail or show ip tcp header-compression detail command.
• When using CRTP with distributed features on the Cisco 7600 SIP-200, consider the following guidelines and restrictions:
– Hardware- and software-based CRTP is supported with Distributed Link Fragmentation and Interleaving over Leased Lines (dLFIoLL) if only one link is present on the multilink interface.
– The following restrictions apply to Multilink PPP interfaces that use LFI: If RTP header compression is configured, RTP packets originating on or destined to the router will be fast-switched if the link is limited to one channel. If the link has more than one channel, the packets will be process-switched.

Table 4-1 CRTP Feature Compatibility by SIP and SPA Combination
Feature | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600
Hardware-based CRTP | In Cisco IOS Release 12.2(18)SXE and later: 8-Port Channelized T1/E1 SPA; 2-Port and 4-Port Channelized T3 SPA | Not supported. | Not supported.
Hardware- and software-based CRTP | In Cisco IOS Release 12.2(33)SRA: 8-Port Channelized T1/E1 SPA; 2-Port and 4-Port Channelized T3 SPA; 1-Port Channelized OC-3/STM-1 SPA | Not supported. | Not supported.
CRTP with dLFIoLL—Only supported with one link present on the multilink interface | In Cisco IOS Release 12.2(18)SXE and later: 8-Port Channelized T1/E1 SPA; 2-Port and 4-Port Channelized T3 SPA. Support for the following SPA was added in Cisco IOS Release 12.2(33)SRA: 1-Port Channelized OC-3/STM-1 SPA | Not supported. | Not supported.
CRTP with dMLPPP | Supported. Not supported if LFI is enabled. | Not supported. | Not supported.
CRTP with dMLPPP and MPLS | Not supported. | Not supported. | Not supported.

CRTP should not be configured on a multilink interface when LFI is enabled on the multilink interface, the multilink bundle has more than one member link, and a QoS policy with a feature is enabled on the multilink interface.
Note In a dMLPPP/dLFI configuration, packets do not carry the MLPPP header and sequence number. Thus, MLPPP distributes the packets across all member links. As a result, packets that are compressed by CRTP may arrive out of order at the receiving router.
This prevents CRTP from decompressing the packet header and forces CRTP to drop the packets.
For information on configuring CRTP, see Configuring Distributed Compressed Real-Time Protocol at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfdcrtp.html

Configuring Frame Relay Features

Many of the Frame Relay features supported on the FlexWAN and Enhanced FlexWAN modules on the Cisco 7600 series router are also supported by the SIPs. For a list of the supported Frame Relay features on the SIPs, see Chapter 3, “Overview of the SIPs and SSC.”
This section describes those Frame Relay features that have SIP-specific configuration guidelines. After you review the SIP-specific guidelines described in this document, refer to the referenced URLs for more information about configuring Frame Relay features.
The Frame Relay features for SIPs and SPAs are qualified as distributed features because the processing for the feature is handled by the SIP or SPA, or a combination of both.

Configuring Distributed Multilink Frame Relay (FRF.16) on the Cisco 7600 SIP-200

The Distributed Multilink Frame Relay (dMLFR) feature provides a cost-effective way to increase bandwidth for particular applications by enabling multiple serial links to be aggregated into a single bundle of bandwidth. Multilink Frame Relay is supported on the User-Network Interface (UNI) and the Network-to-Network Interface (NNI) in Frame Relay networks.
Note Based on your link configuration, dMLFR can be either software-based on the Cisco 7600 SIP-200, or hardware-based on the 8-Port Channelized T1/E1 SPA, the 2-Port and 4-Port Channelized T3 SPAs, and the 1-Port Channelized OC-3/STM-1 SPA.
For more information about the hardware-based configuration, see also Chapter 17, “Configuring the 8-Port Channelized T1/E1 SPA,” and Chapter 19, “Configuring the 2-Port and 4-Port Channelized T3 SPAs.”
Table 4-2 provides information about where the dMLFR feature for SPA interfaces is supported.
This section includes the following topics:
• Overview of dMLFR, page 4-8
• dMLFR Configuration Guidelines, page 4-9
• dMLFR Configuration Tasks, page 4-10
• Verifying dMLFR, page 4-13

Overview of dMLFR

The Distributed Multilink Frame Relay feature enables you to create a virtual interface called a bundle or bundle interface. The bundle interface emulates a physical interface for the transport of frames. The Frame Relay data link runs on the bundle interface, and Frame Relay virtual circuits are built upon it.
The bundle is made up of multiple serial links, called bundle links. Each bundle link within a bundle corresponds to a physical interface. Bundle links are invisible to the Frame Relay data-link layer, so Frame Relay functionality cannot be configured on these interfaces. Regular Frame Relay functionality that you want to apply to these links must be configured on the bundle interface. Bundle links are visible to peer devices. The local router and peer devices exchange link integrity protocol control messages to determine which bundle links are operational and to synchronize which bundle links should be associated with which bundles.
For link management, each end of a bundle link follows the MLFR link integrity protocol and exchanges link control messages with its peer (the other end of the bundle link). To bring up a bundle link, both ends of the link must complete an exchange of ADD_LINK and ADD_LINK_ACK messages. To maintain the link, both ends periodically exchange HELLO and HELLO_ACK messages.
This exchange of hello messages and acknowledgments serves as a keepalive mechanism for the link. If a router is sending hello messages but not receiving acknowledgments, it will resend the hello message up to a configured maximum number of times. If the router exhausts the maximum number of retries, the bundle link line protocol is considered down (not operational).
The bundle link interface’s line protocol status is considered up (operational) when the peer device acknowledges that it will use the same link for the bundle. The line protocol remains up when the peer device acknowledges the hello messages from the local router.
The bundle interface’s line status becomes up when at least one bundle link has its line protocol status up. The bundle interface’s line status goes down when the last bundle link is no longer in the up state. This behavior complies with the Class A bandwidth requirement defined in FRF.16.

Table 4-2 dMLFR Feature Compatibility by SIP and SPA Combination
Feature | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600
Hardware- and software-based dMLFR | In Cisco IOS Release 12.2(18)SXE and later: 8-Port Channelized T1/E1 SPA; 2-Port and 4-Port Channelized T3 SPA. In Cisco IOS Release 12.2(33)SRA and later: 1-Port Channelized OC-3/STM-1 SPA. In Cisco IOS Release 12.2(33)SRC and later: | Not supported. | Not supported.

The bundle interface’s line protocol status is considered up when the Frame Relay data-link layer at the local router and peer device synchronize using the Local Management Interface (LMI), when LMI is enabled. The bundle line protocol remains up as long as the LMI keepalives are successful.

dMLFR Configuration Guidelines

To support dMLFR on the Cisco 7600 SIP-200, consider the following guidelines:
• dMLFR must be configured on the peer device.
• The dMLFR peer device must not send frames that require assembly.
• The Cisco 7600 SIP-200 supports distributed links under the following conditions:
  – All links are on the same Cisco 7600 SIP-200.
  – T1 and E1 links cannot be mixed in a bundle.
  – Member links in a bundle are recommended to have the same bandwidth.
• QoS is implemented on the Cisco 7600 SIP-200 for dMLFR.
• dMLFR is supported with Frame Relay over MPLS (FRoMPLS) on the Cisco 7600 SIP-200 between the customer edge (CE) and provider edge (PE) of the MPLS network.
• The Cisco 7600 SIP-200 only supports the RPR+ High Availability (HA) feature with dMLFR.
• dMLFR is supported in software by the Cisco 7600 SIP-200, or in hardware by the supported SPA. This support is determined by your link configuration.
• dMLFR is supported in software if bundle link members are on different SPAs in the same SIP.

Software-Based Guidelines

dMLFR will be implemented in the software if any of the following conditions are met:
• Any one bundle link member is a fractional T1 or E1 link.
• There are more than 12 T1 or E1 links in a bundle.

Hardware-Based Guidelines

dMLFR will be implemented in the hardware when all of the following conditions are met:
• All bundle link members are T1 or E1 only.
• All bundle links are on the same SPA.
• There are no more than 12 links in a bundle.

dMLFR Restrictions

When configuring dMLFR on the Cisco 7600 SIP-200, consider the following restrictions:
• FRF.9 hardware compression is not supported.
• Software compression is not supported.
• Encryption is not supported.
• The maximum differential delay supported is 50 ms when supported in hardware, and 100 ms when supported in software.
• Fragmentation is not supported on the transmit side.

dMLFR Configuration Tasks

The following sections describe how to configure dMLFR:
• Creating a Multilink Frame Relay Bundle, page 4-10 (required)
• Assigning an Interface to a dMLFR Bundle, page 4-11 (required)

Creating a Multilink Frame Relay Bundle

SUMMARY STEPS
Step 1  interface mfr number
Step 2  frame-relay multilink bid name
Step 3  frame-relay intf-type dce

DETAILED STEPS

To configure the bundle interface for dMLFR, use the following commands beginning in global configuration mode:

Step 1
  Command: Router(config)# interface mfr number
  Purpose: Configures a multilink Frame Relay bundle interface and enters interface configuration mode, where:
  • number—Specifies the number for the Frame Relay bundle.

Step 2
  Command: Router(config-if)# frame-relay multilink bid name
  Purpose: (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle, where:
  • name—Specifies the name for the Frame Relay bundle.
  Note: The bundle identification (BID) will not go into effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shutdown and no shutdown commands in interface configuration mode.

Step 3
  Command: Router(config-if)# frame-relay intf-type dce
  Purpose: Configures the router to function as a digital communications equipment (DCE) device, or as a switch.

Assigning an Interface to a dMLFR Bundle

To configure an interface link and associate it as a member of a dMLFR bundle, use the following commands beginning in global configuration mode. Repeat these steps to assign multiple links to the dMLFR bundle.
SUMMARY STEPS
Step 1  interface serial address
        OR
        interface serial slot/subslot/port/t1-number:channel-group
        OR
        interface serial slot/subslot/port:channel-group
Step 2  encapsulation frame-relay mfr number [name]
Step 3  frame-relay multilink lid name
Step 4  frame-relay multilink hello seconds
Step 5  frame-relay multilink ack seconds
Step 6  frame-relay multilink retry number

DETAILED STEPS

Note: If you use this task to assign more than 12 T1 or E1 interface links as part of the same bundle, or if any of the T1/E1 interface links are fractional T1/E1, or any links reside on multiple SPAs as part of the same bundle, then software-based dMLFR is implemented automatically by the Cisco 7600 SIP-200.

Step 1
  Command:
    1-Port Channelized OC-3/STM-1 SPA: Router(config)# interface serial address
    2-Port and 4-Port Channelized T3 SPA: Router(config)# interface serial slot/subslot/port/t1-number:channel-group
    8-Port Channelized T1/E1 SPA: Router(config)# interface serial slot/subslot/port:channel-group
  Purpose: Specifies a serial interface and enters interface configuration mode, where:
  • address—For the different supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
  • slot—Specifies the chassis slot number where the SIP is installed.
  • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
  • port—Specifies the number of the interface port on the SPA.
  • t1-number—Specifies the logical T1 number in channelized mode.
  • channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
  Note: If you configure a fractional T1/E1 interface on the SPA using a channel group and specify that fractional T1/E1 channel group as part of this task, then software-based dMLFR is implemented automatically by the Cisco 7600 SIP-200 when you assign the interface to the dMLFR bundle.

Step 2
  Command: Router(config-if)# encapsulation frame-relay mfr number [name]
  Purpose: Creates a multilink Frame Relay bundle link and associates the link with a bundle, where:
  • number—Specifies the number for the Frame Relay bundle. This number should match the dMLFR interface number specified in the interface mfr command.
  • name—(Optional) Specifies the name for the Frame Relay bundle.

Step 3
  Command: Router(config-if)# frame-relay multilink lid name
  Purpose: (Optional) Assigns a bundle link identification name to a multilink Frame Relay bundle link, where:
  • name—Specifies the name for the Frame Relay bundle.
  Note: The bundle link identification (LID) will not go into effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shutdown and no shutdown commands in interface configuration mode.

Step 4
  Command: Router(config-if)# frame-relay multilink hello seconds
  Purpose: (Optional) Configures the interval at which a bundle link will send out hello messages, where:
  • seconds—Specifies the number of seconds between hello messages sent out over the multilink bundle. The default is 10 seconds.

Step 5
  Command: Router(config-if)# frame-relay multilink ack seconds
  Purpose: (Optional) Configures the number of seconds that a bundle link will wait for a hello message acknowledgment before resending the hello message, where:
  • seconds—Specifies the number of seconds a bundle link will wait for a hello message acknowledgment before resending the hello message. The default is 4 seconds.

Step 6
  Command: Router(config-if)# frame-relay multilink retry number
  Purpose: (Optional) Configures the maximum number of times a bundle link will resend a hello message while waiting for an acknowledgment, where:
  • number—Specifies the maximum number of times a bundle link will resend a hello message while waiting for an acknowledgment. The default is 2 tries.

Verifying dMLFR

To verify dMLFR configuration, use the show frame-relay multilink command. If you use the show frame-relay multilink command without any options, information for all bundles and bundle links is displayed.

The following example shows output for the show frame-relay multilink command with the serial number and detailed options. Detailed information about the specified bundle links is displayed.

Router# show frame-relay multilink serial6 detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
 BID = MFR49
 No. of bundle links = 1, Peer's bundle-id =
 Bundle links:
  Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
   Cause code = none, Ack timer = 4, Hello timer = 10,
   Max retry count = 2, Current count = 0,
   Peer LID = , RTT = 0 ms
   Statistics:
    Add_link sent = 21, Add_link rcv'd = 0,
    Add_link ack sent = 0, Add_link ack rcv'd = 0,
    Add_link rej sent = 0, Add_link rej rcv'd = 0,
    Remove_link sent = 0, Remove_link rcv'd = 0,
    Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
    Hello sent = 0, Hello rcv'd = 0,
    Hello_ack sent = 0, Hello_ack rcv'd = 0,
    outgoing pak dropped = 0, incoming pak dropped = 0
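The output above can be read against the link integrity protocol rules from the overview. The following is an added example, not code from the guide: it parses a copy of that output (re-flowed a few fields per line, which is an assumption about the line layout), flags a link stuck in Add_sent with nothing received from the peer, and computes how long a link survives without HELLO_ACK from the ack timer and retry count. The keepalive timing model and the "Up" link-state string are assumptions taken from the text, not from a live router.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the 'show frame-relay multilink serial6 detailed' output
# shown above, re-flowed a few fields per line (line breaks are assumed).
SAMPLE_OUTPUT = """\
Bundle: MFR49, State = down, class = A, fragmentation disabled
 BID = MFR49
 No. of bundle links = 1, Peer's bundle-id =
 Bundle links:
  Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
   Cause code = none, Ack timer = 4, Hello timer = 10,
   Max retry count = 2, Current count = 0,
   Peer LID = , RTT = 0 ms
   Statistics:
    Add_link sent = 21, Add_link rcv'd = 0,
    Add_link ack sent = 0, Add_link ack rcv'd = 0,
    Add_link rej sent = 0, Add_link rej rcv'd = 0,
    Remove_link sent = 0, Remove_link rcv'd = 0,
    Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
    Hello sent = 0, Hello rcv'd = 0,
    Hello_ack sent = 0, Hello_ack rcv'd = 0,
    outgoing pak dropped = 0, incoming pak dropped = 0
"""

# "key = value" pairs separated by commas or line breaks; keys may contain
# spaces, underscores, apostrophes, dots and hyphens ("Peer's bundle-id").
_KV = re.compile(r"([A-Za-z_'.\- ]+?)[ \t]*=[ \t]*([^,\n]*)")


@dataclass
class BundleLink:
    name: str
    hw_state: str
    link_state: str
    ack_timer: int
    hello_timer: int
    max_retry: int
    stats: dict = field(default_factory=dict)


@dataclass
class Bundle:
    name: str
    state: str
    peer_bundle_id: str = ""
    links: list = field(default_factory=list)


def _fields(text):
    return {k.strip(): v.strip() for k, v in _KV.findall(text)}


def parse_show_frame_relay_multilink(text):
    """Parse 'show frame-relay multilink ... detailed' output into a Bundle."""
    head, *chunks = re.split(r"\n(?=\s*Serial)", text)
    m = re.search(r"Bundle:\s*(\S+),", head)
    if not m:
        raise ValueError("no 'Bundle:' line found")
    hdr = _fields(head)
    bundle = Bundle(m.group(1), hdr["State"], hdr.get("Peer's bundle-id", ""))
    for chunk in chunks:
        name = re.match(r"\s*(Serial\S+),", chunk).group(1)
        pre, _, stats_text = chunk.partition("Statistics:")
        f = _fields(pre)
        stats = {k: int(v) for k, v in _fields(stats_text).items()}
        bundle.links.append(BundleLink(
            name, f["HW state"], f["link state"], int(f["Ack timer"]),
            int(f["Hello timer"]), int(f["Max retry count"]), stats))
    return bundle


def hello_timeout_seconds(ack_timer, max_retry):
    """Worst-case seconds before a link whose peer stops answering HELLO is
    declared down, modelling the overview's description: the HELLO is resent
    after each ack-timer expiry up to max_retry times, and the link goes down
    when the last ack timer expires (defaults 4 s / 2 retries give 12 s)."""
    return ack_timer * (max_retry + 1)


def diagnose(bundle):
    """Map the parsed state onto the link integrity protocol rules; returns
    (name, code) pairs.  Treating link state 'Up' as the up state is an
    assumption (the sample only shows 'Add_sent')."""
    findings = []
    for link in bundle.links:
        s = link.stats
        if (link.link_state == "Add_sent" and s.get("Add_link rcv'd", 0) == 0
                and s.get("Add_link ack rcv'd", 0) == 0):
            # ADD_LINK keeps going out and nothing comes back: the peer is not
            # taking part (guideline: dMLFR must be configured on the peer).
            findings.append((link.name, "NO_ADD_LINK_ACK"))
        if s.get("Hello sent", 0) > 0 and s.get("Hello_ack rcv'd", 0) == 0:
            findings.append((link.name, "NO_HELLO_ACK"))
    if not any(l.link_state.lower() == "up" for l in bundle.links):
        # Class A rule: the bundle is up only while at least one link is up.
        findings.append((bundle.name, "NO_LINK_UP"))
    return findings


if __name__ == "__main__":
    b = parse_show_frame_relay_multilink(SAMPLE_OUTPUT)
    for who, code in diagnose(b):
        print(f"{who}: {code}")
    link = b.links[0]
    print("down after", hello_timeout_seconds(link.ack_timer, link.max_retry),
          "s without HELLO_ACK")
```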
Configuring Distributed Multilink PPP on the Cisco 7600 SIP-200

The Distributed Multilink Point-to-Point Protocol (dMLPPP) feature allows you to combine T1/E1 lines into a bundle that has the combined bandwidth of multiple T1/E1 lines. This is done by using a dMLPPP link. You choose the number of bundles and the number of T1/E1 lines in each bundle. This allows you to increase the bandwidth of your network links beyond that of a single T1/E1 line without having to purchase a T3 line.

Note: Based on your link configuration, dMLPPP can be either software-based on the Cisco 7600 SIP-200, or hardware-based on the 8-Port Channelized T1/E1 SPA and 2-Port and 4-Port Channelized T3 SPAs. For more information about the hardware-based configuration, see also Chapter 17, “Configuring the 8-Port Channelized T1/E1 SPA,” Chapter 19, “Configuring the 2-Port and 4-Port Channelized T3 SPAs,” and Chapter 25, “Configuring the 1-Port Channelized OC3/STM-1 SPA.”

The SIP-200 includes the per-fragment overhead of the MLPPP header for every fragment. On the Cisco 7600 series router, if you apply a QoS policy (with a queuing CLI such as bandwidth, WRED, or shaping, or a non-queuing CLI such as policing) on the egress interface of an MLP bundle with any number of member links, the rate and number of packets received can differ from what is seen in the following situations:
• Without an MLP header
• If the policy is applied on the ingress side of the MLP bundle
This difference narrows as the packet size increases, for example from 50 to 480 bytes. This behavior is expected owing to the line card architecture.

Note: On the SIP-400, shaping and policing are done without taking the MLP header into account.

Table 4-3 provides information about where the dMLPPP feature for SPA interfaces is supported.
This section includes the following topics:
• dMLPPP Configuration Guidelines, page 4-15
• dMLPPP Configuration Tasks, page 4-15
• Verifying dMLPPP, page 4-20

Table 4-3 dMLPPP Feature Compatibility by SIP and SPA Combination

Feature: Hardware-based dMLPPP
  Cisco 7600 SIP-200: Supported
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Feature: Hardware- and software-based dMLPPP
  Cisco 7600 SIP-200:
    In Cisco IOS Release 12.2(18)SXE and later:
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
    In Cisco IOS Release 12.2(33)SRA and later:
    • 1-Port Channelized OC3/STM-1 SPA
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

dMLPPP Configuration Guidelines

dMLPPP is supported in software by the Cisco 7600 SIP-200, or in hardware by the supported SPA. This support is determined by your link configuration.

The Cisco 7600 SIP-200 supports distributed links under the following conditions:
• All links are on the same Cisco 7600 SIP-200.
• T1 and E1 links cannot be mixed in a bundle.
• Member links in a bundle are recommended to have the same bandwidth.
• Multilink interface creation is not supported beyond 65535. If you configure a multilink interface number that is more than 65535, you will experience a connectivity loss on a switchover.
• QoS is implemented on the Cisco 7600 SIP-200 for dMLPPP.

Software-Based Guidelines

dMLPPP will be implemented in the software if any of the following conditions are met:
• Any one bundle link member is a fractional T1 or E1 link.
• There are more than 12 T1 or E1 links in a bundle.
• To enable fragmentation for software-based dMLPPP, you must configure the ppp multilink interleave command. This command is not required to enable fragmentation for hardware-based dMLPPP.
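The software-based and hardware-based guidelines, the SIP-200 link conditions and the differential-delay restriction are the same for dMLFR (above) and dMLPPP (here), so one pre-deployment check covers both. The following is an added example, not code from the guide: it classifies a planned bundle as hardware- or software-based from those rules and rejects combinations the SIP-200 does not support. The MemberLink record, the t1_links helper and the interface names it builds are this example's own constructions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MemberLink:
    """Constructed description of one bundle member (not the router's model)."""
    name: str         # e.g. "Serial3/0/2:0" (constructed)
    sip_slot: int     # chassis slot of the SIP the SPA sits in
    spa_subslot: int  # SPA subslot on that SIP
    kind: str         # "T1" or "E1"
    fractional: bool  # channel group that does not use all time slots


MAX_HARDWARE_LINKS = 12  # hardware path limit from the guidelines
MAX_DIFF_DELAY_MS = {"hardware": 50, "software": 100}  # from the restrictions


def bundle_mode(links):
    """Classify a dMLFR/dMLPPP bundle on a Cisco 7600 SIP-200 as 'hardware'
    or 'software' per the guidelines, returning (mode, reasons).  Raises
    ValueError for combinations the SIP-200 does not support at all."""
    if not links:
        raise ValueError("bundle has no member links")
    if len({l.sip_slot for l in links}) > 1:
        raise ValueError("all links must be on the same Cisco 7600 SIP-200")
    kinds = {l.kind for l in links}
    if {"T1", "E1"} <= kinds:
        raise ValueError("T1 and E1 links cannot be mixed in a bundle")
    reasons = []
    if kinds - {"T1", "E1"}:
        reasons.append("a member link is not a T1 or E1")
    if any(l.fractional for l in links):
        reasons.append("a member link is a fractional T1/E1")
    if len(links) > MAX_HARDWARE_LINKS:
        reasons.append(f"more than {MAX_HARDWARE_LINKS} links in the bundle")
    if len({(l.sip_slot, l.spa_subslot) for l in links}) > 1:
        reasons.append("member links are on different SPAs")
    # Hardware only when every hardware condition holds; any reason above
    # means the SIP-200 implements the bundle in software instead.
    return ("software" if reasons else "hardware", reasons)


def differential_delay_ok(mode, one_way_delays_ms):
    """Check the delay spread between member links against the limit for the
    bundle's mode: 50 ms in hardware, 100 ms in software."""
    spread = max(one_way_delays_ms) - min(one_way_delays_ms)
    return spread <= MAX_DIFF_DELAY_MS[mode]


def t1_links(count, subslot=0, fractional=False):
    """Constructed helper: `count` T1 channel groups on SIP slot 3, one SPA."""
    return [MemberLink(f"Serial3/{subslot}/{i}:0", 3, subslot, "T1", fractional)
            for i in range(count)]


if __name__ == "__main__":
    for label, links in [("4 x T1, one SPA", t1_links(4)),
                         ("13 x T1, one SPA", t1_links(13)),
                         ("2 + 2 T1 on two SPAs", t1_links(2) + t1_links(2, 1))]:
        mode, why = bundle_mode(links)
        print(f"{label}: {mode} {why}")
```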
Hardware-Based Guidelines

dMLPPP will be implemented in the hardware when all of the following conditions are met:
• All bundle link members are T1 or E1 only.
• All bundle links are on the same SPA.
• There are no more than 12 links in a bundle.

dMLPPP Restrictions

When configuring dMLPPP on the Cisco 7600 SIP-200, consider the following restrictions:
• Hardware and software compression is not supported.
• Encryption is not supported.
• The maximum differential delay supported is 50 ms when supported in hardware, and 100 ms when supported in software.

dMLPPP Configuration Tasks

The following sections describe how to configure dMLPPP:
• Enabling Distributed CEF Switching, page 4-15 (required)
• Creating a dMLPPP Bundle, page 4-16 (required)
• Assigning an Interface to a dMLPPP Bundle, page 4-18 (required)
• Configuring Link Fragmentation and Interleaving over dMLPPP, page 4-20 (optional)

Enabling Distributed CEF Switching

To enable dMLPPP, you must first enable distributed CEF switching. Distributed CEF switching is enabled by default on the Cisco 7600 series router.

Note: When the CEF table is large because of a high number of routes and the line card (LC) does not have enough memory, CEF is disabled. A new xconnect then does not get activated on the device, regardless of whether that LC is used as the ingress or egress LC.

SUMMARY STEPS
Step 1  ip cef distributed

DETAILED STEPS

To enable dCEF, use the following command in global configuration mode:

Step 1
  Command: Router(config)# ip cef distributed
  Purpose: Enables distributed CEF switching.

Creating a dMLPPP Bundle

SUMMARY STEPS
Step 1  interface multilink group-number
Step 2  ip address ip-address mask
Step 3  ppp multilink interleave
Step 4  ppp multilink mrru [local | remote] mrru-value
Step 5  mtu bytes
Step 6  ppp multilink fragment delay delay

DETAILED STEPS
To configure a dMLPPP bundle, use the following commands beginning in global configuration mode:

Step 1
  Command: Router(config)# interface multilink group-number
  Purpose: Creates a multilink interface and enters interface configuration mode, where:
  • group-number—Specifies the group number for the multilink bundle.
  Note: Before you can remove the bundle with no interface multilink group-number, remove the associated multilink group from the member links using the no ppp multilink command.

Step 2
  Command: Router(config-if)# ip address ip-address mask
  Purpose: Sets the IP address for the multilink group, where:
  • ip-address—Specifies the IP address for the interface.
  • mask—Specifies the mask for the associated IP subnet.

Step 3
  Command: Router(config-if)# ppp multilink interleave
  Purpose: (Optional—Software-based LFI) Enables fragmentation for the interfaces assigned to the multilink bundle. Fragmentation is disabled by default in software-based LFI.

Step 4
  Command: Router(config-if)# ppp multilink mrru [local | remote] mrru-value
  Purpose: Configures the MRRU value negotiated on a multilink bundle when MLP is used, where:
  • local—(Optional) Configures the local MRRU value. The default values for the local MRRU are the value of the multilink group interface MTU for multilink group members, and 1524 bytes for all other interfaces.
  • remote—(Optional) Configures the minimum value that the software will accept from the peer when it advertises its MRRU. By default, the software accepts any peer MRRU value of 128 or higher.
    You can specify a higher minimum acceptable MRRU value in a range from 128 to 16384 bytes.

Step 5
  Command: Router(config-if)# mtu bytes
  Purpose: (Optional) Adjusts the maximum packet size or MTU size.
  • Once you configure the MRRU on the bundle interface, you enable the router to receive large reconstructed MLP frames. You may want to configure the bundle MTU so the router can transmit large MLP frames, although it is not strictly necessary.
  • The maximum recommended value for the bundle MTU is the value of the peer’s MRRU. The default MTU for serial interfaces is 1500. The software will automatically reduce the bundle interface MTU if necessary, to avoid violating the peer’s MRRU.

Step 6
  Command: Router(config-if)# ppp multilink fragment delay delay
  Purpose: (Optional) Sets the fragmentation size that satisfies the configured delay on the multilink bundle, where:
  • delay—Specifies the delay in milliseconds.

Assigning an Interface to a dMLPPP Bundle

To configure an interface PPP link and associate it as a member of a multilink bundle, use the following commands beginning in global configuration mode. Repeat these steps to assign multiple links to the dMLPPP bundle.

Note: If you use this task to assign more than 12 T1 or E1 interface links as part of the same bundle, or if any of the T1/E1 interface links are fractional T1/E1, or any links reside on multiple SPAs as part of the same bundle, then software-based dMLPPP is implemented automatically by the Cisco 7600 SIP-200.

SUMMARY STEPS
Step 1  interface serial address
        OR
        interface serial slot/subslot/port/t1-number:channel-group
        OR
        interface serial slot/subslot/port:channel-group
Step 2  encapsulation ppp
Step 3  ppp multilink
Step 4  ppp authentication chap
Step 5  ppp chap hostname name
Step 6  ppp multilink group group-number
DETAILED STEPS

Step 1
  Command:
    1-Port Channelized OC-3/STM-1 SPA: Router(config)# interface serial address
    2-Port and 4-Port Channelized T3 SPA: Router(config)# interface serial slot/subslot/port/t1-number:channel-group
    8-Port Channelized T1/E1 SPA: Router(config)# interface serial slot/subslot/port:channel-group
    1-Port Channelized OC12/STM4 SPA: Router(config)# interface serial address
  Purpose: Specifies a serial interface and enters interface configuration mode, where:
  • address—For the different supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
  • slot—Specifies the chassis slot number where the SIP is installed.
  • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
  • port—Specifies the number of the interface port on the SPA.
  • t1-number—Specifies the logical T1 number in channelized mode.
  • channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
  Note: If you configure a fractional T1/E1 interface on the SPA using a channel group and specify that fractional T1/E1 channel group as part of this task, then software-based dMLPPP is implemented automatically by the Cisco 7600 SIP-200 when you assign the interface to the dMLPPP bundle.

Step 2
  Command: Router(config-if)# encapsulation ppp
  Purpose: Enables PPP encapsulation.
  Note: Before you can remove PPP encapsulation with no encapsulation ppp, remove the associated multilink group from the member links using the no ppp multilink command.

Step 3
  Command: Router(config-if)# ppp multilink
  Purpose: (Optional) Enables dMLPPP on the interface.

Step 4
  Command: Router(config-if)# ppp authentication chap
  Purpose: (Optional) Enables Challenge Handshake Authentication Protocol (CHAP) authentication.
Step 5
  Command: Router(config-if)# ppp chap hostname name
  Purpose: (Optional) Assigns a name to be sent in the CHAP challenge, where:
  • name—Specifies an alternate username that will be used for CHAP authentication.

Step 6
  Command: Router(config-if)# ppp multilink group group-number
  Purpose: Assigns the interface to a multilink bundle, where:
  • group-number—Specifies the group number for the multilink bundle. This number should match the dMLPPP interface number specified in the interface multilink command.

Configuring Link Fragmentation and Interleaving over dMLPPP

Link fragmentation and interleaving (LFI) over dMLPPP is supported in software on the Cisco 7600 SIP-200, or in hardware on the 2-Port and 4-Port Channelized T3 SPA and the 8-Port Channelized T1/E1 SPA. This support is determined by your link configuration.

Software-Based Guidelines

When configuring LFI over dMLPPP, consider the following guidelines for software-based LFI:
• LFI over dMLPPP will be configured in software if there is more than one link assigned to the dMLPPP bundle.
• LFI is disabled by default in software-based LFI. To enable LFI on the multilink interface, use the ppp multilink interleave command.
• Fragmentation size is calculated from the delay configured and the member link bandwidth.
• You must configure a policy map with a class under the multilink interface.
• CRTP should not be configured on a multilink interface when LFI is enabled on the multilink interface if the multilink bundle has more than one member link, and a QoS policy with a feature is enabled on the multilink interface.

Hardware-Based Guidelines

When configuring LFI over dMLPPP, consider the following guidelines for hardware-based LFI:
• LFI over dMLPPP will be configured in hardware if you only assign one link (either T1/E1 or fractional T1/E1) to the dMLPPP bundle.
• LFI is enabled by default in hardware-based LFI with a default size of 512 bytes. To enable LFI on the serial interface, use the ppp multilink interleave command.
• A policy map having a class needs to be applied to the multilink interface.

Verifying dMLPPP

To verify dMLPPP configuration, use the show ppp multilink command, as shown in the following example:

Router# show ppp multilink
Multilink2, bundle name is group2
  Bundle up for 00:01:21
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned
  0 discarded, 0 lost received, 1/255 load
  0x0 received sequence, 0x0 sent sequence
  Member links: 2 active, 0 inactive (max not set, min not set)
    Se4/3/0/1:0, since 00:01:21, no frags rcvd
    Se4/3/0/1:1, since 00:01:19, no frags rcvd

If hardware-based dMLPPP is configured on the SPA, the show ppp multilink command displays “Multilink in Hardware” as shown in the following example:

Router# show ppp multilink
Multilink1, bundle name is group1
  Bundle up for 00:00:13
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned
  0 discarded, 0 lost received, 206/255 load
  0x0 received sequence, 0x0 sent sequence
  Member links: 2 active, 0 inactive (max not set, min not set)
    Se4/2/0/1:0, since 00:00:13, no frags rcvd
    Se4/2/0/2:0, since 00:00:10, no frags rcvd
  Distributed fragmentation on. Fragment size 512. Multilink in Hardware.

Configuring Distributed Link Fragmentation and Interleaving for Frame Relay and ATM Interfaces

The Distributed Link Fragmentation and Interleaving (dLFI) feature supports the transport of real-time traffic, such as voice, and non-real-time traffic, such as data, on lower-speed Frame Relay and ATM virtual circuits (VCs) and on leased lines without causing excessive delay to the real-time traffic. This feature is implemented using dMLPPP over Frame Relay, ATM, and leased lines.
The feature enables delay-sensitive real-time packets and non-real-time packets to share the same link by fragmenting the large data packets into a sequence of smaller data packets (fragments). The fragments are then interleaved with the real-time packets. On the receiving side of the link, the fragments are reassembled and the packets reconstructed.

The dLFI feature is often useful in networks that send real-time traffic using Distributed Low Latency Queueing, such as voice, but have bandwidth problems that delay this real-time traffic due to the transport of large, less time-sensitive data packets. The dLFI feature can be used in these networks to disassemble the large data packets into multiple segments. The real-time traffic packets then can be sent between these segments of the data packets. In this scenario, the real-time traffic does not experience a lengthy delay waiting for the low- data packets to traverse the network. The data packets are reassembled at the receiving side of the link, so the data is delivered intact.

The ability to configure Quality of Service (QoS) using the Modular QoS CLI while also using dMLPPP is also introduced as part of the dLFI feature.

For specific information about configuring dLFI, refer to the FlexWAN and Enhanced FlexWAN Module Installation and Configuration Note located at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/index.htm

For information about configuring dLFI on ATM SPAs, see the “Configuring Link Fragmentation and Interleaving with Virtual Templates” section on page 7-54 in Chapter 7, “Configuring the ATM SPAs.”

Table 4-4 provides information about where the dLFI feature for SPA interfaces is supported.
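To make the fragment-and-interleave argument concrete, here is an added example that is not part of the guide: a single-link simulation with strict priority for real-time packets, run once with the data frame sent whole and once with it fragmented, and a helper for the "fragment size from configured delay and member link bandwidth" rule used by ppp multilink fragment delay. The T1 payload rate, the 1500-byte data frame and the 60-byte voice packet are constructed values, and the scheduler is a simplified model, not the line card's algorithm.

```python
from dataclasses import dataclass

T1_BPS = 1_536_000  # constructed: 24 x 64 kbps DS0 payload of one T1 member link


@dataclass
class Packet:
    name: str
    size: int          # bytes on the wire, headers included (constructed)
    arrival_ms: float  # when the packet reaches the link's queue
    realtime: bool     # True = voice, served from the priority queue


def serialization_ms(size_bytes, link_bps):
    """Time to clock size_bytes out of a link running at link_bps."""
    return size_bytes * 8 * 1000.0 / link_bps


def fragment_size_for_delay(delay_ms, link_bps):
    """Fragment size that serializes in delay_ms on one member link, i.e. the
    'calculated from the delay configured and the member link bandwidth'
    rule, modelled here for ppp multilink fragment delay."""
    return int(delay_ms * link_bps / 8000)


def schedule(packets, link_bps, fragment_size=None):
    """Single-link model: real-time packets get strict priority, the rest is
    FIFO.  Without fragment_size a data packet holds the link until its last
    byte; with it, the packet is cut into fragments and a waiting real-time
    packet is interleaved as soon as the fragment on the wire finishes.
    Returns {packet name: completion time in ms}."""
    units = []  # (arrival_ms, seq, packet, bytes, is_last_fragment)
    seq = 0
    for p in sorted(packets, key=lambda p: p.arrival_ms):
        if fragment_size is None or p.realtime:
            pieces = [p.size]
        else:
            pieces = [fragment_size] * (p.size // fragment_size)
            if p.size % fragment_size:
                pieces.append(p.size % fragment_size)
        for i, nbytes in enumerate(pieces):
            units.append((p.arrival_ms, seq, p, nbytes, i == len(pieces) - 1))
            seq += 1
    now, done = 0.0, {}
    while units:
        ready = [u for u in units if u[0] <= now]
        if not ready:  # link idle: jump to the next arrival
            now = min(u[0] for u in units)
            continue
        urgent = [u for u in ready if u[2].realtime]
        unit = min(urgent or ready, key=lambda u: (u[0], u[1]))
        units.remove(unit)
        now += serialization_ms(unit[3], link_bps)
        if unit[4]:
            done[unit[2].name] = now
    return done


def max_realtime_delay_ms(packets, link_bps, fragment_size=None):
    """Largest queueing-plus-serialization delay seen by a real-time packet."""
    done = schedule(packets, link_bps, fragment_size)
    return max(done[p.name] - p.arrival_ms for p in packets if p.realtime)


# Constructed traffic: a 1500-byte data frame already queued at t=0, then a
# 60-byte voice packet arriving 0.5 ms later.
SAMPLE = [Packet("data", 1500, 0.0, False), Packet("voice", 60, 0.5, True)]

if __name__ == "__main__":
    print("voice delay, no LFI    :", round(max_realtime_delay_ms(SAMPLE, T1_BPS), 3), "ms")
    print("voice delay, 512-B frag:", round(max_realtime_delay_ms(SAMPLE, T1_BPS, 512), 3), "ms")
    print("fragment for 10 ms on a T1:", fragment_size_for_delay(10, T1_BPS), "bytes")
```

The data frame finishes at the same time in both runs; only the voice packet's wait changes, which is the point of interleaving.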
Table 4-4 dLFI Feature Compatibility by SIP and SPA Combination

Feature: Hardware-based dLFI
  Cisco 7600 SIP-200:
    In Cisco IOS Release 12.2(18)SXE and later:
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
  Cisco 7600 SIP-400:
    In Cisco IOS Release 12.2(18)SXE and later:
    • 2-Port OC-3c/STM-1 ATM SPA
    • 1-Port OC-12c/STM-4 ATM SPA
  Cisco 7600 SIP-600: Not supported.

Feature: Hardware- and software-based dLFI
  Cisco 7600 SIP-200:
    In Cisco IOS Release 12.2(33)SRA:
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
    • 1-Port Channelized OC-3/STM-1 SPA
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Cisco 7600 Series Router LFI Restrictions

When configuring LFI on the Cisco 7600 series router, consider the following restrictions:
• A maximum of 200 permanent virtual circuits (PVCs) or switched virtual circuits (SVCs) using Link Fragmentation and Interleaving (LFI) is supported for all ATM SPAs (or other ATM modules) in a Cisco 7600 series router.
• LFI using FRF.12 is supported in hardware only for the 2-Port and 4-Port Channelized T3 SPA and 8-Port Channelized T1/E1 SPA.
• LFI over dMLPPP is supported in software or hardware depending on your link configuration. For more information about software-based LFI over dMLPPP, see the “Configuring Link Fragmentation and Interleaving over dMLPPP” section on page 4-20. For more information about hardware-based LFI over dMLPPP, refer to Chapter 17, “Configuring the 8-Port Channelized T1/E1 SPA,” and Chapter 19, “Configuring the 2-Port and 4-Port Channelized T3 SPAs.”
• QoS is implemented on the Cisco 7600 SIP-200 for dLFI.

Frame Relay Fragmentation (FRF.12)

Frame Relay Fragmentation (FRF.12) supports voice and other real-time delay-sensitive data on low-speed links. The standard accommodates variations in frame sizes, which allows a combination of real-time and non-real-time data.
FRF.12 was developed to allow long data frames to be fragmented into smaller pieces (fragments) and interleaved with real-time frames. In this way, real-time and non-real-time data frames are carried together on lower-speed links without causing excessive delay to the real-time traffic.

Table 4-4 dLFI Feature Compatibility by SIP and SPA Combination (continued)

Feature: dLFI with MPLS
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Feature: dLFI with MPLS on VPN
  Cisco 7600 SIP-200: Supported between the CE and PE devices, and with virtual routing and forwarding (VRF) configuration.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Table 4-5 shows the list of SPAs supporting FRF.12 on SIP-400. The table also lists the fragment size and fragment mode.

Table 4-5 List of SPAs supporting FRF.12 on SIP-400 (the table rows follow the summary steps below)

Restrictions

The following restrictions apply for FRF.12 on SIP-400:
• FRF.12 supports SPAs with fragmentation and reassembly capability in their hardware.
• Fragmentation support is available only for fragment sizes of 128, 256 and 512 bytes. Any other configured value is rounded down to the nearest allowed fragment size, and a console message reports the change.
• Fragmentation statistics counters are not supported for SPA-based fragmentation.

Configuring FRF.12 on SIP-400

Configure FRF.12 on SIP-400 through Policy-map-class

Complete the following to configure FRF.12 on SIP-400 through policy-map-class.
SUMMARY STEPS
Step 1  enable
Step 2  configure terminal
Step 3  class-map class-map-name
Step 4  match ip precedence precedence-range
Step 5  policy-map policy-map-name
Step 6  class class-name
Step 7  priority percent {x% | y ms}
Step 8  map-class frame-relay map-class-name
Step 9  frame-relay fragment fragment_size
Step 10 service-policy input | output policy-map-name
Step 11 interface serial slot/subslot/port:channel-group
Step 12 ip address address mask
Step 13 encapsulation frame-relay
Step 14 frame-relay intf-type dce | dte
Step 15 frame-relay interface-dlci dlci-number
Step 16 class frf12
Step 17 exit

Table 4-5 List of SPAs supporting FRF.12 on SIP-400

SPA Name | Fragment Size Supported (bytes) | Fragment Mode
1-Port Channelized OC12/STM-4 SPA | 128, 256, and 512 | Hardware
8-Port Channelized T1/E1 SPA | 128, 256, and 512 | Hardware
2-Port and 4-Port Channelized T3 SPA | 128, 256, and 512 | Hardware
1-Port Channelized OC-3/STM-1 SPA | 128, 256, and 512 | Hardware
1-Port Channelized OC48/DS3 SPA | 128, 256, and 512 | Hardware

DETAILED STEPS

Step 1
  Command or Action: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password when prompted.

Step 2
  Command or Action: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: class-map [match-all | match-any] class-name
  Example: Router(config)# class-map match-all prec4
  Purpose: Creates a traffic class, where:
  • match-all—(Optional) Specifies that all match criteria in the class map must be matched, using a logical AND of all matching statements defined under the class. This is the default keyword.
  • match-any—(Optional) Specifies that one or more match criteria must match, using a logical OR of all matching statements defined under the class.
  • class-name—Specifies the user-defined name of the class.
  Note: You can define up to 256 unique class maps.

Step 4
  Command or Action: match ip precedence precedence-range
  Example: Router(config-cmap)# match ip precedence 4
  Purpose: Matches the precedence value in the IP header, where:
  • precedence-range—Specifies the precedence value, ranging from 0 to 7.

Step 5
  Command or Action: policy-map policy-map-name
  Example: Router(config-cmap)# policy-map child2
  Purpose: Specifies the name of the policy map to be created or modified, where:
  • policy-map-name—Specifies the name of the policy to configure.

Step 6
  Command or Action: class class-name
  Example: Router(config-pmap)# class prec4
  Purpose: Specifies the name of a predefined class included in the service policy, where:
  • class-name—Specifies the name of the class to configure.

Step 7
  Command or Action: priority percent x% | y ms
  Example: Router(config-pmap-c)# priority percent 45
  Purpose: Enables conditional policing rate (kbps or link percent). Conditional policing is used if the logical or physical link is congested, where:
  • x—Specifies the burst size in kbps. The burst size configures the network to accommodate temporary bursts of traffic.
  • y—Specifies the burst size in bytes.
  • ms—Specifies the burst size in bytes.

Step 8
  Command or Action: map-class frame-relay map-class-name
  Example: Router(config-pmap-c)# map-class frame-relay frf12
  Purpose: Specifies a map class to define FRF.12.

Step 9
  Command or Action: frame-relay fragment fragment_size
  Example: Router(config-map-class)# frame-relay fragment 128
  Purpose: Enables fragmentation of Frame Relay frames for a Frame Relay map class.

Step 10
  Command or Action: service-policy input | output policy-map-name
  Example: Router(config-map-class)# service-policy output parent2
  Purpose: Attaches a traffic policy to the input or output direction of an interface, where:
  • policy-map-name—Specifies the name of the traffic policy to configure.
Step 11 interface serial slot/subslot/port:channel-grou p Example: Router(config-map-class)# interface serial 3/0/2/1:0 Selects the interface to configure. • slot/subslot/port:channel-group—Specifies the location of the interface. Step 12 ip address ip-address mask Example: Router(config-if)# ip address 111.10.10.11 255.255.255.0 Sets an IP address for an interface. • ip-address—IP address. • mask—Mask for the associated subnet. Step 13 encapsulation frame-relay Example: Router(config-if)# encapsulation frame-relay Enables frame relay encapsulation and allows frame relay processing on the supported interface. Step 14 frame-relay interface-type dce | dte Example: Router(config-if)# frame-relay interface-type dte Configures the router to function as a Digital Communications Equipment (DCE) or Data Terminal Equipment (DTE) device. Command or Action Purpose4-27 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 4 Configuring the SIPs and SSC Configuration Tasks Configuration Example This is an example to configure FRF.12 on SIP-400 through policy-map-class. 
Router> enable Router# configure terminal Router(config)# class-map match-all precedence 4 Router(config-cmap)# match ip precedence 4 Router(config-cmap)# policy-map child2 Router(config-pmap)# class precedence 4 Router(config-pmap-c)# priority percent 45 Router(config-pmap-c)# map-class frame-relay frf12 Router(config-map-class)# frame-relay fragment 128 Router(config-map-class)# service-policy output parent2 Router(config-map-class)# interface serial 3/0/2/1:0 Router(config-if)# ip address 111.10.10.11 255.255.255.0 Router(config-if)# encapsulation frame-relay Router(config-if)# frame-relay intf-type dte Router(config-if)# frame-relay interface-dlci 100 Router(config-fr-dlci)# class frf12 Router(config-fr-dlci)# exit This is an example to disable FRF.12 on SIP-400 through policy-map-class: Router(config-map-class)# interface Serial3/0/2/1:0 Router(config-if)# frame-relay interface-dlci 100 Router(config-fr-dlci)# no class frf12 Step 15 frame-relay interface-dlci dlci-number Example: Router(config-if)# frame-relay interface-dlci 100 Creates the specified DLCI on the subinterface and enters DLCI configuration mode, where: • dlci-number—Specifies the DLCI number to be used on the specified subinterface. Step 16 class frf12 no class frf12 Example: Router(config-fr-dlci)# class frf12 Router(config-fr-dlci)# no class frf12 Specifies a class to define FRF.12. Use the no form of this command to disable frame relay fragmentation. Step 17 exit Example: Router(config-fr-dlci)# exit Returns the command-line interface (CLI) to privileged EXEC mode. Command or Action Purpose4-28 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 4 Configuring the SIPs and SSC Configuration Tasks Configure End-to-end FRF.12 Fragmentation on SIP-400 Complete the following to configure end-to-end FRF.12 fragmentation on SIP-400. 
SUMMARY STEPS

Step 1   enable
Step 2   configure terminal
Step 3   interface serial slot/subslot/port:channel-group
Step 4   ip address address mask
Step 5   encapsulation frame-relay
Step 6   frame-relay interface-dlci dlci-number [protocol ip ip-address]
Step 7   frame-relay interface-type dce | dte
Step 8   frame-relay fragment fragment_size end-to-end
Step 9   exit

DETAILED STEPS

Step 1   enable
         Example: Router> enable
         Purpose: Enables privileged EXEC mode. Enter your password when prompted.

Step 2   configure terminal
         Example: Router# configure terminal
         Purpose: Enters global configuration mode.

Step 3   interface serial slot/subslot/port:channel-group
         Example: Router(config)# interface Serial 3/0/2/1:0
         Purpose: Selects the interface to configure.
         • slot/subslot/port:channel-group—Specifies the location of the interface.

Step 4   ip address ip-address mask
         Example: Router(config-if)# ip address 111.10.10.11 255.255.255.0
         Purpose: Sets an IP address for an interface.
         • ip-address—IP address.
         • mask—Mask for the associated subnet.

Step 5   encapsulation frame-relay
         Example: Router(config-if)# encapsulation frame-relay
         Purpose: Enables Frame Relay encapsulation and allows Frame Relay processing on the supported interface.

Step 6   frame-relay interface-dlci dlci-number [protocol ip ip-address]
         Example: Router(config-if)# frame-relay interface-dlci 100
         Purpose: For point-to-point subinterfaces, assigns a data-link connection identifier (DLCI) to the interface that connects to the new router, and provides the IP address of the serial port on the new router. This command should be used if the staging router is acting as the BOOTP server.

Step 7   frame-relay interface-type dce | dte
         Example: Router(config-if)# frame-relay intf-type dte
         Purpose: Configures the router to function as a Digital Communications Equipment (DCE) or Data Terminal Equipment (DTE) device.

Step 8   frame-relay fragment fragment_size end-to-end
         no frame-relay fragment fragment_size end-to-end
         Example: Router(config-if)# frame-relay fragment 128 end-to-end
                  Router(config-if)# no frame-relay fragment 128 end-to-end
         Purpose: Enables fragmentation of Frame Relay frames on an interface. Use the no form of this command to disable Frame Relay fragmentation.

Step 9   exit
         Example: Router(config-if)# exit
         Purpose: Returns the command-line interface (CLI) to privileged EXEC mode.

Configuration Example

The following example configures end-to-end FRF.12 fragmentation on SIP-400:

    Router> enable
    Router# configure terminal
    Router(config)# interface Serial3/0/2/1:0
    Router(config-if)# ip address 111.10.10.11 255.255.255.0
    Router(config-if)# encapsulation frame-relay
    Router(config-if)# frame-relay interface-dlci 100
    Router(config-if)# frame-relay intf-type dte
    Router(config-if)# frame-relay fragment 128 end-to-end
    Router(config-if)# exit

Verifying the Configuration

This section provides the commands to verify the configuration of FRF.12 on SIP-400.

    Router# show frame-relay fragment
    interface        dlci   frag-type   size   in-frag   out-frag   dropped-frag
    Se3/0/2/1:0.1    *** fragment counters are not supported ***

Note: The show frame-relay fragment command does not work for hardware-based fragmentation. Use show frame-relay pvc instead; the fragment type and size are reported in the last line of each PVC entry.

    Router# show frame-relay pvc

    PVC Statistics for interface Serial3/0/2/1:0 (Frame Relay DCE)

                  Active     Inactive      Deleted       Static
      Local          1            0            0            0
      Switched       0            0            0            0
      Unused         0            0            0            0

    DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial3/0/2/1:0.1

      input pkts 20            output pkts 17           in bytes 7640
      out bytes 5799           dropped pkts 0           in pkts dropped 0
      out pkts dropped 0                out bytes dropped 0
      in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
      out BECN pkts 0          in DE pkts 0             out DE pkts 0
      out bcast pkts 16        out bcast bytes 5760
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
      pvc create time 00:19:08, last time pvc status changed 00:09:22
      fragment type end-to-end fragment size 128     <<<<<<<<<

Troubleshooting Tips

Problem: How do I debug NPC Frame Relay?
Solution: Use the debug npc frame-relay command to display information related to Frame Relay fragmentation on an NPC. Use the command on the line card (LC).

Problem: How do I display the contents of the next-hop protocol address to DLCI mapping table on the router?
Solution: Use the show frame-relay map command. Sample output of the command:

    Router# show frame-relay map
    Serial1/2 (up): ip 172.16.1.4 dlci 401(0x191,0x6410), dynamic, broadcast,, status defined, active
    Serial1/2 (up): ip 172.16.1.5 dlci 501(0x1F5,0x7C50), dynamic, broadcast,, status defined, active
    Serial1/2 (up): ip 172.16.1.2 dlci 301(0x12D,0x48D0), dynamic, broadcast,, status defined, active

Configuring Voice over Frame Relay FRF.11 and FRF.12

Voice over Frame Relay (VoFR) enables a router to carry voice traffic (for example, telephone calls and faxes) over a Frame Relay network using the FRF.11 protocol. This specification defines multiplexed data, voice, fax, dual-tone multifrequency (DTMF) digit-relay, and channel-associated signaling (CAS) frame formats. The Frame Relay backbone must be configured to include the map class and Local Management Interface (LMI).

The Cisco VoFR implementation enables dynamic-switched and tandem-switched calls and Cisco trunk calls. Dynamic-switched calls carry dial-plan information that is used to process and route calls based on the telephone numbers. The dial-plan information is contained within dial-peer entries.

Note: Because the Cisco 7600 series router does not support voice modules, it can act only as a VoFR tandem switch when FRF.11 or FRF.12 is configured on the SIPs.

Tandem-switched calls are switched from an incoming VoFR data-link connection identifier (DLCI) to an outgoing VoFR-enabled DLCI, and tandem nodes enable the process. The nodes also switch Cisco trunk calls. Permanent calls are processed over the Cisco private-line trunks and static FRF.11 trunks that specify the frame format and coder types for voice traffic over a Frame Relay network.

VoFR connections depend on the hardware platform and type of call. The types of calls are:
• Switched (user dialed or auto-ringdown and tandem)
• Permanent (Cisco trunk or static FRF.11 trunk)

Note: FRF.11 support was removed in Cisco IOS Release 12.2(18)SXF on the Cisco 7600 series router.

Table 4-6 provides information about where the VoFR feature for SPA interfaces is supported.

For specific information about configuring voice over Frame Relay FRF.11 and FRF.12, refer to the Cisco IOS Voice, Video, and Fax Configuration Guide located at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fvvfax_c/vvfvofr.htm

Configuring Layer 2 Interworking Features on a SIP

This section provides SIP-specific information about configuring the Layer 2 interworking features on the Cisco 7600 series router.
It includes the following topics:
• Configuring Bridging for ATM Interfaces (RFC 1483/RFC 2684), page 4-33
• Configuring Multipoint Bridging, page 4-36
• Configuring Private Hosts over Virtual Private LAN Service (VPLS), page 4-54

Table 4-6  VoFR Feature Compatibility by SIP and SPA Combination

Feature: FRF.11
  Cisco 7600 SIP-200: In Cisco IOS Releases 12.2(18)SXE and 12.2(18)SXE2:
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
  Cisco 7600 SIP-400: Not supported
  Cisco 7600 SIP-600: Not supported

Feature: FRF.12
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA for FRF.12 in SPA mode, which is hardware mode:
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
    • 1-Port Channelized OC-3/STM-1 SPA
  In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA for FRF.12 in LC mode, which is software mode:
    • SPA-12in1
    • SPA-2xt3/e3
    • SPA-4xt3/e3
  Cisco 7600 SIP-400: Supported
  Cisco 7600 SIP-600: Not supported

Feature: FRF.12
  Cisco 7600 SIP-200: Effective with Cisco IOS Release 15.2(1)S, FRF.12 supports SIP-400 with the following channelized SPAs:
    • 1-Port Channelized OC12/STM4 SPA
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
    • 1-Port Channelized OC3/STM1 SPA
    • 1-Port Channelized OC48/STM16/DS3 SPA
  Cisco 7600 SIP-400: Supported
  Cisco 7600 SIP-600: Not supported

Configuring Bridging for ATM Interfaces (RFC 1483/RFC 2684)

The following types of bridging are supported on ATM SPAs in the Cisco 7600 series router. For information about SIP and SPA compatibility with each of these features, see Table 4-7.

Note: RFC 1483 has been obsoleted and superseded by RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5. To avoid confusion, this document continues to refer to the original RFC numbers.
• RFC 1483/RFC 2684 bridging for point-to-point PVCs—RFC 1483 has been obsoleted and superseded by RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5. RFC 2684 specifies the implementation of point-to-point bridging of Layer 2 PDUs from an ATM interface.
• RFC 1483/RFC 2684 bridging with IEEE 802.1Q tunneling—Allows service providers to aggregate multiple VLANs over a single VLAN, while still keeping the individual VLANs segregated and preserving the VLAN IDs for each customer. This tunneling simplifies traffic management for the service provider, while keeping customer networks segregated from one another.
• RFC 1483/RFC 2684 half-bridging—Routes IP traffic from a stub-bridged Ethernet LAN over a bridged RFC 1483/RFC 2684 ATM interface, without using integrated routing and bridging (IRB). This allows bridged traffic that terminates on an ATM PVC to be routed on the basis of the destination IP address.
• ATM routed bridge encapsulation (RBE)—The ATM SPAs support ATM Routed Bridge Encapsulation (RBE), which is similar in functionality to RFC 1483 ATM half-bridging, except that ATM half-bridging is configured on a point-to-multipoint PVC, while RBE is configured on a point-to-point PVC.
• Bridging of routed encapsulations (BRE)—Enables an ATM SPA to receive RFC 1483/2684 routed encapsulated packets and forward them as Layer 2 frames. In a BRE configuration, the PVC receives the routed PDUs, removes the RFC 1483 routed encapsulation header, and adds an Ethernet MAC header to the packet. The Layer 2 encapsulated packet is then switched by the forwarding engine to the Layer 2 interface determined by the VLAN number and destination MAC address.
• Per VLAN Spanning Tree (PVST) to PVST+ Bridge Protocol Data Unit (BPDU) interoperability—PVST is a Cisco proprietary protocol that allows a Cisco device to support multiple spanning tree topologies on a per-VLAN basis. PVST uses the BPDUs defined in IEEE 802.1D, but instead of one STP instance per switch, there is one STP instance per VLAN. PVST+ is a Cisco proprietary protocol that creates one STP instance per VLAN (as in PVST). However, PVST+ enhances PVST and uses Cisco proprietary BPDUs with a special 802.2 Subnetwork Access Protocol (SNAP) Organizational Unique Identifier (OUI) instead of the standard IEEE 802.1D frame format used by PVST. PVST+ BPDUs are also known as Simple Symmetric Transmission Protocol (SSTP) BPDUs.

Note: The 1GE SPA on SIP-400 does not support the encapsulation dot1q vlan-id [native] command.

Table 4-7 provides information about where the bridging features for ATM SPA interfaces are supported. For more details about the implementation and information about configuring bridging for ATM SPA interfaces, see Chapter 7, “Configuring the ATM SPAs.”

Table 4-7  Bridging for ATM Interfaces Feature Compatibility by SIP and SPA Combination

Feature: RFC 1483/RFC 2684 Bridging for Point-to-Point PVCs (bridge-domain command)
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
    • 1-Port OC-12c/STM-4 ATM SPA
  Cisco 7600 SIP-600: Not supported.

Feature: RFC 1483/RFC 2684 Bridging with IEEE 802.1Q Tunneling for Point-to-Point PVCs (bridge-domain dot1q-tunnel command)
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA and later:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
    • 1-Port OC-12c/STM-4 ATM SPA
  In Cisco IOS Release 12.2(18)SXF and Cisco IOS Release 12.2(33)SRA and later:
    • 1-Port OC-48c/STM-16 ATM SPA
  Cisco 7600 SIP-600: Not supported.

Feature: RFC 1483/RFC 2684 Half-Bridging for Point-to-Multipoint PVCs
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Feature: RFC 1483/RFC 2684 Routed Bridge Encapsulation (RBE) for Point-to-Point PVCs
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Feature: RFC 1483/RFC 2684 Bridging of Routed Encapsulations (BRE) for PVCs
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Feature: Enhancements to RFC 1483/RFC 2684 Spanning Tree Interoperability (PVST to PVST+ BPDU Interoperability)
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXF2 and later, and in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXF2 and later, and in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
    • 1-Port OC-12c/STM-4 ATM SPA
    • 1-Port OC-48c/STM-16 ATM SPA
  Cisco 7600 SIP-600: Not supported.

Feature: Multi-VLAN to VC
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA and later:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
    • 1-Port OC-12c/STM-4 ATM SPA
    • 1-Port OC-48c/STM-16 ATM SPA
  Cisco 7600 SIP-600: Not supported.

Configuring Multipoint Bridging

Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay PVCs, Bridge Control Protocol (BCP) ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks. Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud. This also allows service providers to gradually update their core networks to the latest Gigabit Ethernet optical technologies, while still supporting their existing customer base.

ATM interfaces use RFC 1483/RFC 2684 bridging, and Frame Relay interfaces use RFC 1490/RFC 2427 bridging, both of which provide an encapsulation method to allow the transport of Ethernet frames over each type of Layer 2 network.

Beginning in Cisco IOS Release 12.2(33)SRA, MPB support is added on the Cisco 7600 SIP-400 to multiplex different VLANs that are configured across multiple Gigabit Ethernet subinterfaces into a single broadcast domain. Gigabit Ethernet interfaces can also reside on different Cisco 7600 SIP-400s and belong to the same bridge domain.

Table 4-8 provides information about where the MPB features for SPA interfaces are supported.
Table 4-8  MPB Feature Compatibility by SIP and SPA Combination

Feature: MPB—60 VCs or interfaces per VLAN globally in the system
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
    • 2-Port and 4-Port Channelized T3 SPA
    • 2-Port and 4-Port Clear Channel T3/E3 SPA
    • 8-Port Channelized T1/E1 SPA
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXE and later:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
    • 1-Port OC-12c/STM-4 ATM SPA
  Cisco 7600 SIP-600: Not supported.

Feature: MPB—112 VCs or interfaces per VLAN on each SIP
  Note: If you are using Virtual Private LAN Service (VPLS), see the MPB configuration guidelines.
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(33)SRA:
    • 1-Port Channelized OC-3/STM-1 SPA
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
    • 2-Port and 4-Port OC-3c/STM-1 POS SPA
    • 2-Port and 4-Port Channelized T3 SPA
    • 2-Port and 4-Port Clear Channel T3/E3 SPA
    • 8-Port Channelized T1/E1 SPA
  Cisco 7600 SIP-400: Not applicable.
  Cisco 7600 SIP-600: Not supported.

Feature: MPB—120 VCs or interfaces per VLAN on each SIP
  Note: If you are using VPLS, see the MPB bridging configuration guidelines.
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-3c/STM-1 ATM SPA
    • 1-Port OC-12c/STM-4 ATM SPA
    • 1-Port OC-48c/STM-16 ATM SPA
    • 2-Port and 4-Port OC-3c/STM-1 POS SPA
    • 1-Port OC-12c/STM-4 POS SPA
    • 1-Port OC-48c/STM-16 POS SPA
  In Cisco IOS Release 15.2(1)S:
    • 1-Port Channelized OC12/STM-4 SPA
    • 2-Port and 4-Port T3/E3 SPA
    • 8-Port Channelized T1/E1 SPA
    • 1-Port Channelized OC-3/STM-1 SPA
    • 1-Port Channelized OC48/STM16/DS3 SPA
    • 2-Port and 4-Port Clear Channel T3/E3 SPA
  Cisco 7600 SIP-600: Not supported.

Feature: MPB on Gigabit Ethernet—Layer 2 bridging of frames between subinterfaces on different physical Gigabit Ethernet ports
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
    • 2-Port Gigabit Ethernet SPA
  Cisco 7600 SIP-600: Not supported.

Feature: PIM snooping for MPB
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Supported for all SPAs in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-600: Not supported.

Configuring MPB for ATM PVCs

You can configure MPB manually on individual PVCs, or you can configure a range of PVCs to configure all of the PVCs at one time. ATM interfaces use RFC 1483/RFC 2684 bridging, which provides an encapsulation method to allow the transport of Ethernet frames over the Layer 2 network.

Note: RFC 1483 has been obsoleted and superseded by RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5. To avoid confusion, this document continues to refer to the original RFC numbers.

MPB for ATM PVCs Configuration Guidelines

• Only ATM permanent virtual circuits (PVCs) are supported. SVCs are not supported.
• MPB is not supported on VLAN IDs 0, 1, 1002–1005, and 4095.
• Refer to Table 4-8 for limitations on the number of supported VCs.
• If you are using VPLS on a VC, then the total number of supported VC connection points for MPB (112 for the Cisco 7600 SIP-200, or 120 for the Cisco 7600 SIP-400) is reduced by one for each VPLS VC configured on that bridged VLAN. This reduces the total available number of VC connection points for MPB on that VLAN globally for that SIP. For example, if you configure 10 VPLS VCs on bridged VLAN 100, for a SPA on a Cisco 7600 SIP-200 in slot 4, then 10 connection points are allocated to the VPLS VCs for VLAN 100 across the SIP in slot 4. The total number of connection points available for MPB on VLAN 100 for the Cisco 7600 SIP-200 in slot 4 is 112 minus 10, or 102. A different VLAN (for example, VLAN 300) on that same Cisco 7600 SIP-200 in slot 4, without any VPLS VCs, will have the full 112 VCs available.
• Routing and bridging are supported on the same interface or subinterface, but for security reasons, routing and bridging are not supported on any given PVC. Therefore, you should not configure an IP address on a point-to-point subinterface and then configure bridging on a PVC on that subinterface.
• For a limited form of trunking on ATM PVCs supporting multiple VLANs to a single VC, you can configure dot1q tag. However, this configuration can lead to a performance penalty. When using this configuration, you can specify up to 32 bridge-domain command entries for a single PVC. The highest tag value in a group of bridge-domain commands must be greater than the first tag entered (but less than 32 greater than the first tag entered).

SUMMARY STEPS

Step 1   vlan vlan-id | vlan-range
Step 2   interface atm slot/subslot/port
Step 3   interface atm slot/subslot/port.subinterface point-to-point | multipoint
         Note: All commands up to here must be executed in global configuration mode. Hereafter the commands are executed in subinterface configuration mode.
Step 4   no ip address
Step 5   pvc [name] vpi/vci
         or
         range [range-name] pvc start-vpi/start-vci end-vpi/end-vci
Step 6   bridge-domain vlan-id [access | dot1q [tag] | dot1q-tunnel] [ignore-bpdu-pid] [pvst-tlv CE-vlan] [increment] [split-horizon]

DETAILED STEPS

To configure MPB for ATM PVCs, perform the following steps beginning in global configuration mode.

Step 1   Router(config)# vlan vlan-id | vlan-range
         Purpose: Adds the specified VLAN IDs to the VLAN database and enters VLAN configuration mode, where:
         • vlan-id—Specifies a single VLAN ID. The valid range is from 2 to 4094.
         • vlan-range—Specifies multiple VLAN IDs, as either a list or a range. The vlan-range can contain a list of the VLAN IDs, separated by a comma (,), dash (-), or both.
         Note: Before you can use a VLAN for multipoint bridging, you must manually enter its VLAN ID into the VLAN database.

Step 2   Router(config)# interface atm slot/subslot/port
         Purpose: Specifies or creates an ATM interface, where:
         • slot—Specifies the chassis slot number where the SIP is installed.
         • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
         • port—Specifies the number of the interface port on the SPA.

Step 3   Router(config)# interface atm slot/subslot/port.subinterface point-to-point | multipoint
         Purpose: Specifies or creates a subinterface and enters subinterface configuration mode, where:
         • slot—Specifies the chassis slot number where the SIP is installed.
         • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
         • port—Specifies the number of the interface port on the SPA.
         • .subinterface—Specifies the number of the subinterface on the interface port.
         • point-to-point—Specifies a point-to-point subinterface.
         • multipoint—Specifies a multipoint subinterface that allows multiple PVCs to use the same subinterface.

Step 4   Router(config-subif)# no ip address
         Purpose: Disables IP processing on the subinterface by removing its IP address.

Use the following commands (pvc and bridge-domain) to create and configure PVCs individually, repeating them as desired. Or, use the range pvc and bridge-domain commands with the increment keyword to configure a range of PVCs.

Step 5   Router(config-subif)# pvc [name] vpi/vci
         or
         Router(config-subif)# range [range-name] pvc start-vpi/start-vci end-vpi/end-vci
         Purpose: Configures a new ATM PVC or range of ATM PVCs with the specified VPI and VCI numbers and enters VC configuration mode or PVC range configuration mode, where:
         • name—(Optional) Specifies the descriptive name to identify this PVC.
         • vpi/vci—Specifies the virtual path identifier (VPI) and virtual channel identifier (VCI) for this PVC.
         • range-name—(Optional) Specifies the descriptive name of the range, up to a maximum of 15 characters.
         • start-vpi/—Specifies the beginning value for the range of virtual path identifiers (VPIs). The valid range is from 0 to 255, with a default of 0.
         • start-vci—Specifies the beginning value for a range of virtual channel identifiers (VCIs). The valid range is from 32 to 65535.
         • end-vpi/—Specifies the end value for the range of VPIs. The valid range is from 0 to 255, with a default that is equal to the start-vpi value.
         • end-vci—Specifies the end value for a range of VCIs. The valid range is from 32 to 65535.

Step 6   Router(config-if-atm-vc)# bridge-domain vlan-id [access | dot1q [tag] | dot1q-tunnel] [ignore-bpdu-pid] [pvst-tlv CE-vlan] [increment] [split-horizon]
         Purpose: Enables RFC 1483 bridging to map a bridged VLAN to an ATM PVC, where:
         • vlan-id—Specifies the number of the VLAN to be used in this bridging configuration. The valid range is from 2 to 4094. The VLAN ID must have been previously added to the VLAN database in Step 1.
         • access—(Optional) Enables access-only bridging mode, in which the bridged connection does not transmit or act upon bridge protocol data unit (BPDU) packets.
         • dot1q—(Optional) Enables IEEE 802.1Q tagging to preserve the class of service (CoS) information from the Ethernet frames across the ATM network. If not specified, the ingress side assumes a CoS value of 0 for QoS purposes. Using the dot1q keyword helps avoid misconfiguration because incoming untagged frames, or tagged frames that do not match the specified vlan-id, are dropped.
         • tag—(Optional—ATM PVCs only) Specifies the IEEE 802.1Q value in the range 1 to 4095. You can specify up to 32 bridge-domain command entries using dot1q tag for a single PVC. The highest tag value in a group of bridge-domain commands must be greater than the first tag entered (but less than 32 greater than the first tag entered).
         • dot1q-tunnel—(Optional) Enables IEEE 802.1Q tunneling mode, so that service providers can use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.
         Note: The access, dot1q, and dot1q-tunnel options are mutually exclusive. If you do not specify any of these options, the connection operates in “raw” bridging access mode, which is similar to access, except that the connection processes and transmits BPDU packets.
         • ignore-bpdu-pid—(Optional—ATM PVCs only) Ignores the protocol-ID field in RFC 1497 bridge protocol data unit (BPDU) packets, to allow interoperation with ATM customer premises equipment (CPE) devices that do not distinguish BPDU packets from data packets.
         • pvst-tlv CE-vlan—(Optional) When transmitting, translates PVST+ BPDUs into IEEE BPDUs. When receiving, translates IEEE BPDUs into PVST+ BPDUs. CE-vlan specifies the customer-edge VLAN in the SSTP Tag-Length-Value (TLV) to be inserted in an IEEE BPDU to PVST+ BPDU conversion.
         • increment—(Optional—PVC range configuration mode only) Increments the bridge domain number for each PVC in the range. This keyword is used when you are configuring a range of PVCs using the range pvc command.
         • split-horizon—(Optional) Drops egress traffic going out a VC or interface with split-horizon configured that arrived on an interface with split-horizon configured.

Verifying MPB for ATM PVCs

To display information about the PVCs that have been configured on ATM interfaces, use the following commands:
• show atm pvc—Displays a summary of the PVCs that have been configured.
• show atm vlan—Displays the connections between PVCs and VLANs.

Note: Use the show atm vlan command instead of the show interface trunk command to display information about ATM interfaces being used for multipoint bridging.

The following shows an example of each command:

    Router# show atm pvc
               VCD /                                        Peak  Avg/Min  Burst
    Interface  Name   VPI  VCI  Type  Encaps  SC   Kbps    Kbps     Cells  Sts
    5/0/0      1      0    102  PVC   SNAP    UBR  599040                  UP
    5/0/0      2      0    103  PVC   SNAP    UBR  599040                  UP
    5/0/0      3      0    111  PVC   SNAP    UBR  599040                  UP
    5/0/0      3      0    111  PVC   SNAP    UBR  599040                  UP
    5/0/0      3      0    111  PVC   SNAP    UBR  599040                  UP

    Router# show atm vlan
    Options Legend: DQ - dot1q; DT - dot1q-tunnel; MD - multi-dot1q; AC - access;
                    SP - split-horizon; BR - broadcast; IB - ignore-bpdu-pid; DEF - default

    Interface  VCD  VPI/VCI  Network Vlan ID  Customer Dot1Q-ID  PVC Status  Options
    ATM5/0/0   1    0/102    102              1002               UP          MD
    ATM5/0/0   2    0/103    103              1003               UP          MD
    ATM5/0/0   3    0/111    111              1111               UP          MD
    ATM5/0/0   3    0/111    112              1112               UP          MD
    ATM5/0/0   3    0/111    113              1113               UP          MD

Verification

Use these commands to verify operation.

Configuring MPB for Frame Relay

You can configure MPB for Frame Relay on individual DLCI circuits. You can optionally add 802.1Q tagging or 802.1Q tunneling. Frame Relay interfaces use RFC 1490/RFC 2427 bridging, which provides an encapsulation method to allow the transport of Ethernet frames over the Layer 2 network.
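The MPB guidelines above for ATM PVCs (reserved VLAN IDs, the 32-entry dot1q tag rule, no IP address plus bridging on a point-to-point subinterface, and the VPLS reduction of the 112 or 120 connection points per VLAN) apply in the same form to the Frame Relay DLCI guidelines that follow. As an added example, not Cisco code, the following Python linter checks an IOS configuration fragment against those rules; the sample configuration, the slot-to-SIP mapping, and the VPLS VC counts are constructed, and the assumed command forms are the ones shown in this section.

```python
"""Lint an IOS config fragment against the MPB guidelines above (added example, not Cisco code).
Assumes the command forms shown in this section (pvc [name] vpi/vci, frame-relay interface-dlci,
bridge-domain vlan-id [access | dot1q tag | dot1q-tunnel]); slot->SIP map and VPLS counts are supplied."""

import re
from collections import defaultdict

RESERVED_VLANS = {0, 1, 1002, 1003, 1004, 1005, 4095}   # MPB is not supported on these IDs
MAX_DOT1Q_ENTRIES = 32                                  # bridge-domain dot1q entries per PVC
MPB_POINTS_PER_SIP = {"SIP-200": 112, "SIP-400": 120}   # VC/DLCI connection points per VLAN

INTERFACE_RE = re.compile(r"^interface (\S+)(?: (point-to-point|multipoint))?$")
IP_RE = re.compile(r"^ip address \S+ \S+$")
PVC_RE = re.compile(r"^pvc (?:\S+ )?(\d+/\d+)$")
DLCI_RE = re.compile(r"^frame-relay interface-dlci (\d+)$")
BD_RE = re.compile(r"^bridge-domain (\d+)(?: (access|dot1q-tunnel|dot1q(?: (\d+))?))?")


def parse_config(text):
    """Map each (sub)interface to its mode, IP flag and circuits -> bridge-domain entries."""
    subifs = {}
    cur = circ = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := INTERFACE_RE.match(line)):
            cur = subifs.setdefault(m.group(1), {"p2p": m.group(2) == "point-to-point",
                                                 "has_ip": False, "circuits": {}})
            circ = None
        elif cur is None or not line or line.startswith("!"):
            continue
        elif IP_RE.match(line):
            cur["has_ip"] = True
        elif (m := PVC_RE.match(line) or DLCI_RE.match(line)):
            circ = cur["circuits"].setdefault(m.group(1), [])   # list of (vlan, dot1q tag or None)
        elif (m := BD_RE.match(line)) and circ is not None:
            circ.append((int(m.group(1)), int(m.group(3)) if m.group(3) else None))
    return subifs


def slot_of(ifname):
    """Chassis slot from an interface name such as ATM4/0/0.1 or Serial4/1/0:0.1."""
    m = re.match(r"^[A-Za-z-]+(\d+)/", ifname)
    return int(m.group(1)) if m else None


def mpb_capacity(sip, vpls_count):
    """Connection points left for MPB on one bridged VLAN of one SIP, e.g. 112 - 10 = 102."""
    return MPB_POINTS_PER_SIP[sip] - vpls_count


def lint(text, slot_to_sip, vpls_vcs=None):
    """Return sorted guideline violations. vpls_vcs maps (slot, vlan) -> VPLS VCs on that VLAN."""
    vpls_vcs = vpls_vcs or {}
    findings = []
    used = defaultdict(int)   # (slot, vlan) -> MPB connection points consumed (one per entry)
    for name, sub in parse_config(text).items():
        slot = slot_of(name)
        bridged = False
        for cid, entries in sub["circuits"].items():
            if not entries:
                continue
            bridged = True
            for vlan, _ in entries:
                if vlan in RESERVED_VLANS:
                    findings.append(f"{name} {cid}: VLAN {vlan} is reserved; MPB is not supported on it")
                used[(slot, vlan)] += 1
            tags = [t for _, t in entries if t is not None]
            if len(tags) > MAX_DOT1Q_ENTRIES:
                findings.append(f"{name} {cid}: {len(tags)} dot1q entries exceed the {MAX_DOT1Q_ENTRIES} allowed")
            if len(tags) > 1 and not (tags[0] < max(tags) < tags[0] + MAX_DOT1Q_ENTRIES):
                findings.append(f"{name} {cid}: dot1q tags must rise from the first tag {tags[0]} by less than {MAX_DOT1Q_ENTRIES}")
        if bridged and sub["p2p"] and sub["has_ip"]:
            findings.append(f"{name}: ip address plus bridging on a point-to-point subinterface is not supported")
    for (slot, vlan), count in used.items():
        if slot in slot_to_sip:
            left = mpb_capacity(slot_to_sip[slot], vpls_vcs.get((slot, vlan), 0))
            if count > left:
                findings.append(f"slot {slot} VLAN {vlan}: {count} MPB circuits exceed the {left} points left on {slot_to_sip[slot]}")
    return sorted(findings)


# Constructed sample configuration (not from the guide); VLAN 1002 and tag 1150 are deliberate errors.
SAMPLE_CONFIG = """\
interface ATM4/0/0.1 multipoint
 pvc 0/102
  bridge-domain 102 dot1q 1002
  bridge-domain 103 dot1q 1003
 pvc 0/111
  bridge-domain 111 dot1q 1111
  bridge-domain 112 dot1q 1112
  bridge-domain 113 dot1q 1150
interface ATM4/0/0.2 point-to-point
 ip address 10.0.0.1 255.255.255.0
 pvc 0/200
  bridge-domain 1002
interface Serial4/1/0:0.1 multipoint
 frame-relay interface-dlci 300
  bridge-domain 300 dot1q-tunnel
"""

if __name__ == "__main__":
    # slot 4 holds a SIP-200; 112 VPLS VCs already on VLAN 300 leave it no MPB points
    for finding in lint(SAMPLE_CONFIG, {4: "SIP-200"}, {(4, 300): 112}):
        print(finding)
```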
Note RFC 1490 has been obsoleted and superseded by RFC 2427, Multiprotocol Interconnect over Frame Relay. To avoid confusion, this document continues to refer to the original RFC numbers. MPB for Frame Relay Configuration Guidelines • Multipoint bridging on Frame Relay interfaces supports only IETF encapsulation. Cisco encapsulation is not supported for MPB. • MPB is not supported on VLAN IDs 0, 1, 1002–1005, and 4095. • Refer to Table 4- 8 for limitations on the number of supported VCs. • If you are using VPLS, then the total number of supported DLCI connection points for MPB (112 for the Cisco 7600 SIP-200, or 120 for the Cisco 7600 SIP-400) is reduced by one for each VPLS instance configured on that bridged VLAN. This reduces the total available number of DLCI connection points for MPB on that VLAN globally for that SIP. For example, if you configure 10 VPLS instances on a bridged VLAN 100, for a SPA on a Cisco 7600 SIP-200 in slot 4, then 10 connection points are allocated to the VPLS instances for VLAN 100 across the SIP in slot 4. Command Purpose Router# show ethernet service evc [id evc-id | interface interface-id] [detail] Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC. Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail] Displays information about one or more service instances: If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, displays data for all service instances on the given interface. Router# show ethernet service interface [interface-id] [detail] Displays information in the Port Data Block (PDB). 
Router# show ethernet service instance summary Displays overall EVC count as well as individual interface EVC count.4-45 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 4 Configuring the SIPs and SSC Configuration Tasks The total number of connection points available for MPB on VLAN 100 for the Cisco 7600 SIP-200 in slot 4 is 112 minus 10, or 102. A different VLAN (for example, VLAN 300) on that same Cisco 7600 SIP-200 in slot 4, without any VPLS DLCIs, will have the full 112 DLCIs available. • Routing and bridging is supported on the same interface or subinterface, but for security reasons, routing and bridging is not supported on any given DLCI. Therefore, you should not configure an IP address on a point-to-point subinterface and then configure bridging on a DLCI on that subinterface. SUMMARY STEPS Step 1 vlan vlan-id | vlan-range Step 2 interface serial slot/subslot/port or interface pos slot/subslot/port Step 3 encapsulation frame-relay ietf Step 4 interface serial slot/subslot/port.subinterface point-to-point | multipoint OR interface serial slot/subslot/port/t1-number:channel-group.subinterface point-to-point | multipoint OR interface serial slot/subslot/port:channel-group.subinterface point-to-point | multipoint OR interface pos slot/subslot/port.subinterface point-to-point | multipoint OR interface serial address Note All commands up till here must be executed at the global configutation mode. 
Hereafter the commands are executed in subinterface configuration mode unless specifically mentioned otherwise.

Step 5 no ip address
Step 6 frame-relay interface-dlci dlci ietf
Step 7 bridge-domain vlan-id access | dot1q | dot1q-tunnel pvst-tlv CE-vlan split-horizon (This command is executed in DLCI interface configuration mode.)

Note ChOC-12 does not support the bridge-domain command.

DETAILED STEPS

To configure MPB for Frame Relay on serial or POS SPAs, perform the following steps beginning in global configuration mode:

Step 1
Command: Router(config)# vlan vlan-id | vlan-range
Purpose: Adds the specified VLAN IDs to the VLAN database and enters VLAN configuration mode, where:
• vlan-id—Specifies a single VLAN ID. The valid range is from 2 to 4094.
• vlan-range—Specifies multiple VLAN IDs, as either a list or a range. The vlan-range can contain a list of the VLAN IDs, separated by a comma (,), dash (-), or both.

Note Before you can use a VLAN for multipoint bridging, you must manually enter its VLAN ID into the VLAN database.

Step 2
Command: Router(config)# interface serial slot/subslot/port
  or Router(config)# interface pos slot/subslot/port
Purpose: Specifies or creates a serial or POS interface, where:
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
• port—Specifies the number of the interface port on the SPA.

Step 3
Command: Router(config-if)# encapsulation frame-relay ietf
Purpose: Enables Frame Relay encapsulation on the interface, using IETF encapsulation. You must specify the ietf keyword either here or in Step 6 for each individual DLCI.

Note Multipoint bridging does not support Cisco encapsulation using the cisco keyword.

Step 4
Command (2-Port and 4-Port Clear Channel T3/E3 SPA): Router(config)# interface serial slot/subslot/port.subinterface point-to-point | multipoint
Command (2-Port and 4-Port Channelized T3 SPA): Router(config)# interface serial slot/subslot/port/t1-number:channel-group.subinterface point-to-point | multipoint
Command (8-Port Channelized T1/E1 SPA): Router(config)# interface serial slot/subslot/port:channel-group.subinterface point-to-point | multipoint
Command (1-Port Channelized OC-3/STM-1 SPA and 1-Port Channelized OC-12/STM-4 SPA): Router(config)# interface serial address
Command (1-Port OC-12c/STM-4 POS SPA or 2-Port and 4-Port OC-3c/STM-1 POS SPA): Router(config)# interface pos slot/subslot/port.subinterface point-to-point | multipoint
Purpose: Specifies or creates a subinterface and enters subinterface configuration mode, where:
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
• port—Specifies the number of the interface port on the SPA.
• .subinterface—Specifies the number of the subinterface on the interface port.
• t1-number—Specifies the logical T1 number in channelized mode.
• address—For the different supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA or 1-Port Channelized OC-12/STM-4 SPA, see the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
• channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
• point-to-point—Specifies a point-to-point subinterface.
• multipoint—Allows multiple PVCs to use the same subinterface.

Step 5
Command: Router(config-subif)# no ip address
Purpose: Disables IP processing on a particular interface by removing its IP address.

Step 6
Command: Router(config-subif)# frame-relay interface-dlci dlci ietf
Purpose: Creates the specified DLCI on the subinterface and enters DLCI configuration mode, where:
• dlci—Specifies the DLCI number to be used on the specified subinterface.
• ietf—(Optional) Specifies IETF encapsulation. This option is required if you did not specify IETF encapsulation in Step 4.

Note This command includes other options that are not supported when using multipoint bridging.

Step 7
Command: Router(config-fr-dlci)# bridge-domain vlan-id access | dot1q | dot1q-tunnel pvst-tlv CE-vlan split-horizon
Purpose: Enables RFC 1490 bridging to map a bridged VLAN to a Frame Relay DLCI, where:
• vlan-id—Specifies the number of the VLAN to be used in this bridging configuration. The valid range is from 2 to 4094. The VLAN ID must have been previously added to the VLAN database in Step 1.
• access—(Optional) Enables access-only bridging access mode, in which the bridged connection does not transmit or act upon bridge protocol data unit (BPDU) packets.
• dot1q—(Optional) Enables IEEE 802.1Q tagging to preserve the class of service (CoS) information from the Ethernet frames across the Frame Relay network. If not specified, the ingress side assumes a CoS value of 0 for QoS purposes. Using the dot1q keyword helps avoid misconfiguration because incoming untagged frames, or tagged frames that do not match the specified vlan-id, are dropped.
• dot1q-tunnel—(Optional) Enables IEEE 802.1Q tunneling mode, so that service providers can use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.

Note The access, dot1q, and dot1q-tunnel options are mutually exclusive. If you do not specify any of these options, the connection operates in “raw” bridging access mode, which is similar to access, except that the connection processes and transmits BPDU packets.

• pvst-tlv CE-vlan—(Optional) When transmitting, translates PVST+ BPDUs into IEEE BPDUs. When receiving, translates IEEE BPDUs into PVST+ BPDUs. CE-vlan specifies the customer-edge VLAN in the SSTP Tag-Length-Value (TLV) to be inserted in an IEEE BPDU to a PVST+ BPDU conversion.
• split-horizon—(Optional) Drops egress traffic going out a VC or interface with split-horizon configured, that arrived on an interface with split-horizon configured.

Note ChOC-12 does not support the bridge-domain command.

Verifying MPB for Frame Relay

To display information about the DLCIs that have been configured on Frame Relay interfaces, use the show frame-relay vlan command.

Router# show frame-relay vlan
Interface      DLCI  Bridge Domain
POS3/1/0.100   100   100

Configuring MPB for Gigabit Ethernet

Beginning in Cisco IOS Release 12.2(33)SRA, MPB support is added on the Cisco 7600 SIP-400 to multiplex different VLANs that are configured across multiple Gigabit Ethernet subinterfaces into a single broadcast domain. Gigabit Ethernet interfaces can also reside on different Cisco 7600 SIP-400s and belong to the same bridge domain.

MPB for Gigabit Ethernet Configuration Guidelines

• The Cisco 7600 SIP-400 can support a total of up to 4096 subinterfaces and bridge-domain instances per VLAN. For example, one subinterface with a configured VLAN using MPB will consume two of the available 4096 total allowable subinterfaces and bridge domains combined.
• Up to 60 subinterfaces can be put into the same bridge domain on the Cisco 7600 SIP-400.
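As an added example that is not part of the Cisco guide, the following Python script encodes the MPB limits stated in the ATM and Frame Relay guidelines above (reserved VLAN IDs, the DLCI connection-point budget per SIP minus VPLS instances, the 32-tag dot1q rule) and parses the show atm vlan output format shown earlier so a mapping can be audited before and after it is pushed. The sample output, the VLAN database set and the function names are constructed for illustration.

```python
"""Added example, not from the Cisco guide: pre-checks for multipoint bridging (MPB)
bridge-domain configuration against the limits the ATM and Frame Relay guidelines
state, plus a parser for the 'show atm vlan' output format shown above. The limits
are the guide's; the sample output, VLAN database and function names are constructed."""
import re
from typing import FrozenSet, List, NamedTuple, Set

# VLAN IDs the guide lists as unsupported for MPB on ATM and Frame Relay.
MPB_RESERVED_VLANS: FrozenSet[int] = frozenset({0, 1, 4095} | set(range(1002, 1006)))

# DLCI connection points per bridged VLAN available to MPB, by SIP type (guide values).
MPB_DLCI_POINTS = {"SIP-200": 112, "SIP-400": 120}


def vlan_id_ok(vlan_id: int) -> bool:
    """bridge-domain accepts 2-4094; MPB additionally excludes the reserved IDs."""
    return 2 <= vlan_id <= 4094 and vlan_id not in MPB_RESERVED_VLANS


def available_dlci_points(sip_type: str, vpls_instances: int) -> int:
    """MPB DLCI connection points left on one bridged VLAN of a SIP after each VPLS
    instance on that VLAN takes one (the guide's 112 - 10 = 102 case for a SIP-200)."""
    return max(MPB_DLCI_POINTS[sip_type] - vpls_instances, 0)


def dot1q_tag_group_ok(tags: List[int]) -> bool:
    """Up to 32 'bridge-domain ... dot1q' entries per ATM PVC, in the order entered; the
    highest tag must be greater than the first tag entered, but by less than 32."""
    if not 1 <= len(tags) <= 32 or not all(vlan_id_ok(t) for t in tags):
        return False
    if len(tags) == 1:
        return True
    return 0 < max(tags) - tags[0] < 32


class AtmVlanEntry(NamedTuple):
    interface: str
    vcd: int
    vpi: int
    vci: int
    network_vlan: int
    customer_dot1q: int
    status: str
    options: str


# One body row of 'show atm vlan': Interface VCD VPI/VCI NetworkVlan CustomerDot1Q Status Options
_ROW = re.compile(r"^(ATM\S+)\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def parse_show_atm_vlan(text: str) -> List[AtmVlanEntry]:
    """Return the PVC-to-VLAN rows; the legend and column header lines do not match _ROW."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            iface, vcd, vpi, vci, nvlan, cvlan, status, opts = m.groups()
            entries.append(AtmVlanEntry(iface, int(vcd), int(vpi), int(vci),
                                        int(nvlan), int(cvlan), status, opts.strip()))
    return entries


def audit_show_atm_vlan(text: str, vlan_database: Set[int]) -> List[str]:
    """Findings per mapped PVC: a network VLAN that MPB does not support, a VLAN that was
    never added with the 'vlan' command, or a PVC that is not UP."""
    findings = []
    for e in parse_show_atm_vlan(text):
        where = f"{e.interface} VCD {e.vcd} ({e.vpi}/{e.vci})"
        if not vlan_id_ok(e.network_vlan):
            findings.append(f"{where}: network VLAN {e.network_vlan} is not supported for MPB")
        elif e.network_vlan not in vlan_database:
            findings.append(f"{where}: VLAN {e.network_vlan} is not in the VLAN database")
        if e.status != "UP":
            findings.append(f"{where}: PVC status is {e.status}")
    return findings


# Constructed sample modelled on the guide's output; the last row is deliberately bad.
SAMPLE_SHOW_ATM_VLAN = """\
Options Legend: DQ - dot1q; DT - dot1q-tunnel; MD - multi-dot1q; AC - access;
SP - split-horizon; BR - broadcast; IB - ignore-bpdu-pid; DEF - default

Interface  VCD  VPI/VCI  Network  Customer  PVC     Options
                         Vlan ID  Dot1Q-ID  Status
ATM5/0/0   1    0/102    102      1002      UP      MD
ATM5/0/0   2    0/103    103      1003      UP      MD
ATM5/0/0   3    0/111    111      1111      UP      MD
ATM5/0/0   4    0/120    1003     1200      DOWN    DQ
"""

if __name__ == "__main__":
    for finding in audit_show_atm_vlan(SAMPLE_SHOW_ATM_VLAN, {102, 103, 111}):
        print(finding)
    print("SIP-200 with 10 VPLS instances:", available_dlci_points("SIP-200", 10))
```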
To configure MPB for Gigabit Ethernet, perform the following steps beginning in global configuration mode:

Step 1
Command: Router(config)# vlan {vlan-id | vlan-range}
Purpose: Adds the specified VLAN IDs to the VLAN database and enters VLAN configuration mode, where:
• vlan-id—Specifies a single VLAN ID. The valid range is from 2 to 4094.
• vlan-range—Specifies multiple VLAN IDs, as either a list or a range. The vlan-range can contain a list of the VLAN IDs, separated by a comma (,), dash (-), or both.

Note Before you can use a VLAN for multipoint bridging, you must manually enter its VLAN ID into the VLAN database.

Step 2
Command: Router(config)# interface gigabitethernet slot/subslot/port.subinterface
Purpose: Specifies or creates a Gigabit Ethernet subinterface and enters subinterface configuration mode, where:
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
• port—Specifies the number of the interface port on the SPA.
• .subinterface—Specifies the number of the subinterface on the interface port.

Step 3
Command: Router(config-subif)# encapsulation dot1q vlan-id
Purpose: Enables IEEE 802.1Q encapsulation on the interface, where vlan-id specifies the virtual LAN identifier. The allowed range is from 1 to 4095.

Step 4
Command: Router(config-subif)# bridge-domain vlan-id [dot1q | dot1q-tunnel] [bpdu {drop | transparent}] [split-horizon]
Purpose: Enables bridging of VLANs across Gigabit Ethernet subinterfaces, where:
• vlan-id—Specifies the number of the VLAN to be used in this bridging configuration. The valid range is from 2 to 4094. The VLAN ID must have been previously added to the VLAN database in Step 1.
• dot1q—(Optional) Enables IEEE 802.1Q tagging to preserve the class of service (CoS) information from the Ethernet frames across the ATM network. If not specified, the ingress side assumes a CoS value of 0 for QoS purposes.
• dot1q-tunnel—(Optional) Enables IEEE 802.1Q tunneling mode, so that service providers can use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.

Note The dot1q and dot1q-tunnel options are mutually exclusive. If you do not specify either of these options, the connection operates in “raw” bridging access mode, which is similar to access, except that the connection processes and transmits BPDU packets.

• bpdu {drop | transparent}—(Optional) Specifies whether BPDUs are processed or dropped, where:
  – drop—Specifies that BPDU packets are dropped on the subinterface.
  – transparent—Specifies that BPDU packets are forwarded as data on the subinterface, but not processed.
• split-horizon—(Optional) Drops egress traffic going out a VC or interface with split-horizon configured, that arrived on an interface with split-horizon configured.

Configuring Private Hosts SVI (Interface VLAN)

The Private Hosts feature allows automatic insertion of the Router (SVI) MAC into the Private Hosts configuration. Private Hosts track the L2 port that a server is connected to, and limit undesired traffic through MAC-layer ACLs. Hosts can carry multiple traffic types via a trunk port, remain isolated from each other, and still communicate with a common server. Private Hosts work at the Layer 2 interface level.

Port classification

• Isolated ports: The hosts which need to be isolated are directly or indirectly connected (through DSLAMs) to this type of port. The unicast traffic received on these ports should always be destined towards specified upstream devices.
• Promiscuous ports: The ports facing the core network or devices like BRAS and multicast servers are called promiscuous ports. These ports can allow any unicast or broadcast traffic received from upstream devices.

Private Hosts traffic is treated as Layer 2 traffic, and routing needs an external router to be configured. Instead of configuring a server MAC address into Private Hosts, you must configure the router MAC address. This feature adds the SVIs into the Private Hosts configuration, eliminating the need for the external router.

Configuration tasks

To configure the Private Hosts SVI (Interface VLAN) feature, perform the following steps in global configuration mode:

Step 1
Command: Router(config)# [no] private-hosts
Purpose: This command is used to enable or disable the Private Hosts feature on a Cisco 7600 device globally. The [no] form of the command disables the Private Hosts feature globally. This command is disabled by default.

Step 2
Command: Router(config)# [no] private-hosts mac-list
Purpose: This command is used to populate the MAC address list. The [no] form of the command is used to delete a MAC address from the list. The list itself is deleted after the deletion of the last MAC address.

Step 3
Command: Router(config)# [no] private-hosts vlan-list
Purpose: This command is used to provide the list of VLANs that need to be isolated. The [no] form removes the given VLANs from the isolated VLAN list.

Note This VLAN-list is also used to program the promiscuous devices' MAC addresses.

Step 4
Command: Router(config)# [no] private-hosts promiscuous [vlan-list]
Purpose: This command is used to provide the list of promiscuous MAC addresses and an optional VLAN-list on which these devices might exist. If the VLAN-list is not given, the VLAN list is taken from the global isolated VLAN-list configured. This command can be executed multiple times with different MAC-list and vlan-list combinations.

Restrictions

The following restrictions should be considered while configuring the Private Hosts SVI feature:
• You cannot restrict Private Host SVIs to a configured subset of VLANs. If you want a subset of VLANs to use SVIs, you must ensure there are no SVIs on the VLANs that are not to be routed.
• This feature is applicable only to native systems.
• This feature is not supported on hybrid systems.
• This feature installs protocol-independent PACLs and enables MAC classification on the VLAN. As a result, features like RACLs do not work with it.
• This feature is supported only on PFC-3BXL or above cards.
• This feature is not supported on EARL6 or below.

Sample Configuration

PE18_C7606#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PE18_C7606(config)#private-hosts
PE18_C7606(config)#private-hosts mac-list ML1 10de.aa0d.e2ad
PE18_C7606(config)#private-hosts vlan-list ?
  vlan-list
PE18_C7606(config)#private-hosts vlan-list 1
PE18_C7606(config)#private-hosts promiscuous ?
  promiscuous
PE18_C7606(config)#private-hosts promiscuous ML1

Verifying the Private Hosts SVI (Interface VLAN) configuration

Use the following show commands to verify the Private Hosts SVI (Interface VLAN) configuration:

Command: Router(config)# show private-hosts configuration
Purpose: Displays the global Private Hosts configuration.

Command: Router(config)# show private-hosts access-lists
Purpose: Displays the Private Hosts related access lists.

Command: Router(config)# show private-hosts interface configuration
Purpose: Displays the ports on which the feature is enabled, with the configured mode.

Command: Router(config)# show private-hosts mac-list
Purpose: Displays the configured mac-lists and their members.

Configuring Private Hosts over Virtual Private LAN Service (VPLS)

The Private Hosts feature supports the redirection of broadcast and unicast traffic from isolated ports over a VPLS virtual circuit. The Private Hosts feature allows the addition of one VPLS-enabled VLAN (a VLAN with cross-connect configured) in the Private Hosts vlan-list, along with the regular VLAN and SVI.

Restrictions and Guidelines

While configuring Private Hosts over VPLS, besides noting the Private Hosts SVI restrictions listed in Restrictions, page 4-165, keep the following additional guidelines in mind:
• Private Hosts limits VPLS support to only one VLAN. If the Private Hosts Vlan-list already has a VPLS VLAN (a VLAN with cross-connect), the addition of another VPLS VLAN will be blocked.
• If any VLAN in the Vlan-list has cross-connect configured, configuring cross-connect on another VLAN in the Vlan-list will be blocked.

Configuration Steps

Use the following commands to configure Private Hosts over VPLS.

SUMMARY STEPS

1. [no] private-hosts
2. private-hosts vlan-list vlan-ids
3. private-hosts promiscuous mac list name
4. private-hosts mac-list mac list name mac-id

DETAILED STEPS

Command: Router(config)# [no] private-hosts
Example: PE17_C7606(config)#private-hosts
Purpose: Globally enables or disables the Private Hosts SVI feature on a Cisco 7600 device. The ‘no’ form of the command disables this feature globally. By default, this command is disabled.

Command: Router(config)# private-hosts vlan-list vlan-ids
Example: PE17_C7606(config)#private-hosts vlan-list 10-15
Purpose: Enables Private Hosts on the specified VLAN or range of VLAN IDs.

Command: Router(config)# private-hosts promiscuous mac list name
Example: PE17_C7606(config)#private-hosts promiscuous maclist-1
Purpose: Sets a name for a group of Private Hosts enabled with promiscuous MAC addresses.

Command: Router(config)# private-hosts mac-list mac list name mac-id
Example: PE17_C7606(config)#private-hosts mac-list maclist-1 0000.1e11.00d1
Purpose: Assigns MAC addresses to the MAC list.

Verifying the Private Hosts on the VPLS Configuration

Use the following show commands to verify the Private Hosts over VPLS configuration:

Command: Router(config)# show private-hosts access-lists
Purpose: Displays access lists related to Private Hosts.

Command: Router(config)# show private-hosts configuration
Purpose: Displays the Private Hosts global configuration.

Command: Router(config)# show private-hosts interface
Purpose: Displays configuration related to the Private Hosts interface.

Command: Router(config)# show private-hosts mac-list
Purpose: Displays MAC lists and their members.

Example

PE17_C7606#show private-hosts ?
  access-lists   Show the private hosts related access lists
  configuration  Show private hosts global configuration
  interface      Show private hosts interface related configuration
  mac-list       Show the mac lists and their members

Table 4-9 provides the troubleshooting solutions for the Private Hosts feature.

Table 4-9 Troubleshooting Scenarios for Private Host feature
Problem: To troubleshoot and view all the TCAM entries.
Solution: Use the sh hw-mod su subslot tcam command to verify and troubleshoot issues related to the TCAM entries.

Problem: To troubleshoot and view virtual VLAN IDs on a qinq subinterface.
Solution: Use the test hw-mod su subslot command to troubleshoot issues related to virtual VLAN ID values on a QnQ subinterface.

Problem: Incorrect VLAN ID is programmed.
Solution: Use the command show hw-module subslot tcam all_entries vlan to confirm the correct VLAN IDs.

Problem: Erroneous or disabled TCAM entries.
Solution: Use the show plat soft qos tcamfeature and show platform software qos tcam commands to correct the TCAM entries.

Configuring PPP Bridging Control Protocol Support

The Bridging Control Protocol (BCP) feature on the SIPs and SPAs enables forwarding of Ethernet frames over serial and SONET networks, and provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The implementation of BCP on the SPAs includes support for IEEE 802.1D Spanning Tree Protocol, IEEE 802.1Q Virtual LAN (VLAN), and high-speed switched LANs.

The Bridging Control Protocol (BCP) feature provides support for BCP to Cisco devices, as described in RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP). The Cisco implementation of BCP is a VLAN infrastructure that does not require the use of subinterfaces to group Ethernet 802.1Q trunks and the corresponding PPP links. This approach enables users to process VLAN-encapsulated packets without having to configure subinterfaces for every possible VLAN configuration.

BCP operates in two different modes:
• Trunk mode BCP (switchport)—A single BCP link can carry multiple VLANs.
• Single-VLAN BCP (bridge-domain)—A single BCP link carries only one VLAN.

In addition, in Cisco IOS Release 12.2(33)SRA, BCP is supported over dMLPPP links on the Cisco 7600 SIP-200 with the 2-Port and 4-Port Channelized T3 SPA and 8-Port Channelized T1/E1 SPA. BCP over dMLPPP is supported in trunk mode only.

Effective from Cisco IOS Release 15.2(1)S, BCP over dMLPPP is also supported on the Cisco 7600 SIP-400 with the following SPAs:
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC12/STM-4 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear Channel T3/E3 SPA

BCP Feature Compatibility

Table 4-10 provides information about where the BCP features are supported.

Table 4-10 BCP Feature Compatibility by SIP and SPA Combination

Feature: Trunk mode BCP (switchport)
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later:
• 2-Port and 4-Port Channelized T3 SPA
• 2-Port and 4-Port Clear Channel T3/E3 SPA
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
Support for the following SPA was added in Cisco IOS Release 12.2(33)SRA:
• 1-Port Channelized OC-3/STM-1 SPA
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXE and later:
• 1-Port OC-12c/STM-4 POS SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
• 1-Port OC-48c/STM-16 POS SPA
In Cisco IOS Release 15.2(1)S:
• 1-Port Channelized OC12/STM-4 SPA
• 2-Port and 4-Port T3/E3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear Channel T3/E3 SPA
Cisco 7600 SIP-600: Not supported.

Feature: Tag-native Mode for Trunk BCP (switchport)
Cisco 7600 SIP-200:
• In Cisco IOS 12.2SX releases—Not supported.
• In Cisco IOS Release 12.2(33)SRA:
  – 2-Port and 4-Port Channelized T3 SPA
  – 2-Port and 4-Port Clear Channel T3/E3 SPA
  – 8-Port Channelized T1/E1 SPA
  – 2-Port and 4-Port OC-3c/STM-1 POS SPA
  – 1-Port Channelized OC-3/STM-1 SPA
Cisco 7600 SIP-400:
• In Cisco IOS 12.2SX releases—Not supported.
• In Cisco IOS Release 12.2(33)SRA:
  – 1-Port OC-12c/STM-4 POS SPA
  – 2-Port and 4-Port OC-3c/STM-1 POS SPA
  – 1-Port OC-48c/STM-16 POS SPA
• In Cisco IOS Release 15.2(1)S:
  – 1-Port Channelized OC12/STM-4 SPA
  – 2-Port and 4-Port Channelized T3 SPA
  – 8-Port Channelized T1/E1 SPA
  – 1-Port Channelized OC-3/STM-1 SPA
  – 1-Port Channelized OC48/STM/16/DS3 SPA
  – 2 and 4-Port Clear Channel T3/E3 SPA
Cisco 7600 SIP-600: Not supported.

Feature: Single-VLAN BCP (bridge-domain)
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later:
• 2-Port and 4-Port Channelized T3 SPA
• 2-Port and 4-Port Clear Channel T3/E3 SPA
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
Support for the following SPA was added in Cisco IOS Release 12.2(33)SRA:
• 1-Port Channelized OC-3/STM-1 SPA
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
• 1-Port OC-12c/STM-4 POS SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
• 1-Port OC-48c/STM-16 POS SPA
In Cisco IOS Release 15.2(1)S:
• 1-Port Channelized OC12/STM-4 SPA
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear Channel T3/E3 SPA
Cisco 7600 SIP-600: Not supported.

Feature: BCP over dMLPPP (trunk mode only)
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
Cisco 7600 SIP-400: In Cisco IOS Release 15.2(1)S:
• 1-Port Channelized OC12/STM-4 SPA
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
Cisco 7600 SIP-600: Not supported.

BCP Configuration Guidelines

When configuring BCP support for SPAs on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, consider the following guidelines:
• Be sure to refer to Table 4-10 for feature compatibility information.
• Beginning in Cisco IOS Release 12.2(33)SRA, QoS is supported on bridged interfaces. In Cisco IOS Release 12.2(18)SXF2 and earlier, QoS is not supported on bridged interfaces.
• Although RFC 3518 specifies support for Token Ring and Fiber Distributed Data Interface (FDDI), BCP on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 currently supports only Ethernet.

Configuring BCP in Trunk Mode

When BCP is configured in trunk mode, a single BCP link can carry multiple VLANs. This usage of BCP is consistent with that of normal Ethernet trunk ports.
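Because a BCP trunk allows no VLANs by default and has VLAN IDs it cannot carry, the allowed-VLAN list is where trunk-mode misconfigurations surface. As an added example that is not part of the Cisco guide, the following Python script parses the show interfaces trunk output layout shown in the verification section later in this chapter and audits the allowed list against the trunk mode BCP guidelines that follow (unsupported IDs 0, 1006–1023 and 1025; the Catalyst OS reserved range 1006–1024; VLANs that must be added with the vlan command; VLAN 1 for VTP). The port name, VLAN numbers and function names are constructed.

```python
"""Added example, not from the Cisco guide: parses 'show interfaces trunk' output in the
layout the guide shows for a BCP trunk port and audits the allowed-VLAN list against the
trunk mode BCP guidelines. The limits and reserved ranges are the guide's; the port name,
VLAN numbers and function names are constructed."""
from typing import Dict, List, Set

# Trunk mode BCP is not supported on VLAN IDs 0, 1006-1023 and 1025 (guide).
BCP_TRUNK_UNSUPPORTED = frozenset({0, 1025} | set(range(1006, 1024)))
# VLAN range reserved on Cisco 7600 routers running the Catalyst operating system (guide).
CATOS_RESERVED = frozenset(range(1006, 1025))


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand the vlan-list syntax of 'switchport trunk allowed vlan', e.g. '1,100,200-300'."""
    vlans: Set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if hi_n < lo_n:
            raise ValueError(f"range {item!r}: the smaller VLAN number must come first")
        vlans.update(range(lo_n, hi_n + 1))
    return vlans


def compact_vlan_list(vlans: Set[int]) -> str:
    """Inverse of expand_vlan_list: the shortest comma-separated list of ranges."""
    ordered, parts, i = sorted(vlans), [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts)


def parse_show_interfaces_trunk(text: str) -> Dict[str, dict]:
    """Collect per-port fields from the four 'Port ...' blocks of the command output."""
    ports: Dict[str, dict] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Port"):  # a column header line starts a new block
            header = line.lower()
            if "native vlan" in header:
                section = "status"
            elif "allowed and active" in header:
                section = "active"
            elif "allowed on trunk" in header:
                section = "allowed"
            else:
                section = "forwarding" if "forwarding" in header else None
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {})
        if section == "status" and len(fields) >= 5:
            entry.update(mode=fields[1], encapsulation=fields[2],
                         status=fields[3], native=int(fields[4]))
        elif section in ("allowed", "active", "forwarding") and len(fields) >= 2:
            entry[section] = expand_vlan_list(fields[1])
    return ports


def audit_bcp_trunk(text: str, intended: Set[int], peer_runs_catos: bool = False) -> List[str]:
    """Findings per trunk: non-802.1Q encapsulation, VLANs unsupported for trunk mode BCP,
    CatOS-reserved VLANs when the far end runs the Catalyst OS, intended VLANs not allowed,
    allowed VLANs not active (not in the VLAN database), and VLAN 1 missing (no VTP)."""
    findings: List[str] = []
    for port, info in parse_show_interfaces_trunk(text).items():
        allowed, active = info.get("allowed", set()), info.get("active", set())
        if info.get("encapsulation", "802.1q") != "802.1q":
            findings.append(f"{port}: BCP trunk ports support only 802.1Q encapsulation")
        if allowed & BCP_TRUNK_UNSUPPORTED:
            findings.append(f"{port}: VLANs {compact_vlan_list(allowed & BCP_TRUNK_UNSUPPORTED)} "
                            "are not supported for trunk mode BCP")
        if peer_runs_catos and allowed & CATOS_RESERVED:
            findings.append(f"{port}: reserved VLANs {compact_vlan_list(allowed & CATOS_RESERVED)} "
                            "are allowed; a CatOS peer may error-disable the port")
        if intended - allowed:
            findings.append(f"{port}: add VLANs {compact_vlan_list(intended - allowed)} with "
                            "'switchport trunk allowed vlan add'")
        if (intended & allowed) - active:
            findings.append(f"{port}: VLANs {compact_vlan_list((intended & allowed) - active)} "
                            "are allowed but not active; add them with the 'vlan' command")
        if 1 not in allowed:
            findings.append(f"{port}: VLAN 1 is not allowed, so VTP advertisements are not sent")
    return findings


# Constructed sample in the guide's layout; 1020-1026 is deliberately allowed.
SAMPLE_SHOW_INTERFACES_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
PO4/1/0     on           802.1q         trunking      1

Port        Vlans allowed on trunk
PO4/1/0     1,100,200,300,1020-1026

Port        Vlans allowed and active in management domain
PO4/1/0     1,100,200

Port        Vlans in spanning tree forwarding state and not pruned
PO4/1/0     1,100,200
"""

if __name__ == "__main__":
    for finding in audit_bcp_trunk(SAMPLE_SHOW_INTERFACES_TRUNK, {100, 200, 300, 400}, True):
        print(finding)
```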
Trunk Mode BCP Configuration Guidelines

When configuring BCP support in trunk mode for SPAs on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, consider the following guidelines:
• Be sure to refer to Table 4-10 for feature compatibility information.
• There are some differences between Ethernet trunk ports and BCP trunk ports:
  – Ethernet trunk ports support ISL and 802.1Q encapsulation; BCP trunk ports support only 802.1Q.
  – Ethernet trunk ports support Dynamic Trunking Protocol (DTP), which is used to automatically determine the trunking status of the link. BCP trunk ports are always in the trunk state, and no DTP negotiation is performed.
  – The default behavior of Ethernet trunk ports is to allow all VLANs on the trunk. The default behavior of BCP trunks is to allow no VLANs, so every VLAN that must be carried has to be explicitly configured on the BCP trunk port.
• Use the switchport command under the WAN interface when configuring trunk mode BCP.
• The SIPs support the following maximum number of BCP ports on any given VLAN:
  – Cisco IOS Release 12.2(18)SXE and later: maximum of 60 BCP ports.
  – Cisco IOS Release 12.2(33)SRA: maximum of 112 BCP ports on the Cisco 7600 SIP-200 and maximum of 120 BCP ports on the Cisco 7600 SIP-400.
• To use VLANs in trunk mode BCP, you must use the vlan command to manually add the VLANs to the VLAN database. The default behavior for trunk mode BCP allows no VLANs.
• Trunk mode BCP is not supported on VLAN IDs 0, 1006–1023, and 1025.
• The native VLAN (VLAN 1) has the following restrictions for trunk mode BCP:
  – Cisco IOS Release 12.2SX: the native VLAN is not supported.
  – Beginning in Cisco IOS Release 12.2(33)SRA: the native VLAN is supported.
• For trunk mode BCP (switchport), STP interoperability is the same as that of Ethernet switchports: the STP path cost of WAN links can be changed, and other STP functionality such as BPDU Guard and PortFast works on the WAN links. However, it is not recommended to change the default values.
• VLAN Trunking Protocol (VTP) is supported.

Note: The management VLAN, VLAN 1, must be explicitly enabled on the trunk to send VTP advertisements.

4-61 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 4 Configuring the SIPs and SSC Configuration Tasks

To configure BCP in trunk mode, perform the following steps beginning in global configuration mode:

Step 1
Command: Router(config)# vlan dot1q tag native
Purpose: (Optional) Enables dot1q tagging for all VLANs in a trunk. By default, packets on the native VLAN are sent untagged. When you enable dot1q tagging, packets on the native VLAN are tagged with the native VLAN ID. Tagging the native VLAN is also the usual precaution against 802.1Q double-tagging (VLAN hopping), which depends on native-VLAN frames being carried untagged.

Step 2
Command (by SPA):
  1-Port Channelized OC-3/STM-1 SPA or 1-Port Channelized OC-12/STM-4 SPA: Router(config)# interface serial address
  2-Port and 4-Port Clear Channel T3/E3 SPA: Router(config)# interface serial slot/subslot/port
  2-Port and 4-Port Channelized T3 SPA: Router(config)# interface serial slot/subslot/port/t1-number:channel-group
  8-Port Channelized T1/E1 SPA: Router(config)# interface serial slot/subslot/port:channel-group
  1-Port OC-12c/STM-4 POS SPA or 2-Port and 4-Port OC-3c/STM-1 POS SPA: Router(config)# interface pos slot/subslot/port
Purpose: Specifies an interface and enters interface configuration mode, where:
  • address—For the supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
  • slot—Specifies the chassis slot number where the SIP is installed.
  • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
  • port—Specifies the number of the interface port on the SPA.
  • t1-number—Specifies the logical T1 number in channelized mode.
  • channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.

Step 3
Command: Router(config-if)# switchport
Purpose: Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration. PPP encapsulation is automatically configured, and the interface is automatically configured for trunk mode and nonegotiate status.

Step 4
Command: Router(config-if)# shutdown
Purpose: Disables the interface.

Step 5
Command: Router(config-if)# no shutdown
Purpose: Restarts the disabled interface.

Step 6
Command: Router(config-if)# switchport trunk allowed vlan {all | {add | remove | except} vlan-list [,vlan-list...] | vlan-list [,vlan-list...]}
Purpose: (Optional) Controls which VLANs can receive and transmit traffic on the trunk, where:
  • all—Enables all applicable VLANs.
  • add vlan-list [,vlan-list...]—Appends the specified list of VLANs to those currently set instead of replacing the list.
  • remove vlan-list [,vlan-list...]—Removes the specified list of VLANs from those currently set instead of replacing the list.
  • except vlan-list [,vlan-list...]—Allows all VLANs except the specified list, instead of replacing the list with it.
  • vlan-list [,vlan-list...]—Specifies a single VLAN number from 1 to 4094, or a continuous range of VLANs described by two VLAN numbers from 1 to 4094. You can specify multiple VLAN numbers or ranges using a comma-separated list. To specify a range of VLANs, enter the smaller VLAN number first, separated by a hyphen from the larger VLAN number at the end of the range.

Note: Do not enable the reserved VLAN range (1006 to 1024) on trunks when connecting a Cisco 7600 series router running the Cisco IOS software on both the supervisor engine and the MSFC to a Cisco 7600 series router running the Catalyst operating system. These VLANs are reserved in Cisco 7600 series routers running the Catalyst operating system.
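The allowed-VLAN list in step 6 and the reserved-range note are easy to get wrong by hand, because a BCP trunk starts with no VLANs and several IDs are unsupported or reserved. The following Python script is an added example for this guide, not Cisco code: it expands vlan-list syntax, applies the add, remove and except forms (except is applied the way IOS defines it, all VLANs minus the list), and checks the resulting set against the VLAN-ID rules this section states for trunk-mode BCP and for single-VLAN BCP (where the bridge-domain VLAN additionally cannot be VLAN 1). The VLAN numbers used in the checks are constructed.

```python
"""Expand and check 'switchport trunk allowed vlan' lists for BCP ports.

Added example for this chapter, not Cisco code. It encodes the VLAN-ID rules
stated in the trunk-mode and single-VLAN-mode BCP guidelines:
  - the allowed list accepts VLAN IDs 1 to 4094 (smaller number first in a range);
  - trunk-mode BCP is not supported on VLAN IDs 0, 1006-1023 and 1025;
  - single-VLAN BCP additionally does not support VLAN 1 (native);
  - the reserved range 1006-1024 must not be enabled on a trunk towards a
    Cisco 7600 running the Catalyst operating system (it may err-disable the port);
  - VLAN 1 must be allowed on a BCP trunk for VTP advertisements to be sent;
  - a BCP trunk allows no VLANs by default, so the starting set is empty.
'except' is applied the way IOS defines it: all VLANs minus the given list.
"""
import re
from typing import Iterable, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094
BCP_UNSUPPORTED: Set[int] = {0, 1025} | set(range(1006, 1024))   # 0, 1006-1023, 1025
CATOS_RESERVED: Set[int] = set(range(1006, 1025))                 # 1006-1024


def parse_vlan_list(text: str) -> Set[int]:
    """Parse an IOS vlan-list such as '1,100-200,300' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for item in text.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad vlan-list element {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"range {item!r}: enter the smaller VLAN number first")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"range {item!r}: VLAN IDs must be {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def compact(vlans: Iterable[int]) -> str:
    """Format VLAN IDs back into IOS style, e.g. '1,100-200'."""
    ids = sorted(set(vlans))
    runs: List[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        runs.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(runs)


def apply_allowed_vlan(current: Set[int], command: str) -> Set[int]:
    """Apply one 'switchport trunk allowed vlan ...' command to the current set."""
    words = command.split()
    if words[:4] != ["switchport", "trunk", "allowed", "vlan"] or len(words) < 5:
        raise ValueError(f"not an allowed-vlan command: {command!r}")
    args = words[4:]
    every = set(range(VLAN_MIN, VLAN_MAX + 1))
    if args == ["all"]:
        return every
    if args[0] == "add":
        return current | parse_vlan_list("".join(args[1:]))
    if args[0] == "remove":
        return current - parse_vlan_list("".join(args[1:]))
    if args[0] == "except":
        return every - parse_vlan_list("".join(args[1:]))
    return parse_vlan_list("".join(args))   # a bare list replaces the current set


def check_bcp_vlans(vlans: Iterable[int], mode: str = "trunk",
                    catos_peer: bool = False) -> List[str]:
    """Return findings for a VLAN set under the BCP rules above (empty list = clean)."""
    vlans = set(vlans)
    findings: List[str] = []
    bad = vlans & BCP_UNSUPPORTED
    if bad:
        findings.append(f"VLAN IDs not supported for BCP: {compact(bad)}")
    if mode == "single" and 1 in vlans:
        findings.append("VLAN 1 (native) is not supported for single-VLAN BCP")
    if mode == "trunk" and 1 not in vlans:
        findings.append("VLAN 1 not allowed on trunk: VTP advertisements will not be sent")
    reserved = vlans & CATOS_RESERVED
    if catos_peer and reserved:
        findings.append(f"reserved VLANs {compact(reserved)} enabled towards a CatOS peer "
                        "(port may be error-disabled)")
    return findings
```

Run the candidate allowed-vlan commands through apply_allowed_vlan starting from an empty set, then pass the result to check_bcp_vlans before committing the configuration; for a single-VLAN BCP interface, pass the bridge-domain VLAN as a one-element set with mode="single".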
If enabled, Cisco 7600 series routers running the Catalyst operating system may error-disable the ports if there is a trunking channel between these systems.

Verifying BCP in Trunk Mode

Because the PPP link has to flap (be brought down and renegotiated), it is important that you run the following show commands after you configure BCP in trunk mode to confirm the configuration:

Command (by SPA):
  1-Port Channelized OC-3/STM-1 SPA or 1-Port Channelized OC-12/STM-4 SPA: Router# show interfaces [serial address] trunk [module number]
  2-Port and 4-Port Channelized T3 SPA: Router# show interfaces [serial slot/subslot/port/t1-number:channel-group] trunk [module number]
  2-Port and 4-Port Clear Channel T3/E3 SPA: Router# show interfaces [serial slot/subslot/port] trunk [module number]
  8-Port Channelized T1/E1 SPA: Router# show interfaces [serial slot/subslot/port:channel-group] trunk [module number]
  1-Port OC-12c/STM-4 POS SPA or 2-Port and 4-Port OC-3c/STM-1 POS SPA: Router# show interfaces [pos slot/subslot/port] trunk [module number]
Purpose: Displays the interface-trunk information, where:
  • address—For the supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
  • slot—Specifies the chassis slot number where the SIP is installed.
  • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
  • port—Specifies the number of the interface port on the SPA.
  • t1-number—Specifies the logical T1 number in channelized mode.
  • channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
  • module number—(Optional) Specifies the chassis slot number of the SIP and displays information for all interfaces of the SPAs in that SIP.

The following output of the show interfaces commands provides an example of the information that is displayed when BCP is configured in trunk mode.

Note: When switchport is configured, the encapsulation is automatically changed to PPP.

Router# show interfaces trunk
Port        Mode    Encapsulation  Status    Native vlan
PO4/1/0     on      802.1q         trunking  1
Port        Vlans allowed on trunk
PO4/1/0     1-1005,1025-1026,1028-4094
Port        Vlans allowed and active in management domain
PO4/1/0     1,100,200
Port        Vlans in spanning tree forwarding state and not pruned
PO4/1/0     1,100,200

Router# show interfaces switchport
Name: PO4/1/0
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 100
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

Router# show interfaces pos4/1/0
POS4/1/0 is up, line protocol is up
  Hardware is Packet over Sonet
  MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, crc 16, loopback not set
  Keepalive set (10 sec)
  Scramble disabled
  LCP Open
  Open: BRIDGECP, CDPCP
  Last input 00:00:05, output 00:00:05, output hang never
  Last clearing of "show interface" counters 18:48:09
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     13161719 packets input, 1145463122 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1685 packets output, 620530 bytes, 0 underruns
     0 output errors, 0 applique, 30 interface resets
     0 output buffer failures, 0 output buffers swapped out
     11 carrier transitions

Configuring BCP in Single-VLAN Mode

When BCP is configured in single-VLAN mode, a single BCP link carries only one VLAN. This is considered BCP in access mode.

Single-VLAN Mode BCP Configuration Guidelines

When configuring BCP support in single-VLAN mode for SPAs on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, consider the following guidelines:
• Be sure to refer to Table 4-10 for feature compatibility information.
• Use the bridge-domain vlan-id dot1q form of the command under a WAN interface or an ATM PVC. The dot1q keyword is necessary: it indicates that all frames on the BCP link will be tagged with an 802.1Q header. Untagged frames received on a BCP link will be dropped.
• For serial and POS SPA interfaces, the encapsulation of the interface must be PPP; otherwise, the bridge-domain command will not be accepted.
• The ATM SPAs on the Cisco 7600 series router do not support single-VLAN BCP.
• For single-VLAN BCP, you can configure the following maximum number of VCs per VLAN:
  – Cisco IOS Release 12.2SX: 60 VCs or interfaces per VLAN per chassis.
  – Beginning in Cisco IOS Release 12.2(33)SRA: 112 VCs or interfaces per VLAN per Cisco 7600 SIP-200; 120 VCs or interfaces per VLAN per Cisco 7600 SIP-400.
• VLANs must be manually added to the VLAN database, using the vlan command, to be able to use those VLANs in single-VLAN BCP.
• BCP is not supported on VLAN IDs 0, 1 (native), 1006–1023, and 1025.
• For single-VLAN BCP, only basic Spanning Tree Protocol (STP) interoperability is supported: single-VLAN BCP interfaces participate in the STP domain and the correct path cost of the links is calculated; however, changing any STP parameters for the link is not supported.
• VLAN Trunking Protocol (VTP) is not supported on single-VLAN BCP.

To configure BCP in single-VLAN mode on serial or POS SPAs, perform the following steps beginning in global configuration mode:

Step 1
Command (by SPA):
  1-Port Channelized OC-3/STM-1 SPA or 1-Port Channelized OC-12/STM-4 SPA: Router(config)# interface serial address
  2-Port and 4-Port Channelized T3 SPA: Router(config)# interface serial slot/subslot/port/t1-number:channel-group
  8-Port Channelized T1/E1 SPA: Router(config)# interface serial slot/subslot/port:channel-group
  1-Port OC-12c/STM-4 POS SPA or 2-Port and 4-Port OC-3c/STM-1 POS SPA: Router(config)# interface pos slot/subslot/port
  2-Port and 4-Port Clear Channel T3/E3 SPA: Router(config)# interface serial slot/subslot/port
Purpose: Specifies an interface and enters interface configuration mode, where:
  • address—For the supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
  • slot—Specifies the chassis slot number where the SIP is installed.
  • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
  • port—Specifies the number of the interface port on the SPA.
  • t1-number—Specifies the logical T1 number in channelized mode.
  • channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.

Step 2
Command: Router(config-if)# no ip address
Purpose: Disables IP processing on the interface by removing its IP address.

Step 3
Command: Router(config-if)# encapsulation ppp
Purpose: Configures the interface for PPP encapsulation.

Step 4
Command: Router(config-if)# bridge-domain vlan-id [dot1q | dot1q-tunnel]
Purpose: Establishes a bridge domain and tags all Ethernet frames on the BCP link with the 802.1Q header, where:
  • vlan-id—Specifies the number of the VLAN to be used in this bridging configuration. The valid range is from 2 to 4094. The VLAN ID must have been previously added to the VLAN database.
  • dot1q—(Optional) Enables IEEE 802.1Q tagging to preserve the class of service (CoS) information from the Ethernet frames across the WAN interface. If not specified, the ingress side assumes a CoS value of 0 for QoS purposes. Using the dot1q keyword helps avoid misconfiguration because incoming untagged frames, or tagged frames that do not match the specified vlan-id, are dropped.
  • dot1q-tunnel—(Optional) Enables IEEE 802.1Q tunneling mode, so that service providers can use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.

Step 5
Command: Router(config-if)# shutdown
Purpose: Disables the interface.

Step 6
Command: Router(config-if)# no shutdown
Purpose: Restarts the disabled interface.

Verifying BCP in Single-VLAN Mode

Because the PPP link has to flap (be brought down and renegotiated), it is important that you run the following show command after you configure BCP in single-VLAN mode to confirm the configuration:

Router# show interfaces pos4/1/0
POS4/1/0 is up, line protocol is up
  Hardware is Packet over Sonet
  MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, crc 16, loopback not set
  Keepalive set (10 sec)
  Scramble disabled
  LCP Open
  Open: BRIDGECP, CDPCP
  Last input 00:00:09, output 00:00:09, output hang never
  Last clearing of "show interface" counters 00:00:24
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     32 packets input, 1709 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     17 packets output, 1764 bytes, 0 underruns
     0 output errors, 0 applique, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions

Configuring BCP over dMLPPP

Beginning in Cisco IOS Release 12.2(33)SRA, BCP is supported over dMLPPP links on the Cisco 7600 SIP-200 with the 2-Port and 4-Port Channelized T3 SPA and the 8-Port Channelized T1/E1 SPA. BCP over dMLPPP is supported in trunk mode only.

Beginning in Cisco IOS Release 15.2(1)S, BCP over dMLPPP is also supported on the Cisco 7600 SIP-400 with the following SPAs:
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-12/STM-4 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC-48/STM-16/DS3 SPA

For more information about configuring the BCP over dMLPPP feature, see Chapter 17, “Configuring the 8-Port Channelized T1/E1 SPA,” and Chapter 18, “Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs.”

Configuring Virtual Private LAN Service

Virtual Private LAN Service (VPLS) enables geographically separate LAN segments to be interconnected as a single bridged domain over a packet switched network, such as IP, MPLS, or a hybrid of both. VPLS solves the network reconfiguration problems at the CE that are associated with Layer 2 Virtual Private Network (L2VPN) implementations.
The current Cisco IOS software L2VPN implementation builds a point-to-point connection to interconnect the two attachment VCs of two peering customer sites. To communicate directly among all sites of an L2VPN network, a distinct emulated VC needs to be created between each pair of peering attachment VCs. For example, when two sites of the same L2VPN network are connected to the same PE, two separate emulated VCs must be established towards a given remote site, instead of sharing a common emulated VC between these two sites. For an L2VPN customer who uses the service provider backbone to interconnect its LAN segments, the current implementation effectively turns its multiaccess broadcast network into a fully meshed point-to-point network, which requires extensive reconfiguration on the existing CE devices.

VPLS is a multipoint L2VPN architecture that connects two or more customer devices using EoMPLS bridging techniques. VPLS with EoMPLS uses an MPLS-based provider core, where the PE routers have to cooperate to forward customer Ethernet traffic for a given VPLS instance in the core. VPLS uses the provider core to join multiple attachment circuits together to simulate a virtual bridge that connects the multiple attachment circuits together. From a customer point of view, there is no topology for VPLS. All of the CE devices appear to connect to a logical bridge emulated by the provider core.

Hierarchical Virtual Private LAN Service with MPLS to the Edge

In a flat or non-hierarchical VPLS configuration, a full mesh of pseudowires (PWs) is needed between all PE nodes. A pseudowire defines a VLAN and its corresponding pseudoport. Hierarchical Virtual Private LAN Service (H-VPLS) reduces both signaling and replication overhead by using a combination of full-mesh and hub-and-spoke configurations.
Hub-and-spoke configurations operate with split horizon to allow packets to be switched between pseudowires (PWs), which effectively reduces the number of PWs between PEs.

[Figure 4-3 H-VPLS with MPLS to the Edge Network. The figure shows CE devices (CE1, CE2a, CE2b, CE4) attached through PE-CLE/L2VPN routers and Cisco 7600s to PE-PoP devices, a full mesh of LDP-signaled AToM or L2TPv3 pseudowires across the packet switched network (PSN) of the MPLS core, customer-applied VLAN tags for workgroup isolation (CE-VLANs 400 and 401) carried inside the frames, and the service-provider-applied VC label and tunnel LSP used between the participating PEs on which VPLS is functioning.]

In the H-VPLS with MPLS to the edge architecture, Ethernet Access Islands (EAIs) work in combination with a VPLS core network, with MPLS as the underlying transport mechanism. EAIs operate like standard Ethernet networks. In Figure 4-3, devices CE1, CE2a, and CE2b reside in an EAI. Traffic from any CE device within the EAI is switched locally within the EAI by the user-facing provider edge (UPE) device along the computed spanning-tree path. Each UPE device is connected to one or more network-facing provider edge (NPE) devices using PWs. Traffic that is local to the UPE is not forwarded to any NPE device.

VPLS Configuration Guidelines

When configuring VPLS on a SIP, consider the following guidelines:
• For support of specific VPLS features by SIP, see Table 4-11.
• The SIPs support up to 4000 VPLS domains per Cisco 7600 series router.
• The SIPs support up to 60 VPLS peers per domain per Cisco 7600 series router.
• The SIPs support up to 30,000 pseudowires, used in any combination of domains and peers up to the 4000-domain or 60-peer maximums. For example, up to 4000 domains with 7 peers each, or up to 60 peers in each of 500 domains.
• When configuring VPLS on a Cisco 7600 SIP-600, consider the following guidelines:
  – Q-in-Q (the ability to map a single 802.1Q tag or a random double tag combination into a VPLS instance, a Layer 3 MPLS VPN, or an EoMPLS VC) is not supported.
  – H-VPLS with Q-in-Q edge requires a Cisco 7600 SIP-600 in the uplink, and any LAN port or Cisco 7600 SIP-600 on the downlink.
• H-VPLS with MPLS edge requires either an OSM module, a Cisco 7600 SIP-600, or a Cisco 7600 SIP-400 in both the downlink (facing the UPE) and the uplink (MPLS core).
• The Cisco 7600 SIP-400 and Cisco 7600 SIP-600 provide Transparent LAN Services (TLS) and Ethernet Virtual Connection Services (EVCS).
• The Cisco 7600 SIP-400 does not support redundant PW links from a UPE to multiple NPEs.
• For information about configuring VPLS on the SIPs, consider the guidelines in this document and then refer to the “Virtual Private LAN Services on the Optical Services Modules” section of the Optical Services Module Software Configuration Note for the Cisco 7600 series router at the following URL: http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html

VPLS Feature Compatibility

Table 4-11 provides information about where the VPLS features are supported.

Table 4-11 VPLS Feature Compatibility by SIP and SPA Combination

Feature: H-VPLS with MPLS edge
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
    • 2-Port Gigabit Ethernet SPA
    • 2-Port and 4-Port OC-3c/STM-1 POS SPA
    • 1-Port OC-12c/STM-4 POS SPA
    • 1-Port OC-48c/STM-16 POS SPA
  In Cisco IOS Release 15.2(1)S:
    • 1-Port Channelized OC-12/STM-4 SPA
    • 2-Port and 4-Port Channelized T3 SPA
    • 8-Port Channelized T1/E1 SPA
    • 1-Port Channelized OC-3/STM-1 SPA
    • 1-Port Channelized OC-48/STM-16/DS3 SPA
    • 2-Port and 4-Port Clear Channel T3/E3 SPA
  Cisco 7600 SIP-600: In Cisco IOS Release 12.2(18)SXF and later:
    • 1-Port 10-Gigabit Ethernet SPA
    • 5-Port Gigabit Ethernet SPA
    • 10-Port Gigabit Ethernet SPA
    • 1-Port OC-192c/STM-64 POS/RPR SPA
    • 2-Port and 4-Port OC-48c/STM-16 POS SPA
  Support for the following SPAs was added in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-48c/STM-16 POS SPA

Feature: H-VPLS with Q-in-Q edge
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: In Cisco IOS Release 12.2(18)SXF and later:
    • 1-Port 10-Gigabit Ethernet SPA
    • 5-Port Gigabit Ethernet SPA
    • 10-Port Gigabit Ethernet SPA
    • 1-Port OC-192c/STM-64 POS/RPR SPA
    • 2-Port and 4-Port OC-48c/STM-16 POS SPA
  Support for the following SPAs was added in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-48c/STM-16 POS SPA

Feature: VPLS with point-to-multipoint EoMPLS and fully-meshed PE configuration
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
    • 2-Port Gigabit Ethernet SPA
    • 2-Port and 4-Port OC-3c/STM-1 POS SPA
    • 1-Port OC-12c/STM-4 POS SPA
    • 1-Port OC-48c/STM-16 POS SPA
  In Cisco IOS Release 15.2(1)S:
    • 1-Port Channelized OC-12/STM-4 SPA
    • 2-Port and 4-Port Channelized T3 SPA
    • 8-Port Channelized T1/E1 SPA
    • 1-Port Channelized OC-3/STM-1 SPA
    • 1-Port Channelized OC-48/STM-16/DS3 SPA
    • 2-Port and 4-Port Clear Channel T3/E3 SPA
  Cisco 7600 SIP-600: In Cisco IOS Release 12.2(18)SXF and later:
    • 1-Port 10-Gigabit Ethernet SPA
    • 5-Port Gigabit Ethernet SPA
    • 10-Port Gigabit Ethernet SPA
    • 1-Port OC-192c/STM-64 POS/RPR SPA
    • 2-Port and 4-Port OC-48c/STM-16 POS SPA
  Support for the following SPAs was added in Cisco IOS Release 12.2(33)SRA:
    • 2-Port and 4-Port OC-48c/STM-16 POS SPA

Configuring Asymmetric Carrier-Delay

In redundant link deployments where the remote network element is enabled, a link or port may be reported as UP before the port or link is ready to forward data. Because UP events are notified faster than DOWN events, this leads to traffic loss during switchover. Table 4-12 lists the differences between the conventional Carrier-Delay and Asymmetric Carrier-Delay implementations.

Restrictions and Usage Guidelines
• The acceptable limit to configure the Carrier-Delay DOWN time is 11 milliseconds and above for SIP-600 line cards. By default, Carrier-Delay is set to 10 milliseconds during card bootup. If you want to increase the default value of 10 milliseconds, you can manually configure the value on the SIP-600.
• The acceptable limit to configure the carrier-delay UP time is 4 seconds and above for SIP-200 and SIP-400 cards only if there is a scaled EVC configuration. Otherwise, you can configure the carrier-delay UP time to less than 4 seconds.
• Because the Fast Link feature and the Carrier-Delay feature are mutually exclusive, the Fast Link feature is enabled by default.
• If you configure Carrier-Delay values, the Fast Link feature is disabled on the line card.
• Although the Fast Link feature is configured by default on the card, the Carrier-Delay feature overrides the Fast Link feature when configured.
• If you have not configured Carrier-Delay values, the Fast Link feature values are used for DOWN event notification.

Table 4-12 Conventional Carrier-Delay versus Asymmetric Carrier-Delay

Conventional Carrier-Delay implementation:
  • You can configure Carrier-Delay on a main physical interface.
  • The acceptable limit to configure the Carrier-Delay UP time is 4 seconds and above.
  • You can configure a single delay value for UP and DOWN events on a link.
  • Traffic losses and timer optimization issues occur when the link goes UP or DOWN.
  • Erroneous cascading impact on other features in the SIP-200/SIP-400/SIP-600 line cards. Example: an erroneous routing table convergence occurs where the link is still present in the routing table. Dependent features such as routing convergence and FRR are delayed on the local end. Disruption of the fast readout links.

Asymmetric Carrier-Delay implementation:
  • You can configure Asymmetric Carrier-Delay on a main physical interface.
  • The acceptable limit to configure the Carrier-Delay DOWN time is 11 milliseconds and above for the SIP-600. The acceptable limit to configure the carrier-delay UP time is 4 seconds and above for SIP-200 and SIP-400 cards only if there is a scaled EVC configuration; otherwise, you can configure the carrier-delay UP time to less than 4 seconds.
  • You can configure separate delay values for the DOWN and UP events on a link.
  • Delays are useful when the link is enabled or disabled (due to physical link failures/restoration or remote end events) before the actual link status is declared. To prevent traffic loss in the SIP-200/400/600 line cards, you can configure separate notifications or carrier-delay values for card boot UP/DOWN event notifications.
  • Delays are streamlined, ensuring stable topologies.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type slot/bay/port
4. carrier-delay [0-60]
5. carrier-delay {up | down} [msec] delay
6. end

DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface type slot/bay/port
Example: P19_C7609-S(config)# int gig8/0/1
Purpose: Selects the main interface to configure.

Step 4
Command or Action: carrier-delay [0-60]
Example: P19_C7609-S(config-if)# carrier-delay 20
Purpose: Configures the conventional carrier-delay value in seconds.
Note: Ensure that the Carrier-Delay values are configured within the acceptable range of 0 to 60. If not, the router displays an error message.

Note: Once you have configured the asymmetric carrier delay (ACD) UP timer, the link comes UP only after the configured delay. It is expected that the remote end comes UP sooner than the local end (where ACD is configured), because the remote end has no asymmetric carrier delay configured: the SPA detects the link and then signals to the remote end that the port is UP.
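The limits in the restrictions above depend on the line card and on whether the card carries a scaled EVC configuration, so a running configuration can satisfy the command syntax yet still be outside the documented ranges. The following Python script is an added example for this guide, not Cisco code: it parses the carrier-delay lines of each interface from running-config text and reports values that violate those limits, together with the Fast Link consequence of configuring any carrier-delay value. The msec keyword forms (carrier-delay msec N, carrier-delay up msec N, carrier-delay down msec N) are assumed from the general IOS command syntax rather than taken from this page, and the interface names in the embedded sample configuration are constructed.

```python
"""Audit carrier-delay settings against the limits given in this section.

Added example for this chapter, not Cisco code. It reads interface blocks from
running-config text and reports values outside the documented ranges:
  - conventional 'carrier-delay <0-60>' is in seconds and must stay within 0-60;
  - the asymmetric DOWN timer must be at least 11 ms on a SIP-600;
  - the asymmetric UP timer must be at least 4 s on a SIP-200 or SIP-400 when
    the card carries a scaled EVC configuration;
  - configuring any carrier-delay value disables the Fast Link feature on the card.
The 'msec' keyword forms are assumed from general IOS syntax (the page shows
only whole seconds); the sample config below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SIP600_MIN_DOWN_MS = 11
SCALED_EVC_MIN_UP_MS = 4000


@dataclass
class CarrierDelay:
    conventional_ms: Optional[int] = None   # 'carrier-delay N'
    up_ms: Optional[int] = None             # 'carrier-delay up N'
    down_ms: Optional[int] = None           # 'carrier-delay down N'

    @property
    def configured(self) -> bool:
        return any(v is not None for v in (self.conventional_ms, self.up_ms, self.down_ms))


def parse_carrier_delay_line(line: str, cd: CarrierDelay) -> None:
    """Parse one 'carrier-delay ...' line into cd; raise ValueError on bad syntax."""
    words = line.split()[1:]
    direction = words.pop(0) if words and words[0] in ("up", "down") else None
    in_msec = bool(words) and words[0] == "msec"          # assumed keyword form
    if in_msec:
        words.pop(0)
    if len(words) != 1 or not words[0].isdigit():
        raise ValueError(f"unparsable carrier-delay line: {line.strip()!r}")
    value = int(words[0])
    if direction is None and not in_msec and not 0 <= value <= 60:
        raise ValueError("conventional carrier-delay must be within 0-60 seconds")
    ms = value if in_msec else value * 1000
    if direction == "up":
        cd.up_ms = ms
    elif direction == "down":
        cd.down_ms = ms
    else:
        cd.conventional_ms = ms


def parse_running_config(text: str) -> Dict[str, CarrierDelay]:
    """Collect carrier-delay settings per 'interface ...' block of a running config."""
    result: Dict[str, CarrierDelay] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = CarrierDelay()
        elif line.startswith("carrier-delay") and current is not None:
            parse_carrier_delay_line(line, result[current])
        elif line == "!":
            current = None
    return result


def audit_carrier_delay(text: str, card: str, scaled_evc: bool = False) -> Dict[str, List[str]]:
    """Findings per interface for a line card named 'SIP-200', 'SIP-400' or 'SIP-600'."""
    findings: Dict[str, List[str]] = {}
    for name, cd in parse_running_config(text).items():
        notes: List[str] = []
        if cd.configured:
            notes.append("carrier-delay configured: Fast Link disabled on this line card")
        else:
            notes.append("no carrier-delay configured: Fast Link values used for DOWN notification")
        if card == "SIP-600" and cd.down_ms is not None and cd.down_ms < SIP600_MIN_DOWN_MS:
            notes.append(f"DOWN timer {cd.down_ms} ms below the {SIP600_MIN_DOWN_MS} ms minimum for SIP-600")
        if (card in ("SIP-200", "SIP-400") and scaled_evc
                and cd.up_ms is not None and cd.up_ms < SCALED_EVC_MIN_UP_MS):
            notes.append("Minimum carrier-delay for UP timer is 4secs if there is a scaled EVC configuration")
        findings[name] = notes
    return findings


# Constructed running-config excerpt modelled on the verification output in this section.
SAMPLE_CONFIG = """\
interface FastEthernet2/0/0
 logging event link-status
 carrier-delay up 10
 carrier-delay down 5
!
interface GigabitEthernet8/0/1
 carrier-delay 20
!
interface GigabitEthernet8/0/2
 carrier-delay up 2
 carrier-delay down msec 10
!
"""
```

Call audit_carrier_delay with the text of show running-config, the line card type and whether a scaled EVC configuration is present; an interface whose list contains only the Fast Link note is within the documented limits.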
The local end, where ACD is configured, comes UP only after its configured UP timer expires.

Step 5
Command or Action: carrier-delay {up | down} [msec] delay
Example: P19_C7609-S(config-if)# carrier-delay up 8
         P19_C7609-S(config-if)# carrier-delay down 5
Purpose: Configures the Asymmetric Carrier-Delay UP or DOWN value, in seconds by default or in milliseconds with the msec keyword.
Note: Four seconds is the lower limit for the Asymmetric Carrier-Delay UP timer value on a scaled EVC configuration. If you configure the UP timer to less than 4 seconds, the following message is displayed:
Minimum carrier-delay for UP timer is 4secs if there is a scaled EVC configuration

Step 6
Command or Action: end
Purpose: Exits the configuration mode.

Verification

You can use the show run command to display the Carrier-Delay configuration on a SIP-200/400 physical interface.

Router# sh run int Fa2/0/0
Building configuration...
Current configuration: 219 bytes
!
interface FastEthernet2/0/0
 ip address 32.0.0.1 255.255.255.0
 logging event link-status
 carrier-delay up 10
 carrier-delay down 5
end

Configuring BFD over VCCV on SIP-400

BFD over VCCV is a mechanism for the operation and management of pseudowires that enables fault detection and diagnostics. Bidirectional forwarding detection (BFD) is a protocol that detects faults in the bidirectional path between two forwarding engines. In pseudowires, BFD uses virtual circuit connectivity verification (VCCV) to detect data plane failures. VCCV provides a control channel that is associated with a pseudowire (PW) and the corresponding operations and management functions. MPLS pseudowires can dynamically signal or statically configure virtual circuit (VC) labels. VCCV control channel (CC) types define the possible control channels that VCCV can support, and connection verification (CV) types indicate the types of CV packets and protocols that can be sent on the specified control channel. In dynamically signaled pseudowires, the CC types and CV types are also signaled. In statically configured pseudowires, the CC and CV types must be configured on both ends of the pseudowire.

The following BFD over VCCV modes are possible on pseudowires:
• BFD over VCCV on a static pseudowire with attachment circuit signaling
• BFD over VCCV on a static pseudowire without attachment circuit signaling
• BFD over VCCV on a dynamic pseudowire without attachment circuit signaling

Configuration Restrictions

Follow these restrictions when configuring BFD over VCCV on the SIP-400:
• Only BFD over VCCV Type 1 without Internet Protocol (IP)/User Datagram Protocol (UDP) is supported. In VCCV Type 1, traffic follows the same path as the pseudowire data traffic, and VCCV Type 1 can be used only for MPLS pseudowires with the control word.
• L2TPv3 is currently not supported.
• Pseudowire redundancy is not supported.
• Only ATM is supported as the attachment circuit.
• Up to 1200 pseudowires can be enabled for BFD over VCCV.
• When BFD over VCCV is enabled on the pseudowire, switched virtual interface (SVI) based Ethernet over MPLS (EoMPLS) is not supported.
• When BFD over VCCV is enabled on the pseudowire, a multipoint core-facing interface is not supported.
• BFD over VCCV sessions are supported on single-segment pseudowires between provider edge routers (PEs).
• On multi-segment pseudowires, BFD over VCCV sessions are supported only between the terminating PE routers (T-PEs); sessions between a T-PE and a switching PE router (S-PE) are not supported.
• Only these SPAs are supported on the line card edge that faces the attachment circuit:
  – 2-Port OC-3c/STM-1 ATM SPA
  – 4-Port OC-3c/STM-1 ATM SPA
  – 1-Port OC-12c/STM-4 ATM SPA
  – 1-Port OC-48c/STM-16 ATM SPA

Configuration Steps

Perform these steps to configure BFD over VCCV.

SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 bfd-template single-hop bfd-template-name
Step 4 interval min-tx msec min-rx msec multiplier number
Step 5 exit
Step 6 pseudowire-class pseudowire-class-name
Step 7 encapsulation mpls
Step 8 vccv bfd template bfd-template-name
Step 9 exit
Step 10 interface atm slot/subslot/port
Step 11 pvc vpi/vci l2transport
Step 12 xconnect destination vc-id pseudowire-class pseudowire-class-name
Step 13 exit

DETAILED STEPS

Step 1
Command: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: Router(config)# bfd-template single-hop bfd-template-name
Purpose: Specifies the BFD template.

Step 4
Command: Router(config-bfd)# interval min-tx msec min-rx msec multiplier number
Example: Router(config-bfd)# interval min-tx 500 min-rx 500 multiplier 3
Purpose: Specifies the following BFD VCCV parameters:
  • min-tx: Minimum transmission interval, in milliseconds, that the local system uses when transmitting BFD control packets. The valid range is 50 to 999.
  • min-rx: Minimum receive interval, in milliseconds, between received control packets that this system is capable of supporting. The valid range is 50 to 999.
  • multiplier: The negotiated transmit interval, multiplied by this value, provides the detection time for the transmitting system in asynchronous mode.

Step 5
Command: Router(config-bfd)# exit
Purpose: Exits from the BFD template configuration mode.

Step 6
Command: Router(config)# pseudowire-class pseudowire-class-name
Example: Router(config)# pseudowire-class BFD
Purpose: Specifies the pseudowire class.

Step 7
Command: Router(config-pw-class)# encapsulation mpls
Purpose: Specifies the encapsulation method.

Step 8
Command: Router(config-pw-class)# vccv bfd template bfd-template-name
Example: Router(config-pw-class)# vccv bfd template bfd-template
Purpose: Applies the configured BFD interval timers to the BFD VCCV pseudowire class.

Step 9
Command: Router(config-pw-class)# exit
Purpose: Exits from the pseudowire class configuration mode.

Step 10
Command: Router(config)# interface atm slot/subslot/port
Example: Router(config)# interface atm3/0/0
Purpose: Specifies an ATM interface and enters interface configuration mode.

Step 11
Command: Router(config-if)# pvc vpi/vci l2transport
Example: Router(config-if)# pvc 2/101 l2transport
Purpose: Assigns a virtual path identifier (VPI) and a virtual circuit identifier (VCI). The l2transport keyword indicates that the permanent virtual circuit (PVC) is a switched PVC instead of a terminated PVC.

Step 12
Command: Router(config-atm-pvc)# xconnect destination vc-id pseudowire-class pseudowire-class-name
Example: Router(config-atm-pvc)# xconnect 16.1.1.1 2 pseudowire-class BFD
Purpose: Specifies the virtual circuit (VC).
  • destination: Specifies the loopback address of the remote router.
  • vc-id: Identifies the virtual circuit between the PE routers at each end point of the VC. It must be unique for each VC.

Step 13
Command: Router(config-atm-pvc)# exit
Purpose: Exits from the ATM PVC configuration mode.

Note: If you apply or remove a QoS service policy on the ATM PVC, the configured BFD VCCV sessions are renegotiated and a minimal drop in data traffic occurs.

Verifying BFD VCCV Configuration

Use the show mpls l2transport vc detail command to verify the BFD VCCV configuration.

RouterA# show mpls l2transport vc detail
Local interface: AT3/0/0 up, line protocol up, ATM AAL5 2/101 up
  Destination address: 23.1.1.1, VC ID: 1, VC status: up
    Output interface: Gi5/1, imposed label stack {2559}
    Preferred path: not configured
    Default path: active
    Next hop: 9.1.1.2
  Create time: 00:18:39, last status change time: 00:04:50
  Signaling protocol: LDP, peer 23.1.1.1:0 up
    Targeted Hello: 22.1.1.1(LDP Id) -> 23.1.1.1, LDP is UP
    Status TLV support (local/remote) : enabled/supported
      LDP route watch : enabled
      Label/status state machine : established, LruRru
      Last local dataplane status rcvd: No fault
      Last local SSS circuit status rcvd: No fault
      Last local SSS circuit status sent: No fault
      Last local LDP TLV status sent: No fault
      Last remote LDP TLV status rcvd: No fault
      Last remote LDP ADJ status rcvd: No fault
    MPLS VC labels: local 16, remote 2559
    Group ID: local 0, remote 0
    MTU: local 4470, remote 4470
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Control Word: On (configured: autosense)
  VCCV BFD protection active
    BFD Template - bfd
    CC Type - 1
    CV Type - fault detection only with IP/UDP headers
  SSO Descriptor: 23.1.1.1/1, local label: 16
  SSM segment/switch IDs: 8195/4097 (used), PWID: 12290
  VC statistics:
    transit packet totals: receive 225, send 89
    transit byte totals:   receive 13300, send 5340
    transit packet drops:  receive 0, seq error 0, send 0

Alternatively, you can use the show bfd neighbors command from the destination router to verify the configuration.

RouterB# show bfd neighbors mpls-pw 22.1.1.1 vcid 1 detail
NeighAddr        LD/RD    RH/RS  State   Int
22.1.1.1 :1      1/1      Up     Up      N/A
Session state is UP and not using echo function.
OurAddr: 0.0.0.0
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 500000, MinRxInt: 500000, Multiplier: 3
Received MinRxInt: 500000, Received Multiplier: 3
Holddown (hits): 1372(2), Hello (hits): 500(4051)
Rx Count: 3200, Rx Interval (ms) min/max/avg: 1/488/91 last: 128 ms ago
Tx Count: 3203, Tx Interval (ms) min/max/avg: 40/472/91 last: 128 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: Xconnect
Uptime: 00:04:49
Last packet: Version: 1            - Diagnostic: 0
             State bit: Up         - Demand bit: 0
             Poll bit: 0           - Final bit: 1
             Multiplier: 3         - Length: 24
             My Discr.: 1          - Your Discr.: 1
             Min tx interval: 500000 - Min rx interval: 500000
             Min Echo interval: 0

Debugging the BFD Configuration

Use these debug commands to troubleshoot the BFD VCCV configuration.

Command: debug condition xconnect peer ipaddress vcid vcid
Purpose: Allows conditional filtering of debug messages based on the VC ID.

Command: debug mpls l2 vc vccv events
Purpose: Debugs Any Transport over MPLS (AToM) VCCV events.

Command: debug mpls l2 vc vccv bfd events
Purpose: Enables the debug event messages during the creation of a BFD session.

Configuring MPLS Features on a SIP

Many of the MPLS features supported on the FlexWAN and Enhanced FlexWAN modules on the Cisco 7600 series router are also supported by the SIPs. For a list of the supported MPLS features on the SIPs, see Chapter 3, “Overview of the SIPs and SSC.” This section describes those MPLS features that have SIP-specific configuration guidelines. After you review the SIP-specific guidelines described in this document, refer to the following URL for more information about configuring MPLS features:
This command enables debug event messages when BFD sends the data plane fault notification to L2VPN and also when L2VPN sends the attachment circuit signaling status to BFD.4-80 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 4 Configuring the SIPs and SSC Configuration Tasks http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexmpls.html This section includes the following topics: • Configuring Any Transport over MPLS on a SIP, page 4-80 • Configuring Hierarchical Virtual Private LAN Service (H-VPLS) with MPLS to the Edge, page 4-83 • Configuring MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS) on the Cisco 7600 SIP-600, page 4-83 Configuring Any Transport over MPLS on a SIP Any Transport over MPLS (AToM) transports Layer 2 packets over a Multiprotocol Label Switching (MPLS) backbone. AToM uses a directed Label Distribution Protocol (LDP) session between edge routers for setting up and maintaining connections. Forwarding occurs through the use of two levels of labels, switching between the edge routers. The external label (tunnel label) routes the packet over the MPLS backbone to the egress Provider Edge (PE) at the ingress PE. The VC label is a demuxing label that determines the connection at the tunnel endpoint (the particular egress interface on the egress PE as well as the virtual path identifier [VPI]/virtual channel identifier [VCI] value for an ATM Adaptation Layer 5 [AAL5] protocol data unit [PDU], the data-link connection identifier [DLCI] value for a Frame Relay PDU, or the virtual LAN [VLAN] identifier for an Ethernet frame). 
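The BFD-over-VCCV timer rules from the verification section above (min-tx and min-rx limited to 50-999 ms; the negotiated transmit interval times the multiplier gives the detection time) applied to show output, as an added Python example that is not part of the guide. The sample output is constructed to resemble the RouterB display, with deliberately asymmetric peer values so the two directions differ; treating the peer direction symmetrically (peer transmit interval times the received multiplier) is my assumption from the same rule applied in reverse.

```python
"""Verify a BFD-over-VCCV session from Cisco IOS show output.

Added example, not part of the Cisco guide. It applies the rules the guide
states (interval min-tx/min-rx valid range 50-999 ms; the negotiated transmit
interval multiplied by the multiplier gives the detection time) to sample
output constructed to look like the RouterA/RouterB displays in the guide.
"""
import re

INTERVAL_MIN_MS = 50   # valid range of the bfd-template 'interval' command
INTERVAL_MAX_MS = 999


def template_problems(min_tx_ms, min_rx_ms, multiplier):
    """Return the reasons 'interval min-tx ... min-rx ... multiplier ...' would be
    rejected; an empty list means the values are acceptable."""
    problems = []
    for name, value in (("min-tx", min_tx_ms), ("min-rx", min_rx_ms)):
        if not INTERVAL_MIN_MS <= value <= INTERVAL_MAX_MS:
            problems.append(f"{name} {value} ms is outside {INTERVAL_MIN_MS}-{INTERVAL_MAX_MS}")
    if multiplier < 1:   # the guide gives no upper bound; only reject nonsense
        problems.append("multiplier must be a positive integer")
    return problems


# Fields of 'show bfd neighbors mpls-pw ... detail'. Intervals are in microseconds.
_FIELDS = {
    "state": r"Session state is (\w+)",
    "min_tx_us": r"(?<!Received )MinTxInt: (\d+)",
    "min_rx_us": r"(?<!Received )MinRxInt: (\d+)",
    "multiplier": r"(?<!Received )Multiplier: (\d+)",
    "rcvd_min_rx_us": r"Received MinRxInt: (\d+)",
    "rcvd_multiplier": r"Received Multiplier: (\d+)",
    "rcvd_min_tx_us": r"Min tx interval: (\d+)",   # peer's desired tx, from 'Last packet'
}


def parse_bfd_neighbor_detail(text):
    """Extract the session state and the local/received timer values."""
    parsed = {}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field {key} not found in output")
        parsed[key] = m.group(1) if key == "state" else int(m.group(1))
    return parsed


def negotiated_timers_ms(s):
    """Apply the asynchronous-mode negotiation the guide describes.

    This system may not transmit faster than the peer's MinRxInt, so its
    transmit interval is max(local min-tx, received min-rx). That interval
    times the local multiplier is how long the peer waits before declaring this
    system down. Symmetrically (assumption), the peer's transmit interval times
    the received multiplier is how long this system waits for the peer.
    """
    local_tx = max(s["min_tx_us"], s["rcvd_min_rx_us"])
    peer_tx = max(s["rcvd_min_tx_us"], s["min_rx_us"])
    return {
        "local_tx_interval_ms": local_tx // 1000,
        "peer_detects_us_down_after_ms": local_tx * s["multiplier"] // 1000,
        "we_detect_peer_down_after_ms": peer_tx * s["rcvd_multiplier"] // 1000,
    }


def vccv_bfd_template(vc_detail):
    """Return the BFD template name when 'show mpls l2transport vc detail'
    reports VCCV BFD protection, else None."""
    if "VCCV BFD protection active" not in vc_detail:
        return None
    m = re.search(r"BFD Template - (\S+)", vc_detail)
    return m.group(1) if m else None


# Constructed sample output (not a real capture): the peer asked for a 300 ms
# receive interval and transmits every 700 ms with multiplier 4.
SAMPLE_BFD = """\
RouterB# show bfd neighbors mpls-pw 22.1.1.1 vcid 1 detail
NeighAddr        LD/RD    RH/RS  State  Int
22.1.1.1 :1      1/1      Up     Up     N/A
Session state is UP and not using echo function.
OurAddr: 0.0.0.0
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 500000, MinRxInt: 500000, Multiplier: 3
Received MinRxInt: 300000, Received Multiplier: 4
Registered protocols: Xconnect
Last packet: Version: 1            - Diagnostic: 0
             State bit: Up         - Demand bit: 0
             Multiplier: 4         - Length: 24
             Min tx interval: 700000    - Min rx interval: 300000
"""

SAMPLE_VC = """\
  Control Word: On (configured: autosense)
  VCCV BFD protection active
    BFD Template - bfd
    CC Type - 1
"""

if __name__ == "__main__":
    session = parse_bfd_neighbor_detail(SAMPLE_BFD)
    print(session["state"], negotiated_timers_ms(session))
    print("VCCV BFD template:", vccv_bfd_template(SAMPLE_VC))
```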
For specific information about configuring AToM features, refer to the FlexWAN and Enhanced FlexWAN Module Installation and Configuration Note located at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexmpls.html

Note When referring to the FlexWAN documentation, be sure to note any SIP-specific configuration guidelines described in this document.

Cisco 7600 SIP-200 AToM Features

The Cisco 7600 SIP-200 supports the following AToM features:
• ATM over MPLS (ATMoMPLS)—AAL5 VC mode
• Ethernet over MPLS (EoMPLS)—(Single cell relay) VC mode
• Frame Relay over MPLS (FRoMPLS)
• FRoMPLS with dMLFR—Supported between the CE and PE devices.
• High-Level Data Link Control (HDLC) over MPLS (HDLCoMPLS)
• PPP over MPLS (PPPoMPLS)—Not supported with dMLPPP or dLFI
• Hierarchical QoS for EoMPLS VCs

Cisco 7600 SIP-200 AToM Configuration Guidelines

When configuring AToM with a Cisco 7600 SIP-200, consider the following guidelines:
• You cannot use a SIP-200 and an Ethernet SPA on the customer-facing side because the Ethernet SPA is a Layer 3 only interface.
• Because the SIP-200 supports WAN interfaces, you can use the SIP-200 for non-Ethernet access (FR, HDLC, ATM, PPP) on the customer-facing side.
• For VLAN-based xconnect (also called line card-based EoMPLS), the customer-facing port must be a Layer 2 port and the backbone-facing card must be a Layer 3 port.
• The SIP-200 does not support dot1q subinterface-based xconnect towards the edge.

Cisco 7600 SIP-400 AToM Features

The Cisco 7600 SIP-400 supports the following AToM features:
• ATMoMPLS—AAL0 mode (single cell relay only; packed cell relay from Cisco IOS Release 12.2(33) onwards)
• ATMoMPLS—AAL5 mode
• ATMoMPLS—Port mode cell relay (from Cisco IOS Release 12.2(33)SRD onwards)
• EoMPLS—Port mode
• EoMPLS—VLAN mode
• FRoMPLS—DLCI mode
• TDM over MPLS (from Cisco IOS Release 12.2(33)SRD onwards)
• Beginning in Cisco IOS Release 12.2(33)SRA:
– Hierarchical QoS for EoMPLS VCs
– HDLCoMPLS
– PPPoMPLS
– ATM local switching

Cisco 7600 SIP-400 AToM Configuration Guidelines

When configuring AToM with a Cisco 7600 SIP-400, consider the following guidelines:
• The Cisco 7600 SIP-400 is not supported with a Supervisor Engine 1, Supervisor Engine 1A, Supervisor Engine 2, or Supervisor Engine 720 PFC3A.
• The Cisco 7600 SIP-400 is not supported with PFC-2-based systems.
• For AToM in Cisco IOS 12.2SX releases, the Cisco 7600 SIP-400 does not support the following features when they are located in the data path. This means that you should not configure the following features if the SIP is facing the customer edge (CE) or the MPLS core:
– HDLCoMPLS
– PPPoMPLS
– VPLS
• For AToM beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 supports the following features on CE-facing interfaces:
– HDLCoMPLS
– PPPoMPLS
– VPLS
• The Cisco 7600 SIP-400 supports EoMPLS with directly connected provider edge (PE) devices when the Cisco 7600 SIP-400 is on the MPLS core side of the network.
• The Cisco 7600 SIP-400 does not support the ability to enable or disable tunneling of Layer 2 packets, such as for the VLAN Trunking Protocol (VTP), Cisco Discovery Protocol (CDP), and bridge protocol data units (BPDUs). The Cisco 7600 SIP-400 tunnels BPDUs, and always blocks VTP and CDP packets from the tunnel.
• In ATMoMPLS AAL5 and cell mode, the Cisco 7600 SIP-400 supports non-matching VPIs/VCIs between PEs if the Cisco 7600 SIP-400 is on both sides of the network.
• The Cisco 7600 SIP-400 supports matching on FR-DE to set MPLS-EXP for FRoMPLS.
• The Cisco 7600 SIP-400 does not support the following QoS classification features with AToM:
– Matching on data-link connection identifier (DLCI) is unsupported.
– Matching on virtual LAN (VLAN) is unsupported.
– Matching on class of service (CoS) is unsupported in Cisco IOS Release 12.2(18)SXE and Cisco IOS Release 12.2(18)SXE2 only. Beginning in Cisco IOS Release 12.2(18)SXF, it is supported with the 2-Port Gigabit Ethernet SPA.
– Matching on input interface is unsupported.
– Matching on packet length is unsupported.
– Matching on media access control (MAC) address is unsupported.
– Matching on protocol type, including Border Gateway Protocol (BGP), is unsupported.

Understanding MPLS Imposition on the Cisco 7600 SIP-400 to Set MPLS Experimental Bits

The MPLS imposition function encapsulates non-MPLS frames (such as Ethernet, VLAN, Frame Relay, ATM, or IP) into MPLS frames. MPLS disposition performs the reverse function.

An input QoS policy map is applied to ingress packets before MPLS imposition takes place. This means that the packets are treated as non-MPLS frames, so any MPLS-related matches have no effect. In the case of marking experimental (EXP) bits using the set mpls experimental command, the information is passed to the AToM or MPLS component to set the EXP bits. After imposition takes place, the frame becomes an MPLS frame and an output QoS policy map (if it exists) can apply MPLS-related criteria.

On the egress side, an output QoS policy map is applied to the egress packets after MPLS disposition takes place. This means that packets are treated as non-MPLS frames, so any MPLS-related criteria have no effect. Before disposition, the frame is an MPLS frame and the input QoS policy map (if it exists) can apply MPLS-related criteria.
The Encoded Address Recognition Logic (EARL) is a centralized processing engine for learning and forwarding packets based upon MAC address on the Cisco 7600 series router supervisor engines. The EARL stores the VLAN, MAC address, and port relationships. These relationships are used to make switching decisions in hardware. The EARL engine also performs MPLS imposition, and the MPLS EXP bits are copied either from the IP TOS field (using trust dscp or trust precedence mode) or from the DBUS header QoS field (using trust cos mode).

When using the 2-Port Gigabit Ethernet SPA with the Cisco 7600 SIP-400 as the customer-side interface configured for 802.1Q encapsulation for IP imposition with MPLS, the Layer 2 CoS value is not automatically copied into the corresponding MPLS packet’s EXP bits. Instead, the value in the IP precedence bits is copied. To maintain the 802.1Q CoS values, classify the imposition traffic on the customer-facing Gigabit Ethernet interface in the input direction to match on CoS value, and then set the MPLS experimental action for that class as shown in the following example:

Router(config)# class-map cos0
Router(config-cmap)# match cos 0
Router(config-cmap)# exit
!
Router(config)# class-map cos1
Router(config-cmap)# match cos 1
Router(config-cmap)# exit
!
Router(config)# policy-map policy1
Router(config-pmap)# class cos0
Router(config-pmap-c)# set mpls experimental imposition 0
Router(config-pmap-c)# exit
Router(config-pmap)# class cos1
Router(config-pmap-c)# set mpls experimental imposition 1

Cisco 7600 SIP-600 AToM Features

The Cisco 7600 SIP-600 supports the following AToM features:
• Any Transport over MPLS (AToM) support—EoMPLS only (Encoded Address Recognition Logic [EARL]-based and SIP-based EoMPLS)

Configuring Hierarchical Virtual Private LAN Service (H-VPLS) with MPLS to the Edge

The Cisco 7600 SIP-400 and Cisco 7600 SIP-600 support the H-VPLS with MPLS to the Edge feature. For more information about VPLS support on the SIPs, see the “Configuring Virtual Private LAN Service” section on page 4-67.

Configuring MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS) on the Cisco 7600 SIP-600

Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Class-Based Tunnel Selection (CBTS) enables you to dynamically route and forward traffic with different class of service (CoS) values onto different TE tunnels between the same tunnel headend and the same tailend. The TE tunnels can be regular TE or DiffServ-aware TE (DS-TE) tunnels. The set of TE (or DS-TE) tunnels from the same headend to the same tailend that you configure to carry different CoS values is referred to as a “tunnel bundle.” Tunnels are “bundled” by creating a master tunnel and then attaching member tunnels to the master tunnel.
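The per-EXP tunnel selection that this CBTS section goes on to describe (a member carries the EXP values configured on it, the default member carries values not allocated or allocated to a tunnel that is down, a member with a different tailend is inactive, and CBTS picks one tunnel when two claim a value), modelled as an added Python example that is not Cisco code. The tunnel names and states are constructed to match the show mpls traffic-eng exp display shown later in this section; choosing the first attached member on a conflict is my assumption, since the guide only says CBTS picks one.

```python
"""Model of the CBTS per-EXP tunnel selection (added example, not Cisco code).

Rules modelled, as stated in this section of the guide:
  * a member tunnel carries the EXP values configured on it with
    'tunnel mpls traffic-eng exp <list>';
  * the member configured with 'tunnel mpls traffic-eng exp default' carries
    every value not explicitly allocated, or allocated to a tunnel that is down;
  * a member whose tailend differs from the master's is not used (the (T) flag);
  * if two members are configured for the same value, CBTS picks one of them
    (this model picks the first one attached, which is an assumption).
Tunnel names and states below are constructed.
"""
from dataclasses import dataclass, field, replace

ALL_EXP = range(8)   # the eight EXP values 0-7 that a bundle distributes


@dataclass
class Member:
    name: str
    exp: set = field(default_factory=set)   # configured EXP values
    default: bool = False                   # 'exp default' configured
    up: bool = True                         # tunnel LSP is up
    same_tailend: bool = True               # tailend equals the master's

    def usable(self):
        return self.up and self.same_tailend

    def status(self):
        """Status column as show mpls traffic-eng exp prints it."""
        if not self.up:
            return "DOWN"
        if not self.same_tailend:
            return "UP/INACTIVE(T)"
        if not self.exp and not self.default:
            return "UP/ACTIVE(NE)"
        return "UP/ACTIVE"


def select_tunnels(members):
    """Return {member name: sorted EXP values it actually carries}.

    An EXP value whose explicit owners are all unusable falls to the default
    member; with no usable default member it is carried by no tunnel, which is
    the 'no control of bumping if the default tunnel goes down' restriction.
    """
    actual = {m.name: [] for m in members}
    default = next((m for m in members if m.default and m.usable()), None)
    for exp in ALL_EXP:
        owner = next((m for m in members if exp in m.exp and m.usable()), None)
        if owner is None:
            owner = default
        if owner is not None:
            actual[owner.name].append(exp)
    return actual


def render_exp_mapping(destination, master, members):
    """Format the bundle the way show mpls traffic-eng exp displays it."""
    actual = select_tunnels(members)
    lines = [f"Destination: {destination}",
             f"   Master: {master}   Status: IP",
             "   Members:    Status           Conf EXP   Actual EXP"]
    for m in members:
        conf = "default" if m.default else " ".join(str(e) for e in sorted(m.exp))
        act = " ".join(str(e) for e in actual[m.name])
        lines.append(f"    {m.name:<10} {m.status():<16} {conf:<10} {act}".rstrip())
    return "\n".join(lines)


# Constructed bundle mirroring the display later in this section: Tunnel3 has a
# different tailend, Tunnel4 is down, Tunnel5 has no EXP value configured.
MEMBERS = [
    Member("Tunnel1", exp={5}),
    Member("Tunnel2", default=True),
    Member("Tunnel3", exp={2}, same_tailend=False),
    Member("Tunnel4", exp={3}, up=False),
    Member("Tunnel5"),
]


def after_tunnel4_recovers(members):
    """Same bundle once Tunnel4's LSP comes back up: EXP 3 leaves the default."""
    return select_tunnels([replace(m, up=True) if m.name == "Tunnel4" else m
                           for m in members])


if __name__ == "__main__":
    print(render_exp_mapping("10.0.0.9", "Tunnel10", MEMBERS))
    print(after_tunnel4_recovers(MEMBERS))
```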
After configuration, CBTS dynamically routes and forwards each packet into the tunnel that meets the following requirements:
• Is configured to carry the CoS of the packet
• Has the right tailend for the destination of the packet

Because CBTS offers dynamic routing over DS-TE tunnels and requires minimum configuration, it greatly eases deployment of DS-TE in large-scale networks. CBTS can distribute all CoS values on eight different tunnels. CBTS also allows the TE tunnels of a tunnel bundle to exit headend routers through different interfaces.

CBTS configuration involves performing the following tasks:
• Creating multiple (DS-)TE tunnels with the same headend and tailend and indicating on each of these tunnels which CoSs are to be transported on the tunnel.
• Creating a master tunnel, attaching the member tunnels to it, and making the master tunnel visible for routing.

MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS) Configuration Guidelines

When configuring MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS), consider the following guidelines:
• CBTS has the following prerequisites:
– MPLS enabled on all tunnel interfaces
– Cisco Express Forwarding (CEF) or distributed CEF (dCEF) enabled in general configuration mode
• CBTS has the following restrictions:
– For a given destination, all CoS values are carried in tunnels terminating at the same tailend. Either all CoS values are carried in tunnels or no values are carried in tunnels. In other words, for a given destination, you cannot map some CoS values in a DS-TE tunnel and other CoS values in a Shortest Path First (SPF) Label Distribution Protocol (LDP) or SPF IP path.
– No LSP is established for the master tunnel, and regular traffic engineering attributes (bandwidth, path option, fast reroute) are irrelevant on a master tunnel. TE attributes (bandwidth, bandwidth pool, preemption, priorities, path options, and so on) are configured completely independently for each tunnel.
– CBTS does not allow load-balancing of a given EXP value in multiple tunnels. If two or more tunnels are configured to carry a given experimental (EXP) value, CBTS picks one of these tunnels to carry this EXP value.
– CBTS supports aggregate control of bumping (that is, it is possible to define default tunnels to be used if other tunnels go down). However, CBTS does not allow control of bumping if the default tunnel goes down. CBTS does not support finer-grain control of bumping (for example, if the voice tunnel goes down, redirect voice to T2, but if the video tunnel goes down, redirect video to T3).
– The operation of CBTS is not supported with Any Transport over MPLS (AToM), MPLS TE Automesh, or label-controlled (LC)-ATM.

Creating Multiple MPLS Member TE or DS-TE Tunnels from the Same Headend to the Same Tailend

SUMMARY STEPS

Step 1 interface tunnel number
Step 2 ip unnumbered type number
Step 3 tunnel destination {hostname | ip-address}
Step 4 tunnel mode mpls traffic-eng
Step 5 tunnel mpls traffic-eng bandwidth [sub-pool | global] bandwidth
Step 6 tunnel mpls traffic-eng exp [list-of-exp-values] [default]
Step 7 exit

DETAILED STEPS

Perform the following task to create multiple MPLS member TE or DS-TE tunnels with the same headend and same tailend and to configure EXP values to be carried by each of these tunnels. The procedure begins in global configuration mode.

Step 1
Router(config)# interface tunnel number
Configures a tunnel interface type and enters interface configuration mode.
• number—Number of the tunnel interface that you want to create or configure.

Step 2
Router(config-if)# ip unnumbered type number
Enables IP processing on an interface without assigning an explicit IP address to the interface.
• type—Type of another interface on which the router has an assigned IP address.
• number—Number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.

Step 3
Router(config-if)# tunnel destination {hostname | ip-address}
Specifies the destination of the tunnel for this path option.
• hostname—Name of the host destination.
• ip-address—IP address of the host destination expressed in four-part, dotted decimal notation.

Step 4
Router(config-if)# tunnel mode mpls traffic-eng
Sets the mode of a tunnel to MPLS for TE.

Step 5
Router(config-if)# tunnel mpls traffic-eng bandwidth [sub-pool | global] bandwidth
Configures the bandwidth for the MPLS TE tunnel. If automatic bandwidth is configured for the tunnel, use the tunnel mpls traffic-eng bandwidth command to configure the initial tunnel bandwidth, which is adjusted by the auto-bandwidth mechanism.
• sub-pool—(Optional) Indicates a subpool tunnel.
• global—(Optional) Indicates a global pool tunnel. Entering this keyword is not necessary, because all tunnels are global pool in the absence of the sub-pool keyword, but if users of pre-DiffServ-aware Traffic Engineering (DS-TE) images enter this keyword, it is accepted.
• bandwidth—Bandwidth, in kilobits per second, set aside for the MPLS traffic engineering tunnel. Range is between 1 and 4294967295.

Note You can configure any existing mpls traffic-eng command on these TE or DS-TE tunnels.

Step 6
Router(config-if)# tunnel mpls traffic-eng exp [list-of-exp-values] [default]
Specifies an EXP value or values for an MPLS TE tunnel.
• list-of-exp-values—EXP value or values that are to be carried by the specified tunnel. Values range from 0 to 7.
• default—The specified tunnel is to carry all EXP values that are:
– Not explicitly allocated to another tunnel
– Allocated to a tunnel that is currently down

Step 7
Router(config-if)# exit
Exits to global configuration mode.

Step 8
Repeat steps 1 through 7 on the same headend router to create additional tunnels from this headend to the same tailend.

Creating a Master Tunnel, Attaching Member Tunnels, and Making the Master Tunnel Visible

SUMMARY STEPS

Step 1 interface tunnel number
Step 2 ip unnumbered type number
Step 3 tunnel destination {hostname | ip-address}
Step 4 tunnel mode mpls traffic-eng exp-bundle master
Step 5 tunnel mode mpls traffic-eng exp-bundle member tunnel-id
Step 6 tunnel mpls traffic-eng autoroute announce
Step 7 tunnel mpls traffic-eng autoroute metric {absolute | relative} value

DETAILED STEPS

Perform the following task to create a master tunnel, attach member tunnels to it, and make the master tunnel visible for routing. The procedure begins in global configuration mode.

Step 1
Router(config)# interface tunnel number
Configures a tunnel interface type and enters interface configuration mode.
• number—Number of the tunnel interface that you want to create or configure.

Step 2
Router(config-if)# ip unnumbered type number
Enables IP processing on an interface without assigning an explicit IP address to the interface.
• type—Type of another interface on which the router has an assigned IP address.
• number—Number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.

Step 3
Router(config-if)# tunnel destination {hostname | ip-address}
Specifies the destination of the tunnel for this path option.
• hostname—Name of the host destination.
• ip-address—IP address of the host destination expressed in four-part, dotted decimal notation.

Step 4
Router(config-if)# tunnel mode mpls traffic-eng exp-bundle master
Specifies that this is the master tunnel for the CBTS configuration.

Step 5
Router(config-if)# tunnel mode mpls traffic-eng exp-bundle member tunnel-id
Attaches a member tunnel to the master tunnel.
• tunnel-id—Number of the tunnel interface to be attached to the master tunnel. Repeat this command for each member tunnel.

Step 6
Router(config-if)# tunnel mpls traffic-eng autoroute announce
Specifies that the Interior Gateway Protocol (IGP) should use the tunnel (if the tunnel is up) in its enhanced SPF calculation.

Step 7
Router(config-if)# tunnel mpls traffic-eng autoroute metric {absolute | relative} value
(Optional) Specifies the MPLS TE tunnel metric that the IGP enhanced SPF calculation uses.
• absolute—Indicates the absolute metric mode; you can enter a positive metric value.
• relative—Indicates the relative metric mode; you can enter a positive, negative, or zero value.
• value—Metric that the IGP enhanced SPF calculation uses. The relative value can be from –10 to 10.

Note Even though the value for a relative metric can be from –10 to +10, configuring a tunnel metric with a negative value is considered a misconfiguration. If the metric to the tunnel tailend appears to be 4 from the routing table, then the cost to the tunnel tailend router is actually 3 because 1 is added to the cost for getting to the loopback address. In this instance, the lowest value that you can configure for the relative metric is -3.

Note Alternatively, static routing could be used instead of autoroute to make the TE or DS-TE tunnels visible for routing.

Verifying That the MPLS TE or DS-TE Tunnels Are Operating and Announced to the IGP

The following show commands can be used to verify that the MPLS TE or DS-TE tunnels are operating and announced to the IGP. The commands are all entered in privileged EXEC mode.

Router# show mpls traffic-eng topology {A.B.C.D | igp-id {isis nsap-address | ospf A.B.C.D}} [brief]
Shows the MPLS traffic engineering global topology as currently known at this node.
• A.B.C.D—Specifies the node by the IP address (router identifier to interface address).
• igp-id—Specifies the node by IGP router identifier.
• isis nsap-address—Specifies the node by router identification (nsap-address) if you are using IS-IS.
• ospf A.B.C.D—Specifies the node by router identifier if you are using OSPF.
• brief—Provides a less detailed version of the topology.

Router# show mpls traffic-eng exp
Displays EXP mapping.
Router# show ip cef [type number] [detail]
Displays entries in the forwarding information base (FIB) or displays a summary of the FIB.
• type number—Identifies the interface type and number for which to display FIB entries.
• detail—Displays detailed FIB entry information.

Router# show mpls forwarding-table [network {mask | length}] [detail]
Displays the contents of the MPLS label forwarding information base (LFIB).
• network—Identifies the destination network number.
• mask—Identifies the network mask to be used with the specified network.
• length—Identifies the number of bits in the destination mask.
• detail—Displays information in long form (includes length of encapsulation, length of MAC string, maximum transmission unit [MTU], and all labels).

Router# show mpls traffic-eng autoroute
Displays tunnels that are announced to the Interior Gateway Protocol (IGP).

The show mpls traffic-eng topology command output displays the MPLS TE global topology:

Router# show mpls traffic-eng topology 10.0.0.1
IGP Id: 10.0.0.1, MPLS TE Id:10.0.0.1 Router Node  (ospf 10 area 0) id 1
    link[0]: Broadcast, DR: 180.0.1.2, nbr_node_id:6, gen:18
        frag_id 0, Intf Address:180.0.1.1
        TE metric:1, IGP metric:1, attribute_flags:0x0
        SRLGs: None
        physical_bw: 100000 (kbps), max_reservable_bw_global: 1000 (kbps)
        max_reservable_bw_sub: 0 (kbps)

                              Global Pool       Sub Pool
             Total Allocated  Reservable        Reservable
             BW (kbps)        BW (kbps)         BW (kbps)
             ---------------  -----------       ----------
      bw[0]:            0             1000               0
      bw[1]:            0             1000               0
      bw[2]:            0             1000               0
      bw[3]:            0             1000               0
      bw[4]:            0             1000               0
      bw[5]:            0             1000               0
      bw[6]:            0             1000               0
      bw[7]:          100              900               0

    link[1]: Broadcast, DR: 180.0.2.2, nbr_node_id:7, gen:19
        frag_id 1, Intf Address:180.0.2.1
        TE metric:1, IGP metric:1, attribute_flags:0x0
        SRLGs: None
        physical_bw: 100000 (kbps), max_reservable_bw_global: 1000 (kbps)
        max_reservable_bw_sub: 0 (kbps)

                              Global Pool       Sub Pool
             Total Allocated  Reservable        Reservable
             BW (kbps)        BW (kbps)         BW (kbps)
             ---------------  -----------       ----------
      bw[0]:            0             1000               0
      bw[1]:            0             1000               0
      bw[2]:            0             1000               0
      bw[3]:            0             1000               0
      bw[4]:            0             1000               0
      bw[5]:            0             1000               0
      bw[6]:            0             1000               0
      bw[7]:            0             1000               0

The show mpls traffic-eng exp command output displays EXP mapping information about a tunnel:

Router# show mpls traffic-eng exp

Destination: 10.0.0.9
   Master: Tunnel10   Status: IP
   Members:    Status           Conf EXP   Actual EXP
    Tunnel1    UP/ACTIVE        5          5
    Tunnel2    UP/ACTIVE        default    0 1 2 3 4 6 7
    Tunnel3    UP/INACTIVE(T)   2
    Tunnel4    DOWN             3
    Tunnel5    UP/ACTIVE(NE)
  (T)=Tailend is different to master
  (NE)=There is no exp value configured on this tunnel.

The show ip cef detail command output displays detailed FIB entry information for a tunnel:

Router# show ip cef tunnel1 detail
IP CEF with switching (Table Version 46), flags=0x0
  31 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 2
  2 instant recursive resolutions, 0 used background process
  8 load sharing elements, 8 references
  6 in-place/0 aborted modifications
  34696 bytes allocated to the FIB table data structures
  universal per-destination load sharing algorithm, id 9EDD49E1
  1(0) CEF resets
  Resolution Timer: Exponential (currently 1s, peak 1s)
  Tree summary:
   8-8-8-8 stride pattern
   short mask protection disabled
   31 leaves, 23 nodes using 26428 bytes
  Table epoch: 0 (31 entries at this epoch)

Adjacency Table has 13 adjacencies
10.0.0.9/32, version 45, epoch 0, per-destination sharing
0 packets, 0 bytes
  tag information set, all rewrites inherited
    local tag: tunnel head
  via 0.0.0.0, Tunnel1, 0 dependencies
    traffic share 1
    next hop 0.0.0.0, Tunnel1
    valid adjacency
    tag rewrite with Tu1, point2point, tags imposed {12304}
  0 packets, 0 bytes switched through the prefix
  tmstats: external 0 packets, 0 bytes
           internal 0 packets, 0 bytes

The show mpls forwarding-table detail command output displays detailed information from the MPLS LFIB:

Router# show mpls forwarding 10.0.0.9 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
Tun hd Untagged    10.0.0.9/32       0          Tu1        point2point
        MAC/Encaps=14/18, MRU=1500, Tag Stack{12304}, via Fa6/0
        00027D884000000ED70178A88847 03010000
        No output feature configured
    Per-exp selection: 1
       Untagged    10.0.0.9/32       0          Tu2        point2point
        MAC/Encaps=14/18, MRU=1500, Tag Stack{12305}, via Fa6/1
        00027D884001000ED70178A98847 03011000
        No output feature configured
    Per-exp selection: 2 3
       Untagged    10.0.0.9/32       0          Tu3        point2point
        MAC/Encaps=14/18, MRU=1500, Tag Stack{12306}, via Fa6/1
        00027D884001000ED70178A98847 03012000
        No output feature configured
    Per-exp selection: 4 5
       Untagged    10.0.0.9/32       0          Tu4        point2point
        MAC/Encaps=14/18, MRU=1500, Tag Stack{12307}, via Fa6/1
        00027D884001000ED70178A98847 03013000
        No output feature configured
    Per-exp selection: 0 6 7

The show mpls traffic-eng autoroute command output displays tunnels that are announced to the Interior Gateway Protocol (IGP).
Router# show mpls traffic-eng autoroute MPLS TE autorouting enabled destination 10.0.0.9, area ospf 10 area 0, has 4 tunnels Tunnel1 (load balancing metric 20000000, nexthop 10.0.0.9) (flags: Announce) Tunnel2 (load balancing metric 20000000, nexthop 10.0.0.9) (flags: Announce) Tunnel3 (load balancing metric 20000000, nexthop 10.0.0.9) (flags: Announce) Tunnel4 (load balancing metric 20000000, nexthop 10.0.0.9) (flags: Announce)4-92 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 4 Configuring the SIPs and SSC Configuration Tasks Troubleshooting This section describes how to troubleshoot common ATMoMPLS and EoMPLS issues. Scenarios/Problems Solution How do I list all the L2transport VCs and their status (whether up or down), and also the pseudowire destination IP address? Use the show mpls l2 vc command. This example displays detailed status for a specific VC: Router# show mpls l2 vc 1100 detail Local interface: VFI VPLS-1100 up MPLS VC type is VFI, internetworking type is Ethernet Destination address: 1.1.1.1,VC ID:1100, VC status: up Output interface: Tu0,imposed label stack {27 17} Preferred path: not configured Default path: active Next hop:point2point Create time:2d23h, last status change time: 2d23h Signaling protocol: LDP, peer 1.1.1.1:0 up MPLS VC labels: local 17, remote 17 Group ID: local 0, remote 0 MTU: local 1500, remote 1500 Remote interface description: Sequencing: receive disabled, send disabled VC statistics packet totals: receive 1146978, send 3856011 byte totals: receive 86579172, send 316899920 packet drops: receive 0, send 0 These examples show the status of the active and backup pseudowires before, during, and after a switchover: Router# show mpls l2 vc detail Local intf Local circuit Dest address VC ID Status ------------- -------------------------- --------------- ---------- ---------- AT0/2/0.1 ATM VPC CELL 50 10.1.1.2 100 UP AT0/2/0.1 ATM VPC CELL 50 10.1.1.3 100 STANDBY 4-93 Cisco 7600 Series 
The show mpls l2 vc detail command on the backup PE router displays the status of the pseudowires as shown in this example. The active pseudowire on the backup PE router has the HOTSTANDBY status.

Router-standby# show mpls l2 vc detail
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------- ---------- ----------
AT0/2/0.1      ATM VPC CELL 50            10.1.1.2        100        HOTSTANDBY
AT0/2/0.1      ATM VPC CELL 50            10.1.1.3        100        DOWN

During a switchover, the status of the active and backup pseudowires changes:

Router# show mpls l2 vc detail
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------- ---------- ----------
AT0/2/0.1      ATM VPC CELL 50            10.1.1.2        100        RECOVERING
AT0/2/0.1      ATM VPC CELL 50            10.1.1.3        100        DOWN

After the switchover is complete, the recovering pseudowire shows a status of UP:

Router# show mpls l2 vc detail
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------- ---------- ----------
AT0/2/0.1      ATM VPC CELL 50            10.1.1.2        100        UP
AT0/2/0.1      ATM VPC CELL 50            10.1.1.3        100        STANDBY

Scenarios/Problems: How do I verify whether the LDP neighborship is established between the PE routers?

Solution: Use the show mpls ldp neighbor command. This example shows a sample output of the command:

PE1# show mpls ldp neighbor
    Peer LDP Ident: 11.11.11.11:0; Local LDP Ident 10.10.10.10:0
        TCP connection: 11.11.11.11.32784 - 10.10.10.10.646
        State: Oper; Msgs sent/rcvd: 1073/1061; UPstream
        Up time: 14:53:49
        LDP discovery sources:
          GigabitEthernet1/1, Src IP addr: 110.110.110.1
          Targeted Hello 10.10.10.10 -> 11.11.11.11, active    <<-- This should be 'active'.
        Addresses bound to peer LDP Ident:
          11.11.11.11     7.23.8.20       120.120.120.2   110.110.110.1

Scenarios/Problems: How do I check locally generated LDP PDUs?

Solution: Use the show mpls ldp discovery command. This example displays a sample output of the command:

Router# show mpls ldp discovery
Local LDP Identifier:
    10.1.1.1:0
Discovery Sources:
    Interfaces:
        Ethernet1/1/3 (ldp): xmit/recv
            LDP Id: 172.23.0.77:0
            LDP Id: 10.144.0.44:0
            LDP Id: 10.155.0.55:0
        ATM3/0.1 (ldp): xmit/recv
            LDP Id: 10.203.0.7:2
        ATM0/0.2 (tdp): xmit/recv
            TDP Id: 10.119.0.1:1
    Targeted Hellos:
        10.8.1.1 -> 10.133.0.33 (ldp): active, xmit/recv
            LDP Id: 10.133.0.33:0
        10.8.1.1 -> 192.168.7.16 (tdp): passive, xmit/recv
            TDP Id: 10.133.0.33:0
Router#

Configuring QoS Features on a SIP

This section describes configuration of the SIP-specific QoS features using the Modular QoS command-line interface (CLI). Before referring to any other QoS documentation for the platform or in the Cisco IOS software, use this section to determine SIP-specific QoS feature support and configuration guidelines.

For additional details about QoS concepts and features in Cisco IOS 12.2 releases, you can then refer to the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, at http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/fqos_c.html

This section includes the following topics:
• General QoS Feature Configuration Guidelines, page 4-95
• Configuring QoS Features Using MQC, page 4-96
• Configuring QoS Traffic Classes on a SIP, page 4-96
• Configuring QoS Class-Based Marking Policies on a SIP, page 4-102
• Configuring QoS Congestion Management and Avoidance Policies on a SIP, page 4-105
• Configuring Dual-Priority Queuing on a Cisco 7600 SIP-400, page 4-113
• Configuring Priority Percent on a Policy-Map on a Cisco 7600 SIP-400, page 4-115
• Configuring Percent Priority and Percent Bandwidth Support on a Cisco 7600 SIP-400, page 4-116
• Configuring QoS Traffic Shaping Policies on a SIP, page 4-117
• Configuring QoS Traffic Policing Policies on a SIP, page 4-118
• Attaching a QoS Traffic Policy to an Interface, page 4-124
• Configuring Network-Based Application Recognition and Distributed Network-Based Application Recognition, page 4-124
• Configuring Hierarchical QoS on a SIP, page 4-126
• Configuring PFC QoS on a Cisco 7600 SIP-600, page 4-129
• Configuring IPv6 Hop-by-Hop Header Security, page 4-143

General QoS Feature Configuration Guidelines

This section identifies some general QoS feature guidelines for certain types of SPAs. You can find other feature-specific SIP and SPA configuration guidelines and restrictions in the other QoS sections of this chapter.

ATM SPA QoS Configuration Guidelines

Follow these guidelines for the 2-Port and 4-Port OC-3c/STM-1 ATM SPA:
• In the ingress direction, all QoS features are supported by the Cisco 7600 SIP-200.
• In the egress direction:
  – All queueing-based features (such as class-based weighted fair queueing [CBWFQ], ATM per-VC WFQ, WRED, and shaping) are implemented on the segmentation and reassembly (SAR) processor on the SPA.
  – Policing is implemented on the SIP.
  – Class queue shaping is not supported.

Effective with Cisco IOS Release 15.1(2)S, all of the QoS features supported for the ATM SPA also apply to the CEoP SPA. For more information on configuring QoS features on CEoP SPAs, see Chapter 10, “Configuring the CEoP and Channelized ATM SPAs”.

Ethernet SPA QoS Configuration Guidelines

For the Ethernet SPAs, the following QoS behavior applies:
• In both the ingress and egress directions, all QoS features calculate packet size similarly to how packet size calculation is performed by the FlexWAN and Enhanced FlexWAN modules on the Cisco 7600 series router.
• Specifically, all features consider the IEEE 802.3 Layer 2 headers and the Layer 3 protocol payload. The CRC, interframe gap, and preamble are not included in the packet size calculations.

Note For Fast Ethernet SPAs, QoS settings do not follow a change in interface speed (for example, when an interface speed is changed between 100 and 10 Mbps, the QoS settings on a Fast Ethernet SPA are not adjusted automatically). When the speed is changed, you must also adjust the QoS settings accordingly.

Configuring QoS Features Using MQC

The Modular QoS CLI (MQC) is a CLI structure that allows users to create traffic policies and attach these policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. A traffic class is used to select traffic, while the QoS features in the traffic policy determine how to treat the classified traffic.
If you apply a traffic policy at a main interface that also contains subinterfaces, then all of the traffic that goes through the subinterfaces is processed according to the policy at the main interface. For example, if you configure a traffic shaping policy at the main interface, all of the traffic going through the subinterfaces is aggregated and shaped to the rate defined in the traffic shaping policy at the main interface.

To configure QoS features using the Modular QoS CLI on the SIPs, complete the following basic steps:

Step 1 Define a traffic class using the class-map command.
Step 2 Create a traffic policy by associating the traffic class with one or more QoS features (using the policy-map command).
Step 3 Attach the traffic policy to the interface using the service-policy command.

Beginning in Cisco IOS Release 12.2(33)SRE, the MQC policy support that exists on ATM VCs is extended to ATM PVPs.

For a complete discussion about MQC, refer to the Modular Quality of Service Command-Line Interface Overview chapter of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2 publication at: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmcli2.html

Configuring QoS Traffic Classes on a SIP

Use the QoS classification features to select your network traffic and categorize it into classes for further QoS processing based on matching certain criteria. The default class, named class-default, is the class to which any traffic that does not match the selection criteria in the configured class maps is directed.

QoS Traffic Class Configuration Guidelines

When configuring traffic classes on a SIP, consider the following guidelines:
• You can define up to 256 unique class maps.
• A single class map can contain up to 8 different match command statements.
• For ATM bridging, Frame Relay bridging, MPB, and BCP features, the following matching features are supported on bridged frames beginning in Cisco IOS Release 12.2(33)SRA:
  – Matching on ATM CLP bit (input interface only)
  – Matching on CoS
  – Matching on Frame Relay DE bit (input interface only)
  – Matching on Frame Relay DLCI
  – Matching on inner CoS
  – Matching on inner VLAN
  – Matching on IP DSCP
  – Matching on IP precedence
  – Matching on VLAN
• The Cisco 7600 SIP-600 does not support combining matches on QoS group or input VLAN with other types of matching criteria (for example, access control lists [ACLs]) in the same class or policy map.
• The Cisco 7600 SIP-400 supports matching on ACLs for routed traffic only. Matching on ACLs is not supported for bridged traffic.
• The SIP-400 does not support dynamic, time-based, or tos-matching ACLs. The SIP-400 also does not support the log option in ACLs.
• When configuring hierarchical QoS on the Cisco 7600 SIP-600, if you configure matching on an input VLAN in a parent policy, then only matching on a QoS group is supported in the child policy.
• For support of specific matching criteria by SIP, see Table 4-13.

SUMMARY STEPS

Step 1 class-map [match-all | match-any] class-name
Step 2 match type

DETAILED STEPS

To create a user-defined QoS traffic class, use the following commands beginning in global configuration mode:

Step 1  Command: Router(config)# class-map [match-all | match-any] class-name
        Purpose: Creates a traffic class, where:
        • match-all—(Optional) Specifies that all match criteria in the class map must be matched, using a logical AND of all matching statements defined under the class. This is the default.
        • match-any—(Optional) Specifies that one or more match criteria must match, using a logical OR of all matching statements defined under the class.
        • class-name—Specifies the user-defined name of the class.
        Note You can define up to 256 unique class maps.

Step 2  Command: Router(config-cmap)# match type
        Purpose: Specifies the matching criterion to be applied to the traffic, where type represents one of the forms of the match command supported by the SIP as shown in Table 4-13.
        Note A single class map can contain up to 8 different match command statements.

Table 4-13 provides information about which QoS classification features are supported for SIPs on the Cisco 7600 series router. For more information about most of the commands documented in this table, refer to the Cisco IOS Quality of Service Solutions Command Reference.

Table 4-13 QoS Classification Feature Compatibility by SIP

Matching on access control list (ACL) number (match access-group command)
  Cisco 7600 SIP-200: Supported for all SPAs with the following types of ACLs:
    • Protocols—ICMP, IGMP, EIGRP, OSPF, PIM, and GRE
    • Source and destination port
    • TCP flags
    • ToS (DSCP and precedence)
  Cisco 7600 SIP-400: Supported for all SPAs with the following types of ACLs:
    • Source and destination port
    • TCP flag (IPv4 only)
    • IP address (IPv6 compress mode only)
  Cisco 7600 SIP-600: Supported for all SPAs with the following types of ACLs:
    • IPv4 and IPv6
    • Protocols—ICMP, IGMP, UDP, and MAC
    • Source and destination ports
    • TCP flags
    • ToS

Matching on ACL name (match access-group name command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Match on any packet (match any command)
  Note Not supported for user-defined class maps.
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Matching on ATM cell loss priority (CLP) (match atm clp command)
  Cisco 7600 SIP-200:
    • Supported for all ATM SPAs.
    • Cisco IOS Release 12.2(33)SRA—Support added for ATM CLP matching with RFC 1483 bridging features.
  Cisco 7600 SIP-400:
    • Supported for all ATM SPAs on ATM input interfaces only.
    • Cisco IOS Release 12.2(33)SRA—Support added for ATM CLP matching with RFC 1483 bridging features on ATM input interfaces only.
  Cisco 7600 SIP-600: Not supported.

Matching on class map (match class-map command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Matching on Class of Service (CoS) (match cos command)
  Cisco 7600 SIP-200: Supported in Cisco IOS Release 12.2(33)SRA on the 4-Port and 8-Port Fast Ethernet SPA using dot1q encapsulation.
  Cisco 7600 SIP-400:
    • Supported on Fast Ethernet SPAs from Cisco IOS Release 12.2(33)SRD onwards.
    • 2-Port Gigabit Ethernet SPA only—Input and output 802.1Q tagged frames.
    • Cisco IOS Release 12.2(33)SRA—Support added for inner CoS matching with bridging features.
  Cisco 7600 SIP-600: Supported in Cisco IOS Release 12.2(33)SRA for switchport queueing.
    Note CoS classification is available through PFC QoS using MAC address ACLs.

Matching on inner CoS (match cos inner command)
  Cisco 7600 SIP-200:
    • Supported for all SPAs.
    • Cisco IOS Release 12.2(33)SRA—Support added for inner CoS matching with bridging features.
  Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA on the 2-Port Gigabit Ethernet SPA, and on Fast Ethernet SPAs from Cisco IOS Release 12.2(33)SRD:
    • Input and output interfaces
    • Inner CoS matching with bridging features
  Cisco 7600 SIP-600: Not supported.

Match on Frame Relay discard eligibility (DE) bit (match fr-de command)
  Cisco 7600 SIP-200:
    • Supported for Frame Relay input and output interfaces.
    • Cisco IOS Release 12.2(33)SRA—Support added for Frame Relay DE matching with Frame Relay bridging features.
  Cisco 7600 SIP-400:
    • Supported for a Frame Relay input interface only.
    • Cisco IOS Release 12.2(33)SRA—Support added for Frame Relay DE matching with Frame Relay bridging features on input Frame Relay interfaces only.
    Note Because the Cisco 7600 SIP-400 acts as a Frame Relay data terminal equipment (DTE) device only, and not as a data communications equipment (DCE) device, the Cisco 7600 SIP-400 does not support dropping of frames that match on the FR DE bit; however, other QoS actions are supported.
  Cisco 7600 SIP-600: Not supported.

Match on Frame Relay data-link connection identifier (DLCI) (match fr-dlci command)
  Cisco 7600 SIP-200:
    • Supported for Frame Relay input and output interfaces.
    • Cisco IOS Release 12.2(33)SRA—Support added for Frame Relay DLCI matching with Frame Relay bridging features.
  Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA on Frame Relay input and output interfaces, and with Frame Relay bridging features.
  Cisco 7600 SIP-600: Not supported.

Match on input VLAN (match input vlan command—Matches the VLAN from an input interface)
  Cisco 7600 SIP-200: Supported for EoMPLS interfaces.
  Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA—Output interface only, and with bridging features.
    Note The service policy is applied on the output interface of the Cisco 7600 SIP-400 to match the VLAN from the input interface.
  Cisco 7600 SIP-600: Supported in Cisco IOS Release 12.2(33)SRA—Output interface only for software-based EoMPLS.
    Note The service policy is applied on the output interface of the Cisco 7600 SIP-600 to match the VLAN from the input interface. If you configure matching on an input VLAN in a parent policy with hierarchical QoS, then only matching on QoS group is supported in the child policy.

Match on IP DSCP (match ip dscp command)
  Cisco 7600 SIP-200:
    • Supported for all SPAs.
    • Cisco IOS Release 12.2(33)SRA—Support added for IP DSCP matching with bridging features on an input interface only.
  Cisco 7600 SIP-400:
    • Supported for all SPAs.
    • Cisco IOS Release 12.2(33)SRA—Support added for IP DSCP matching with bridging features.
  Cisco 7600 SIP-600: Supported for all SPAs.

Match on DSCP (match dscp command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Match on IP (match ip command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Match on IP precedence (match ip precedence command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400:
    • Supported for all SPAs.
    • Cisco IOS Release 12.2(33)SRA—Support added for IP precedence matching with bridging features.
  Cisco 7600 SIP-600: Supported for all SPAs.

Match on IP Real-Time Protocol (RTP) (match ip rtp command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Match on MAC address for an ACL name (match mac address command)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Match on destination MAC address (match destination-address mac command)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Match on source MAC address (match source-address mac command)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Match on MPLS experimental (EXP) bit (match mpls experimental command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Match on Layer 3 packet length in IP header (match packet length command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Match on QoS group (match qos-group command)
  Cisco 7600 SIP-200: Supported in Cisco IOS Release 12.2(33)SRA—Output interface only.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Supported in software-based EoMPLS configurations only, using hierarchical QoS, where the parent policy configures matching on input VLAN and the child policy configures matching on QoS group.

Match on protocol (match protocol command)
  Cisco 7600 SIP-200: Not supported for NBAR.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Supports matching on IP and IPv6.

Match on VLAN (match vlan command—Matches the outer VLAN of a Layer 2 802.1Q frame)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA:
    • Input and output interfaces
    • Outer VLAN ID matching for 802.1Q tagged frames
  Cisco 7600 SIP-600: Supported in Cisco IOS Release 12.2(33)SRA:
    • Output interface only
    • Outer VLAN ID matching for 802.1Q tagged frames

Match on VLAN inner (match vlan inner command—Matches the innermost VLAN of the 802.1Q tag in the Layer 2 frame)
  Cisco 7600 SIP-200:
    • Supported for all SPAs.
    • Cisco IOS Release 12.2(33)SRA—Support added for inner VLAN ID matching with bridging features.
  Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA:
    • Input and output interfaces
    • Inner VLAN ID matching with bridging features
  Cisco 7600 SIP-600: Not supported.

Match ATM VCI (match atm-vci command)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Supported on ATM PVP.
  Cisco 7600 SIP-600: Not supported.

No match on specified criteria (match not command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Not supported.

Configuring QoS Class-Based Marking Policies on a SIP

After you have created your traffic classes, you can configure traffic policies with marking features that apply certain actions to the selected traffic in those classes.

In most cases, the purpose of a packet mark is identification. After a packet is marked, downstream devices identify traffic based on the marking and categorize the traffic according to network needs. This categorization occurs when the match commands in the traffic class are configured to identify the packets by the mark (for example, match ip precedence, match ip dscp, match cos, and so on). The traffic policy using this traffic class can then set the appropriate QoS features for the marked traffic.

In some cases, the markings can be used for purposes besides identification. Distributed WRED, for instance, can use the IP precedence, IP DSCP, or MPLS EXP values to detect and drop packets. In ATM networks, the CLP bit of the packet is used to determine the precedence of packets in a congested environment. If congestion occurs in the ATM network, packets with the CLP bit set to 1 are dropped before packets with the CLP bit set to 0. Similarly, the DE bit of a Frame Relay frame is used to determine the priority of a frame in a congested Frame Relay network. In Frame Relay networks, frames with the DE bit set to 1 are dropped before frames with the DE bit set to 0.

QoS Class-Based Marking Policy Configuration Guidelines

When configuring class-based marking on a SIP, consider the following guidelines:
• Packet marking is supported on interfaces, subinterfaces, and ATM virtual circuits (VCs). In an ATM PVC, you can configure packet marking in the same traffic policy where you configure the queueing actions, on a per-VC basis. However, only PVC configuration of service policies is supported for classes using multipoint bridging (MPB) match criteria.
• For ATM bridging, Frame Relay bridging, MPB, and BCP features, the following marking features are supported on bridged frames beginning in Cisco IOS Release 12.2(33)SRA:
  – Set ATM CLP bit (output interface only)
  – Set Frame Relay DE bit (output interface only)
  – Set inner CoS
• If a service policy configures both class-based marking and marking as part of a policing action, then the marking using policing takes precedence over any class-based marking.
• The Cisco 7600 SIP-600 supports marking on input interfaces only.
• For support of specific marking criteria by SIP, see Table 4-14.

SUMMARY STEPS

Step 1 policy-map policy-map-name
Step 2 class class-name | class-default
Step 3 set type

DETAILED STEPS

To configure a QoS traffic policy with class-based marking, use the following commands beginning in global configuration mode:

Step 1  Command: Router(config)# policy-map policy-map-name
        Purpose: Creates or modifies a traffic policy and enters policy map configuration mode, where:
        • policy-map-name—Specifies the name of the traffic policy to configure. Names can be a maximum of 40 alphanumeric characters.

Step 2  Command: Router(config-pmap)# class class-name | class-default
        Purpose: Specifies the name of the traffic class to which this policy applies and enters policy-map class configuration mode, where:
        • class-name—Specifies that the policy applies to a user-defined class name previously configured.
        • class-default—Specifies that the policy applies to the default traffic class.

Step 3  Command: Router(config-pmap-c)# set type
        Purpose: Specifies the marking action to be applied to the traffic, where type represents one of the forms of the set command supported by the SIP as shown in Table 4-14.

Table 4-14 provides information about which QoS class-based marking features are supported for SIPs on the Cisco 7600 series router.

Table 4-14 QoS Class-Based Marking Feature Compatibility by SIP

Set ATM CLP bit (set atm-clp command—Marks the ATM cell loss priority bit with a value of 1)
  Cisco 7600 SIP-200:
    • Supported for ATM output interfaces only.
    • Cisco IOS Release 12.2(33)SRA—Support added for ATM CLP marking on output interfaces also with RFC 1483 bridging features.
  Cisco 7600 SIP-400: Supported for ATM SPA output interfaces only.
  Cisco 7600 SIP-600: Not supported.
Set discard class (set discard-class command—Marks the packet with a discard class value for per-hop behavior)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Set Frame Relay DE bit (set fr-de command—Marks the Frame Relay discard eligibility bit with a value of 1)
  Cisco 7600 SIP-200:
    • Supported for Frame Relay output interfaces only.
    • Cisco IOS Release 12.2(33)SRA—Support added for Frame Relay DE marking on output interfaces only with Frame Relay bridging features.
  Cisco 7600 SIP-400: Supported for Frame Relay output interfaces only.
  Cisco 7600 SIP-600: Not supported.

Set DSCP
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs on an input interface.

Set Precedence
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs on an input interface.

Set IP DSCP (set ip dscp command—Marks the IP differentiated services code point [DSCP] in the type of service [ToS] byte with a value from 0 to 63)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs on an input interface.

Set IP precedence (set ip precedence command—Marks the precedence value in the IP header with a value from 0 to 7)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs on an input interface.

Set Layer 2 802.1Q CoS (set cos command—Marks the CoS value from 0 to 7 in an 802.1Q tagged frame)
  Cisco 7600 SIP-200:
    • Supported for all SPAs.
    • In Cisco IOS Release 12.2(33)SRA—Not supported with the set cos-inner command on the same interface.
  Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-600: Not supported.

Set Layer 2 802.1Q inner CoS (set cos-inner command—Marks the inner CoS field from 0 to 7 in a bridged frame)
  Cisco 7600 SIP-200: Supported in Cisco IOS Release 12.2(33)SRA with bridging features on the 4-Port and 8-Port Fast Ethernet SPA.
  Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA with bridging features.
  Cisco 7600 SIP-600: Not supported.

Set MPLS experimental (EXP) bit on label imposition (set mpls experimental imposition command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
    Note The table keyword is not supported.
  Cisco 7600 SIP-600: Supported for all SPAs on an input interface.

Set MPLS EXP on topmost MPLS label (set mpls experimental topmost command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Not supported.

Set QoS group (set qos-group command—Marks the packet with a QoS group association)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Supported only for software-based EoMPLS on an input SPA switchport interface.

For more detailed information about configuring class-based marking features, refer to the Class-Based Marking document located at the following URL: http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/cbpmark2.html

Note When referring to other class-based marking documentation, be sure to note any SIP-specific configuration guidelines described in this document.

Configuring QoS Congestion Management and Avoidance Policies on a SIP

This section describes SIP- and SPA-specific information for configuring QoS traffic policies for congestion management and avoidance features. These features are generally referred to as queueing features.

QoS Congestion Management and Avoidance Policy Configuration Guidelines

When configuring queueing features on a SIP, consider the following guidelines:
• The Cisco 7600 series router supports different forms of queueing features. See Table 4-15 to determine which queueing features are supported by SIP type.
• When configuring queueing on the Cisco 7600 SIP-400, consider the following guidelines:
  – A queue on the Cisco 7600 SIP-400 is not assured any minimum bandwidth.
  – You cannot configure bandwidth or shaping together with queueing under the same class in a service policy on the Cisco 7600 SIP-400.
  – If you want to define bandwidth parameters and priority under different classes in the same service policy on the Cisco 7600 SIP-400, then you can only use the bandwidth remaining percent command. The Cisco 7600 SIP-400 does not support other forms of the bandwidth command together with priority in the same service policy.
• You can use policing with queueing to limit the traffic rate.
• On the Cisco 7600 SIP-400, WRED is supported on bridged VCs with classification on precedence and DSCP values. On other SIPs, WRED does not work on bridged VCs (for example, VCs that implement MPB).
• When configuring WRED on the Cisco 7600 SIP-400, consider the following guidelines:
  – WRED is supported on bridged VCs with classification on precedence and DSCP values.
  – WRED explicit congestion notification (ECN) is not supported for output traffic on ATM SPAs.
  – ECN is supported for IP traffic on output POS interfaces only.
  – You can use the low-order ToS bits in the IP header for explicit congestion notification (ECN) with WRED. If you configure random-detect ecn in a service policy and apply it to either a POS interface or a VC on a POS interface, then when at least one of the ECN bits is set and the packet is a candidate for dropping, the Cisco 7600 SIP-400 marks both ECN bits instead of dropping the packet. If either one of the ECN bits is set, the Cisco 7600 SIP-400 does not drop the packet.
  – WRED ECN is not supported for MPLS packets.
• On the Cisco 7600 SIP-400, the default queue limit is calculated on the following basis:
  – As of Cisco IOS Release 12.2(33)SRB, the default queue limit is calculated as the number of 250-byte packets that the SIP can transmit in one half of a second. For example, for an OC-3 SPA with a rate of 155 Mbps, the default queue limit is 38,750 packets (155,000,000 x 0.5 / (250 x 8)).
    As of Cisco IOS Release 12.2(33)SRB, the configurable values for queue-limit and WRED thresholds are in units of 250-byte buffers when configuring these parameters on a SIP-400.
  – When configured in Cisco IOS Release 12.2(33)SXF and Cisco IOS Release 12.2(33)SRA, the configured queue-limit and WRED thresholds on the SIP-400 are in units of packets, regardless of the packet size.
• For more detailed information about configuring congestion management features, refer to the Cisco IOS Quality of Service Solutions Configuration Guide document corresponding to your Cisco IOS software release.

Table 4-15 provides information about which QoS queueing features are supported for SIPs on the Cisco 7600 series router.

Note Effective with Cisco IOS Release 15.0(1)S, the fair-queue (WFQ) command is not available in Cisco IOS Software. For the MQC equivalent of the fair-queue (WFQ) command, see the Legacy QoS Command Deprecation feature document at: http://www.cisco.com/en/US/docs/ios/ios_xe/qos/configuration/guide/legacy_qos_cli_deprecation_xe.html

Table 4-15 QoS Congestion Management and Avoidance Feature Compatibility by SIP and SPA Combination

Aggregate Weighted Random Early Detection (random-detect aggregate, random-detect dscp (aggregate), and random-detect precedence (aggregate) commands)
  Cisco 7600 SIP-200: Supported for ATM SPA PVCs only—Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-400: Supported for ATM SPA PVCs only—Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-600: Supported for all SPAs.
  For more information on configuring aggregate WRED, see the “Configuring Aggregate WRED for PVCs” section on page 7-30.
Class-based Weighted Fair Queueing (CBWFQ) (bandwidth and queue-limit commands)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Dual-Queue Support (priority and priority level commands)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Supported for all SPAs—Cisco IOS Release 12.2(33)SRB and later.
  Cisco 7600 SIP-600: Not supported.

Flow-based Queueing (fair queueing/WFQ) (fair-queue command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Low Latency Queueing (LLQ)/Queueing (priority command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Random Early Detection (RED) (random-detect commands)
  Cisco 7600 SIP-200: Supported for all SPAs.
    • ATM SPAs—Up to 106 unique WRED minimum threshold (min-th), maximum threshold (max-th), and mark probability profiles supported.
    • Other SPAs—Up to 128 unique WRED min-th, max-th, and mark probability profiles supported.
  Cisco 7600 SIP-400: Supported for all SPAs.
    • ATM SPAs—Up to 106 unique WRED minimum threshold (min-th), maximum threshold (max-th), and mark probability profiles supported.
    • Other SPAs—Up to 128 unique WRED min-th, max-th, and mark probability profiles supported.
  Cisco 7600 SIP-600: Not supported.

Weighted RED (WRED)
  Cisco 7600 SIP-200: Supported for all SPAs, with the following exception:
    • WRED is not supported on bridged VCs.
  Cisco 7600 SIP-400: Supported for all SPAs, with the following restriction:
    • WRED is supported on bridged VCs with classification on precedence and DSCP values.
  Cisco 7600 SIP-600: Not supported.

Priority percent on policy map
  Cisco 7600 SIP-200: Supported.
    Note Priority percent is not supported on ATM SPAs for both the SIP-200 and the SIP-400.
  Cisco 7600 SIP-400: Supported.
    Note Priority percent is not supported on ATM SPAs for both the SIP-200 and the SIP-400.
  Cisco 7600 SIP-600: Not supported.

All QoS features in ingress
  Cisco 7600 SIP-200: Supported.
  Cisco 7600 SIP-400: Supported.
  Cisco 7600 SIP-600: Supported.

Strict priority and ingress, no queueing
  Cisco 7600 SIP-200: Supported.
  Cisco 7600 SIP-400: Supported.
  Cisco 7600 SIP-600: Supported.

Policing, classification, policing and marking in egress
  Cisco 7600 SIP-200: Supported.
  Cisco 7600 SIP-400: Supported.
  Cisco 7600 SIP-600: Supported.

Oversubscription
  Cisco 7600 SIP-200: Supported.
  Cisco 7600 SIP-400: Supported.
    Note In Cisco IOS Release 12.2(33)SRB, oversubscription is only supported for two 2-Port Copper and Optical Gigabit Ethernet SPAs.
    Note In Cisco IOS Release 12.2(33)SRC, support for oversubscription is extended to the 1-Port 10-Gigabit Ethernet SPA. Ingress oversubscription is only supported on Ethernet SPAs.
    Note Cisco IOS Release 12.2(33)SRC supports the following specific SPA combinations:
      – Any combination of POS, ATM, CEoPs, and serial or channelized SPAs up to OC-48 aggregate bandwidth
      – One 2-Port Gigabit Ethernet SPA or 2-Port Copper and Optical Gigabit Ethernet SPA and up to OC-24 equivalents of POS, ATM, CEoPs, and serial or channelized SPAs
      – One 2-Port Copper and Optical Gigabit Ethernet SPA or two 2-Port 5GEv2 SPAs
      (These are the ingress oversubscription combinations. This is the only case where the SIP-400 is oversubscribed on ingress.)
  Cisco 7600 SIP-600: Supported.

SUMMARY STEPS

Step 1 policy-map policy-map-name
Step 2 class class-name | class-default
Step 3 bandwidth bandwidth-kbps | percent percent
Step 4 queue-limit number-of-packets

DETAILED STEPS

To configure a QoS CBWFQ policy, use the following commands beginning in global configuration mode:

Step 1  Command: Router(config)# policy-map policy-map-name
        Purpose: Creates or modifies a traffic policy and enters policy map configuration mode, where:
        • policy-map-name—Specifies the name of the traffic policy to configure. Names can be a maximum of 40 alphanumeric characters.

Step 2  Command: Router(config-pmap)# class class-name | class-default
        Purpose: Specifies the name of the traffic class to which this policy applies and enters policy-map class configuration mode, where:
        • class-name—Specifies that the policy applies to a user-defined class name previously configured.
  • class-default—Specifies that the policy applies to the default traffic class.

Step 3
Router(config-pmap-c)# bandwidth bandwidth-kbps | percent percent
  Specifies the bandwidth allocated to a class belonging to a policy map.
  Note: The amount of bandwidth configured should be large enough to also accommodate Layer 2 overhead.
  • bandwidth-kbps—Specifies the amount of bandwidth, in kbps, to be assigned to a class.
  • percent—Specifies the amount of guaranteed bandwidth, based on the absolute percent of available bandwidth.
  • percentage—Used in conjunction with the percent keyword, the percentage of the total available bandwidth to be set aside for the priority classes.
  Note: If strict priority is assigned to a class in the parent policy, and control packets do not fall in that class, the interface may flap between the UP and DOWN states as the strict priority consumes the entire bandwidth. See the Sample Configuration Scenario (page 4-111) for a sample scenario illustrating this effect.

Step 4
Router(config-pmap-c)# queue-limit number-of-packets
  Specifies the maximum number of packets the queue can hold for a class policy configured in a policy map.
  • number-of-packets—A number in the range 1-65536 specifying the maximum number of packets that the queue for this class can accumulate.

Sample Configuration Scenario

Router#show policy-map interface GigabitEthernet3/3/0
 Service-policy output: policy_map_1
 Counters last updated 00:00:02 ago
 queue stats for all priority classes:
 Queueing
 queue limit 25000 packets
 (queue depth/total drops/no-buffer drops) 0/0/0
 (pkts output/bytes output) 0/0
 Class-map: classmap_1 (match-all)
 0 packets, 0 bytes
 5 minute offered rate 0000 bps, drop rate 0000 bps
 Match: ip precedence 1
 Priority: Strict, b/w exceed drops: 0
 Strict priority
 Class-map: class-default (match-any)
 4 packets, 240 bytes
 5 minute offered rate 0000 bps, drop rate 0000 bps
 Match: any
 queue limit 2 packets
 (queue depth/total drops/no-buffer drops) 0/0/0
 (pkts output/bytes output) 4/240
Router#

Router#show interface GigabitEthernet3/3/0
GigabitEthernet3/3/0 is up, line protocol is up
 Hardware is GigEther SPA, address is 0023.33c5.dc40 (bia 0023.33c5.dc40)
 Internet address is 9.30.65.47/16
 MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, BW=100000 kbps (interface bandwidth)
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive not supported
 Full Duplex, 100Mbps, media type is T
 output flow-control is unsupported, input flow-control is unsupported
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:00, output 00:00:01, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/274/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: Class-based queueing
 Output queue: 0/40 (size/max)
 5 minute input rate 2000 bits/sec, 4 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
 983112 packets input, 71000650 bytes, 0 no buffer
 Received 73032 broadcasts (0 IP multicasts)
 0 runts, 0 giants, 0 throttles
 274 input errors, 17 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 514955 multicast, 0 pause input
 6856 packets output, 519181 bytes, 0 underruns
 0 output errors, 0 collisions, 4 interface resets
 0 unknown protocol drops
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier, 0 pause output
 0 output buffer failures, 0 output buffers swapped out
Router#

Configuring Dual-Priority Queuing on a Cisco 7600 SIP-400

When configuring Dual-Priority Queuing, consider the following guidelines:
• Only two priority levels are supported.
• Level 1 is higher than level 2.
• Propagation is supported on both levels.
• A priority without a level is mapped to level 1.
• The police rate includes the Layer 2 header but not the cyclic redundancy check (CRC), preamble, or interframe gap.
• Dual-priority queuing is not supported on ATM SPAs.

SUMMARY STEPS
Step 1 priority
Step 2 priority level
Step 3 priority y ms
Step 4 priority x kbps y bytes
Step 5 priority percent x% | y ms

DETAILED STEPS
To configure dual-priority queuing, use the following commands:

Router(config-pmap-c)# priority
  Gives priority to a class of traffic belonging to a policy map.

Router(config-pmap-c)# priority level
  Configures multiple priority queues.
  • level—A range of priority levels. Valid values are from 1 (high priority) to 4 (low priority).
    The default is 1.

Router(config-pmap-c)# priority y ms
  • y ms—Specifies the burst size in bytes. The burst size configures the network to accommodate temporary bursts of traffic.

Router(config-pmap-c)# priority x kbps y bytes
  • x kbps—Specifies the burst size in kbps.
  • y bytes—Specifies the burst size in bytes.

Router(config-pmap-c)# priority percent x% | y ms
  Enables a conditional policing rate (kbps or link percent). Conditional policing is used if the logical or physical link is congested.

Configuring Hierarchical Queuing Framework on a Cisco 7600 SIP-400

Hierarchical Queuing Framework (HQF) configuration involves two modules residing on the SIP-400 line card: the HQF client and the HQF mapper. The HQF client processes requests from the mapper. The role of the mapper module is primarily to create, update, and delete queues.

While configuring the HQF, use the following guidelines:
• Only two priority levels are supported.
• Level 1 is higher than level 2.
• Propagation is supported on both levels.
• A priority without a level is mapped to level 1.
• The sum of the bandwidth percentage and another queue's bandwidth reservation must not exceed 100% of the bandwidth.
• The police rate includes the Layer 2 header but not the cyclic redundancy check (CRC), preamble, or interframe gap.
• Dual-priority queuing is not supported on ATM SPAs.

SUMMARY STEPS
Step 1 policy-map policy-name
Step 2 class class-name
Step 3 priority y ms
Step 4 priority x kbps y bytes
Step 5 priority percent x% | y ms
Step 6 police rate

DETAILED STEPS
To configure dual-priority queuing, use the following commands:

Router(config)# policy-map policy-name
  Specifies the name of the policy map to be created or modified.

Router(config-pmap)# class class-name
  Specifies the name of a predefined class included in the service policy.

Router(config-pmap-c)# priority y ms
  • y ms—Specifies the burst size in bytes. The burst size configures the network to accommodate temporary bursts of traffic.

Router(config-pmap-c)# priority x kbps y bytes
  • x kbps—Specifies the burst size in kbps.
  • y bytes—Specifies the burst size in bytes.

Router(config-pmap-c)# priority percent x% | y ms
  Enables a conditional policing rate (kbps or link percent). Conditional policing is used if the logical or physical link is congested.

Router(config-pmap-c)# police rate
  Sets the policing rate (in bps).

Configuring Priority Percent on a Policy-Map on a Cisco 7600 SIP-400

SUMMARY STEPS
Step 1 class-map name
Step 2 match ip precedence 0-7
Step 3 policy-map name
Step 4 class voip
Step 5 priority percent 1-100

DETAILED STEPS
To configure priority percent on a policy-map, use the following commands:

Router(config)# class-map name
  Example: Router(config)# class-map voip
  Specifies a class belonging to a policy map.

Router(config-cmap)# match ip precedence 0-7
  Example: Router(config-cmap)# match ip precedence 3
  Matches the precedence value in the IP header with a value from 0 to 7.

Router(config)# policy-map name
  Example: Router(config)# policy-map llq
  Specifies the name of the policy map.

Router(config-pmap)# class name
  Example: Router(config-pmap)# class voip
  Specifies the traffic class to which the policy applies.

Router(config-pmap-c)# priority percent 1-100
  Example: Router(config-pmap-c)# priority percent 23
  Enables the specified conditional policing rate on the policy map.

Note: Queuing for QoS features such as CBWFQ, LLQ, and WRED happens on the ATM SPA itself (SPA-ATM-OC3/OC12/OC48 on the SIP-200/SIP-400). Because of hardware limitations, a policy map with priority percent cannot work on SPA-ATM-OC3/OC12/OC48. Therefore, when configuring dLFIoATM on SPA-ATM-OC3/OC12/OC48 on the SIP-200/SIP-400, a Virtual-Template interface configured with a policy map that has the priority percent command cannot be associated with a PVC.

Configuring Percent Priority and Percent Bandwidth Support on a Cisco 7600 SIP-400

SUMMARY STEPS
Step 1 bandwidth x kbps
Step 2 bandwidth percent x%
Step 3 bandwidth remaining percent x%

DETAILED STEPS
To configure percent priority and percent bandwidth, use the following commands:

Router(config-pmap-c)# bandwidth x kbps
  Specifies or modifies the bandwidth allocated for a class belonging to a policy map.

Router(config-pmap-c)# bandwidth percent x%
  Specifies the amount of guaranteed bandwidth, based on an absolute percent of available bandwidth.

Router(config-pmap-c)# bandwidth remaining percent x%
  Specifies the remaining percent: the amount of guaranteed bandwidth, based on a relative percent of available bandwidth.

Configuring QoS Traffic Shaping Policies on a SIP

This section describes SIP- and SPA-specific information for configuring QoS traffic policies for shaping traffic.

QoS Traffic Shaping Policy Configuration Guidelines

When configuring queueing features on a SIP, consider the following guidelines:
• The Cisco 7600 series router supports different forms of queueing features. See Table 4-16 to determine which traffic shaping features are supported by SIP type.
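The CBWFQ/LLQ procedure, the strict-priority flap scenario and the SIP-400 two-level priority procedure above, as one added example that is not from the guide: policy_map_1, classmap_1 and GigabitEthernet3/3/0 are the names from the scenario; the other class names, percentages and queue limits are chosen here.

```cisco
! Added example (not from the guide). policy_map_1, classmap_1 and
! GigabitEthernet3/3/0 come from the scenario above; everything else is
! chosen here.
!
! 1. The scenario policy. "priority" with no rate and no percent is an
!    unconditioned strict-priority queue: under sustained precedence-1 load
!    it can take the whole link, so control traffic left in class-default
!    (routing protocol packets are sent with IP precedence 6) is starved and
!    the line protocol can flap. "show interface" then shows a rising
!    "interface resets" counter, as in the scenario output.
class-map match-all classmap_1
 match ip precedence 1
!
policy-map policy_map_1
 class classmap_1
  priority
 class class-default
  queue-limit 2
!
! 2. Same intent, bounded. "priority percent" turns on conditional policing,
!    so under congestion the priority class cannot exceed its share, and
!    control traffic gets its own reserved class instead of competing in
!    class-default. Reservations here total 75 percent of the interface.
class-map match-all CONTROL-PLANE
 match ip precedence 6 7
!
policy-map EDGE-OUT
 class classmap_1
  priority percent 30
 class CONTROL-PLANE
  bandwidth percent 5
  queue-limit 64
 class class-default
  bandwidth percent 40
  queue-limit 256
!
! 3. SIP-400 two-level form (Cisco IOS Release 12.2(33)SRB and later).
!    Level 1 is served before level 2; each level is capped by its own
!    policer (the police rate counts the Layer 2 header, not CRC, preamble
!    or interframe gap), and the non-priority classes share what remains.
class-map match-all VOICE
 match ip precedence 5
class-map match-all VIDEO
 match ip precedence 4
!
policy-map EDGE-OUT-DUAL
 class VOICE
  priority level 1
  police cir percent 20 conform-action transmit exceed-action drop
 class VIDEO
  priority level 2
  police cir percent 30 conform-action transmit exceed-action drop
 class CONTROL-PLANE
  bandwidth remaining percent 10
 class class-default
  bandwidth remaining percent 90
!
interface GigabitEthernet3/3/0
 service-policy output EDGE-OUT-DUAL
end
!
! Verification, with the two show commands used in the scenario: per-class
! drops and "b/w exceed drops" for the priority classes, and the interface
! resets counter that climbs when the link flaps.
show policy-map interface GigabitEthernet3/3/0
show interface GigabitEthernet3/3/0 | include protocol|resets
```

Only one of the three policies is attached at a time; EDGE-OUT is the single-level alternative for platforms or releases without dual-priority support.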
• Use a hierarchical policy if you want to achieve minimum bandwidth guarantees using CBWFQ with a Frame Relay map class. First, configure a parent policy to shape to the total bandwidth required (on the Cisco 7600 SIP-400, use class-default in Cisco IOS Release 12.2(18)SXF, or a user-defined class beginning in Cisco IOS Release 12.2(33)SRA). Then, define a child policy using CBWFQ for the minimum bandwidth percentages.
• ATM SPAs do not support MQC-based traffic shaping. You need to configure traffic shaping for ATM interfaces using ATM Layer 2 VC shaping.
• For more detailed information about configuring congestion management features, refer to the Cisco IOS Quality of Service Solutions Configuration Guide corresponding to your Cisco IOS software release.

Table 4-16 provides information about which QoS traffic shaping features are supported for SIPs on the Cisco 7600 series router.

Table 4-16 QoS Traffic Shaping Feature Compatibility by SIP and SPA Combination
Traffic Shaping Feature (shape command) | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600

Adaptive shaping for Frame Relay (shape adaptive command)
  SIP-200: Supported for all SPAs.
  SIP-400: Not supported.
  SIP-600: Not supported.

Class-based shaping (shape average, shape peak commands)
  SIP-200: Supported for all SPAs.
  SIP-400: Shape average is supported for all SPAs, with the following exceptions: committed burst (bc) is not supported; excess burst (be) is not supported.
  SIP-600: Supports only shape average for all SPAs.

Policy-map class shaping of average rate of traffic by percentage of bandwidth (shape average percent command)
  SIP-200: Not supported.
  SIP-400: Not supported.
  SIP-600: Not supported.

Policy-map class shaping with adaptation to backward explicit congestion notification (BECN) (shape adaptive command)
  SIP-200: Supported for all SPAs.
  SIP-400: Not supported.
  SIP-600: Not supported.

Policy-map class shaping with reflection of forward explicit congestion notification (FECN) as BECN (shape fecn-adapt command)
  SIP-200: Supported for all SPAs.
  SIP-400: Not supported.
  SIP-600: Not supported.

Policy-map class shaping of peak rate of traffic by percentage of bandwidth (shape peak percent command)
  SIP-200: Not supported.
  SIP-400: Not supported.
  SIP-600: Not supported.

Configuring QoS Traffic Policing Policies on a SIP

This section describes SIP- and SPA-specific information for configuring QoS traffic policing policies.

QoS Traffic Policing Policy Configuration Guidelines

When configuring traffic policing on a SIP, consider the following guidelines:
• The Cisco 7600 series router supports different forms of policing using the police command. See Table 4-17 to determine which policing features are supported by SIP type.
• When configuring policing on the Cisco 7600 SIP-600, consider the following guidelines:
  – The Cisco 7600 SIP-600 supports conform-action policing on input interfaces only, unless it is being implemented with queueing.
  – The Cisco 7600 SIP-600 does not support any policing actions (shown in Table 4-18) using the exceed-action or violate-action keywords on an input interface.
  – The Cisco 7600 SIP-600 supports exceed-action policing on an output interface with a drop action only, when the policing is being implemented with queueing.
  – The Cisco 7600 SIP-600 supports marking for exceed-action policing only using the set-dscp-transmit command.
• When configuring a policing service policy and specifying the CIR in bits per second without specifying the optional conform (bc) or peak (be) burst in bytes, the Cisco 7600 SIP-400 calculates the burst size based on the number of bytes that it can transmit in 250 ms at the CIR. For example, a CIR of 1 Mbps (1,000,000 bps) is equivalent to 125,000 bytes per second, which is 125 bytes per millisecond; the calculated burst is 250 x 125 = 31250 bytes. If the calculated burst is less than the interface maximum transmission unit (MTU), the interface MTU is used as the burst size. This behavior remains through the SRE release. From Cisco IOS Release 15.0(1)S onwards, if the calculated burst size is less than the MTU, the SIP-400 does not increase the burst size to the MTU.
• You can use policing with queueing to limit the traffic rate.
• If a service policy configures both class-based marking and marking as part of a policing action, the marking applied by policing takes precedence over any class-based marking.
• When configuring policing with MPB features on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, the set-cos-inner-transmit action is supported beginning in Cisco IOS Release 12.2(33)SRA.
• SIP-400 line cards do not support multiple marking actions in one police class of traffic. For example, set-cos-inner-transmit and set-cos-transmit cannot both be configured together, as in the following:
    class accPriority
     priority
     police cir percent 40 pir percent 100 conform-action set-cos-inner-transmit 5 conform-action set-cos-transmit 5
• set-mpls-experimental-topmost-transmit command configuration guidelines on the SIP-400 (refer to Table 4-18, QoS Policing Action Compatibility by SIP and SPA Combination): the set-mpls-experimental-topmost-transmit action is valid for the ingress side only. The set-mpls-experimental-topmost-transmit command is only effective when the SIP-400 receives a packet from the line with an MPLS tag.
  The set-mpls-experimental-imposition-transmit action is effective when the imposition is done on the ingress side. If the SIP-400 does the imposition, it inserts the EXP bit(s) directly; otherwise it copies the EXP bits to the DBUS CoS, and the EARL then copies the DBUS CoS to EXP while doing the imposition. This is expected behavior. So even though set-mpls-experimental-topmost-transmit is supported on the SIP-400, it works differently in the L3VPN case, where the packet coming in from the line is not an MPLS-tagged packet.

Note: For any policer command, the minimum policer configuration value is 8 kbps.

Table 4-17 provides information about which policing features are supported for SIPs on the Cisco 7600 series router.

Table 4-17 QoS Policing Feature Compatibility by SIP and SPA Combination
Policing Feature (police command) | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600

Policing by aggregate policer (police aggregate command)
  SIP-200: Not supported.
  SIP-400: Not supported.
  SIP-600: Supported for all SPAs.

Policing by bandwidth using token bucket algorithm (police command)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Supported for all SPAs.

Policing by committed information rate (CIR) percentage (police (percent) command, police cir percent form)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Not supported.

Policing with 2-color marker (CIR and peak information rate [PIR]) (police (two rates) command, police cir pir form)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Supported for all SPAs.

Policing by flow mask (police flow mask command)
  SIP-200: Not supported.
  SIP-400: Not supported.
  SIP-600: Supported for all SPAs.

Policing by microflow (police flow command)
  SIP-200: Not supported.
  SIP-400: Not supported.
  SIP-600: Supported for all SPAs.

To create QoS traffic policies with policing, use the following commands beginning in global configuration mode:
Step 1
Router(config)# policy-map policy-map-name
  Creates or modifies a traffic policy and enters policy map configuration mode, where:
  • policy-map-name—Specifies the name of the traffic policy to configure. Names can be a maximum of 40 alphanumeric characters.

Step 2
Router(config-pmap)# class {class-name | class-default}
  Specifies the name of the traffic class to which this policy applies and enters policy-map class configuration mode, where:
  • class-name—Specifies that the policy applies to a user-defined class name previously configured.
  • class-default—Specifies that the policy applies to the default traffic class.

Use one of the following forms of the police command to evaluate traffic for the specified class. See Table 4-17 to determine which SIPs support the different policing features.

Step 3
Router(config-pmap-c)# police bps [burst-normal] [burst-max] conform-action action exceed-action action violate-action action
  Specifies a maximum bandwidth usage by a traffic class through the use of a token bucket algorithm, where:
  • bps—Specifies the average rate in bits per second. Valid values are 8000 to 200000000.
  • burst-normal—(Optional) Specifies the normal burst size in bytes. Valid values are 1000 to 51200000. The default normal burst size is 1500 bytes.
  • burst-max—(Optional) Specifies the excess burst size in bytes. Valid values are 1000 to 51200000.
  • action—Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming, exceeding, or violating traffic.

Step 4
Router(config-pmap-c)# police cir percent percentage [burst-in-msec] [bc conform-burst-in-msec] [pir percent percentage] [be peak-burst-in-msec] [conform-action action [exceed-action action [violate-action action]]]
  Configures traffic policing on the basis of a percentage of bandwidth available on an interface, where:
  • cir percent percentage—Specifies the committed information rate (CIR) bandwidth percentage. Valid values are 1 to 100.
  • burst-in-msec—(Optional) Burst in milliseconds. Valid values are 1 to 2000.
  • bc conform-burst-in-msec—(Optional) Specifies the conform burst (bc) size used by the first token bucket for policing traffic, in milliseconds. Valid values are 1 to 2000.
  • pir percent percentage—(Optional) Specifies the peak information rate (PIR) bandwidth percentage. Valid values are 1 to 100.
  • be peak-burst-in-msec—(Optional) Specifies the peak burst (be) size used by the second token bucket for policing traffic, in milliseconds. Valid values are 1 to 2000.
  • action—Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming, exceeding, or violating traffic.

Step 5
Router(config-pmap-c)# police {cir cir} [bc conform-burst] {pir pir} [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]
  Configures traffic policing using two rates, the committed information rate (CIR) and the peak information rate (PIR), where:
  • cir cir—Specifies the CIR at which the first token bucket is updated, as a value in bits per second. Valid values are 8000 to 200000000.
  • bc conform-burst—(Optional) Specifies the conform burst (bc) size in bytes used by the first token bucket for policing. Valid values are 1000 to 51200000.
  • pir pir—Specifies the PIR at which the second token bucket is updated, as a value in bits per second. Valid values are 8000 to 200000000.
  • be peak-burst—(Optional) Specifies the peak burst (be) size in bytes used by the second token bucket for policing. The size varies according to the interface and platform in use.
  • action—(Optional) Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming, exceeding, or violating traffic.

Step 6
Router(config-pmap-c)# police flow {bits-per-second [normal-burst-bytes] [maximum-burst-bytes] [pir peak-rate-bps]} | [conform-action action] [exceed-action action] [violate-action action]
  Configures a microflow policer, where:
  • bits-per-second—Specifies the CIR in bits per second. Valid values are from 32000 to 4000000000 bits per second.
  • normal-burst-bytes—(Optional) Specifies the CIR token bucket size. Valid values are from 1000 to 512000000 bytes.
  • maximum-burst-bytes—(Optional) Specifies the PIR token bucket size. Valid values are from 1000 to 32000000 bytes.
  • pir peak-rate-bps—(Optional) Specifies the PIR in bits per second. Valid values are from 32000 to 4000000000 bits per second.
  • action—Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming, exceeding, or violating traffic.

Step 7
Router(config-pmap-c)# police flow mask {dest-only | full-flow | src-only} {bits-per-second [normal-burst-bytes] [maximum-burst-bytes]} [conform-action action] [exceed-action action]
  Configures a flow mask to be used for policing, where:
  • dest-only—Specifies the destination-only flow mask.
  • full-flow—Specifies the full-flow mask.
  • src-only—Specifies the source-only flow mask.
  • bits-per-second—Specifies the CIR in bits per second. Valid values are from 32000 to 4000000000 bits per second.
  • normal-burst-bytes—(Optional) Specifies the CIR token bucket size. Valid values are from 1000 to 512000000 bytes.
  • maximum-burst-bytes—(Optional) Specifies the PIR token bucket size. Valid values are from 1000 to 32000000 bytes.
  • action—Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming or exceeding traffic.

Step 8
Router(config-pmap-c)# police aggregate name
  Specifies a previously defined aggregate policer name and configures the policy-map class to use the specified name of the aggregate policer.

Table 4-18 provides information about which policing actions are supported for SIPs on the Cisco 7600 series router.

Note: For restrictions on the use of certain marking features with different types of policing actions (conform, exceed, or violate actions), be sure to see the "QoS Traffic Policing Policy Configuration Guidelines" section on page 4-118.

Table 4-18 QoS Policing Action Compatibility by SIP and SPA Combination
Policing Action (set command) | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600

Drop the packet (drop command)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Supported for all SPAs, input interface only.

Set the ATM CLP bit to 1 and transmit (set-clp-transmit command)
  SIP-200: Supported only for ATM SPAs.
  SIP-400: Supported only for CEoP and ATM SPAs.
  SIP-600: Not supported.

Set the inner CoS value and transmit (set-cos-inner-transmit command)
  SIP-200: Supported in Cisco IOS Release 12.2(33)SRA with bridging features.
  SIP-400: Supported in Cisco IOS Release 12.2(33)SRA with bridging features.
  SIP-600: Not supported.
Set the Frame Relay DE bit to 1 and transmit (set-frde-transmit command)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Not supported.

Set the IP precedence and transmit (set-prec-transmit command)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Supported for all SPAs, input interface only.

Set the IP DSCP and transmit (set-dscp-transmit command)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Supported for all SPAs, input interface only.

Set the MPLS EXP bit (0–7) on imposition and transmit (set-mpls-experimental-imposition-transmit command)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Supported for all SPAs.

Set the MPLS EXP bit in the topmost label and transmit (set-mpls-experimental-topmost-transmit command)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs. Refer to QoS Traffic Class Configuration Guidelines, page 4-96.
  SIP-600: Supported for all SPAs.

Transmit all packets without alteration (transmit command)
  SIP-200: Supported for all SPAs.
  SIP-400: Supported for all SPAs.
  SIP-600: Supported for all SPAs.

Attaching a QoS Traffic Policy to an Interface

Before a traffic policy can be enabled for a class of traffic, it must be configured on an interface. A traffic policy can also be attached to an ATM permanent virtual circuit (PVC) subinterface, a Frame Relay data-link connection identifier (DLCI), and Ethernet subinterfaces. Traffic policies can be applied to traffic coming into an interface (input) and to traffic leaving that interface (output).

Attaching a QoS Traffic Policy for an Input Interface

When you attach a traffic policy to an input interface, the policy is applied to traffic coming into that interface.
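The policing procedure and guidelines above, worked through in the input direction as an added example that is not from the guide: GigabitEthernet3/3/0 is the interface from the earlier scenario, while the class names, rates and burst values are chosen here.

```cisco
! Added example (not from the guide). Class names, rates and bursts are
! chosen here; GigabitEthernet3/3/0 is the interface used in the scenario.
!
! Two-rate, three-color policer (the police cir/pir form, Step 5 above):
! traffic up to the CIR is forwarded unchanged, traffic between CIR and PIR
! is re-marked down to precedence 0 and kept, traffic above the PIR is
! dropped. Marking done by the policer takes precedence over any class-based
! set action in the same policy.
class-map match-all BULK-IN
 match ip precedence 1
!
policy-map INGRESS-POLICE
 class BULK-IN
  ! bc and be are stated explicitly. Left out, the SIP-400 derives the burst
  ! from 250 ms at the CIR: 10 Mbps is 1250 bytes/ms, so 250 x 1250 = 312500
  ! bytes, the value written here. At the 8 kbps policer minimum the same
  ! rule gives only 250 bytes; releases through SRE raise that to the
  ! interface MTU (1500 bytes here), 15.0(1)S and later keep the 250 bytes.
  ! The SIP-400 allows one marking action per police statement, so the
  ! exceed-action carries the single set-prec-transmit and violate-action
  ! only drops.
  police cir 10000000 bc 312500 pir 20000000 be 312500 conform-action transmit exceed-action set-prec-transmit 0 violate-action drop
 class class-default
  ! Percent form (Step 4 above): 50 percent of the interface bandwidth with
  ! a 20 ms burst; anything over that is dropped.
  police cir percent 50 20 conform-action transmit exceed-action drop
!
interface GigabitEthernet3/3/0
 service-policy input INGRESS-POLICE
end
!
! Per-class conformed, exceeded and violated counters. A violate count that
! keeps rising on BULK-IN means a source is sustaining more than the PIR.
show policy-map interface GigabitEthernet3/3/0 input
```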
To attach a traffic policy for an input interface, use the following command beginning in interface configuration mode:

Router(config-if)# service-policy input policy-map-name
  Attaches a traffic policy to the input direction of an interface, where:
  • policy-map-name—Specifies the name of the traffic policy to attach.

Attaching a QoS Traffic Policy to an Output Interface

When you attach a traffic policy to an output interface, the policy is applied to traffic leaving that interface.

To attach a traffic policy to an output interface, use the following command beginning in interface configuration mode:

Router(config-if)# service-policy output policy-map-name
  Attaches a traffic policy to the output direction of an interface, where:
  • policy-map-name—Specifies the name of the traffic policy to attach.

Configuring Network-Based Application Recognition and Distributed Network-Based Application Recognition

Note: Network-Based Application Recognition (NBAR) and Distributed Network-Based Application Recognition (dNBAR) are supported on the Cisco 7600 SIP-200 only. The NBAR feature is not supported in Cisco IOS Release 15.0(1)S and later releases.

The purpose of IP quality of service (QoS) is to provide appropriate network resources (bandwidth, delay, jitter, and packet loss) to applications. QoS maximizes the return on investment in network infrastructure by ensuring that mission-critical applications get the required performance and that noncritical applications do not hamper the performance of critical applications.

IP QoS can be deployed by defining classes or categories of applications. These classes are defined by using various classification techniques available in Cisco IOS software.
After these classes are defined and attached to an interface, the desired QoS features, such as marking, congestion management, congestion avoidance, link efficiency mechanisms, or policing and shaping can then be applied to the classified traffic to provide the appropriate network resources amongst the defined classes. Classification, therefore, is an important first step in configuring QoS in a network infrastructure. NBAR is a classification engine that recognizes a wide variety of applications, including web-based and other difficult-to-classify protocols that utilize dynamic TCP/UDP port assignments. When an application is recognized and classified by NBAR, a network can invoke services for that specific application. NBAR ensures that network bandwidth is used efficiently by classifying packets and then applying QoS to the classified traffic. Some examples of class-based QoS features that can be used on traffic after the traffic is classified by NBAR include: • Class-based marking (the set command) • Class-based weighted fair queueing (the bandwidth and queue-limit commands) • Low latency queueing (the priority command) • Traffic policing (the police command) • Traffic shaping (the shape command) Note The NBAR feature is used for classifying traffic by protocol. The other class-based QoS features determine how the classified traffic is forwarded and are documented separately from NBAR. Furthermore, NBAR is not the only method of classifying network traffic so that QoS features can be applied to classified traffic. For information on the class-based features that can be used to forward NBAR-classified traffic, see the individual feature modules for the particular class-based feature as well as the Cisco IOS Quality of Service Solutions Configuration Guide. Many of the non-NBAR classification options for QoS are documented in the “Modular Quality of Service Command-Line Interface” section of the Cisco IOS Quality of Service Solutions Configuration Guide. 
These commands are configured using the match command in class map configuration mode.

NBAR introduces several new classification features that identify applications and protocols from Layer 4 through Layer 7:
• Statically assigned TCP and UDP port numbers
• Protocols that are non-UDP and non-TCP
• Dynamically assigned TCP and UDP port numbers. Classification of such applications requires stateful inspection; that is, the ability to discover the data connections to be classified by parsing the connections where the port assignments are made.
• Sub-port classification, or classification based on deep packet inspection; that is, classification by looking deeper into the packet.

NBAR can classify static port protocols. Although access control lists (ACLs) can also be used for this purpose, NBAR is easier to configure and can provide classification statistics that are not available when using ACLs.

NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are traversing an interface. The Protocol Discovery feature discovers any protocol traffic supported by NBAR. Protocol Discovery maintains the following per-protocol statistics for enabled interfaces: total number of input and output packets and bytes, and input and output bit rates. The Protocol Discovery feature captures key statistics associated with each protocol in a network that can be used to define traffic classes and QoS policies for each traffic class.
For specific information about configuring NBAR and dNBAR, refer to the Network-Based Application Recognition and Distributed Network-Based Application Recognition feature documentation located at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm

Configuring Hierarchical QoS on a SIP

Table 4-19 provides information about where the hierarchical QoS features for SPA interfaces are supported.

Table 4-19 Hierarchical QoS Feature Compatibility by SIP and SPA Combination

Feature: Hierarchical QoS for EoMPLS VCs
  Cisco 7600 SIP-200: Supported for all SPAs in Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-400: Supported for all SPAs beginning in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-600: Supported for all SPAs in Cisco IOS Release 12.2(18)SXF and later, and in Cisco IOS Release 12.2(33)SRA.

Feature: Hierarchical QoS—Tiered policy maps with parent policy using class-default only on the main interface.
  Cisco 7600 SIP-200: Not applicable.
  Cisco 7600 SIP-400: Supported for all SPAs in Cisco IOS Release 12.2(18)SXF and later.
  Cisco 7600 SIP-600: Supported in Cisco IOS Release 12.2(18)SXF and later, and in Cisco IOS Release 12.2(33)SRA using the match vlan command in the parent policy.

Feature: Hierarchical QoS—Tiered policy maps with parent policy in user-defined or class-default classes on the main interface.
  Cisco 7600 SIP-200: Supported for all SPAs in Cisco IOS Release 12.2(18)SXF and later, and in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-400: Supported for all SPAs in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-600: Not supported.

Configuring Hierarchical QoS with Tiered Policy Maps

Hierarchical QoS with tiered policy maps is a configuration in which the actions associated with a class contain a queuing action (such as shaping) and a nested service policy, which is itself a policy map with classes and actions. This hierarchy of the QoS policy map is then translated into a corresponding hierarchy of queues.

Hierarchical QoS with Tiered Policy Maps Configuration Guidelines

When configuring hierarchical QoS with tiered policy maps on a SIP, consider the following guidelines:
• For information about where hierarchical QoS with tiered policy maps is supported, see Table 4-19 on page 4-126.
• You can configure up to three levels of hierarchy within the policy maps.
• The parent policy map has the following restrictions on a main interface:
  – In Cisco IOS Release 12.2(18)SXF and later—Supports the shape queueing action in the default class (class-default) only.
  – In Cisco IOS Release 12.2(33)SRA—Supports VLAN or ACL matching, and shape or bandwidth queueing actions in any class, user-defined and class-default.
• When configuring hierarchical QoS for software-based EoMPLS on the Cisco 7600 SIP-600, if you configure match input vlan in the parent policy, then you can only configure match qos-group in the child policy.
• In hierarchical QoS, you cannot configure just a set command in the parent policy. The set command works only if you configure other commands in the policy.
• The child policy map supports shape, bandwidth, LLQ, queue limit, and WRED QoS features.
• With hierarchical QoS on a subinterface, the parent policy map supports hierarchical QoS using the shape average command as a queueing action in the default class (class-default) only.
• If you configure service policies at the main interface, subinterface, and VC levels, then the policy applied at the VC level takes precedence over a policy at the interface.
• In a Frame Relay configuration, if you need to define service policies at the interface, subinterface, and PVC at the same time, then you can use a map class.
• For a POS subinterface with a Frame Relay PVC, a service policy can be applied either at the subinterface or at the PVC, but not both.
• Use a hierarchical policy if you want to achieve minimum bandwidth guarantees using CBWFQ with a map class. First, configure a parent policy to shape to the total bandwidth required (use the class-default in Cisco IOS Release 12.2(18)SXF, or a user-defined class beginning in Cisco IOS Release 12.2(33)SRA). Then, define a child policy using CBWFQ for the minimum bandwidth percentages.
• You can configure hierarchical QoS up to the following limits, according to the current Cisco IOS software limits:
  – Up to 1024 class maps
  – Up to 1024 policy maps
  – Up to 256 classes within a policy map
  – Up to 8 match statements per class
• If a hierarchical policy map is applied on a SIP-400 interface, the child policy receives only the packets that are not dropped by its parent. In other words, packets that are dropped in the parent policy map in a particular class because of some QoS action are not visible to the child policy map attached to that class and thus are not classified. The following output illustrates this (the annotations explain what the counters show):

Class-map: voip (match-any)
  16894 packets, 4375196 bytes
  30 second offered rate 116000 bps, drop rate 108000 bps
  Match: any
  Priority: 32 kbps, burst bytes 1500, b/w exceed drops: 889
  police:
    cir 100000 bps, bc 3125 bytes
    conformed 968 packets, 250362 bytes; actions:    <-- Only these are passed; the rest are dropped
      transmit
    exceeded 15926 packets, 4124834 bytes; actions:
      drop
    conformed 100000 bps, exceed 1649000 bps
  Service-policy : out
    Counters last updated 00:00:01 ago
    Class-map: prec0 (match-any)
      966 packets, 250194 bytes    <-- Only those packets that are not dropped in the parent policy map are seen by this child policy map
      30 second offered rate 8000 bps, drop rate 7000 bps
      Match: ip precedence 0
      QoS Set
        precedence 2
          Packets marked 966
      police:
        cir 8000 bps, bc 1500 bytes
        conformed 77 packets, 19943 bytes; actions:
          transmit
        exceeded 889 packets, 230251 bytes; actions:
          drop
        conformed 8000 bps, exceed 91000 bps

Configuring Hierarchical QoS for EoMPLS VCs

The Hierarchical Quality of Service (HQoS) for EoMPLS VCs feature extends support for hierarchical parent and child relationships in QoS policy maps. This feature also provides EoMPLS per-VC QoS for point-to-point VCs. The feature adds the ability to match the virtual LAN (VLAN) IDs that were present on a packet when the packet was originally received by the router. It also supports the ability to match on a QoS group that is set to the same value as the IP precedence or 802.1P class of service (CoS) bits received on the incoming interface. This allows service providers to classify traffic easily for all or part of a particular EoMPLS network, as well as to preserve the customer’s original differentiated services (DiffServ) QoS values.

In EoMPLS applications, the parent policy map typically specifies the maximum or the minimum bandwidth for a group of specific VCs in an EoMPLS network. Child policy maps in the policy can then implement a different bandwidth or perform other QoS operations (such as traffic shaping) on a subset of the selected VCs. This feature enables service providers to provide more granular QoS services to their customers. It also gives service providers the ability to preserve customer IP precedence or CoS values in the network.
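As an added example (not part of the guide), the following Python script parses counters in the shape of the SIP-400 hierarchical policy output shown above and checks the accounting rule it illustrates: a child class can only see packets that the parent policer passed. The sample output is a constructed excerpt, and the line patterns the parser keys on (Class-map, packets, conformed, exceeded) are an assumption about the output layout, not an official parser.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modelled on the SIP-400 hierarchical policy output above:
# parent class "voip" polices; child class "prec0" sits under "Service-policy : out".
SAMPLE_OUTPUT = """\
Class-map: voip (match-any)
  16894 packets, 4375196 bytes
  30 second offered rate 116000 bps, drop rate 108000 bps
  Match: any
  Priority: 32 kbps, burst bytes 1500, b/w exceed drops: 889
  police:
    cir 100000 bps, bc 3125 bytes
    conformed 968 packets, 250362 bytes; actions:
      transmit
    exceeded 15926 packets, 4124834 bytes; actions:
      drop
    conformed 100000 bps, exceed 1649000 bps
  Service-policy : out
    Counters last updated 00:00:01 ago
    Class-map: prec0 (match-any)
      966 packets, 250194 bytes
      30 second offered rate 8000 bps, drop rate 7000 bps
      Match: ip precedence 0
      QoS Set
        precedence 2
          Packets marked 966
      police:
        cir 8000 bps, bc 1500 bytes
        conformed 77 packets, 19943 bytes; actions:
          transmit
        exceeded 889 packets, 230251 bytes; actions:
          drop
        conformed 8000 bps, exceed 91000 bps
"""

CLASS_RE = re.compile(r"^(\s*)Class-map: (\S+)")
OFFERED_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
CONFORMED_RE = re.compile(r"^\s*conformed (\d+) packets")
EXCEEDED_RE = re.compile(r"^\s*exceeded (\d+) packets")


@dataclass
class ClassCounters:
    name: str
    depth: int                       # indentation of the Class-map line
    offered: Optional[int] = None    # packets that reached this class
    conformed: int = 0               # passed by this class's policer
    exceeded: int = 0                # dropped by this class's policer
    children: List["ClassCounters"] = field(default_factory=list)


def parse_policy_counters(text: str) -> List[ClassCounters]:
    """Build a parent/child tree of classes from the indentation of Class-map lines."""
    roots: List[ClassCounters] = []
    stack: List[ClassCounters] = []          # currently open classes, outermost first
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            node = ClassCounters(m.group(2), len(m.group(1)))
            while stack and stack[-1].depth >= node.depth:
                stack.pop()                  # a sibling or outer class closes deeper ones
            (stack[-1].children if stack else roots).append(node)
            stack.append(node)
            continue
        if not stack:
            continue
        cur = stack[-1]
        if (m := OFFERED_RE.match(line)) and cur.offered is None:
            cur.offered = int(m.group(1))    # first "N packets, M bytes" line of the class
        elif m := CONFORMED_RE.match(line):
            cur.conformed = int(m.group(1))
        elif m := EXCEEDED_RE.match(line):
            cur.exceeded = int(m.group(1))
    return roots


def check_parent_child_accounting(roots: List[ClassCounters]) -> List[dict]:
    """Per parent: the packets offered to all its children together cannot exceed
    what the parent policer passed, because parent-dropped packets never reach them."""
    findings = []
    for parent in roots:
        seen_by_children = sum(c.offered or 0 for c in parent.children)
        findings.append({
            "parent": parent.name,
            "parent_conformed": parent.conformed,
            "parent_dropped": parent.exceeded,
            "children": [c.name for c in parent.children],
            "child_offered": seen_by_children,
            "consistent": seen_by_children <= parent.conformed,
        })
    return findings


if __name__ == "__main__":
    for finding in check_parent_child_accounting(parse_policy_counters(SAMPLE_OUTPUT)):
        print(finding)
```

A "consistent" result of False for a parent would mean the platform is not dropping in the parent before the child classifies, which is worth checking before relying on parent-level policing to protect child queues.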
Note For information about where hierarchical QoS for EoMPLS VCs is supported, see Table 4-19 on page 4-126.

For more information about configuring hierarchical QoS for EoMPLS VCs, refer to the Optical Services Module Configuration Note located at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SR_OSM_config/OSM.pdf

Configuring PFC QoS on a Cisco 7600 SIP-600

The Cisco 7600 SIP-600 supports most of the same QoS features as those supported by the Policy Feature Card on the Cisco 7600 series router. This section describes those QoS features that have SIP-specific configuration guidelines. After you review the SIP-specific guidelines described in this document, refer to the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SR located at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/swcg.html

PFC QoS on a Cisco 7600 SIP-600 Configuration Guidelines
• Output policing is not supported.

Configuring NAT

This section describes guidelines for configuring Network Address Translation (NAT). Developed by Cisco, NAT allows a single device, such as a router, to act as an agent between the Internet public network and a local private network. For details on NAT, refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.2 located at the following URL:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/nat.html

For NAT configuration commands, refer to the Cisco IOS IP Addressing Services Command Reference located at the following URL:
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html

As a general restriction, when configuring NAT make sure the NAT pool size is limited to 15 bits.
If you configure the NAT pool size to more than 15 bits, the following error message is displayed on the system:

Error Message pool size should be maximum 15 bits long.

Configuring Lawful Intercept on a Cisco 7600 SIP-400

This section describes configuring Lawful Intercept on a Cisco 7600 SIP-400. For initial configuration of the Lawful Intercept feature, see the Cisco 7600 Lawful Intercept Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76licfg.html

SUMMARY STEPS
• snmp-server view viewA ciscoTap2MIB included
  OR
  snmp-server view viewA ciscoIpTapMIB included
• snmp-server group groupA v3 auth read viewA write viewA notify viewA
• snmp-server user user1 groupA v3 auth md5 cisco

DETAILED STEPS

To configure Lawful Intercept on a Cisco 7600 SIP-400, use the following commands:

Command    Purpose
Router(config)# snmp-server view viewA ciscoTap2MIB included
Router(config)# snmp-server view viewA ciscoIpTapMIB included
    Creates a view having access to the MIBs.
Router(config)# snmp-server group groupA v3 auth read viewA write viewA notify viewA
    Creates a group having access to this view.
Router(config)# snmp-server user user1 groupA v3 auth md5 cisco
    Creates a user who is a member of groupA. The auth keyword selects SNMPv3 authentication (here MD5 with the sample password cisco, which is a placeholder to replace).

Configuring Security ACLs on an Access Interface on a Cisco 7600 SIP-400

This section describes configuration of the SIP-specific ACL features on access interfaces. Before referring to any other ACL documentation for the platform or in the Cisco IOS software, use this section to determine SIP-specific ACL feature support and configuration guidelines.
An Access Control List (ACL) is a collection of ordered permit and deny statements, referred to as Access Control Entries (ACEs), which determine whether a particular packet is forwarded or dropped. An ACL offers application layer awareness, providing operational staff with some flexibility in the level of isolation of a host. For instance, an ACL may be applied to enforce complete host isolation, denying all traffic to and from that particular host, or, alternately, to filter just certain traffic flows while permitting all others. For additional details about ACL concepts and features in Cisco IOS Release 12.2, refer to the Cisco IOS Security Configuration Guide, Release 12.2, at the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html

This section includes the following topics:
• Security ACL Configuration Guidelines, page 4-131
• Configuring Security ACL, page 4-131

Security ACL Configuration Guidelines
• Up to 100 unique ACLs are recommended per chassis, with a maximum of 24 ACEs per ACL for Security ACL.
• Up to one input ACL and one output ACL are recommended for all 8K subinterfaces on the SIP.
• Source and destination IPv4 address, port number, ToS/DSCP, protocol type, and TCP flags can be specified in the ACEs. As of Cisco IOS Release 12.2(33)SRB, IPv6 is not supported.
• Template Security ACL is not supported as of Cisco IOS Release 12.2(33)SRB.
• Security ACLs are only supported on a Route Switch Processor 720 (RSP720) with a Cisco 7600 SIP-400.
• Standard, extended, and named ACLs are supported; other ACL types such as reflexive and time-based ACLs are not supported.
Configuring Security ACL

SUMMARY STEPS
Step 1 access-list access-list-number permit ip host ip-address any
Step 2 interface gigabitethernet slot/subslot/port access
Step 3 ip address address
Step 4 encapsulation dot1q vlan-id
Step 5 ip access-group access-list-number in
Step 6 ip access-group access-list-number out

DETAILED STEPS

Command or Action    Purpose
Step 1 Router(config)# access-list access-list-number permit ip host ip-address any
    Configures an access list.
Step 2 Router(config-int)# interface gigabitethernet slot/subslot/port access
    Selects the gigabitethernet interface.
Step 3 Router(config-int)# ip address address
    Specifies the IP address.
Step 4 Router(config-int)# encapsulation dot1q vlan-id
    Enables traffic encapsulation.
    • vlan-id—Virtual LAN identifier; valid values are from 1 to 4094.
Step 5 Router(config-int)# ip access-group access-list-number in
    Sets the filtering method.
    • access-list-number—Number of an access list. This is a decimal number from 1 to 199 or 1300 to 2699.
    • in—Filters inbound packets.
Step 6 Router(config-int)# ip access-group access-list-number out
    Sets the filtering method.
    • access-list-number—Number of an access list. This is a decimal number from 1 to 199 or 1300 to 2699.
    • out—Filters outbound packets.

Verifying ACL Configuration

Use the following command to verify the ACL configuration:

Command or Action    Purpose
Router# show access-list [access-list-number | name]
    Displays access list configuration.
    • access-list-number—(Optional) Access list number to display. The range is 0 to 1199. The system displays all access lists by default.
    • name—(Optional) Name of the IP access list to display.

Configuring CoPP on the Cisco 7600 SIP-400

This section describes the configuration of Control Plane Policing (CoPP) on the Cisco 7600 SIP-400. Because the majority of control plane processing is done on the CPU, a malicious user can attack a router by simply pumping control plane traffic to the router. On an unprotected router, this results in CPU utilization nearing 100%, resource exhaustion, and the command line console being locked, which intensifies the problem because the operator is not able to apply any rectifying action on the router. Using CoPP protects the control plane against these denial-of-service (DoS) attacks, ensuring routing stability, reachability, and packet delivery by providing filtering and rate-limiting capabilities for control plane packets.

For additional information regarding DoS and CoPP, refer to the Cisco 7600 Series Router Cisco IOS Software Configuration Guide.

This section contains the following topics:
• Configuring Per-Subscriber/Per-Protocol CoPP on Access Interfaces on a Cisco 7600 SIP-400, page 4-134
• Configuring Per-Subinterface CoPP on Access Interfaces on a Cisco 7600 SIP-400, page 4-136

Configuring Per-Subscriber/Per-Protocol CoPP on Access Interfaces on a Cisco 7600 SIP-400

This section describes the configuration of Per-Subscriber/Per-Protocol CoPP on a Cisco 7600 SIP-400.

Per-Subscriber/Per-Protocol CoPP Configuration Guidelines
• The Cisco 7600 CoPP feature is supported with a Route Switch Processor 720 (RSP720) and Cisco 7600 SIP-400 combination only.
• When enabling the RP-based aggregate CoPP functionality, the required class maps should be configured for each of the protocol-matching criteria. The CoPP policy maps should be created for all the protocols that need to be policed.
• Once the router processor decides to install a rate-limiter on an interface, there is a delay before the rate-limiter is actually installed on the Cisco 7600 SIP-400. During this interval, it is possible that the aggregate rate-limiter would start dropping good user packets if the per-interface rates are not chosen carefully. For example, consider that there are 10 interfaces, 100 pps is used as the aggregate rate, and 15 pps as the per-interface rate. If there are seven attacks on the router at a time, the aggregate limit would be exceeded and user traffic would be affected.
• As of Cisco IOS Release 12.2(33)SRB, the CoPP Per-Subscriber/Per-Protocol feature is only supported for the DHCP, ARP, and ICMP protocols. DHCP and ARP policing are performed on the SPA, while ICMP policing is performed at the router processor level.

SUMMARY STEPS
• class-map arp-peruser
• match protocol arp
• match subscriber access
• class-map dhcp-peruser
• match protocol dhcp
• match subscriber access
• policy-map copp-peruser
• class arp-peruser
• police rate units pps burst burst-in-packets packets
• control-plane user-type access
• service-policy input copp-peruser
• platform copp observation-period time
• platform copp interface arp off

DETAILED STEPS

To configure Per-Subscriber/Per-Protocol CoPP support, use the following commands:

Command or Action    Purpose
Router(config)# class-map arp-peruser
    Creates a class map for ARP.
Router(config-cmap)# match protocol arp
    Matches ARP traffic.
Router(config-cmap)# match subscriber access
    Defines the class map for access interfaces.
Router(config)# class-map dhcp-peruser
    Creates a class map for DHCP.
Router(config-cmap)# match protocol dhcp
    Configures the match criterion for a DHCP class map.
Router(config-cmap)# match subscriber access
    Defines the class map for access interfaces.
Router(config)# policy-map copp-peruser
    Specifies CoPP as the policy map.
Router(config-pmap)# class arp-peruser
    Creates an ARP per-user class.
Router(config-pmap-c)# police rate units pps burst burst-in-packets packets
    Specifies the burst rate.
    • units—Rate at which traffic is policed in packets per second. Valid values are 1 to 2000000 pps.
    • burst-in-packets—(Optional) Specifies the burst rate that is used for policing traffic. Valid values are 1 to 512000 packets.
Router(config-pmap-c)# class dhcp-peruser
    Creates a DHCP per-user class.
Router(config-pmap-c)# police rate units pps burst burst-in-packets packets
    Specifies the burst rate.
    • units—Rate at which traffic is policed in packets per second. Valid values are 1 to 2000000 pps.
    • burst-in-packets—(Optional) Specifies the burst rate that is used for policing traffic. Valid values are 1 to 512000 packets.
Router(config)# control-plane user-type access
    Applies the policy on the control-plane user interface.
Router(config-cp-user)# service-policy input copp-peruser
    Configures the per-user policy map.
Router(config)# platform copp observation-period time
    Configures the observation window.
    • time—Amount of time in minutes.
Router# platform copp interface arp off
    Clears a per-subinterface rate-limiter for ARP on an interface.
    • interface—Defines the interface.

Verifying Per-Subscriber/Per-Protocol CoPP

To verify the Per-Subscriber/Per-Protocol CoPP configuration, use the following commands:

Command or Action    Purpose
Router# show platform copp rate-limit [arp | dhcp | all]
    Displays configuration settings.
    • arp—Displays ARP information.
    • dhcp—Displays DHCP information.
    • all—Displays ARP and DHCP information.
Router# show policy-map policy-map-name
    Verifies that packets match the desired class.
    • policy-map-name—(Optional) Name of the policy map.

Configuring Per-Subinterface CoPP on Access Interfaces on a Cisco 7600 SIP-400

This section describes the configuration of Per-Subinterface CoPP on a Cisco 7600 SIP-400.

Per-Subinterface CoPP Configuration Guidelines

This section describes guidelines to consider when configuring Per-Subinterface CoPP.
• Per-Subinterface CoPP is supported on Cisco 7600 series routers with Supervisor 720, SIP-400, and Ethernet SPAs.
• The following packet types can be rate-limited on the SIP-400:
  – DHCP packets
  – ARP packets
  – ATM OAM packets
  – Ethernet OAM packets
  – PPPoE discovery packets
  Note DHCP and ARP packets are supported in Cisco IOS Release 12.2(33)SRB and later. ATM OAM, Ethernet OAM, and PPPoE discovery packets are supported in Cisco IOS Release 12.2(33)SRC and later.
• If there is a normal QoS policy installed on an interface, the SIP-400 first applies the QoS policy, then the Security ACL, then the CoPP rate-limiter on a packet.
• During a switchover, all dynamic rate-limiters on the router are turned off.
• During online insertion and removal (OIR) of a line card, the rate-limiters on the interfaces are reset.

Configuring Per-Subinterface CoPP

SUMMARY STEPS
• class-map class-map-name
• match protocol protocol-name [arp | dhcp | atm-oam | ethernet-oam | pppoe-discovery]
• match subscriber access
• policy-map policy-map-name
• class class-map-name
• police rate units [pps burst burst-in-packets packets | bps burst burst-in-bytes bytes]
• control-plane user-type access
• service-policy input policy-map-name
• platform copp observation-period time
• platform copp interface protocol-name off

DETAILED STEPS

To configure Per-Subinterface CoPP support, use the following commands:

Command or Action    Purpose
Router(config)# class-map class-map-name
    Creates a class map for the packet protocol.
Router(config-cmap)# match protocol protocol-name [arp | dhcp | atm-oam | ethernet-oam | pppoe-discovery]
    Matches packet protocol traffic.
Router(config-cmap)# match subscriber access
    Defines the class map for access interfaces.
Router(config)# policy-map policy-map-name
    Specifies CoPP as the policy map.
Router(config-pmap)# class class-map-name
    Creates a class map for the packet protocol.
Router(config-pmap-c)# police rate units [pps burst burst-in-packets packets | bps burst burst-in-bytes bytes]
    Specifies the burst rate.
    • units—Rate at which traffic is policed in packets per second. Valid values are 1 to 2000000.
    • burst-in-packets—(Optional) Specifies the burst rate (in packets per second) that is used for policing traffic. Valid values are 1 to 512000 packets.
    • burst-in-bytes—(Optional) Specifies the burst rate (in bytes per second) that is used for policing traffic. Valid values are 100 to 1000 bytes.
Router(config)# control-plane user-type access
    Applies the policy on the control-plane user interface.
Router(config-cp-user)# service-policy input policy-map-name
    Configures the policy map.
Router(config)# platform copp observation-period time
    Configures the observation window.
    • time—Amount of time in minutes.
Router# platform copp interface protocol-name off
    Clears a per-subinterface limiter for the packet protocol on an interface.
    • interface—Defines the interface.
    • protocol-name—Defines the packet protocol.

Verifying Per-Subinterface CoPP

To verify the Per-Subinterface CoPP configuration, use the following commands:

Command or Action    Purpose
Router# show platform copp rate-limit protocol-name [arp | dhcp | atm-oam | ethernet-oam | pppoe-discovery | all]
    Displays configuration settings for the selected packet protocol or for all protocols.
Router# show platform np copp [ifnum] [detail]
    Displays debug information for a given session or for all sessions.
    • ifnum—Identifies a specific session ID.
    • detail—Shows full rate-limiting values.

Configuring DBUS COS Queuing on SIP-400

Packets coming from the Hyperion ASIC to the SIP-400 switch are buffered in two queues: High Priority (HP) and Low Priority (LP). Packets with the Bridge Protocol Data Unit (BPDU) bit or certain Class-of-Service (CoS) values set are sent as high priority. When the BPDU bit is not set, egress packets on the SIP-400 switch are placed in an internal low or high priority queue. This feature provides a CLI to allow the user to specify the DBUS CoS values that go to the SIP-400 switch's high priority queue.

Note The CoS values can only be set in the internally generated DBUS header and not in headers that exist prior to the packet entering the Cisco 7600 router or those on packets leaving the Cisco 7600 router.

The configuration is available per slot and not in the global configuration mode. This is so that any line card can be configured to use hardware configuration values stored for that slot, independent of any other line card in the chassis. If no values are specified using the command, then SIP-400 cards use the default DBUS CoS values of 5, 6, and 7. The CoS values input from the command are stored in the running configuration. These configured values are set whenever there is a line card Online Insertion or Removal (OIR). If the SIP-400 card is physically removed from the chassis, the configured CoS values are removed from the running configuration. If the SIP-400 is reinserted in the chassis, the default CoS values are used until the configuration is modified.

This feature has a minimal impact on memory and bandwidth.

Configuration Guidelines and Restrictions

Keep the following guidelines in mind while configuring this feature:
• DBUS COS Queuing is supported only on the SIP-400.
• The DBUS COS Queuing command allows the end user to control only the CoS value queuing behavior. The command does not allow the user to specify queuing behavior for the BPDU bit.
• For the SIP-400, a warning message is displayed if the values 6 and 7 do not map to the priority queue.

Configuration Steps

Use the commands described in the following sections to configure DBUS COS Queuing on the SIP-400:

SUMMARY STEPS
Step 1 Router# hw-module slot slot queue priority switch-fpga output cos values | none
Step 2 Router# no hw-module slot slot queue priority switch-fpga output

DETAILED STEPS

Command or Action    Purpose
Router# hw-module slot slot queue priority switch-fpga output cos values | none
Example: Router# hw-module slot 5 queue priority switch-fpga output none
    Specifies the CoS values that are placed in the SIP-400 switch high priority queue. slot is the slot being configured in the chassis; cos values are in the range 0-7. If the none keyword is specified, all the CoS values go to the SIP-400 switch's low priority queue.
    Note If CoS values 6 and 7 are not set to the SIP-400 switch's high priority queue by the CLI, then the terminal displays a SIP-400 specific warning message, since not prioritizing these values can severely affect performance.
    Each individual CoS value should be separated by a space, for example 4 5 6 7. You can configure non-consecutive values, for example 3 5 6 7, as long as 6 and 7 are included in the list. This command replaces any values that were previously set.
Router# no hw-module slot slot queue priority switch-fpga output
Example: Router# no hw-module slot 5 queue priority switch-fpga output
    Sets the CoS values back to the defaults.

Sample configuration

The following is an example of the feature configuration:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ! Map only CoS values 4, 5, 6, and 7 to the high priority queue
Router(config)# hw-module slot 5 queue priority switch-fpga output 4 5 6 7
Router(config)# ! Map only CoS values 6 and 7 to the high priority queue
Router(config)# ! Note that this un-maps 4 and 5 from the high priority queue
Router(config)# hw-module slot 5 queue priority switch-fpga output 6 7
Router(config)# do show running-config | include qos-priority
Router(config)# hw-module slot 5 queue priority switch-fpga output 6 7
Router(config)# ! Remove all CoS values from the high priority queue
Router(config)# hw-module slot 5 queue priority switch-fpga output none
WARNING: CoS values 6 and 7 are typically considered high priority. Setting these values to low priority may cause service disturbances during traffic congestion.
Router(config)# do show running-config | include switch-fpga
Router(config)# hw-module slot 5 queue priority switch-fpga output none

HELP Messages

You can access command line help to view command options and allowed arguments while configuring the feature. Some examples are illustrated below:

Router(config)#hw-module slot 5 ?
queue Linecard internal queueing configuration
Router(config)#hw-module slot 5 queue ?
priority Specify priority values
Router(config)#hw-module slot 5 queue priority ?
switch-fpga Switch FPGA internal queueing configuration
Router(config)#hw-module slot 5 queue priority switch-fpga ?
output Output policy
Router(config)#hw-module slot 5 queue priority switch-fpga output ?
<0-7> Up to 8 class of service values separated by spaces
none No priority values

Verifying the DBUS COS Queuing Configuration

Use the following show commands to verify the DBUS COS Queuing configuration:

Show Command    Description
SIP-400#show platform hardware bonham counters
    Displays the aggregate counters for both low and high priority packets dropped by the SIP-400 switch due to egress oversubscription.
    Note The SIP-400 switch does not maintain per-interface counters for these dropped packets but aggregates them.
SIP-400# show platform hardware bonham register | inc Priority
    Shows the setting in hardware. The first bit is CoS 0 and the ninth bit is BPDU.
SIP-400# show platform hardware bonham counters | inc PKT BUF
    Shows the total packet count through the high-priority and low-priority queues.

Verification Examples

SIP-400-5#show platform hardware bonham counters
Bonham Packet Counters:
AEFC A S Packets (offset 0x00A2) 0
AEFC B S Packets (offset 0x00A6) 0
AEFC A BG Packets (offset 0x00AA) 0
AEFC B BG Packets (offset 0x00AE) 0
SPI Tx Packets (offset 0x018C) 305473085
SPI Rx Packets (offset 0x0212) 851791536
DDR Tx Hi Packets (offset 0x028C) 1
DDR Tx Low Packets (offset 0x0290) 851785180
DDR Rx Packets (offset 0x030A) 306352642
CP FIFO Tx Packets (offset 0x0388) 6446
CP FIFO Rx Packets (offset 0x0408) 6455
INP to ENP Packets (offset 0x0488) 0
PKT BUF HP Packets (offset 0x050C) 30000000
PKT BUF LP Packets (offset 0x0510) 275466630
AEFC A Good Notify (offset 0x00CA) 0
AEFC A Bad Notify (offset 0x00CE) 1
AEFC B Good Notify (offset 0x00D2) 0
AEFC B Bad Notify (offset 0x00D6) 1
AEFC A Sent Msg (offset 0x00DA) 0
AEFC A Drop Msg (offset 0x00DE) 0
AEFC B Sent Msg (offset 0x00E2) 0
AEFC B Drop Msg (offset 0x00E6) 0
Error Counters:
SPI Rx Addr Errors (offset 0x0204) 0
DDR Rx Hdr CRC Err (offset 0x030E) 0
DDR Rx Pkt CRC Err (offset 0x0312) 0
DDR Rx Seq Errors (offset 0x0316) 0
DDR Rx Len Errors (offset 0x031A) 0
DDR Tx HP Errors (offset 0x0294) 0
DDR Tx LP Errors (offset 0x0298) 0
CP FIFO Tx Errors (offset 0x038C) 0
CP FIFO Rx Errors (offset 0x040C) 0
CP FIFO Rx Seq Err (offset 0x0410) 0
INP to ENP Errors (offset 0x048C) 0
Pkt buf HP pkt drops (offset 0x0534) 0
Pkt buf LP pkt drops (offset 0x0538) 886012
Pkt buf LLQ pkt drops(offset 0x0546) 0

Packets that are classified as high priority in the egress path are reflected in the 'PKT BUF HP Packets' counter. Low priority packets are reflected in the 'PKT BUF LP Packets' counter. High priority packets that have been dropped by the SIP-400 switch because of backpressure from the egress network processor are reflected in the 'Pkt buf HP pkt drops' counter. Low priority drops are reflected in the 'Pkt buf LP pkt drops' counter.

Configuring IPv6 Hop-by-Hop Header Security on SIP-200 or SIP-400

The IPv6 Hop-by-Hop (HBH) extension header is part of the original specification of the IPv6 protocol (RFC 2460). An IPv6 Hop-by-Hop extension header is identified by the header type 0, and when present, this extension header must always be the first extension header (EH) to follow the main header. Because a node must process any received packet that has an HBH extension header, forwarding packets containing the HBH header can represent a security threat.
This can happen when a large number of IPv6 packets with Hop-by-Hop (HBH) extension headers are sent, creating the possibility of Denial of Service (DoS) attacks. The IPv6 Hop-by-Hop Rate Limiter feature provides protection from these DoS attacks by allowing IPv6 traffic with Hop-by-Hop headers to be rate-limited on the 7600 SIP-400 and SIP-200 line cards. Cisco IOS Release 12.2(33)SRD1 introduces support for configuring IPv6 Hop-by-Hop policing on the SIP-400, and Cisco IOS Release 12.2(33)SRD3 introduces support for this feature on the SIP-200.

The Cisco 7600 routers treat IPv6 packets with HBH extension headers as Layer 2 packets. Layer 3 ACLs cannot be applied to these packets; hence a way to rate-limit them on the line card is needed. For Cisco IOS Releases 12.2(33)SRD1 and 12.2(33)SRE, only the first extension header of type Hop-by-Hop is rate-limited by the line card.

The SIP-200 and SIP-400 line cards support this feature on SUP720, SUP32, RSP720-1GE and RSP720-10GE supervisors.

The policer is a packets-per-second (pps) policer and is per network processor. Rate limits can be configured up to and including 25600 pps. The default police rate is 21.36 k pps, and the ROMMON variable is IPv6_policer_rate. Setting the policer rate to zero drops all the IPv6 HBH packets.

Usage Guidelines

The following factors need to be considered while configuring the IPv6 Hop-By-Hop Policing feature:
• Setting the police rate to 0 drops all the IPv6 HBH packets.
• After setting the police rate, the setting remains on the line card even if the line card is moved to another chassis running Cisco IOS Release 12.2(33)SRD3 or later.
• IPv6 packets with HBH and EH bypass any other QoS configured on the line card.
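The following Python program is an added example, not part of this guide or of Cisco IOS, that shows what the line-card policer described above has to recognise and how a packets-per-second limit behaves at the three settings the guide names: a positive rate, rate 0 (drop everything) and disabled. It builds constructed IPv6 packets with and without a Hop-by-Hop header directly after the base header, tests for the header the way the policer scope is described (only a first extension header of type Hop-by-Hop counts), and models the policer as a token bucket refilled at the configured rate. The token bucket, the HbhPolicer class and the simulate() helper are assumptions made for illustration; beyond being a per-network-processor pps policer, the hardware implementation is not documented on this page.

```python
import struct
import ipaddress

# IANA next-header values used below.
NH_HOP_BY_HOP = 0    # RFC 2460: Hop-by-Hop is type 0 and must directly follow the base header
NH_UDP = 17
NH_ICMPV6 = 58
NH_DEST_OPTS = 60


def build_ipv6(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Constructed 40-byte IPv6 base header (version 6, flow 0, hop limit 64) + payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def build_hbh(next_header, options=b""):
    """Hop-by-Hop extension header: next header, length in 8-octet units minus one,
    options padded to a multiple of 8 octets with Pad1/PadN (RFC 2460 section 4.2)."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"                                              # Pad1
    elif pad > 1:
        options += b"\x01" + bytes([pad - 2]) + b"\x00" * (pad - 2)      # PadN
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options


def has_hop_by_hop(packet):
    """True only when the first extension header after the base header is Hop-by-Hop,
    which is the case the line-card policer acts on; an HBH header placed later in
    the chain (which RFC 2460 forbids anyway) is not matched."""
    return len(packet) >= 40 and packet[0] >> 4 == 6 and packet[6] == NH_HOP_BY_HOP


class HbhPolicer:
    """Per-network-processor pps policer modelled as a token bucket of depth rate_pps
    refilled at rate_pps tokens per second (an assumption of this example).
    rate_pps == 0 drops every HBH packet; rate_pps is None when the policer is disabled."""

    def __init__(self, rate_pps):
        self.rate = rate_pps
        self.tokens = float(rate_pps or 0)
        self.last = 0.0
        self.punted = 0      # HBH packets handed up to the route processor
        self.dropped = 0

    def admit(self, packet, now):
        """Return True if the packet may be forwarded/punted, False if it is dropped."""
        if not has_hop_by_hop(packet):
            return True                       # not subject to this policer
        if self.rate is None:
            self.punted += 1
            return True
        if self.rate > 0:
            self.tokens = min(float(self.rate), self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                self.punted += 1
                return True
        self.dropped += 1
        return False


def simulate(rate_pps, n_packets, now=0.0):
    """Send n_packets HBH packets at the same instant; returns (admitted, dropped)."""
    pol = HbhPolicer(rate_pps)
    pkt = build_ipv6(NH_HOP_BY_HOP, build_hbh(NH_ICMPV6) + b"\x80\x00" + b"\x00" * 6)
    admitted = sum(1 for _ in range(n_packets) if pol.admit(pkt, now))
    return admitted, pol.dropped


if __name__ == "__main__":
    for rate in (1000, 0, None):
        print("rate", rate, "-> (admitted, dropped) for a burst of 2500:", simulate(rate, 2500))
```

A burst larger than the configured rate is cut to the rate, a rate of 0 drops the whole burst, and a disabled policer passes everything, which is the behaviour the usage guidelines above describe for the set 0 and disable commands.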
Supported Supervisor Engines and SPAs

The Cisco 7600 supports the IPv6 Hop-By-Hop Policing rate limit on the following:
• Supervisor engines:
  – Supervisor Engine 720
  – Supervisor Engine 32
  – RSP720-1GE
  – RSP720-10GE
• SIP-400 supporting the following SPAs:
  – SPA-2x1GE-V2
  – SPA-5x1GE-V2
  – SPA-2xOC3-POS
  – SPA-4xOC3-POS
  – SPA-1xOC12-POS
  – SPA-1xOC48-POS
  – SPA-1CHOC3-CE-ATM
  – SPA-24CHT1-CE-ATM
  – SPA-2xOC3-ATM
  – SPA-4xOC3-ATM
  – SPA-1xOC12-ATM
  – SPA-1xOC48-ATM
• SIP-200 supporting the following SPAs:
  – SPA-2xOC3-POS
  – SPA-4xOC3-POS
  – SPA-1xOC12-POS
  – SPA-2xOC3-ATM
  – SPA-4xOC3-ATM
  – SPA-1xOC12-ATM

Configuring IPv6 Hop-by-Hop Header Security

To connect to a specific line card for the purpose of executing the test platform police ipv6 set, test platform police ipv6 get, or test platform police ipv6 disable command, use the attach command in privileged EXEC mode. You can then set the IPv6 internal police rate by using the test platform police ipv6 set command in privileged EXEC mode from the line card console.

SUMMARY STEPS

Use the following summary of commands to configure the IPv6 Hop-by-Hop feature on a SIP-400 or a SIP-200.
Step 1  Router# attach slot
Step 2  SIP-400-slot> enable
Step 3  SIP-400-slot# test platform police ipv6 set rate
Step 4  SIP-400-slot# test platform police ipv6 disable

DETAILED STEPS

Command or Action: Router# attach slot
  Example: Router# attach 3
  Purpose: Allows you to log in to the specified interface of the SIP-400 or SIP-200 console.

Command or Action: SIP-400-slot> enable
  Example: SIP-400-3> enable
  Purpose: Enables privileged EXEC mode.

Command or Action (SIP-400): SIP-400-3# test platform police ipv6 set rate
  Example: SIP-400-3# test platform police ipv6 set 1022
  Purpose: Sets the IPv6 internal police rate, in packets per second (pps), on the SIP-400 interface.

Command or Action (SIP-200): SIP-200-3# test platform police ipv6 set rate
  Example: SIP-200-3# test platform police ipv6 set 300
  Purpose: Sets the IPv6 internal police rate, in packets per second (pps), on the SIP-200 interface.

Command or Action: SIP-400-3# test platform police ipv6 disable
  Example: SIP-400-3# test platform police ipv6 disable
  Purpose: Disables the IPv6 internal policer.
  Note: On a SIP-400, rate=65535 indicates that the policer is disabled.

Note: To exit the slot, type Control+C three times from the attach console slot. The ^C^C^C key sequence ends the session. This tip is also displayed as you enter the console slot.

Sample Configuration

To set the policer on the SIP-400 and use the get command to display the configured police rate:

PE17_C7606# attach 2
Entering CONSOLE for slot 2
Type "^C^C^C" to end this session
SIP-400-2> enable
SIP-400-2# test platform police ipv6 set ?
  <0-25600>  pps, 0 to drop all the IPv6 HBH packets
SIP-400-2# test platform police ipv6 set 1000
SIP-400-2# test platform police ipv6 get
IPv6 with HBH header is policed at 1001.35 pps

OR

SIP-400-8# test platform police ipv6 set ?
  <0-25600>  pps, 0 drop all the IPv6 HBH packets
SIP-400-8# test platform police ipv6 set 300
SIP-400-8# test platform police ipv6 get
IPv6 with HBH header is policed at 292.6 pps

To disable the IPv6 internal policer on the SIP-400:

SIP-400-8# test platform police ipv6 disable
SIP-400-8# test platform police ipv6 get
IPv6 with HBH header is not policed.
To set the policer on the SIP-200 and use the get command to display the configured police rate:

SIP-200-2# test platform police ipv6 set 0
Dropping all the IPv6 HBH Policer
SIP-200-2# test platform police ipv6 set 1000
IPv6 HBH packet policer rate = 1000 pps
SIP-200-2# test platform police ipv6 get
IPv6 HBH packet policer rate = 1000 pps, Rate in rommon = 1000 pps

To disable the IPv6 internal policer on the SIP-200:

SIP-200-2# test platform police ipv6 disable
SIP-200-2# test platform police ipv6 get
IPv6 with HBH header is not policed.
SIP-200-2# show platform software ipv6-policer
IPv6 HBH packet policer rate = 1000 pps
Rate in rommon = 1000 pps
Packets dropped = 297850, Packets punted to RP = 37424

Verifying the IPv6 Hop-By-Hop Policing Configuration

To verify the configuration of the IPv6 Hop-by-Hop policing feature, use the following show commands:

Command or Action: SIP-400-slot# test platform police ipv6 get   OR   SIP-200-slot# test platform police ipv6 get
  Purpose: Displays the IPv6 internal police rate on the line card.

Command or Action: SIP-400-slot# show platform np rppp rate
  Purpose: Displays information about all the internal policers, where:
  • np refers to the Network Processor.
  • rppp stands for Routing Punt Path Policer.
  • rate signifies the aggregate policer speed at which packets are routed to the RP.

Command or Action: SIP-200-slot# show platform software ipv6-policer
  Purpose: Displays full details of the policer rate limit and rate-limited packets.

Verification Examples

To view the policer rate limit:

SIP-400-4# test platform police ipv6 get
IPv6 with HBH header is policed at 0.0 pps

To view the packets rate-limited:

SIP-400-4# show platform np rppp rate | inc HBH
IPv6 HBH packet policer rate = 0.0pps,x = 0,y2 = 0,tokens = 10240,
SIP-400-4#

SIP-400-3# show platform np rppp rate
RPPP NP Client Rate Information:
Default RPPP rate = 1335.14pps,x = 1,y2 = 6,tokens = 10240, pkts=0
Priority RPPP rate = 1335.14pps,x = 1,y2 = 6,tokens = 10240, pkts=0
L4R/PBHK configs RPPP rate = 21362.30pps,x = 1,y2 = 2,tokens = 10240, pkts=0
Broadband FSOL RPPP rate = 10681.15pps,x = 1,y2 = 3,tokens = 10240, pkts=0
CFM RPPP rate = 1335.14pps,x = 1,y2 = 6,tokens = 4194304, pkts=0
IPv6 HBH packet policer rate = 21362.30pps,x = 1,y2 = 2,tokens = 10240, pkts=0

SIP-200-1# show platform software ipv6-policer
IPv6 HBH packet policer rate = 21000 pps, Rate in rommon = 21000 pps
Packets dropped = 0 packets, Packets punted to RP = 0.

Note: The values for setting and getting may not match exactly and are approximated.

Triple Nesting QoS Support on SIP400

Beginning with Cisco IOS Release 12.2(33)SRE, the SIP-400 extends configuration support to three levels of policy on the SIP-400 line card, from the existing support for two levels of queuing. The third level of user-defined QoS policy maps supports non-queuing features. Triple nesting QoS on the SIP-400 allows you to define an MQC policy with parent, child and grandchild (three nested policies). Queuing classes are supported for the parent and child, while the third, grandchild level supports only non-queuing actions such as policing and marking.
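Because the SIP-400 keeps only aggregate drop counters, the practical check for both the DBUS COS verification commands and the IPv6 Hop-by-Hop verification commands shown earlier in this section is to poll twice and look at the change. The following Python is an added example, not from this guide or from Cisco IOS: it parses the counter lines of show platform hardware bonham counters and the "Packets dropped / Packets punted to RP" line of show platform software ipv6-policer, and reports which drop counters rose between two polls. The T1 snapshots are constructed for the example; the T0 bonham values are the ones from the verification example above.

```python
import re

# Constructed snapshots modelled on the `show platform hardware bonham counters`
# and `show platform software ipv6-policer` output shown in this chapter.  The T0
# bonham values are the ones from the verification example; T1 values are made up.
BONHAM_T0 = """\
Bonham Packet Counters:
PKT BUF HP Packets (offset 0x050C) 30000000
PKT BUF LP Packets (offset 0x0510) 275466630
Error Counters:
Pkt buf HP pkt drops (offset 0x0534) 0
Pkt buf LP pkt drops (offset 0x0538) 886012
Pkt buf LLQ pkt drops(offset 0x0546) 0
"""
BONHAM_T1 = """\
Bonham Packet Counters:
PKT BUF HP Packets (offset 0x050C) 30001000
PKT BUF LP Packets (offset 0x0510) 275566630
Error Counters:
Pkt buf HP pkt drops (offset 0x0534) 0
Pkt buf LP pkt drops (offset 0x0538) 886512
Pkt buf LLQ pkt drops(offset 0x0546) 0
"""
POLICER_T0 = "IPv6 HBH packet policer rate = 1000 pps\nRate in rommon = 1000 pps\nPackets dropped = 297850, Packets punted to RP = 37424"
POLICER_T1 = "IPv6 HBH packet policer rate = 1000 pps\nRate in rommon = 1000 pps\nPackets dropped = 298000, Packets punted to RP = 37500"

# "<name> (offset 0x....) <value>"; the LLQ line has no space before the parenthesis.
BONHAM_RE = re.compile(r"^\s*(?P<name>.+?)\s*\(offset\s+0x[0-9A-Fa-f]+\)\s*(?P<value>\d+)\s*$")
# Matches both "dropped = 297850, Packets punted" and "dropped = 0 packets, Packets punted".
POLICER_RE = re.compile(r"Packets dropped\s*=\s*(?P<dropped>\d+)\D+Packets punted to RP\s*=\s*(?P<punted>\d+)")

# Counters whose growth between polls means traffic is being discarded.
DROP_COUNTERS = ("Pkt buf HP pkt drops", "Pkt buf LP pkt drops",
                 "Pkt buf LLQ pkt drops", "ipv6 hbh dropped")


def parse_bonham(text):
    """Counter name -> integer value for every '(offset 0x....)' line."""
    return {m.group("name"): int(m.group("value"))
            for m in map(BONHAM_RE.match, text.splitlines()) if m}


def parse_ipv6_policer(text):
    """{'dropped': n, 'punted': n} from show platform software ipv6-policer, or None."""
    m = POLICER_RE.search(text)
    if not m:
        return None
    return {"dropped": int(m.group("dropped")), "punted": int(m.group("punted"))}


def snapshot(bonham_text, policer_text):
    """One poll of both commands merged into a single counter dictionary."""
    counters = parse_bonham(bonham_text)
    pol = parse_ipv6_policer(policer_text)
    if pol is not None:
        counters["ipv6 hbh dropped"] = pol["dropped"]
        counters["ipv6 hbh punted"] = pol["punted"]
    return counters


def drop_deltas(before, after):
    """Change of each drop counter between two polls (missing counters count as 0)."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in DROP_COUNTERS}


def rising_drop_counters(before, after):
    """Sorted names of drop counters that increased; a rising LP/HP drop counter
    means egress oversubscription on the SIP-400 switch, a rising HBH counter means
    the Hop-by-Hop policer is discarding packets."""
    return sorted(k for k, d in drop_deltas(before, after).items() if d > 0)


if __name__ == "__main__":
    s0, s1 = snapshot(BONHAM_T0, POLICER_T0), snapshot(BONHAM_T1, POLICER_T1)
    print(drop_deltas(s0, s1))
    print("rising:", rising_drop_counters(s0, s1))
```

Since the counters are aggregates, the delta tells you that drops are happening on the line card, not on which interface; the per-interface view has to come from the interface and policy-map counters instead.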
Note: All the IPv6 Hop-by-Hop verification commands listed above can be run on the SIP-400 and SIP-200 line cards.

The Triple Nesting QoS feature is not expected to have any significant change in memory or CPU utilization on the SIP-400.

This policy-map can be applied to the following interfaces:
• PPP main interface
• Subinterfaces
• EVC (either on the main interface or on the subinterface configured with dot1q)
• FR DLCI
• ATM VC

The following pseudo policy depicts that a policy with a third-level grandchild non-queuing policy is currently not supported on SIP-400.

Pseudo Policy:
  parent       queuing
  child        queuing
  grand-child  Policing (No queuing allowed)

This feature is applicable on both ingress and egress QoS policy maps. The following table shows the Triple Nesting QoS support over the various interfaces (UDC = user-defined class, CD = class-default):

                    FLAT policy         Parent policy       Child policy        Grandchild policy
                    Ingress   Egress    Ingress   Egress    Ingress   Egress    Ingress   Egress
                    UDC CD    UDC CD    UDC CD    UDC CD    UDC CD    UDC CD    UDC CD    UDC CD
GIG main interface
  shape             -   -     Yes Yes   No  No    Yes Yes   Yes Yes   Yes Yes   No  No    No  No
  priority          No  No    Yes Yes   No  No    No  No    Yes Yes   Yes Yes   No  No    No  No
  bandwidth         No  No    Yes Yes   No  No    Yes Yes   No  No    Yes Yes   No  No    No  No
  policy            Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
  ip prec marking   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
GIG dot1Q/QinQ subinterface
  shape             -   -     Yes Yes   -   -     -   -     Yes Yes   Yes Yes   No  No    No  No
  priority          No  No    Yes Yes   No  No    No  No    Yes Yes   Yes Yes   No  No    No  No
  bandwidth         No  No    Yes Yes   No  No    Yes Yes   No  No    Yes Yes   No  No    No  No
  policy            Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
  ip prec marking   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
EVC
  shape             Yes Yes   Yes Yes   -   -     -   -     Yes Yes   Yes Yes   No  No    No  No
  priority          No  No    Yes Yes   No  No    No  No    Yes Yes   Yes Yes   No  No    No  No
  bandwidth         No  No    Yes Yes   No  No    Yes Yes   No  No    Yes Yes   No  No    No  No
  policy            Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
  ip prec marking   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
ISG
  shape             No  No    No  Yes   No  No    No  Yes   No  No    Yes Yes   No  No    No  No
  priority          No  No    No  Yes   No  No    No  No    No  No    Yes Yes   No  No    No  No
  bandwidth         No  No    No  Yes   No  No    No  Yes   No  No    Yes Yes   No  No    No  No
  policy            Yes Yes   No  Yes   Yes Yes   No  Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
  ip prec marking   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
Channelized interface (SONET/SDH, such as the 1-Port Channelized OC-3/STM-1 SPA)
  shape             No  No    Yes Yes   No  No    Yes Yes   No  No    Yes Yes   No  No    No  No
  priority          No  No    Yes Yes   No  No    No  No    No  No    Yes Yes   No  No    No  No
  bandwidth         No  No    Yes Yes   No  No    Yes Yes   No  No    Yes Yes   No  No    No  No
  policy            Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
  ip prec marking   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
POS with FR
  shape             No  No    Yes Yes   No  No    Yes Yes   No  No    Yes Yes   No  No    No  No
  priority          No  No    Yes Yes   No  No    No  No    No  No    Yes Yes   No  No    No  No
  bandwidth         No  No    Yes Yes   No  No    Yes Yes   No  No    Yes Yes   No  No    No  No
  policy            Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
  ip prec marking   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
ATM PVC
  shape             No  No    No  No    No  No    No  No    No  No    No  No    No  No    No  No
  priority          No  No    Yes Yes   No  No    No  No    No  No    No  No    No  No    No  No
  bandwidth         No  No    Yes Yes   No  No    No  No    No  No    No  No    No  No    No  No
  policy            Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes
  ip prec marking   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes   Yes Yes

Configuration and Restrictions

• Queuing support on the third level policy map
• The ATM SPA doesn't support hierarchical queuing.
• Any service-policy supporting existing features on either the ingress or the egress side can have an extra level of policer on the ingress or egress side too. This policer can be applied on a user-defined class or class-default in the third level of the policy-map.
• If a hierarchical policy-map is applied to a subinterface, then the parent class has to be class-default.

Configuration procedure

SUMMARY STEPS
Step 1  service-policy output Parent
Step 2  service-policy ingress_policy
Step 3  service-policy input third ingress_policy_level

DETAILED STEPS

Command: Router(config-if)# service-policy output Parent
  Example: Router(config-if)# service-policy output Parent-155M
  Purpose: Applies this service-policy to an interface on the egress side.

Command: Router(config-if)# service-policy ingress_policy
  Example: Router(config-if)# service-policy ingress_policy
  Purpose: Applies this service-policy to an interface on the ingress side.

Command: Router(config-if)# service-policy input third ingress_policy_level
  Example: Router(config-if)# service-policy input ingress-three
  Purpose: Specifies that the service-policy applied on the ingress side is a grandchild level policy.

Configuration Samples

Example of Third Level User Defined Egress QoS Policy-Map

policy-map NMC_POLICING
 class NMC_RP
  police 8000 8000 8000 conform-action set-dscp-transmit cs6 exceed-action set-dscp-transmit cs6
 class NMC_SNMP
  police cir 8000 bc 8000 be 8000 conform-action set-dscp-transmit af21 exceed-action set-dscp-transmit af21

policy-map CE_EGRESS_QUEUING
 class NMC
  bandwidth remaining percent 1
  service-policy NMC_POLICING           <<<< Level THREE Policy-map - Only policing

policy-map Parent-155M                  <<<< Level ONE Policy-map
 class class-default
  shape average 147712000
  service-policy CE_EGRESS_QUEUING      <<<< Level TWO Policy-map

Applying this service-policy to a main interface:
interface GigabitEthernet1/3/0
 service-policy output Parent-155M

Applying this service-policy to a subinterface:
interface GigabitEthernet1/2/1.100
 encapsulation dot1Q 456
 service-policy output Parent-155M

Applying this service-policy to an FR DLCI:
interface Serial7/3/0/1:10
 encapsulation frame-relay IETF
 frame-relay interface-dlci 20
  service-policy output Parent-155M

Applying this service-policy to an EVC:
interface GigabitEthernet1/3/0
 service instance 51 ethernet
  encapsulation dot1q 51
  service-policy output Parent-155M

Example of Third Level User Defined Ingress QoS Policy-Map

policy-map ingress-one
 class COS3
  police cir 10240000 bc 1280000 conform-action set-dscp-transmit af21 exceed-action set-dscp-transmit af22

policy-map ingress-two
 class NMC
  shape average 10000000
  service-policy ingress-one

policy-map ingress-three
 class COS1
  shape average 10000
  service-policy ingress-two

Applying this service-policy to a main interface:
interface GigabitEthernet1/2/0
 no ip address
 negotiation auto
 service-policy input ingress-three

Example of Third Level User Defined QoS Policy-Map for ATM

policy-map tnq2
 class class-default
  police 400000

policy-map tnq1
 class video
  police 300000
  service-policy tnq2

policy-map tnq
 class tnq
  police 10000000
  service-policy tnq1

Applying this service-policy to an ATM PVC:
interface ATM1/0/0
 no ip address
 no atm enable-ilmi-trap
 pvc 10/100
  service-policy out tnq

Configuring IGMP Snooping on a SIP-200

IGMP snooping constrains the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded only to those interfaces associated with IP multicast devices. As the name implies, IGMP snooping requires the LAN router to snoop on the IGMP transmissions between the host and the router and to keep track of multicast groups and member ports. When the router receives an IGMP report from a host for a particular multicast group, the router adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.

The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The router creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.

For more information and configuration instructions, see the Cisco 7600 Series Router IOS Software Configuration Guide, Release 12.2SR.

Configuring ACFC and PFC Support on Multilink Interfaces

About ACFC and PFC

Using the Address and Control Field Compression (ACFC) and PPP Protocol Field Compression (PFC) Support on Multilink Interfaces feature, you can control the negotiation and application of the Link Control Protocol (LCP) configuration options for ACFC and PFC. If ACFC is negotiated during Point-to-Point Protocol (PPP) negotiation, Cisco routers may omit the High-Level Data Link Control (HDLC) header on links using HDLC encapsulation.
If PFC is negotiated during PPP negotiation, Cisco routers may compress the PPP protocol field from two bytes to one byte. The PPP commands described in this section provide options to control PPP negotiation, allowing the HDLC framing and the protocol field to remain uncompressed. These commands allow the system administrator to control when PPP negotiates the ACFC and PFC options during initial LCP negotiations and how the results of the PPP negotiation are applied.

Note: Address and control field compression is only applicable to links that use PPP in HDLC-like framing as described by RFC 1662.

Restrictions and Usage Guidelines

ACFC and PFC should be configured with the link shut down.

Note: When Multilink PPP is configured in hardware, ACFC and PFC are active only when all links in the bundle have ACFC and PFC configured.

Using ACFC and PFC can result in gains in effective bandwidth because they reduce the amount of framing overhead for each packet. However, using ACFC or PFC changes the alignment of the network data in the frame, which in turn can impair the switching efficiency of the packets at both the local and remote ends of the connection. For these reasons, it is generally recommended that ACFC and PFC not be enabled without carefully considering the potential results.

ACFC and PFC options are supported only when the serial interfaces are multilink member interfaces. ACFC and PFC configured on MLP interfaces do not have any effect during PPP negotiation or during packet transmission.

Supported Platforms

SIP-200/SPA

This feature is supported on the SIP-200 for the following SPAs:
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC3/STM-1 SPA

Configuring ACFC and PFC Support

The following sections list the configuration tasks for ACFC and PFC handling.
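To make concrete what ACFC and PFC change on the wire, the following Python is an added example, not from this guide or from Cisco IOS. It encodes and decodes the PPP-in-HDLC-like frame body of RFC 1662 with and without the two compressions, showing why a receiver can always tell the compressed and uncompressed forms apart, and it models the outcome of the ppp acfc/pfc local and remote keywords as the steps below describe them. encode_ppp_frame, decode_ppp_frame and option_outcome are names chosen for this example; the option model is a reading of the keyword descriptions, not the router's LCP state machine.

```python
HDLC_ADDRESS = 0xFF   # RFC 1662 All-Stations address octet
HDLC_CONTROL = 0x03   # RFC 1662 Unnumbered Information control octet


def encode_ppp_frame(protocol, info, acfc=False, pfc=False):
    """Frame body between the HDLC flag octets (FCS omitted).
    acfc=True omits the 0xFF 0x03 address/control octets.
    pfc=True sends the protocol field as one octet when its upper octet is zero."""
    # RFC 1661: the upper octet of a protocol number is even, the lower octet odd.
    if (protocol & 1) == 0 or ((protocol >> 8) & 1) == 1:
        raise ValueError("PPP protocol: upper octet must be even, lower octet odd")
    frame = b"" if acfc else bytes([HDLC_ADDRESS, HDLC_CONTROL])
    if pfc and protocol < 0x100:
        frame += bytes([protocol])
    else:
        frame += protocol.to_bytes(2, "big")
    return frame + info


def decode_ppp_frame(frame):
    """Return (protocol, info, acfc_used, pfc_used) for a frame that may or may not be
    compressed: 0xFF 0x03 can never begin a protocol field (0xFF is odd and 0x00FF is
    reserved), and a one-octet PFC protocol is odd while the first octet of a two-octet
    protocol is even, so the receiver needs no side channel to decode either form."""
    if not frame:
        raise ValueError("empty frame")
    acfc_used = not (len(frame) >= 2 and frame[0] == HDLC_ADDRESS and frame[1] == HDLC_CONTROL)
    i = 0 if acfc_used else 2
    if i >= len(frame):
        raise ValueError("no protocol field")
    if frame[i] & 1:                                        # compressed protocol field
        return frame[i], frame[i + 1:], acfc_used, True
    if i + 2 > len(frame):
        raise ValueError("truncated protocol field")
    return int.from_bytes(frame[i:i + 2], "big"), frame[i + 2:], acfc_used, False


def option_outcome(local_mode, remote_mode, peer_requested):
    """Model of the ppp {acfc|pfc} local {request|forbid} and remote {apply|reject|ignore}
    keywords for one option.  Returns (accepted_from_peer, performed_on_sent_frames)."""
    if local_mode not in ("request", "forbid") or remote_mode not in ("apply", "reject", "ignore"):
        raise ValueError("unknown keyword")
    if not peer_requested or local_mode == "forbid" or remote_mode == "reject":
        return False, False                  # forbid refuses peer requests; reject explicitly ignores them
    return True, remote_mode == "apply"      # ignore: accepted, but compression is not performed


if __name__ == "__main__":
    ip_frame = encode_ppp_frame(0x0021, b"\x45\x00\x00\x14", acfc=True, pfc=True)
    print("ACFC+PFC IPv4 frame body:", ip_frame.hex())          # 4 octets of overhead saved
    print("decoded:", decode_ppp_frame(ip_frame))
    lcp_frame = encode_ppp_frame(0xC021, b"\x01\x01\x00\x04", acfc=False, pfc=True)
    print("LCP is never compressed:", lcp_frame.hex(), decode_ppp_frame(lcp_frame))
```

The decoder works on every combination, which is why the guide can warn that the cost of these options is alignment and switching efficiency rather than interoperability: a peer that negotiated the options may still send uncompressed frames, and the receiver must accept both.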
Configuring ACFC Support

SUMMARY STEPS

Use the following summary of commands to configure ACFC.
Step 1  enable
Step 2  configure terminal
Step 3  interface serial slot/subslot/port:channel-group
Step 4  shutdown
Step 5  ppp acfc remote {apply | reject | ignore}
Step 6  ppp acfc local {request | forbid}
Step 7  no shutdown

DETAILED STEPS

To configure ACFC support, perform the following tasks in interface configuration mode:

Step 1  Router> enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
Step 2  Router# configure terminal
  Purpose: Enables global configuration mode.
Step 3  Router(config)# interface serial slot/subslot/port:channel-group
  Example: Router(config)# interface serial 2/1/0:2
  Purpose: Selects the interface to configure.
  • slot/subslot/port:channel-group—Specifies the location of the interface.
Step 4  Router(config-if)# shutdown
  Purpose: Shuts down the interface.
Step 5  Router(config-if)# ppp acfc remote {apply | reject | ignore}
  Example: Router(config-if)# ppp acfc remote apply
  Purpose: Configures how the router handles the ACFC option in configuration requests received from a remote peer.
  • apply—ACFC options are accepted and ACFC may be performed on frames sent to the remote peer.
  • reject—ACFC options are explicitly ignored.
  • ignore—ACFC options are accepted, but ACFC is not performed on frames sent to the remote peer.
Step 6  Router(config-if)# ppp acfc local {request | forbid}
  Example: Router(config-if)# ppp acfc local request
  Purpose: Configures how the router handles ACFC in its outbound configuration requests.
  • request—The ACFC option is included in outbound configuration requests.
  • forbid—The ACFC option is not sent in outbound configuration requests, and requests from a remote peer to add the ACFC option are not accepted.
Step 7  Router(config-if)# no shutdown
  Purpose: Reenables the interface.

ACFC Configuration Example

The following example configures the interface to accept ACFC requests from a remote peer, perform ACFC on frames sent to the peer, and include the ACFC option in its outbound configuration requests:

Router> enable
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface serial 4/1/1/1:0
Router(config-if)# shutdown
Router(config-if)# ppp acfc remote apply
Router(config-if)# ppp acfc local request
Router(config-if)# no shutdown

Configuring PFC Support

SUMMARY STEPS

Use the following summary of commands to configure PFC.
Step 1  enable
Step 2  configure terminal
Step 3  interface serial slot/subslot/port:channel-group
Step 4  shutdown
Step 5  ppp pfc remote {apply | reject | ignore}
Step 6  ppp pfc local {request | forbid}
Step 7  no shutdown

DETAILED STEPS

To configure PFC support, perform the following tasks in interface configuration mode:

Step 1  Router> enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
Step 2  Router# configure terminal
  Purpose: Enables global configuration mode.
Step 3  Router(config)# interface serial slot/subslot/port:channel-group
  Example: Router(config)# interface serial 3/0/0:0
  Purpose: Selects the interface to configure.
  • slot/subslot/port:channel-group—Specifies the location of the interface.
Step 4  Router(config-if)# shutdown
  Purpose: Shuts down the interface.
Step 5  Router(config-if)# ppp pfc remote {apply | reject | ignore}
  Example: Router(config-if)# ppp pfc remote apply
  Purpose: Configures how the router handles the PFC option in configuration requests received from a remote peer.
  • apply—PFC options are accepted and PFC may be performed on frames sent to the remote peer.
  • reject—PFC options are explicitly ignored.
  • ignore—PFC options are accepted, but PFC is not performed on frames sent to the remote peer.
Step 6  Router(config-if)# ppp pfc local {request | forbid}
  Example: Router(config-if)# ppp pfc local forbid
  Purpose: Configures how the router handles PFC in its outbound configuration requests.
  • request—The PFC option is included in outbound configuration requests.
  • forbid—The PFC option is not sent in outbound configuration requests, and requests from a remote peer to add the PFC option are not accepted.
Step 7  Router(config-if)# no shutdown
  Purpose: Reenables the interface.

PFC Configuration Example

The following example configures the interface to explicitly ignore the PFC option received from a remote peer, to exclude the PFC option from its outbound configuration requests, and to reject any request from a remote peer to add the PFC option:

Router> enable
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface serial 4/1/1/1:0
Router(config-if)# shutdown
Router(config-if)# ppp pfc remote reject
Router(config-if)# ppp pfc local forbid
Router(config-if)# no shutdown

Configuring PPPoEoE on a Cisco 7600 SIP-400

Point-to-Point Protocol (PPP) provides a standard method of communicating with peers over a point-to-point link. An Ethernet link provides multipoint communication between multiple peers. PPP over Ethernet (PPPoE) allows point-to-point communication across multipoint Ethernet links. The PPPoE over Ethernet interface (PPPoEoE) enables the Cisco 7600 series router with a Cisco 7600 SIP-400 to terminate Ethernet PPP sessions over Ethernet links.
The PPPoE over IEEE 802.1Q VLANs feature enables the router to terminate Ethernet PPP sessions across VLAN links. IEEE 802.1Q encapsulation is used to interconnect a VLAN-capable router with another VLAN-capable networking device. The packets on the 802.1Q link contain a standard Ethernet frame and the VLAN information associated with that frame.

Supported Features

PPPoEoE on the Cisco 7600 SIP-400 supports the following features:
• PPPoE discovery packets (rate-limited), PPPoE PPP control packets, and PPPoE PPP IP data packets provide a per-user session on an Ethernet interface.
• PPPoE is supported on main interfaces, 802.1Q and QinQ access interfaces, and VLAN ranges (802.1Q ranges and QinQ inner ranges).
• 8 K PPPoE sessions are supported.
• PPPoE and IP sessions can be configured on the same subinterface.

Limitations and Restrictions

PPPoEoE on the Cisco 7600 SIP-400 has the following limitations and restrictions:
• PPP over ATM (PPPoA) is not supported.
• Tunneling of PPPoE sessions (Layer 2 Tunneling Protocol) is not supported.
• Ambiguous VLANs and a range of VLANs for IP session interfaces are not supported. However, a range of VLANs is supported for PPPoE-configured interfaces.
• The negotiated maximum transmission unit (MTU) value can only be 1492 or 1500 bytes.
• If the ip tcp adjust-mss command is used, the only value supported is 1468.
• PPPoE can only be configured on subinterfaces using the access keyword.
Configuration Tasks for PPPoE over Ethernet To configure PPPoE over Ethernet, perform the following tasks: • Configuring a Virtual Template Interface, page 4-160 • Creating an Ethernet Interface and Enabling PPPoE, page 4-161 • Configuring PPPoE in a BBA Group, page 4-162 • Configuring PPPoE over 802.1Q VLANs on a Cisco 7600 SIP-400, page 4-1634-160 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 4 Configuring the SIPs and SSC Configuration Tasks Configuring a Virtual Template Interface Configure a virtual template before you configure PPPoE on an Ethernet interface. The virtual template interface is a logical entity that is applied dynamically as needed to an incoming PPP session request. SUMMARY STEPS Step 1 interface virtual-template number Step 2 ip unnumbered ethernet number Step 3 mtu bytes Step 4 ppp authentication chap Step 5 ppp ipcp ip address required DETAILED STEPS To create and configure a virtual template interface, enter the following commands beginning in global configuration mode: The following example shows the configuration of a virtual template interface: Router(config)# interface virtual-template 1 Router(config-if)# ip unnumbered ethernet 21 Router(config-if)# no peer default ip address Router(config-if)# ppp authentication chap Router(config-if)# ppp authorization vpn1 Router(config-if)# ppp accounting vpn1 Note The PPP commands shown in these examples are typical of virtual template configurations. Not all PPP commands are required. Refer to the PPP documentation for more information. Command or Action Purpose Step 1 Router(config)# interface virtual-template number Creates a virtual template interface and enters interface configuration mode. Step 2 Router(config-if)# ip unnumbered ethernet number Enables IP without assigning a specific IP address on the LAN. Step 3 Router(config-if)# mtu bytes (Optional) Sets the maximum MTU size for the interface. Note MTU size can be set only to 1492 or 1500. 
Step 4 Router(config-if)# ppp authentication chap Enables PPP authentication on the virtual template interface. Step 5 Router(config-if)# ppp ipcp ip address required Required for legacy dial-up and DSL networks. Prevents a PPP session from being set up with 0.0.0.0 remote ip address.4-161 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 4 Configuring the SIPs and SSC Configuration Tasks Monitoring and Maintaining a Virtual Access Interface When a virtual template interface is applied dynamically to an incoming user session, a virtual access interface (VAI) is created. You cannot use the command line interface (CLI) to directly create or configure a VAI, but you can display and clear the VAI by using the following commands in privileged EXEC mode. SUMMARY STEPS Step 1 clear interface virtual-access number DETAILED STEPS The following example shows how to display the active VAI configuration: Router# show interfaces virtual-access 1.1 configuration ! interface virtual-access1.1 if vrf forwarding vrf-1 ip unnumbered Loopback1 no ip proxy-arp peer default ip address pool vrf-1 ppp authentication chap end Note Virtual-access 1.1 is a PPPoE subinterface. The following example shows how to clear a live session: Router# clear interface virtual-access 1.1 Router# Creating an Ethernet Interface and Enabling PPPoE SUMMARY STEPS Step 1 interface gigabitethernet number Step 2 protocol pppoe group group-name Command or Action Purpose Router# show interfaces virtual-access number configuration Displays the configuration of the active VAI that was created using a virtual template interface. The configuration keyword restricts output to configuration information. 
Router# clear interface virtual-access number
        Tears down the live sessions and frees the memory for other client users.

DETAILED STEPS
To create an Ethernet interface and enable PPPoE on it, enter the following commands beginning in global configuration mode:

Command or Action / Purpose
Step 1  Router(config)# interface gigabitethernet number
        Creates an Ethernet interface and enters interface configuration mode.
Step 2  Router(config-if)# protocol pppoe group group-name
        Enables PPPoE and allows PPPoE sessions to be created through that interface.

Configuring PPPoE in a BBA Group

Note: Cisco IOS Release 12.2(33)SRC does not support the configuration of BBA groups using RADIUS. You must configure BBA groups manually.

SUMMARY STEPS
Step 1 bba-group pppoe name
Step 2 virtual-template template-number
Step 3 pppoe limit per-mac per-mac-limit
Step 4 pppoe limit max-sessions number
Step 5 pppoe limit per-vc per-vc-limit
Step 6 exit
Step 7 interface type number access
Step 8 encapsulation dot1q vlan-id
Step 9 pppoe enable group group-name

DETAILED STEPS
To configure a broadband aggregation (BBA) group for PPPoE and link it to the appropriate virtual template interface, enter the following commands beginning in global configuration mode:

Command or Action / Purpose
Step 1  Router(config)# bba-group pppoe name
        Configures a BBA group to be used to establish PPPoE sessions. name identifies the BBA group. You can have multiple BBA groups.
Step 2  Router(config-bba)# virtual-template template-number
        Specifies the virtual template interface to use to clone VAIs.
Step 3  Router(config-bba)# pppoe limit per-mac per-mac-limit
        (Optional) Specifies the maximum number of sessions per MAC address for each PPPoE port that uses the group.
Step 4  Router(config-bba)# pppoe limit max-sessions number
        (Optional) Specifies the maximum number of PPPoE sessions that can be terminated on this router from all interfaces.
Step 5  Router(config-bba)# pppoe limit per-vc per-vc-limit
        (Optional) Specifies the maximum number of PPPoE sessions for each VC that uses the group.
Step 6  Router(config-bba)# exit
        Returns to global configuration mode.
Step 7  Router(config)# interface type number access
        Specifies the type of interface to which you want to attach the BBA group and enters interface configuration mode.
        Note: The access keyword is required on subinterfaces, but must not be used for main interfaces.
Step 8  Router(config-if)# encapsulation dot1q vlan-id
        Enables IEEE 802.1Q encapsulation of traffic on a specified subinterface in a VLAN. Specify the VLAN identifier.
        Note: This step is required only for 802.1Q and QinQ interfaces.
Step 9  Router(config-if)# pppoe enable group group-name
        Attaches the BBA group to the VLAN.

Configuring PPPoE over 802.1Q VLANs on a Cisco 7600 SIP-400

PPPoE over IEEE 802.1Q VLANs enables the Cisco 7600 series router with the SIP-400 to support PPPoE over IEEE 802.1Q encapsulated VLAN interfaces. IEEE 802.1Q encapsulation is used to interconnect a VLAN-capable router with another VLAN-capable networking device. The packets on the 802.1Q link contain a standard Ethernet frame and the VLAN information associated with that frame.

Note: PPPoE is disabled by default on a VLAN.

Configuring a Virtual Template

Before configuring PPPoE on an IEEE 802.1Q VLAN interface, configure a virtual template and a BBA group. See the “Configuring a Virtual Template Interface” section on page 4-160, and the “Configuring PPPoE in a BBA Group” section on page 4-162.

Creating an Ethernet IEEE 802.1Q Encapsulated Subinterface and Enabling PPPoE

SUMMARY STEPS
Step 1 interface gigabitethernet slot/subslot/port.number access
Step 2 encapsulation dot1q vlan-id [second-dot1q inner-vlan-id]
Step 3 pppoe enable group group-name

DETAILED STEPS
To create an Ethernet 802.1Q interface and enable PPPoE on it, enter the following commands beginning in global configuration mode.

Command or Action / Purpose
Step 1  Router(config)# interface gigabitethernet slot/subslot/port.number access
        Creates a Gigabit Ethernet subinterface and enters subinterface configuration mode.
Step 2  Router(config-subif)# encapsulation dot1q vlan-id [second-dot1q inner-vlan-id]
        Enables IEEE 802.1Q encapsulation on a specified subinterface in VLANs.
Step 3  Router(config-subif)# pppoe enable group group-name
        Enables PPPoE and allows PPPoE sessions to be created through the specified subinterface.

Verifying PPPoE over Ethernet and IEEE 802.1Q VLAN

To verify PPPoEoE and IEEE 802.1Q VLAN, enter the following commands in privileged EXEC mode:

Command or Action / Purpose
Router# show pppoe session all
        Displays PPPoE session information for each session ID.
Router# show pppoe session packets
        Displays PPPoE session statistics.
Router# show pppoe summary
        Displays PPPoE summary statistics.

Clearing PPPoE Sessions

To clear PPPoE sessions, enter the following commands in privileged EXEC mode:

Command or Action / Purpose
Router# clear pppoe all
        Clears all PPPoE sessions.
Router# clear pppoe interface
        Clears all PPPoE sessions on a physical interface or subinterface.
Router# clear pppoe rmac
        Clears PPPoE sessions from a client host MAC address.
Router# clear pppoe interface interface vlan vlan-number
        Clears sessions on a per-VLAN basis in ambiguous VLAN cases.

Configuring Source IPv4 and Source MAC Address Binding on the SIP-400

The Source IPv4 and Source MAC Address Binding feature is used in conjunction with the DHCP Authorized ARP and Secure ARP features to provide a check of the source IPv4 and source MAC address binding information before a packet can proceed to a higher level of processing. If the binding information does not exist, the packet is dropped.

Configuration Guidelines

When configuring source IPv4 and source MAC address binding, follow these guidelines:
• Supports access subinterfaces on the Cisco 7600 series routers in DHCP and non-DHCP environments.
  Note: Static entry of the MAC and IP address is required in a non-DHCP environment.
• Supports IPv4 unicast packets only.
• Supports Ethernet interfaces, subinterfaces, and routed Switched Virtual Interfaces (SVIs).
• Supports interface/subinterface and intelligent edge (iEdge) IP sessions.
• Supports up to 128000 IPv4 and MAC address bindings (subscriber entries) for the Cisco 7600 series router, and 8000 MAC address subscriber entries for each Cisco 7600 SIP-400.
• This feature is recommended primarily for access-facing interfaces and subinterfaces.
• Supports Cisco 7600 series router with RSP720, SUP720, or SUP 32.
• Supported on the Cisco 7600 SIP-400 for the following Ethernet SPAs:
  – 2-Port Gigabit Ethernet SPA
  – 5-Port Gigabit Ethernet SPA
  – 10-Port Gigabit Ethernet SPA
• Supports only Ethernet and Ethernet logical interfaces.
  This feature can be supported on other interfaces provided they have Ethernet encapsulations underneath their primary encapsulation (for example, RBE or routed bridged PVC or EVC).
• If you are using EVC, this feature must be configured for the bridge domain.

Restrictions

When configuring source IPv4 and source MAC address binding, note these restrictions:
• This feature cannot be used if multiple clients are using the same MAC address and they are on the same logical interface (VLAN).
• This feature does not support native LAN cards on the Cisco 7600 series router.
• This feature supports only one EVC per SVI.

Configuring Source IPv4 and Source MAC Address Binding

To configure this feature, perform the following tasks:
• Securing ARP Table Entries to DHCP Leases, page 4-165
• Configuring the Interfaces for Source IPv4 and Source MAC Address Binding, page 4-166
• Configuring DHCP Authorized ARP, page 4-168
• Showing the Number of Dropped Packets, page 4-169

Securing ARP Table Entries to DHCP Leases

This task describes how to secure ARP table entries to DHCP leases, starting in global configuration mode.

SUMMARY STEPS
Step 1 configure terminal
Step 2 ip dhcp pool pool-name
Step 3 network network-number
Step 4 update arp
Step 5 exit

DETAILED STEPS

Command / Purpose
Step 1  Router# configure terminal
        Enters global configuration mode.
Step 2  Router(config)# ip dhcp pool pool-name
        Configures a DHCP address pool and enters DHCP pool configuration mode. pool-name: Name of the pool. Can be either a symbolic string or an integer.
Step 3  Router(dhcp-config)# network network-number
        Configures the network number and mask for a DHCP address pool. network-number: IP address of the primary DHCP address pool.
        Note: Use the network command to configure the Cisco 7600 series router as a DHCP server. Otherwise, the Cisco 7600 acts as a DHCP relay agent and gets the address from an outside server.
Step 4  Router(dhcp-config)# update arp
        Secures insecure ARP table entries to the corresponding DHCP leases.
Step 5  Router(dhcp-config)# exit
        Exits DHCP pool configuration mode.

Example:

Router# configure terminal
Router(config)# ip dhcp pool tc10
Router(dhcp-config)# network 10.0.0.0 255.255.255.0
Router(dhcp-config)# update arp
Router(dhcp-config)# exit

Configuring the Interfaces for Source IPv4 and Source MAC Address Binding

This task describes how to enable source IPv4 and source MAC address binding in interface configuration mode.

SUMMARY STEPS
Step 1 configure terminal
Step 2 interface vlan vlan-number
Step 3 ip address ip-address mask
Step 4 ip verify unicast source reachable-via rx l2-src
Step 5 no shutdown

DETAILED STEPS

Command / Purpose
Step 1  Router# configure terminal
        Enters global configuration mode.
Step 2  Router(config)# interface vlan vlan-number
        Specifies the interface and VLAN number and enters interface configuration mode. vlan-number: Range is from 1 to 4094.
        Note: To configure a main interface, use the interface type slot/subslot/port command in global configuration mode.
Step 3  Router(config-if)# ip address ip-address mask
        Sets an IP address for an interface. ip-address: IP address. mask: Mask for the associated subnet.
Step 4  Router(config-if)# ip verify unicast source reachable-via rx l2-src
        Enables source IPv4 and source MAC address binding.
Step 5  Router(config-if)# no shutdown
        Enables the interface.

Example:

Router# configure terminal
Router(config)# interface vlan 10
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# ip verify unicast source reachable-via rx l2-src
Router(config-if)# no shutdown

Configuring DHCP Authorized ARP

This task describes how to disable dynamic ARP learning on an interface, starting in interface configuration mode.

SUMMARY STEPS
Step 1 configure terminal
Step 2 interface type slot/subslot/port
Step 3 arp authorized
Step 4 arp timeout seconds
Step 5 service instance id ethernet
Step 6 encapsulation dot1q vlan-id
Step 7 rewrite ingress tag pop {1 | 2} symmetric
Step 8 bridge-domain bridge-id
Step 9 no shutdown
Step 10 end

DETAILED STEPS

Command / Purpose
Step 1  Router# configure terminal
        Enters global configuration mode.
Step 2  Router(config)# interface type slot/subslot/port
        Configures an interface type and enters interface configuration mode. type slot/subslot/port: Specifies the type and location of the interface.
Step 3  Router(config-if)# arp authorized
        Disables dynamic ARP learning on an interface.
Step 4  Router(config-if)# arp timeout seconds
        Configures how long an entry remains in the ARP cache. seconds: Time (in seconds) that an entry remains in the ARP cache. A value of 0 means that entries are never cleared from the cache.
Step 5  Router(config-if)# service instance id ethernet
        Configures an Ethernet service instance on an interface and enters Ethernet service configuration mode. id: Integer in the range of 1 to 4294967295 that uniquely identifies a service instance on an interface.
Step 6  Router(config-if-srv)# encapsulation dot1q vlan-id
        Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance. vlan-id: VLAN ID, an integer in the range 1 to 4094.
Step 7  Router(config-if-srv)# rewrite ingress tag pop {1 | 2} symmetric
        Specifies the encapsulation adjustment to be performed on the frame ingress to the service instance. pop {1 | 2}: One or two tags are removed from the packet. symmetric: (Optional) Specifies tagging on the packets in the reverse direction (egress).
Step 8  Router(config-if-srv)# bridge-domain bridge-id
        Binds the service instance to a bridge domain instance. bridge-id: Identifier for the bridge domain instance, an integer in the range of 1 to a platform-specific upper limit.
Step 9  Router(config-if-srv)# no shutdown
        Enables the interface.
Step 10 Router(config-if-srv)# end
        Ends the current configuration session and returns to privileged EXEC mode.

Example:

Router# configure terminal
Router(config)# interface gigabitethernet 8/0/1
Router(config-if)# arp authorized
Router(config-if)# arp timeout 60
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 101
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
Router(config-if-srv)# no shutdown
Router(config-if-srv)# end

Showing the Number of Dropped Packets

This task describes how to display the number of packets dropped when the source IPv4 and source MAC address binding check has failed.

Command / Purpose
Step 1  Router# attach slot-number
        Attaches to the SIP-400. slot-number: Location of the SIP-400.
Step 2  SIP-400-8# show platform drops detail
        (The router prompt changes to the SIP-400 prompt.) Shows statistics regarding dropped packets.

Example:

Router# attach 8
Entering CONSOLE for slot 8
Type "^C^C^C" to end this session
SIP-400-8# show platform drops detail
Global drops:
Drops for all interfaces:
Gi8/0/0 ENP ifixp 16 Source masking (normal occurrence)
Gi8/0/1 INP ifixp 3 BPDUs are not supported on this i/f
Gi8/0/1 ENP ifixp 2008 Source masking (normal occurrence)
Gi8/0/1 INP ifixp 2000 Src IP/MAC check failed
Gi8/0/1 ENP ifixp 13 Source masking (normal occurrence)
SIP-400-8#

Resetting a SIP

To reset a SIP, use the following command in privileged EXEC mode:

Command / Purpose
Router# hw-module module slot reset
        Turns power off and on to the SIP in the specified slot, where:
        • slot: Specifies the chassis slot number where the SIP is installed.

Configuration Examples

This section includes the following examples for configuring SIPs installed in a Cisco 7600 series router:
• Layer 2 Interworking Configuration Examples, page 4-170
• MPLS Configuration Examples, page 4-172
• QoS Configuration Examples, page 4-173
• Private Hosts SVI (Interface VLAN) Configuration Example, page 4-178

Layer 2 Interworking Configuration Examples

This section includes the following Layer 2 interworking configuration examples:
• BCP in Trunk Mode Configuration Example, page 4-170
• BCP in Single-VLAN Mode Configuration Example, page 4-171

BCP in Trunk Mode Configuration Example

The following example shows how to configure BCP in trunk mode:

! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address.
!
Router(config)# interface pos4/1/0
!
! Put the interface in Layer 2 mode for Layer 2 configuration.
Router(config-if)# switchport
%Please shut/no shut POS4/1/0 to bring up BCP
!
! When the switchport command is configured, the interface is automatically configured for
! trunk mode and nonegotiate status.
! Restart the interface to enable BCP.
!
Router(config-if)# shutdown
Router(config-if)# no shutdown
!
! Enable all VLANs for receiving and transmitting traffic on the trunk.
!
Router(config-if)# switchport trunk allowed vlan all
%Internal vlans not available for bridging:1006-1018,1021

The following example shows sample output from the show running-config command for this configuration. The switchport mode trunk and switchport nonegotiate commands are automatically NVgened when the switchport command is configured:

Router# show running-config interface pos4/1/0
Building configuration...

Current configuration : 191 bytes
!
interface POS4/1/0
 switchport
 switchport trunk allowed vlan all
 switchport mode trunk
 switchport nonegotiate
 no ip address
 encapsulation ppp
 clock source internal
end

BCP in Single-VLAN Mode Configuration Example

The following example shows how to configure BCP in single-VLAN mode:

! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address.
!
Router(config)# interface pos4/1/0
!
! Disable IP processing on the interface. This is recommended for BCP interfaces.
!
Router(config-if)# no ip address
!
! Configure PPP encapsulation. You must configure PPP encapsulation before using the
! bridge-domain command.
!
Router(config-if)# encapsulation ppp
!
! Configure the bridging domain to tag all Ethernet frames on the BCP link with the 802.1Q
! header.
!
Router(config-if)# bridge-domain 100 dot1q
%Please shut/no shut POS4/1/0 to bring up BCP
!
! Restart the interface to enable BCP.
!
Router(config-if)# shutdown
Router(config-if)# no shutdown

The following example shows sample output from the show running-config command for this configuration:

Router# show running-config interface pos4/1/0
Building configuration...

Current configuration : 122 bytes
!
interface POS4/1/0
 no ip address
 encapsulation ppp
 bridge-domain 100 dot1q
 clock source internal
end

The following example shows the message that is sent if you attempt to configure the bridge-domain command without configuring PPP encapsulation:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface pos4/1/0
Router(config-if)# bridge-domain 100 dot1q
Must set encapsulation to PPP before using hw bridging over PPP

MPLS Configuration Examples

This section includes the following MPLS configuration examples:
• Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Class-Based Tunnel Selection (CBTS) Configuration Example, page 4-172

Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Class-Based Tunnel Selection (CBTS) Configuration Example

The following example shows how to configure Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Class-Based Tunnel Selection (CBTS). Tunnel1, Tunnel2, and Tunnel3 are member tunnels, and Tunnel4 is the master tunnel.
Router(config)# interface Tunnel1
Router(config-if)# ip unnumbered loopback0
Router(config-if)# tunnel destination 24.1.1.1
Router(config-if)# tunnel mode mpls traffic-eng
Router(config-if)# tunnel mpls traffic-eng bandwidth sub-pool 30000
Router(config-if)# tunnel mpls traffic-eng exp 5
Router(config)# interface Tunnel2
Router(config-if)# ip unnumbered loopback0
Router(config-if)# tunnel destination 24.1.1.1
Router(config-if)# tunnel mode mpls traffic-eng
Router(config-if)# tunnel mpls traffic-eng bandwidth 50000
Router(config-if)# tunnel mpls traffic-eng exp 3 4
Router(config)# interface Tunnel3
Router(config-if)# ip unnumbered loopback0
Router(config-if)# tunnel destination 24.1.1.1
Router(config-if)# tunnel mode mpls traffic-eng
Router(config-if)# tunnel mpls traffic-eng bandwidth 10000
Router(config-if)# tunnel mpls traffic-eng exp default
Router(config)# interface Tunnel4
Router(config-if)# tunnel destination 24.1.1.1
Router(config-if)# tunnel mpls traffic-eng exp-bundle master
Router(config-if)# tunnel mpls traffic-eng exp-bundle member Tunnel1
Router(config-if)# tunnel mpls traffic-eng exp-bundle member Tunnel2
Router(config-if)# tunnel mpls traffic-eng exp-bundle member Tunnel3
Router(config-if)# tunnel mpls traffic-eng autoroute enable

QoS Configuration Examples

This section includes the following QoS configuration examples:
• QoS with Multipoint Bridging Configuration Examples, page 4-173
• Hierarchical QoS with 2-Level Policy Map Configuration Examples, page 4-177

QoS with Multipoint Bridging Configuration Examples

The SIPs and SPAs support a subset of QoS features with MPB configurations.
• For ATM bridging, Frame Relay bridging, MPB, and BCP features on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, these matching features are supported on bridged frames beginning in Cisco IOS Release 12.2(33)SRA:
  – Matching on ATM CLP bit
  – Matching on Frame Relay DE bit
  – Matching on Frame Relay DLCI
  – Matching on inner VLAN
  – Matching on inner CoS
  – Matching on IP DSCP (input interface only)
• For ATM bridging, Frame Relay bridging, MPB, and BCP features on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, these marking features are supported on bridged frames beginning in Cisco IOS Release 12.2(33)SRA:
  – Set ATM CLP bit (output interface only)
  – Set Frame Relay DE bit (output interface only)
  – Set inner CoS
• For ATM bridging, Frame Relay bridging, MPB, and BCP features on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, the following marking features with policing are supported on bridged frames beginning in Cisco IOS Release 12.2(33)SRA:
  – Set inner CoS

For more information about configuring QoS on SIPs and SPAs, see the “Configuring QoS Features on a SIP” section on page 4-94.
This section includes the following QoS with MPB configuration examples:
• Matching All Traffic on an Inner VLAN Tag with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example, page 4-174
• Marking the Inner CoS Value with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example, page 4-174
• Configuring QoS Matching, Shaping, and Marking with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example, page 4-175
• Setting the Inner CoS Value as a Policing Action for SIPs and SPAs on the Cisco 7600 Series Router Example, page 4-176

Matching All Traffic on an Inner VLAN Tag with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example

You can match traffic on an inner VLAN ID of a packet when you are using bridging features on a SPA. The following example shows configuration of a QoS class that filters all bridged traffic for VLAN 100 into a class named “vlan-inner-100.” An output service policy is then applied to the SPA interface that bridges all outgoing traffic for the vlan-inner-100 class into VLAN 100.

! Configure the class maps with your matching criteria.
!
Router(config)# class-map match-all vlan-inner-100
Router(config-cmap)# match vlan inner 100
!
! Apply the service policy to an input or output bridged interface or VC.
!
Router(config)# interface atm3/0/0
Router(config-if)# pvc 100/100
Router(config-if-atm-vc)# bridge-domain 100 dot1q
Router(config-if-atm-vc)# service-policy output vlan-inner-100
Router(config-if)# end

Marking the Inner CoS Value with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example

The following example shows configuration of a QoS class that filters all traffic matching on VLAN 100 into a class named “vlan-inner-100.” The configuration shows the definition of a policy map (also named “vlan-inner-100”) that marks the inner CoS with a value of 3 for traffic in the vlan-inner-100 class. Because marking of the inner CoS value is only supported with bridging features, the configuration also shows the service policy being applied as an output policy to a serial SPA interface that bridges traffic into VLAN 100 using the bridge-domain command.

! Configure the class maps with your matching criteria.
!
Router(config)# class-map match-all vlan-inner-100
Router(config-cmap)# match vlan inner 100
Router(config-cmap)# exit
!
! Configure the policy map to mark all traffic in a class.
!
Router(config)# policy-map vlan-inner-100
Router(config-pmap)# class vlan-inner-100
Router(config-pmap-c)# set cos-inner 3
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply the service policy to an input or output bridged interface or VC.
!
Router(config)# interface serial3/0/0
Router(config-if)# no ip address
Router(config-if)# encapsulation ppp
Router(config-if)# bridge-domain 100 dot1q
Router(config-if)# service-policy output vlan-inner-100
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# end

Configuring QoS Matching, Shaping, and Marking with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example

The following example shows a complete QoS configuration of matching, shaping, and marking with MPB on SIPs and SPAs.

! Configure the class maps with your matching criteria.
! The following class maps configure matching on the inner VLAN ID.
!
Router(config)# class-map match-all vlan100
Router(config-cmap)# match vlan inner 100
Router(config-cmap)# exit
Router(config)# class-map match-all vlan200
Router(config-cmap)# match vlan inner 200
Router(config-cmap)# exit
Router(config)# class-map match-all vlan300
Router(config-cmap)# match vlan inner 300
Router(config-cmap)# exit
!
! The following class maps configure matching on the inner CoS value.
!
Router(config)# class-map match-all cos0
Router(config-cmap)# match cos inner 0
Router(config-cmap)# exit
Router(config)# class-map match-all cos1
Router(config-cmap)# match cos inner 1
Router(config-cmap)# exit
Router(config)# class-map match-all cos2
Router(config-cmap)# match cos inner 2
Router(config-cmap)# exit
Router(config)# class-map match-all cos7
Router(config-cmap)# match cos inner 7
Router(config-cmap)# exit
!
! Configure a policy map for the defined classes.
! The following policies define shaping characteristics for classes
! on different VLANs.
!
Router(config)# policy-map vlan100
Router(config-pmap)# class cos1
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# exit
Router(config-pmap)# class cos2
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# exit
Router(config-pmap)# class cos7
Router(config-pmap-c)# bandwidth percent 30
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map vlan200
Router(config-pmap)# class cos1
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# exit
Router(config-pmap)# class cos2
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# exit
Router(config-pmap)# class cos7
Router(config-pmap-c)# bandwidth percent 30
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! The following policy map defines criteria for an output interface using MPB.
!
Router(config)# policy-map egress_mpb
Router(config-pmap)# class vlan100
Router(config-pmap-c)# bandwidth percent 30
Router(config-pmap-c)# service-policy vlan100
Router(config-pmap-c)# exit
Router(config-pmap)# class vlan200
Router(config-pmap-c)# bandwidth percent 40
Router(config-pmap-c)# service-policy vlan200
!
! The following policy map defines criteria for an input interface using MPB.
!
Router(config)# policy-map ingress_mpb
Router(config-pmap)# class vlan100
Router(config-pmap-c)# set cos-inner 5
Router(config-pmap-c)# exit
Router(config-pmap)# class vlan200
Router(config-pmap-c)# set cos-inner 3
!
! The following policy map defines criteria for an ATM output interface using MPB.
! Note: You can only mark ATM CLP on an ATM output interface with MPB.
!
Router(config)# policy-map atm_clp
Router(config-pmap)# class cos1
Router(config-pmap-c)# set atm-clp
Router(config-pmap-c)# exit
Router(config-pmap)# class cos2
Router(config-pmap-c)# set atm-clp
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Configure an interface for MPB and apply the service policies.
! The following example configures a POS interface in BCP trunk mode and applies two
! different service policies for the output and input traffic on the interface.
!
Router(config)# interface POS3/0/0
Router(config-if)# switchport
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# switchport trunk allowed vlan 100,200,300
Router(config-if)# service-policy output egress_mpb
Router(config-if)# service-policy input ingress_mpb
!
! The following example configures an ATM interface with bridging on VLAN 100
! and applies a service policy for setting the ATM CLP for the output traffic.
!
Router(config)# interface ATM 4/1/0
Router(config-if)# pvc 1/100
Router(config-if-atm-vc)# bridge-domain 100
Router(config-if-atm-vc)# service-policy output atm_clp

Setting the Inner CoS Value as a Policing Action for SIPs and SPAs on the Cisco 7600 Series Router Example

The following example shows configuration of a QoS class that filters all traffic for virtual LAN (VLAN) 100 into a class named “vlan-inner-100,” and establishes a traffic policing policy for the vlan-inner-100 class. The service policy limits traffic to a CIR of 20 percent and a PIR of 40 percent, with a conform burst (bc) of 300 ms and a peak burst (be) of 400 ms, and sets the inner CoS value to 3 on conforming traffic. Because setting of the inner CoS value is only supported with bridging features, the configuration also shows the service policy being applied as an output policy for an ATM SPA interface permanent virtual circuit (PVC) that bridges traffic into VLAN 100 using the bridge-domain command.

! Configure the class maps with your matching criteria.
!
Router(config)# class-map match-all vlan-inner-100
Router(config-cmap)# match vlan inner 100
Router(config-cmap)# exit
!
! Configure the policy map to police all traffic in a class and mark conforming traffic
! (marking traffic whose rate is less than the conform burst).
!
Router(config)# policy-map vlan-inner-100
Router(config-pmap)# class vlan-inner-100
Router(config-pmap-c)# police cir percent 20 bc 300 ms be 400 ms pir percent 40 conform-action set-cos-inner-transmit 3
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply the service policy to an input or output bridged interface or VC.
!
Router(config)# interface atm3/0/0
Router(config-if)# pvc 100/100
Router(config-if-atm-vc)# bridge-domain 100 dot1q
Router(config-if-atm-vc)# service-policy output vlan-inner-100
Router(config-if)# end

Hierarchical QoS with 2-Level Policy Map Configuration Examples

The following example shows configuration of hierarchical QoS that maps to two levels of hierarchical queues (you can configure up to three levels). The first-level policy (the parent policy) configures the aggregated data rate to be shaped to 1 Mbps for the class-default class. The second-level policy (the child policy) configures the traffic in the User-A class for 40 percent of the bandwidth and the traffic in the User-B class for 60 percent of the bandwidth. Because this example shows the parent policy applying to the class-default class, it is supported in Cisco IOS Release 12.2(33)SXF and later, as well as in Cisco IOS Release 12.2(33)SRA.

! Configure the class maps with your matching criteria.
!
Router(config)# class-map match-any User-A
Router(config-cmap)# match access-group name A
Router(config-cmap)# exit
Router(config)# class-map match-any User-B
Router(config-cmap)# match access-group name B
Router(config-cmap)# exit
!
! Configure the parent policy for class-default to shape
! all traffic in that class and apply a second-level policy.
!
Router(config)# policy-map parent
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 1000000
Router(config-pmap-c)# service-policy child
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Configure the child policy to allocate different percentages of
! bandwidth by class.
!
Router(config)# policy-map child
Router(config-pmap)# class User-A
Router(config-pmap-c)# bandwidth percent 40
Router(config-pmap-c)# exit
Router(config-pmap)# class User-B
Router(config-pmap-c)# bandwidth percent 60
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply the parent service policy to an input or output interface.
!
Router(config)# interface GigabitEthernet 2/0/0
Router(config-if)# service-policy output parent

The following example shows configuration of hierarchical QoS that maps to two levels of hierarchical queues, where the parent policy configures average traffic shaping rates on both the user-defined classes and the class-default class; this is supported beginning in Cisco IOS Release 12.2(33)SRA. This configuration does not show the corresponding class map configuration, which is also required to support these policy maps.

! Configure the parent policy for user-defined and class-default classes to shape
! traffic in those classes and apply a second-level policy.
!
Router(config)# policy-map parent
Router(config-pmap)# class input-vlan100
Router(config-pmap-c)# shape average 100000
Router(config-pmap-c)# service-policy child-pm
Router(config-pmap-c)# exit
Router(config-pmap)# class input-vlan200
Router(config-pmap-c)# shape average 100000
Router(config-pmap-c)# service-policy child-pm
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 200000
Router(config-pmap-c)# service-policy child-pm
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Configure the child policy to allocate different percentages of
! bandwidth by class.
!
Router(config)# policy-map child-pm
Router(config-pmap)# class cos0
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# exit
Router(config-pmap)# class cos1
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply the parent service policy to an input or output interface.
!
Router(config)# interface gigabitethernet 2/0/0
Router(config-if)# service-policy output parent

Private Hosts SVI (Interface VLAN) Configuration Example

The following example shows a typical configuration of the private hosts SVI (Interface VLAN) feature.

Note New feature-related commands are highlighted.

Router(config)# private-hosts vlan-list 200-202,204-205
Router(config)# private-hosts promiscuous maclist-1
Router(config)# private-hosts promiscuous maclist-2
Router(config)# private-hosts mac-list maclist-1 0000.1111.9991
Router(config)# private-hosts mac-list maclist-2 0000.1111.9992
Router(config)# private-hosts layer3
Router(config)# private-hosts
!
!
Router(config)# interface GigabitEthernet3/0/1
Router(config-if)# switchport
Router(config-if)# switchport access vlan 201
Router(config-if)# switchport mode access
Router(config-if)# private-hosts mode promiscuous
!
Router(config-if)# interface GigabitEthernet3/0/2
Router(config-if)# switchport
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport trunk allowed vlan 200-205
Router(config-if)# switchport mode trunk
Router(config-if)# private-hosts mode isolated
!

The following example shows another configuration of the private hosts SVI:

PE17_C7606(config)#
PE17_C7606(config)# private-hosts
PE17_C7606(config)# private-hosts mac-list ?
  WORD  mac list name
PE17_C7606(config)# private-hosts mac-list ml1 ?
  H.H.H  48-bit MAC address
PE17_C7606(config)# private-hosts mac-list ml1 000a.001e.000d
PE17_C7606(config)# private-hosts vlan-list 1
PE17_C7606(config)# private-hosts ?
Private hosts configuration subcommands:
  layer3       enable layer 3 routing with private hosts
  mac-list     MAC addresses list
  promiscuous  MAC addresses list
  vlan-list    Enables private hosts feature on a set of vlans
PE17_C7606(config)# private-hosts promiscuous ml1 vlan-list 1
PE17_C7606(config)#

Troubleshooting

Table 4-20 lists some of the QoS troubleshooting scenarios on a SIP-400.

Table 4-20 QoS Troubleshooting on a SIP-400

Problem: Error message on applying service-policy on any interface
Solution: Check that you have configured the service policy correctly. If not, re-apply the service policy on the interface. If the issue persists, contact TAC.

Problem: No drop in priority queues despite excessive traffic flow
Solution: To troubleshoot priority queues, configure an explicit policer value for the priority traffic. If the issue persists, contact TAC.

Problem: No drops in class bandwidth when the offered rate crosses the configured bandwidth
Solution:
1. Note that the bandwidth command configures a minimum bandwidth, not a maximum bandwidth.
2. Use the shape average command instead of the bandwidth command to assign a maximum bandwidth.
3. If the issue persists, contact TAC.

Problem: Drops in some classes and no drops in others
Solution: The traffic drops depend on the traffic pattern. Reserved bandwidth is enforced only when there is congestion on the parent shaper or the physical link, which depends entirely on the traffic pattern. If the issue persists, contact TAC.

Chapter 5  Troubleshooting the SIPs and SSC

This chapter describes techniques that you can use to troubleshoot the operation of your SIPs.
It includes the following sections:
• General Troubleshooting Information, page 5-1
• Using the Cisco IOS Event Tracer to Troubleshoot Problems, page 5-2
• Troubleshooting Oversubscription on the Cisco 7600 SIP-400, page 5-3
• Preparing for Online Insertion and Removal of SIPs, SSCs, and SPAs, page 5-3

The first section provides information about basic interface troubleshooting. If you are having a problem with your SPA, use the steps in the “Using the Cisco IOS Event Tracer to Troubleshoot Problems” section to begin your investigation of a possible interface configuration problem. To perform more advanced troubleshooting, see the other sections in this chapter.

General Troubleshooting Information

This section describes general information for troubleshooting SIPs, SSCs, and SPAs. It includes the following sections:
• Interpreting Console Error Messages, page 5-1
• Using debug Commands, page 5-2
• Using show Commands, page 5-2

Interpreting Console Error Messages

To view the explanations and recommended actions for Cisco 7600 series router error messages, including messages related to Cisco 7600 series router SIPs and SSCs, refer to the following documents:
• Cisco 7600 Series Cisco IOS System Message Guide, 12.2SX (for error messages in Release 12.2SX)
• System Error Messages for Cisco IOS Release 12.2S (for error messages in Release 12.2S)

System error messages are organized in the documentation according to the particular system facility that produces the messages.
The SIP and SSC error messages use the following facility names:
• Cisco 7600 SIP-200—C7600_SIP200
• Cisco 7600 SIP-400—SIP400
• Cisco 7600 SIP-600—SIP600
• Cisco 7600 SSC-400—C7600_SSC400

Note The rate limit on SIP200_MP-4-PAUSE ensures that one pause message is logged per unique occurrence across SIP-200 reloads; subsequent occurrences are only counted statistically. This applies only to the SIP-200, not to the SIP-400 or SIP-600.

Using debug Commands

Along with the other debug commands supported on the Cisco 7600 series router, you can obtain specific debug information for SIPs and SSCs on the Cisco 7600 series router using the debug hw-module privileged EXEC command. The debug hw-module command is intended for use by Cisco Systems technical support personnel.

Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

For more information about other debug commands that can be used on a Cisco 7600 series router, refer to the Cisco 7600 Series Cisco IOS Command Reference, 12.2 SX and to the Cisco IOS Debug Command Reference, Release 12.2 SR.

Using show Commands

There are several show commands that you can use to monitor and troubleshoot the SIPs and SSCs on the Cisco 7600 series router. This chapter describes using the show hw-module slot command to perform troubleshooting of your SPA.
For more information about show commands to verify and monitor SIPs and SSCs, see the following chapter of this guide:
• Chapter 4, “Configuring the SIPs and SSC”

Using the Cisco IOS Event Tracer to Troubleshoot Problems

Note This feature is intended for use as a software diagnostic tool and should be configured only under the direction of a Cisco Technical Assistance Center (TAC) representative.

The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This feature gives Cisco service representatives additional insight into the operation of the Cisco IOS software and can be useful in helping to diagnose problems in the unlikely event of an operating system malfunction or, in the case of redundant systems, a Route Processor switchover.

Event tracing works by reading informational messages from specific Cisco IOS software subsystem components that have been preprogrammed to work with event tracing, and by logging messages from those components into system memory. Trace messages stored in memory can be displayed on the screen or saved to a file for later analysis.

The SPAs currently support the “spa” component to trace SPA OIR-related events.

Troubleshooting Oversubscription on the Cisco 7600 SIP-400

As of Cisco IOS Release 12.2(18)SXF, when using the Cisco 7600 SIP-400 with the 2-Port Gigabit Ethernet SPA or the 1-Port OC-48c/STM-16 ATM SPA, consider the following oversubscription guidelines:
• The Cisco 7600 SIP-400 supports installation of only one 1-Port OC-48c/STM-16 ATM SPA, with no other SPAs installed in the SIP.
• The Cisco 7600 SIP-400 supports installation of up to two 2-Port Gigabit Ethernet SPAs, with no other SPAs installed in the SIP.
• The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM SPAs, up to a combined ingress bandwidth of OC-48 rates.
• The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM SPAs up to a combined ingress bandwidth of OC-24 rates when installed with a single 2-Port Gigabit Ethernet SPA.

A configuration on the Cisco 7600 SIP-400 with an unsupported aggregate SPA bandwidth greater than OC-48 rates generates the following error message:

SLOT 3: 00:00:05: %SIPSPA-4-MAX_BANDWIDTH: Total SPA bandwidth exceeds line card capacity of 2488 Mbps

Preparing for Online Insertion and Removal of SIPs, SSCs, and SPAs

The Cisco 7600 series router supports online insertion and removal (OIR) of the SPA interface processor (SIP) or SPA services card (SSC), in addition to each of the shared port adapters (SPAs). Therefore, you can remove a SIP or SSC with its SPAs still intact, or you can remove a SPA independently from the SIP or SSC, leaving the SIP or SSC installed in the router.

This section includes the following topics on OIR support:
• Preparing for Online Removal of a SIP or SSC, page 5-4
• Verifying Deactivation and Activation of a SIP or SSC, page 5-5
• Preparing for Online Removal of a SPA, page 5-6
• Verifying Deactivation and Activation of a SPA, page 5-7
• Deactivation and Activation Configuration Examples, page 5-8

Note For simplicity, any reference to “SIP” in this section also applies to the SSC.

Preparing for Online Removal of a SIP or SSC

The Cisco 7600 series router supports OIR of the SIP and the SSC. To do this, you can power down a SIP (which automatically deactivates any installed SPAs) and remove the SIP with the SPAs still intact.
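The SIP-400 oversubscription guidelines in the “Troubleshooting Oversubscription on the Cisco 7600 SIP-400” section above are easy to get wrong during a change window, and the %SIPSPA-4-MAX_BANDWIDTH message is the only signal the card gives after the fact. The following Python script is an added example for checking a planned SPA population against those guidelines before insertion and for picking the MAX_BANDWIDTH message out of collected syslog; it is not code from the guide or from Cisco. It assumes OC-n line rates of n × 51.84 Mbps and 1000 Mbps per Gigabit Ethernet port, and the model strings SPA-2XOC3-POS, SPA-1XOC12-POS and SPA-2X1GE are assumed for this example (the other model strings appear in the guide).

```python
import re

# SONET/SDH line rates: OC-n = n * 51.84 Mbps, so OC-3 = 155.52, OC-12 = 622.08
# and OC-48 = 2488.32 Mbps. Gigabit Ethernet ports count as 1000 Mbps each.
OC1_MBPS = 51.84

# Ingress bandwidth per SPA model (assumption: every port runs at full line
# rate). SPA-2XOC3-POS, SPA-1XOC12-POS and SPA-2X1GE are assumed model strings
# for this example; the other model strings appear in the guide.
SPA_INGRESS_MBPS = {
    "SPA-2XOC3-POS": 2 * 3 * OC1_MBPS,
    "SPA-4XOC3-POS": 4 * 3 * OC1_MBPS,
    "SPA-2XOC3-ATM": 2 * 3 * OC1_MBPS,
    "SPA-4XOC3-ATM": 4 * 3 * OC1_MBPS,
    "SPA-1XOC12-POS": 12 * OC1_MBPS,
    "SPA-1XOC12-ATM": 12 * OC1_MBPS,
    "SPA-1XOC48-ATM": 48 * OC1_MBPS,
    "SPA-2X1GE": 2 * 1000.0,
}

OC48_ATM = "SPA-1XOC48-ATM"
GE_2PORT = "SPA-2X1GE"
SIP400_SUBSLOTS = 4   # "4-subslot SPA Interface Processor-400" in show module
TOLERANCE = 1e-6      # absorbs floating-point rounding at the OC-n limits


def check_sip400_population(spas):
    """Apply the SIP-400 oversubscription guidelines to a list of SPA models.

    Returns (ok, reason, oc_ingress_mbps). oc_ingress_mbps is the combined
    ingress rate of the OC-3/OC-12 POS and ATM SPAs, which is what the OC-48
    ceiling (or the OC-24 ceiling with one 2-Port GE SPA) is applied to.
    """
    unknown = [m for m in spas if m not in SPA_INGRESS_MBPS]
    if unknown:
        raise ValueError(f"unknown SPA model(s): {unknown}")
    oc_spas = [m for m in spas if m not in (OC48_ATM, GE_2PORT)]
    oc_total = sum(SPA_INGRESS_MBPS[m] for m in oc_spas)
    ge_count = spas.count(GE_2PORT)

    if len(spas) > SIP400_SUBSLOTS:
        return False, f"a SIP-400 has only {SIP400_SUBSLOTS} subslots", oc_total
    if OC48_ATM in spas:
        if len(spas) == 1:
            return True, "single 1-Port OC-48c/STM-16 ATM SPA with no other SPAs", oc_total
        return False, "the 1-Port OC-48c/STM-16 ATM SPA must be the only SPA in the SIP", oc_total
    if ge_count > 2:
        return False, "at most two 2-Port Gigabit Ethernet SPAs per SIP-400", oc_total
    if ge_count == 2:
        if oc_spas:
            return False, "two 2-Port Gigabit Ethernet SPAs are supported only with no other SPAs", oc_total
        return True, "two 2-Port Gigabit Ethernet SPAs with no other SPAs", oc_total
    # Zero or one GE SPA: the OC-3/OC-12 SPAs share an OC-48 ceiling, reduced
    # to OC-24 when a 2-Port GE SPA is present.
    limit_oc = 24 if ge_count == 1 else 48
    limit = limit_oc * OC1_MBPS
    if oc_total > limit + TOLERANCE:
        return False, f"combined OC ingress {oc_total:.2f} Mbps exceeds OC-{limit_oc} ({limit:.2f} Mbps)", oc_total
    return True, f"combined OC ingress {oc_total:.2f} Mbps is within OC-{limit_oc}", oc_total


# Matches the message format the guide quotes for an oversubscribed SIP-400.
MAX_BANDWIDTH_MSG = re.compile(
    r"SLOT (?P<slot>\d+): \S+ %SIPSPA-4-MAX_BANDWIDTH: "
    r"Total SPA bandwidth exceeds line card capacity of (?P<capacity>\d+) Mbps"
)


def find_max_bandwidth_events(log_lines):
    """Return [(slot, capacity_mbps), ...] for each MAX_BANDWIDTH message seen."""
    events = []
    for line in log_lines:
        m = MAX_BANDWIDTH_MSG.search(line)
        if m:
            events.append((int(m.group("slot")), int(m.group("capacity"))))
    return events


# Constructed sample log lines; the second one is the guide's message verbatim.
SAMPLE_LOG = [
    "SLOT 3: 00:00:04: %SYS-5-CONFIG_I: Configured from console by console",
    "SLOT 3: 00:00:05: %SIPSPA-4-MAX_BANDWIDTH: Total SPA bandwidth exceeds line card capacity of 2488 Mbps",
]

if __name__ == "__main__":
    for plan in (["SPA-1XOC48-ATM"],
                 ["SPA-2X1GE", "SPA-1XOC12-ATM", "SPA-1XOC12-ATM", "SPA-1XOC12-ATM"]):
        ok, reason, _ = check_sip400_population(plan)
        print(f"{plan}: {'supported' if ok else 'UNSUPPORTED'} ({reason})")
    print(find_max_bandwidth_events(SAMPLE_LOG))
```

Run the population check from a change ticket before the hardware is touched, and feed collected syslog through find_max_bandwidth_events so an oversubscribed card is noticed by monitoring rather than by a user complaint; the slot number it returns is the one to compare against the change record.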
Although graceful deactivation of a SIP using the no power enable module command is preferred, the Cisco 7600 series router does support removal of the SIP without deactivating it first.

If you plan to remove a SIP, you can deactivate the SIP first, using the no power enable module global configuration command. When you deactivate a SIP using this command, it automatically deactivates each of the SPAs that are installed in that SIP. Therefore, it is not necessary to deactivate each of the SPAs prior to deactivating the SIP.

Either a blank filler plate or a functional SPA should reside in every subslot of a SIP during normal operation.

For more information about the recommended procedures for physical removal of the SIP, refer to the Cisco 7600 Series Router SIP, SSC, and SPA Hardware Installation Guide.

Deactivating a SIP or SSC

To deactivate a SIP or SSC and its installed SPAs prior to removal of the SIP, use the following command in global configuration mode:

Command
Router(config)# no power enable module slot

Purpose
Shuts down any installed interfaces and deactivates the SIP in the specified slot, where:
• slot—Specifies the chassis slot number where the SIP is installed.

For more information about chassis slot numbering, refer to the “Identifying Slots and Subslots for SIPs, SSCs, and SPAs” section in this guide.

Reactivating a SIP or SSC

Once you deactivate a SIP or SSC, whether or not you have performed an OIR, you must use the power enable module global configuration command to reactivate the SIP.

If you did not issue a command to deactivate the SPAs installed in a SIP, but you did deactivate the SIP using the no power enable module command, then you do not need to reactivate the SPAs after an OIR of the SIP. The installed SPAs automatically reactivate upon reactivation of the SIP in the router.

For example, consider the case where you remove a SIP from the router to replace it with another SIP. You reinstall the same SPAs into the new SIP. When you enter the power enable module command on the router, the SPAs will automatically reactivate with the new SIP.

To activate a SIP and its installed SPAs after the SIP has been deactivated, use the following command in global configuration mode:

Command
Router(config)# power enable module slot

Purpose
Activates the SIP in the specified slot and its installed SPAs, where:
• slot—Specifies the chassis slot number where the SIP is installed.

For more information about chassis slot numbering, refer to the “Identifying Slots and Subslots for SIPs, SSCs, and SPAs” section in this guide.

Verifying Deactivation and Activation of a SIP or SSC

To verify the deactivation of a SIP or SSC, enter the show module command in privileged EXEC mode. Observe the Status field associated with the SIP that you want to verify.

The following example shows that the Cisco 7600 SIP-400 located in slot 13 is deactivated. This is indicated by its “PwrDown” status.

Router# show module 13
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
 13     0 4-subslot SPA Interface Processor-400  7600-SIP-400       JAB0851042X

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
 13 00e0.aabb.cc00 to 00e0.aabb.cc3f   0.525  12.2(PP_SPL_ 12.2(PP_SPL_ Ok

Mod Online Diag Status
--- -------------------
 13 PwrDown

To verify activation and proper operation of a SIP, enter the show module command and observe “Ok” in the Status field as shown in the following example:

Router# show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     0 4-subslot SPA Interface Processor-200  7600-SIP-200       JAB074905S1

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0000.0000.0000 to 0000.0000.003f   0.232  12.2(2004082 12.2(2004082 Ok

Mod Online Diag Status
--- -------------------
  2 Pass

Preparing for Online Removal of a SPA

The Cisco 7600 series router supports OIR of a SPA independently of removing the SIP or SSC. This means that a SIP can remain installed in the router with one SPA remaining active, while you remove another SPA from one of the SIP subslots. If you are not planning to immediately replace a SPA into the SIP, then be sure to install a blank filler plate in the subslot. The SIP should always be fully installed with either functional SPAs or blank filler plates.

The interface configuration is retained (recalled) if a SIP or SPA is removed and then replaced with one of the same type. This is not the case if you replace a Cisco 7600 SIP-200 with a Cisco 7600 SIP-400 or vice versa.

If you are planning to remove a SIP along with its SPAs, then you do not need to follow the instructions in this section. To remove a SIP, see the “Preparing for Online Removal of a SIP or SSC” section on page 5-4.

Note If you move a SPA (SPA-8XTE1, SPA-4xCT3/DS0, SPA-2xCT3/DS0, or SPA-1xCHSTM1/OC3) from one line card to another type of line card in the same bay and same slot, the system will not retain the configuration of the old interface.
Deactivating a SPA

Although graceful deactivation of a SPA using the hw-module subslot shutdown command is preferred, the Cisco 7600 series router does support removal of the SPA without deactivating it first. Before deactivating a SPA, ensure that the SIP is seated securely in the slot before pulling out the SPA itself.

Note If you are preparing for an OIR of a SPA, it is not necessary to independently shut down each of the interfaces prior to deactivation of the SPA. The hw-module subslot shutdown command automatically stops traffic on the interfaces and deactivates them along with the SPA in preparation for OIR. In similar fashion, you do not need to independently restart any interfaces on a SPA after OIR of a SPA or SIP.

To deactivate a SPA and all of its interfaces prior to removal of the SPA, use the following command in global configuration mode:

Command
Router(config)# hw-module subslot slot/subslot shutdown [powered | unpowered]

Purpose
Deactivates the SPA in the specified slot and subslot of the SIP, where:
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the subslot number on the SIP where the SPA is installed.
• powered—(Optional) Shuts down the SPA and all of its interfaces, and leaves them in an administratively down state with power enabled. This is the default state.
• unpowered—(Optional) Shuts down the SPA and all of its interfaces, and leaves them in an administratively down state without power.

For more information about chassis slot and SIP subslot numbering, refer to the “Identifying Slots and Subslots for SIPs, SSCs, and SPAs” section in this guide.

Reactivating a SPA

Note You do not need to reactivate a SPA after an OIR of either the SIP or a SPA if you did not deactivate the SPA prior to removal.
If the router is running, then the SPAs automatically start upon insertion into the SIP or with insertion of a SIP into the router.

If you deactivate a SPA using the hw-module subslot shutdown global configuration command and need to reactivate it without performing an OIR, you need to use the no hw-module subslot shutdown global configuration command to reactivate the SPA and its interfaces.

To activate a SPA and its interfaces after the SPA has been deactivated, use the following command in global configuration mode:

Command
Router(config)# no hw-module subslot slot/subslot shutdown

Purpose
Activates the SPA and its interfaces in the specified slot and subslot of the SIP, where:
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the subslot number on the SIP where the SPA is installed.

Verifying Deactivation and Activation of a SPA

When you deactivate a SPA, the corresponding interfaces are also deactivated. This means that these interfaces will no longer appear in the output of the show interface command.

To verify the deactivation of a SPA, enter the show hw-module subslot all oir command in privileged EXEC mode. Observe the Operational Status field associated with the SPA that you want to verify.

In the following example, the SPA located in subslot 1 of the SIP in slot 2 of the router is administratively down as a result of the hw-module subslot shutdown command:

Router# show hw-module subslot all oir
Module         Model              Operational Status
-------------- ------------------ -------------------------
subslot 2/0    SPA-4XOC3-POS      ok
subslot 2/1    SPA-4XOC3-ATM      admin down

To verify activation and proper operation of a SPA, enter the show hw-module subslot all oir command and observe “ok” in the Operational Status field as shown in the following example:

Router# show hw-module subslot all oir
Module         Model              Operational Status
-------------- ------------------ -------------------------
subslot 2/0    SPA-4XOC3-POS      ok
subslot 2/1    SPA-4XOC3-ATM      ok
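The two verification displays above (show module for a SIP, show hw-module subslot all oir for a SPA) are what an operator reads before pulling hardware, and also what a monitoring job should read to notice a card that went PwrDown or admin down outside a change window. The following Python code is an added example of parsing both displays, not code from the guide or from Cisco. It assumes the command output has been captured as plain text (for instance over an SSH session) and is laid out as in the examples above; the sample outputs in the code are constructed from those examples.

```python
import re

# Constructed sample outputs, laid out like the show module and
# show hw-module subslot all oir displays in the OIR verification sections.
SHOW_MODULE_13 = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
 13     0 4-subslot SPA Interface Processor-400  7600-SIP-400       JAB0851042X

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
 13 00e0.aabb.cc00 to 00e0.aabb.cc3f   0.525  12.2(PP_SPL_ 12.2(PP_SPL_ Ok

Mod Online Diag Status
--- -------------------
 13 PwrDown
"""

SHOW_SUBSLOT_OIR = """\
Module         Model              Operational Status
-------------- ------------------ -------------------------
subslot 2/0    SPA-4XOC3-POS      ok
subslot 2/1    SPA-4XOC3-ATM      admin down
"""

# A data row in any of the three show module blocks: module number, then the rest.
_MODULE_ROW = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")


def parse_show_module(output):
    """Return {slot: {"status": ..., "diag": ...}} from show module output.

    The display has three blocks, each headed by a line starting with "Mod".
    The Status column is the last field of the MAC-address block and the
    online diagnostic status is the only field of the final block.
    """
    result = {}
    section = None
    for line in output.splitlines():
        if line.startswith("Mod "):
            if "MAC addresses" in line:
                section = "status"
            elif "Online Diag" in line:
                section = "diag"
            else:
                section = "card"
            continue
        if line.startswith("---") or not line.strip() or section is None:
            continue
        m = _MODULE_ROW.match(line)
        if not m:
            continue
        entry = result.setdefault(int(m.group(1)), {"status": None, "diag": None})
        if section == "status":
            entry["status"] = m.group(2).split()[-1]
        elif section == "diag":
            entry["diag"] = m.group(2)
    return result


def sip_is_deactivated(output, slot):
    """True when the SIP's online diagnostic status is PwrDown (after no power enable module)."""
    return parse_show_module(output).get(slot, {}).get("diag") == "PwrDown"


# One row of show hw-module subslot all oir: "subslot 2/1  SPA-4XOC3-ATM  admin down".
_OIR_ROW = re.compile(r"^subslot\s+(\d+/\d+)\s+(\S+)\s+(.*\S)\s*$")


def parse_subslot_oir(output):
    """Return {"slot/subslot": (model, operational_status)}."""
    rows = {}
    for line in output.splitlines():
        m = _OIR_ROW.match(line)
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3))
    return rows


def spa_is_deactivated(output, subslot):
    """True when the SPA shows 'admin down' (after hw-module subslot shutdown)."""
    entry = parse_subslot_oir(output).get(subslot)
    return entry is not None and entry[1] == "admin down"


def spa_is_active(output, subslot):
    """True when the SPA shows 'ok' in the Operational Status column."""
    entry = parse_subslot_oir(output).get(subslot)
    return entry is not None and entry[1] == "ok"


if __name__ == "__main__":
    print(parse_show_module(SHOW_MODULE_13))
    print(parse_subslot_oir(SHOW_SUBSLOT_OIR))
    print("slot 13 safe to remove:", sip_is_deactivated(SHOW_MODULE_13, 13))
    print("subslot 2/1 safe to remove:", spa_is_deactivated(SHOW_SUBSLOT_OIR, "2/1"))
```

The deactivation checks deliberately key on the online diagnostic status (PwrDown) rather than the Status column, because in the slot 13 example above the Status column still reads Ok while the card is powered down; a script that only looked at Status would clear a removal that the guide says to confirm by PwrDown. An absent subslot is reported as neither active nor deactivated, which is the right answer for a SPA that has already been pulled.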
Deactivation and Activation Configuration Examples

This section provides the following examples of deactivating and activating SIPs and SPAs:
• Deactivation of a SIP Configuration Example, page 5-8
• Activation of a SIP Configuration Example, page 5-8
• Deactivation of a SPA Configuration Example, page 5-8
• Activation of a SPA Configuration Example, page 5-8

Deactivation of a SIP Configuration Example

Deactivate a SIP when you want to perform OIR of the SIP. The following example deactivates the SIP that is installed in slot 5 of the router, its SPAs, and all of the interfaces. The corresponding console messages are shown:

Router# configure terminal
Router(config)# no power enable module 5
1w4d: %OIR-6-REMCARD: Card removed from slot 5, interfaces disabled
1w4d: %C6KPWR-SP-4-DISABLED: power to module in slot 5 set off (admin request)

Activation of a SIP Configuration Example

Activate a SIP if you have previously deactivated it. If you did not deactivate the SPAs, the SPAs automatically reactivate with reactivation of the SIP.

The following example activates the SIP that is installed in slot 5 of the router, its SPAs, and all of the interfaces (as long as the hw-module subslot shutdown command was not issued to also deactivate the SPAs):

Router# configure terminal
Router(config)# power enable module 5

Notice that there are no corresponding console messages shown with activation. If you re-enter the power enable module command, a message is displayed indicating that the module is already enabled:

Router(config)# power enable module 5
% module is already enabled

Deactivation of a SPA Configuration Example

Deactivate a SPA when you want to perform OIR of that SPA.
The following example deactivates the SPA (and its interfaces) that is installed in subslot 0 of the SIP located in slot 2 of the router and removes power from the SPA. Notice that no corresponding console messages are shown:

Router# configure terminal
Router(config)# hw-module subslot 2/0 shutdown unpowered

Activation of a SPA Configuration Example

Activate a SPA if you have previously deactivated it. If you have not deactivated a SPA and its interfaces during OIR of a SIP, then the SPA is automatically reactivated upon reactivation of the SIP.

The following example activates the SPA that is installed in subslot 0 of the SIP in slot 2 of the router and all of its interfaces:

Router# configure terminal
Router(config)# no hw-module subslot 2/0 shutdown
Router#

Part 3  ATM Shared Port Adapters

Chapter 6  Overview of the ATM SPAs

This chapter provides an overview of the release history, features, and MIB support for the 1-Port OC-48c/STM-16 ATM SPA, 1-Port OC-12c/STM-4 ATM SPA, and the 2-Port and 4-Port OC-3c/STM-1 ATM SPA.
This chapter includes the following sections:
• Release History, page 6-2
• Overview, page 6-3
• Supported Features, page 6-7
• Unsupported Features, page 6-15
• Prerequisites, page 6-16
• Restrictions, page 6-16
• Supported MIBs, page 6-17
• SPA Architecture, page 6-18
• Displaying the SPA Hardware Type, page 6-20

Release History

Release       Modification
15.0(1)S      • Network Clocking and SSM functionality support was added.
              • Support for the following ATM SPAs was introduced:
                – 1-Port Clear Channel OC-3 ATM SPA Version 2
                – 3-Port Clear Channel OC-3 ATM SPA Version 2
                – 1-Port Clear Channel OC-12 ATM SPA Version 2
12.2(33)SRE   • Support for the following features was added for the ATM SPAs:
                – VC QoS on VP-PW
                – QoS support on Access Circuit Redundancy
                – Access Circuit Redundancy for ATM clients in a single APS (SR APS) environment
12.2(33)SRD   • Support for the following features was introduced for ATM SPAs on the Cisco 7600 SIP-400:
                – Port mode cell relay (single cell relay)
                – Port mode cell relay (packed cell relay)
                – Bridged Routed Encapsulation (BRE)
12.2(33)SRC   • Support for Phase 2 Local Switching Redundancy
12.2(33)SRA   • Some restrictions for QoS and MLPPP bundles were added.
              • Support for the following features was introduced for ATM SPAs on the Cisco 7600 SIP-200:
                – AToM VP Mode Cell Relay
                – MPLS over RBE
                – Multi-VC to VLAN scalability
                – QoS support on bridging features
              • Support for the following features was introduced for ATM SPAs on the Cisco 7600 SIP-400:
                – AToM VP Mode Cell Relay
                – Multi-VC to VLAN scalability
                – Multi-VLAN to VC
                – QoS support on bridging features
12.2(18)SXE   • Support was introduced for the 2-Port and 4-Port OC-3c/STM-1 ATM SPAs on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 SPA interface processors (SIPs) on the Cisco 7600 series router and Catalyst 6500 series switch.
              • Support was introduced for the 1-Port OC-12c/STM-4 ATM SPA on the Cisco 7600 SIP-400 on the Cisco 7600 series router and Catalyst 6500 series switch.
12.2(18)SXF   • Support was introduced for the 1-Port OC-48c/STM-16 ATM SPA on the Cisco 7600 SIP-400 on the Cisco 7600 series router and Catalyst 6500 series switch.
12.2(18)SXF2  • Support for the “Enhancements to RFC 1483 Spanning Tree Interoperability” feature was added for ATM SPAs on the Cisco 7600 series router and Catalyst 6500 series switch.
              • Documentation of a workaround for ATM SPA configuration on the Cisco 7600 SIP-200 has been added in Chapter 7, “Configuring the ATM SPAs,” to address a Routed Bridge Encapsulation (RBE) limitation where only one remote MAC address is supported.

Overview

The ATM SPAs are single-width, double-height, cross-platform Optical Carrier (OC) ATM adapter cards that provide OC-3c/STM-1c (155.52 Mbps), OC-12c/STM-4c (622.080 Mbps), or OC-48/STM-16 (2488 Mbps) connectivity and can be used in a Cisco 7600 series router. The ATM SPAs come in the following models:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA (SPA-2XOC3-ATM=, SPA-4XOC3-ATM=)
• 1-Port OC-12c/STM-4 ATM SPA (SPA-1XOC12-ATM=)
• 1-Port OC-48c/STM-16 ATM SPA (SPA-1XOC48-ATM=)
• 1-Port and 3-Port Clear Channel OC-3 ATM SPA Version 2 (SPA-1xOC3-ATM-V2=, SPA-3xOC3-ATM-V2)
• 1-Port Clear Channel OC-12 ATM SPA Version 2 (SPA-1xOC12-ATM-V2=)

The OC-3c ATM SPAs must be installed in a Cisco 7600 SIP-200 or Cisco 7600 SIP-400 SPA interface processor (SIP) before they can be used in the Cisco 7600 series router. The 1-Port OC-12c/STM-4 ATM SPA and 1-Port OC-48c/STM-16 ATM SPA must be installed in a Cisco 7600 SIP-400 before they can be used in the Cisco 7600 series router. You can install the SPA in the SIP before or after you insert the SIP into the router chassis. This allows you to perform online insertion and removal (OIR) operations either by removing individual SPAs from the SIP, or by removing the entire SIP (and its contained SPAs) from the router chassis.

The ATM SPAs provide cost-effective wide-area network (WAN) connectivity for service providers across their existing ATM networks. Using a highly modular approach, the SPA and SIP form factors maximize the flexibility of an existing Cisco 7600 series router, allowing service providers to mix and match SPAs to more easily meet evolving port-density and networking media needs.

The ATM SPAs also use small form-factor pluggable (SFP) optical transceivers, giving service providers port-level flexibility for different types of optical media (such as single mode and multimode). Changing the type of optical network involves simply replacing the transceiver, not the SPAs or SIP.

Note A maximum of two ATM SPAs can be installed in each SIP, and these SPAs can be different models (such as a 2-Port OC-3c/STM-1 ATM SPA and a 1-Port OC-12c/STM-4 ATM SPA). You can also mix SPAs of different types, such as ATM and POS, in a SIP, depending on the space requirements of the SIPs.
An exception is that only one 1-Port OC-48c/STM-16 ATM SPA can be installed in a SIP; the other slot should be left empty.

See the following sections for more information about the ATM SPAs:
• ATM Overview, page 6-4
• PVC and SVC Encapsulations, page 6-4
• PVC and SVC Service Classes, page 6-5
• Advanced Quality of Service, page 6-6

ATM Overview

Asynchronous Transfer Mode (ATM) uses cell-switching and multiplexing technology that combines the benefits of circuit switching (constant transmission delay and guaranteed capacity) with those of packet switching (flexibility and efficiency for intermittent traffic). ATM transmits small cells (53 bytes) with minimal overhead (5 bytes of header and checksum, with 48 bytes for data payload), allowing for very quick switching times between the input and output interfaces on a router.

ATM is a connection-oriented environment, in which each ATM endpoint (or node) must establish a separate connection to the specific endpoints in the ATM network with which it wants to exchange traffic. This connection (or channel) between the two endpoints is called a virtual circuit (VC). Each VC is uniquely identified by the combination of a virtual path identifier (VPI) and a virtual channel identifier (VCI). The VC is treated as a point-to-point mechanism to another router or host and is capable of supporting bidirectional traffic.

In an ATM network, a VC can be either a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). A network operator must manually configure a PVC, which remains in force until it is manually torn down. An SVC is set up and torn down using an ATM signaling mechanism. On the ATM SPAs, this signaling is based on the ATM Forum User-Network Interface (UNI) specification V3.x and V4.0.

PVC and SVC Encapsulations

PVCs and SVCs are configured with an ATM encapsulation type that is based upon the ATM Adaptation Layer (AAL).
The following types are supported:
• AAL5CISCOPPP—AAL5 Cisco PPP encapsulation, which is Cisco’s proprietary PPP over ATM encapsulation.
• AAL5MUX—ATM Adaptation Layer 5 MUX encapsulation, also known as null encapsulation, that supports a single protocol (IP or IPX).
• AAL5NLPID—(Supported on ATM SPAs in a Cisco 7600 SIP-200 only) AAL5 Network Layer Protocol Identification (NLPID) encapsulation, which allows ATM interfaces to interoperate with High-Speed Serial Interfaces (HSSIs) that are using an ATM data service unit (ADSU) and running ATM-Data Exchange Interface (DXI).
• AAL5SNAP—AAL5 Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) encapsulation, which supports Inverse ARP and incorporates the LLC/SNAP that precedes the protocol datagram. This allows the use of multiple protocols over the same VC, and is particularly well-suited for encapsulating IP packets.

Note The 1-Port OC-48c/STM-16 ATM SPA supports only AAL5MUX and AAL5SNAP encapsulations.

PVC and SVC Service Classes

ATM was designed with built-in quality of service capabilities to allow it to efficiently multiplex different types of traffic over the same links. To accomplish this, each PVC or SVC is configured with a service class that defines the traffic parameters, such as maximum cell rate or burst rate, for the circuit. The following service classes are available in ATM networks:
• Constant Bit Rate (CBR)—The ATM router transmits ATM cells in a continuous bit-stream that is suitable for real-time traffic, such as voice and video. CBR is typically used for VCs that need a static amount of bandwidth (constant bit rate or average cell rate) that is continuously available for the duration of the active connection.
The ATM router guarantees that a VC with a CBR service class can send cells at the peak cell rate (PCR) at any time, but the VC is also free to use only part of the allocated bandwidth, or none of the bandwidth, as well.
• Unspecified Bit Rate (UBR)—The ATM router does not make any quality of service (QoS) commitment at all to the PVC or SVC, but instead uses a best-effort attempt to send the traffic transmitted by the PVC or SVC. UBR typically is the default configuration and is used for non-critical Internet connectivity, including e-mail, file transfers, web browsing, and so forth. The ATM router enforces a maximum peak cell rate (PCR) for the VC, to prevent the VC from using all the bandwidth that is available on the line.
• Unspecified Bit Rate Plus (UBR+)—UBR+ is a special ATM service class developed by Cisco Systems. UBR+ uses MCR (Minimum Cell Rate) along with PCR (Peak Cell Rate). In UBR+, the MCR is a “soft guarantee” of minimum bandwidth. A router signals the MCR value at call setup time when a switched VC is created. The ATM router is then responsible for the guarantee of the bandwidth specified in the MCR parameter. A UBR+ VC is a UBR VC for which the MCR is signaled by the router and guaranteed by the ATM router. Therefore, UBR+ affects connection admission control and resource allocation on ATM routers. The UBR+ service class is supported only on SVCs for an ATM SPA. It is not supported on PVCs for an ATM SPA.

Note UBR+ is not supported on the 1-Port OC-48c/STM-16 ATM SPA.

• Variable Bit Rate–Non-Real Time (VBR–nrt)—The ATM router attempts to guarantee a maximum burst size (MBS) and sustainable cell rate (SCR) for non-real-time traffic that is bursty in nature, such as database queries or aggregation of large volumes of traffic from many different sources. The ATM router also enforces a maximum peak cell rate (PCR) for the VC, to prevent the VC from using all of the bandwidth that is available on the line.
• Variable Bit Rate–Real Time (VBR–rt)—The ATM router guarantees a maximum burst size (MBS) and sustainable cell rate (SCR) for real-time traffic that is bursty in nature, such as voice, video conferencing, and multiplayer gaming. VBR-rt traffic has a higher priority than VBR-nrt traffic, allowing the real-time traffic to preempt the non-real-time traffic, if necessary. The ATM router also enforces a maximum peak cell rate (PCR) for the VC, to prevent the VC from using all the bandwidth that is available on the line.

Note The ATM SPAs do not support the Available Bit Rate (ABR) service class, which uses a minimum cell rate (MCR).

Advanced Quality of Service

In addition to the integrated QoS capabilities that are provided by the standard ATM service classes, the ATM SPA cards support a number of advanced QoS features. These features include the following:
• Per-VC and Per-VP Traffic Shaping—Enables service providers to control the bandwidth provided at the VC or VP level. You cannot shape a VC that is part of a shaped VP. You can, however, enable both VC and VP shaping simultaneously (as long as shaped VCs use a different VPI value than the shaped VP).
• Layer 3 (IP) QoS at the Per-VC Level—Allows marking and classifying traffic at the IP layer, for each VC, enabling service providers to control the individual traffic flows for a customer, so as to meet the customer’s particular QoS needs. The IP QoS can use the IP type of service (ToS) bits, the RFC 2475 Differentiated Services Code Point (DSCP) bits, and the MPLS EXP bits. WRED, LLQ, CBWFQ, policing, classification, and marking are supported.
• Multiprotocol Label Switching (MPLS)—Allows service providers to provide cost-effective virtual private networks (VPNs) to their customers, while simplifying load balancing and QoS management, without incurring the overhead of extensive Layer 3 routing.
• IP to ATM Mapping—Creates a mapping between the Cell Loss Priority (CLP) bit in ATM cell headers and the IP precedence or IP Differentiated Services Code Point (DSCP) bits.
• VC Bundling—Selects the output VC on the basis of the IP Class of Service (CoS) bits. (Supported only when using the Cisco 7600 SIP-200 and not the Cisco 7600 SIP-400.)
• MQC policy support existing on ATM VCs is extended to the ATM PVP from Cisco IOS Release 12.2(33)SRE. The existing CLI is configurable under ATM L2 PVP mode. See Chapter 4, “Configuring the SIPs and SSC”, section Configuring QoS Features Using MQC, page 4-96, for details on the configuration command. The following example briefly depicts the modular QoS CLI configuration on the ATM PVP:

    interface atm slot/bay/port
     atm pvp 10 l2transport
      service-policy [input/output]

For a complete discussion about MQC, refer to the Modular Quality of Service Command-Line Interface Overview chapter of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2 publication at:
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/12_2sr/qos_12_2sr_book.html

Note Additional QoS features are expected to be added with each Cisco IOS software release. Please see the release notes for each release for additional features that might be supported and for the restrictions that might affect existing features.
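The 5-byte cell header described in the ATM Overview above (VPI/VCI identifying the VC, the CLP bit that the IP-to-ATM mapping sets, and the EFCI bit), as an added Python example that is not Cisco code: it builds and parses headers, verifies the HEC the way a framer does before handing cells to the SAR, and walks a constructed stream of cells, dropping the one whose header was corrupted.

```python
"""ATM cell header build/parse with HEC check (added example, not Cisco code).

UNI header layout (ITU-T I.361):
  byte 0: GFC(4) | VPI high 4      byte 1: VPI low 4 | VCI high 4
  byte 2: VCI middle 8             byte 3: VCI low 4 | PT(3) | CLP(1)
  byte 4: HEC = CRC-8(bytes 0..3, x^8 + x^2 + x + 1) XOR 0x55
The NNI header has no GFC and a 12-bit VPI instead.
"""
from dataclasses import dataclass

CELL_LEN = 53
HEC_COSET = 0x55          # ITU-T I.432 XORs this pattern into the CRC remainder
PT_AAL5_EOF = 0b001       # SDU-type bit: last cell of an AAL5 frame
PT_EFCI = 0b010           # Explicit Forward Congestion Indication
PT_OAM = 0b100            # OAM (F5) cell rather than user data


@dataclass(frozen=True)
class AtmHeader:
    vpi: int
    vci: int
    pt: int = 0             # 3-bit payload type field
    clp: int = 0            # cell loss priority; 1 = eligible for discard first
    gfc: int = 0            # UNI only, always 0 on NNI

    @property
    def efci(self) -> bool:
        return bool(self.pt & PT_EFCI)

    @property
    def aal5_end_of_frame(self) -> bool:
        return bool(self.pt & PT_AAL5_EOF) and not (self.pt & PT_OAM)


def crc8_atm(data: bytes) -> int:
    """CRC-8, generator x^8 + x^2 + x + 1 (0x07), MSB first, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def hec_for(first_four: bytes) -> int:
    """Header Error Control byte covering the first four header bytes."""
    if len(first_four) != 4:
        raise ValueError("HEC covers exactly four header bytes")
    return crc8_atm(first_four) ^ HEC_COSET


def build_header(h: AtmHeader, nni: bool = False) -> bytes:
    """Serialise an AtmHeader into its 5 bytes, HEC included."""
    vpi_bits = 12 if nni else 8
    if not (0 <= h.vpi < (1 << vpi_bits) and 0 <= h.vci < (1 << 16)
            and 0 <= h.pt < 8 and h.clp in (0, 1) and 0 <= h.gfc < 16):
        raise ValueError("field out of range for this interface type")
    if nni and h.gfc:
        raise ValueError("GFC does not exist in the NNI header")
    b0 = (h.gfc << 4) | (h.vpi >> 4) if not nni else h.vpi >> 4
    b1 = ((h.vpi & 0xF) << 4) | (h.vci >> 12)
    b2 = (h.vci >> 4) & 0xFF
    b3 = ((h.vci & 0xF) << 4) | (h.pt << 1) | h.clp
    head = bytes((b0, b1, b2, b3))
    return head + bytes((hec_for(head),))


def parse_header(cell: bytes, nni: bool = False) -> AtmHeader:
    """Decode the header of a 53-byte cell (or a bare 5-byte header); reject a bad HEC."""
    if len(cell) not in (5, CELL_LEN):
        raise ValueError(f"expected 5 or {CELL_LEN} bytes, got {len(cell)}")
    head, hec = cell[:4], cell[4]
    if hec != hec_for(head):
        raise ValueError("HEC mismatch: header corrupted in transit")
    b0, b1, b2, b3 = head
    if nni:
        gfc, vpi = 0, (b0 << 4) | (b1 >> 4)
    else:
        gfc, vpi = b0 >> 4, ((b0 & 0xF) << 4) | (b1 >> 4)
    vci = ((b1 & 0xF) << 12) | (b2 << 4) | (b3 >> 4)
    return AtmHeader(vpi=vpi, vci=vci, pt=(b3 >> 1) & 0x7, clp=b3 & 1, gfc=gfc)


def scan_cells(stream: bytes, nni: bool = False) -> dict:
    """Walk consecutive 53-byte cells as a framer hands them to the SAR: discard cells
    whose HEC fails, and count the rest per (VPI, VCI) with CLP=1 and EFCI tallies."""
    stats = {"dropped_hec": 0, "per_vc": {}}
    for off in range(0, len(stream) - CELL_LEN + 1, CELL_LEN):
        try:
            h = parse_header(stream[off:off + CELL_LEN], nni)
        except ValueError:
            stats["dropped_hec"] += 1
            continue
        vc = stats["per_vc"].setdefault((h.vpi, h.vci), {"cells": 0, "clp1": 0, "efci": 0})
        vc["cells"] += 1
        vc["clp1"] += h.clp
        vc["efci"] += h.efci
    return stats


def sample_stream() -> bytes:
    """Constructed cells: two on VPI 1/VCI 100 (the second ends an AAL5 frame), one
    CLP=1 cell with EFCI set on VPI 0/VCI 32, and one cell with a corrupted HEC."""
    payload = bytes(48)
    good = [AtmHeader(1, 100), AtmHeader(1, 100, pt=PT_AAL5_EOF),
            AtmHeader(0, 32, pt=PT_EFCI, clp=1)]
    cells = [build_header(h) + payload for h in good]
    bad = bytearray(build_header(AtmHeader(1, 100)) + payload)
    bad[4] ^= 0x01  # flip one HEC bit
    cells.append(bytes(bad))
    return b"".join(cells)
```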
Supported Features

This section provides a list of some of the primary features supported by the ATM hardware and software:
• SIP-Dependent Features, page 6-7
• Basic Features, page 6-8
• SONET/SDH Error, Alarm, and Performance Monitoring, page 6-9
• Layer 2 Features, page 6-10
• Layer 3 Features, page 6-11
• High-Availability Features, page 6-12
• Enhancements to RFC 1483 Spanning Tree Interoperability, page 6-12
• Supported Supervisor Engines and Line Cards, page 6-13
• Interoperability Problem, page 6-13
• BPDU Packet Formats, page 6-13

SIP-Dependent Features

Most features for the ATM SPAs are supported on both the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, but some features are supported only on a particular model of SIP. Table 6-1 lists the features that are supported on only one model of SIP. Any supported features for the ATM SPAs that are not listed in this table are supported on both SIPs.
Table 6-1 SIP-Dependent Feature Support

Feature | Supported on Cisco 7600 SIP-200 | Supported on Cisco 7600 SIP-400
AAL5NLPID encapsulation and Routed-NLPID-PDUs | Yes | No
ATM VC Access Trunk Emulation (multi-VLAN to VC) | Yes | Yes
Bridging of Routed Encapsulations (BRE) | Yes | Yes
Frame Relay to ATM (FR-ATM) internetworking | No | No
RFC-1483 ATM Half-Bridging and Routed Bridged Encapsulation (RBE) | Yes | No
VC Bundling (selects the output VC on the basis of the IP CoS bits) | Yes | No
RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Multipoint Bridging (MPB) (also known as multi-VC to VLAN) on the 2-Port and 4-Port OC-3c/STM-1c ATM SPA | Yes | Yes
Aggregate WRED | Yes | Yes
Access Circuit Redundancy (ACR) | No | Yes
QoS support on ACR interface | No | Yes
VC QoS on VP pseudowire | No | Yes
Network Clock and SSM support | No | Yes

Basic Features
• Bellcore GR-253-CORE SONET/SDH compliance (ITU-T G.707, G.783, G.957, G.958)
• Interface-compatible with other Cisco ATM adapters

Note The ATM SPA is functionally similar to other ATM port adapters on the Cisco 7600 series router, but because it is a different card type, the configuration for the slot is lost when you replace an existing ATM port adapter with an ATM SPA in a SIP.

• Supports both permanent virtual circuits (PVCs) and switched virtual circuits (SVCs)
• An absolute maximum of 16,384 (16K) configured VCs per ATM SPA (4,096 [4K] per interface) with the following recommended limitations:
– On a Cisco 7600 SIP-400, 8000 PVCs are supported on multipoint subinterfaces. The limit of 16,384 PVCs only applies to the Cisco 7600 SIP-200.
– A recommended maximum number of 2,048 PVCs on all point-to-point subinterfaces for all ATM SPAs in a SIP.
– A recommended maximum number of 16,380 PVCs on all multipoint subinterfaces for all ATM SPAs in a SIP, and a recommended maximum number of 200 PVCs per each individual multipoint subinterface.
– A recommended maximum number of 400 SVCs for all ATM SPAs in a SIP.
– A recommended maximum number of 1,024 PVCs using service policies for all ATM SPAs in a SIP.
• Up to 4,096 simultaneous segmentations and reassemblies (SARs) per interface
• Supports a maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving (LFI) for all ATM SPAs (or other ATM modules) in a Cisco 7600 series router
• Supports a maximum number of 1024 PVCs or 400 SVCs configured with Modular QoS CLI (MQC) policy maps
• Up to 1,000 maximum virtual templates per router
• ATM adaptation layer 5 (AAL5) for data traffic
• Hardware switching of multicast packets for point-to-point subinterfaces
• SONET/SDH (software selectable) optical fiber (2-Port and 4-Port OC-3c/STM-1 ATM SPA, 1-Port OC-48c/STM-16 ATM SPA, or 1-Port OC-12c/STM-4 ATM SPA), depending on the model of ATM SPA
• Uses small form-factor pluggable (SFP) optical transceivers, allowing the same ATM SPA hardware to support multimode (MM), single-mode intermediate (SMI), or single-mode long (SML) reach, depending on the capabilities of the SPA
• ATM section, line, and path alarm indication signal (AIS) cells, including support for F4 and F5 flows, loopback, and remote defect indication (RDI)
• Operation, Administration, and Maintenance (OAM) cells except OAM Emulation
• Online insertion and removal (OIR) of individual ATM SPAs from the SIP, as well as OIR of the SIPs with ATM SPAs installed
• Supports the Network Clocking and the Synchronization Status Message (SSM) functionality (ATM SPAs in a Cisco 7600 SIP-400 only).
The supported ATM SPAs are:
– SPA-2xOC3-ATM
– SPA-4xOC3-ATM
– SPA-1xOC12-ATM
– SPA-1xOC48-ATM
– SPA-1xOC3-ATM-V2
– SPA-2xOC3-ATM-V2
– SPA-3xOC3-ATM-V2
– SPA-1xOC12-ATM-V2

For information on configuring the network clock, see Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.

SONET/SDH Error, Alarm, and Performance Monitoring
• Fiber removed and reinserted
• Signal failure bit error rate (SF-BER)
• Signal degrade bit error rate (SD-BER)
• Signal label payload construction (C2)
• Path trace byte (J1)
• Section Diagnostics:
– Loss of signal (SLOS)
– Loss of frame (SLOF)
– Error counts for B1
– Threshold crossing alarms (TCA) for B1 (B1-TCA)
• Line Diagnostics:
– Line alarm indication signal (LAIS)
– Line remote defect indication (LRDI)
– Line remote error indication (LREI)
– Error counts for B2
– Threshold crossing alarms for B2 (B2-TCA)
• Path Diagnostics:
– Path alarm indication signal (PAIS)
– Path remote defect indication (PRDI)
– Path remote error indication (PREI)
– Error counts for B3
– Threshold crossing alarms for B3 (B3-TCA)
– Loss of pointer (PLOP)
– New pointer events (NEWPTR)
– Positive stuffing event (PSE)
– Negative stuffing event (NSE)
• The following loopback tests are supported:
– Network (line) loopback
– Internal (diagnostic) loopback
• Supported SONET/SDH synchronization:
– Local (internal) timing (for inter-router connections over dark fiber or wavelength division multiplexing [WDM] equipment)
– Loop (line) timing (for connecting to SONET/SDH equipment)
– +/– 4.6 ppm clock accuracy over full operating temperature

Layer 2 Features
• Supports the following encapsulation types:
– AAL5SNAP (LLC/SNAP)
– LLC encapsulated
  bridged protocol
– AAL5MUX (VC multiplexing)
– AAL5NLPID and Routed-NLPID-PDUs (ATM SPAs in a Cisco 7600 SIP-200 only)
– AAL5CISCOPPP
• Supports the following ATM traffic classes and per-VC traffic shaping modes:
– Constant bit rate (CBR) with peak rate
– Unspecified bit rate (UBR) with peak cell rate (PCR)
– Non-real-time variable bit rate (VBR-nrt)
– Variable bit rate real-time (VBR-rt)
– Unspecified bit rate plus (UBR+) on SVCs

Note ATM shaping is supported, but class queue-based shaping is not.

• ATM point-to-point and multipoint connections
• Explicit Forward Congestion Indication (EFCI) bit in the ATM cell header
• Frame Relay to ATM (FR-ATM) internetworking (ATM SPAs in a Cisco 7600 SIP-200 only)
• Integrated Local Management Interface (ILMI) operation, including keepalive, PVC discovery, and address registration and deregistration
• Link Fragmentation and Interleaving (LFI) performed in hardware
• VC-to-VC local switching and cell relay
• VP-to-VP local switching and cell relay
• AToM VP Mode Cell Relay support
• RFC 1755, ATM Signaling Support for IP over ATM
• ATM User-Network Interface (UNI) signalling V3.0, V3.1, and V4.0 only
• RFC 2225, Classical IP and ARP over ATM (obsoletes RFC 1577)
• Unspecified bit rate plus (UBR+) traffic service class on SVCs

For Cisco IOS Release 15.0(1)S and later, for information on support for static PWs using Point-to-Multipoint TE or RSVP, refer to http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_te_p2mp_static.html.
Layer 3 Features
• ATM VC Access Trunk Emulation (multi-VLAN to VC) (ATM SPAs in a Cisco 7600 SIP-200 only)
• ATM over MPLS (AToM) in AAL5 mode (except for AToM cell packing)
• ATM over MPLS (AToM) in AAL5/AAL0 VC mode
• Bridging of Routed Encapsulations (BRE) (ATM SPAs in a Cisco 7600 SIP-200 and Cisco 7600 SIP-400 only)
• Distributed Link Fragmentation and Interleaving (dLFI) for ATM (dLFI packet counters are supported, but dLFI byte counters are not supported)
• LFI with dCRTP
• No limitation on the maximum number of VCs per VPI, up to the maximum number of 4,096 total VCs per interface (so there is no need to configure this limit using the atm vc-per-vp command, which is required on other ATM SPAs)
• OAM flow connectivity using OAM ping for segment or end-to-end loopback
• PVC multicast (Protocol Independent Multicast [PIM] dense and sparse modes)
• Quality of Service (QoS):
– Policing
– IP-to-ATM class of service (IP precedence and DSCP)
– Per-VC class-based weighted fair queueing (CBWFQ)
– Per-VC Layer 3 queueing
– VC Bundling (Cisco 7600 SIP-200 only)
– Weighted Random Early Detection (WRED)
– Aggregate WRED
• RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5:
– Routed Bridge Encapsulation (RBE) (ATM SPAs in a Cisco 7600 SIP-200 only)
– Half-bridging (ATM SPAs in a Cisco 7600 SIP-200 only)
– PVC bridging (full-bridging) on Cisco 7600 SIP-200 and Cisco 7600 SIP-400
• Supports oversubscription by default
• Routing protocols:
– Border Gateway Protocol (BGP)
– Enhanced Interior Gateway Routing Protocol (EIGRP)
– Interior Gateway Routing Protocol (IGRP)
– Integrated Intermediate System-to-Intermediate System (IS-IS)
– Open Shortest Path First (OSPF)
– Routing Information Protocol version 1 and version 2 (RIPv1 and RIPv2)

High-Availability Features
• 1+1 Automatic Protection Switching (APS) redundancy (PVC
  circuits only)
• Route Processor Redundancy (RPR)
• RPR Plus (RPR+)
• OSPF Nonstop Forwarding (NSF)
• Stateful Switchover (SSO)

Enhancements to RFC 1483 Spanning Tree Interoperability

This section describes an interoperability feature for the various spanning tree implementations across 1483 Bridge Mode ATM PVCs. Historically, vendors have not implemented spanning tree across RFC 1483 encapsulation consistently; furthermore, some Cisco IOS releases may not support the full range of spanning tree options. This feature attempts to smooth some of the practical challenges of interworking common variations of spanning tree over RFC 1483 Bridge Mode encapsulation.

Note This feature set is only supported on RFC 1483 Bridge Mode ATM permanent virtual circuits (PVCs).

Some basic terms include the following:
• IEEE 802.1D is a standard for interconnecting LANs through media access control (MAC) bridges. IEEE 802.1D uses the Spanning Tree Protocol to eliminate loops in the bridge topology, which cause broadcast storms.
• Spanning Tree Protocol (STP) as defined in IEEE 802.1D is a link-management protocol that provides path redundancy while preventing undesirable loops in the network. An IEEE 802.1D spanning tree makes it possible to have one spanning tree instance for the whole switch, regardless of the number of VLANs configured on the switch.
• Bridge Protocol Data Unit (BPDU) is the generic name for the frame used by the various spanning tree implementations. The Spanning Tree Protocol uses the BPDU information to elect the root switch and root port for the switched network, as well as the root port and designated port for each switched segment.
• Per VLAN Spanning Tree (PVST) is a Cisco proprietary protocol that allows a Cisco device to support multiple spanning tree topologies on a per-VLAN basis. PVST uses the BPDUs defined in IEEE 802.1D (see Figure 6-2 on page 6-14), but instead of one STP instance per switch, there is one STP instance per VLAN.
• PVST+ is a Cisco proprietary protocol that creates one STP instance per VLAN (as in PVST). However, PVST+ enhances PVST and uses Cisco proprietary BPDUs with a special 802.2 Subnetwork Access Protocol (SNAP) Organizational Unique Identifier (OUI) 1 (see Figure 6-2 on page 6-14) instead of the standard IEEE 802.1D frame format used by PVST. PVST+ BPDUs are also known as Simple Symmetric Transmission Protocol (SSTP) BPDUs.

Note RFC 1483 is referenced throughout this section, although it has been superseded by RFC 2684.

1. The Organizational Unique Identifier (OUI) portion of the MAC address often identifies the vendor of the upper layer protocol or the manufacturer of the Ethernet adapter. The OUI value of 00-00-0C identifies Cisco Systems as the manufacturer of the Ethernet adapter.

Supported Supervisor Engines and Line Cards

The Cisco 7600 series routers support PVST to PVST+ BPDU interoperability with the Cisco 7600 SIP-200.

Interoperability Problem

The current interoperability problem can be summarized as follows:
• When transmitting STP BPDUs, many vendors’ implementations of ATM-to-Ethernet bridging are not fully compliant with the specifications of RFC 1483, Appendix B. The most common variation of the standard is to use an ATM Common Part Convergence Sublayer (CPCS) SNAP protocol data unit (PDU) with OUI: 00-80-C2 and PID: 00-07. Appendix B reserved this OUI/PID combination for generic Ethernet frames without BPDUs. Appendix B specifies OUI: 00-80-C2 and protocol identifier (PID): 00-0E for frames with BPDU contents.
• There are several varieties of the Spanning Tree Protocol used by Cisco products on ATM interfaces. The Catalyst 5000 series supports only PVST on ATM interfaces. The Cisco 7600 series router and Catalyst 6500 series switches support only PVST+ on ATM interfaces.
Most other Cisco routers implement classic IEEE 802.1D on ATM interfaces. When the Cisco 7600 series router and the Catalyst 6500 series switch first implemented RFC 1483 Bridging (on Cisco IOS Release 12.1E) on the Cisco 7600 FlexWAN module, the platform used OUI: 00-80-C2 and PID: 00-0E to maximize interoperability with all other Cisco IOS products. However, there are so many implementations that do not send PVST or IEEE 802.1D BPDUs with PID: 00-0E that the Cisco 7600 series routers and the Catalyst 6500 series switches reverted to the more common implementation of RFC 1483 (with PID: 00-07) in Cisco IOS Release 12.2SX. This spanning tree interoperability feature provides the option of encapsulating BPDUs across RFC 1483 with either PID: 00-07 or PID: 00-0E.

BPDU Packet Formats

The various BPDU packet formats are described in this section. Figure 6-1 shows the generic IEEE 802.2/802.3 frame format, which is used by PVST+, but is not used by PVST.

Figure 6-1 IEEE 802.2/802.3 SNAP Encapsulation Frame Format
[Figure image: fields in order, with byte lengths: Destination Addr (6), Source Addr (6), Length (2) = 802.3 MAC; DSAP AA (1), SSAP AA (1), Cntl 03 (1) = 802.2 LLC; OUI (3), Type (2) = 802.2 SNAP; Data (38-1492); CRC (4).]

In an Ethernet SNAP frame, the SSAP and DSAP fields are always set to AA. These codes identify it as a SNAP frame. The Control field always has a value of 03, which specifies connectionless logical link control (LLC) services. The Type field identifies the upper layer protocol to which data should be passed. For example, a Type field of hex 0800 represents IP, while a value of 8137 indicates that data is meant for IPX.

Catalyst 5000 PVST BPDU Packet Format

The Catalyst 5000 series switches send and receive BPDUs in PVST format on ATM interfaces (see Figure 6-2).
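The PID 00-07 versus PID 00-0E distinction and the PVST and PVST+ (SSTP) frame layouts this section describes (Figures 6-2 through 6-4), as an added Python classifier that is not Cisco code: it parses the LLC/SNAP front of an RFC 1483 bridged PDU, reports which BPDU variety it carries, and flags a BPDU sent under the PID that Appendix B reserves for plain Ethernet frames. The sample PDUs are constructed by hand from the field values in the figures; the source MAC address is a made-up value.

```python
"""Classify RFC 1483 bridged PDUs by the spanning tree BPDU variety they carry.

Added example, not Cisco code. Field values come from this section's
frame-format figures; the sample PDUs are constructed, and the source MAC
00-D0-BA-AD-00-01 is a made-up value.
"""
from dataclasses import dataclass
from typing import Optional

LLC_SNAP = bytes.fromhex("aaaa03")       # DSAP AA, SSAP AA, control 03
OUI_8021 = bytes.fromhex("0080c2")       # OUI used by RFC 1483 Appendix B
PID_ETHERNET = bytes.fromhex("0007")     # Appendix B: Ethernet/802.3 frame, no BPDU
PID_BPDU = bytes.fromhex("000e")         # Appendix B: BPDU carried directly
STP_DA = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
LLC_STP = bytes.fromhex("424203")        # DSAP/SSAP 42, UI: IEEE 802.1D / PVST BPDU
SSTP_DA = bytes.fromhex("01000ccccccd")  # PVST+ (SSTP) destination MAC
OUI_CISCO = bytes.fromhex("00000c")      # Cisco OUI in the SSTP SNAP header
SSTP_TYPE = bytes.fromhex("010b")        # SNAP type for SSTP
PAD = b"\x00\x00"                        # PAD that follows PID 00-07


@dataclass(frozen=True)
class BridgedPdu:
    pid: str                   # "00-07" or "00-0E"
    kind: str                  # "bpdu-8021d", "bpdu-pvst+", "ethernet" or "unknown"
    bpdu_under_pid_0007: bool  # BPDU sent with the PID Appendix B reserves for plain frames
    bpdu: Optional[bytes]      # raw BPDU bytes when one was found


def classify_bridged_pdu(pdu: bytes) -> BridgedPdu:
    """Parse the LLC/SNAP front of an RFC 1483 bridged PDU and locate any BPDU."""
    if len(pdu) < 8 or pdu[:3] != LLC_SNAP or pdu[3:6] != OUI_8021:
        raise ValueError("not an RFC 1483 LLC/SNAP bridged PDU")
    pid = pdu[6:8]
    pid_str = f"{pid[0]:02X}-{pid[1]:02X}"
    if pid == PID_BPDU:
        # Appendix B form: the BPDU follows the SNAP header directly (no MAC header).
        return BridgedPdu(pid_str, "bpdu-8021d", False, pdu[8:])
    if pid != PID_ETHERNET:
        return BridgedPdu(pid_str, "unknown", False, None)
    # PID 00-07: two PAD bytes, then an 802.3 frame (DA, SA, LEN, ...) without FCS.
    frame = pdu[10:]
    if len(frame) < 17:
        return BridgedPdu(pid_str, "unknown", False, None)
    da, llc = frame[0:6], frame[14:17]
    if da == STP_DA and llc == LLC_STP:
        # IEEE 802.1D / PVST BPDU inside an Ethernet frame: the common non-compliant form.
        return BridgedPdu(pid_str, "bpdu-8021d", True, frame[17:])
    if (da == SSTP_DA and llc == LLC_SNAP
            and frame[17:20] == OUI_CISCO and frame[20:22] == SSTP_TYPE):
        # Cisco PVST+ (SSTP) BPDU as the Cisco 7600 sends it in 1483 bridge mode.
        return BridgedPdu(pid_str, "bpdu-pvst+", True, frame[22:])
    # An ordinary bridged data frame: exactly what Appendix B assigns PID 00-07 to.
    return BridgedPdu(pid_str, "ethernet", False, None)


def _config_bpdu() -> bytes:
    """Constructed 35-byte IEEE 802.1D configuration BPDU (all-zero parameters)."""
    return bytes.fromhex("00000000") + bytes(31)


def sample_pdus() -> dict:
    """Constructed PDUs matching Figures 6-2, 6-3 and 6-4, plus a bridged IP frame."""
    bpdu = _config_bpdu()
    sa = bytes.fromhex("00d0baad0001")  # made-up source MAC
    stp_frame = STP_DA + sa + len(LLC_STP + bpdu).to_bytes(2, "big") + LLC_STP + bpdu
    sstp_body = LLC_SNAP + OUI_CISCO + SSTP_TYPE + bpdu
    sstp_frame = SSTP_DA + sa + len(sstp_body).to_bytes(2, "big") + sstp_body
    ip_frame = bytes.fromhex("00d0baad0002") + sa + bytes.fromhex("0800") + bytes(20)
    return {
        "catalyst5000_pvst": LLC_SNAP + OUI_8021 + PID_ETHERNET + PAD + stp_frame,
        "cisco7600_pvst_plus": LLC_SNAP + OUI_8021 + PID_ETHERNET + PAD + sstp_frame,
        "appendix_b_bpdu": LLC_SNAP + OUI_8021 + PID_BPDU + bpdu,
        "bridged_ip": LLC_SNAP + OUI_8021 + PID_ETHERNET + PAD + ip_frame,
    }
```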
Figure 6-2 BPDU PVST Frame Format Used by the Catalyst 5000 Switch

• BPDUs sent by the Catalyst 5000 series switch use a PID of 0x00-07, which does not comply with RFC 1483. The Cisco 7600 series router also has the ability to send BPDUs in this data format.
• The PAD portion of the ATM encapsulation varies from 0 to 47 bytes in length to ensure complete ATM cell payloads.
• By using the bridge-domain command’s ignore-bpdu-pid optional keyword, the Catalyst 5000 series switch sends this frame by default.
• The Catalyst 5000 series switch cannot accept the PVST+ BPDUs and blocks the ATM port, giving the following error messages:

%SPANTREE-2-RX_1QNON1QTRUNK: Rcved 1Q-BPDU on non-1Q-trun port 6/1 vlan 10
%SPANTREE-2-RX_BLKPORTPVID: Block 6/1 on rcving vlan 10 for inc peer vlan 0

Cisco 7200 and Cisco 7500 Series Routers IEEE 802.1D BPDU Frame Format

Figure 6-3 shows the Cisco 7200 and Cisco 7500 series routers IEEE 802.1D BPDU frame format.

Figure 6-3 Frame Format for the Cisco 7200 and Cisco 7500 Series Routers IEEE 802.1D BPDU
[Figure images for Figure 6-2 and Figure 6-3; field labels recovered from the drawings. PVST frame: ATM Encapsulation (LLC AA-AA-03, OUI, PID 00-07, PAD 00-00), then 802.3 Encapsulation (DA 01-80-C2-00-00-00, LEN, LLC 42-42-03, BPDU Payload). IEEE 802.1D frame: LLC AA-AA-03, OUI, PID 00-0E, BPDU.]

Cisco 7600 Router PVST+ BPDU Frame Format

The Cisco 7600 series router PVST+ BPDU packet format is shown in Figure 6-4. These BPDUs are not IEEE 802.1D BPDUs, but Cisco proprietary SSTP BPDUs.

Figure 6-4 Cisco 7600 Router PVST+ BPDU Frame Format (1483 Bridge Mode)

Cisco L2PT BPDU Frame Format

Figure 6-5 shows the Cisco Layer 2 Protocol Tunneling (L2PT) BPDU SNAP frame format.

Figure 6-5 L2PT BPDU SNAP Frame Format

Unsupported Features
• The following High Availability features are not supported:
– APS N+1 redundancy is not supported.
– APS redundancy is not supported on SVCs.
– APS reflector mode (aps reflector interface configuration command) is not supported.
• The atm bridge-enable command, which was used in previous releases on other ATM interfaces to enable multipoint bridging on PVCs, is not supported on ATM SPA interfaces. Instead, use the bridge option with the encapsulation command to enable RFC 1483 half-bridging on PVCs. See the “Configuring ATM Routed Bridge Encapsulation” section on page 7-23.
• PVC autoprovisioning (create on-demand VC class configuration command) is not supported.
• Creating SVCs with UNI signalling version 4.1 is not supported (UNI signalling v 3.0, v 3.1, and v 4.0 are supported).
• Enhanced Remote Defect Indication–Path (ERDI-P) is not supported.
• Fast Re-Route (FRR) over ATM is not supported.
• LAN Emulation (LANE) is not supported.
• Multicast SVCs are not supported.
• Available Bit Rate (ABR) traffic service class is not supported.
• Unspecified bit rate plus (UBR+) traffic service class is not supported on PVCs.
• AAL2 is not supported.

[Figure images for Figure 6-4 and Figure 6-5; field labels recovered from the drawings. PVST+ (1483 Bridge Mode): ATM Encapsulation (LLC AA-AA-03, OUI 00-80-C2, PID 00-07, PAD 00-00), then DA (SSTP DA MAC) 01-00-0C-CC-CC-CD, SA, LEN, LLC AA-AA-03, OUI 00-00-0C, Type (SSTP) 01-0B, BPDU. L2PT: DA (L2PT DA MAC) 01-00-0C-CD-CD-D0, SA, LEN, LLC AA-AA-03, OUI 00-00-0C, Type (SSTP) 01-0B, BPDU.]

Prerequisites
• The 2-Port and 4-Port OC-3c/STM-1 ATM SPAs must use either the Cisco 7600 SIP-200 or Cisco 7600 SIP-400.
• The 1-Port OC-12c/STM-4 ATM SPA must use the Cisco 7600 SIP-400.
• The 1-Port OC-48c/STM-16 ATM SPA must use the Cisco 7600 SIP-400.
• The Cisco 7600 SIP-200 requires a Cisco 7600 series router using a SUP-720 3B and above processor that is running Cisco IOS Release 12.2(18)SXE or later release.
• The Cisco 7600 SIP-400 requires a Cisco 7600 series router using a SUP-720 processor that is running Cisco IOS Release 12.2(18)SXE or later release.
• Before beginning to configure the ATM SPA, have the following information available:
– Protocols you plan to route on the new interfaces.
– IP addresses for all ports on the new interfaces, including subinterfaces.
– Bridging encapsulations you plan to use.

Restrictions
• The 1-Port OC-48c/STM-16 ATM SPA does not support the following features: AToM, BRE, LFI, RBE, SVCs, UBR+, RFC 2225 (formerly RFC 1577), or bridging.
• The ATM SPAs in the Cisco 7600 series router do not support APS reflector and reflector channel modes. (These modes require a facing path terminating element [PTE], which is typically a Cisco ATM switch.)
• The ATM SPA is functionally similar to other ATM port adapters on the Cisco 7600 series router, such as the PA-A3, but it is a different card type, so the slot’s previous configuration is lost when you replace an existing ATM port adapter with an ATM SPA.
• The following restrictions apply to the operation of QoS on the ATM SPAs:
– The ATM SPAs do not support bandwidth-limited priority queueing, but support only strict priority policy maps (that is, the priority command without any parameters).
– A maximum of one priority command is supported in a policy map.
– You cannot use the match input interface command in policy maps and class maps that are being used for ATM SPAs.
– Hierarchical traffic shaping (traffic shaping on both the VC and VP for a circuit) is not supported. Traffic shaping can be configured only on the VC or on the VP, but not both.
– ATM (Layer 2) output shaping is supported, but IP (Layer 3) shaping on an output (egress) interface is not supported. In particular, this means that you cannot use any shape class-map configuration commands in policy maps that are being used in the output direction. This includes the shape adaptive, shape average, shape fecn-adapt, and shape peak commands.
– The ATM SPA interfaces support a maximum of six configured precedences (using the random-detect aggregate command) in each class map in a policy map. The maximum number of configurable subclass groups is seven.
– STP is not supported in ATM Multi-Vlan-to-VC mode.
• For best performance, we recommend the following maximums:
– A maximum number of 2,048 PVCs on all point-to-point subinterfaces for all ATM SPAs in a SIP.
– A maximum number of 16,380 PVCs on all multipoint subinterfaces for all ATM SPAs in a SIP.
– A maximum number of 400 SVCs for all ATM SPAs in a SIP.
– A maximum number of 1024 PVCs or SVCs using service policies for all ATM SPAs in a router.
– A maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving (LFI) for all ATM SPAs in a router.
– A maximum number of 200 PVCs on each multipoint subinterface being used on an ATM SPA.

Note These limits are flexible and depend on all factors that affect performance in the router, such as processor card, type of traffic, and so on.

• In the default configuration of the transmit path trace buffer, the ATM SPA does not support automatic updates of remote host name and IP address (as displayed by the show controllers atm command). This information is updated only when the interface is shut down and reactivated (using the shutdown and no shutdown commands). Information for the received path trace buffer, however, is automatically updated.
• The show ppp multilink command displays only the packet counters, and not byte counters, for a dLFI configuration on an ATM SPA interface.
• MLPPP is supported, but not MLPPP bundles.
• Concurrent configuration of RFC-1483 bridging and Bridged Routing Encapsulation is not allowed on SIP 200 or SIP 400.

Restrictions for SPA-1xOC3-ATM-V2, SPA-3xOC3-ATM-V2, and SPA-1xOC12-ATM-V2
• These are the restrictions for the 1-Port Clear Channel OC-3, 3-Port Clear Channel OC-3, and 1-Port Clear Channel OC-12 ATM SPA Version 2 (SPA-1xOC3-ATM-V2, SPA-3xOC3-ATM-V2, and SPA-1xOC12-ATM-V2):
– An MQC service-policy having only class-default is not supported.
– The maximum mark-probability in a WRED policy is 31.
– An MQC policy with more than six user-defined queueing classes is not supported.
• The ingress classification feature is not enabled on the Cisco 7600 series router.

Supported MIBs

The following MIBs are supported in Cisco IOS Release 12.2(18)SXE and later releases for the ATM SPAs on the Cisco 7600 series router.

Common MIBs
• ENTITY-MIB
• IF-MIB
• MIB-II
• MPLS-CEM-MIB

Cisco-Specific Common MIBs
• CISCO-ENTITY-EXT-MIB
• OLD-CISCO-CHASSIS-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-SENSOR-MIB
• CISCO-MQC-MIB
• CISCO-AAL5-MIB
• CISCO-ATM-MIB

Cisco-Specific MPLS MIBs
• CISCO-IETF-PW-MIB
• CISCO-IETF-PW-MPLS-MIB

For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series Internet Router MIB Specifications Guide.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you.
SPA Architecture
This section provides an overview of the data path for the ATM SPAs, for use in troubleshooting and monitoring. Figure 6-6 shows the data path for ATM traffic as it travels between the ATM optical connectors on the front panel of the ATM SPA and the backplane connector that connects the SPA to the SIP.
Figure 6-6 ATM SPA Data Architecture
Path of Cells in the Ingress Direction
The following steps describe the path of an ingress cell as it is received from the ATM network and converted to a data packet before transmission through the SIP to the router’s processors for switching, routing, or further processing:
1. The SONET/SDH framer device receives incoming cells on a per-port basis from the SPA’s optical circuitry. (The ATM SPA supports 1, 2, 3, or 4 optical ports, depending on the model of SPA.)
2. The SONET/SDH framer removes the SONET overhead information, performs any necessary clock and data recovery, and processes any SONET/SDH alarms that might be present.
The framer then extracts the 53-byte ATM cells from the data stream and forwards each cell to the ATM segmentation and reassembly (SAR) engine.
3. The SAR engine receives the cells from the framer and reassembles them into the original packets, temporarily storing them in a per-port receive buffer until they can be forwarded to the LFI field-programmable gate array (FPGA). The SAR engine discards any packets that have been corrupted in transit.
4. The LFI FPGA receives the packets from the SAR engine and forwards them to the host processor for further routing, switching, or additional processing. The FPGA also performs LFI reassembly as needed, and collects the traffic statistics for the packets that it passes.
Path of Packets in the Egress Direction
The following steps describe the path of an egress packet as the SPA receives it from the router through the SIP and converts it to ATM cells for transmission on the ATM network:
1. The LFI FPGA receives the packets from the host processor and stores them in its packet buffers until the SAR engine is ready to receive them. The FPGA also performs any necessary LFI processing on the packets before forwarding them to the SAR engine, and collects the traffic statistics for the packets that it passes.
2. The SAR engine receives the packets from the FPGA and supports multiple CBWFQ queues to store the packets until they can be fully segmented. The SAR engine performs the necessary WRED queue admission and CBWFQ QoS traffic scheduling on its queues before segmenting the packets into ATM cells and shaping the cells into the SONET/SDH framer.
[Figure residue: Layer 2 protocol tunneling topology showing a Catalyst 5500 switch, a Catalyst 6500 switch, a Cisco 7600 router with the ATM 6/1/0 interface (Layer 2 protocol tunneling enabled) and the Gig2/1 interface (L2PT enabled), and the service provider ATM network]
3.
The SONET/SDH framer receives the cells from the SAR engine and inserts each cell into the SONET data stream, adding the necessary clocking, SONET overhead, and alarm information. The framer then outputs the data stream on the appropriate optical port.
4. The optical port conveys the optical data onto the physical layer of the ATM network.
Displaying the SPA Hardware Type
To verify the SPA hardware type that is installed in your Cisco 7600 series router, use the show interfaces, show diag, or show controllers command. A number of other show commands also provide information about the SPA hardware.
Table 6-2 shows the hardware description that appears in the show interfaces and show diag command output for each type of ATM SPA that is supported on the Cisco 7600 series router.
Table 6-2 ATM SPA Hardware Descriptions in show Commands
SPA | Description in show interfaces Command | Description in show diag Command
SPA-2XOC3-ATM | Hardware is SPA-2XOC3-ATM | SPA-2XOC3-ATM (0x046E)
SPA-4XOC3-ATM | Hardware is SPA-4XOC3-ATM | SPA-4XOC3-ATM (0x3E1)
SPA-1XOC12-ATM | Hardware is SPA-1XOC12-ATM | SPA-1XOC12-ATM (0x03E5)
SPA-1XOC48-ATM | Hardware is SPA-1XOC48-ATM | SPA-1XOC48-ATM (0x3E6)
SPA-1xOC3-ATM-V2 | Hardware is SPA-1xOC3-ATM-V2 | SPA-1xOC3-ATM-V2
SPA-3xOC3-ATM-V2 | Hardware is SPA-3xOC3-ATM-V2 | SPA-3xOC3-ATM-V2
SPA-1xOC12-ATM-V2 | Hardware is SPA-1xOC12-ATM-V2 | SPA-1xOC12-ATM-V2
Example of the show interfaces Command
The following example shows output from the show interfaces atm command on a Cisco 7600 series router with an ATM SPA installed in the first subslot of a SIP that is installed in slot 5:
Router# show interfaces atm 5/0/0
ATM5/0/0 is up, line protocol is up
  Hardware is SPA-4XOC3-ATM, address is 000d.2959.d780 (bia 000d.2959.d78a)
  MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Encapsulation(s): AAL5
  4095 maximum active VCs, 1 current VCCs
  VC idle disconnect time: 300 seconds
  0 carrier transitions
  Last input 00:00:09, output 00:00:09, output hang never
  Last clearing of "show interface" counters 00:01:26
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 540 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5 packets output, 720 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Note The byte count reported with “packets output” in the default show interfaces atm output includes the bytes used for ATM AAL5 padding, the AAL5 trailer, and the ATM cell header. To see the byte count without the padding, header, and trailer information, use the show interfaces atm statistics or show atm pvc command.
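The SAR stage of the data path described above (cells reassembled into packets, corrupted packets discarded) as an added Python model. This is example code written for this edit, not Cisco's code and not the SPA's own implementation. It builds the AAL5 CPCS-PDU (payload, pad, 8-byte trailer), cuts it into 53-byte cells with a header HEC, and on reassembly checks the trailer CRC-32, CPI, and Length field. Three things are assumptions rather than statements from the guide: the drop-reason names, which borrow the counters show atm pvc prints (CrcErrors, SarTimeOuts, OverSizedSDUs, LengthViolation, CPIErrors); the MSB-first CRC-32 bit ordering used for AAL5; and the reuse of the guide's MTU + 24 giant margin as the oversize limit. The 108-byte sample packet is constructed; it becomes three cells carrying 144 payload bytes, a figure consistent with five 108-byte input packets (540 bytes) being reported as 720 output bytes in the show interfaces example above if the output count is the padded CPCS-PDU length.

```python
"""AAL5 segmentation and reassembly, modelling the SAR stage of the ATM SPA
data path.  Added example for this guide, not Cisco code.  Sample packets
are constructed inline.  Drop reasons are named after the counters that
show atm pvc reports; that mapping is an assumption, not the SPA's own
accounting."""
import struct

CELL_PAYLOAD = 48
TRAILER_LEN = 8            # CPCS-UU(1) CPI(1) Length(2) CRC-32(4)


def crc32_aal5(data: bytes) -> int:
    """CRC-32 as specified for AAL5 in ITU-T I.363.5 (assumed here):
    polynomial 0x04C11DB7, MSB-first, preset all ones, result complemented."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def hec(header4: bytes) -> int:
    """Header error control byte: CRC-8 (x^8 + x^2 + x + 1) over the first
    four header bytes, XORed with the coset leader 0x55."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


def cell_header(vpi: int, vci: int, last: bool, clp: int = 0) -> bytes:
    """5-byte UNI header: GFC(4) VPI(8) VCI(16) PTI(3) CLP(1) HEC(8).
    The low PTI bit (AAL-indicate) marks the final cell of a CPCS-PDU."""
    word = (vpi << 20) | (vci << 4) | ((1 if last else 0) << 1) | clp
    first4 = struct.pack("!I", word)
    return first4 + bytes([hec(first4)])


def segment(sdu: bytes, vpi: int = 1, vci: int = 100) -> list:
    """Egress: wrap one packet in a CPCS-PDU (payload + pad + trailer, a
    multiple of 48 bytes) and cut it into 53-byte cells for the framer."""
    if len(sdu) > 0xFFFF:
        raise ValueError("CPCS-SDU exceeds the 16-bit Length field")
    pad = (-(len(sdu) + TRAILER_LEN)) % CELL_PAYLOAD
    body = sdu + bytes(pad) + struct.pack("!BBH", 0, 0, len(sdu))  # UU, CPI, Length
    pdu = body + struct.pack("!I", crc32_aal5(body))
    return [cell_header(vpi, vci, i + CELL_PAYLOAD >= len(pdu)) + pdu[i:i + CELL_PAYLOAD]
            for i in range(0, len(pdu), CELL_PAYLOAD)]


def reassemble(cells: list, max_sdu: int = 4470 + 24):
    """Ingress: rebuild the packet from the cells of one VC.  Returns
    (sdu, None) on success or (None, reason) when the SAR would discard it.
    max_sdu defaults to the SPA default MTU plus the 24-byte giant margin
    quoted in the MTU notes of this guide; reusing it here is an assumption."""
    max_pdu = -(-(max_sdu + TRAILER_LEN) // CELL_PAYLOAD) * CELL_PAYLOAD
    if not cells:
        return None, "SarTimeOuts"
    payload = b""
    for cell in cells:
        if len(cell) != 53 or hec(cell[:4]) != cell[4]:
            return None, "HcsErrors"          # damaged header: the framer drops the cell
        payload += cell[5:]
        if len(payload) > max_pdu:
            return None, "OverSizedSDUs"      # buffer limit hit before AAL-indicate seen
    if not cells[-1][3] & 0x02:
        return None, "SarTimeOuts"            # no AAL-indicate: PDU never completed
    uu, cpi, length = struct.unpack("!BBH", payload[-8:-4])
    if crc32_aal5(payload[:-4]) != struct.unpack("!I", payload[-4:])[0]:
        return None, "CrcErrors"
    if cpi != 0:
        return None, "CPIErrors"
    pad = len(payload) - TRAILER_LEN - length
    if length == 0 or not 0 <= pad < CELL_PAYLOAD:
        return None, "LengthViolation"        # pad must be 0..47 bytes; 0 = abort
    return payload[:length], None


def cpcs_bytes(cells: list) -> int:
    """Cell payload bytes carried for one packet (pad and trailer included)."""
    return sum(len(c) - 5 for c in cells)


if __name__ == "__main__":
    packet = bytes(range(108))                 # constructed 108-byte CPCS-SDU
    cells = segment(packet)
    print(len(cells), "cells,", cpcs_bytes(cells), "payload bytes")   # 3 cells, 144 payload bytes
    print(reassemble(cells)[1], reassemble(cells[:-1])[1])
```

Flipping one payload byte in a middle cell yields CrcErrors; dropping the last cell leaves no AAL-indicate and yields SarTimeOuts; a packet larger than the oversize limit is rejected while its cells are still arriving, which is why OverSizedSDUs is checked inside the loop rather than after it.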
Example of the show diag Command
The following example shows output from the show diag command on a Cisco 7600 series router with two ATM SPAs installed in a Cisco 7600 SIP-400 that is installed in slot 4:
Router# show diag 4
Slot 4: Logical_index 8
        4-adapter SIP-400 controller
        Board is analyzed  ipc ready
        HW rev 0.300, board revision 08
        Serial Number:           Part number: 73-8272-03
        Slot database information:
        Flags: 0x2004     Insertion time: 0x1961C (01:16:54 ago)
        Controller Memory Size:
                384 MBytes CPU Memory
                128 MBytes Packet Memory
                512 MBytes Total on Board SDRAM
        IOS (tm) cwlc Software (sip1-DW-M), Released Version 12.2(17)SX [BLD-sipedon2 107]
        SPA Information:
                subslot 4/0: SPA-4XOC3-ATM (0x3E1), status: ok
                subslot 4/1: SPA-1XOC12-ATM (0x3E5), status: ok
Example of the show controllers Command
The following example shows output from the show controllers atm command on a Cisco 7600 series router with an ATM SPA installed in the second subslot of a SIP that is installed in slot 5:
Router# show controllers atm 5/1/0
Interface ATM5/1/0 (SPA-4XOC3-ATM[4/0]) is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
  SECTION
    LOF = 0          LOS = 0          BIP(B1) = 603
  LINE
    AIS = 0          RDI = 2          FEBE = 2332      BIP(B2) = 1018
  PATH
    AIS = 0          RDI = 1          FEBE = 28        BIP(B3) = 228
    LOP = 0          NEWPTR = 0       PSE = 1          NSE = 2
  Active Defects: None
  Active Alarms: None
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
  HCS (correctable): 0
  HCS (uncorrectable): 0
APS not configured
PATH TRACE BUFFER : STABLE
BER thresholds: SF = 10e-3  SD = 10e-6
TCA thresholds: B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: line
The following are the defects and alarms reported when actions are performed on the peer end of a SPA on the Cisco 7600 router:
Remote SPA cable removal:
  Active Defects: SLOS
  Active Alarms: SLOS
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
Remote SPA removal:
  Active Defects: SLOS PRDI PLOP
  Active Alarms: SLOS
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
On an MCP, with actions performed on the peer end of a Barbarian SPA:
Remote SPA cable removal:
  Active Defects: SLOF SLOS PLOP
  Active Alarms: SLOS
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
  ATM framing errors:
    HCS (correctable): 823
    HCS (uncorrectable): 361
Putting the cable back, intermediate state:
  Active Defects: SD SLOS B1-TCA B2-TCA PRDI PLOP
  Active Alarms: SLOS SD B1-TCA B2-TCA
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
  ATM framing errors:
    HCS (correctable): 1145
    HCS (uncorrectable): 516
Putting the cable back, final state:
  Active Defects: None
  Active Alarms: None
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
  ATM framing errors:
    HCS (correctable): 1145
    HCS (uncorrectable): 516
Remote SPA removal:
  Active Defects: SLOS PRDI PLOP
  Active Alarms: SLOS
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
  ATM framing errors:
    HCS (correctable): 1145
    HCS (uncorrectable): 523
Remote SPA insertion, intermediate state:
  Active Defects: SLOS B1-TCA LAIS PAIS PRDI
  Active Alarms: SLOS B1-TCA
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
  ATM framing errors:
    HCS (correctable): 1145
    HCS (uncorrectable): 523
Remote SPA insertion, final state:
  Active Defects: None
  Active Alarms: None
  Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
  ATM framing errors:
    HCS (correctable): 1145
    HCS (uncorrectable): 523
Chapter 7 Configuring the ATM SPAs
This chapter provides information about configuring the ATM SPAs on the Cisco 7600 series router. It includes the following sections:
• Configuration Tasks, page 7-1
• Verifying the Interface Configuration, page 7-108
• Configuration Examples, page 7-111
For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications that correspond to your Cisco IOS software release.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes the most common configurations for the ATM SPAs on a Cisco 7600 series router.
It contains procedures for the following configurations:
• Required Configuration Tasks, page 7-2
• Specifying the Interface Address on a SPA, page 7-3
• Modifying the Interface MTU Size, page 7-3
• Creating a Permanent Virtual Circuit, page 7-8
• Creating a PVC on a Point-to-Point Subinterface, page 7-10
• Configuring a PVC on a Multipoint Subinterface, page 7-12
• Configuring RFC 1483 Bridging for PVCs, page 7-14
• Configuring Layer 2 Protocol Tunneling Topology, page 7-17
• Configuring Layer 2 Tunneling Protocol Version 3 (L2TPv3), page 7-17
• Configuring RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling, page 7-18
• Configuring ATM RFC 1483 Half-Bridging, page 7-20
• Configuring ATM Routed Bridge Encapsulation, page 7-23
• Configuring RFC 1483 Bridging of Routed Encapsulations, page 7-25
• Configuring the Bridged Routed Encapsulation within an Automatic Protection Switching Group, page 7-28
• Verifying the Bridged Routed Encapsulation within an Automatic Protection Switching Group Configuration, page 7-29
• Configuring Aggregate WRED for PVCs, page 7-30
• Configuring Non-aggregate WRED, page 7-36
• Configuring Traffic Parameters for PVCs or SVCs, page 7-46
• Configuring Virtual Circuit Classes, page 7-50
• Configuring Virtual Circuit Bundles, page 7-51
• Configuring Multi-VLAN to VC Support, page 7-54
• Configuring Link Fragmentation and Interleaving with Virtual Templates, page 7-54
• Configuring the Distributed Compressed Real-Time Protocol, page 7-58
• Configuring Automatic Protection Switching, page 7-60
• Configuring SONET and SDH Framing, page 7-76
• Configuring for Transmit-Only Mode, page 7-78
• Configuring AToM Cell Relay VP Mode, page 7-79
• Configuring QoS Features on ATM SPAs, page 7-87
• Saving the Configuration, page 7-88
• Shutting Down and Restarting an Interface on a SPA, page 7-105
• Shutting Down an ATM Shared Port Adapter, page 7-107
Required Configuration Tasks
The ATM SPA interface must be initially configured with an IP address to allow further configuration. Some of the required configuration commands implement default values that might or might not be appropriate for your network. If the default value is correct for your network, you do not need to configure the command.
To perform the basic configuration of each interface, use the following procedure beginning in global configuration mode:
Command or Action | Purpose
Step 1 Router(config)# interface atm slot/subslot/port | Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2 Router(config-if)# ip address address mask [secondary] | (Optional in some configurations) Assigns the specified IP address and subnet mask to the interface. Repeat the command with the optional secondary keyword to assign additional, secondary IP addresses to the port.
Step 3 Router(config-if)# description string | (Optional) Assigns an arbitrary string, up to 80 characters long, to the interface. This string can identify the purpose or owner of the interface, or any other information that might be useful for monitoring and troubleshooting.
Step 4 Router(config-if)# no shutdown | Enables the interface.
Note Repeat Step 1 through Step 4 for each port on the ATM SPA to be configured.
Step 5 Router(config-if)# end | Exits interface configuration mode and returns to privileged EXEC mode.
Specifying the Interface Address on a SPA
Two ATM SPAs can be installed in a SIP. SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP, SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.
The following example shows how to specify the first interface (0) on a SPA installed in the first subslot (0) of a SIP installed in chassis slot 3:
Router(config)# interface serial 3/0/0
This command shows a serial SPA as a representative example; the same slot/subslot/port format is used for other SPAs (such as ATM and POS) and other non-channelized SPAs. For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for SIPs, SSCs, and SPAs” section on page 4-2.
Modifying the Interface MTU Size
The maximum transmission unit (MTU) values might need to be reconfigured from their defaults on the ATM SPAs to match the values used in your network.
Interface MTU Configuration Guidelines
When configuring the interface MTU size on an ATM SPA, consider the following guidelines.
The Cisco IOS software supports several types of configurable MTU options at different levels of the protocol stack. You should ensure that all MTU values are consistent to avoid unnecessary fragmentation of packets. These MTU values are the following:
• Interface MTU—Configured on a per-interface basis and defines the maximum packet size (in bytes) that is allowed for traffic received from the network. The ATM SPA checks traffic coming in from the network and drops packets that are larger than this maximum value. Because different types of Layer 2 interfaces support different MTU values, choose a value that supports the maximum possible packet size in your particular network topology.
• IP MTU—Configured on a per-interface or per-subinterface basis and determines the largest IP packet size (in bytes) that is allowed on the IP network without being fragmented. If an IP packet is larger than the IP MTU value, the ATM SPA fragments it into smaller IP packets before forwarding it on to the next hop.
• Multiprotocol Label Switching (MPLS) MTU—Configured on a per-interface or per-subinterface basis and defines the MTU value for packets that are tagged with MPLS labels or tag headers. When an IP packet that contains MPLS labels is larger than the MPLS MTU value, the ATM SPA fragments it into smaller IP packets. When a non-IP packet that contains MPLS labels is larger than the MPLS MTU value, the ATM SPA drops it. All devices on a particular physical medium must have the same MPLS MTU value to allow proper MPLS operation. Because MPLS labels are added to the existing packet and increase the packet’s size, choose appropriate MTU values so as to avoid unnecessarily fragmenting MPLS-labeled packets.
If the IP MTU or MPLS MTU values are currently the same size as the interface MTU, changing the interface MTU size also automatically sets the IP MTU or MPLS MTU values to the new value. Changing the interface MTU value does not affect the IP MTU or MPLS MTU values if they are not currently set to the same size as the interface MTU.
Different encapsulation methods and the number of MPLS labels add overhead to a packet. For example, Subnetwork Access Protocol (SNAP) encapsulation adds an 8-byte header, an IEEE 802.1Q tag adds 4 bytes (a 2-byte TPID and a 2-byte TCI), and each MPLS label adds a 4-byte header. Consider the maximum possible encapsulations and labels that are to be used in your network when choosing the MTU values.
Tip The MTU values on the local ATM SPA interfaces must match the values being used in the ATM network and on the remote ATM interface. Changing the MTU values on an ATM SPA does not reset the local interface, but be aware that other platforms and ATM SPAs do reset the link when the MTU value changes. This could cause a momentary interruption in service, so we recommend changing the MTU value only when the interface is not being used.
Note The interface MTU value on the ATM SPA also determines which packets are recorded as “giants” in the show interfaces atm command. The interface considers a packet to be a giant packet when it is more than 24 bytes larger than the interface MTU size. For example, if using an MTU size of 1500 bytes, the interface increments the giants counter when it receives a packet larger than 1524 bytes.
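The MTU rules from the guidelines above, worked through as an added Python model. This is example code written for this edit, not Cisco's code; it encodes only what the guidelines state: the three MTUs with their ranges and 4470-byte default, the coupling rule when the interface MTU changes, the MTU + 24 giant threshold, the fragment-or-drop outcome for oversized IP and non-IP labelled packets, and an overhead budget using the per-encapsulation figures quoted (8 bytes for SNAP, 4 bytes per MPLS label, 4 bytes for an IEEE 802.1Q tag). The class and function names are the example's own, and the audit messages are constructed wording.

```python
"""MTU bookkeeping for an ATM SPA interface: the interface, IP and MPLS MTUs,
the coupling rule when the interface MTU changes, the giant threshold, and
the encapsulation overhead budget.  Added example for this guide, not Cisco
code; it encodes the rules stated in the MTU guidelines."""

DEFAULT_MTU = 4470
MTU_RANGE = (64, 9216)        # mtu and mpls mtu
IP_MTU_RANGE = (64, 9288)     # ip mtu
GIANT_MARGIN = 24             # frames longer than MTU + 24 count as giants

OVERHEAD = {"aal5snap": 8, "dot1q": 4, "mpls_label": 4}   # bytes


class AtmInterfaceMtu:
    """One ATM SPA interface.  IP and MPLS MTUs default to the interface MTU."""

    def __init__(self, mtu: int = DEFAULT_MTU):
        self.mtu = self.ip_mtu = self.mpls_mtu = self._check(mtu, MTU_RANGE)

    @staticmethod
    def _check(value: int, rng: tuple) -> int:
        if not rng[0] <= value <= rng[1]:
            raise ValueError(f"{value} is outside {rng[0]}-{rng[1]} bytes")
        return value

    def set_mtu(self, value: int) -> None:
        """'mtu bytes': an IP or MPLS MTU that currently equals the interface
        MTU follows it; one configured independently keeps its own value."""
        old, self.mtu = self.mtu, self._check(value, MTU_RANGE)
        if self.ip_mtu == old:
            self.ip_mtu = self.mtu
        if self.mpls_mtu == old:
            self.mpls_mtu = self.mtu

    def set_ip_mtu(self, value: int) -> None:
        """'ip mtu bytes'"""
        self.ip_mtu = self._check(value, IP_MTU_RANGE)

    def set_mpls_mtu(self, value: int) -> None:
        """'mpls mtu bytes'"""
        self.mpls_mtu = self._check(value, MTU_RANGE)

    def giant_threshold(self) -> int:
        """Received packets longer than this increment the giants counter."""
        return self.mtu + GIANT_MARGIN

    def egress(self, size: int, labels: int = 0, ip: bool = True) -> str:
        """Outcome for an outbound packet of `size` bytes: 'forward',
        'fragment' (IP packet larger than the IP or MPLS MTU) or 'drop'
        (non-IP labelled packet larger than the MPLS MTU)."""
        limit = self.mpls_mtu if labels else self.ip_mtu
        if size <= limit:
            return "forward"
        return "fragment" if ip else "drop"


def required_interface_mtu(ip_mtu: int, encaps=("aal5snap",), labels: int = 0) -> int:
    """Smallest interface MTU that carries a full-size IP packet plus the
    listed encapsulations and label stack, following the guide's advice to
    budget for every encapsulation and label in use."""
    return ip_mtu + sum(OVERHEAD[e] for e in encaps) + labels * OVERHEAD["mpls_label"]


def audit(iface: AtmInterfaceMtu, encaps=("aal5snap",), labels: int = 0) -> list:
    """Consistency findings to review before changing any of the three MTUs."""
    findings = []
    need = required_interface_mtu(iface.ip_mtu, encaps, labels)
    if need > iface.mtu:
        findings.append(f"ip mtu {iface.ip_mtu} + {need - iface.ip_mtu} bytes of "
                        f"encapsulation needs interface mtu >= {need}, have {iface.mtu}")
    labelled = iface.ip_mtu + labels * OVERHEAD["mpls_label"]
    if labels and labelled > iface.mpls_mtu:
        findings.append(f"labelled IP packets of {labelled} bytes exceed "
                        f"mpls mtu {iface.mpls_mtu} and will be fragmented")
    if iface.ip_mtu > iface.mtu or iface.mpls_mtu > iface.mtu:
        findings.append("ip mtu or mpls mtu exceeds the interface mtu; "
                        "the three values are not consistent")
    return findings


if __name__ == "__main__":
    atm = AtmInterfaceMtu()                # mtu 4470, ip mtu 4470, mpls mtu 4470
    atm.set_ip_mtu(1500)                   # ip mtu now set independently
    atm.set_mtu(9216)                      # mpls mtu follows, ip mtu stays 1500
    print(atm.mtu, atm.ip_mtu, atm.mpls_mtu, atm.giant_threshold())   # 9216 1500 9216 9240
    for finding in audit(AtmInterfaceMtu(4470), ("aal5snap", "dot1q"), labels=2):
        print(finding)
```

With the default 4470-byte interface MTU and an IP MTU left at its default, two labels over SNAP and an 802.1Q tag already need 4490 bytes, so the audit reports both the interface budget and the MPLS MTU shortfall; raising only the interface MTU after the IP MTU was set independently leaves the IP MTU where it was, which is the coupling rule the guidelines describe.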
Interface MTU Configuration Task
To change the MTU values on the ATM SPA interfaces, use the following procedure beginning in global configuration mode:
Command or Action | Purpose
Step 1 Router(config)# interface atm slot/subslot/port | Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2 Router(config-if)# mtu bytes | (Optional) Configures the maximum transmission unit (MTU) size for the interface. The valid range for bytes is from 64 to 9216 bytes, with a default of 4470 bytes. As a general rule, do not change the MTU value unless you have a specific application need to do so. Note If the IP MTU or MPLS MTU values are currently the same size as the interface MTU, changing the interface MTU size also automatically sets the IP MTU or MPLS MTU values to the same value.
Step 3 Router(config-if)# ip mtu bytes | (Optional) Configures the MTU value, in bytes, for IP packets on this interface. The valid range for an ATM SPA is 64 to 9288, with a default value equal to the MTU value configured in Step 2.
Step 4 Router(config-if)# mpls mtu bytes | (Optional) Configures the MTU value, in bytes, for MPLS-labeled packets on this interface. The valid range for an ATM SPA is 64 to 9216 bytes, with a default value equal to the MTU value configured in Step 2.
Note Repeat Step 1 through Step 4 for each interface port on the ATM SPA to be configured.
Step 5 Router(config-if)# end | Exits interface configuration mode and returns to privileged EXEC mode.
Verifying the MTU Size
This example verifies the MTU sizes for an interface. Use the show interface, show ip interface, and show mpls interface commands for the 2-Port and 4-Port OC-3c/STM-1 ATM SPA:
Router# show interface atm 4/1/0
ATM4/1/0 is up, line protocol is up
  Hardware is SPA-4XOC3-ATM, address is 000d.2959.d5ca (bia 000d.2959.d5ca)
  MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Encapsulation(s): AAL5
  4095 maximum active VCs, 0 current VCCs
  VC idle disconnect time: 300 seconds
  0 carrier transitions
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Router# show ip interface atm 4/1/0
ATM4/1/0 is up, line protocol is up
  Internet address is 200.1.0.2/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 4470 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Feature Fast switching turbo vector
  IP Null turbo vector
  VPN Routing/Forwarding "vpn2600-2"
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
Router# show mpls interface atm 4/1/0 detail
Interface ATM3/0:
        IP labeling enabled (ldp)
        LSP Tunnel labeling not enabled
        MPLS operational
        MPLS turbo vector
        MTU = 4470
        ATM labels: Label VPI = 1
          Label VCI range = 33 - 65535
          Control VC = 0/32
To view the maximum possible size for datagrams passing out the interface using the configured MTU value, use the show atm interface atm command:
Router# show atm interface atm 4/1/0
Interface ATM4/1/0:
AAL enabled:  AAL5, Maximum VCs: 4096, Current VCCs: 2
Maximum Transmit Channels: 0
Max. Datagram Size: 4528
PLIM Type: SONET - 155000Kbps, TX clocking: LINE
Cell-payload scrambling: ON
sts-stream scrambling: ON
8359 input, 8495 output, 0 IN fast, 0 OUT fast, 0 out drop
Avail bw = 155000
Config. is ACTIVE
This example verifies the MTU size for an interface. Use the show interface, show ip interface, and show mpls interface commands for the 3-Port Clear Channel OC-3 ATM SPA:
Router# show interface atm 0/2/2
ATM0/2/2 is up, line protocol is up
  Hardware is SPA-3XOC3-ATM-V2, address is 001a.3044.7522 (bia 001a.3044.7522)
  MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Keepalive not supported
  Encapsulation(s): AAL5 AAL0
  4095 maximum active VCs, 1 current VCCs
  VC Auto Creation Disabled.
  VC idle disconnect time: 300 seconds
  4 carrier transitions
  Last input never, output 00:04:11, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 540 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5 packets output, 540 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
Router# show ip interface atm 0/2/2.1
ATM0/2/2.1 is up, line protocol is up
  Internet address is 10.4.0.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 4470 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Distributed switching is disabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
Router# show mpls interface atm 0/3/2.1
Interface              IP            Tunnel   BGP  Static   Operational
ATM0/3/2.1             Yes (ldp)     No       No   No       Yes
CE1# show mpls interface atm0/3/2.1 det
Interface ATM0/3/2.1:
        IP labeling enabled (ldp):
          Interface config
        LSP Tunnel labeling not enabled
        BGP labeling not enabled
        MPLS operational
        MTU = 4470
To view the maximum possible size for datagrams passing out the interface using the configured MTU value, use the show atm interface atm command:
Router# show atm interface atm 0/2/2
Interface ATM0/2/2:
AAL enabled:  AAL0 , Maximum VCs: 4095, Current VCCs: 1
Max. Datagram Size: 4528
PLIM Type: SONET - 155000Kbps, TX clocking: LINE
Cell-payload scrambling: ON
sts-stream scrambling: ON
5 input, 5 output, 0 IN fast, 0 OUT fast, 0 out drop
Avail bw = 149760
Config. is ACTIVE
Creating a Permanent Virtual Circuit
To use a permanent virtual circuit (PVC), configure the PVC in both the router and the ATM switch. PVCs remain active until the circuit is removed from either configuration.
To create a PVC on the ATM interface and enter interface ATM VC configuration mode, perform the following procedure beginning in global configuration mode:
Command or Action | Purpose
Step 1 Router(config)# interface atm slot/subslot/port or Router(config)# interface atm slot/subslot/port.subinterface | Enters interface or subinterface configuration mode for the indicated port on the specified ATM SPA.
Step 2 Router(config-if)# ip address address mask | Assigns the specified IP address and subnet mask to the interface or subinterface.
Step 3 Router(config-if)# atm tx-latency milliseconds | (Optional) Configures the default transmit latency for VCs on this ATM SPA interface. The valid range for milliseconds is from 1 to 200, with a default of 100 milliseconds.
Step 4 Router(config-if)# pvc [name] vpi/vci [ilmi | qsaal] | Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are:
  • vpi—Specifies the VPI ID. The valid range is 0 to 255.
  • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
  You can also configure the following options:
  • name—(Optional) An arbitrary string that identifies this PVC.
  • ilmi—(Optional) Configures the VC to exclusively carry ILMI protocol traffic (default).
  • qsaal—(Optional) Configures the VC to exclusively carry QSAAL protocol traffic.
  Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and automatically switches to its parent subinterface.
Step 5 Router(config-if-atm-vc)# protocol protocol {protocol-address | inarp} [[no] broadcast] | Configures the PVC for a particular protocol and maps it to a specific protocol-address.
  • protocol—Typically set to either ip or ppp, but other values are possible.
  • protocol-address—Destination address or virtual interface template for this PVC (if appropriate for the protocol).
  • inarp—Specifies that the PVC uses Inverse ARP to determine its address.
  • [no] broadcast—(Optional) Specifies that this mapping should (or should not) be used for broadcast packets.
Step 6 Router(config-if-atm-vc)# inarp minutes | (Optional) If using Inverse ARP, configures how often the PVC transmits Inverse ARP requests to confirm its address mapping. The valid range is 1 to 60 minutes, with a default of 15 minutes.
Step 7 Router(config-if-atm-vc)# encapsulation aal5snap | (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The default and only supported type is aal5snap.
Step 8 Router(config-if-atm-vc)# tx-limit buffers | (Optional) Specifies the number of transmit buffers for this VC. The valid range is from 1 to 57343, with a default value that is based on the current VC line rate and on the latency value that is configured with the atm tx-latency command.
Note Repeat Step 4 through Step 8 for each PVC to be configured on this interface.
Step 9 Router(config-if-atm-vc)# end | Exits ATM VC configuration mode and returns to privileged EXEC mode.
Verifying a PVC Configuration
To verify the configuration of a particular PVC, use the show atm pvc command:
Router# show atm pvc 1/100
ATM3/0/0: VCD: 1, VPI: 1, VCI: 100
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC status: Not Managed
ILMI VC status: Not Managed
InARP frequency: 15 minutes(s)
Transmit priority 6
InPkts: 94964567, OutPkts: 95069747, InBytes: 833119350, OutBytes: 838799016
InPRoc: 1, OutPRoc: 1, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 94964566, OutAS: 95069746
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
VC 1/100 doesn't exist on 7 of 8 ATM interface(s)
Tip To verify the configuration and current status of all PVCs on a particular interface, you can also use the show atm vc interface atm command.
Creating a PVC on a Point-to-Point Subinterface
Use point-to-point subinterfaces to provide each pair of routers with its own subnet. When you create a PVC on a point-to-point subinterface, the router assumes it is the only point-to-point PVC that is configured on the subinterface, and it forwards all IP packets with a destination IP address in the same subnet to this VC.
To configure a point-to-point PVC, perform the following procedure beginning in global configuration mode:
Command or Action | Purpose
Step 1 Router(config)# interface atm slot/subslot/port.subinterface point-to-point | Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.
Step 2 Router(config-subif)# ip address address mask | Assigns the specified IP address and subnet mask to this subinterface.
Step 3 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] | Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are:
  • vpi—Specifies the VPI ID. The valid range is 0 to 255.
  • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
  You can also configure the following options:
  • name—(Optional) An arbitrary string that identifies this PVC.
  • ilmi—(Optional) Configures the PVC to use ILMI encapsulation (default).
• qsaal—(Optional) Configures the PVC to use QSAAL encapsulation. Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and automatically switches to its parent subinterface. Step 4 Router(config-if-atm-vc)# protocol protocol protocol-address [[no] broadcast] Configures the PVC for a particular protocol and maps it to a specific protocol-address. • protocol—Typically set to ppp for point-to-point subinterfaces, but other values are possible. • protocol-address—Destination address or virtual template interface for this PVC (as appropriate for the specified protocol). • [no] broadcast—(Optional) Specifies that this mapping should (or should not) be used for broadcast packets. The protocol command also has an inarp option, but this option is not meaningful on point-to-point PVCs that use a manually configured address. Step 5 Router(config-if-atm-vc)# encapsulation aal5snap (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The default and only supported type is aal5snap. Note Repeat Step 1 through Step 5 for each point-to-point subinterface to be configured on this ATM SPA. Step 6 Router(config-if)# end Exits interface configuration mode and returns to privileged EXEC mode. 
Verifying a Point-to-Point PVC Configuration

To verify the configuration of a particular PVC, use the show atm pvc command:

Router# show atm pvc 3/12
ATM3/1/0.12: VCD: 3, VPI: 3, VCI: 12
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC status: Not Managed
ILMI VC status: Not Managed
InARP frequency: 15 minutes(s)
Transmit priority 6
InPkts: 3949645, OutPkts: 3950697, InBytes: 28331193, OutBytes: 28387990
InPRoc: 1, OutPRoc: 1, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 3949645, OutAS: 3950697
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP

Tip: To verify the configuration and current status of all PVCs on a particular interface, you can also use the show atm vc interface atm command.

Configuring a PVC on a Multipoint Subinterface

Creating a multipoint subinterface allows you to create a point-to-multipoint PVC that can be used as a broadcast PVC for all multicast requests. To create a PVC on a multipoint subinterface, use the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port.subinterface multipoint
        Creates the specified point-to-multipoint subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.

Step 2  Router(config-subif)# ip address address mask
        Assigns the specified IP address and subnet mask to this subinterface.

Step 3  Router(config-subif)# no ip directed-broadcast
        (Optional) Disables the forwarding of IP directed broadcasts, which are sometimes used in denial of service (DoS) attacks.

Step 4  Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
        Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are:
        • vpi: Specifies the VPI ID. The valid range is 0 to 255.
        • vci: Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
        You can also configure the following options:
        • name: (Optional) An arbitrary string that identifies this PVC.
        • ilmi: (Optional) Configures the PVC to use ILMI encapsulation (default).
        • qsaal: (Optional) Configures the PVC to use QSAAL encapsulation.
        Note: When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has already been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC's configuration and automatically switches to its parent subinterface.

Step 5  Router(config-if-atm-vc)# protocol protocol {protocol-address | inarp} broadcast
        Configures the PVC for a particular protocol and maps it to a specific protocol-address.
        • protocol: Typically set to ip for multipoint subinterfaces, but other values are possible.
        • protocol-address: Destination address or virtual template interface for this PVC (if appropriate for the protocol).
        • inarp: Specifies that the PVC uses Inverse ARP to determine its address.
        • broadcast: Specifies that this mapping should be used for multicast packets.

Step 6  Router(config-if-atm-vc)# inarp minutes
        (Optional) If using Inverse ARP, configures how often the PVC transmits Inverse ARP requests to confirm its address mapping. The valid range is 1 to 60 minutes, with a default of 15 minutes.

Step 7  Router(config-if-atm-vc)# encapsulation aal5snap
        (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The default and only supported type is aal5snap.

        Note: Repeat Step 1 through Step 7 for each multipoint subinterface to be configured on this ATM SPA.

Step 8  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Verifying a Multipoint PVC Configuration

To verify the configuration of a particular PVC, use the show atm pvc command:

Router# show atm pvc 1/120
ATM3/1/0.120: VCD: 1, VPI: 1, VCI: 120
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC status: Not Managed
ILMI VC status: Not Managed
InARP frequency: 15 minutes(s)
Transmit priority 6
InPkts: 1394964, OutPkts: 1395069, InBytes: 1833119, OutBytes: 1838799
InPRoc: 1, OutPRoc: 1, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 94964, OutAS: 95062
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP

Note: To verify the configuration and current status of all PVCs on a particular interface, you can also use the show atm vc interface atm command.

Configuring RFC 1483 Bridging for PVCs

RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, specifies the implementation of point-to-point bridging of Layer 2 protocol data units (PDUs) from an ATM interface. Figure 7-1 shows an example in which the two routers receive VLANs over their respective trunk links and then forward that traffic out through the ATM interfaces into the ATM cloud.

Figure 7-1 Example of RFC 1483 Bridging Topology (figure not reproduced: Switch 1 connects over trunk ports to Router 1; Router 1 and Router 2 connect over RFC 1483 ports across the ATM cloud; Router 2 connects over trunk ports to Switch 2)

Note: RFC 1483 has been updated and superseded by RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5.

RFC 1483 Bridging for PVCs Configuration Guidelines

When configuring RFC 1483 bridging for PVCs, consider the following guidelines:
• PVCs must use AAL5 Subnetwork Access Protocol (SNAP) encapsulation.
• To use the Virtual Trunking Protocol (VTP), ensure that each main interface has a subinterface that has been configured for the management VLANs (VLAN 1 and VLANs 1002 to 1005). VTP is not supported on bridged VCs on a Cisco 7600 SIP-200.
• RFC 1483 bridging in a switched virtual circuit (SVC) environment is not supported.
• The 1-Port OC-48c/STM-16 ATM SPA does not support RFC 1483 bridging.

RFC 1483 Bridging for PVCs Configuration Task

To configure RFC 1483 bridging for PVCs, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port.subinterface point-to-point
        (Optional) Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.
        Note: Although it is most common to create the PVCs on subinterfaces, you can also omit this step to create the PVCs for RFC 1483 bridging on the main interface.

Step 2  Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
        Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are:
        • vpi: Specifies the VPI ID. The valid range is 0 to 255.
        • vci: Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
        You can also configure the following options:
        • name: (Optional) An arbitrary string that identifies this PVC.
        • ilmi: (Optional) Configures the PVC to use ILMI encapsulation (default).
        • qsaal: (Optional) Configures the PVC to use QSAAL encapsulation.

Step 3  Router(config-if-atm-vc)# bridge-domain vlan-id [access | dot1q tag | dot1q-tunnel] [ignore-bpdu-pid] | {pvst-tlv CE-vlan} [increment] [split-horizon]
        Binds the PVC to the specified vlan-id. You can optionally specify the following keywords:
        • dot1q: (Optional) Includes the IEEE 802.1Q tag, which preserves the VLAN ID and class of service (CoS) information across the ATM cloud.
        • dot1q-tunnel: (Optional) Enables tunneling of IEEE 802.1Q VLANs over the same link. See the "Configuring RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling" section on page 7-18.
        • ignore-bpdu-pid: (Optional) Ignores bridge protocol data unit (BPDU) packets, to allow interoperation with ATM customer premises equipment (CPE) devices that do not distinguish BPDU packets from data packets. Without this keyword, IEEE BPDUs are sent out using a PID of 0x00-0E, which complies with RFC 1483. With this keyword, IEEE BPDUs are sent out using a PID of 0x00-07, which is normally reserved for RFC 1483 data.
        • pvst-tlv: When transmitting, the pvst-tlv keyword translates PVST+ BPDUs into IEEE BPDUs. When receiving, it translates IEEE BPDUs into PVST+ BPDUs.
        • split-horizon: (Optional) Enables RFC 1483 split horizon mode to globally prevent bridging between PVCs in the same VLAN.

Step 4  Router(config-if-atm-vc)# encapsulation aal5snap
        (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The default and only supported type is aal5snap.

        Note: Repeat Step 1 through Step 4 for each interface on the ATM SPA to be configured.

Step 5  Router(config-if-atm-vc)# end
        Exits ATM VC configuration mode and returns to privileged EXEC mode.

Verifying the RFC 1483 Bridging Configuration

To verify the RFC 1483 bridging configuration and status, use the show interface atm command:

Router# show interface atm 6/1/0.3
ATM6/1/0.3 is up, line protocol is up
  Hardware is SPA-4XOC3-ATM
  Internet address is 10.10.10.13/24
  MTU 4470 bytes, BW 149760 Kbit, DLY 80 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM
  5 packets input, 566 bytes
  5 packets output, 566 bytes
  1445 OAM cells input, 1446 OAM cells output

Configuring Layer 2 Protocol Tunneling Topology

To enable BPDU translation for the Layer 2 Protocol Tunneling (L2PT) topologies, use the following command line:

bridge-domain PE vlan dot1q-tunnel ignore-bpdu-pid pvst-tlv CE vlan

Configuring Layer 2 Tunneling Protocol Version 3 (L2TPv3)

Complete the following steps to configure ATM L2TPv3:

Step 1  Router# enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.

Step 2  Router# configure terminal
        Enters global configuration mode.

Step 3  Router(config)# interface ATM type slot/port
        Specifies the interface by type, slot, and port number, and enters interface configuration mode.

Step 4  Router(config-if)# atm pvp vpi l2transport
        Specifies that the PVP is dedicated to transporting ATM cells.
        • vpi: ATM network virtual path identifier (VPI) of the VC to multiplex on the permanent virtual path. The range is 0 to 255.
        Note: The l2transport keyword indicates that the PVP is for cell relay. Once you enter this command, you can enter l2transport PVP configuration mode. This configuration mode is for Layer 2 transport only; it is not for terminated PVPs.

Step 5  Router(config-if)# xconnect peer-ip-address vcid pw-class pw-class-name
        Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PEs at each end of the control channel.
        • The peer router ID (IP address) and virtual circuit ID must be a unique combination on the router.
        • pw-class-name: The pseudowire class configuration from which the data encapsulation type (L2TPv3) is taken. The pseudowire class parameter binds the cross-connect statement to a specific pseudowire class. The pseudowire class then serves as the template configuration for all attachment circuits bound to it.

Verifying L2TPv3 Configuration

To verify the configuration of a PVP, use the show atm vp command in EXEC mode.

Router# show atm vp 5
ATM4/1/0 VPI: 5, Cell-Relay, PeakRate: 155000, CesRate: 0, DataVCs: 0, CesVCs: 0, Status: ACTIVE
  VCD   VCI   Type   InPkts   OutPkts   AAL/Encap   Status
    8     3   PVC         0         0   F4 OAM      ACTIVE
    9     4   PVC         0         0   F4 OAM      ACTIVE
TotalInPkts: 0, TotalOutPkts: 0, TotalInFast: 0, TotalOutFast: 0, TotalBroadcasts: 0

Configuring RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling

RFC 1483 bridging (see the "Configuring RFC 1483 Bridging for PVCs" section on page 7-14) can also include IEEE 802.1Q tunneling, which allows service providers to aggregate multiple VLANs over a single VLAN, while still keeping the individual VLANs segregated and preserving the VLAN IDs for each customer. This tunneling simplifies traffic management for the service provider, while keeping the customer networks secure. Also, IEEE 802.1Q tunneling is configured only on the service provider routers, so it does not require any additional configuration on the customer-side routers. The customer side is not aware of the configuration.

Note: For complete information on IEEE 802.1Q tunneling on a Cisco 7600 series router, see the Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SX.

Note: RFC 1483 has been updated and superseded by RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5.

RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Guidelines

When configuring RFC 1483 bridging for PVCs with IEEE 802.1Q tunneling, consider the following guidelines:
• Customer equipment must be configured for RFC 1483 bridging with IEEE 802.1Q tunneling using the bridge-domain dot1q ATM VC configuration command. See the "Configuring RFC 1483 Bridging for PVCs" section on page 7-14 for more information.
• PVCs must use AAL5 encapsulation.
• RFC 1483 bridged PVCs must terminate on the ATM SPA, and the traffic forwarded over this bridged connection to the edge must be forwarded through an Ethernet port.
• To use the Virtual Trunking Protocol (VTP), each main interface should have a subinterface that has been configured for the management VLANs (VLAN 1 and VLANs 1002 to 1005).
• RFC 1483 bridging in a switched virtual circuit (SVC) environment is not supported.

RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Task

To configure RFC 1483 bridging for PVCs with IEEE 802.1Q tunneling, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port.subinterface point-to-point
        (Optional) Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.
        Note: Although it is most common to create the PVCs on subinterfaces, you can also omit this step to create the PVCs for RFC 1483 bridging on the main interface.

Step 2  Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
        Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are:
        • vpi: Specifies the VPI ID. The valid range is 0 to 255.
        • vci: Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
        You can also configure the following options:
        • name: (Optional) An arbitrary string that identifies this PVC.
        • ilmi: (Optional) Configures the PVC to use ILMI encapsulation (default).
        • qsaal: (Optional) Configures the PVC to use QSAAL encapsulation.
        Note: When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has already been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC's configuration and automatically switches to its parent subinterface.

Step 3  Router(config-if-atm-vc)# bridge-domain vlan-id dot1q-tunnel
        Binds the PVC to the specified vlan-id and enables the use of IEEE 802.1Q tunneling on the PVC. This preserves the VLAN ID information across the ATM cloud.

Step 4  Router(config-if-atm-vc)# encapsulation aal5snap
        (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The default and only supported type is aal5snap.

        Note: Repeat Step 1 through Step 4 for each interface on the ATM SPA to be configured.

Step 5  Router(config-if-atm-vc)# end
        Exits ATM VC configuration mode and returns to privileged EXEC mode.

Verifying the RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration

To verify the IEEE 802.1Q tunneling on an ATM SPA, use the show l2protocol-tunnel command:

Router# show l2protocol-tunnel
CoS for Encapsulated Packets: 5

Port      Protocol  Shutdown   Drop       Encapsulation  Decapsulation  Drop
                    Threshold  Threshold  Counter        Counter        Counter
-------   --------  ---------  ---------  -------------  -------------  -------------
Gi4/2     cdp       ----       ----       0              0              0
          stp       ----       ----       0              0              0
          vtp       ----       ----       0              0              0
ATM6/2/1  cdp       ----       ----       n/a            n/a            n/a
          stp       ----       ----       n/a            n/a            n/a
          vtp       ----       ----       n/a            n/a            n/a

Note: The counters in the output of the show l2protocol-tunnel command are not applicable for ATM interfaces when IEEE 802.1Q tunneling is enabled.
Use the following command to display the interfaces that are configured with an IEEE 802.1Q tunnel:

Router# show dot1q-tunnel
LAN Port(s)
-----------
Gi4/2

ATM Port(s)
-----------
ATM6/2/1

Configuring ATM RFC 1483 Half-Bridging

The ATM SPA supports ATM RFC 1483 half-bridging, which routes IP traffic from a stub-bridged Ethernet LAN over a bridged RFC 1483 ATM interface, without using integrated routing and bridging (IRB). This allows bridged traffic that terminates on an ATM PVC to be routed on the basis of the destination IP address. For example, Figure 7-2 shows a remote bridged Ethernet network connecting to a routed network over a device that bridges the Ethernet LAN to the ATM interface.

Figure 7-2 ATM RFC 1483 Half-Bridging (figure not reproduced: subinterface ATM 4/1/0.100 with address 172.31.5.9 faces a bridged Ethernet subnet 172.31.5.0)

When half-bridging is configured, the ATM interface receives the bridged IP packets and routes them according to each packet's IP destination address. Similarly, when packets are routed to this ATM PVC, it forwards them out as bridged packets on its bridge connection.

This use of a stub network topology offers better performance and flexibility than integrated routing and bridging (IRB), and it also helps to avoid a number of issues such as broadcast storms and security risks. In particular, half-bridging reduces the potential security risks that are associated with normal bridging configurations. Because the ATM interface allocates a single virtual circuit (VC) to a subnet (which could be as small as a single IP address), half-bridging limits the size of the nonsecured network that can be allowed access to the larger routed network. This makes half-bridging configurations ideally suited for customer access points, such as digital subscriber lines (DSL).
Note RFC 1483 has been updated and superseded by RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5. However, to avoid confusion, this document continues to use the previously-used terminology of “RFC 1483 ATM half-bridging.” To configure a point-to-multipoint ATM PVC for ATM half-bridging, use the configuration task in the following section. Note Use the following configuration task when you want to configure point-to-multipoint PVCs for half-bridging operation. Use the configuration task in the “Configuring ATM Routed Bridge Encapsulation” section on page 7-23 to configure a point-to-point PVC for similar functionality. ATM RFC 1483 Half-Bridging Configuration Guidelines When configuring ATM RFC 1483 half-bridging, consider the following guidelines: • Supports only IP traffic and access lists. • Supports only fast switching and process switching. • Supports only PVCs that are configured on multipoint subinterfaces. SVCs are not supported for half-bridging. • A maximum of one PVC can be configured for half-bridging on each subinterface. Other PVCs can be configured on the same subinterface, as long as they are not configured for half-bridging as well. • The same PVC cannot be configured for both half-bridging and full bridging. ATM RFC 1483 Half-Bridging Configuration Task To configure ATM RFC 1483 half-bridging, perform the following procedure beginning in global configuration mode: Command or Action Purpose Step 1 Router(config)# interface atm slot/subslot/port.subinterface multipoint Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode. Step 2 Router(config-subif)# ip address address mask [secondary] Assigns the specified IP address and subnet mask to this subinterface. This IP address should be on the same subnet as the remote bridged network (the Ethernet network). 
7-22 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Configuration Tasks Verifying the ATM RFC 1483 Half-Bridging Configuration To verify the ATM RFC 1483 half-bridging configuration, use the show atm vc command: Router# show atm vc 20 ATM4/0/0.20: VCD: 20, VPI: 1, VCI: 20 UBR, PeakRate: 149760 AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0 OAM frequency: 0 second(s) InARP frequency: 15 minutes(s), 1483-half-bridged-encap Transmit priority 6 InPkts: 2411, OutPkts: 2347, InBytes: 2242808, OutBytes: 1215746 InPRoc: 226, OutPRoc: 0 InFast: 0, OutFast: 0, InAS: 2185, OutAS: 2347 InPktDrops: 1, OutPktDrops: 0 InByteDrops: 0, OutByteDrops: 0 CrcErrors: 139, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0 Out CLP=1 Pkts: 0 OAM cells received: 0 OAM cells sent: 0 Status: UP Step 3 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are: • vpi—Specifies the VPI ID. The valid range is 0 to 255. • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC. You can also configure the following options: • name—(Optional) An arbitrary string that identifies this PVC. • ilmi—(Optional) Configures the PVC to use ILMI encapsulation (default). • qsaal—(Optional) Configures the PVC to use QSAAL encapsulation. Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and automatically switches to its parent subinterface. 
Step 4 Router(config-if-atm-vc)# encapsulation aal5snap bridge (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type, and specifies that half-bridging should be used. Step 5 Router(config-if-atm-vc)# end Exits ATM VC configuration mode and returns to privileged EXEC mode. Command or Action Purpose7-23 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Configuration Tasks Configuring ATM Routed Bridge Encapsulation The ATM SPAs support ATM Routed Bridge Encapsulation (RBE), which is similar in functionality to RFC 1483 ATM half-bridging, except that ATM half-bridging is configured on a point-to-multipoint PVC, while RBE is configured on a point-to-point PVC (see the “Configuring ATM RFC 1483 Half-Bridging” section on page 7-20). Note The 1-Port OC-48c/STM-16 ATM SPA does not support RBE. Use the following configuration task to configure a point-to-point subinterface and PVC for RBE bridging. Note RFC 1483 has been updated and superseded by RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5. ATM Routed Bridge Encapsulation Configuration Guidelines When configuring ATM RBE, consider the following guidelines: • Supported only on ATM SPAs in a Cisco 7600 SIP-200. RBE is not supported when using a Cisco 7600 SIP-400. • Supports only AAL5SNAP encapsulation. • Supports only IP access lists, not MAC-layer access lists. • Supports only fast switching and process switching. • Supports distributed Cisco Express Forwarding (dCEF). • Supports only PVCs on point-to-point subinterfaces. SVCs are not supported for half-bridging. • The bridge-domain command cannot be used on any PVC that is configured for RBE, because an RBE PVC acts as the termination point for bridged packets. • The atm bridge-enable command, which was used in previous releases on other ATM interfaces, is not supported on ATM SPA interfaces. 
• The IS-IS protocol is not supported with point-to-point PVCs that are configured for RBE bridging. RBE Configuration Limitation Supports Only One Remote MAC Address On the Cisco 7600 series router with a Supervisor Engine 720 or Route Switch Processor 720 (RSP720) and the following SPA, an ATM PVC with an RBE configuration can send packets to only a single MAC address: • ATM SPA on the Cisco 7600 SIP-200 This restriction occurs because the Cisco 7600 series router keeps only one MAC address attached to an RBE PVC. The MAC address-to-PVC mapping is refreshed when a packet is received from the host. If there are multiple hosts connected to the PVC, the mapping is not stable and traffic forwarding is affected. 7-24 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Configuration Tasks The solution to this problem is as follows: 1. Configure the ATM PVC for RFC 1483 bridging using the bridge domain vlan x command line interface. 2. Configure an interface vlan vlan x with the IP address of the RBE subinterface. ATM Routed Bridge Encapsulation Configuration Task To configure ATM routed bridge encapsulation, perform the following procedure beginning in global configuration mode: Command or Action Purpose Step 1 Router(config)# interface atm slot/subslot/port.subinterface point-to-point Creates the specified multipoint subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode. Step 2 Router(config-subif)# atm route-bridge ip Enables ATM RFC 1483 half-bridging (RBE bridging). Note The atm route-bridge ip command can be issued either before or after you create the PVC. Step 3 Router(config-subif)# ip address address mask [secondary] Assigns the specified IP address and subnet mask to this subinterface. This IP address should be on the same subnet as the remote bridged network (the Ethernet network). 
Step 4 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are: • vpi—Specifies the VPI ID. The valid range is 0 to 255. • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC. You can also configure the following options: • name—(Optional) An arbitrary string that identifies this PVC. • ilmi—(Optional) Configures the PVC to use ILMI encapsulation (default). • qsaal—(Optional) Configures the PVC to use QSAAL encapsulation. Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and automatically switches to its parent subinterface. Step 5 Router(config-if-atm-vc)# encapsulation aal5snap (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The only supported encapsulation for an RBE PVC is aal5snap. Step 6 Router(config-if-atm-vc)# end Exits ATM VC configuration mode and returns to privileged EXEC mode. 7-25 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Configuration Tasks Note The atm route-bridge ip command, like other subinterface configuration commands, is not automatically removed when you delete a subinterface. If you want to remove a subinterface and re-create it without the half-bridging, be sure to manually remove the half-bridging configuration, using the no atm route-bridge ip command. 
Verifying the ATM Routed Bridge Encapsulation Configuration

To verify the RBE bridging configuration, use the show ip cache verbose command:

Router# show ip cache verbose
IP routing cache 3 entries, 572 bytes
   9 adds, 6 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
   quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Last full cache invalidation occurred 00:30:34 ago

Prefix/Length         Age       Interface       Next Hop
10.1.0.51/32-24       00:30:10  Ethernet3/1/0   10.1.0.51
                 14   0001C9F2A81D00600939BB550800
10.8.100.50/32-24     00:00:04  ATM1/1/0.2      10.8.100.50
                 28   00010000AA030080C2000700000007144F5D201C0800
10.8.101.35/32-24     00:06:09  ATM1/1/0.4      10.8.101.35
                 28   00020000AA030080C20007000000E01E8D3F901C0800

Note  The show ip cache command is not supported in the RBE feature.

Configuring RFC 1483 Bridging of Routed Encapsulations

When RFC 1483 routed ATM-based packets come into the Cisco 7600 series router through a PVC, there is no Ethernet payload header on them. Bridging of routed encapsulations (BRE) enables the router to receive RFC 1483 routed encapsulated packets and forward them as Layer 2 frames. In a BRE configuration, the PVC receives the routed PDUs, removes the RFC 1483 routed encapsulation header, and adds an Ethernet MAC header to the packet. The Layer 2 encapsulated packet is then switched by the forwarding engine to the Layer 2 interface determined by the VLAN number and destination MAC address.

BRE is supported on all SIP-200 and SIP-400 ATM SPAs. The PVCs must be AAL5 encapsulated.

Note  The 1-Port OC-48c/STM-16 ATM SPA does not support bridging.

Figure 7-3 shows a topology where an interface on an ATM SPA receives routed PDUs from the ATM cloud and encapsulates them as Layer 2 frames. It then forwards the frames to the Layer 2 customer device.
Figure 7-3  Example of BRE Topology
[Figure not reproduced: CPE1 sends RFC 1483 routed encapsulated ATM PDUs across the ATM cloud to the Cisco 7600 edge router, which forwards them as Ethernet frames to the CE / CPE2 device.]

RFC 1483 Bridging of Routed Encapsulations Configuration Guidelines

When configuring RFC 1483 bridging of routed encapsulations, consider the following guidelines:
• BRE requires that the ATM SPAs are installed in a Cisco 7600 SIP-200.
• PVCs must use AAL5 encapsulation.
• RFC 1483 bridged PVCs must terminate on the ATM SPA, and the traffic forwarded over this bridged connection to the edge must be forwarded through an Ethernet port.
• To use the Virtual Trunking Protocol (VTP), each main interface should have a subinterface that has been configured for the management VLANs (VLAN 1 and VLANs 1002 to 1005).
• Concurrent configuration of RFC 1483 bridging and BRE on the same PVC and VLAN is not supported.
• Bridging between RFC 1483 bridged PVCs is not supported.
• RFC 1483 bridging in a switched virtual circuit (SVC) environment is not supported.
• You should not use the same VLAN in BRE and bridge-domain.

Note  While configuring BRE on an ATM interface, the BRE end does not have an IP address configured (Layer 2), whereas at the non-BRE end an IP address is configured (Layer 3).

RFC 1483 Bridging of Routed Encapsulations Configuration Task

To configure RFC 1483 bridging of routed encapsulations, perform the following procedure beginning in global configuration mode:

Command or Action / Purpose
Step 1  Router(config)# interface atm slot/subslot/port
    Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2  Router(config-if)# no ip address
    Assigns no IP address to the interface.
Step 3  Router(config-if)# spanning-tree bpdufilter enable
    (Optional) Blocks all Spanning Tree BPDUs on the ATM interface.
    This command should be used if this ATM interface is configured only for BRE VLANs.
    Note  If this ATM interface is configured for both BRE and RFC 1483 bridged VLANs, do not enter this command unless you want to explicitly block BPDUs on the interface.
Step 4  Router(config-if)# no shutdown
    Enables the interface.
Step 5  Router(config-if)# interface atm slot/subslot/port.subinterface point-to-point
    Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.
Step 6  Router(config-subif)# no ip address
    Assigns no IP address to the subinterface.
Step 7  Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
    Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are:
    • vpi—Specifies the VPI ID. The valid range is 0 to 255.
    • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
    You can also configure the following options:
    • name—(Optional) An arbitrary string that identifies this PVC.
    • ilmi—(Optional) Configures the PVC to use ILMI encapsulation (default).
    • qsaal—(Optional) Configures the PVC to use QSAAL encapsulation.
    Note  When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and automatically switches to its parent subinterface.
Step 8  Router(config-if-atm-vc)# bre-connect vlan-id [mac mac-address]
    Enables BRE bridging on the PVC, where:
    • mac mac-address—(Optional) Specifies the hardware (MAC) address of the destination customer premises equipment (CPE) device at the remote end of the VLAN connection.
Step 9  Router(config-if-atm-vc)# interface gigabitethernet slot/port
    Enters interface configuration mode for the specified Gigabit Ethernet interface.
Step 10  Router(config-if)# switchport
    Configures the Gigabit Ethernet interface for Layer 2 switching.
Step 11  Router(config-if)# switchport access vlan vlan-id
    (Optional) Specifies the default VLAN for the interface. This should be the same VLAN ID that was specified in the bre-connect command in Step 8.
Step 12  Router(config-if)# switchport mode access
    Puts the interface into nontrunking mode.
Step 13  Router(config-if)# end
    Exits interface configuration mode and returns to privileged EXEC mode.

Verifying the RFC 1483 Bridging of Routed Encapsulations Configuration

Use the following commands to verify the RFC 1483 bridging of routed encapsulations configuration:

Router# show running-config interface atm 10/0/3.111
Building configuration...

Current configuration : 149 bytes
!
interface ATM10/0/3.111 point-to-point
 no atm enable-ilmi-trap
 no snmp trap link-status
 pvc 11/101
  bre-connect 11 mac 0100.1234.1234

Router# show running-config interface gigabitethernet 1/2
interface GigabitEthernet1/2
 no ip address
 switchport
 switchport access vlan 100
 no cdp enable
!
Router# show vlan id 100

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
100  VLAN0100                         active    Gi1/2, AT5/0/2

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
100  enet  100100     1500  -      -      -        -    -        0      0

Router# show atm vlan
Interface      Bridge VCD  Vlan ID
ATM4/5/0/2.1   1           100

Configuring the Bridged Routed Encapsulation within an Automatic Protection Switching Group

You can configure only one VC on the same VLAN. To configure more than one VC, customers configure two different VLANs on the protected and working interfaces of the Automatic Protection Switching (APS) group. This workaround is not a viable long-term solution because it results in high convergence time and an inefficient use of VLANs. To resolve these limitations, you can use the BRE+APS feature to configure two VCs for the same VLAN, provided their parent interfaces also belong to the same APS group. The show atm vlan bre command is used to reflect the status of the PVCs configured.

Supported Line Cards

This feature is supported on the SIP-200 and SIP-400 line cards.

Requirements and Restrictions

Follow these requirements and restrictions when you configure the BRE+APS feature:
• You can configure BRE-connect VLANs for two different VCs if the new VC:
  – belongs to the same APS group to which the first VC belongs.
  – does not belong to the same ATM interface as the first VC.
• Before you change the APS parameters of an interface (changing the APS group or removing the APS configurations), first ensure that the BRE configurations on the interface are removed.
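The RBE guidelines, the BRE guidelines and the BRE+APS restrictions above are the kind of rules a configuration audit can check mechanically before a change is pushed. The following Python linter is an added example, not Cisco code or part of this guide: it parses a constructed IOS-style running-config fragment and reports violations of those rules. It assumes that an `aps group N` line on the main interface marks APS membership and that a PVC with no explicit encapsulation line uses the IOS default, aal5snap.

```python
"""Lint an IOS-style ATM SPA running-config against the RBE, BRE and BRE+APS rules in
this chapter (added example, not Cisco code).  The sample config is constructed; the
main-interface `aps group N` line is an assumed syntax, and a PVC with no explicit
`encapsulation` is assumed to use the IOS default, aal5snap."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface ATM3/0/0
 aps group 1
interface ATM3/0/0.1 point-to-point
 ip address 10.8.100.1 255.255.255.0
 atm route-bridge ip
 pvc 0/100
  encapsulation aal5mux ip
interface ATM3/0/0.2 point-to-point
 no ip address
 pvc 1/101
  bre-connect 200
interface ATM4/0/0
 aps group 1
interface ATM4/0/0.2 point-to-point
 ip address 10.9.0.1 255.255.255.0
 pvc 1/101
  bre-connect 200
interface ATM4/0/0.5 point-to-point
 ip address 10.8.101.1 255.255.255.0
 atm route-bridge ip
 pvc 2/20
  bridge-domain 200
"""


def parse_config(text):
    """Return {name: {parent, p2p, rbe, has_ip, aps, pvcs: [{vpi, vci, encap, bre_vlan, bd_vlan}]}}."""
    ifaces, itf, pvc = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"interface (ATM\S+?)(\.\d+)?(?: (point-to-point|multipoint))?$", line):
            itf = ifaces[m.group(1) + (m.group(2) or "")] = {
                "parent": m.group(1), "p2p": m.group(3) == "point-to-point",
                "rbe": False, "has_ip": False, "aps": None, "pvcs": []}
            pvc = None
        elif itf is None:
            continue                                 # lines before the first stanza
        elif line == "atm route-bridge ip":
            itf["rbe"] = True
        elif line.startswith("ip address "):
            itf["has_ip"] = True
        elif m := re.match(r"aps group (\d+)$", line):
            itf["aps"] = int(m.group(1))
        elif m := re.match(r"pvc (?:\S+ )?(\d+)/(\d+)$", line):
            pvc = {"vpi": int(m.group(1)), "vci": int(m.group(2)),
                   "encap": None, "bre_vlan": None, "bd_vlan": None}
            itf["pvcs"].append(pvc)
        elif pvc is not None:                        # VC-mode lines of the last pvc
            if m := re.match(r"encapsulation (\S+)", line):
                pvc["encap"] = m.group(1)
            elif m := re.match(r"bre-connect (\d+)", line):
                pvc["bre_vlan"] = int(m.group(1))
            elif m := re.match(r"bridge-domain (\d+)", line):
                pvc["bd_vlan"] = int(m.group(1))
    return ifaces


def lint(ifaces):
    """Return a list of findings; an empty list means the config passes every check."""
    findings, bre_users, bd_vlans = [], defaultdict(list), set()
    for name, itf in ifaces.items():
        for p in itf["pvcs"]:
            vc = f"{name} pvc {p['vpi']}/{p['vci']}"
            if not (0 <= p["vpi"] <= 255 and 1 <= p["vci"] <= 65535):
                findings.append(f"{vc}: VPI/VCI out of range")
            elif p["vci"] <= 31 and p["vci"] not in (5, 16):   # 5 = QSAAL, 16 = ILMI
                findings.append(f"{vc}: VCI 1-31 is reserved")
            if itf["rbe"]:
                if not itf["p2p"]:
                    findings.append(f"{vc}: RBE needs a point-to-point subinterface")
                if p["encap"] not in (None, "aal5snap"):
                    findings.append(f"{vc}: RBE supports only aal5snap")
                if p["bd_vlan"] is not None:
                    findings.append(f"{vc}: bridge-domain is not allowed on an RBE PVC")
            if p["bre_vlan"] is not None:
                if itf["has_ip"]:
                    findings.append(f"{vc}: the BRE end must not have an IP address")
                if p["bd_vlan"] is not None:
                    findings.append(f"{vc}: RFC 1483 bridging and BRE on the same PVC")
                aps = ifaces.get(itf["parent"], {}).get("aps")   # APS is on the main interface
                bre_users[p["bre_vlan"]].append((itf["parent"], aps))
            if p["bd_vlan"] is not None:
                bd_vlans.add(p["bd_vlan"])
    for vlan, users in bre_users.items():
        if vlan in bd_vlans:
            findings.append(f"VLAN {vlan}: used by both BRE and bridge-domain")
        if len(users) > 1:            # BRE+APS: one VLAN on two VCs only across one APS group
            parents, groups = {u[0] for u in users}, {u[1] for u in users}
            if len(parents) < len(users):
                findings.append(f"VLAN {vlan}: two BRE VCs on the same ATM interface")
            elif len(groups) != 1 or None in groups:
                findings.append(f"VLAN {vlan}: BRE VCs must share one APS group")
    return findings
```

Running lint(parse_config(SAMPLE_CONFIG)) reports the aal5mux RBE PVC, the BRE subinterface that carries an IP address, the reserved VCI 20, the bridge-domain on an RBE PVC, and VLAN 200 being used by both BRE and bridge-domain.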
Note  To configure APS on an ATM interface, refer to Configuring APS, page 15-9.

Verifying the Bridged Routed Encapsulation within an Automatic Protection Switching Group Configuration

Command or Action / Purpose
Step 1  Router(config)# show atm vlan bre
    Verifies the configuration and displays the status of the PVC. An active VC is displayed as UP and an inactive VC as DN (down).

This example shows how to verify the configuration of a BRE ATM VLAN:

Router# show atm vlan bre
Interface    Bre VCD  VPI/VCI  Vlan  Learned MAC     Virtual MAC     State
ATM3/0/0.1   1        0/11     100   0000.0000.0000  0000.0300.0001  UP
ATM3/0/0.2   2        1/13     200   0000.0000.0000  0000.0300.0002  UP
ATM4/0/0.2   2        1/13     300   0000.0000.0000  0000.0400.0002  DN

Warning Messages

Consider instances where you have configured APS on the main interface, and have configured BRE within a main interface and subinterface. The warning message “%ATM2/0/0 - Remove BRE configs on this interface before changing APS configs” appears when you attempt to modify the APS configurations on the main interface without removing the BRE configurations first.

Configuring MPLS over RBE

The ATM SPAs support MPLS over RBE on a Cisco 7600 SIP-200. For more information on routed bridged encapsulation (RBE), see the “Configuring ATM Routed Bridge Encapsulation” section on page 7-23. To use this feature, configure both RBE and MPLS on the ATM subinterface using the following procedure:

Command or Action / Purpose
Step 1  Router(config)# interface atm slot/subslot/port
    Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2  Router(config-if)# ip address
    Assigns an IP address to the interface.
Step 3  Router(config-if)# atm route-bridge ip
    Configures RBE.
Step 4  Router(config-if)# mpls ip
    Configures MPLS.

Verifying MPLS over RBE Configuration

Use the following commands to verify the MPLS over RBE configuration:

Router# show running interfaces a4/1/0.200
interface ATM4/1/0.200 point-to-point
 ip address 3.0.0.2 255.255.0.0
 atm route-bridged ip
 tag-switching ip
 pvc 10/200
!

Router# show mpls interfaces
Interface              IP            Tunnel   Operational
ATM4/1/0.200           Yes (ldp)     No       Yes

Router# show mpls ldp bindings
  tib entry: 5.0.0.0/16, rev 2
        local binding:  tag: imp-null
  tib entry: 6.0.0.0/16, rev 4
        local binding:  tag: imp-null
        remote binding: tsr: 3.0.0.1:0, tag: imp-null

Router# show mpls ldp neighbor
    Peer LDP Ident: 3.0.0.1:0; Local LDP Ident 3.0.0.2:0
        TCP connection: 3.0.0.1.646 - 3.0.0.2.11001
        State: Oper; Msgs sent/rcvd: 134/131; Downstream
        Up time: 01:51:08
        LDP discovery sources:
          ATM4/1/0.200, Src IP addr: 6.0.0.1
        Addresses bound to peer LDP Ident:
          6.0.0.1

Router# show mpls forwarding
Local  Outgoing    Prefix            Bytes tag  Outgoing     Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     3.0.0.0/16        0          AT4/1/0.200  6.0.0.1
17     Pop tag     16.16.16.16/32    0          AT4/1/0.200  6.0.0.1
18     19          13.13.13.13/32    134        AT4/1/0.200  6.0.0.1      <<<<<
19     Pop tag     17.17.17.17/32    0          PO8/0/0.1    point2point

Configuring Aggregate WRED for PVCs

Weighted Random Early Detection (WRED) is the Cisco implementation of Random Early Detection (RED) for standard Cisco IOS platforms. RED is a congestion-avoidance technique that takes advantage of the congestion-control mechanism of TCP to anticipate and avoid congestion before it occurs. By dropping packets prior to periods of high congestion, RED tells the packet source (usually TCP) to decrease its transmission rate. When configured, WRED can selectively discard lower priority traffic and provide differentiated performance characteristics for different classes of service.

The Aggregate WRED feature provides a means to overcome limitations of WRED implementations that can only support a limited number of unique subclasses.
When an interface enables support for aggregate WRED, subclasses that share the same minimum threshold, maximum threshold, and mark probability values can be configured into one aggregate subclass based on their IP precedence value or differentiated services code point (DSCP) value. (The DSCP value is the first six bits of the IP type of service [ToS] byte.) You can also define a default aggregate subclass for all subclasses that have not been explicitly defined.

For more complete information on WRED, refer to the Cisco IOS Quality of Service Solutions Configuration Guide.

Aggregate WRED Configuration Guidelines

When configuring aggregate WRED on an ATM SPA interface, consider the following guidelines:
• The Aggregate WRED feature requires that the ATM SPAs are installed in a Cisco 7600 SIP-200 or a Cisco 7600 SIP-400.
• With the Aggregate WRED feature, the previous configuration limitation of a maximum of 6 precedence values per class per WRED policy map is no longer in effect.
• When you configure a policy map class for aggregated WRED on an ATM interface, you cannot also configure the standard random-detect commands in interface configuration or policy-map class configuration mode.
• Specifying the precedence-based keyword is optional; precedence-based is the default form of aggregate WRED.
• The set of subclass values (IP precedence or DSCP) defined on a random-detect precedence (aggregate) or random-detect dscp (aggregate) CLI will be aggregated into a single hardware WRED resource. The statistics for these subclasses will also be aggregated.
• Defining WRED parameter values for the default aggregate class is optional. If defined, WRED parameters applied to the default aggregate class will be used for all subclasses that have not been explicitly configured.
  If all possible IP precedence or DSCP values are defined as subclasses, a default specification is unnecessary. If the optional parameters for a default aggregate class are not defined and packets with an unconfigured IP precedence or DSCP value arrive at the interface, these undefined subclass values will be set based on interface (VC) bandwidth.
• After aggregate WRED has been configured in a service policy map, the service policy map must be applied at the ATM VC level (as shown in Step 5 through Step 8 of “Configuring Aggregate WRED Based on IP Precedence”).
• The Aggregate WRED feature is not supported in a switched virtual circuit (SVC) environment.

Configuring Aggregate WRED Based on IP Precedence

To configure aggregate WRED to drop packets based on IP precedence values, use the following commands beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# policy-map policy-map-name
    Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
    • policy-map-name—Name of a service policy map to be created. The name can be a maximum of 40 alphanumeric characters.
Step 2  Router(config-pmap)# class {class-name | class-default}
    Specifies the class policy to be configured.
    • class-name—Name of the class you want to configure. Note that WRED can be defined for a user-defined class only if the class has the bandwidth/shape feature enabled.
    • class-default—Default class.
Step 3  Router(config-pmap-c)# random-detect [precedence-based] aggregate [minimum-thresh min-thresh maximum-thresh max-thresh mark-probability mark-prob]
    Enables aggregate WRED based on IP precedence values. If optional parameters for a default aggregate class are not defined, these parameters will be set based on interface (VC) bandwidth.
    • precedence-based—(Optional) Specifies that aggregate WRED is to drop packets based on IP precedence values. This is the default.
    • min-thresh—(Optional) Minimum threshold in number of packets. The value range of this argument is from 1 to 12288.
    • max-thresh—(Optional) Maximum threshold in number of packets. The value range of this argument is from the value of the minimum threshold argument to 12288.
    • mark-prob—(Optional) Denominator for the fraction of packets dropped when the average queue depth is at the maximum threshold. The value range is from 1 to 255.
Step 4  Router(config-pmap-c)# random-detect precedence values sub-class-val1 [...[sub-class-val8]] minimum-thresh min-thresh maximum-thresh max-thresh [mark-probability mark-prob]
    Configures the WRED parameters for packets with one or more specific IP precedence values.
    • sub-class-val1 [...[sub-class-val8]]—One or more specific IP precedence values to which the following WRED profile parameter specifications are to apply. A maximum of 8 subclasses (IP precedence values) can be specified per CLI entry. The IP precedence value can be a number from 0 to 7.
    • min-thresh—Minimum threshold in number of packets. The value range of this argument is from 1 to 12288.
    • max-thresh—Maximum threshold in number of packets. The value range of this argument is from the value of the minimum threshold argument to 12288.
    • mark-prob—Denominator for the fraction of packets dropped when the average queue depth is at the maximum threshold. The value range is from 1 to 255.
    Repeat this command for each set of IP precedence values that share WRED parameters.
Step 5  Router(config-pmap-c)# interface atm slot/subslot/port.subinterface point-to-point
    Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.
    • slot—Chassis slot number where the SIP is installed.
    • subslot—Secondary slot of the SIP where the SPA is installed.
    • port—Number of the individual interface port on the SPA.
    • .subinterface—Subinterface number. The number that precedes the period must match the number to which this subinterface belongs. The range is 1 to 4,294,967,293.
Step 6  Router(config-subif)# ip address address mask
    Assigns the specified IP address and subnet mask to the interface.
    • address—IP address.
    • mask—Subnet mask.
Step 7  Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
    Configures a new ATM PVC by assigning an optional name and its VPI/VCI numbers.
    • name—(Optional) An arbitrary string that identifies this PVC.
    • vpi—VPI ID. The range is 0 to 255.
    • vci—VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except 5 for the QSAAL PVC and 16 for the ILMI PVC.
Step 8  Router(config-subif)# service-policy output policy-map-name
    Attaches the specified policy map to the subinterface.
    • policy-map-name—Name of a service policy map to be attached. The name can be a maximum of 40 alphanumeric characters.

Verifying the Precedence-Based Aggregate WRED Configuration

To verify a precedence-based aggregate WRED configuration, use the show policy-map interface command. Note that the statistics for IP precedence values 0 through 3 and 4 and 5 have been aggregated into one line each.

Router# show policy-map interface a4/1/0.10
 ATM4/1/0.10: VC 10/110 -

  Service-policy output: prec-aggr-wred

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        Exp-weight-constant: 9 (1/512)
        Mean queue depth: 0

  class    Transmitted  Random drop  Tail drop   Minimum  Maximum  Mark
           pkts/bytes   pkts/bytes   pkts/bytes  thresh   thresh   prob
  0 1 2 3  0/0          0/0          0/0         10       100      1/10
  4 5      0/0          0/0          0/0         40       400      1/10
  6        0/0          0/0          0/0         60       600      1/10
  7        0/0          0/0          0/0         70       700      1/10

Configuring Aggregate WRED Based on DSCP

To configure aggregate WRED to drop packets based on the differentiated services code point (DSCP) value, use the following commands beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# policy-map policy-map-name
    Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
    • policy-map-name—Name of a service policy map to be created. The name can be a maximum of 40 alphanumeric characters.
Step 2  Router(config-pmap)# class {class-name | class-default}
    Specifies the class policy to be configured.
    • class-name—Name of the class you want to configure. Note that WRED can be defined for a user-defined class only if the class has the bandwidth/shape feature enabled.
    • class-default—Default class.
Step 3  Router(config-pmap-c)# random-detect dscp-based aggregate [minimum-thresh min-thresh maximum-thresh max-thresh mark-probability mark-prob]
    Enables aggregate WRED based on DSCP values. If optional parameters for a default aggregate class are not defined, these parameters will be set based on interface (VC) bandwidth.
    • min-thresh—(Optional) Minimum threshold in number of packets. The value range of this argument is from 1 to 12288.
    • max-thresh—(Optional) Maximum threshold in number of packets. The value range of this argument is from the value of the minimum threshold argument to 12288.
    • mark-prob—(Optional) Denominator for the fraction of packets dropped when the average queue depth is at the maximum threshold. The value range is from 1 to 255.
Step 4  Router(config-pmap-c)# random-detect dscp values sub-class-val1 [...[sub-class-val8]] minimum-thresh min-thresh maximum-thresh max-thresh [mark-probability mark-prob]
    Configures the WRED parameters for packets with one or more specific DSCP values.
    • sub-class-val1 [...[sub-class-val8]]—One or more DSCP values to which the following WRED parameter specifications are to apply. A maximum of 8 subclasses (DSCP values) can be specified per CLI entry. The DSCP value can be a number from 0 to 63, or it can be one of the following keywords: ef, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, or cs7.
    • min-thresh—Specifies the minimum threshold in number of packets. The value range of this argument is from 1 to 12288.
    • max-thresh—Specifies the maximum threshold in number of packets. The value range of this argument is from the value of the minimum threshold argument to 12288.
    • mark-prob—Specifies the denominator for the fraction of packets dropped when the average queue depth is at the maximum threshold. The value range is from 1 to 255.
    Repeat this command for each set of DSCP values that share WRED parameters.
Step 5  Router(config-pmap-c)# interface atm slot/subslot/port.subinterface point-to-point
    Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.
    • slot—Chassis slot number where the SIP is installed.
    • subslot—Secondary slot of the SIP where the SPA is installed.
    • port—Number of the individual interface port on the SPA.
    • .subinterface—Subinterface number. The number that precedes the period must match the number to which this subinterface belongs. The range is 1 to 4,294,967,293.
Step 6  Router(config-subif)# ip address address mask
    Assigns the specified IP address and subnet mask to the interface.
    • address—IP address.
    • mask—Subnet mask.
Step 7  Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
    Configures a new ATM PVC by assigning an optional name and its VPI/VCI numbers.
    • name—(Optional) An arbitrary string that identifies this PVC.
    • vpi—VPI ID. The range is 0 to 255.
    • vci—VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except 5 for the QSAAL PVC and 16 for the ILMI PVC.
Step 8  Router(config-subif)# service-policy output policy-map-name
    Attaches the specified policy map to the subinterface.
    • policy-map-name—Name of a service policy map to be attached. The name can be a maximum of 40 alphanumeric characters.

Verifying the DSCP-Based Aggregate WRED Configuration

To verify a DSCP-based aggregate WRED configuration, use the show policy-map interface command. Note that the statistics for DSCP values 0 through 3, 4 through 7, and 8 through 11 have been aggregated into one line each.

Router# show policy-map interface a4/1/0.11
 ATM4/1/0.11: VC 11/101 -

  Service-policy output: dscp-aggr-wred

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        Exp-weight-constant: 0 (1/1)
        Mean queue depth: 0

  class            Transmitted  Random drop  Tail drop   Minimum  Maximum  Mark
                   pkts/bytes   pkts/bytes   pkts/bytes  thresh   thresh   prob
  default          0/0          0/0          0/0         1        10       1/10
  0 1 2 3 4 5 6 7  0/0          0/0          0/0         10       20       1/10
  8 9 10 11        0/0          0/0          0/0         10       40       1/10

Configuring Non-aggregate WRED

Prior to the 15.0(1)S release, the ATM SPA supported only aggregate Weighted Random Early Detection (WRED), where a set of subclass (IP precedence or DSCP) values is aggregated on a single hardware WRED resource on the SPA. The ATM SPA has 8 queues per class, of which one is reserved for priority traffic and another for default traffic; the remaining 6 queues are used for user-defined queues. From the 15.0(1)S release, the ATM SPA also supports non-aggregate WRED on a SIP-200 and SIP-400. The ATM SPA supports limited non-aggregate WRED for the specified DSCP or precedence values (a maximum of 6); the remaining, non-specified DSCP or precedence values go to the default profile.

Non-aggregate WRED Configuration Guidelines

When configuring non-aggregate WRED on an ATM SPA interface, consider the following guidelines:
• The Non-aggregate WRED feature requires that the ATM SPAs are installed in a SIP-200 or a SIP-400.
• Non-aggregate WRED has a maximum of 6 user-defined WRED queues.

Configuring Non-aggregate WRED Based on IP Precedence

To configure non-aggregate WRED to drop packets based on IP precedence values, use the following commands beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# policy-map policy-map-name
    Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
    • policy-map-name—Name of a service policy map to be created. The name can be a maximum of 40 alphanumeric characters.
Step 2  Router(config-pmap)# class {class-name | class-default}
    Specifies the class policy to be configured.
    • class-name—Name of the class you want to configure. Note that WRED can be defined for a user-defined class only if the class has the bandwidth/shape feature enabled.
    • class-default—Default class.
Step 3  Router(config-pmap-c)# random-detect [precedence-based]
    Enables non-aggregate WRED based on IP precedence values. If optional parameters for a default non-aggregate class are not defined, these parameters will be set based on interface (VC) bandwidth.
    • precedence-based—(Optional) Specifies that non-aggregate WRED is to drop packets based on IP precedence values. This is the default.
Step 4  Router(config-pmap-c)# random-detect precedence values sub-class-val1 [...[sub-class-val8]] min-thresh max-thresh [mark-prob]
    Configures the WRED parameters for packets with one or more specific IP precedence values.
    • sub-class-val1 [...[sub-class-val8]]—One or more specific IP precedence values to which the following WRED profile parameter specifications are to apply. A maximum of 8 subclasses (IP precedence values) can be specified per CLI entry. The IP precedence value can be a number from 0 to 7.
    • min-thresh—Minimum threshold in number of packets. The value range of this argument is from 1 to 12288.
    • max-thresh—Maximum threshold in number of packets. The value range of this argument is from the value of the minimum threshold argument to 12288.
    • mark-prob—Denominator for the fraction of packets dropped when the average queue depth is at the maximum threshold. The maximum configurable mark probability value is 31.
    Repeat this command for each set of IP precedence values that share WRED parameters.
Step 5  Router(config-pmap-c)# interface atm slot/subslot/port.subinterface point-to-point
    Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.
    • slot—Chassis slot number where the SIP is installed.
    • subslot—Secondary slot of the SIP where the SPA is installed.
    • port—Number of the individual interface port on the SPA.
    • .subinterface—Subinterface number. The number that precedes the period must match the number to which this subinterface belongs. The range is 1 to 4,294,967,293.
Step 6  Router(config-subif)# ip address address mask
    Assigns the specified IP address and subnet mask to the interface.
        • address—IP address.
        • mask—Subnet mask.

Step 7  Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
        Configures a new ATM PVC by assigning an optional name and its VPI/VCI numbers.
        • name—(Optional) An arbitrary string that identifies this PVC.
        • vpi—VPI ID. The range is 0 to 255.
        • vci—VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except 5 for the QSAAL PVC and 16 for the ILMI PVC.

Step 8  Router(config-subif)# service-policy output policy-map-name
        Attaches the specified policy map to the subinterface.
        • policy-map-name—Name of the service policy map to be attached. The name can be a maximum of 40 alphanumeric characters.

Verifying the Precedence-Based Non-aggregate WRED Configuration

To verify a precedence-based non-aggregate WRED configuration, use the show policy-map interface command. Note that the statistics for IP precedence values 0 through 3 and 4 and 5 have been aggregated into one line each.

Router# show policy-map interface atm 3/0/2
ATM3/0/2: VC 1/100 -
Service-policy output: non-agg-prec
Counters last updated 00:00:02 ago
Class-map: prec012 (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip precedence 0
Match: ip precedence 1
Match: ip precedence 2
Queueing
queue limit 11009 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 42% (62899 kbps)
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class    Transmitted  Random drop  Tail drop   Minimum  Maximum  Mark
         pkts/bytes   pkts/bytes   pkts/bytes  thresh   thresh   prob
default  0/0          0/0          0/0         3096     5504     1/10
0        0/0          0/0          0/0         12       324      1/10
1        N/A          N/A          N/A         N/A      N/A      N/A
2        N/A          N/A          N/A         N/A      N/A      N/A
3        N/A          N/A          N/A         N/A      N/A      N/A
4        N/A          N/A          N/A         N/A      N/A      N/A
5        N/A          N/A          N/A         N/A      N/A      N/A
6        N/A          N/A          N/A         N/A      N/A      N/A
7        N/A          N/A          N/A         N/A      N/A      N/A
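The following Python model is an added example, not part of the Cisco guide and not Cisco code. It shows what the random-detect precedence|dscp values ... min-thresh max-thresh [mark-prob] entries mean for a packet: nothing is dropped below min-thresh, the drop probability climbs linearly to 1/mark-prob at max-thresh, and everything is tail-dropped beyond it. The same model covers the DSCP-based procedure that follows, including the cs/af/ef keyword values (cs3 = 24, af31 = 26 and so on, as the sample output shows). The threshold values are taken from the sample show policy-map interface output; the grouping of precedence values 0, 1 and 2 into one entry is constructed.

```python
"""Non-aggregate WRED sub-class profiles (IP precedence or DSCP based).

Added example; not from the Cisco guide. Thresholds come from the guide's
sample output; the linear drop curve and DSCP keyword table are standard
WRED/DiffServ semantics, not something the guide spells out.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

MAX_THRESH = 12288            # upper bound for min-thresh and max-thresh
MAX_SUBCLASSES_PER_ENTRY = 8  # sub-class-val1 ... sub-class-val8


@dataclass(frozen=True)
class WredProfile:
    min_thresh: int  # packets; below this nothing is randomly dropped
    max_thresh: int  # packets; above this every packet is tail-dropped
    mark_prob: int   # denominator; drop probability at max_thresh is 1/mark_prob


def dscp_value(keyword: str) -> int:
    """Resolve a DSCP keyword (cs1..cs7, af11..af43, ef) or a number 0..63."""
    kw = keyword.lower()
    if kw.isdigit():
        val = int(kw)
    elif kw == "ef":
        val = 46
    elif kw.startswith("cs") and kw[2:].isdigit() and 0 <= int(kw[2:]) <= 7:
        val = int(kw[2:]) * 8                   # class selector: precedence << 3
    elif (kw.startswith("af") and len(kw) == 4 and kw[2:].isdigit()
          and 1 <= int(kw[2]) <= 4 and 1 <= int(kw[3]) <= 3):
        val = int(kw[2]) * 8 + int(kw[3]) * 2   # afXY: class X, drop precedence Y
    else:
        raise ValueError(f"unknown DSCP keyword {keyword!r}")
    if not 0 <= val <= 63:
        raise ValueError(f"DSCP out of range: {keyword!r}")
    return val


class WredPolicy:
    """One policy-map class after random-detect precedence-based | dscp-based."""

    def __init__(self, mode: str, default: WredProfile):
        if mode not in ("precedence", "dscp"):
            raise ValueError("mode must be 'precedence' or 'dscp'")
        self.mode = mode
        # the guide gives different mark-prob ceilings for the two modes
        self.mark_prob_limit = 31 if mode == "precedence" else 255
        self.top_value = 7 if mode == "precedence" else 63
        self.default = self._checked(default)
        self.profiles: Dict[int, WredProfile] = {}

    def _checked(self, p: WredProfile) -> WredProfile:
        if not 1 <= p.min_thresh <= MAX_THRESH:
            raise ValueError("min-thresh must be 1..12288")
        if not p.min_thresh <= p.max_thresh <= MAX_THRESH:
            raise ValueError("max-thresh must be min-thresh..12288")
        if not 1 <= p.mark_prob <= self.mark_prob_limit:
            raise ValueError(f"mark-prob must be 1..{self.mark_prob_limit}")
        return p

    def random_detect_values(self, values: Iterable, profile: WredProfile) -> None:
        """One 'random-detect precedence|dscp values ...' CLI entry."""
        vals = [dscp_value(str(v)) if self.mode == "dscp" else int(v) for v in values]
        if len(vals) > MAX_SUBCLASSES_PER_ENTRY:
            raise ValueError("at most 8 sub-class values per entry")
        for v in vals:
            if not 0 <= v <= self.top_value:
                raise ValueError(f"value {v} out of range for {self.mode}")
            self.profiles[v] = self._checked(profile)

    def drop_probability(self, value: int, avg_queue_depth: int) -> float:
        """0 below min-thresh, linear up to 1/mark-prob at max-thresh,
        1.0 (tail drop) beyond it; unconfigured values use the default profile."""
        p = self.profiles.get(value, self.default)
        if avg_queue_depth < p.min_thresh:
            return 0.0
        if avg_queue_depth > p.max_thresh:
            return 1.0
        span = p.max_thresh - p.min_thresh
        frac = 1.0 if span == 0 else (avg_queue_depth - p.min_thresh) / span
        return frac / p.mark_prob


def sample_precedence_policy() -> WredPolicy:
    """Profiles from the guide's precedence-based sample output (grouping constructed)."""
    policy = WredPolicy("precedence", WredProfile(3096, 5504, 10))
    policy.random_detect_values([0, 1, 2], WredProfile(12, 324, 10))
    return policy


def sample_dscp_policy() -> WredPolicy:
    """Profiles from the guide's DSCP-based sample output (cs3 and af31 lines)."""
    policy = WredPolicy("dscp", WredProfile(2752, 5504, 10))
    policy.random_detect_values(["cs3"], WredProfile(118, 235, 20))
    policy.random_detect_values(["af31"], WredProfile(123, 5243, 34))
    return policy
```

The validation in _checked and random_detect_values mirrors the ranges the step tables give (1 to 12288 for thresholds, 31 or 255 for mark-prob, 8 values per entry); drop_probability is what a queue at a given average depth does with a packet of that sub-class.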
Configuring Non-aggregate WRED Based on DSCP

To configure non-aggregate WRED to drop packets based on the differentiated services code point (DSCP) value, use the following commands beginning in global configuration mode:

Step 1  Router(config)# policy-map policy-map-name
        Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
        • policy-map-name—Name of the service policy map to be created. The name can be a maximum of 40 alphanumeric characters.

Step 2  Router(config-pmap)# class {class-name | class-default}
        Specifies the class policy to be configured.
        • class-name—Name of the class you want to configure. Note that WRED can be defined for a user-defined class only if the class has the bandwidth/shape feature enabled.
        • class-default—Default class.

Step 3  Router(config-pmap-c)# random-detect dscp-based
        Enables non-aggregate WRED based on DSCP values.

Step 4  Router(config-pmap-c)# random-detect dscp values sub-class-val1 [...[sub-class-val8]] min-thresh max-thresh [mark-prob]
        Configures the WRED parameters for packets with one or more specific DSCP values.
        • sub-class-val1 [...[sub-class-val8]]—One or more DSCP values to which the following WRED parameter specifications apply. A maximum of 8 subclasses (DSCP values) can be specified per CLI entry. The DSCP value can be a number from 0 to 63, or it can be one of the following keywords: ef, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, or cs7.
        • min-thresh—Specifies the minimum threshold in number of packets. The value range of this argument is from 1 to 12288.
        • max-thresh—Specifies the maximum threshold in number of packets. The value range of this argument is from the value of the minimum threshold argument to 12288.
        • mark-prob—Specifies the denominator for the fraction of packets dropped when the average queue depth is at the maximum threshold. The value range is from 1 to 255.
        Repeat this command for each set of DSCP values that share WRED parameters.

Step 5  Router(config-pmap-c)# interface atm slot/subslot/port.subinterface point-to-point
        Creates the specified point-to-point subinterface on the given port on the specified ATM SPA, and enters subinterface configuration mode.
        • slot—Chassis slot number where the SIP is installed.
        • subslot—Secondary slot of the SIP where the SPA is installed.
        • port—Number of the individual interface port on the SPA.
        • .subinterface—Subinterface number. The number that precedes the period must match the number of the interface to which this subinterface belongs. The range is 1 to 4,294,967,293.

Step 6  Router(config-subif)# ip address address mask
        Assigns the specified IP address and subnet mask to the interface.
        • address—IP address.
        • mask—Subnet mask.

Step 7  Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
        Configures a new ATM PVC by assigning an optional name and its VPI/VCI numbers.
        • name—(Optional) An arbitrary string that identifies this PVC.
        • vpi—VPI ID. The range is 0 to 255.
        • vci—VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except 5 for the QSAAL PVC and 16 for the ILMI PVC.

Step 8  Router(config-subif)# service-policy output policy-map-name
        Attaches the specified policy map to the subinterface.
        • policy-map-name—Name of the service policy map to be attached. The name can be a maximum of 40 alphanumeric characters.

Verifying the DSCP-Based Non-aggregate WRED Configuration

To verify a DSCP-based non-aggregate WRED configuration, use the show policy-map interface command. Note that the statistics for DSCP values 0 through 3, 4 through 7, and 8 through 11 have been aggregated into one line each.

Router# show policy-map interface a4/1/0.11
ATM3/0/2: VC 1/100 -
Service-policy output: non-agg
Class-map: DSCP-OUT-D1 (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp cs3 (24) af31 (26) af32 (28) cs4 (32)
Queueing
queue limit 15724 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 42% (62899 kbps)
Mean queue depth: 0 packets
dscp     Transmitted  Random drop  Tail drop   Minimum  Maximum  Mark
         pkts/bytes   pkts/bytes   pkts/bytes  thresh   thresh   prob
default  0/0          0/0          0/0         2752     5504     1/10
cs3      0/0          0/0          0/0         118      235      1/20
af31     0/0          0/0          0/0         123      5243     1/34

Creating and Configuring Switched Virtual Circuits

A switched virtual circuit (SVC) is created and released dynamically, providing user bandwidth on demand. To enable the use of SVCs, you must configure a signaling protocol to be used between the Cisco 7600 series router and the ATM switch. The ATM SPA supports versions 3.0, 3.1, and 4.0 of the User-Network Interface (UNI) signaling protocol, which uses the Integrated Local Management Interface (ILMI) to establish, maintain, and clear the ATM connections at the UNI.

The Cisco 7600 series router does not perform ATM-level call routing when configured for UNI/ILMI operation. Instead, the ATM switch acts as the network and performs the call routing, while the Cisco 7600 series router acts only as the user end-point of the call circuit and only routes packets through the resulting circuit.

Note The 1-Port OC-48c/STM-16 ATM SPA does not support SVCs.

To use UNI/ILMI signaling, you must create an ILMI PVC and a signaling PVC to be used for the SVC call-establishment and call-termination messages between the ATM switch and the Cisco 7600 series router.
This also requires configuring the ATM interface with a network service access point (NSAP) address that uniquely identifies it across the network. The NSAP address consists of a network prefix (13 hexadecimal bytes), a unique end station identifier (ESI) of 6 hexadecimal bytes, and a selector byte. If an ILMI PVC exists, the Cisco 7600 series router can obtain the NSAP prefix from the ATM switch, and you must manually configure only the ESI and selector byte. If an ILMI PVC does not exist, or if the ATM switch does not support this feature, you must configure the entire address manually.

To create and configure an SVC, use the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port
        Enters interface configuration mode for the indicated port on the specified ATM SPA.

Step 2  Router(config-subif)# pvc [name] 0/5 qsaal
        Configures a new ATM PVC to be used for SVC signaling:
        • name—(Optional) An arbitrary string that identifies this PVC.
        • vpi—Specifies the VPI ID. The valid range is 0 to 255, but the recommended value of vpi for the signaling PVC is 0.
        • vci—Specifies the VCI ID. The valid range is 1 to 65535, but the recommended value of vci for the QSAAL signaling PVC is 5.
        Note The ATM switch must be configured with the same VPI and VCI values for this PVC.
        • qsaal—Configures the signaling PVC to use QSAAL encapsulation.

Step 3  Router(config-subif)# pvc [name] 0/16 ilmi
        Creates a new ATM PVC to be used for ILMI signaling:
        • name—(Optional) An arbitrary string that identifies this PVC.
        • vpi—Specifies the VPI ID. The valid range is 0 to 255, but the recommended value of vpi for the ILMI PVC is 0.
        • vci—Specifies the VCI ID. The valid range is 1 to 65535, but the recommended value of vci for the ILMI PVC is 16.
        • ilmi—Configures the PVC to use ILMI encapsulation.
        Note The signaling and ILMI PVCs must be set up on the main ATM interface, not on a subinterface.

Step 4  Router(config-if-atm-vc)# exit
        Exits ATM PVC configuration mode and returns to interface configuration mode.

Step 5  Router(config-if)# atm ilmi-keepalive [seconds] [retry counts]
        (Optional) Enables ILMI keepalive messages and sets the interval between them. ILMI keepalive messages are disabled by default.
        • seconds—(Optional) The amount of time, in seconds, between keepalive messages exchanged by the Cisco 7600 series router and the ATM switch. The valid range is 1 to 65535, with a default of 3 seconds.
        • retry counts—(Optional) Specifies the number of times the router resends a keepalive message if the first message is unacknowledged. The valid range is 2 to 5, with a default of 4.

Step 6  Router(config-if)# atm esi-address esi.selector
        Specifies the end station ID (ESI) and selector fields for the local portion of the interface's NSAP address, and configures the interface to get the NSAP prefix from the ATM switch.
        • esi—Specifies a string of 12 hexadecimal digits, in dotted notation, for the ATM interface's ESI value. This value must be unique across the network.
        • selector—Specifies a string of 2 hexadecimal digits for the selector byte of this ATM interface.
        To configure the ATM address, you need to enter only the ESI (12 hexadecimal digits) and the selector byte (2 hexadecimal digits). The NSAP prefix (26 hexadecimal digits) is provided by the ATM switch.
        or
        Router(config-if)# atm nsap-address nsap-address
        Assigns a complete NSAP address (40 hexadecimal digits) to the interface.
        The address consists of a network prefix, ESI, and selector byte, and must be in the following format:
        XX.XXXX.XX.XXXXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XX
        Note The dotted hexadecimal format above provides some validation that the address is a legal value. If you know that the NSAP address is correct, you may omit the dots.
        Note The atm esi-address and atm nsap-address commands are mutually exclusive. Configuring the Cisco 7600 series router with one of these commands automatically negates the other. Use the show interface atm command to display the NSAP address that is assigned to the interface.

Step 7  Router(config-if)# interface atm slot/subslot/port.subinterface [multipoint | point-to-point]
        (Optional) Creates the specified subinterface on the specified ATM interface, and enters subinterface configuration mode.
        Note You can create SVCs on either the main ATM interface or on a multipoint subinterface.

Step 8  Router(config-subif)# svc [name] nsap address
        Creates an SVC and specifies the destination NSAP address (40 hexadecimal digits in dotted notation). You can also configure the following option:
        • name—(Optional) An arbitrary string that identifies this SVC.

Step 9  Router(config-if-atm-vc)# oam-svc [manage] [frequency]
        Enables end-to-end Operation, Administration, and Maintenance (OAM) loopback cell generation and management of the SVC.
        • manage—(Optional) Enables OAM management of the SVC.
        • frequency—(Optional) Specifies the delay between transmitting OAM loopback cells. The valid range is 0 to 600 seconds, with a default of 10 seconds.

Step 10 Router(config-if-atm-vc)# protocol protocol {protocol-address | inarp} [[no] broadcast]
        Configures the SVC for a particular protocol and maps it to a specific protocol-address.
        • protocol—Typically set to either ip or ppp, but other values are possible.
        • protocol-address—Destination address or virtual interface template for this SVC (if appropriate for the protocol).
        • inarp—Specifies that the SVC uses Inverse ARP to determine its address.
        • [no] broadcast—(Optional) Specifies that this mapping should (or should not) be used for broadcast packets.

Step 11 Router(config-if-atm-vc)# encapsulation aal5snap
        (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The default and only supported type is aal5snap.
        Note Repeat Step 7 through Step 11 for each SVC to be created.

Step 12 Router(config-if-atm-vc)# end
        Exits SVC configuration mode and returns to privileged EXEC mode.

Verifying the SVC Configuration

Use the show atm svc and show atm ilmi-status commands to verify the configuration of the SVCs that are currently configured on the Cisco 7600 series router.

Router# show atm svc
           VCD /                                     Peak    Avg/Min  Burst
Interface  Name   VPI  VCI  Type  Encaps  SC   Kbps    Kbps     Cells  Sts
4/0/0      1      0    5    SVC   SAAL    UBR  155000                  UP
4/0/2      4      0    35   SVC   SNAP    UBR  155000                  UP
4/1/0      16     0    47   SVC   SNAP    UBR  155000                  UP
4/1/0.1    593    0    80   SVC   SNAP    UBR  155000                  UP

Tip To display all SVCs on a particular ATM interface or subinterface, use the show atm svc interface atm command.

To display detailed information about a particular SVC, specify its VPI and VCI values:

Router# show atm svc 0/35
ATM5/1/0.200: VCD: 3384, VPI: 0, VCI: 35, Connection Name: SVC00
UBR, PeakRate: 155000
AAL5-MUX, etype:0x800, Flags: 0x44, VCmode: 0x0
OAM frequency: 10 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Received
OAM VC status: Verified
ILMI VC status: Not Managed
VC is managed by OAM.
InARP DISABLED
Transmit priority 6
InPkts: 0, OutPkts: 4, InBytes: 0, OutBytes: 400
InPRoc: 0, OutPRoc: 4, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 10
F5 InEndloop: 10, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 10
F5 OutEndloop: 10, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
TTL: 4
interface = ATM5/1/0.200, call locally initiated, call reference = 8094273
vcnum = 3384, vpi = 0, vci = 35, state = Active(U10)
, point-to-point call
Retry count: Current = 0
timer currently inactive, timer value = 00:00:00
Remote Atm Nsap address: 47.00918100000000107B2B4B01.111155550001.00
, VC owner: ATM_OWNER_SMAP

To display information about the ILMI status and NSAP addresses being used for the SVCs on an ATM interface, use the show atm ilmi-status command:

Router# show atm ilmi-status atm 4/1/0
Interface : ATM4/1/0 Interface Type : Private UNI (User-side)
ILMI VCC : (0, 16) ILMI Keepalive : Enabled/Up (5 Sec 4 Retries)
ILMI State: UpAndNormal
Peer IP Addr: 10.10.13.1 Peer IF Name: ATM 3/0/3
Peer MaxVPIbits: 8 Peer MaxVCIbits: 14
Active Prefix(s) :
47.0091.8100.0000.0010.11b8.c601
End-System Registered Address(s) :
47.0091.8100.0000.0010.11b8.c601.2222.2222.2222.22(Confirmed)
47.0091.8100.0000.0010.11b8.c601.aaaa.aaaa.aaaa.aa(Confirmed)

Tip To display information about the SVC signaling PVC and ILMI PVC, use the show atm pvc 0/5 and show atm pvc 0/16 commands.
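The following Python helpers are an added example, not part of the Cisco guide and not Cisco code. They encode the NSAP layout the procedure above describes (26-hex-digit prefix learned from the switch over the ILMI PVC, 12-hex-digit ESI, 2-hex-digit selector, 40 digits in all, dotted as XX.XXXX.XX.XXXXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XX for atm nsap-address), and parse the End-System Registered Address(s) lines of show atm ilmi-status so that the ESI an operator configured with atm esi-address can be checked against what the switch actually confirmed. The ilmi-status text embedded below is constructed in the format of the sample output above.

```python
"""Assembling and checking the NSAP address an ATM SVC interface signals with.

Added example; not from the Cisco guide. Layout (prefix 26 + ESI 12 +
selector 2 hex digits) and the dotted CLI grouping are as the guide states;
the sample show atm ilmi-status text is constructed.
"""
import re
from typing import Dict, Tuple

PREFIX_DIGITS, ESI_DIGITS, SELECTOR_DIGITS = 26, 12, 2
NSAP_DIGITS = PREFIX_DIGITS + ESI_DIGITS + SELECTOR_DIGITS  # 40
CLI_GROUPS = (2, 4, 2, 6, 4, 4, 4, 4, 4, 4, 2)               # XX.XXXX.XX.XXXXXX...
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def _hex_digits(text: str, expected: int, what: str) -> str:
    """Strip dots and require exactly `expected` hex digits."""
    digits = text.replace(".", "")
    if len(digits) != expected or not _HEX.match(digits):
        raise ValueError(f"{what} must be {expected} hex digits, got {text!r}")
    return digits.lower()


def to_cli_format(digits: str) -> str:
    """Dot a 40-digit NSAP the way atm nsap-address validates it."""
    digits = _hex_digits(digits, NSAP_DIGITS, "NSAP")
    groups, pos = [], 0
    for width in CLI_GROUPS:
        groups.append(digits[pos:pos + width])
        pos += width
    return ".".join(groups)


def build_nsap(prefix: str, esi: str, selector: str) -> str:
    """Combine the switch-supplied prefix with the locally configured
    esi.selector (the part atm esi-address leaves to the operator)."""
    digits = (_hex_digits(prefix, PREFIX_DIGITS, "prefix")
              + _hex_digits(esi, ESI_DIGITS, "ESI")
              + _hex_digits(selector, SELECTOR_DIGITS, "selector"))
    return to_cli_format(digits)


def is_cli_format(addr: str) -> bool:
    """True for 40 undotted hex digits (dots may be omitted) or for the exact
    dotted grouping the command checks; other dottings are rejected."""
    if "." not in addr:
        return len(addr) == NSAP_DIGITS and _HEX.match(addr) is not None
    parts = addr.split(".")
    return (tuple(len(p) for p in parts) == CLI_GROUPS
            and all(_HEX.match(p) for p in parts))


def split_nsap(addr: str) -> Tuple[str, str, str]:
    """Split any dotted or undotted 40-digit NSAP into (prefix, esi, selector)."""
    d = _hex_digits(addr, NSAP_DIGITS, "NSAP")
    return d[:PREFIX_DIGITS], d[PREFIX_DIGITS:PREFIX_DIGITS + ESI_DIGITS], d[-SELECTOR_DIGITS:]


def registered_esis(ilmi_status: str) -> Dict[str, str]:
    """{esi: state} from the End-System Registered Address(s) lines, e.g.
    '47.0091....22(Confirmed)'; prefix-only lines carry no state and are skipped."""
    result: Dict[str, str] = {}
    for line in ilmi_status.splitlines():
        m = re.match(r"^\s*([0-9A-Fa-f.]+)\((\w+)\)\s*$", line)
        if m and len(m.group(1).replace(".", "")) == NSAP_DIGITS:
            _, esi, _ = split_nsap(m.group(1))
            result[esi] = m.group(2)
    return result


def esi_confirmed(ilmi_status: str, esi: str) -> bool:
    """True when the ESI given to atm esi-address shows as Confirmed on the switch."""
    key = _hex_digits(esi, ESI_DIGITS, "ESI")
    return registered_esis(ilmi_status).get(key) == "Confirmed"


# Constructed sample in the format of the guide's show atm ilmi-status output.
SAMPLE_ILMI_STATUS = """\
Interface : ATM4/1/0 Interface Type : Private UNI (User-side)
ILMI VCC : (0, 16) ILMI Keepalive : Enabled/Up (5 Sec 4 Retries)
ILMI State: UpAndNormal
Active Prefix(s) :
47.0091.8100.0000.0010.11b8.c601
End-System Registered Address(s) :
47.0091.8100.0000.0010.11b8.c601.2222.2222.2222.22(Confirmed)
47.0091.8100.0000.0010.11b8.c601.aaaa.aaaa.aaaa.aa(Confirmed)
"""
```

build_nsap is what the router does for you when atm esi-address is used with an ILMI PVC; esi_confirmed is the check to run after the fact, because an ESI that the switch did not confirm means SVC calls to that address will not be routed to this interface.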
Configuring Traffic Parameters for PVCs or SVCs

After creating a PVC or SVC, you can also configure it for the type of traffic quality of service (QoS) class to be used over the circuit:
• Constant Bit Rate (CBR)—Configures the CBR service class and specifies the average cell rate for the PVC or SVC.
• Unspecified Bit Rate (UBR)—Configures the UBR service class and specifies the output peak cell rate (PCR) for the PVC or SVC. This is the default configuration. SVCs can also be configured with similar input parameters.
• Unspecified Bit Rate Plus (UBR+)—Configures the UBR+ service class and specifies the output peak cell rate (PCR) and minimum cell rate (MCR) for the SVC. SVCs can also be configured with similar input parameters.
  Note The 1-Port OC-48c/STM-16 ATM SPA does not support UBR+.
• Variable Bit Rate–Non-real Time (VBR-nrt)—Configures the VBR-nrt service class and specifies the output PCR, output sustainable cell rate (SCR), and output maximum burst size (MBS) for the PVC or SVC. SVCs can also be configured with similar input parameters.
• Variable Bit Rate–Real Time (VBR-rt)—Configures the VBR-rt service class and the peak rate and average rate burst for the PVC or SVC.

Each service class is assigned a different transmit priority, which the Cisco 7600 series router uses to determine which queued cell is chosen to be transmitted out of an interface during any particular cell time slot. This process ensures that real-time QoS classes have a higher likelihood of being transmitted during periods of congestion. Table 7-1 lists the ATM QoS classes and their default transmit priorities.
Note When using a CBR VC that exceeds half of the interface line rate, it is possible in some cases that the shaping accuracy for the CBR traffic can drop from 99 percent to 98 percent when the interface is also configured for UBR VCs that are oversubscribed (that is, the UBR VCs are configured for a total line rate that exceeds the interface line rate). If this small drop in accuracy is not acceptable, then we recommend using VBR-rt or VBR-nrt instead of CBR when oversubscribing UBR traffic.

You can configure a PVC or SVC for only one QoS service class. If you enter more than one type, only the most recently configured QoS class takes effect on the circuit.

Table 7-1 ATM Classes of Service and Default Transmit Priorities

Service Category                                                                             Transmit Priority (1)
Signaling, Operation, Administration, and Maintenance (OAM) cells, and other control cells   0 (highest)
CBR when greater than 5 percent of the line rate                                             1
CBR when less than 5 percent of the line rate                                                2
Voice traffic                                                                                3
VBR-rt                                                                                       4
VBR-nrt                                                                                      5
UBR                                                                                          6
Unused and not available or configurable                                                     7 (lowest)

1. The default priorities can be changed for individual VCs using the transmit-priority VC configuration command.

To configure the traffic parameters for a PVC or SVC, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot
        or
        Router(config)# interface atm slot/subslot/port.subinterface [multipoint | point-to-point]
        Enters interface or subinterface configuration mode for the indicated port on the specified ATM SPA.

Step 2  Router(config-if)# pvc [name] vpi/vci
        or
        Router(config-if)# svc [name] nsap-address
        Specifies the PVC or SVC to be configured, and enters PVC/SVC configuration mode.
        Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC's configuration and automatically switches to its parent subinterface.

Step 3  Router(config-if-atm-vc)# cbr rate
        Configures constant bit rate (CBR) quality of service (QoS) and the average cell rate for the PVC or SVC:
        • rate—Average cell rate in kbps. The valid range is 48 to 149760 (OC-3) or 599040 (OC-12).
        or
        Router(config-if-atm-vc)# ubr output-pcr [input-pcr]
        Configures unspecified bit rate (UBR) quality of service (QoS) and the peak cell rate (PCR) for the PVC or SVC:
        • output-pcr—Output PCR in kbps. The valid range is 48 to 149760 (OC-3), 599040 (OC-12), or 2396160 (1-Port OC-48c/STM-16 ATM SPA).
        • input-pcr—(Optional, SVCs only) Input PCR in kbps. If omitted, input-pcr equals output-pcr.
        or
        Router(config-if-atm-vc)# vbr-nrt output-pcr output-scr output-mbs [input-pcr] [input-scr] [input-mbs]
        Configures variable bit rate–nonreal time (VBR-nrt) QoS and the peak cell rate (PCR), sustainable cell rate (SCR), and maximum burst cell size (MBS) for the PVC or SVC:
        • output-pcr—Output PCR in kbps. The valid range is 48 to 149760 (OC-3), 599040 (OC-12), or 2396160 (1-Port OC-48c/STM-16 ATM SPA).
        • output-scr—Output SCR in kbps. The valid range is 48 to PCR, and it is typically less than the PCR value.
        • output-mbs—Output MBS in number of cells. The valid range is 1 to 65535, depending on the PCR and SCR values. If the PCR and SCR are configured to the same value, the only valid value for MBS is 1.
        • input-pcr—(Optional, SVCs only) Input PCR in kbps.
        • input-scr—(Optional, SVCs only) Input SCR in kbps.
        • input-mbs—(Optional, SVCs only) Input MBS in number of cells.
        or
        Router(config-if-atm-vc)# vbr-rt pcr scr burst
        Configures variable bit rate–real time (VBR-rt) QoS and the PCR, average cell rate (ACR), and burst cell size (BCS) for the PVC or SVC:
        • pcr—PCR in kbps. The valid range is 48 to 149760 (OC-3), 599040 (OC-12), or 2396160 (1-Port OC-48c/STM-16 ATM SPA).
        • scr—SCR in kbps. The valid range is 48 to PCR, and it is typically less than the PCR value.
        • burst—Burst size in number of cells. The valid range is 1 to 65535, depending on the PCR and SCR values. If the PCR and SCR are configured to the same value, the only valid value for burst is 1.

Step 4  Router(config-if-atm-vc)# transmit-priority level
        (Optional) Configures the PVC for a new transmit priority level.
        • level—Priority level from 1 to 6. The default value is determined by the PVC's configured service class (see Table 7-1 on page 7-47 for the default levels).
        Note Repeat Step 2 through Step 4 for each PVC or SVC to be configured.

Step 5  Router(config-if-atm-vc)# end
        Exits PVC/SVC configuration mode and returns to privileged EXEC mode.

Verifying the Traffic Parameter Configuration

Use the show atm vc command to verify the configuration of the traffic parameters for a PVC or SVC:

Router# show atm vc 20
ATM1/1/0.200: VCD: 20, VPI: 2, VCI: 200
UBR, PeakRate: 44209
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 5 minutes(s)
Transmit priority 4
InPkts: 10, OutPkts: 11, InBytes: 680, OutBytes: 708
InPRoc: 10, OutPRoc: 5, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 0, OutAS: 6
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP

To verify the configuration of all PVCs or SVCs on an interface, use the show atm vc interface atm command:

Router# show atm vc interface atm 2/1/0
ATM2/1/0.101: VCD: 201, VPI: 20, VCI: 101
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 15 minutes(s)
Transmit priority 4
InPkts: 3153520, OutPkts: 277787, InBytes: 402748610, OutBytes: 191349235
InPRoc: 0, OutPRoc: 0, Broadcasts: 0
InFast: 211151, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 17
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP

Configuring Virtual Circuit Classes

When multiple PVCs or SVCs use the same or similar configurations, you can simplify the Cisco 7600 series router's configuration file by creating virtual circuit (VC) classes. Each VC class acts as a template, which you can apply to an ATM interface or subinterface, or to individual PVCs or SVCs.

When you apply a VC class to an ATM interface or subinterface, all PVCs and SVCs created on that interface or subinterface inherit the VC class configuration. When you apply a VC class to an individual PVC or SVC, that particular PVC or SVC inherits the class configuration. You can then customize individual PVCs and SVCs with further configuration commands. Any commands that you apply to individual PVCs and SVCs take precedence over those of the VC class that was applied to the interface or to the PVC/SVC.

To create and configure a VC class, and then apply it to an interface, subinterface, or individual PVC or SVC, use the following procedure beginning in global configuration mode:

Step 1  Router(config)# vc-class atm vc-class-name
        Creates an ATM virtual circuit (VC) class and enters VC-class configuration mode.
        • vc-class-name—Arbitrary name that identifies this particular VC class.

Step 2  Router(config-vc-class)# configuration-commands
        Enter any PVC or SVC configuration commands for this VC class. See the "Creating a Permanent Virtual Circuit" section on page 7-8 and the "Creating and Configuring Switched Virtual Circuits" section on page 7-42 for additional information.
        Note You can specify both PVC and SVC configuration commands in the same VC class. If a command is not appropriate for a PVC or SVC, it is ignored when the VC class is assigned to the PVC or SVC.

Step 3  Router(config-vc-class)# interface atm slot/subslot/port
        or
        Router(config-vc-class)# interface atm slot/subslot/port.subinterface [multipoint | point-to-point]
        Enters interface or subinterface configuration mode for the specified ATM interface or subinterface.

Step 4  Router(config-if)# class-int vc-class-name
        (Optional) Applies a VC class to the ATM main interface or subinterface. This class then applies to all PVCs or SVCs that are created on that interface.
        • vc-class-name—Name of the VC class that was created in Step 1.

Step 5  Router(config-if)# pvc [name] vpi/vci
        or
        Router(config-if)# svc [name] nsap-address
        Specifies the PVC or SVC to be configured, and enters ATM VC configuration mode.
        Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC's configuration and automatically switches to its parent subinterface.

Step 6  Router(config-if-atm-vc)# class-vc vc-class-name
        Assigns the specified VC class to this PVC or SVC.
        • vc-class-name—Name of the VC class that was created in Step 1.

Step 7  Router(config-if-atm-vc)# configuration-commands
        Any other VC configuration commands to be applied to this particular PVC or SVC. Commands that are applied to the individual PVC or SVC supersede any conflicting commands that were specified in the VC class.

Step 8  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Verifying the Virtual Circuit Class Configuration

To verify the virtual circuit class configuration, use the show atm vc command:

Router# show atm vc
           VCD /                                      Peak    Avg/Min  Burst
Interface  Name  VPI  VCI  Type   Encaps  SC   Kbps    Kbps     Cells  Sts
6/1/0      1     0    5    PVC    SAAL    UBR  155000                  UP
6/1/0      2     0    16   PVC    ILMI    UBR  155000                  UP
6/1/0.1    3     1    32   PVC-D  SNAP    UBR  155000                  UP
6/1/0.2    4     2    32   PVC-D  SNAP    UBR  155000                  UP

Configuring Virtual Circuit Bundles

Virtual circuit bundles are similar to VC classes, in that they allow you to configure a large group of PVCs by configuring a template (the VC bundle). The main difference between a VC bundle and a VC class is that VC bundle management allows you to configure multiple VCs that have different QoS characteristics between any pair of ATM-connected routers.

Using VC bundles, you first create an ATM VC bundle and then add VCs to it, and each VC in the bundle can have its own ATM traffic class and ATM traffic parameters. You can configure the VCs collectively at the bundle level, or you can configure the individual VC bundle members. You can also apply a VC class to a bundle to apply the VC class configuration to all of the VCs in the bundle.

You can therefore create differentiated service by mapping one or more MPLS EXP levels to each VC in the bundle, thereby enabling individual VCs in the bundle to carry packets marked with different MPLS EXP levels. The ATM VC bundle manager determines which VC to use for a particular packet by matching the MPLS EXP level of the packet to the MPLS EXP levels assigned to the VCs in the bundle. The bundle manager can also use Weighted Random Early Detection (WRED) or distributed WRED (dWRED) to further differentiate service across traffic that has different MPLS EXP levels.

Virtual Circuit Bundles Configuration Guidelines

• VC bundles are supported only on ATM SPAs in a Cisco 7600 SIP-200. Bundles are not supported for ATM SPAs in a Cisco 7600 SIP-400.
• VC bundles can be used only for PVCs, not SVCs.
• VC bundles require ATM PVC management, as well as Forwarding Information Base (FIB) and Tag Forwarding Information Base (TFIB) switching functionality.
• The Cisco 7600 series router at the remote end of the network must be using a version of Cisco IOS that supports MPLS and ATM PVC management.

Virtual Circuit Bundles Configuration Task

To create and configure a VC bundle and then apply it to an ATM interface or subinterface, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# ip cef [distributed]
        Enables Cisco Express Forwarding (CEF) Layer 3 switching on the Cisco 7600 series router. The Cisco 7600 series router enables CEF by default.
        • distributed—(Optional) Enables distributed CEF (dCEF).

Step 2  Router(config)# mpls label protocol ldp
        Specifies the default label distribution protocol for the platform.

Step 3  Router(config)# interface atm slot/subslot/port
        or
        Router(config)# interface atm slot/subslot/port.subinterface [multipoint | point-to-point]
        Enters interface configuration mode for the specified ATM interface or subinterface.
Step 4  Router(config-if)# mpls ip
        Enables MPLS forwarding of IPv4 packets along normally routed paths for the interface.

Step 5  Router(config-if)# bundle bundle-name
        Creates an ATM virtual circuit (VC) bundle and enters bundle configuration mode.
        • bundle-name—Arbitrary name to identify this particular VC bundle.

Step 6  Router(config-if-atm-bundle)# class-bundle vc-class-name
        (Optional) Applies a VC class to this bundle. The class configuration is then applied to all VCs in the bundle.
        • vc-class-name—Name of the VC class to be applied to this bundle and its PVCs or SVCs. See the “Configuring Virtual Circuit Classes” section on page 7-50 for information on creating VC classes.

Step 7  Router(config-if-atm-bundle)# configuration-commands
        Enter any other PVC or SVC configuration commands for this VC bundle. See the “Creating a Permanent Virtual Circuit” section on page 7-8 and the “Creating and Configuring Switched Virtual Circuits” section on page 7-42 for additional information.
        Note: Configuration commands applied directly to the VC bundle supersede a configuration that is applied through a VC class.

Step 8  Router(config-if-atm-bundle)# pvc-bundle [name] vpi/vci
        Creates a member PVC of the bundle and enters PVC bundle configuration mode.

Step 9  Router(config-if-atm-member)# mpls experimental [level | other | range]
        (Optional) Configures the MPLS EXP levels for the PVC bundle member.
        • level—MPLS EXP level for the PVC bundle member. The valid range is 0 to 7.
        • other—Any MPLS EXP levels in the range from 0 to 7 that are not explicitly configured (default).
        • range—A range of MPLS EXP levels between 0 and 7, separated by a hyphen.

Step 10 Router(config-if-atm-member)# bump {implicit | explicit precedence-level | traffic}
        (Optional) Configures the bumping rules for the PVC bundle member.
        • implicit—Bumped traffic is carried by a VC with a lower precedence (default).
        • explicit precedence-level—Specifies the precedence level of the traffic that should be bumped when the PVC member goes down. The precedence-level can range from 0 to 9.
        • traffic—The PVC member accepts bumped traffic (default). Use no bump traffic to specify that the PVC member does not accept bumped traffic.

Step 11 Router(config-if-atm-member)# protect {group | vc}
        (Optional) Specifies that the PVC bundle member is protected.
        • group—Specifies that the PVC bundle member is part of a protected group. When all members of a protected group go down, the bundle goes down.
        • vc—Specifies that the PVC bundle member is individually protected. When a protected VC goes down, it also takes the bundle down.
        By default, PVC bundle members are not protected.

Step 12 Router(config-if-atm-member)# configuration-commands
        Any other VC configuration commands to be applied to this particular VC bundle member. Commands that are applied to a bundle member supersede any conflicting commands that were specified in the VC class or VC bundle.
        Note: Repeat Step 8 through Step 12 for each PVC member of the bundle to be created.

Step 13 Router(config-if-atm-member)# end
        Exits PVC bundle configuration mode and returns to privileged EXEC mode.

Verifying the Virtual Circuit Bundles Configuration

To verify the configuration of the virtual circuit bundles and display the configuration for its interface or subinterface, use the show running-config interface atm command, as in the following example:
Router# show running-config interface atm 4/1/0.2
interface ATM4/1/0.2 point-to-point
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
 no atm enable-ilmi-trap
 bundle ABC
  class-bundle bundle-class
  pvc-bundle ABC-high 1/107
   class-vc high
  pvc-bundle ABC-med 1/105
   class-vc med
  pvc-bundle ABC-low 1/102
   class-vc low
!
!

To verify the operation and current status of a virtual circuit bundle, specify the bundle name with the show atm bundle command:

Router# show atm bundle ABC
ABC on ATM4/1/0.2: UP
VC Name   VPI/VCI  Config Prec/Exp  Current Prec/Exp  Bumping PrecExp/Accept  PG/PV  Peak Kbps  Avg/Min kbps  Burst Cells  Sts
ABC-high  1/107    7                7                 - / Yes                 PV     10000      5000          32           UP
ABC-med   1/105    6                6                 - / Yes                 PV     10000                                 UP
ABC-low   1/102    5-0              5-0               - / Yes                 -      10000                                 UP

Configuring Multi-VLAN to VC Support

For information on configuring multi-VLAN to VC support, see the “Configuring QoS for ATM VC Access Trunk Emulation” topic at http://www.cisco.rw/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/flexqos.htm#wp1162305.

Configuring Link Fragmentation and Interleaving with Virtual Templates

The ATM SPA supports Link Fragmentation and Interleaving (LFI) with the distributed Compressed Real-Time Protocol (dCRTP). This allows the ATM interfaces, which are cell-based, to efficiently transport packet-based IP traffic without an excessive amount of bandwidth being used for packet headers and other overhead. The LFI/dCRTP feature requires the use of multilink PPP (MLP), which can be implemented either by using virtual templates or dialer templates.

Note: Stateful Switch Over (SSO) is not supported with distributed Link Fragmentation and Interleaving (dLFI) over ATM.
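Returning to the VC bundle manager described in the Virtual Circuit Bundles section above: the following Python model is an added example, not code from this guide, that works through the EXP-to-member mapping of mpls experimental, the bump implicit and bump explicit rules, and the protect vc and protect group options, using the ABC bundle from the show atm bundle output. Its class, function and field names are its own; reading bump explicit N as directing a down member's traffic to the member that carries level N, and choosing the highest lower-precedence member for implicit bumping, are this model's assumptions.

```python
"""ATM VC bundle member selection by MPLS EXP level (added example, not from the guide).

Members carry the EXP levels named by "mpls experimental" (a level, a hyphenated range or
"other": every level not assigned elsewhere). When a member goes down, "bump implicit" hands
its traffic to a lower-precedence member that accepts bumped traffic (the highest such member
here); "bump explicit N" is read here as sending it to the member carrying level N.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BundleMember:
    name: str                       # pvc-bundle name, e.g. "ABC-high"
    vpi_vci: str                    # e.g. "1/107"
    exp_spec: str = "other"         # "7", "5-0" or "other"
    accept_bumped: bool = True      # "no bump traffic" sets this to False
    bump_to: Optional[int] = None   # "bump explicit N"; None means "bump implicit"
    protect: Optional[str] = None   # "vc", "group" or None (not protected, the default)
    up: bool = True


def parse_exp_spec(spec: str) -> Optional[frozenset]:
    """EXP levels named by an "mpls experimental" argument; None stands for "other"."""
    spec = spec.strip().lower()
    if spec == "other":
        return None
    if "-" in spec:                 # a range may be written in either order ("5-0")
        lo, hi = sorted(int(x) for x in spec.split("-", 1))
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 7:
        raise ValueError(f"MPLS EXP levels must lie in 0..7: {spec!r}")
    return frozenset(range(lo, hi + 1))


class VcBundle:
    def __init__(self, name: str, members: List[BundleMember]):
        self.name = name
        self.members = list(members)
        self.exp_map()              # reject overlapping levels or two "other" members early

    def exp_map(self) -> Dict[int, BundleMember]:
        """Configured EXP level -> member mapping, independent of member state."""
        mapping: Dict[int, BundleMember] = {}
        other: Optional[BundleMember] = None
        for m in self.members:
            levels = parse_exp_spec(m.exp_spec)
            if levels is None:
                if other is not None:
                    raise ValueError("only one member may carry the 'other' levels")
                other = m
                continue
            for lvl in levels:
                if lvl in mapping:
                    raise ValueError(f"EXP {lvl} is assigned to two members")
                mapping[lvl] = m
        if other is not None:
            for lvl in range(8):
                mapping.setdefault(lvl, other)
        return mapping

    def precedence(self, member: BundleMember) -> int:
        """Highest EXP level a member carries; orders members for implicit bumping."""
        levels = [lvl for lvl, m in self.exp_map().items() if m is member]
        return max(levels) if levels else -1

    def select(self, exp: int) -> Optional[BundleMember]:
        """Member that carries a packet marked with EXP `exp`, after any bumping."""
        if not 0 <= exp <= 7:
            raise ValueError("MPLS EXP must lie in 0..7")
        mapping = self.exp_map()
        primary = mapping.get(exp)
        if primary is None or primary.up:
            return primary
        if primary.bump_to is not None:                      # bump explicit N
            target = mapping.get(primary.bump_to)
            return target if target and target.up and target.accept_bumped else None
        lower = [m for m in self.members                     # bump implicit (default)
                 if m.up and m.accept_bumped
                 and self.precedence(m) < self.precedence(primary)]
        return max(lower, key=self.precedence) if lower else None

    def bundle_up(self) -> bool:
        """A "protect vc" member down, or all "protect group" members down, takes the bundle
        down; assumption: without protection the bundle is down only when every member is."""
        if any(m.protect == "vc" and not m.up for m in self.members):
            return False
        group = [m for m in self.members if m.protect == "group"]
        if group and not any(m.up for m in group):
            return False
        return any(m.up for m in self.members)


def sample_bundle() -> VcBundle:
    """The ABC bundle from the guide's "show atm bundle ABC" output (PV = protect vc)."""
    return VcBundle("ABC", [
        BundleMember("ABC-high", "1/107", "7", protect="vc"),
        BundleMember("ABC-med", "1/105", "6", protect="vc"),
        BundleMember("ABC-low", "1/102", "5-0"),
    ])
```

Marking ABC-med down and calling select(6) shows the implicit bump to ABC-low, while bundle_up() turns False because ABC-med is individually protected.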
Link Fragmentation and Interleaving with Virtual Templates Configuration Guidelines

• The 1-Port OC-48c/STM-16 ATM SPA does not support LFI.
• A functional multilink PPP (MLP) bundle requires one virtual access interface operating as a PPP interface, and a second virtual access interface operating as a multilink PPP bundle interface.
• The Cisco IOS software supports a maximum of 1,000 virtual template interfaces per Cisco 7600 series router.
• When LFI is configured on a PVC, the output packets counter in the show atm pvc command counts all fragments of a packet as a single packet, and does not display the actual number of fragmented packets that were output. For example, if a packet is fragmented into four fragments, the output packets counter shows only one packet, not four. The output bytes counter is accurate, however, and you can also display the total number of fragmented packets on all PVCs on the interface with the show interface atm command.
• LFI supports three protocol formats: AAL5CISCOPPP, AAL5MUX, and AAL5SNAP.
• For fragmentation to function, a QoS service policy having a minimum of two QoS queues needs to be applied to the virtual template interface.
• For dLFI to work properly and to be supported, the following commands must already be configured on the Virtual Template interface:
  – ppp multilink
  – ppp multilink interleave
  – service-policy output policy-name

Note: The service-policy attached to the Virtual-Template must have at least two queues, one of which contains the priority CLI.

Note: When dLFI is correctly configured on an ATM SPA PVC, which includes ppp multilink, ppp multilink interleave, and service-policy output on the Virtual-Template, the following MLP behavior occurs:
1. Packets with a smaller fragment size are sent without MLP headers as straight PPP frames.
2. Packets with a greater fragment size that are classified in priority LLQ are sent straight without MLP headers as PPP frames and are interleaved between fragmented packets.
3. Packets with a greater fragment size are fragmented and sent with MLP headers.

Link Fragmentation and Interleaving with Virtual Templates Configuration Task

To configure LFI with virtual templates, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface virtual-template number
        Creates a virtual template and enters interface configuration mode.
        • number—Arbitrary value to identify this virtual template.

Step 2  Router(config-if)# bandwidth value
        Specifies the bandwidth, in kbps, for the interfaces that use this virtual template:
        • value—Bandwidth, in kilobits per second, for the interface.

Step 3  Router(config-if)# service-policy input policy-name
        Attaches the specified policy map to the input interface that uses this virtual template:
        • policy-name—Name of the policy map that was created by the policy-map command to be used.

Step 4  Router(config-if)# service-policy output policy-name
        Attaches the specified policy map to the output interface that uses this virtual template:
        • policy-name—Name of the policy map that was created by the policy-map command to be used.

Step 5  Router(config-if)# ppp multilink [bap]
        Enables multilink PPP (MLP) on the interfaces that use this virtual template:
        • bap—(Optional) Enables bandwidth allocation control negotiation and dynamic allocation of bandwidth on a link, using the bandwidth allocation protocol (BAP).
Step 6  Router(config-if)# ppp multilink fragment delay max-delay
        (Optional) Configures the maximum delay for the transmission of a packet fragment on an MLP bundle.
        • max-delay—Maximum amount of time, in milliseconds, that should be required to transmit a fragment. The range is from 1 to 1000, with a default value of 30 for MLP bundles.

Step 7  Router(config-if)# ppp multilink interleave
        Enables interleaving of the fragments of larger packets on an MLP bundle.

Step 8  Router(config-if)# interface atm slot/subslot/port.subinterface point-to-point
        Creates the specified point-to-point subinterface and enters interface configuration mode.

Step 9  Router(config-if)# pvc [name] vpi/vci [ilmi | qsaal]
        Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC configuration mode. The valid values for vpi/vci are:
        • vpi—Specifies the VPI ID. The valid range is 0 to 255.
        • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
        You can also configure the following options:
        • name—(Optional) An arbitrary string that identifies this PVC.
        • ilmi—(Optional) Configures the PVC to use ILMI encapsulation (default).
        • qsaal—(Optional) Configures the PVC to use QSAAL encapsulation.
        Note: When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and automatically switches to its parent subinterface.

Step 10 Router(config-if-atm-vc)# protocol ppp virtual-template number
        Configures the PVC for PPP with the parameters from the specified virtual template.

Step 11 Router(config-if-atm-vc)# end
        Exits ATM VC configuration mode and returns to privileged EXEC mode.

Verifying the Link Fragmentation and Interleaving with Virtual Templates Configuration

To verify a virtual template configuration, display the running configuration for the configured ATM and virtual interfaces:

Router# show running-config interface virtual-template 1
!
interface Virtual-Template1
Current configuration : 373 bytes
!
interface Virtual-Template1
 bandwidth 300
 ip address 23.0.0.1 255.255.255.0
 ppp chap hostname template1
 ppp multilink
 ppp multilink fragment-delay 8
 ppp multilink interleave
 service-policy output lfiqos
!

Router# show running-config interface atm 6/0/1
!
interface ATM6/0/1
 atm idle-cell-format itu
 atm enable-payload-scrambling
 no atm ilmi-keepalive
 pvc 32/32
  vbr-rt 640 640 256
  encapsulation aal5snap
  protocol ppp Virtual-Template1

To display run-time statistics and other information about the currently configured multilink PPP bundles, use the show ppp multilink command:

Router# show ppp multilink
Virtual-Access3, bundle name is north-2
  Bundle up for 00:01:51
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned
  0 discarded, 0 lost received, 1/255 load
  0x0 received sequence, 0x0 sent sequence
  Member links: 1 (max not set, min not set)
    Vi1, since 00:01:38, no frags rcvd, 62 weight, 54 frag size
dLFI statistics:
  DLFI Packets          Pkts In      Pkts Out
  Fragmented         4294967288       3129990
  UnFragmented          1249071             0
  Reassembled           1249071       1564994
  Reassembly Drops            0
  Fragmentation Drops         0
  Out of Seq Frags            0

Note: The show ppp multilink command displays only the packet counters, and not byte counters, for a dLFI configuration on an ATM SPA interface.
Also, the number of fragmented packets shows the number of fragments sent to the SAR assembly, not the number of fragments that are placed on the ATM line. It is possible that the SAR assembly might drop some of these fragments on the basis of Layer 3 QoS limits.

Configuring the Distributed Compressed Real-Time Protocol

The distributed Compressed Real-Time Protocol (dCRTP) compresses the 40 bytes of the IP/UDP/RTP packet headers down to between only two and four bytes in a distributed fast-switching and distributed Cisco Express Forwarding (dCEF) network. This compression reduces the packet size, improves the speed of packet transmission, and reduces packet latency, especially on cell-based interfaces, such as ATM interfaces.

Distributed Compressed Real-Time Protocol Configuration Guidelines

When configuring dCRTP, consider the following guidelines:
• Distributed CEF switching or distributed fast switching must be enabled on the interface.
• PPP must be used on the interface or subinterface.

Distributed Compressed Real-Time Protocol Configuration Task

To enable and configure dCRTP on an ATM interface, virtual template interface, or a dialer template interface, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port
        or
        Router(config)# interface virtual-template number
        or
        Router(config)# interface dialer number
        Enters interface configuration mode for an interface on the ATM SPA, or for a virtual template or dialer template interface.

Step 2  Router(config-if)# ip rtp header-compression [passive]
        Enables RTP header compression.
        • passive—(Optional) Compresses outgoing RTP packets only if incoming RTP packets on the same interface are compressed. The default compresses all RTP packets on the interface.

Step 3  Router(config-if)# ip tcp header-compression [passive]
        Enables TCP header compression.
        • passive—(Optional) Compresses outgoing TCP packets only if incoming TCP packets on the same interface are compressed. The default compresses all TCP packets on the interface.
        Note: By default, RTP and TCP header compression are enabled on ATM interfaces when they are configured with an IP address. You do not need to give the ip rtp header-compression and ip tcp header-compression commands unless you have previously disabled these features, or you want to use the passive options.

Step 4  Router(config-if)# ip rtp compression-connections number
        Specifies the total number of RTP header compression connections that can be supported on the interface.
        • number—Number of RTP header compression connections. The valid range is 3 to 1000, with a default of 32 connections (16 calls).

Step 5  Router(config-if)# ip tcp compression-connections number
        Specifies the total number of TCP header compression connections that can be supported on the interface.
        • number—Number of TCP header compression connections. The valid range is 3 to 1000, with a default of 32 connections (16 calls).

Step 6  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Verifying the Distributed Compressed Real-Time Protocol Configuration

To verify the dCRTP configuration of an ATM interface, use the show running-config interface virtual-template command:

Router# show running-config interface virtual-template 1
!
interface Virtual-Template1
 bandwidth 2320
 ip unnumbered Loopback2
 max-reserved-bandwidth 100
 ip tcp header-compression
 ppp multilink
 ppp multilink fragment delay 4
 ppp multilink interleave
 ip rtp header-compression

Configuring Automatic Protection Switching

The ATM SPAs support 1+1 Automatic Protection Switching (APS) on PVCs as described in section 5.3 of the Telcordia publication GR-253-CORE SONET Transport Systems: Common Generic Criteria. APS redundancy is supported at the line layer, so that when an OC-3c, OC-12c, or OC-48c link fails, all of the PVCs that are carried by that link are switched simultaneously.

Note: APS is not supported for SVCs.

In an APS configuration, a redundant ATM interface (the Protect interface) is configured for every active ATM interface (the Working interface). If the Working interface goes down, the Protect interface automatically switches over and continues communication over the interface’s PVCs. The APS Protect Group Protocol (PGP), which runs on top of User Datagram Protocol (UDP), provides communication between the Working and Protect interfaces. This communication occurs over a separate out-of-band (OOB) communication channel, such as an Ethernet link. In the case of degradation, loss of channel signal, or manual intervention, the APS software on the Protect interface sends APS PGP commands to activate or deactivate the Working interface as necessary. If the communication channel between the Working and Protect interfaces is lost, the Working interface assumes full control, as if no Protect interface existed. The performance enhancement of PPP/MLPPP APS does not impact the original PPP/MLPPP scalability on Cisco 7600. Figure 7-4 shows a simple example of a pair of Working and Protect interfaces on a single router.
Figure 7-4 Basic Automatic Protection Switching Configuration
[Figure: Router A with ATM3/0/0 as the Working interface and ATM4/0/0 as the Protect interface, both connected to SONET network equipment (Add Drop Multiplexer, ADM).]

Tip: If possible, use separate SPAs to provide the Working and Protect interfaces, as shown in Figure 7-4. This technique removes the SPA as a potential single point of failure, which would be the case if the same SPA provided both the Working and Protect interfaces.

Multiple routers can be using APS at the same time. For example, Figure 7-5 shows a simple example of two routers that each have one pair of Working and Protect interfaces. In this configuration, the two routers are independently configured.

Figure 7-5 Sample Automatic Protection Switching Configuration with Multiple Routers
[Figure: Router-A with ATM 4/0/0 (working) and ATM 4/0/1 (protect), and Router-B with ATM 3/1/0 (working) and ATM 3/1/1 (protect), all connected to an ADM.]

You can also configure multiple routers with APS so that interfaces on one router can provide protection for the interfaces on another router. This provides protection in case a router experiences a major system problem, such as a processor fault. Figure 7-6 shows a basic example of two routers that each have one Working ATM interface. Each router also has one Protect interface that provides protection for the other router’s Working interface. Note that this configuration requires a separate out-of-band (OOB) communication link between the two routers, which in this case is provided by the Ethernet network.

Figure 7-6 Sample Multiple Router Protection with Automatic Protection Switching
[Figure: Router A with ATM2/0/0 (Working interface 10) and ATM3/0/0 (Protect interface 20); Router B with ATM2/0/0 (Working interface 20) and ATM3/0/0 (Protect interface 10). Both routers connect to SONET network equipment (ADM) and to each other through their E1/0/0 Ethernet interfaces.]

An APS configuration requires the following steps:
• Configure the Working interface with the desired IP addresses, subinterfaces, and PVCs. Also assign the interface to an APS group and designate it as the Working interface.
• Create a loopback circuit for communication between the Working and Protect interfaces. This is optional, because you can also use any valid IP address on the router. However, we recommend using a loopback interface because it is always up and provides connectivity between the two interfaces as long as any communication path exists between them.
• Configure the Protect interface with the same subinterfaces and PVCs that were configured on the Working interface. The Protect interface should also be configured with an IP address that is on the same subnet as the Working interface.

Tip: Always configure the Working interface before the Protect interface, so as to prevent the Protect interface from becoming active and disabling the circuits on the Working interface.

Automatic Protection Switching Configuration Guidelines

When configuring APS, consider the following guidelines:
• The Working and Protect interfaces must be compatible (that is, both OC-3c or both OC-12c interfaces). The interfaces can be on the same SPA, different SPAs in the same router, or different SPAs in different routers.
• If using interfaces on different routers, the two routers must have a network connection other than the ATM connection (such as through an Ethernet LAN). Because the APS PGP is UDP traffic, this network connection should be reliable with a minimum number of hops.
• Configure the Working ATM interface with the desired IP addresses and other parameters, as described in the “Required Configuration Tasks” section on page 7-2 and the “Configuring SONET and SDH Framing” section on page 7-76.
• Configure the desired PVCs on the Working interface, as described in the different procedures that are listed in the “Creating a Permanent Virtual Circuit” section on page 7-8.
• The IP addresses on the Working and Protect interfaces should be in the same subnet.
• APS is not supported on SVCs.

Automatic Protection Switching Configuration Task

To configure the Working and Protect interfaces on the ATM SPAs for basic APS operation, perform the following procedure beginning in global configuration mode. For complete information on APS, including information on additional APS features, refer to the “Configuring ATM Interfaces” chapter in the Cisco IOS Interface Configuration Guide, Release 12.2.

Step 1  Router(config)# interface loopback interface-number
        Creates a loopback interface and enters interface configuration mode:
        • interface-number—An arbitrary value from 0 to 2,147,483,647 that uniquely identifies this loopback interface.

Step 2  Router(config-if)# ip address ip-address mask [secondary]
        Specifies the IP address and subnet mask for this loopback interface. If the Working and Protect interfaces are on the same router, this IP address should be in the same subnet as the Working interface. If the Working and Protect interfaces are on different routers, this IP address should be in the same subnet as the Ethernet interface that provides the connectivity between the two routers. Repeat this command with the secondary keyword to specify additional IP addresses to be used for this interface.

Step 3  Router(config-if)# interface atm slot/subslot/port
        Enters interface configuration mode for the Working interface on the ATM SPA.
Step 4  Router(config-if)# ip address ip-address mask [secondary]
        Specifies the IP address and subnet mask for the Working interface. Repeat this command with the secondary keyword to specify additional IP addresses to be used for the interface.

Step 5  Router(config-if)# aps group group-number
        Enables the use of the APS Protect Group Protocol for this Working interface.
        • group-number—Unique number identifying this pair of Working and Protect interfaces.
        Note: The aps group command is optional if this is the only pair of Working and Protect interfaces on the router, but is required when you configure more than one pair of Working and Protect interfaces on the same router.

Step 6  Router(config-if)# aps working circuit-number
        Identifies the interface as the Working interface.
        • circuit-number—Identification number for this particular channel in the APS pair. Because only 1+1 redundancy is supported, the only valid values are 0 or 1, and the Working interface defaults to 1.

Step 7  Router(config-if)# aps authentication security-string
        (Optional) Specifies a security string that must be included in every OOB message sent between the Working and Protect interfaces.
        • security-string—Arbitrary string to be used as a password between the Working and Protect interfaces. This string must match the one configured on the Protect interface.

Step 8  Router(config-if)# interface atm slot/subslot/port
        Enters interface configuration mode for the Protect interface on the ATM SPA.

Step 9  Router(config-if)# ip address ip-address mask [secondary]
        Specifies the IP address and subnet mask for the Protect interface.
        Note: This should be the same address that was configured on the Working interface in Step 4.
        Repeat this command with the secondary keyword to specify additional IP addresses to be used for the interface.
        These should match the secondary IP addresses that are configured on the Working interface.

Step 10 Router(config-if)# aps group group-number
        Enables the use of the APS Protect Group Protocol for this Protect interface.
        • group-number—Unique number identifying this pair of Working and Protect interfaces.
        Note: The aps group command is optional if this is the only pair of Working and Protect interfaces on the router, but is required when you configure more than one pair of Working and Protect interfaces on the same router.

Step 11 Router(config-if)# aps protect circuit-number ip-address
        Identifies this interface as the Protect interface:
        • circuit-number—Identification number for this particular channel in the APS pair. Because only 1+1 redundancy is supported, the only valid values are 0 or 1, and the Protect interface defaults to 0.
        • ip-address—IP address for the loopback interface that was configured in Step 2. The Protect interface uses this IP address to communicate with the Working interface.
        Note: If you do not want to use a loopback interface for this configuration, this IP address should be the address of the Working interface if the Protect and Working interfaces are on the same router. If the Working and Protect interfaces are on different routers, this should be the IP address of the Ethernet interface that provides interconnectivity between the two routers.

Step 12 Router(config-if)# aps authentication security-string
        (Optional) Specifies a security string that must be included in every OOB message sent between the Working and Protect interfaces.
        • security-string—Arbitrary string to be used as a password between the Working and Protect interfaces. This string must match the one configured on the Working interface.

Step 13 Router(config-if)# aps revert minutes
        (Optional) Enables the Protect interface to automatically switch back to the Working interface after the Working interface has been up for a specified number of minutes.
        • minutes—Number of minutes until the interface is switched back to the Working interface after the Working interface comes back up.
        Note: If this command is not given, you must manually switch back to the Working interface using either the aps force circuit-number or the aps manual circuit-number command.

Step 14 Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Verifying the Automatic Protection Switching Configuration

To verify the APS configuration on the router, use the show aps command without any options. The following example shows a typical configuration in which the Working interface is the active interface:

Router# show aps
ATM4/0/1 APS Group 1: protect channel 0 (inactive)
        bidirectional, revertive (2 min)
        PGP timers (default): hello time=1; hold time=3
        state:
        authentication = (default)
        PGP versions (native/negotiated): 2/2
        SONET framing; SONET APS signalling by default
        Received K1K2: 0x00 0x05
          No Request (Null)
        Transmitted K1K2: 0x20 0x05
          Reverse Request (protect)
        Working channel 1 at 10.10.10.41 Enabled
        Remote APS configuration: (null)
ATM4/0/0 APS Group 1: working channel 1 (active)
        PGP timers (from protect): hello time=3; hold time=6
        state: Enabled
        authentication = (default)
        PGP versions (native/negotiated): 2/2
        SONET framing; SONET APS signalling by default
        Protect at 10.10.10.41
        Remote APS configuration: (null)

The following sample output is for the same interfaces, except that the Working interface has gone down and the Protect interface is now active:

Router# show aps
ATM4/0/1 APS Group 1: protect channel 0 (active)
        bidirectional, revertive (2 min)
        PGP timers (default): hello time=1; hold time=3
        state:
        authentication = (default)
        PGP versions (native/negotiated): 2/2
        SONET framing; SONET APS signalling by default
        Received K1K2: 0x00 0x05
          No Request (Null)
        Transmitted K1K2: 0xC1 0x05
          Signal Failure - Low Priority (working)
        Working channel 1 at 10.10.10.41 Disabled SF
        Pending local request(s): 0xC (, channel(s) 1)
        Remote APS configuration: (null)
ATM4/0/0 APS Group 1: working channel 1 (Interface down)
        PGP timers (from protect): hello time=3; hold time=6
        state: Disabled
        authentication = (default)
        PGP versions (native/negotiated): 2/2
        SONET framing; SONET APS signalling by default
        Protect at 10.10.10.41
        Remote APS configuration: (null)

Tip: To obtain APS information for a specific ATM interface, use the show aps atm slot/subslot/port command. To display information about the APS groups that are configured on the router, use the show aps group command.
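As an added example that is not part of this guide, the following Python script parses show aps output of the kind shown above into per-interface records and reports the conditions an operator monitoring the APS pair would want to alert on: a Protect channel that has become active, a Working interface that is down, a non-idle transmitted K1 request, and a group still using the default PGP authentication. Its function and field names are its own; the embedded sample is the second show aps example above, abridged, with line breaks reconstructed from the flattened text, and treating "authentication = (default)" as the absence of an aps authentication string is an assumption.

```python
"""Parse Cisco IOS "show aps" output and flag APS states worth attention (added example,
not from the guide). Names here are this script's own; the sample is the guide's second
"show aps" example, abridged, with line breaks reconstructed from the flattened text, and
treating "authentication = (default)" as no configured "aps authentication" string is an
assumption of this script."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the guide's second "show aps" sample: Working down, Protect active.
SAMPLE_SHOW_APS = """\
ATM4/0/1 APS Group 1: protect channel 0 (active)
        bidirectional, revertive (2 min)
        PGP timers (default): hello time=1; hold time=3
        state:
        authentication = (default)
        Received K1K2: 0x00 0x05
          No Request (Null)
        Transmitted K1K2: 0xC1 0x05
          Signal Failure - Low Priority (working)
        Working channel 1 at 10.10.10.41 Disabled SF
        Pending local request(s): 0xC (, channel(s) 1)
ATM4/0/0 APS Group 1: working channel 1 (Interface down)
        PGP timers (from protect): hello time=3; hold time=6
        state: Disabled
        authentication = (default)
        Protect at 10.10.10.41
"""

# K1 request codes as labelled in the guide's output (high nibble); low nibble = channel.
K1_REQUESTS = {0x0: "No Request", 0x2: "Reverse Request", 0xC: "Signal Failure - Low Priority"}

HEADER = re.compile(r"^(\S+) APS Group (\d+): (working|protect) channel (\d+) \(([^)]*)\)")
TIMERS = re.compile(r"^PGP timers \([^)]*\): hello time=(\d+); hold time=(\d+)")
K1K2 = re.compile(r"^(Received|Transmitted) K1K2: (0x[0-9A-Fa-f]+) 0x[0-9A-Fa-f]+")
WORKING_AT = re.compile(r"^Working channel \d+ at (\S+)\s*(.*)$")
PROTECT_AT = re.compile(r"^Protect at (\S+)")


@dataclass
class ApsEntry:
    interface: str
    group: int
    role: str                           # "working" or "protect"
    channel: int
    status: str                         # text in parentheses: active, inactive, Interface down
    state: Optional[str] = None         # "Enabled", "Disabled", or None when the line is blank
    authentication: Optional[str] = None
    hello: Optional[int] = None
    hold: Optional[int] = None
    k1_rx: Optional[int] = None         # received K1 byte
    k1_tx: Optional[int] = None         # transmitted K1 byte
    peer_ip: Optional[str] = None       # address of the other interface of the pair
    peer_state: Optional[str] = None    # e.g. "Enabled" or "Disabled SF", as seen by Protect


def decode_k1(k1: int) -> Tuple[str, int]:
    """(request name, channel) for a K1 byte; unknown request codes are shown in hex."""
    return K1_REQUESTS.get(k1 >> 4, f"request code 0x{k1 >> 4:X}"), k1 & 0xF


def parse_show_aps(text: str) -> List[ApsEntry]:
    entries: List[ApsEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:                           # a new per-interface block starts here
            entries.append(ApsEntry(h[1], int(h[2]), h[3], int(h[4]), h[5]))
            continue
        if not entries or not line:
            continue
        e = entries[-1]
        if (m := TIMERS.match(line)):
            e.hello, e.hold = int(m[1]), int(m[2])
        elif line.startswith("state:"):
            e.state = line[len("state:"):].strip() or None
        elif line.startswith("authentication = "):
            e.authentication = line[len("authentication = "):]
        elif (m := K1K2.match(line)):
            setattr(e, "k1_rx" if m[1] == "Received" else "k1_tx", int(m[2], 16))
        elif (m := WORKING_AT.match(line)):
            e.peer_ip, e.peer_state = m[1], m[2] or None
        elif (m := PROTECT_AT.match(line)):
            e.peer_ip = m[1]
    return entries


def alerts(entries: List[ApsEntry]) -> List[str]:
    """Conditions an operator would want to be told about, one message each."""
    out: List[str] = []
    for e in entries:
        if e.role == "protect" and e.status == "active":
            out.append(f"{e.interface}: protect channel active in group {e.group} (switchover)")
        if e.role == "working" and e.status != "active":
            out.append(f"{e.interface}: working channel not active ({e.status})")
        if e.k1_tx is not None and decode_k1(e.k1_tx)[0] != "No Request":
            request, channel = decode_k1(e.k1_tx)
            out.append(f"{e.interface}: transmitting K1 '{request}' for channel {channel}")
        if e.authentication == "(default)":
            out.append(f"{e.interface}: default PGP authentication, no aps authentication string")
    return out
```

Running alerts(parse_show_aps(SAMPLE_SHOW_APS)) yields five messages for the sample, including the switchover on ATM4/0/1 and the down Working interface ATM4/0/0; on the first (healthy) show aps example above only the default-authentication messages remain.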
Configuring Access Circuit Redundancy on SIP-400 ATM SPAs

The ATM Automatic Protection Switching (APS) mechanism takes a longer switchover time with a pseudowire configuration, because the pseudowire needs to come up on switchover. To reduce the switchover time, ATM provides Access Circuit Redundancy (ACR) for ATM clients in a single router APS (SR APS) environment. This ensures low data traffic downtime in case of a switchover.

QoS support on an ATM SPA with ACR configured supports all the QoS features allowed on Layer 2 transport PVCs on ATM SPAs.

ATM Asynchronous Functionality

Additionally, when there is a local attachment circuit fault, the data plane needs to stay up. ATM VCs and VPs are provided with an enable and disable function, so that they remain provisioned when the interface is configured with shutdown or no shutdown, respectively. Earlier, a fault scenario led to a teardown of the ATM VC/VP, which blocked all types of traffic. With the new feature, a complete teardown of the VC/VP is not executed; the VC/VP remains provisioned in the hardware. This feature supports AAL5 and AAL0 encapsulation with cell packing. The enabling and disabling of the ATM VC/VP is done asynchronously. To enable the async feature, you must configure atm asynchronous under the ATM interface. Local switching and pseudowire redundancy are not supported.

Restrictions

The following restrictions apply while configuring ACR, and QoS support on ACR, on the Cisco 7600 SIP-400 ATM SPAs:

  • The pseudowire should not have a data loss of more than 100 ms when the APS switchover is done on the physical layer.
  • ACR supports 4000 pseudowire configurations per chassis.
  • ATM interfaces that are part of an ACR group can be configured only using the virtual interface. However, some configurations are allowed under the physical ACR members, such as the Layer 1 configuration commands.
  • PVC or PVP and xconnect configuration are visible only under the virtual ATM interfaces.
  • Service-policy is supported only on a PVC under an ACR interface.
  • Currently the interface counters on the route processor are updated by choosing the incremental statistics corresponding to the active interface at any point in time. The ATM PVC statistics are updated in the same way. Given this approach, the receive interface statistics are always accurate, but the transmit statistics drift away from the actual value with every APS switchover. The inaccuracy in the transmit interface statistics is approximately 5 to 8 seconds of traffic per APS switchover. The MPLS counters for the ACR MPLS show accurate statistics in both directions and are reliable independent of switchover.
  • When the protect interface of an ACR group is active and the protect LC is hard-OIRed, the APS switchover time is close to 1 second.
    You must do a manual APS switchover, using the manual, force, or shut options on the member, and bring up the other member interface before the physical OIR of the line card or SPA.

Configuring the ACR Interface

SUMMARY STEPS

Step 1  interface atm interface
        aps group acr acr-no
        aps working circuit-number

Step 2  interface atm interface
        aps group acr acr-no
        aps protect circuit-number ip-address
        aps revert minutes

DETAILED STEPS

The following commands configure the ACR interface:

Step 1  Router(config)# interface atm interface
        Router(config-if)# aps group acr acr-no
        Router(config-if)# aps working circuit-number

        Enters ATM interface configuration mode.
        aps group: configures the APS group for an interface.
        acr: configures the ACR group on top of APS.
        acr-no: specifies a group number between 0 and 255. An ACR virtual interface is created.
        circuit-number: identification number for this particular channel in the APS pair. Because only 1+1 redundancy is supported, the only valid values are 0 or 1, and the Working interface defaults to 1.

Step 2  Router(config)# interface atm interface
        Router(config-if)# aps group acr acr-no
        Router(config-if)# aps protect circuit-number ip-address
        Router(config-if)# aps revert minutes

        Enters ATM interface configuration mode.
        aps group: configures the APS group for an interface.
        acr: configures the ACR group on top of APS.
        acr-no: specifies a group number between 0 and 255. An ACR virtual interface is created.
        circuit-number: identification number for this particular channel in the APS pair. Because only 1+1 redundancy is supported, the only valid values are 0 or 1, and the Working interface defaults to 1.

        Note: When the virtual interface is created, apart from APS no other configuration is possible under the corresponding physical interface. All interface configuration must be applied under the virtual ACR interface.

        aps protect: identifies this interface as the Protect interface.
          • circuit-number: identification number for this particular channel in the APS pair. Because only 1+1 redundancy is supported, the only valid values are 0 or 1, and the Protect interface defaults to 0.
          • ip-address: IP address of the loopback interface. The Protect interface uses this IP address to communicate with the Working interface.

        Note: The APS group can be active or inactive. Active: the interface that is currently sending and receiving data. Inactive: the interface that is currently standing by to take over when the active one fails.

        aps revert: configures the ACR interface as revertive. The minutes argument specifies the time, in minutes, after which the revert process begins.

        Note: Use the aps revert command only under the protect member of the ACR group.
Note: To create an ACR interface without any members attached, use the interface acr acr-no command.

Enabling or Disabling the ATM Asynchronous Functionality

SUMMARY STEPS

To enable the async feature:
Step 1  int atm slot/bay/port
Step 2  atm asynchronous

To set the MCPT timers:
Step 1  int atm slot/bay/port
Step 2  atm mcpt-timers 100 1000 1000

To configure cell packing:
Step 1  int atm slot/bay/port
Step 2  pvc 1/100 l2transport
Step 3  atm mcpt-timers 100 1000 1000
Step 4  cell-packing 20 mcpt-timer timer-value

Xconnect configuration:
Step 1  int atm slot/bay/port
Step 2  pvc pvc-id l2transport
Step 3  xconnect ip_address vc_id encapsulation {mpls | l2tpv3}

DETAILED STEPS

The following commands enable or disable the ATM asynchronous functionality and configure the interface with MCPT timers and an encapsulation type using the xconnect command:

Step 1  Router(config)# int atm slot/bay/port
        Enters ATM interface configuration mode.

Step 2  Router(config-if)# atm asynchronous
        Enables or disables the asynchronous functionality on the ATM interface.

Step 3  Router(config-if)# atm mcpt-timers 100 1000 1000
        Sets the MCPT timers on the ATM interface.

Step 4  Router(config-if)# pvc 1/100 l2transport
        Router(config-if)# atm mcpt-timers 100 1000 1000
        Router(cfg-if-atm-l2trans-pvc)# cell-packing 20 mcpt-timer 2
        Configures cell packing on the ATM interface.

Step 5  Router(cfg-if-atm-l2trans-pvc)# xconnect ip_address vc_id encapsulation {mpls | l2tpv3}
        Sets the encapsulation method on the ATM interface using the xconnect command.

Examples

Configuration of an ACR interface and policy attachment:

    interface ATM4/0/0
     aps group acr 1
     aps working 1
    !
    interface ATM4/0/1
     aps group acr 1
     aps revert 2
     aps protect 1 10.7.7.7
    !

This creates the virtual ATM interface:

    interface ACR 1
     no ip address

The following commands can be configured under the PVC of the virtual interface:
  • pvc
  • atm pvp
  • cell-packing
  • class-int
  • map-group
  • service-policy
  • atm asynchronous
  • atm mcpt-timers
  • shut

The following configuration on the ATM interface enables the asynchronous functionality:

    int atm 3/0/0
     atm asynchronous

Other configurations supported with respect to L2VPN with this feature are:

MCPT timer:

    conf t
    int atm 4/0/0
    atm mcpt-timers 100 1000 1000

Cell packing:

    conf t
    int atm 4/0/0
    pvc 1/100 l2transport
    atm mcpt-timers 100 1000 1000
    cell-packing 20 mcpt-timer 2

Xconnect configuration:

    conf t
    int atm 4/0/0
    pvc 1/100 l2transport
    xconnect 22.22.22.22 101 encapsulation mpls

    conf t
    int atm 4/0/0
    pvc 1/100 l2transport
    xconnect 22.22.22.22 101 encapsulation l2tpv3

Configuration in VP/VC mode (the xconnect command takes the peer address first, then the VC ID):

    interface ACR 1
    pvc 1/100 l2transport
    xconnect 2.2.2.2 100 encapsulation mpls
    service-policy out foo
    service-policy in foo

Show commands

show acr group acr-group-no

Example:

    Router# show acr group 10
    ACR Group  Working I/f  Protect I/f  Currently Active  Status
    --------------------------------------------------------------------------
    10         ATM2/1/1     ATM2/1/2     ATM2/1/1

show acr group acr-group-no detail

Example:

    PE2# show acr group 10 detail
    ACR Group  Working I/f  Protect I/f  Currently Active  Status
    --------------------------------------------------------------------------
    10         ATM2/1/1     ATM2/1/2     ATM2/1/1
    ATM PVC Detail
    VPI  VCI  State on Working    State on Protect
    16   100  Provision Success   Provision Success

show acr group

    ACR Group  Working I/f  Protect I/f  Currently Active  Status
    --------------------------------------------------------------------------
    99         ATM4/0/0     ATM4/1/0     ATM4/1/0

The following new show commands have been added in Release 12.2(33)SRE for QoS support:

    show policy-map int ?
      ACR      interface
    show policy-map int ACR ?
      <0-255>  ACR interface number

When the ATM interface is shut down, the VC goes into the inactive state:

    show atm vc
    Codes: DN - DOWN, IN - INACTIVE
    Interface  VCD/Name  VPI  VCI  Type  Encaps  SC   Peak Kbps  Av/Min Kbps  Burst Cells  St
    4/0/0      2         1    100  PVC   SNAP    UBR  149760                               IN
    4/0/0      1         2    200  PVC   AAL5    UBR  149760                               IN

Details of the VC states can be found with show atm vc detail:

    show atm vc detail
    ATM4/0/0: VCD: 1, VPI: 2, VCI: 200
    :: Status: INACTIVE
    Async Status: SETUP_COMP, Admin Status: DISABLED, Flags: Setup

    ATM4/0/0: VCD: 1, VPI: 2, VCI: 200
    :: Status: UP
    Async Status: SETUP_COMP, Admin Status: ENABLED, Flags: Enable

ACR and APS Co-existence

Configuring APS with the same group number as that of ACR is allowed, but members cannot be added to it. However, you can configure a working member in APS and the protect member in ACR, and vice versa.

Sample:

    PE1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    PE1(config)#int atm 2/0/0
    PE1(config-if)#do sh runn int atm 2/0/0
    Building configuration...

    Current configuration : 66 bytes
    !
    interface ATM2/0/0
     no ip address
     no atm enable-ilmi-trap
    end

    PE1(config-if)#aps gr acr 99
    % Unconfigure one of the acr groups already configured before configuring here
    PE1(config-if)#aps gr 99
    PE1(config-if)#aps work 1
    i/f 2/0: APS: Group 99 : already has a working member; command ignored
    PE1(config-if)#aps prot 1 2.2.2.2
    i/f 2/0: APS: Group 99 : already has a protect member; command ignored
    PE1(config-if)#do sh runn int atm 2/0/0
    Building configuration...

    Current configuration : 80 bytes
    !
    interface ATM2/0/0
     no ip address
     no atm enable-ilmi-trap
     aps group 99
    end

    PE1(config-if)#do sh aps
    ATM4/1/0 APS Group 99: protect channel 0 (Active) (HA)
            Working channel 1 at 2.2.3.2 (Disabled) (HA)
            bidirectional, non-revertive
            PGP timers (extended for HA): hello time=1; hold time=10
                    hello fail revert time=120
            SONET framing; SONET APS signalling by default
            Received K1K2: 0x11 0x15
                    Do Not Revert (working); Bridging working
            Transmitted K1K2: 0x21 0x15
                    Reverse Request (working); Bridging working
            Remote APS configuration: (null)
    ATM4/0/0 APS Group 99: working channel 1 (Inactive) (HA)
            Protect at 2.2.3.2
            PGP timers (from protect): hello time=1; hold time=10
            SONET framing
            Remote APS configuration: (null)
    PE1(config-if)#end
    PE1#
    *Mar 16 12:02:59.471 IST: %SYS-5-CONFIG_I: Configured from console by console
    PE1#sh runn int atm 4/0/0
    Building configuration...

    Current configuration : 74 bytes
    !
    interface ATM4/0/0
     no ip address
     aps group acr 99
     aps working 1
    end

    PE1#sh runn int atm 4/1/0
    Building configuration...

    Current configuration : 82 bytes
    !
    interface ATM4/1/0
     no ip address
     aps group acr 99
     aps protect 1 2.2.3.2
    end

    PE1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    PE1(config)#default int atm 4/0/0
    WARNING: use of this command will result in reset of the interface.
    This will cause traffic outage.
    Are you sure you want to continue? [no]: yes
    Interface ATM4/0/0 set to default configuration
    PE1(config)#
    *Mar 16 12:03:57.923 IST: %SONET-4-ALARM: ATM4/0/0: APS enabling channel
    *Mar 16 12:03:57.927 IST: %SONET-6-APSREMSWI: ATM4/0/0 (grp 99 chn 1: ACTIVE): Remote APS status now non-aps
    PE1(config)#do sh runn int atm 4/0/0
    Building configuration...

    Current configuration : 66 bytes
    !
    interface ATM4/0/0
     no ip address
     no atm enable-ilmi-trap
    end

    PE1(config)#
    *Mar 16 12:04:07.539 IST: %SONET-3-APSCOMMLOST: ATM4/1/0 (grp 99 chn 0: ACTIVE): Link to working channel lost
    PE1(config)#do sh aps
    ATM4/1/0 APS Group 99: protect channel 0 (Active) (HA)
            Working channel 1 at 2.2.3.2 (no contact) (HA)
            bidirectional, non-revertive
            PGP timers (extended for HA): hello time=1; hold time=10
                    hello fail revert time=120
            SONET framing; SONET APS signalling by default
            Received K1K2: 0x11 0x15
                    Do Not Revert (working); Bridging working
            Transmitted K1K2: 0x21 0x15
                    Reverse Request (working); Bridging working
            Remote APS configuration: (null)
    PE1(config)#int atm 4/0/0
    PE1(config-if)#aps gr 99
    PE1(config-if)#aps work 1
    PE1(config-if)#
    *Mar 16 12:04:34.063 IST: %SONET-4-ALARM: ATM4/0/0: APS disabling channel
    *Mar 16 12:04:34.063 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/0/0, changed state to down
    *Mar 16 12:04:34.543 IST: %SONET-3-APSCOMMEST: ATM4/1/0 (grp 99 chn 0: ACTIVE): Link to working channel established - PGP protocol version 4
    PE1(config-if)#end
    PE1#
    *Mar 16 12:04:44.991 IST: %SYS-5-CONFIG_I: Configured from console by console
    PE1#sh acr gr
    ACR Group  Working I/f  Protect I/f  Currently Active  Status
    --------------------------------------------------------------------------
    99                      ATM4/1/0     ATM4/1/0
    PE1#sh aps
    ATM4/1/0 APS Group 99: protect channel 0 (Active) (HA)
            Working channel 1 at 2.2.3.2 (Disabled) (HA)
            bidirectional, non-revertive
            PGP timers (extended for HA): hello time=1; hold time=10
                    hello fail revert time=120
            SONET framing; SONET APS signalling by default
            Received K1K2: 0x11 0x15
                    Do Not Revert (working); Bridging working
            Transmitted K1K2: 0x21 0x15
                    Reverse Request (working); Bridging working
            Remote APS configuration: (null)
    ATM4/0/0 APS Group 99: working channel 1 (Inactive) (HA)
            Protect at 2.2.3.2
            PGP timers (from protect): hello time=1; hold time=10
            SONET framing
            Remote APS configuration: (null)

Configuring SONET and SDH Framing

The default framing on the ATM OC-3c and OC-12c SPAs is SONET, but the interfaces also support SDH framing.

Note: In ATM environments, the key difference between SONET and SDH framing modes is the type of cell transmitted when no user or data cells are available. The ATM Forum specifies the use of idle cells when unassigned cells are not being generated. More specifically, in Synchronous Transport Module-X (STM-X) mode, an ATM interface sends idle cells for cell-rate decoupling. In Synchronous Transport Signal-Xc (STS-Xc) mode, the ATM interface sends unassigned cells for cell-rate decoupling.

Note: The interface configuration command atm sonet stm-1 is not supported from the 12.2(33)SRC release. If you are using 12.2(33)SRC or a later version, use the atm framing sdh command instead of the atm sonet stm-1 command.

To change the framing type and configure optional parameters, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port
        Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2  Router(config-if)# atm clock internal
        (Optional) Configures the interface to use its own internal (onboard) clock to clock transmitted data. The default (no atm clock internal) configures the interface to use the transmit clock signal that is recovered from the receive data stream, allowing the switch to provide the clocking source.

Step 3  Router(config-if)# atm framing {sdh | sonet}
        (Optional) Configures the interface for either SDH or SONET framing. The default is SONET.

Step 4  Router(config-if)# [no] atm sonet report {all | b1-tca | b2-tca | b3-tca | default | lais | lrdi | pais | plop | pplm | prdi | ptim | puneq | sd-ber | sf-ber | slof | slos}
        (Optional) Enables ATM SONET alarm reporting on the interface. The default is for all reports to be disabled. You can enable an individual alarm, or you can enable all alarms with the all keyword.
        Note: This command also supports a none [ignore] option, which cannot be used with any of the other options. See the "Configuring for Transmit-Only Mode" section for details.

Step 5  Router(config-if)# [no] atm sonet-threshold {b1-tca value | b2-tca value | b3-tca value | sd-ber value | sf-ber value}
        (Optional) Configures the BER threshold values on the interface. The value specifies a negative exponent to the power of 10 (10 to the power of minus value) for the threshold. The default values are the following:
          • b1-tca = 6 (10e-6)
          • b2-tca = 6 (10e-6)
          • b3-tca = 6 (10e-6)
          • sd-ber = 6 (10e-6)
          • sf-ber = 3 (10e-3)

Step 6  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Verifying the SONET and SDH Framing Configuration

To verify the framing configuration, use the show controllers atm command:

    Router# show controllers atm 5/0/1
    Interface ATM5/0/1 is up
    Framing mode: SONET OC3 STS-3c
    SONET Subblock:
    SECTION
      LOF = 0          LOS    = 0                            BIP(B1) = 603
    LINE
      AIS = 0          RDI    = 2          FEBE = 2332       BIP(B2) = 1018
    PATH
      AIS = 0          RDI    = 1          FEBE = 28         BIP(B3) = 228
      LOP = 0          NEWPTR = 0          PSE  = 1          NSE     = 2

    Active Defects: None
    Active Alarms:  None
    Alarm reporting enabled for: LOF LOS B1-TCA B2-TCA SF LOP B3-TCA

    ATM framing errors:
      HCS (correctable):   0
      HCS (uncorrectable): 0

    APS
      COAPS = 0          PSBF = 0
      State: PSBF_state = False
      Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
      Rx Synchronization Status S1 = 00
      S1S0 = 00, C2 = 00
    PATH TRACE BUFFER : STABLE

    BER thresholds:  SF = 10e-3  SD = 10e-6
    TCA thresholds:  B1 = 10e-7  B2 = 10e-6  B3 = 10e-6

    Clock source: line

The following example verifies the framing configuration for a 1-Port or 3-Port Clear Channel OC-3 ATM SPA using the show controllers atm command:

    Router# show controllers atm 0/2/2
    Interface ATM0/2/2 (SPA-3XOC3-ATM-V2[0/2]) is up
    Framing mode: SONET OC3 STS-3c
    SONET Subblock:
    SECTION
      LOF = 0          LOS    = 1                            BIP(B1) = 0
    LINE
      AIS = 0          RDI    = 1          FEBE = 55         BIP(B2) = 0
    PATH
      AIS = 0          RDI    = 1          FEBE = 21         BIP(B3) = 0
      LOP = 1          NEWPTR = 0          PSE  = 0          NSE     = 0

    Active Defects: None
    Active Alarms:  None
    Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA

    ATM framing errors:
      HCS (correctable):   0
      HCS (uncorrectable): 0

    APS not configured
      COAPS = 0          PSBF = 0
      State: PSBF_state = False
      Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
      Rx Synchronization Status S1 = 00
      S1S0 = 00, C2 = 13
    PATH TRACE BUFFER : STABLE

    BER thresholds:  SF = 10e-3  SD = 10e-6
    TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6

    Clock source: line

Configuring for Transmit-Only Mode

The ATM SPAs support operation in a transmit-only mode, where a receive fiber does not need to be connected. This mode is typically used for one-way applications, such as video-on-demand. By default, the lack of a receive path generates continuous framing errors, which bring the ATM interface down. To prevent this, you must configure the ATM interface to disable and ignore all ATM SONET alarms. The 1-Port OC-48c/STM-16 ATM SPA default framing is SONET.

Note: This configuration violates the ATM specifications for alarm reporting.

Transmit-Only Mode Configuration Guidelines

When an ATM interface has been configured to ignore ATM SONET alarms, you cannot configure an IP address (or other Layer 3 parameter) on the interface. Similarly, you must remove all IP addresses (and all other Layer 3 parameters) from the interface before beginning this procedure.
Transmit-Only Mode Configuration Task

To configure the ATM interface to disable and ignore all ATM SONET alarms, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port[.subinterface]
        Enters interface (or subinterface) configuration mode for the indicated port on the specified ATM SPA.

Step 2  Router(config-if)# no ip address ip-address mask
        Removes the IP address that is assigned to this interface (if one has been configured). All IP and other Layer 3 configuration must be removed from the interface before ATM SONET alarms can be ignored.

Step 3  Router(config-if)# atm sonet report none ignore
        Disables the generation of all ATM SONET alarms, and instructs the ATM interface to remain up and operational when such alarm conditions exist.

Step 4  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Configuring AToM Cell Relay VP Mode

Transporting ATM data that is not framed using AAL5 requires relaying individual cells over the MPLS cloud. Cells can be transported over the MPLS cloud in Single Cell Relay (SCR) or Packed Cell Relay (PCR) form. Cell relay may be based on the VP mode. VP mode transports cells belonging to a VP (cells with the same VPI) over the MPLS cloud, either in single or packed form.

For more information on AToM configuration, see the feature documentation for Any Transport over MPLS at:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport.html#wp1046670

To configure Any Transport over MPLS (AToM) Cell Relay in VP Mode, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port
        Enters interface configuration mode for the indicated port on the specified ATM SPA.

Step 2  Router(config-if)# no ip address ip-address mask
        Removes the IP address that is assigned to this interface (if one has been configured).

Step 3  Router(config-if)# atm pvp vpi l2transport
        Creates a permanent virtual path (PVP) used to multiplex (or bundle) one or more virtual circuits (VCs).

Step 4  Router(config-if)# xconnect peer-router-id vcid encapsulation mpls
        Routes Layer 2 packets over a specified point-to-point VC by using Ethernet over multiprotocol label switching (EoMPLS).

Step 5  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

VP Mode Configuration Guidelines

When configuring ATM Cell Relay over MPLS in VP mode, use the following guidelines:

  • You do not need to enter the encapsulation aal0 command in VP mode.
  • One ATM interface can accommodate multiple types of ATM connections. VP cell relay, VC cell relay, and ATM AAL5 over MPLS can coexist on one ATM interface.
  • If a VPI is configured for VP cell relay, you cannot configure a PVC using the same VPI.
  • VP trunking (mapping multiple VPs to one emulated VC label) is not supported in this release. Each VP is mapped to one emulated VC.
  • Each VP is associated with one unique emulated VC ID. The AToM emulated VC type is ATM VP Cell Transport.
  • The AToM control word is supported. However, if a peer PE does not support the control word, it is disabled. This negotiation is done by LDP label binding.
  • VP mode (and VC mode) drop idle cells.
VP Mode Configuration Example

The following example transports single ATM cells over a virtual path:

    Router# pseudowire-class vp-cell-relay
     encapsulation mpls
    int atm 1/0/0
     xconnect 10.0.0.1 123 pw-class vp-cell-relay

Verifying ATM Cell Relay VP Mode

The following show atm vp command shows that the interface is configured for VP mode cell relay:

    Router# show atm vp 1
    ATM5/0 VPI: 1, Cell Relay, PeakRate: 149760, CesRate: 0, DataVCs: 1, CesVCs: 0, Status: ACTIVE
      VCD  VCI  Type  InPkts  OutPkts  AAL/Encap  Status
      6    3    PVC   0       0        F4 OAM     ACTIVE
      7    4    PVC   0       0        F4 OAM     ACTIVE
    TotalInPkts: 0, TotalOutPkts: 0, TotalInFast: 0, TotalOutFast: 0, TotalBroadcasts: 0
    TotalInPktDrops: 0, TotalOutPktDrops: 0

Configuring Packed Cell Relay over Multi-Protocol Label Switching (PCRoMPLS) on SIP-400 for CEoP and 1-Port OC-48c/STM-16 ATM SPA

Interconnecting ATM networks requires relaying individual cells over the MPLS cloud. Transport of ATM data not framed using AAL5 also requires transport of individual cells over the MPLS cloud. Cell relay has two versions:
  • Single Cell Relay
  • Packed Cell Relay

These are available through three modes:
  • VC mode
  • VP mode
  • Port mode

Configuration Steps

To configure PCRoMPLS on SIP-400 for CEoP and the 1-Port OC-48c/STM-16 ATM SPA, run the commands listed in the following sections.

SUMMARY STEPS

Step 1  atm mcpt-timers timer-values
Step 2  cell-packing 2 mcpt-timer 1
Step 3  xconnect 11.11.11.11 72337 encapsulation mpls

DETAILED STEPS

Step 1  Router(config-if)# atm mcpt-timers timer-values
        Defines the values of the three Maximum Cell Packing Timeout (MCPT) timers under the main ATM interface.

Step 2  Router(config-if)# cell-packing 2 mcpt-timer 1
        Enables cell packing, with the maximum number of cells allowed to be packed in a packet and the MCPT timer to use.

Step 3  Router(config-if)# xconnect 11.11.11.11 72337 encapsulation mpls
        Routes Layer 2 packets over a specified point-to-point VC.

Configuration Example

    interface ATM1/1/1
     no ip address
     logging event link-status
     atm clock INTERNAL
     atm mcpt-timers 100 200 300
     no atm enable-ilmi-trap
     cell-packing 2 mcpt-timer 1
     no snmp trap link-status
     xconnect 11.11.11.11 72337 encapsulation mpls

Or on a CHOC port:

    controller SONET 8/3/0
     framing sonet
     clock source line
     !
     sts-1 1
      mode vt-15
      vtg 1 t1 1 atm
    !
    !
    interface ATM8/3/0.1/1/1
     no ip address
     atm mcpt-timers 500 1000 1500
     no atm enable-ilmi-trap
     cell-packing 2 mcpt-timer 1
     xconnect 11.11.11.11 72338 encapsulation mpls
    !

Sample of PCRoMPLS using a pseudowire pw-class:

    !
    pseudowire-class pw_mpls
     encapsulation mpls
    !
    interface ATM8/3/0.1/1/1
     no ip address
     atm mcpt-timers 500 1000 1500
     no atm enable-ilmi-trap
     xconnect 11.11.11.11 72338 pw-class pw_mpls
    !

PCRoMPLS using the cell-packing command:

    interface ATM8/3/0.1/1/1
     no ip address
     atm mcpt-timers 500 1000 1500
     no atm enable-ilmi-trap
     cell-packing 2 mcpt-timer 1
     xconnect 11.11.11.11 72338 encapsulation mpls
    !

Or (note that the interface must be shut down before the MCPT values can be modified):

    PE1(config)#interface ATM2/1/0
    PE1(config-if)#atm mcpt-timers
    shutdown interface before modify mcpt values
    PE1(config-if)#shutdown
    PE1(config-if)#atm mcpt-timers
    PE1(config-if)# pvc 3/100 l2transport
    PE1(cfg-if-atm-l2trans-pvc)# cell-packing 20 mcpt-timer 3
    PE1(cfg-if-atm-l2trans-pvc)# encapsulation aal0
    PE1(cfg-if-atm-l2trans-pvc)# xconnect 10.0.0.5 100 encapsulation mpls
    PE1(cfg-if-atm-l2trans-pvc-xconn)# !
    PE1(cfg-if-atm-l2trans-pvc-xconn)#end

Sample configuration on a SONET interface using xconnect:

    osr3(config)#Controller SONET 8/3/0
    osr3(config-controller)#sts-1 ?
      <1-3>  sts-1 number
    osr3(config-ctrlr-sts1)#vtg ?
      <1-7>  vtg number <1-7>
    osr3(config-ctrlr-sts1)#vtg 1 t1 ?
      <1-4>  t1 line number <1-4>

    Controller SONET 8/3/0
     framing sonet
     clock source line
     !
     sts-1 1
      mode vt-15
      vtg 1 t1 1 atm
    !
    interface ATM8/3/0.1/1/1
     no ip address
     atm mcpt-timers 500 1000 1500
     no atm enable-ilmi-trap
     cell-packing 28 mcpt-timer 3
     xconnect 11.11.11.11 72338 encapsulation mpls
    !

Send bidirectional traffic from end to end with all the different framing types:

    (config-controller)#framing ?
      esf       Extended Superframe
      sf        Superframe
      unframed  Clear T1

Verifying the PCRoMPLS Configuration

Use the show atm cell-packing and show atm pvc slot/bay/port commands to verify the connectivity and configuration.

Sample Show Command Output

Sample output for the show atm cell-packing command is given below:

    osr3#show atm cell-packing
                                 circuit     local  average nbr of cells  peer  average nbr of cells  MCPT
                                 type        MNCP   rcvd in one pkt       MNCP  sent in one pkt       (us)
    ATM1/1/0                     vc 246/246  2      0                     1     1                     30
    ATM1/1/1                     port        2      0                     2     0                     100
    ATM8/3/0.1/1/1               port        28     0                     1     0                     1500

A sample output for the show xconnect all command is given below:

    osr3#sh xconnect all
    Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
      UP=Up       DN=Down            AD=Admin Down      IA=Inactive
      SB=Standby  RV=Recovering      NH=No Hardware

    XC ST  Segment 1                         S1 Segment 2                         S2
    ------+---------------------------------+--+---------------------------------+--
    UP     ac   Gi8/0/0(Ethernet)            UP mpls 11.11.11.11:3                UP
    DN     ac   Gi7/0/2(Ethernet)            DN mpls 11.11.11.11:4                DN
    UP     ac   AT1/1/1(ATM CELL)            UP mpls 11.11.11.11:72337            UP
    AD     ac   AT8/3/0.1/1/1(ATM CELL)      AD mpls 11.11.11.11:72338            DN
    DN     ac   AT1/1/0:123/123(ATM VCC CEL  UP mpls 11.11.11.11:88001            DN
    DN     ac   AT1/1/0:0/300(ATM VCC CELL)  UP mpls 44.44.44.44:77001            DN
    DN     ac   AT1/1/0:246/246(ATM VCC CEL  UP mpls 44.44.44.44:99001            DN
    osr3#

A sample output for show mpls l2transport vc is given below:

    osr3#show mpls l2transport vc ?
      <1-4294967295>  VC ID or min VC ID value
      destination     Destination address of the VC
      detail          Detailed information
      interface       Local interface of the VC
      vcid            VC ID or min-max range of the VC IDs
      |               Output modifiers

    Local intf     Local circuit               Dest address     VC ID      Status
    -------------  --------------------------  ---------------  ---------- ----------
    AT1/1/1        ATM CELL ATM1/1/1           11.11.11.11      72337      UP
    AT8/3/0.1/1/1  ATM CELL ATM8/3/0.1/1/1     11.11.11.11      72338      ADMIN DOWN
    AT1/1/0        ATM VCC CELL 123/123        11.11.11.11      88001      DOWN
    AT1/1/0        ATM VCC CELL 0/300          44.44.44.44      77001      DOWN
    AT1/1/0        ATM VCC CELL 246/246        44.44.44.44      99001      DOWN

A more detailed output of the command is shown below:

    PE17#show mpls l2 vc destination 11.11.11.11 detail | begin AT1/1/1
    Local interface: AT1/1/1 up, line protocol up, ATM CELL ATM1/1/1 up
      Destination address: 11.11.11.11, VC ID: 72337, VC status: up
        Output interface: Gi7/0/1, imposed label stack {59 1301}
        Preferred path: not configured
        Default path: active
        Next hop: 47.0.0.4
      Create time: 01:31:35, last status change time: 01:30:56
      Signaling protocol: LDP, peer 11.11.11.11:0 up
        Targeted Hello: 39.39.39.39(LDP Id) -> 11.11.11.11
        Status TLV support (local/remote)   : enabled/supported
          Label/status state machine        : established, LruRru
          Last local dataplane   status rcvd: no fault
          Last local SSS circuit status rcvd: no fault
          Last local SSS circuit status sent: no fault
          Last local  LDP TLV    status sent: no fault
          Last remote LDP TLV    status rcvd: no fault
        MPLS VC labels: local 1309, remote 1301
        Group ID: local 0, remote 0
        MTU: local n/a, remote n/a
        Remote interface description:
      Sequencing: receive disabled, send disabled
      VC statistics:
        packet totals: receive 368219176, send 379593764
        byte totals:   receive 39767653888, send 40996127808
        packet drops:  receive 0, seq error 0, send 0
    Local interface: AT8/3/0.1/1/1 admin down, line protocol down, ATM CELL ATM8/3/0.1/1/1 admin down
      Destination address: 11.11.11.11, VC ID: 72338, VC status: down
        Output interface: if-?(0), imposed label stack {}
        Preferred path: not configured
        Default path: no route
        No adjacency
      Create time: 00:44:02, last status change time: 00:33:44
      Signaling protocol: LDP, peer 11.11.11.11:0 up
        Targeted Hello: 39.39.39.39(LDP Id) -> 11.11.11.11
        Status TLV support (local/remote)   : enabled/unknown (no remote binding)
          Label/status state machine        : ldp ready, LndRnd
          Last local dataplane   status rcvd: no fault
          Last local SSS circuit status rcvd: DOWN(Hard-down)
          Last local SSS circuit status sent: not sent
          Last local  LDP TLV    status sent: not sent
          Last remote LDP TLV    status rcvd: unknown (no remote binding)
        MPLS VC labels: local unassigned, remote unassigned
        Group ID: local unknown, remote unknown
        MTU: local unknown, remote unknown
        Remote interface description:
      Sequencing: receive disabled, send disabled
      VC statistics:
        packet totals: receive 0, send 0
        byte totals:   receive 0, send 0
        packet drops:  receive 0, seq error 0, send 0

Configuring AToM Cell Relay Port Mode

Transporting ATM data that is not
framed using AAL5 requires relaying individual cells over the MPLS cloud. Cells can be transported over the MPLS cloud using Single Cell Relay (SCR) or Packed Cell Relay (PCR) forms. Cell Relay may be based on the Port mode. The Port mode involves transporting all the cells arriving on an ATM port over the MPLS cloud, separately or packed together. Note that AToM cell relay port mode is supported only on SIP-200 and SIP-400 line cards for the 12.2(33)SRD release. For more detailed information on AToM configuration, including procedures “Configuring ATM Single Cell Relay over MPLS” and “Configuring ATM Packed Cell Relay over MPLS” refer to the Any Transport over MPLS documentation on: http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport.html#wp1046670 Command or Action Purpose Step 1 enable Example: Router# enable Enables privileged EXEC mode. Enter your password if prompted. Step 2 configure terminal Example: Router# configure terminal Enters global configuration mode. Step 3 interface atm slot/bay/port Example: Router(config)# interface atm 1/1/0 Specifies an ATM interface and enters interface configuration mode.7-86 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Creating and Configuring Switched Virtual Circuits Port Mode Configuration Guidelines When configuring ATM cell relay over MPLS in port mode, use the following guidelines: • The pseudowire VC type is set to ATM transparent cell transport (AAL0). • The AToM control word is supported. However, if the peer PE does not support a control word, the control word is disabled. This negotiation is done by LDP label binding. • Port mode and VP and VC mode are mutually exclusive. If you enable an ATM main interface for cell relay, you cannot enter any PVP or PVC commands. • If the pseudowire VC label is withdrawn due to an MPLS core network failure, the PE router sends a line AIS to the CE router. 
Port Mode Configuration Example The following example transports single ATM cells over a virtual path: Router# pseudowire-class vp-cell-relay encapsulation mpls int atm 1/0/0 xconnect 10.0.0.1 123 pw-class vp-cell-relay Verifying ATM Cell Relay Port Mode The following show atm route and show mpls l2transport vc commands shows that the interface is configured for port mode cell relay: Router# show atm route ATM5/0 VPI: 1, Cell Relay, PeakRate: 149760, CesRate: 0, DataVCs: 1, CesVCs: 0, Status: ACTIVE VCD VCI Type InPkts OutPkts AAL/Encap Status 6 3 PVC 0 0 F4 OAM ACTIVE 7 4 PVC 0 0 F4 OAM ACTIVE TotalInPkts: 0, TotalOutPkts: 0, TotalInFast: 0, TotalOutFast: 0, TotalBroadcasts: 0 TotalInPktDrops: 0, TotalOutPktDrops: 0 Router# show mpls l2transport vc Local intf Local circuit Dest address VC ID Status ------------- -------------------- --------------- ---------- ---------- AT1/1/0 ATM CELL ATM1/1/0 10.1.1.121 1121 UP Step 4 xconnect peer-router-id vcid encapsulation mpls Example: Router(config-if)# xconnect 10.0.0.1 123 encapsulation mpls Binds the attachment circuit to the interface. Step 5 end Example: Router(config-if)# end Exits interface configuration mode and returns to privileged EXEC mode. Command or Action Purpose7-87 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Creating and Configuring Switched Virtual Circuits Configuring QoS Features on ATM SPAs The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. 
For information about the QoS features supported by the ATM SPAs, see the "Configuring QoS Features on a SIP" section on page 4-94 of Chapter 4, "Configuring the SIPs and SSC."

ATM SPA QoS Configuration Guidelines

For the 2-Port and 4-Port OC-3c/STM-1 ATM SPA, the following applies:

• In the ingress direction, all Quality of Service (QoS) features are supported by the Cisco 7600 SIP-200 and SIP-400.
• The following features are not supported on an ATM SPA:
  – Hierarchical policy maps with queuing features
  – Traffic shaping
• The following features are supported on an ATM SPA:
  – Strict priority
  – Ingress (no queueing is supported)
• The VC QoS on VP-PW feature works only with Single Cell Relay and does not work with Packed Cell Relay.
• In the egress direction:
  – All queueing-based features (such as class-based weighted fair queueing [CBWFQ], ATM per-VC WFQ, WRED, and shaping) are implemented on the segmentation and reassembly (SAR) processor on the SPA.
  – Classification, policing, and marking are implemented on the SIP.
  – Class queue shaping is not supported.
  – For detailed support information, see "QoS Congestion Management and Avoidance Feature Compatibility by SIP and SPA Combination".

Phase 2 Local Switching Redundancy

Phase 2 Local Switching Redundancy provides a backup attachment circuit (AC) when the primary attachment circuit fails. All the ACs must be on the same Cisco 7600 series router. The following combinations of ATM ACs are supported:

• ATM ACs on the same SPA
• ATM ACs on different SPAs on the same SIP
• ATM ACs on different SIPs on the same Cisco 7600 series router

Note: For Cisco IOS release 12.2(33)SRC, this feature is supported on the 24-Port Channelized T1/E1 ATM CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, as well as the 2-Port and 4-Port OC-3c/STM-1 ATM SPA, the 1-Port OC-12c/STM-4 ATM SPA, and the 1-Port OC-48c/STM-16 ATM SPA.

Guidelines

• Autoconfiguration of ATM interfaces is supported.
• Only the tail-end AC can be backed up; if the head end fails, there is no protection.
• The circuit type of the primary and backup AC must be identical (failover will not switch between different types of interfaces or different CEM circuit types).
• Only one backup AC is allowed for each connection.
• Autoconfiguration is allowed for backup ATM Permanent Virtual Circuits (PVCs) or ATM Permanent Virtual Paths (PVPs).
• The ATM circuit used as a backup in a local switching connection cannot be used for xconnect configurations.
• Dynamic modification of parameters in a local switching connection is not supported when the tail-end segment is backed up to a segment using the backup command. To modify the parameters in any of the three segments (head-end, tail-end, or backup segment), you must first unconfigure the backup command, make the changes in the individual segments, and then reconfigure the backup with the backup command.

Configuration

Configuration Example

Router(config)# connect ATM atm2/0/0 0 atm3/0/0 0
Router(config-connection)# backup interface atm4/0/0 1

Verifying

Use the show xconnect all command to check the status of the backup and primary circuits.
Command or Action / Purpose

Step 1  Router(config)# [no] connect name atma/b/c vpi/vci atmx/y/z vpi/vci
        Configures a local switching connection between two ATM interfaces. The no form of this command unconfigures a local switching connection between two ATM interfaces.

        Router(config-connection)# backup interface atm x/y/z vpi/vci
        Backs up a locally switched ATM connection.

Saving the Configuration

To save your running configuration to nonvolatile random-access memory (NVRAM), use the following command in privileged EXEC mode:

Command / Purpose

Router# copy running-config startup-config
        Writes the new configuration to NVRAM.

Note: To permanently save your configuration changes, you must write them to NVRAM by entering the copy running-config startup-config command in privileged EXEC mode.

For more information about managing configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Multi Router Automatic Protection Switching (MR-APS) Integration with Hot Standby Pseudowire

Multi router automatic protection switching (MR-APS) enables interface connections to switch from one circuit to another if a circuit fails. Interfaces can be switched in response to a router failure, degradation or loss of channel signal, or manual intervention. In a multi-router environment, MR-APS allows the protect SONET interface to reside in a different router from the working SONET interface.

Service providers are migrating from their existing SONET or SDH equipment to Ethernet networks to reduce cost. Any Transport over MPLS (AToM) pseudowires (PWs) help service providers keep their investment in asynchronous transfer mode (ATM) or time division multiplexing (TDM) networks and change only the core from SONET or SDH to Ethernet. When service providers move from SONET or SDH to Ethernet, network availability is always a concern; to enhance availability, they use PWs. Hot-standby PW support for ATM and TDM access circuits (ACs) allows the backup PW to be in a hot-standby state, so that it can immediately take over if the primary PW fails.

The present hot-standby PW solution does not support ACs that are part of an APS group: the PWs configured over the protect interface remain in the down state, which increases the PW switchover time when an APS switchover occurs. MR-APS integration with hot standby pseudowire integrates APS with ATM or TDM hot standby PWs created over the SIP 400 line card on the Cisco 7600 platform, and improves the switchover time. Figure 7-7 shows the MR-APS integration with hot standby PW implementation.

Figure 7-7 MR-APS Integration with Hot Standby Pseudowire Implementation
[Figure 7-7: CE1, ADM, P1, PE1, P2, PE2, ADM, CE2]

In this example, routers P1 and PE1 are in the same APS group G1, and routers P2 and PE2 are in the same APS group G2. In group G1, P1 is the working router and PE1 is the protect router. Similarly, in group G2, P2 is the working router and PE2 is the protect router.

The MR-APS integration with hot standby pseudowire deployment involves cell sites connected to the provider network using bundled T1/E1 connections. These T1/E1 connections are aggregated into optical carrier 3 (OC3) or optical carrier 12 (OC12) links using add-drop multiplexers (ADMs).

For more information on APS, see the Automatic Protection Switching section in the Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide at the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfstm1.html#wp1216498

Failover Operations

The MR-APS integration with hot standby pseudowire feature handles the following failures:

• Failure 1, where the link between the ADM and P1 goes down, or the connecting ports at the ADM or P1 go down.
• Failure 2, where the router P1 fails.
• Failure 3, where the router P1 is isolated from the core.

Figure 7-8 shows the failure points in the network.

Figure 7-8 Failure Points in a Network
[Figure 7-8: ADM, CE1, CE2, P1, P2, PE1, PE2, with failure points 1, 2 and 3 marked]

In case of failure 1, where either port at the ADM goes down, the port at the router goes down, or the link between the ADM and the router fails, the APS switchover triggers the pseudowires at the protect interface to become active. The same applies to failure 2, where the complete router fails over.

In case of failure 3, where all the links carrying primary and backup traffic lose connectivity, a new client is added to the inter chassis redundancy manager (ICRM) infrastructure to handle the core isolation. The client listens to events from the ICRM. Upon receiving the core isolation event from the ICRM, the client either initiates the APS switchover or raises an alarm, depending on the peer's core isolation state. If an APS switchover occurs, it changes the APS inactive interface to active and hence activates the PWs at that interface. Similarly, when core connectivity comes back up, it clears the alarms or triggers the APS switchover, depending on the peer's core isolation state. ICRM monitors the directly connected interfaces only.
Hence only failures in the directly connected interfaces can cause a core isolation event.

Restrictions

The following restrictions apply to the MR-APS integration with hot standby pseudowire feature:

• MR-APS integration with hot standby PW is supported only on the SIP 400 line cards.
• For ATM pseudowires, only ATM asynchronous mode is supported.
• Revertive APS mode should not be configured on the interfaces.
• MR-APS integration with hot standby pseudowire is supported only on the 1-port channelized OC-3 STM1 ATM CEoP SPA and the 2-port and 4-port OC-3c/STM-1 ATM SPA.
• The APS group number should be greater than zero.
• Do not configure the backup delay value command if the MR-APS integration with hot standby pseudowire feature is configured.
• Unconfiguring the mpls ip command on the core interface is not supported.
• The hspw force switch command is not supported.

Configuring MR-APS Integration with Hot Standby Pseudowire on an ATM Interface

Complete these steps to configure the MR-APS integration with hot standby pseudowire. This involves configuring the working routers and protect routers that are part of the APS group.

SUMMARY STEPS

1. enable
2. configure terminal
3. pseudowire-class pw-class-name
4. encapsulation mpls
5. status peer topology dual-homed
6. exit
7. redundancy
8. interchassis group group-id pw-class-name
9. member ip ip-address
10. backbone interface interface ip-address
11. backbone interface interface ip-address
12. exit
13. interface atm slot/subslot/port
14. atm asynchronous
15. aps group group_id
16. aps [working | protect] aps-group-number [ip-address]
17. aps hspw-icrm-grp icrm-group-number
18. atm pvc vpi/vci l2transport
19. xconnect peer-ip-address vc-id pw-class pw-class-name
20. backup peer ip-address vc-id pw-class pw-class-name
21. end

Detailed Steps

Command / Purpose

Step 1   enable
         Example: Router> enable
         Enables privileged EXEC mode. If prompted, enter your password.

Step 2   configure terminal
         Example: Router# configure terminal
         Enters global configuration mode.

Step 3   pseudowire-class pw-class-name
         Example: Router(config)# pseudowire-class hw_aps
         Specifies the name of a pseudowire class and enters pseudowire class configuration mode.

Step 4   encapsulation mpls
         Example: Router(config-pw-class)# encapsulation mpls
         Specifies that MPLS is used as the data encapsulation method for tunneling Layer 2 traffic over the pseudowire.

Step 5   status peer topology dual-homed
         Example: Router(config-pw-class)# status peer topology dual-homed
         Enables the reflection of the attachment circuit status on both the primary and secondary pseudowires. This configuration is necessary if the peer PEs are connected to a dual-homed device.

Step 6   exit
         Example: Router(config-pw-class)# exit
         Exits pseudowire class configuration mode.

Step 7   redundancy
         Example: Router(config)# redundancy
         Enters redundancy configuration mode.

Step 8   interchassis group group-id
         Example: Router(config-red)# interchassis group 50
         Configures an interchassis group within redundancy configuration mode and enters interchassis redundancy mode.

Step 9   member ip ip-address
         Example: Router(config-r-ic)# member ip 60.60.60.2
         Configures the IP address of the peer member of the group.

Step 10  backbone interface interface
         Example: Router(config-r-ic)# backbone interface GigabitEthernet 2/3
         Specifies the backbone interface.

Step 11  exit
         Example: Router(config-r-ic)# exit
         Exits the redundancy mode.

Step 12  exit
         Example: Router(config-if)# exit
         Exits interface configuration mode.

Step 13  interface atm slot/subslot/port
         Example: Router(config)# interface atm 3/1/0
         Enters interface configuration mode for the indicated port on the specified ATM SPA. slot/subslot/port—Specifies the location of the interface.

Step 14  atm asynchronous
         Example: Router(config-if)# atm asynchronous
         Enables or disables the asynchronous functionality on the ATM interface.

Step 15  aps group group_id
         Example: Router(config-if)# aps group 1
         Configures the APS group for ATM.

Step 16  aps [working | protect] aps-group-number
         Example: Router(config-if)# aps working 1
         Configures the APS group as the working interface.

Step 17  aps hspw-icrm-grp icrm-group-number
         Example: Router(config-if)# aps hspw-icrm-grp 1
         Associates the APS group with an interchassis redundancy manager (ICRM) group number.

Step 18  pvc vpi/vci l2transport
         Example: Router(config-if)# pvc 1/100 l2transport
         Assigns a virtual path identifier (VPI) and VCI and enters ATM PVC l2transport configuration mode.
         • vpi—ATM network virtual path identifier (VPI) of the VC to multiplex on the permanent virtual path. The range is from 0 to 255.
         • vci—Specifies the virtual channel identifier.
         Note: The l2transport keyword indicates that the PVC is a switched PVC instead of a terminated PVC.

Step 19  xconnect peer-ip-address vcid pseudowire-class pw-class-name
         Example: Router(config-if)# xconnect 3.3.3.3 1 pseudowire-class hw_aps
         Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PEs at each end of the control channel. The peer router ID (IP address) and virtual circuit ID must be a unique combination on the router.
         • pw-class-name—The pseudowire class configuration from which the data encapsulation type is taken.

Step 20  backup peer peer-id vc-id pseudowire-class pw-class-name
         Example: Router(config-if-srv)# backup peer 4.3.3.3 90 pseudowire-class hw_aps
         Specifies a redundant peer for a pseudowire virtual circuit.

Step 21  end
         Example: Router(config-if-srv)# end
         Exits the configuration session.

Examples

Figure 7-9 is a sample configuration for MR-APS integration with hot standby pseudowire.

Figure 7-9 Sample Configuration for MR-APS Integration with Hot Standby Pseudowire

This example shows how to configure the MR-APS integration with hot standby pseudowire on the working router P1 shown in Figure 7-9.

RouterP1> enable
RouterP1# configure terminal
RouterP1(config)# pseudowire-class hspw_aps
RouterP1(config-pw-class)# encapsulation mpls
RouterP1(config-pw-class)# status peer topology dual-homed
RouterP1(config-pw-class)# exit
RouterP1(config)# redundancy
RouterP1(config-red)# interchassis group 1
RouterP1(config-r-ic)# member ip 14.2.0.2
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterP1(config-r-ic)# exit
RouterP1(config)# interface ATM 4/0/0
RouterP1(config-if)# atm asynchronous
RouterP1(config-if)# aps group 3
RouterP1(config-if)# aps working 1
RouterP1(config-if)# aps hspw-icrm-grp 1
RouterP1(config-if)# pvc 1/100 l2transport
RouterP1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterP1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterP1(config-if)# exit
RouterP1(config)# end

This example shows how to configure the MR-APS integration with hot standby pseudowire on the protect router PE1 shown in Figure 7-9.
RouterPE1> enable
RouterPE1# configure terminal
RouterPE1(config)# pseudowire-class hspw_aps
RouterPE1(config-pw-class)# encapsulation mpls
RouterPE1(config-pw-class)# status peer topology dual-homed
RouterPE1(config-pw-class)# exit
RouterPE1(config)# redundancy
RouterPE1(config-red)# interchassis group 1
RouterPE1(config-r-ic)# member ip 14.2.0.1
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 2/2/1
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 3/2/0
RouterPE1(config-r-ic)# exit
RouterPE1(config)# interface ATM 3/1/1
RouterPE1(config-if)# atm asynchronous
RouterPE1(config-if)# aps group 3
RouterPE1(config-if)# aps protect 1 14.2.0.2
RouterPE1(config-if)# aps hspw-icrm-grp 1
RouterPE1(config-if)# pvc 1/100 l2transport
RouterPE1(config-if)# xconnect 3.3.3.3 3 encapsulation mpls pw-class hspw_aps
RouterPE1(config-if)# backup peer 4.4.4.4 4 pw-class hspw_aps
RouterPE1(config-if)# exit
RouterPE1(config)# end

This example shows how to configure the MR-APS integration with hot standby pseudowire on the working router P2 shown in Figure 7-9.

RouterP2> enable
RouterP2# configure terminal
RouterP2(config)# pseudowire-class hspw_aps
RouterP2(config-pw-class)# encapsulation mpls
RouterP2(config-pw-class)# status peer topology dual-homed
RouterP2(config-pw-class)# exit
RouterP2(config)# redundancy
RouterP2(config-red)# interchassis group 1
RouterP2(config-r-ic)# member ip 14.6.0.2
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/4
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/3
RouterP2(config-r-ic)# exit
RouterP2(config)# interface ATM 2/1/0
RouterP2(config-if)# atm asynchronous
RouterP2(config-if)# aps group 4
RouterP2(config-if)# aps working 1
RouterP2(config-if)# aps hspw-icrm-grp 1
RouterP2(config-if)# pvc 1/100 l2transport
RouterP2(config-if)# xconnect 1.1.1.1 1 encapsulation mpls pw-class hspw_aps
RouterP2(config-if)# backup peer 2.2.2.2 3 pw-class hspw_aps
RouterP2(config-if)# exit
RouterP2(config)# end

This example shows how to configure the MR-APS integration with hot standby pseudowire on the protect router PE2 shown in Figure 7-9.

RouterPE2> enable
RouterPE2# configure terminal
RouterPE2(config)# pseudowire-class hspw_aps
RouterPE2(config-pw-class)# encapsulation mpls
RouterPE2(config-pw-class)# status peer topology dual-homed
RouterPE2(config-pw-class)# exit
RouterPE2(config)# redundancy
RouterPE2(config-red)# interchassis group 1
RouterPE2(config-r-ic)# member ip 14.6.0.1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 3/0/1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 3/0/2
RouterPE2(config-r-ic)# exit
RouterPE2(config)# interface ATM 3/1/0
RouterPE2(config-if)# atm asynchronous
RouterPE2(config-if)# aps group 4
RouterPE2(config-if)# aps protect 1 14.6.0.2
RouterPE2(config-if)# aps hspw-icrm-grp 1
RouterPE2(config-if)# pvc 1/100 l2transport
RouterPE2(config-if)# xconnect 1.1.1.1 2 encapsulation mpls pw-class hspw_aps
RouterPE2(config-if)# backup peer 2.2.2.2 4 pw-class hspw_aps
RouterPE2(config-if)# exit
RouterPE2(config)# end

Verification

Use these commands to verify the MR-APS integration with hot standby pseudowire configuration.

Table 7-2 Verification

Command / Purpose

show mpls l2transport vc
        Displays information about AToM VCs that have been enabled to route Layer 2 packets on a router.
show hspw-aps-icrm group group-id
        Displays information about a specified hot standby pseudowire APS group.
show hspw-aps-icrm all
        Displays information about all hot standby pseudowire APS and ICRM groups.
show redundancy interchassis
        Displays information about the interchassis redundancy group configuration.
show xconnect all
        Displays information about all xconnect attachment circuits and pseudowires.

This example shows the output of the show mpls l2transport vc command when routers P1 and P2 are in APS active status and PE1 and PE2 are in APS inactive status.

P1# show mpls l2 vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
AT4/0/0        ATM AAL5 20/100            3.3.3.3         1          UP
AT4/0/0        ATM AAL5 20/100            4.4.4.4         2          STANDBY

P2# show mpls l2 vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
AT2/1/0        ATM AAL5 20/100            1.1.1.1         1          UP
AT2/1/0        ATM AAL5 20/100            2.2.2.2         3          STANDBY

PE1# show mpls l2 vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
AT3/1/1        ATM AAL5 20/100            3.3.3.3         3          STANDBY
AT3/1/1        ATM AAL5 20/100            4.4.4.4         4          STANDBY

PE2# show mpls l2 vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
AT3/1/0        ATM AAL5 20/100            1.1.1.1         2          STANDBY
AT3/1/0        ATM AAL5 20/100            2.2.2.2         4          STANDBY

This example shows the output of the show hspw-aps-icrm group group-id command when routers P1 and P2 are in active status and PE1 and PE2 are in APS inactive status.
P1# show hspw-aps-icrm group 1
ICRM group id 1, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 1 hw_if_index 35 APS valid:Yes
Total aps grp attached to ICRM group 1 is 1

PE1# show hspw-aps-icrm group 1
ICRM group id 1, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 1 hw_if_index 41 APS valid:Yes
Total aps grp attached to ICRM group 1 is 1

P2# show hspw-aps-icrm group 2
ICRM group id 2, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 2 hw_if_index 22 APS valid:Yes
Total aps grp attached to ICRM group 2 is 1

PE2# show hspw-aps-icrm group 2
ICRM group id 2, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 2 hw_if_index 15 APS valid:Yes
Total aps grp attached to ICRM group 2 is 1

This example shows the output of the show hspw-aps-icrm all command when routers P1 and P2 are in active status and PE1 and PE2 are in APS inactive status.

P1# show hspw-aps-icrm all
ICRM group id 1, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 1 hw_if_index 35 APS valid:Yes
Total aps grp attached to ICRM group 1 is 1
ICRM group count attached to MR-APS HSPW feature is 1

PE1# show hspw-aps-icrm all
ICRM group id 1, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 1 hw_if_index 41 APS valid:Yes
Total aps grp attached to ICRM group 1 is 1
ICRM group count attached to MR-APS HSPW feature is 1

P2# show hspw-aps-icrm all
ICRM group id 2, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 2 hw_if_index 22 APS valid:Yes
Total aps grp attached to ICRM group 2 is 1
ICRM group count attached to MR-APS HSPW feature is 1

PE2# show hspw-aps-icrm all
ICRM group id 2, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 2 hw_if_index 15 APS valid:Yes
Total aps grp attached to ICRM group 2 is 1
ICRM group count attached to MR-APS HSPW feature is 1

This example shows the output of the show redundancy interchassis command when routers P1 and P2 are in active status and PE1 and PE2 are in APS inactive status.

P1# show redundancy interchassis
Redundancy Group 1 (0x1)
  Applications connected: MR-APS with HSPW
  Monitor mode: Route-watch
  member ip: 14.2.0.2 "PE1", CONNECTED
    Route-watch for 14.2.0.2 is UP
    MR-APS with HSPW state: CONNECTED
  backbone int GigabitEthernet1/0/0: UP (IP)
  backbone int GigabitEthernet1/0/1: UP (IP)

ICRM fast-failure detection neighbor table
IP Address      Status  Type  Next-hop IP  Interface
==========      ======  ====  ===========  =========
14.2.0.2        UP      RW

PE1# show redundancy interchassis
Redundancy Group 1 (0x1)
  Applications connected: MR-APS with HSPW
  Monitor mode: Route-watch
  member ip: 14.2.0.1 "P1", CONNECTED
    Route-watch for 14.2.0.1 is UP
    MR-APS with HSPW state: CONNECTED
  backbone int GigabitEthernet2/2/1: UP (IP)
  backbone int GigabitEthernet3/2/0: UP (IP)

ICRM fast-failure detection neighbor table
IP Address      Status  Type  Next-hop IP  Interface
==========      ======  ====  ===========  =========
14.2.0.1        UP      RW

This example shows the output of the show xconnect all command when routers P1 and P2 are in active status and PE1 and PE2 are in APS inactive status.

P1# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
  UP=Up DN=Down AD=Admin Down IA=Inactive SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac AT4/0/0:20/100(ATM AAL5)     UP mpls 3.3.3.3:1                   UP
IA sec   ac AT4/0/0:20/100(ATM AAL5)     UP mpls 4.4.4.4:2                   SB

PE1# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
  UP=Up DN=Down AD=Admin Down IA=Inactive SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
SB pri   ac AT3/1/1:20/100(ATM AAL5)     UP mpls 3.3.3.3:3                   SB
IA sec   ac AT3/1/1:20/100(ATM AAL5)     UP mpls 4.4.4.4:4                   SB

P2# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
  UP=Up DN=Down AD=Admin Down IA=Inactive SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac AT2/1/0:20/100(ATM AAL5)     UP mpls 1.1.1.1:1                   UP
IA sec   ac AT2/1/0:20/100(ATM AAL5)     UP mpls 2.2.2.2:3                   SB

PE2# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
  UP=Up DN=Down AD=Admin Down IA=Inactive SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
SB pri   ac AT3/1/0:20/100(ATM AAL5)     UP mpls 1.1.1.1:2                   SB
IA sec   ac AT3/1/0:20/100(ATM AAL5)     UP mpls 2.2.2.2:4                   SB

Troubleshooting Tips

Table 7-3 Troubleshooting Tips

Command / Purpose

debug hspw-aps errors
        Displays information about hot standby pseudowire APS group errors.
debug hspw-aps events
        Displays information about events related to hot standby pseudowire APS group configuration.

N:1 PVC Mapping to Pseudowires with Non-Unique VPI

An Asynchronous Transfer Mode (ATM) over Multiprotocol Label Switching (MPLS) pseudowire is used to carry ATM cells over an MPLS network. You can configure ATM over MPLS in N-to-1 cell mode or 1-to-1 cell mode. N-to-1 cell mode maps one or more ATM Virtual Channel Connections (VCCs) or Permanent Virtual Circuits (PVCs) to a single pseudowire, and 1-to-1 cell mode maps a single ATM VCC or PVC to a single pseudowire. Currently, the Cisco 7600 supports N-to-1 mode with N=1 only. Effective with Cisco IOS release 15.2(1)S, N-to-1 cell mode with N greater than 1 is also supported for ATM pseudowires.

Restrictions for N:1 PVC Mapping to Pseudowires with Non-Unique VPI

The following restrictions apply to the N:1 PVC mapping to pseudowires with non-unique Virtual Path Identifier (VPI) feature:

• Supported only on SIP 400 line cards with 1 GB memory, the SPA-3XOC3-ATM-V2 and SPA-1xOC12-ATM-V2 SPAs, and all versions of the RSP720 and SUP720.
• Ingress and egress queuing features such as shaping, bandwidth, and priority are not supported.
• The following ingress QoS features are supported on the ATM multipoint subinterface:
  – Classification based on the ATM Cell Loss Priority (CLP) bit
  – Marking of the MPLS Experimental (EXP) bit
  – Frame-based policing
• The following egress QoS features are supported on the ATM multipoint subinterface:
  – Marking of the ATM CLP bit
  – Classification based on the MPLS EXP bit
• Operations, Administration, and Maintenance (OAM) is not supported for PVCs belonging to an N:1 pseudowire group.
• Up to 16000 pseudowires are supported per chassis and 4000 pseudowires per SIP 400.
• Up to 32000 PVCs are supported per router, 8000 PVCs per SIP 400, and 4000 PVCs per SPA.
• In the ingress direction, on the Provider Edge (PE) router, cells are packed per PVC and not per subinterface: cells belonging to a single PVC are packed in a single frame.
• A service policy can be applied at the subinterface level for the N:1 PVC mapping to pseudowire configuration.
• The ATM classes of service that are currently supported, including Constant Bit Rate (CBR), Variable Bit Rate-real time (VBR-rt), and Variable Bit Rate-non-real time (VBR-nrt), are also supported on PVCs for the N:1 PVC mapping to pseudowire configuration.

Configuring N:1 PVC Mapping to Pseudowires with Non-Unique VPI

Perform these steps to configure N:1 PVC mapping to pseudowires with non-unique VPI.

SUMMARY STEPS

1. enable
2. configure terminal
3. interface atm slot/subslot/port
4. atm mcpt-timers timer-1 timer-2 timer-3
5. exit
6. interface atm slot/subslot/port.subinterface multipoint
7. no ip address
8. cell-packing cells mcpt-timer timer
9. xconnect ip_address vc_id encapsulation mpls
10. pvc pvc-id l2transport
11. exit
12. end

Detailed Steps

Command / Purpose

Step 1  enable
        Example: Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal
        Example: Router# configure terminal
        Enters global configuration mode.

Step 3  interface atm slot/subslot/port
        Example: Router(config)# interface atm 3/1/0
        Enters interface configuration mode for the indicated port on the specified ATM SPA. slot/subslot/port—Specifies the location of the interface.

Step 4  atm mcpt-timers timer1 timer2 timer3
        Example: Router(config-if)# atm mcpt-timers 100 1000 1000
        Sets the Martini Cell Packing Timer (MCPT) values in microseconds. An MCPT timer sets the time that the router waits for raw cells to be packed into a single packet. The range for timer1 and timer2 is 10 to 4095.
The range for timer 3 is 20 to 4095. Step 5 exit Example: Router(config-if)# exit Exits the interface configuration mode. Step 6 interface atm slot/subslot/port.subslot multipoint Example: Router(config)# interface atm 9/1/1.1 multipoint Creates the specified point-to-multipoint subinterface on the given port on the specified ATM SPA, and enters the subinterface configuration mode. Step 7 cell-packing cells mcpt-timer timer-number Example: Router(config-subif)# cell-packing 20 mcpt-timer 2 Enables ATM over MPLS to pack multiple ATM cells into each MPLS packet within the MCPT timing. Step 8 xconnect peer-ipaddress vc-id encapsulation mpls Example: Router(config-subif)# xconnect 2.2.2.2 100 encapsulation mpls Enables the attachment circuit. • peer-ipaddress - Specify the IP address of the peer router. • vc-id- Specifies the virtual circuit identifier. The range of the VC ID is from 1 to 4294967295. 7-104 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Creating and Configuring Switched Virtual Circuits Examples This example shows how to configure the N:1 ATM PVC mapping to pseudowires with a non unique VPI on the Cisco 7600 router. Also, a service policy p-map is applied in the ingress direction. 
Router> enable Router# configure terminal Router(config)# class-map match all c-map Router(config-cmap)# match atm clp Router(config-cmap)# exit Router(config)# policy-map p-map Router(config-pmap)# class c-map Router(config-pmap-c)# set mpls experimental imposition 5 Router(config-pmap-c)# exit Router(config-pmap)# exit Router(config)# interface atm 9/1/1 Router(config-if)# atm mcpt-timers 20 30 40 Router(config-if)# exit Router(config)# interface atm 9/1/1.1 multipoint Router(config-subif)# no ip address Router(config-subif)# xconnect 2.2.2.2 100 encapsulation mpls Router(config-subif)# service-policy input p-map Router(config-subif)# pvc 10/100 l2transport Router(config-subif)# pvc 11/122 l2transport Router(config-subif)# pvc 19/231 l2transport Router(config-subif)# exit Router(config)# end This example shows how to configure the N:1 ATM PVC mapping to pseudowires with non unique VPI on a Cisco 7600 router with a service policy p-map applied in the egress direction. Router> enable Router# configure terminal Router(config)# class-map match all c-map Router(config-cmap)# mpls experimental topmost 5 Step 9 pvc vpi/vci l2transport Example: Router(config-subif)# pvc 10/100 l2transport Assigns a VPI and VCI and enters ATM PVC l2transport configuration mode. • vpi— Specifies the ATM network virtual path identifier (VPI) of the VC to multiplex on the permanent virtual path. The accepted range is from 0 to 255. • vci— VCI specifies the virtual circuit identifier. The l2transport keyword indicates that the PVC is a switched PVC instead of a terminated PVC. Step 10 exit Example: Router(config-subif)# exit Exits the interface configuration mode. Step 11 end Example: Router(config-subif)# end Exits the configuration session. 
Command Purpose7-105 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Creating and Configuring Switched Virtual Circuits Router(config-cmap)# exit Router(config)# policy-map p-map Router(config-pmap)# class c-map Router(config-pmap-c)# set atm clp Router(config-pmap-c)# exit Router(config-pmap)# exit Router(config)# interface atm 9/1/1 Router(config-if)# atm mcpt-timers 20 30 40 Router(config-if)# exit Router(config)# interface atm 9/1/1.1 multipoint Router(config-subif)# no ip address Router(config-subif)# xconnect 3.3.3.3 100 encapsulation mpls Router(config-subif)# service-policy output p-map Router(config-subif)# pvc 10/100 l2transport Router(config-subif)# pvc 11/122 l2transport Router(config-subif)# pvc 19/231 l2transport Router(config-subif)# exit Router(config)# end Verification Use these commands to verify the N:1 ATM PVC mapping to pseudowires with non unique VPI configuration. The show mpls l2 transport vc-id command displays information about Any Transport over MPLS (AToM) Virtual Circuits (VCs) that are enabled to route layer 2 packets on a router. This example shows the output of the show mpls transport vc-id command for a specified AToM virtual circuit. Router# show mpls l2transport 100 Local intf Local circuit Dest address VC ID Status ------------- -------------------------- --------------- ---------- -------- AT9/1/1.1 ATM CELL ATM9/1/1.1 2.2.2.2 100 UP The show atm cell-packing command displays information about cell packing related information for the layer 2 attachment circuits (ACs) configured on the router. 
Router# show atm cell-packing
                                average                    average
circuit                 local   nbr of cells      peer     nbr of cells      MCPT
type                    MNCP    rcvd in one pkt   MNCP     sent in one pkt   (us)
-------------           -----   ---------------   ----     ---------------   ----
ATM1/0/1.1 vc 1/100     30      0                 1        0                 30
ATM1/0/1.1 vc 2/100     30      0                 1        0                 30

Shutting Down and Restarting an Interface on a SPA

Shutting down an interface puts it into the administratively down mode and takes it offline, stopping all traffic that is passing through the interface. Shutting down an interface, though, does not change the interface configuration.

As a general rule, you do not need to shut down an interface if you are removing it and replacing it with the same exact model of SPA in an online insertion and removal (OIR) operation. However, we recommend shutting down an interface whenever you are performing one of the following tasks:
• When you do not need to use the interface in the network.
• Preparing for future testing or troubleshooting.
• Changing the interface configuration in a way that would affect the traffic flow, such as changing the encapsulation.
• Changing the interface cables.
• Removing a SPA that you do not expect to replace.
• Replacing the SIP with another type of SIP (such as replacing a Cisco 7600 SIP-200 with a Cisco 7600 SIP-400).
• Replacing an interface card with a different model of card.

Shutting down the interface in these situations prevents anomalies from occurring when you reinstall the new card or cables. It also reduces the number of error messages and system messages that might otherwise appear.

Tip If you are planning on physically removing the SPA from the SIP, also shut down the SPA, using the procedure given in the "Shutting Down an ATM Shared Port Adapter" section on page 7-107.
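Before shutting down an interface or a SPA, you would want to know which pseudowires it carries and whether a standby path exists for each of them. The following is an added example, not part of this guide or of Cisco IOS: a parser for the show xconnect all output format printed earlier in this chapter, used to list the attachment circuits on the interface that is about to be shut down. The sample outputs are constructed from the P1 and PE1 printouts above, and the interface names passed to the functions are assumptions.

```python
"""Parse 'show xconnect all' output and list the pseudowires that a planned
interface or SPA shutdown will take down.

Added example; not part of the Cisco guide or of IOS. The parser is written
against the output format printed in this chapter; the sample outputs below are
constructed from those printouts, and the interface names are assumptions.
"""
import re

# One data row of 'show xconnect all'. Segment text such as
# "AT4/0/0:20/100(ATM AAL5)" contains a space inside the parentheses, so the
# segment pattern allows an optional parenthesised suffix after the name.
_STATES = r"(?:UP|DN|AD|IA|SB|HS|RV|NH)"
_SEG = r"[^\s(]+(?:\([^)]*\))?"
_ROW = re.compile(
    rf"^(?P<xc>{_STATES})\s+(?P<role>pri|sec)\s+"
    rf"(?P<s1type>\S+)\s+(?P<s1>{_SEG})\s+(?P<s1st>{_STATES})\s+"
    rf"(?P<s2type>\S+)\s+(?P<s2>{_SEG})\s+(?P<s2st>{_STATES})\s*$"
)


def parse_xconnect(text):
    """Return one dict per xconnect row; legend and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def circuits_on_interface(rows, interface):
    """Rows whose attachment circuit (segment 1) lives on 'interface'.

    The AC is printed as <intf>:<vpi>/<vci>(...), so match the interface name
    followed by ':' (or '.' for a subinterface), not a longer name such as
    AT4/0/01.
    """
    prefix = re.escape(interface.upper()) + r"[:.]"
    return [r for r in rows
            if r["s1type"] == "ac" and re.match(prefix, r["s1"].upper())]


def has_active_path(rows, ac):
    """True if at least one xconnect for the attachment circuit is UP end to end."""
    return any(r["s1"] == ac and r["xc"] == "UP" and r["s2st"] == "UP"
               for r in rows)


def shutdown_impact(text, interface):
    """Summarise what shutting 'interface' takes down: (ac, role, xc state, peer)."""
    return [(r["s1"], r["role"], r["xc"], r["s2"])
            for r in circuits_on_interface(parse_xconnect(text), interface)]


# Constructed from the P1 and PE1 printouts in this chapter.
P1_OUTPUT = """\
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac AT4/0/0:20/100(ATM AAL5)     UP mpls 3.3.3.3:1                    UP
IA sec   ac AT4/0/0:20/100(ATM AAL5)     UP mpls 4.4.4.4:2                    SB
"""

PE1_OUTPUT = """\
XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
SB pri   ac AT3/1/1:20/100(ATM AAL5)     UP mpls 3.3.3.3:3                    SB
IA sec   ac AT3/1/1:20/100(ATM AAL5)     UP mpls 4.4.4.4:4                    SB
"""

if __name__ == "__main__":
    # Assumed scenario: the operator is about to 'shutdown' AT4/0/0 on P1.
    for ac, role, state, peer in shutdown_impact(P1_OUTPUT, "AT4/0/0"):
        print(f"{ac}: {role} xconnect to {peer} is {state}")
```

On P1 the primary xconnect is UP, so shutting AT4/0/0 interrupts live traffic; on PE1 both rows are SB/IA, which is the expected picture on the standby PE and not a fault, so has_active_path() alone is not a health check and must be read together with the role of the router in the APS group.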
Note If you plan to replace an existing ATM port adapter with an ATM SPA in the Cisco 7600 series router and want to use the same configuration, save the slot's configuration before physically replacing the hardware. All slot configuration is lost when you replace one card type with another card type, even if the two cards are functionally equivalent. You can then re-enter the saved configuration after you have inserted the ATM SPA.

To shut down an interface, perform the following procedure beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/subslot/port
        Enters interface configuration mode for the indicated port on the specified ATM SPA.

Step 2  Router(config-if)# shutdown
        Shuts down the interface.
        Note Repeat Step 1 and Step 2 for each interface to be shut down.

Step 3  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Tip When you shut down an interface, the show interface command reports the interface as administratively down until the SPA is physically removed from the chassis or until the interface is re-enabled.

The following shows a typical example of shutting down an ATM SPA interface:

Router> enable
Router# configure terminal
Router(config)# interface atm 4/0/0
Router(config-if)# shutdown
Router(config-if)# end
Router# show interface atm 4/0/0
ATM4/0/0 is administratively down, line protocol is down
  Hardware is SPA-4XOC3-ATM, address is 000d.2959.d5ca (bia 000d.2959.d5ca)
  Internet address is 10.10.10.16/24
  MTU 4470 bytes, sub MTU 4470, BW 599040 Kbit, DLY 80 usec,
     reliability 255/255, txload 42/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Encapsulation(s): AAL5
  4095 maximum active VCs, 1 current VCCs
  VC idle disconnect time: 300 seconds
  0 carrier transitions
  Last input 01:01:16, output 01:01:16, output hang never
  Last clearing of "show interface" counters 01:10:21
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 702176000 bits/sec, 1415679 packets/sec
     1000 packets input, 112000 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     2948203354 packets output, 182788653886 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Shutting Down an ATM Shared Port Adapter

Shutting down an ATM SPA shuts down all ATM interfaces on the SPA and puts the SPA and its interfaces into the administratively down state. This takes all interfaces offline, stopping all traffic that is passing through the SPA. Shutting down an ATM SPA, though, does not change the configuration of the SPA and its interfaces.

As a general rule, you do not need to shut down an ATM SPA if you are removing it and replacing it with the same exact model of SPA in an online insertion and removal (OIR) operation.
However, you should shut down the ATM SPA whenever you are performing one of the following tasks:
• Removing an ATM SPA that you do not expect to replace.
• Replacing the SIP with another type of SIP (such as replacing a Cisco 7600 SIP-200 with a Cisco 7600 SIP-400).
• Replacing the ATM SPA with a different model of SPA.

To shut down the ATM SPA, use the following procedure beginning in global configuration mode:

Step 1  Router(config)# hw-module subslot slot/subslot shutdown [powered | unpowered]
        Shuts down the ATM SPA.
        • powered—(Optional) Shuts down the ATM SPA and leaves it in the reset state. This is the default and is typically done when you want to shut down the SPA but leave it physically installed and cabled in the Cisco 7600 series router.
        • unpowered—(Optional) Shuts down the ATM SPA and leaves it in the unpowered state. Typically, this is done before removing the ATM SPA from the chassis.
        Note Repeat this step for each ATM SPA to be shut down.
        Note The hw-module subslot shutdown command can be given in both global configuration and privileged EXEC mode. If this command is given in global configuration mode, it can be saved to the startup configuration so that it is automatically executed after each reload of the router. If given in privileged EXEC mode, the command takes effect immediately but is not saved to the configuration. In either case, the hw-module subslot shutdown command remains in effect during the current session of the Cisco 7600 series router until it is reversed using the no form of the command.

Step 2  Router(config)# end
        Exits configuration mode and returns to privileged EXEC mode.

The following shows a typical example of shutting down ATM SPAs. In this example, the SPA in subslot 0 is put into reset mode, while the SPA in subslot 1 is powered down:

Router> enable
Router# hw-module subslot 4/0 shutdown powered
Router# hw-module subslot 4/1 shutdown unpowered

Tip The ATM SPA remains shut down, even after a new SPA is installed or after a reset of the Cisco 7600 series router, until you re-enable the SPA using the no hw-module subslot shutdown command.

Verifying the Interface Configuration

See the following sections to obtain configuration and operational information about the ATM SPA and its interfaces:
• Verifying Per-Port Interface Status, page 7-109
• Monitoring Per-Port Interface Statistics, page 7-110

For additional information on using these and other commands to obtain information about the configuration and operation of the ATM SPAs and interfaces, see Chapter 8, "Troubleshooting the ATM Shared Port Adapter."

Verifying Per-Port Interface Status

Use the show interfaces atm command to display detailed status information about an interface port in an ATM SPA that is installed in the Cisco 7600 series router.
The following example provides sample output for interface port 1 (the second port) on the ATM SPA that is located in subslot 0 (the left-most subslot) of the SIP that is installed in slot 3 of a Cisco 7600 series router:

Router# show interface atm 3/0/1
ATM3/0/1 is up, line protocol is up
  Hardware is SPA-4XOC3-ATM, address is 000a.f330.7dc0 (bia 000a.f330.7dca)
  Internet address is 10.13.21.31/24
  MTU 4470 bytes, sub MTU 4470, BW 599040 Kbit, DLY 80 usec,
     reliability 255/255, txload 140/255, rxload 129/255
  Encapsulation ATM, loopback not set
  Encapsulation(s): AAL5
  4095 maximum active VCs, 1 current VCCs
  VC idle disconnect time: 300 seconds
  0 carrier transitions
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:45:35
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 304387000 bits/sec, 396342 packets/sec
  5 minute output rate 329747000 bits/sec, 396334 packets/sec
     1239456438 packets input, 118987818048 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1239456287 packets output, 128903453848 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

The following example displays detailed status information about an interface port on a 3-Port Clear Channel OC-3 ATM SPA that is installed in the Cisco 7600 series router:

Router# show interfaces atm 0/2/2
ATM0/2/2 is up, line protocol is up
  Hardware is SPA-3XOC3-ATM-V2, address is 001a.3044.7522 (bia 001a.3044.7522)
  MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Keepalive not supported
  Encapsulation(s): AAL5 AAL0
  4095 maximum active VCs, 1 current VCCs
  VC Auto Creation Disabled.
  VC idle disconnect time: 300 seconds
  4 carrier transitions
  Last input never, output 00:04:11, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 540 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5 packets output, 540 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out

Monitoring Per-Port Interface Statistics

Use the show controllers atm command to display detailed status and statistical information on a per-port basis for an ATM SPA.
The following example provides sample output for interface port 0 (the first port) on the ATM SPA that is located in subslot 0 (the left-most subslot) of the SIP that is installed in slot 4 of a Cisco 7600 series router:

Router# show controllers atm 4/0/0
Interface ATM4/0/0 is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
  LOF = 0          LOS    = 0          BIP(B1) = 603
LINE
  AIS = 0          RDI    = 2          FEBE = 2332       BIP(B2) = 1018
PATH
  AIS = 0          RDI    = 1          FEBE = 28         BIP(B3) = 228
  LOP = 0          NEWPTR = 0          PSE  = 1          NSE     = 2

Active Defects: None
Active Alarms:  None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA

ATM framing errors:
  HCS (correctable):   0
  HCS (uncorrectable): 0

APS
  COAPS = 0          PSBF = 0
  State: PSBF_state = False
  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  Rx Synchronization Status S1 = 00
  S1S0 = 00, C2 = 00
PATH TRACE BUFFER : STABLE
  Remote hostname : fecao7609_2
  Remote interface: ATM9/0/0
  Remote IP addr  : 0.0.0.0
  Remote Rx(K1/K2): 00/00  Tx(K1/K2): 00/00

BER thresholds:  SF = 10e-3  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: line

The following example displays detailed status and statistical information on a per-port basis for a 3-Port Clear Channel OC-3 ATM SPA:

Router# show controllers atm 0/2/2
Interface ATM0/2/2 (SPA-3XOC3-ATM-V2[0/2]) is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
  LOF = 0          LOS    = 1          BIP(B1) = 0
LINE
  AIS = 0          RDI    = 1          FEBE = 55         BIP(B2) = 0
PATH
  AIS = 0          RDI    = 1          FEBE = 21         BIP(B3) = 0
  LOP = 1          NEWPTR = 0          PSE  = 0          NSE     = 0

Active Defects: None
Active Alarms:  None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA

ATM framing errors:
  HCS (correctable):   0
  HCS (uncorrectable): 0

APS not configured
  COAPS = 0          PSBF = 0
  State: PSBF_state = False
  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  Rx Synchronization Status S1 = 00
  S1S0 = 00, C2 = 13
PATH TRACE BUFFER : STABLE

BER thresholds:  SF = 10e-3  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: line

Configuration Examples

This section includes the following configuration examples for the ATM SPAs:
• Basic Interface Configuration Example, page 7-112
• MTU Configuration Example, page 7-112
• Permanent Virtual Circuit Configuration Example, page 7-112
• PVC on a Point-to-Point Subinterface Configuration Example, page 7-113
• PVC on a Multipoint Subinterface Configuration Example, page 7-114
• RFC 1483 Bridging for PVCs Configuration Example, page 7-115
• RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Example, page 7-116
• ATM RFC 1483 Half-Bridging Configuration Example, page 7-116
• ATM Routed Bridge Encapsulation Configuration Example, page 7-116
• Precedence-Based Aggregate WRED Configuration Example, page 7-116
• DSCP-Based Aggregate WRED Configuration Example, page 7-118
• Switched Virtual Circuits Configuration Example, page 7-118
• Traffic Parameters for PVCs or SVCs Configuration Example, page 7-119
• Virtual Circuit Classes Configuration Example, page 7-120
• Virtual Circuit Bundles Configuration Example, page 7-120
• Link Fragmentation and Interleaving with Virtual Templates Configuration Example, page 7-121
• Distributed Compressed Real-Time Protocol Configuration Example, page 7-122
• Automatic Protection Switching Configuration Example, page 7-123
• SONET and SDH Framing Configuration Example, page 7-123
• Layer 2 Protocol Tunneling Topology with a Cisco 7600, Catalyst 5500, and Catalyst 6500 Configuration Example, page 7-124
• Layer 2 Protocol Tunneling Topology with a Cisco 7600 and Cisco 7200 Configuration Example, page 7-125
• Cisco 7600 Basic Back-to-Back Scenario Configuration Example, page 7-126
• Catalyst 5500 Switch and Cisco 7600 Series Routers in Back-to-Back Topology Configuration Example, page 7-126
• Cisco 7600 and Cisco 7200 in Back-to-Back Topology Configuration Example, page 7-127

Basic Interface Configuration Example

!
interface ATM5/1/0
 mtu 9216
 no ip address
 atm clock INTERNAL
!
interface ATM5/1/0.1 point-to-point
 mtu 9216
 ip address 70.1.1.1 255.255.0.0
 pvc 52/100
!
!
interface ATM5/1/1
 mtu 9216
 no ip address
 atm clock INTERNAL
!
interface ATM5/1/1.1 point-to-point
 mtu 9216
 ip address 70.2.1.1 255.255.0.0
 pvc 53/100
!
!
interface ATM5/1/2
 no ip address
 atm clock INTERNAL
!
interface ATM5/1/3
 no ip address
 atm clock INTERNAL
!

MTU Configuration Example

!
interface ATM4/1/0
 ip address 192.168.100.13 255.255.255.0
 mtu 9216
 ip mtu 9188
 mpls mtu 9288
 atm clock INTERNAL
!

Permanent Virtual Circuit Configuration Example

!
interface ATM5/0/0
 no ip address
 pvc 1/100
  protocol ip 1.1.1.3
  protocol ip 20.1.1.1 broadcast
!
!
interface ATM5/0/1
 no ip address
!
interface ATM5/1/1
 ip address 1.1.1.1 255.255.255.0
 load-interval 30
 pvc 1/100
  protocol ip 1.1.1.3
  protocol ip 20.1.1.1
  cbr 140000
  broadcast
  oam-pvc manage
!
 pvc 1/101
  protocol ip 9.9.9.2
  encapsulation aal5ciscoppp Virtual-Template1
!

PVC on a Point-to-Point Subinterface Configuration Example

The following example shows a simple configuration of several PVCs that are configured on point-to-point subinterfaces:

interface ATM3/1/0
 no ip address
!
interface ATM3/1/0.1 point-to-point
 pvc 4/44 l2transport
  mpls l2transport route 22.22.22.22 400
!
!
interface ATM3/1/0.2 point-to-point
 pvc 5/55 l2transport
  encapsulation aal0
  mpls l2transport route 22.22.22.22 500
!
!
interface ATM3/1/0.3 point-to-point
 ip address 99.0.0.2 255.0.0.0
 pvc 9/99
!
!
interface ATM5/0/0
 description flexwan_6_0_0
 no ip address
 logging event link-status
 atm clock INTERNAL
!
interface ATM5/0/0.1 point-to-point
 ip address 50.1.1.1 255.255.255.0
 pvc 50/11
!
!
interface ATM5/0/0.2 point-to-point
 ip address 50.2.2.1 255.255.255.0
 pvc 50/12
!
!
interface ATM5/0/0.3 point-to-point
 ip address 50.3.3.1 255.255.255.0
 pvc 50/13
!
!
interface ATM5/0/0.4 point-to-point
 ip address 50.4.4.1 255.255.255.0
 pvc 50/14
!
!
interface ATM5/0/0.5 point-to-point
 ip address 50.5.5.1 255.255.255.0
 pvc 50/15
!
!
interface ATM5/1/0.1 point-to-point
 ip address 2.0.0.2 255.255.255.0
!
interface ATM5/1/0.2 point-to-point
 ip address 2.0.1.2 255.255.255.0
!
interface ATM5/1/0.3 point-to-point
 ip address 39.0.0.1 255.0.0.0
!

PVC on a Multipoint Subinterface Configuration Example

!
interface ATM4/1/0
 no ip address
 atm clock INTERNAL
!
interface ATM4/1/0.2 multipoint
 ip address 1.1.1.1 255.0.0.0
 pvc 0/121
  protocol ip 1.1.1.23 broadcast
  vbr-nrt 2358 2358
  encapsulation aal5snap
 !
 pvc 0/122
  protocol ip 1.1.1.24 broadcast
  vbr-nrt 2358 2358
  encapsulation aal5snap
 !
 pvc 0/123
  protocol ip 1.1.1.25 broadcast
  vbr-nrt 2358 2358
  encapsulation aal5snap
 !
 pvc 0/124
  protocol ip 1.1.1.26 broadcast
  vbr-nrt 2358 2358
  encapsulation aal5snap
 !
 pvc 0/125
  protocol ip 1.1.1.27 broadcast
 !
...
interface ATM5/1/1
 ip address 1.1.1.1 255.255.255.0
 load-interval 30
 pvc 1/100
  protocol ip 1.1.1.3
  protocol ip 20.1.1.1
  cbr 140000
  broadcast
  oam-pvc manage
 !
 pvc 1/101
  protocol ip 9.9.9.2
  encapsulation aal5ciscoppp Virtual-Template1
!
!
interface ATM5/1/1.200 multipoint
 ip address 7.7.7.1 255.255.255.0
 bundle bundle
  pvc-bundle high 2/100
   class-vc high
  pvc-bundle med 2/101
   class-vc med
  pvc-bundle low 2/102
   class-vc low
!
!
interface ATM5/1/2
 no ip address
!
interface ATM5/1/3
 no ip address
!

RFC 1483 Bridging for PVCs Configuration Example

The following shows a simple example of an ATM interface and PVC that have been configured for RFC 1483 bridging with a Fast Ethernet interface. The access list rbe-list that the subinterface applies inbound with ip access-group is not shown in this example; it must exist before the subinterface filters any traffic.

vlan 30
!
interface FastEthernet7/1
 no ip address
 duplex full
 speed 100
 switchport
 switchport access vlan 30
 switchport mode access
!
interface ATM9/1/0
 no ip address
 mtu 4096
 bandwidth 2000
 pvc 0/39
  bridge-domain 30
  encapsulation aal5snap
!
interface ATM9/1/0.2 point-to-point
 ip address 10.10.12.2 255.255.255.0
 ip access-group rbe-list in
 atm route-bridged ip
 no mls ip
 pvc 10/200
!
router rip
 network 10.0.0.0
 network 30.0.0.0
!

RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Example

The following shows a simple example of an ATM interface that has been configured for RFC 1483 bridging using IEEE 802.1Q tunneling:

interface ATM6/2/0
 no ip address
 shutdown
 atm clock INTERNAL
 atm mtu-reject-call
 no atm ilmi-keepalive
 pvc 2/101
  bridge-domain 99 dot1q-tunnel
 !
mls qos trust dscp spanning-tree bpdufilter enable ATM RFC 1483 Half-Bridging Configuration Example The following simple example shows an ATM subinterface configured for half-bridging: ! interface ATM5/1/0.100 multipoint ip address 192.168.100.14 255.255.0.0 mtu 1500 pvc 10/200 encapsulation aal5snap bridge ! ATM Routed Bridge Encapsulation Configuration Example The following simple example shows an ATM subinterface configured for RBE, also known as RFC 1483 half-bridging: ! interface ATM5/1/0.100 point-to-point ip address 10.10.10.121 255.255.0.0 mtu 1500 atm route-bridged ip pvc 100/100 encapsulation aal5snap ! Precedence-Based Aggregate WRED Configuration Example The following example shows a precedence-based aggregate WRED configuration: ! Create a policy map named prec-aggr-wred. !7-117 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Configuration Examples Router(config)# policy-map prec-aggr-wred ! ! Configure a default class for the policy map. ! Router(config-pmap)# class class-default ! ! Enable precedence-based (the default setting) aggregate WRED for the default class. ! Router(config-pmap-c)# random-detect aggregate ! ! Define an aggregate subclass for packets with IP Precedence values of 0-3 and assign the ! WRED profile parameter values for this subclass. ! Router(config-pmap-c)# random-detect precedence values 0 1 2 3 minimum thresh 10 maximum-thresh 100 mark-prob 10 ! ! Define an aggregate subclass for packets with IP Precedence values of 4 and 5 and assign ! the WRED profile parameter values for this subclass. ! Router(config-pmap-c)# random-detect precedence values 4 5 minimum-thresh 40 maximum-thresh 400 mark-prob 10 ! ! Define an aggregate subclass for packets with an IP Precedence value of 6 and assign the ! WRED profile parameter values for this subclass. ! Router(config-pmap-c)# random-detect precedence values 6 minimum-thresh 60 maximum-thresh 600 mark-prob 10 ! ! 
Define an aggregate subclass for packets with an IP Precedence value of 7 and assign the ! WRED profile parameter values for this subclass. ! Router(config-pmap-c)# random-detect precedence values 7 minimum-thresh 70 maximum-thresh 700 mark-prob 10 ! ! Attach the policy map prec-aggr-wred to the interface. Note all ATM SPA service policies ! are applied at the atm vc level. ! Router(config-pmap-c)# interface ATM4/1/0.10 point-to-point Router(config-subif)# ip address 10.0.0.2 255.255.255.0 Router(config-subif)# pvc 10/110 Router(config-subif)# service policy output prec-aggr-wred7-118 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Configuration Examples DSCP-Based Aggregate WRED Configuration Example The following example shows a DSCP-based aggregate WRED configuration: ! Create a policy map named dscp-aggr-wred. ! Router(config)# policy-map dscp-aggr-wred ! ! Configure a default class for the policy map. ! Router(config-pmap)# class class-default ! ! Enable dscp-based aggregate WRED for the default class and assign the ! default WRED profile parameter values to be used for all subclasses that have not been ! specifically configured.. ! Router(config-pmap-c)# random-detect dscp-based aggregate minimum-thresh 1 maximum-thresh 10 mark-prob 10 ! ! Define an aggregate subclass for packets with DSCP values of 0-7 and assign the WRED ! profile parameter values for this subclass ! Router(config-pmap-c)# random-detect dscp values 0 1 2 3 4 5 6 7 minimum-thresh 10 maximum-thresh 20 mark-prob 10 ! ! Define an aggregate subclass for packets with DSCP values of 8-11 and assign the WRED ! profile parameter values for this subclass. ! Router(config-pmap-c)random-detect dscp values 8 9 10 11 minimum-thresh 10 maximum-thresh 40 mark-prob 10 ! ! Attach the policy map dscp-aggr-wred to the interface. Note all ATM SPA service policies ! are applied at the atm vc level. ! 
Router(config)# interface ATM4/1/0.11 point-to-point Router(config-subif)# ip address 10.0.0.2 255.255.255.0 Router(config-subif) pvc 11/101 Router(config-subif)# service policy output dscp-aggr-wred Switched Virtual Circuits Configuration Example interface ATM4/0/2 ip address 10.23.33.2 255.255.255.0 atm clock INTERNAL atm pvp 244 atm esi-address 111111111111.11 pvc 0/5 qsaal ! pvc 0/16 ilmi ! ! interface ATM4/0/2.1 multipoint ip address 10.20.0.2 255.0.0.0 atm esi-address 333333333333.33 ! svc nsap 47.009181000000001011B8C601.222222222222.22 protocol ip 10.20.0.1 ubr 1000 ! !7-119 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 7 Configuring the ATM SPAs Configuration Examples interface ATM4/0/2.2 multipoint ip address 10.13.3.1 255.255.255.0 atm esi-address 510211111111.11 ! svc nsap 47.009181000000001011B8C601.410233333333.33 protocol ip 10.13.3.3 ! interface ATM4/0/2.3 multipoint svc SVC1 nsap 47.009181000000BBBBBB000001.222222222222.22 protocol ip 33.33.33.1 broadcast encapsulation aal5snap Traffic Parameters for PVCs or SVCs Configuration Example ! interface ATM5/1/1.100 point-to-point ip address 10.1.1.1 255.255.255.0 load-interval 30 pvc 1/100 protocol ip 1.1.1.3 protocol ip 20.1.1.1 cbr 100 broadcast ! ! interface ATM5/1/1.110 point-to-point ip address 10.2.2.2 255.255.255.0 pvc 1/110 ubr 1000 ! ! interface ATM5/1/1.120 point-to-point ip address 10.3.3.3 255.255.255.0 no ip directed-broadcast pvc 1/120 vbr-nrt 50000 50000 encapsulation aal5snap ! ! interface ATM5/1/1.130 point-to-point ip address 10.4.4.4 255.255.255.0 pvc 1/130 vbr-rt 445 445 encapsulation aal5snap ! ! interface ATM5/1/1.140 point-to-point ip address 10.5.5.5 255.255.255.0 atm arp-server nsap 47.00918100000000107B2B4B01.111155550000.00 atm esi-address 111155550001.00 ! 
 svc SVC00 nsap 47.00918100000000107B2B4B01.222255550001.00
  protocol ip 10.5.5.6 broadcast
  oam-svc manage
  encapsulation aal5mux ip
  ubr 1000
 !

Virtual Circuit Classes Configuration Example

vc-class atm high-class
 ilmi manage
 oam-pvc manage 5
 oam retry 10 7 3
!
vc-class atm low-class
!
interface ATM4/1/0
 no ip address
 class-int high-class
 atm ilmi-pvc-discovery subinterface
 pvc 0/5 qsaal
 !
 pvc 0/16 ilmi
 !
!
interface ATM4/1/0.1 multipoint
 pvc 1/110
  protocol ip 10.10.10.14
 !
interface ATM4/1/1
 ip address 10.10.11.2 255.255.255.0
 class-int low-class
 atm uni-version 4.0
 atm pvp 1
 atm esi-address AAAAAAAAAAAA.AA
interface ATM4/1/1.2 multipoint
 pvc 2/100
  protocol ip 10.10.11.1
 !

Virtual Circuit Bundles Configuration Example

!
interface ATM5/1/1
 ip address 1.1.1.1 255.255.255.0
 load-interval 30
 pvc 1/100
  protocol ip 1.1.1.3
  protocol ip 20.1.1.1
  cbr 140000
  broadcast
  oam-pvc manage
 !
 pvc 1/101
  protocol ip 9.9.9.2
  encapsulation aal5ciscoppp Virtual-Template1
 !
!
interface ATM5/1/1.200 multipoint
 ip address 7.7.7.1 255.255.255.0
 bundle atm-bundle
  pvc-bundle high 2/100
   class-vc high
  pvc-bundle med 2/101
   class-vc med
  pvc-bundle low 2/102
   class-vc low
!

Link Fragmentation and Interleaving with Virtual Templates Configuration Example

The following simple example shows a sample LFI configuration using a virtual template interface:

!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all prec4
 match ip precedence 4
class-map match-all prec5
 match ip precedence 5
class-map match-all prec6
 match ip precedence 6
class-map match-all prec7
 match ip precedence 7
class-map match-all prec0
 match ip precedence 0
class-map match-all prec1
 match ip precedence 1
class-map match-all prec2
 match ip precedence 2
class-map match-all dscp2
 match dscp 2
class-map match-all prec3
 match ip precedence 3
class-map match-all prec8
 match precedence 0 2 4 6
class-map match-any all
class-map match-all any
 match any
!
!
policy-map pmap1
 class prec1
  bandwidth percent 10
 class prec2
  police 100000000 3125000 3125000 conform-action transmit exceed-action drop
  priority
!
!
!
interface ATM2/1/0
 no ip address
 atm clock INTERNAL
!
interface ATM2/1/0.1 point-to-point
 pvc 0/100
  encapsulation aal5snap
  protocol ppp Virtual-Template1
 !
!
interface ATM2/1/0.1000 point-to-point
 pvc 1/1000
  encapsulation aal5ciscoppp Virtual-Template2
 !
!
interface ATM2/1/0.1001 point-to-point
 pvc 1/1001
  protocol ip 10.10.11.12
  encapsulation aal5ciscoppp Virtual-Template3
!
interface ATM2/1/1
 no ip address
 shutdown
!
interface ATM2/1/2
 no ip address
 shutdown
!
interface ATM2/1/3
 no ip address
!
interface Virtual-Template1
 bandwidth 100
 ip address 10.34.0.2 255.255.255.0
 no keepalive
 ppp chap hostname north-21
 ppp multilink
 ppp multilink fragment-delay 5
 ppp multilink interleave
 multilink max-fragments 16
 service-policy output pmap1
!
interface Virtual-Template2
 ip address 10.36.0.2 255.255.255.0
 no keepalive
 ppp chap hostname north-22
 ppp multilink
 ppp multilink fragment-delay 5
 ppp multilink interleave
 service-policy output pmap1
!
interface Virtual-Template3
 ppp chap hostname north-23
 ppp multilink
 ppp multilink fragment-delay 5
 ppp multilink interleave
 service-policy output pmap1
!
interface Vlan1
 no ip address
 shutdown
!
Distributed Compressed Real-Time Protocol Configuration Example

!
interface ATM5/1/0.200 point-to-point
 pvc 10/300
  encapsulation aal5mux ppp Virtual-Template200
 !
...
!
interface Virtual-Template200
 bandwidth 2000
 ip address 10.1.200.2 255.255.255.0
 ip rtp header-compression passive
 ip tcp header-compression passive
 ppp chap hostname template200
 ppp multilink
 ppp multilink fragment-delay 8
 ppp multilink interleave
 ip tcp compression-connections 64
!

Automatic Protection Switching Configuration Example

!
interface ATM4/0/0
 description working
 ip address 10.5.5.1 255.255.255.0
 no shutdown
 aps group 1
 aps working 1
 pvc 1/100
  protocol ip 10.5.5.2
!
interface ATM4/0/1
 description protect
 ip address 10.5.5.1 255.255.255.0
 aps group 1
 aps revert 2
 aps protect 0 10.7.7.7
 pvc 1/100
  protocol ip 10.5.5.2
!
interface Loopback1
 ip address 10.7.7.7 255.255.255.0

SONET and SDH Framing Configuration Example

!
interface ATM2/0/0
 description Example of SONET framing - "atm framing sonet" is default and doesn't appear
 ip address 10.16.2.2 255.255.255.0
 logging event link-status
 atm sonet report all
 atm sonet threshold sd-ber 3
 atm sonet threshold sf-ber 6
 atm sonet overhead c2 0x00
!
interface ATM2/0/1
 description Example of SDH framing - "atm framing sdh" appears in configuration
 ip address 10.16.3.3 255.255.255.0
 logging event link-status
 atm framing sdh
 atm sonet report all
 atm sonet overhead c2 0x00
!

Layer 2 Protocol Tunneling Topology with a Cisco 7600, Catalyst 5500, and Catalyst 6500 Configuration Example

Figure 7-10 shows one sample network topology in which data packets are sent between a Catalyst 6500 series switch and a Cisco 7600 series router.
Figure 7-10 Catalyst 5500 Switch, 6500 Switch, and Cisco 7600 Series Router in an L2PT Topology

As shown in Figure 7-10, Layer 2 Protocol Tunneling (L2PT) is configured at the Cisco 7600 ATM 6/1/0 interface and also at the Catalyst 6500 switch Gig 2/1 interface. PVST packets are sent from the Catalyst 5500 switch to the Cisco 7600 series router. The Cisco 7600 series router transports those BPDUs by way of L2PT and sends them to the Catalyst 6500 series switch. Those BPDUs are decapsulated and restored before sending the packets out to the customer network. The Cisco 7600 series router and the Catalyst 6500 series switch are provider edge (PE) devices and the rest are customer edge (CE) devices.

ATM Configuration Example

Any traffic coming in must be sent via a dot1q-tunnel. If the PE VLAN is 200 and the CE VLAN is 100, you have the following configuration:

Router(config)# interface atm 6/1/0
Router(config-if)# pvc 6/200
Router(config-if-atm-vc)# bridge-domain 200 dot1q-tunnel ignore-bpdu-pid pvst-tlv 100

Ethernet Configuration Example

An example of the Ethernet configuration follows:

Router(config)# interface gig2/1
Router(config-if)# switchport
Router(config-if)# switchport access vlan 200
Router(config-if)# switchport mode dot1q-tunnel
Router(config-if)# l2protocol-tunnel

CE VLAN 100 is what is used at the customer sites. The Catalyst 5500 switch sends the IEEE BPDU in data format. The Cisco 7600 series router receives the BPDU and first converts it to PVST+ format. Then the destination address (DA) MAC of the frame is changed to the protocol tunnel MAC address and sent out into the Layer 2 cloud. At the other end, when the frame leaves the Gig 2/1 interface, the DA MAC is changed back to the PVST+ DA MAC and the PVST+ BPDU is sent to the customer premises equipment (CPE) device.
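The configuration fragments in this chapter reference each other in ways that are easy to get wrong by hand: a PPP-over-ATM PVC names a Virtual-Template, a Virtual-Template names a policy-map, and a bridge-domain carries a pvst-tlv VLAN that, in the back-to-back scenario described later in this section, must equal the bridge-domain VLAN. The following Python script is an added example, not code from the Cisco guide or from Cisco IOS. It parses a constructed IOS-style configuration stitched together from fragments of the examples in this chapter (the interface names, VLANs and policy names are sample values) and reports dangling references and mismatched VLANs. Treating every bridge-domain that lacks dot1q-tunnel as a back-to-back PVC is an assumption of the example, not a rule stated by the guide.

```python
"""Reference checks for ATM PVC configurations like the ones in this chapter (added example)."""
import re

# Constructed sample stitched from fragments of the guide's examples, then broken in three
# places (pmap9, Virtual-Template3 and the last bridge-domain) so every check reports something.
SAMPLE_CONFIG = """\
policy-map pmap1
 class prec1
  bandwidth percent 10
!
interface ATM2/1/0.1 point-to-point
 pvc 0/100
  encapsulation aal5snap
  protocol ppp Virtual-Template1
!
interface ATM2/1/0.1001 point-to-point
 pvc 1/1001
  encapsulation aal5ciscoppp Virtual-Template3
!
interface Virtual-Template1
 ppp multilink
 service-policy output pmap1
!
interface Virtual-Template2
 service-policy output pmap9
!
interface ATM6/1/0
 pvc 6/200
  bridge-domain 200 dot1q-tunnel ignore-bpdu-pid pvst-tlv 100
!
interface ATM2/1/0
 pvc 2/202
  bridge-domain 101 pvst-tlv 101
!
interface ATM4/1/0
 pvc 2/202
  bridge-domain 101 pvst-tlv 105
!
"""

SERVICE_POLICY_RE = re.compile(r"^service-policy (?:input|output) (\S+)$")
VTEMPLATE_RE = re.compile(r"(Virtual-Template\d+)$")
BRIDGE_DOMAIN_RE = re.compile(r"^bridge-domain (\d+)(.*)$")
PVST_TLV_RE = re.compile(r"pvst-tlv (\d+)")


def parse_config(config):
    """Return (policy_maps, {interface: [commands]}, [{"interface", "pvc", "cmds"}])."""
    policy_maps, interfaces, pvcs = set(), {}, []
    iface = cur_pvc = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                 # global command: interface, policy-map, ...
            cur_pvc = None
            words = line.split()
            iface = words[1] if words[0] == "interface" else None
            if iface is not None:
                interfaces[iface] = []
            elif words[0] == "policy-map":
                policy_maps.add(words[1])
        elif iface is None:                      # inside a non-interface block (policy-map)
            continue
        elif line.startswith("pvc "):            # one-space indent: PVC header
            cur_pvc = {"interface": iface, "pvc": line.split()[1], "cmds": []}
            pvcs.append(cur_pvc)
        elif cur_pvc is not None and raw.startswith("  "):
            cur_pvc["cmds"].append(line)         # two-space indent: PVC-level command
        else:
            cur_pvc = None
            interfaces[iface].append(line)       # interface-level command
    return policy_maps, interfaces, pvcs


def lint_config(config):
    """Return human-readable findings; an empty list means every reference resolved."""
    policy_maps, interfaces, pvcs = parse_config(config)
    findings = []
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = SERVICE_POLICY_RE.match(cmd)
            if m and m.group(1) not in policy_maps:
                findings.append(f"{name}: service-policy names undefined policy-map {m.group(1)}")
    for p in pvcs:
        where = f"{p['interface']} pvc {p['pvc']}"
        for cmd in p["cmds"]:
            vt = VTEMPLATE_RE.search(cmd)
            if vt and vt.group(1) not in interfaces:
                findings.append(f"{where}: names undefined {vt.group(1)}")
            bd = BRIDGE_DOMAIN_RE.match(cmd)
            if bd:
                vlan, rest = int(bd.group(1)), bd.group(2)
                tlv = PVST_TLV_RE.search(rest)
                # Assumption: no dot1q-tunnel means the back-to-back case, where the guide
                # requires the CE (pvst-tlv) VLAN to equal the bridge-domain VLAN.
                if tlv and "dot1q-tunnel" not in rest and int(tlv.group(1)) != vlan:
                    findings.append(f"{where}: pvst-tlv {tlv.group(1)} differs from bridge-domain {vlan}")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, lint_config reports the undefined policy-map pmap9, the undefined Virtual-Template3, and the pvst-tlv 105 that does not match bridge-domain 101; the dot1q-tunnel PVC with pvst-tlv 100 under bridge-domain 200 is accepted, as in the L2PT example above.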
[Figure 7-10: Catalyst 5500 switch and customer LAN, Cisco 7600 router with the ATM 6/1/0 interface (Layer 2 protocol tunneling enabled), service provider ATM network, Catalyst 6500 switch with the Gig2/1 interface (L2PT enabled), customer LAN.]

Layer 2 Protocol Tunneling Topology with a Cisco 7600 and Cisco 7200 Configuration Example

Figure 7-11 shows how a Cisco 7600 series router needs to communicate with a Cisco 7200 series router.

Figure 7-11 Cisco 7600 and Cisco 7200 Routers in an L2PT Topology

[Figure 7-11: CE 1 (Cisco 7600, ATM 1/1/0), ATM network, PE 1 (Cisco 7600, ATM 2/0/0), ATM network, PE 2 (Cisco 7600, ATM 3/0/0), ATM network, CE 2 (Cisco 7200, ATM 4/0).]

PE Configuration

On the PE routers, the configuration appears as follows:

!On PE 1
interface ATM2/0/0
 no ip address
 atm mtu-reject-call
 pvc 7/101
  bridge-domain 200 dot1q-tunnel
 !
end

!On PE 2
interface ATM3/0/0
 no ip address
 pvc 2/101
  bridge-domain 200 dot1q-tunnel pvst-tlv 100
 !
end

Cisco 7600 CE Configuration

The configuration for the Cisco 7600 CE 1 router would be as follows:

!On CE 1
interface ATM1/1/0
 no ip address
 atm mtu-reject-call
 pvc 7/101
  bridge-domain 101
 !
end

Cisco 7200 CE Configuration

The configuration for the Cisco 7200 CE 2 router would be as follows:

!On CE 2
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
 pvc 2/101
 !
 bridge-group 101
end

Data Transmission Sequence from the Cisco 7200 CE to the Cisco 7600 CE

Given the configurations and topologies shown in these examples, the data transmission sequence from the Cisco 7200 CE to the Cisco 7600 CE is as follows:

1. The Cisco 7200 CE 2 router sends BPDUs without the MAC header in RFC 1483 format.
2. The Cisco 7600 PE router receives the packets and then translates the IEEE BPDU into PVST+ BPDU format.
3. VLAN 100 is inserted into the PVST+ BPDU.
4. The frame's destination address (DA) MAC value is rewritten to use the protocol tunnel DA MAC and is sent out into the ATM network cloud.
5. The L2PT BPDU must go out of the PE 1 ATM 2/0/0 interface. The DA MAC is restored to the PVST+ DA MAC.
6. Finally, the PVST+ BPDU is sent to the Cisco 7600 CE 1 router.

Cisco 7600 Basic Back-to-Back Scenario Configuration Example

Figure 7-12 shows an example of a basic back-to-back scenario.

Figure 7-12 Cisco 7600 Routers in Basic Back-to-Back Topology

[Figure 7-12: Cisco 7600 (ATM 2/1/0), service provider ATM network, Cisco 7600 (ATM 4/1/0).]

The PDUs exchanged are PVST+ BPDUs. The PVST+ BPDUs are sent using a PID of 0x00-07. The configuration is set as follows:

Router(config)# interface atm 2/1/0
Router(config-if)# pvc 2/202
Router(config-if-atm-vc)# bridge-domain 101

Catalyst 5500 Switch and Cisco 7600 Series Routers in Back-to-Back Topology Configuration Example

Figure 7-13 shows another sample topology with a simple back-to-back setup, which serves to test basic Catalyst 5500 and Cisco 7600 interoperability.

Figure 7-13 Catalyst 5500 Switch and Cisco 7600 Routers in Back-to-Back Topology

[Figure 7-13: customer network, Catalyst 5500 switch, ATM network, Cisco 7600 router (ATM 2/1/0), customer network.]

When connected to a device that sends and receives IEEE BPDUs in data format (PID 0x00-07) such as the Catalyst 5000's ATM module, the configuration must be something like this:

Router(config)# interface atm 2/1/0
Router(config-if)# pvc 2/202
Router(config-if-atm-vc)# bridge-domain 101 ignore-bpdu-pid pvst-tlv 101

The Cisco 7600 series router translates its outgoing PVST+ BPDUs into IEEE BPDUs.
Because the ignore-bpdu-pid keyword is also enabled, the BPDU uses a PID of 0x00-07, which is exactly what the Catalyst 5500 switch requires.

Cisco 7600 and Cisco 7200 in Back-to-Back Topology Configuration Example

When connecting to a device that is completely RFC 1483-compliant, in which the IEEE BPDUs are sent using a PID of 0x00-0E, you must use the new ignore-bpdu-pid keyword in the bridge-domain command. Figure 7-14 shows an example of such a configuration.

Figure 7-14 Cisco 7600 Router Series and Cisco 7200 Router Series in Back-to-Back Topology

[Figure 7-14: Cisco 7600 router (ATM 2/1/0), ATM network, Cisco 7200 router (ATM 4/0).]

For example, when a Cisco 7600 series router is connected to a Cisco 7200 series router, the configuration would be as follows:

Router(config)# interface atm 2/1/0
Router(config-if)# pvc 2/202
Router(config-if-atm-vc)# bridge-domain 101 pvst-tlv 101

Note In this configuration scenario, the CE's VLAN number must be identical to the bridge-domain VLAN number.

An example of the Ethernet configuration is shown in the "Ethernet Configuration Example" section on page 7-124.

Chapter 8 Troubleshooting the ATM SPAs

This chapter describes how to monitor and troubleshoot the asynchronous transfer mode (ATM) shared port adapters (SPAs) in a Cisco 7600 series router. This document covers the 1-Port OC-48c/STM-16 ATM SPA, 1-Port OC-12c/STM-4 ATM SPA, and the 2-Port and 4-Port OC-3c/STM-1 ATM SPA.
• General Troubleshooting Information, page 8-1
• Monitoring the ATM SPA, page 8-2
• Troubleshooting the ATM Shared Port Adapter, page 8-15
• Preparing for Online Insertion and Removal of a SPA, page 8-27

For more information about troubleshooting your hardware installation, refer to the Cisco 7600 Series Router SIP, SSC, and SPA Hardware Installation Guide.

General Troubleshooting Information

This section provides the following general information for troubleshooting ATM SPA cards and their SPA interface processor (SIP) carrier cards:

• Interpreting Console Error and System Messages, page 8-1
• Using debug Commands, page 8-2
• Using show Commands, page 8-2

Interpreting Console Error and System Messages

To view the explanations and recommended actions for Cisco 7600 series router error messages, including messages related to Cisco 7600 series router SIPs and SPAs, refer to the Cisco 7600 Series Cisco IOS System Message Guide, Cisco IOS Release 12.2 SX.

System error messages are organized in the documentation according to the particular system facility that produces the messages. The SIP and SPA error messages use the following facility names:

• Cisco 7600 SIP-200
• Cisco 7600 SIP-400
• 1-Port OC-12c/STM-4 ATM SPA
• 1-Port OC-48c/STM-16 ATM SPA
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA

Using debug Commands

Along with the other debug commands supported on the Cisco 7600 series router, you can obtain specific debug information for SPAs on the Cisco 7600 series router using the debug hw-module subslot privileged exec command.

Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead can affect system use.

The debug hw-module subslot command is intended for use by Cisco Systems technical support personnel. For more information about the debug hw-module subslot command and about other debug commands that can be used on a Cisco 7600 series router, refer to the Cisco 7600 Series Cisco IOS Command Reference, 12.2 SX and to the Cisco IOS Debug Command Reference, Release 12.2 SR.

Using show Commands

There are several show commands that you can use to monitor and troubleshoot the SIP and SPA cards on a Cisco 7600 series router. For more information on these commands, see the "Monitoring the ATM SPA" section on page 8-2. Also see the following chapters in this guide for additional information about these show commands:

• Chapter 7, "Configuring the ATM SPAs"

Monitoring the ATM SPA

This section contains the following subsections that describe commands that can be used to display information about the ATM SPA hardware, interfaces, PVCs, SVCs, and APS configuration:

• Displaying Hardware Information, page 8-2
• Displaying Information About ATM Interfaces, page 8-5
• Displaying Information About PVCs and SVCs, page 8-7
• Displaying Information About Automatic Protection Switching, page 8-13

Note The outputs in this document are samples only. The actual output that appears on your router depends on the model of router, type of cards that are installed, and their configuration.
Displaying Hardware Information

Use the following commands to display different types of hardware and system information:

• show version—Displaying System Information, page 8-3
• show hw-module subslot fpd and show idprom module—Displaying Information About the ATM SPA Hardware Revision Levels, page 8-3
• show controllers atm—Displaying Information About the ATM Controller Hardware, page 8-4
• show diag—Displaying Information About ATM Ports, page 8-5

Displaying System Information

To display information about the router, its system hardware and software, and the number of each type of interface that is installed, use the show version command. The following sample output shows a Cisco 7606 router that has two four-port OC-3c ATM SPA cards installed in a Cisco 7600 SIP-400 carrier card, along with a number of Gigabit Ethernet interfaces:

Router# show version
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-JSV-M), Released Version 12.2(XX) [BLD-sipedon2 187]
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Tue 16-Mar-04 05:13 by jrstu
Image text-base: 0x40020F94, data-base: 0x424B0000

ROM: System Bootstrap, Version 12.2(14r)S1, RELEASE SOFTWARE (fc1)

sup2_7606 uptime is 44 minutes
Time since sup2_7606 switched to active is 43 minutes
System returned to ROM by power-on (SP by power-on)
System image file is "disk0:c6k222-jsv-mz_022204"

cisco CISCO7606 (R7000) processor (revision 1.0) with 458752K/65536K bytes of memory.
Processor board ID TBM06402027
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2, 2048KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 FlexWAN controller (2 ATM).
2 SIP-400 controllers (7 ATM).
1 Dual-port OC12c ATM controller (2 ATM).
1 Virtual Ethernet/IEEE 802.3 interface(s)
8 Gigabit Ethernet/IEEE 802.3 interface(s)
11 ATM network interface(s)
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

Displaying Information About the ATM SPA Hardware Revision Levels

To display information about the hardware revision of the SPA, as well as the version of the field-programmable device (FPD) that is onboard the SPA, use the show hw-module subslot fpd command. Cisco technical engineers might need this information to debug or troubleshoot problems with a SPA installation.

Router# show hw-module subslot fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable   Current     Min. Required
Slot Card Type               Ver.  Device: "ID-Name"    Version     Version
==== ====================== ====== ================== =========== ==============
5/0  4xOC-3 ATM SPA         1.0    1-I/O FPGA           0.70        0.70
---- ---------------------- ------ ------------------ ----------- --------------
5/1  4xOC-3 ATM SPA         1.0    1-I/O FPGA           0.70        0.70
==== ====================== ====== =============================================

In addition, the show idprom module command also displays the serial number and board revisions for the ATM SPA.

Router# show idprom module 5/2
IDPROM for SPA module #5/2 (FRU is '4-port OC3/STM1 ATM Shared Port Adapter')
 Product Identifier (PID) : SPA-4XOC3-ATM
 Version Identifier (VID) : V01
 PCB Serial Number        : PRTA0304088
 Top Assy. Part Number    : 68-2177-01
 73/68 Board Revision     : 04
 73/68 Board Revision     : 10
 Hardware Revision        : 0.17
 CLEI Code                : UNASSIGNED

Displaying Information About the ATM Controller Hardware

To display information about the controller hardware for an ATM interface, including framing and alarm configuration, as well as port, packet, and channel performance statistics, use the show controllers atm command, which has the following syntax:

show controllers atm slot/subslot/port

The following example shows typical output for an ATM SPA interface:

Router# show controllers atm 5/1/0
Interface ATM5/1/0 is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
  LOF = 0          LOS = 0          BIP(B1) = 603
LINE
  AIS = 0          RDI = 2          FEBE = 2332      BIP(B2) = 1018
PATH
  AIS = 0          RDI = 1          FEBE = 28        BIP(B3) = 228
  LOP = 0          NEWPTR = 0       PSE = 1          NSE = 2

Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA

ATM framing errors:
  HCS (correctable): 0
  HCS (uncorrectable): 0

APS
  COAPS = 0        PSBF = 0
  State: PSBF_state = False
  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  Rx Synchronization Status S1 = 00
  S1S0 = 00, C2 = 00
PATH TRACE BUFFER : STABLE

BER thresholds:  SF = 10e-3  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6

Clock source: line

Note The ATM SPA does not support automatic updates of the remote host information, if any, in the Path Trace Buffer section of the show controllers atm command.

Displaying Information About ATM Ports

To display information about the type of port adapters that are installed in the router, use the show diag command, which has the following syntax:

show diag slot

where slot is the slot number that contains the port adapter.
The following example shows typical output for a 4-port OC-3c ATM SPA that is in slot 4 in the router:

Router# show diag 4
Slot 4: Logical_index 8
        4-adapter SIP-200 controller
        Board is analyzed  ipc ready
        HW rev 0.300, board revision 08
        Serial Number:         Part number: 73-8272-03
        Slot database information:
        Flags: 0x2004   Insertion time: 0x1961C (01:16:54 ago)
        Controller Memory Size:
                384 MBytes CPU Memory
                128 MBytes Packet Memory
                512 MBytes Total on Board SDRAM
        IOS (tm) cwlc Software (sip1-DW-M), Released Version 12.2(17)SX [BLD-sipedon2 107]
        SPA Information:
                subslot 4/0: 4xOC-3 ATM SPA (0x3E1), status: ok
                subslot 4/1: 4xOC-3 ATM SPA (0x3E1), status: ok

Displaying Information About ATM Interfaces

Use the following commands to display information about ATM interfaces:

• show interface atm—Displaying Layer 2 Information About an ATM Interface, page 8-5
• show atm interface atm—Displaying ATM-Specific Information About an ATM Interface, page 8-6
• show ip interface—Displaying Layer 3 IP Information About an ATM Interface, page 8-7

Displaying Layer 2 Information About an ATM Interface

To display Layer 2 information about an ATM interface or subinterface, along with the current status and packet counters, use the show interface atm command.
The following example shows sample output for an ATM interface on an ATM SPA:

Router# show interface atm 5/1/0
ATM5/1/0 is up, line protocol is up
  Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
  MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Encapsulation(s): AAL5
  4095 maximum active VCs, 21 current VCCs
  VC idle disconnect time: 300 seconds
  Signalling vc = 1, vpi = 0, vci = 5
  UNI Version = 4.0, Link Side = user
  6 carrier transitions
  Last input 01:47:05, output 00:00:01, output hang never
  Last clearing of "show interface" counters 01:03:35
  Input queue: 0/75/33439/80 (size/max/drops/flushes); Total output drops: 963306
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     9502306 packets input, 6654982829 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     45011 input errors, 131042 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     27827569 packets output, 21072150159 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out

The following example shows sample output for a subinterface on this same ATM interface:

Router# show interface atm 5/1/0.200
ATM5/1/0.200 is up, line protocol is up
  Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
  Internet address is 10.10.10.16/24
  MTU 4470 bytes, BW 149760 Kbit, DLY 80 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  NSAP address: 47.00918100000000107B2B4B01.222255550001.00
  Encapsulation ATM
  12630 packets input, 10521156 bytes
  4994 packets output, 4176213 bytes
  3753 OAM cells input, 4366 OAM cells output
  AAL5 CRC errors : 0
  AAL5 SAR Timeouts : 0
  AAL5 Oversized SDUs : 0

Note The value for "packets output" in the default version of the show interfaces atm command includes the bytes used for ATM AAL5 padding, trailer and ATM cell header. To see the packet count without the padding, header, and trailer information, use the show interfaces atm statistics or show atm pvc commands.

Displaying ATM-Specific Information About an ATM Interface

To display Layer 2 ATM-specific information about an ATM interface or subinterface, use the show atm interface atm command:

Router# show atm interface atm 3/1/0
Interface ATM3/1/0:
AAL enabled:  AAL5 , Maximum VCs: 1023, Current VCCs: 1
Maximum Transmit Channels: 64
Max. Datagram Size: 4528
PLIM Type: SONET - 155000Kbps, TX clocking: LINE
Cell-payload scrambling: ON
sts-stream scrambling: ON
0 input, 0 output, 0 IN fast, 0 OUT fast, 0 out drop
Avail bw = 155000
Config. is ACTIVE

Displaying Layer 3 IP Information About an ATM Interface

To display Layer 3 (IP-layer) information about an ATM interface, use the show ip interface command. To display a brief summary about all interfaces, use the following command:

show ip interface brief

To display information about a specific ATM interface, use the following command:

show ip interface atm slot/subslot/port

The following output shows a typical example for the brief version of the show ip interface command:

Router# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  down                  down
GigabitEthernet1/1     172.18.76.57    YES NVRAM  up                    up
GigabitEthernet1/2     unassigned      YES NVRAM  administratively down down
ATM3/0/0               unassigned      YES manual up                    up
ATM3/0/0.1             unassigned      YES manual up                    up
ATM3/0/0.2             10.1.1.1        YES manual up                    up
ATM3/1/0               unassigned      YES manual up                    up
ATM3/1/0.1             unassigned      YES manual up                    up
ATM3/1/0.2             unassigned      YES unset  up                    up
ATM3/1/0.3             11.1.1.1        YES manual up                    up

Displaying Information About PVCs and SVCs

Use the following commands to display information about PVCs and SVCs, including mapping, traffic, and VLAN configuration information:

• show atm vp—Displaying Information About Virtual Paths, page 8-8
• show atm vc—Displaying Information About Virtual Channels, page 8-8
• show atm pvc—Displaying Information About PVCs, page 8-9
• show atm svc and show atm ilmi-status—Displaying Information About SVCs, page 8-10
• show atm map—Displaying Information About Layer 2/Layer 3 Mappings, page 8-11
• show atm traffic—Displaying Information About ATM Traffic, page 8-12
• show atm vlan—Displaying Information About VLAN Mappings, page 8-12
• show atm class-links—Displaying Information About VC Bundles, page 8-13

Displaying Information About Virtual Paths

To display information about the virtual paths (VPs) that are configured on the router's ATM interfaces, use the show atm vp command:

Router# show atm vp
                Data  CES   Peak    CES
Interface  VPI  VCs   VCs   Kbps    Kbps    Status
ATM5/0/3   1    1     0     149760  0       ACTIVE
ATM5/0/3   1    2     0     299520  299000  ACTIVE
ATM5/0/3   2    0     0     1000    0       ACTIVE
Router#

To display detailed information about a specific virtual path, including its current PVCs and SVCs, specify the VPI with the show atm vp command:

Router# show atm vp 30
ATM8/1/0 VPI: 30, PeakRate: 149760, CesRate: 0, DataVCs: 1, CesVCs: 0, Status: ACTIVE

   VCD   VCI   Type   InPkts   OutPkts   AAL/Encap   Status
   2     3     PVC    0        0         F4 OAM      ACTIVE
   3     4     PVC    0        0         F4 OAM      ACTIVE
   4     300   PVC    5        5         AAL5-SNAP   ACTIVE
   6     11    PVC    12       1         AAL5-SNAP   ACTIVE

TotalInPkts: 17, TotalOutPkts: 6, TotalInFast: 0, TotalOutFast: 6, TotalBroadcasts: 0
TotalInPktDrops: 0, TotalOutPktDrops: 0

Displaying Information About Virtual Channels

To display information about all of the virtual channels that are currently configured on the ATM interfaces, use the show atm vc command without any options:

Router# show atm vc
           VCD /                                        Peak  Avg/Min Burst
Interface  Name         VPI  VCI  Type   Encaps   SC    Kbps  Kbps    Cells  Sts
3/0/0      1            1    100  PVC    SNAP     UBR   149760               UP
3/0/1      1            2    100  PVC    SNAP     UBR   149760               UP
3/0/2      1            3    100  PVC    SNAP     UBR   149760               UP
3/0/2      2            3    300  PVC    SNAP     UBR   149760               UP
3/0/3      1            4    100  PVC    SNAP     UBR   149760               UP

To display detailed information about a specific virtual connection, specify its VC descriptor (VCD) along with the command:

Router# show atm vc 20
ATM1/1/0.200: VCD: 20, VPI: 2, VCI: 200
UBR, PeakRate: 44209
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 5 minutes(s)
Transmit priority 4
InPkts: 10, OutPkts: 11, InBytes: 680, OutBytes: 708
InPRoc: 10, OutPRoc: 5, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 0, OutAS: 6
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP

You can also display information about the VCs on a specific ATM interface and its subinterfaces:

Router# show atm vc interface atm 2/1/0
ATM2/0.101: VCD: 201, VPI: 20, VCI: 101
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 15 minutes(s)
Transmit priority 4
InPkts: 3153520, OutPkts: 277787, InBytes: 402748610, OutBytes: 191349235
InPRoc: 0, OutPRoc: 0, Broadcasts: 0
InFast: 211151, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 17
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP

To display information about the traffic over a particular VC, use the show atm vc command with the following syntax:

show atm vc traffic interface atm slot/subslot/port vpi vci

Router# show atm vc traffic interface atm 1/0/1 1 101
Interface   VPI  VCI  Type  rx-cell-cnts  tx-cell-cnts
ATM1/0/1    1    101  PVC   9345          7231

Displaying Information About PVCs

Use the show atm pvc command to provide information about the PVCs that are currently configured on the router. To display all PVCs that are currently configured on the router's ATM interfaces and subinterfaces, use the show atm pvc command:

Router# show atm pvc
           VCD /                                        Peak  Avg/Min Burst
Interface  Name         VPI  VCI  Type   Encaps   SC    Kbps  Kbps    Cells  Sts
2/1/0      1            2    32   PVC    SNAP     UBR   0                    UP
2/1/0.1    0            0    33   PVC    MUX      UBR   599040               UP
2/1/0.2    2            0    34   PVC    MUX      UBR   599040               INAC
2/1/0.3    3            0    35   PVC    MUX      UBR   599040               INAC
2/1/0.4    4            0    36   PVC    MUX      UBR   599040               INAC
2/1/1.1    0            0    33   PVC    MUX      UBR   599040               UP
2/1/1.2    2            0    34   PVC    MUX      UBR   599040               INAC
2/1/1.3    3            0    35   PVC    MUX      UBR   599040               INAC
2/1/1.4    4            0    36   PVC    MUX      UBR   599040               INAC

Tip To display all PVCs on a particular ATM interface or subinterface, use the show atm pvc interface atm command.
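Counters such as "input errors", "CRC", "Total output drops" and "interface resets" in the show interface atm output above, and the Sts column of the show atm pvc table, are what an operator scans first when an ATM SPA misbehaves. The Python script below is an added example, not code from the Cisco guide: it parses constructed copies of those two outputs (trimmed to the lines the checks need, carrying the same sample values as the outputs above) and flags a high input-error ratio, non-zero error counters, and PVCs whose status is not UP. The 0.1% input-error threshold is an assumed value chosen for the example, not a Cisco recommendation.

```python
"""Health checks over 'show interface atm' and 'show atm pvc' output (added example)."""
import re

# Constructed samples: trimmed copies of the kind of output shown above, not from a live router.
SHOW_INTERFACE = """\
ATM5/1/0 is up, line protocol is up
  Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
  6 carrier transitions
  Input queue: 0/75/33439/80 (size/max/drops/flushes); Total output drops: 963306
     9502306 packets input, 6654982829 bytes, 0 no buffer
     45011 input errors, 131042 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     27827569 packets output, 21072150159 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
"""

SHOW_ATM_PVC = """\
           VCD /                                        Peak  Avg/Min Burst
Interface  Name         VPI  VCI  Type   Encaps   SC    Kbps  Kbps    Cells  Sts
2/1/0      1            2    32   PVC    SNAP     UBR   0                    UP
2/1/0.1    0            0    33   PVC    MUX      UBR   599040               UP
2/1/0.2    2            0    34   PVC    MUX      UBR   599040               INAC
2/1/1.3    3            0    35   PVC    MUX      UBR   599040               INAC
"""

# Counter name -> regex with one capture group for the integer value.
COUNTER_PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "input_err": r"(\d+) input errors",
    "crc_errors": r"(\d+) CRC",
    "output_drops": r"Total output drops: (\d+)",
    "interface_resets": r"(\d+) interface resets",
    "carrier_transitions": r"(\d+) carrier transitions",
}


def parse_interface_counters(text):
    """Extract the named counters from 'show interface atm' output into a dict of ints."""
    counters = {}
    for key, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        if m:
            counters[key] = int(m.group(1))
    return counters


def interface_findings(counters, max_error_ratio=0.001):
    """Flag counters that point at a line, framing or congestion problem.

    max_error_ratio (0.1% of input packets) is an assumed threshold for this example.
    """
    findings = []
    packets_in = counters.get("packets_input", 0)
    errors_in = counters.get("input_err", 0)
    if packets_in and errors_in / packets_in > max_error_ratio:
        findings.append(f"input error ratio {errors_in / packets_in:.3%} exceeds {max_error_ratio:.1%}")
    if counters.get("crc_errors"):
        findings.append(f"{counters['crc_errors']} CRC errors: check SONET BIP/BER counters and clocking")
    if counters.get("output_drops"):
        findings.append(f"{counters['output_drops']} output drops: output queue or VC shaping is congested")
    if counters.get("interface_resets"):
        findings.append(f"{counters['interface_resets']} interface resets since counters were cleared")
    return findings


def parse_pvc_table(text):
    """Parse the tabular 'show atm pvc' / 'show atm vc' listing into row dicts.

    Fields are split on whitespace; the Avg/Min and Burst columns may be empty,
    so the status is read from the last field rather than from a fixed column.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[4] in ("PVC", "SVC"):
            rows.append({
                "interface": fields[0], "vcd": fields[1],
                "vpi": int(fields[2]), "vci": int(fields[3]),
                "type": fields[4], "encaps": fields[5], "sc": fields[6],
                "status": fields[-1],
            })
    return rows


def inactive_vcs(rows):
    """Return 'interface vpi/vci' for every VC whose status is not UP (for example INAC)."""
    return [f"{r['interface']} {r['vpi']}/{r['vci']}" for r in rows if r["status"] != "UP"]


if __name__ == "__main__":
    for finding in interface_findings(parse_interface_counters(SHOW_INTERFACE)):
        print("interface:", finding)
    for vc in inactive_vcs(parse_pvc_table(SHOW_ATM_PVC)):
        print("inactive VC:", vc)
```

On the constructed sample the interface check reports four findings (an input-error ratio of about 0.47%, the CRC count, the output drops and the interface resets) and the PVC check lists the two INAC circuits 2/1/0.2 0/34 and 2/1/1.3 0/35. The same parse_pvc_table function reads the show atm vc and show atm svc tables, since they share the column layout.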
To display detailed information about a particular PVC, specify its VPI/VCI values:

    Router# show atm pvc 1/100
    ATM3/0/0: VCD: 1, VPI: 1, VCI: 100
    UBR, PeakRate: 149760
    AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
    OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
    OAM up retry count: 3, OAM down retry count: 5
    OAM Loopback status: OAM Disabled
    OAM VC status: Not Managed
    ILMI VC status: Not Managed
    InARP frequency: 15 minutes(s)
    Transmit priority 6
    InPkts: 94964567, OutPkts: 95069747, InBytes: 833119350, OutBytes: 838799016
    InPRoc: 1, OutPRoc: 1, Broadcasts: 0
    InFast: 0, OutFast: 0, InAS: 94964566, OutAS: 95069746
    InPktDrops: 0, OutPktDrops: 0
    CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
    Out CLP=1 Pkts: 0
    OAM cells received: 0
    F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
    F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
    OAM cells sent: 0
    F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
    F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
    OAM cell drops: 0
    Status: UP
    VC 1/100 doesn't exist on 7 of 8 ATM interface(s)

Displaying Information About SVCs

Use the show atm vc and show atm ilmi-status commands to provide information about the SVCs that are currently configured on the router. To display all SVCs that are currently configured on the router’s ATM interfaces and subinterfaces, use the show atm svc command:

    Router# show atm svc
               VCD /                                    Peak  Avg/Min Burst
    Interface  Name      VPI   VCI Type   Encaps   SC   Kbps  Kbps    Cells Sts
    4/0/0      1           0     5 SVC    SAAL     UBR  155000               UP
    4/0/2      4           0    35 SVC    SNAP     UBR  155000               UP
    4/1/0      16          0    47 SVC    SNAP     UBR  155000               UP
    4/1/0.1    593         0    80 SVC    SNAP     UBR  599040               UP

Tip: To display all SVCs on a particular ATM interface or subinterface, use the show atm svc interface atm command.
To display detailed information about a particular SVC, specify its VPI/VCI values:

    Router# show atm svc 0/35
    ATM5/1/0.200: VCD: 3384, VPI: 0, VCI: 35, Connection Name: SVC00
    UBR, PeakRate: 155000
    AAL5-MUX, etype:0x800, Flags: 0x44, VCmode: 0x0
    OAM frequency: 10 second(s), OAM retry frequency: 1 second(s)
    OAM up retry count: 3, OAM down retry count: 5
    OAM Loopback status: OAM Received
    OAM VC status: Verified
    ILMI VC status: Not Managed
    VC is managed by OAM.
    InARP DISABLED
    Transmit priority 6
    InPkts: 0, OutPkts: 4, InBytes: 0, OutBytes: 400
    InPRoc: 0, OutPRoc: 4, Broadcasts: 0
    InFast: 0, OutFast: 0, InAS: 0, OutAS: 0
    InPktDrops: 0, OutPktDrops: 0
    CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
    Out CLP=1 Pkts: 0
    OAM cells received: 10
    F5 InEndloop: 10, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
    F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
    OAM cells sent: 10
    F5 OutEndloop: 10, F5 OutSegloop: 0, F5 OutRDI: 0
    F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
    OAM cell drops: 0
    Status: UP
    TTL: 4
    interface = ATM5/1/0.200, call locally initiated, call reference = 8094273
    vcnum = 3384, vpi = 0, vci = 35, state = Active(U10) , point-to-point call
    Retry count: Current = 0
    timer currently inactive, timer value = 00:00:00
    Remote Atm Nsap address: 47.00918100000000107B2B4B01.111155550001.00 , VC owner: ATM_OWNER_SMAP

To display information about the ILMI status and NSAP addresses being used for the SVCs on an ATM interface, use the show atm ilmi-status command:

    Router# show atm ilmi-status atm 4/1/0
    Interface : ATM4/1/0  Interface Type : Private UNI (User-side)
    ILMI VCC : (0, 16)  ILMI Keepalive : Enabled/Up (5 Sec 4 Retries)
    ILMI State: UpAndNormal
    Peer IP Addr: 10.10.13.1  Peer IF Name: ATM 3/0/3
    Peer MaxVPIbits: 8  Peer MaxVCIbits: 14
    Active Prefix(s) :
    47.0091.8100.0000.0010.11b8.c601
    End-System Registered Address(s) :
    47.0091.8100.0000.0010.11b8.c601.2222.2222.2222.22(Confirmed)
    47.0091.8100.0000.0010.11b8.c601.aaaa.aaaa.aaaa.aa(Confirmed)

Tip: To display information about the SVC signaling PVC and ILMI PVC, use the show atm pvc 0/5 and show atm pvc 0/16 commands.

Displaying Information About Layer 2/Layer 3 Mappings

To display the mappings between virtual circuits and Layer 3 IP addresses, use the show atm map command:

    Router# show atm map
    Map list ATM3/1/0.100_ATM_INARP : DYNAMIC
    ip 10.11.11.2 maps to VC 19, VPI 2, VCI 100, ATM3/1/0.100
    ip 10.11.11.1 maps to VC 4, VPI 0, VCI 60, ATM3/1/0.102
    ip 10.11.13.4 maps to VC 1, VPI 5, VCI 33, ATM3/1/0
    ip 10.10.9.20 maps to bundle vc-group1, 0/32, 0/33, 0/34, ATM3/1/0.1, broadcast
    Map list ATM3/1/1.200_ATM_INARP : DYNAMIC
    ip 10.2.3.2 maps to VC 20, VPI 2, VCI 200, ATM1/1/0.200
    ip 10.2.3.10 maps to bundle vc-group2, 0/32, 0/33, 0/34, ATM3/1/1.1, broadcast
    Map list ATM4/0/3.95_pvc1 : PERMANENT
    ip 10.4.4.4 maps to NSAP CD.CDEF.01.234567.890A.BCDE.F012.3456.7890.1234.12, broadcast, aal5mux, multipoint connection up, VC 6
    ip 10.4.4.6 maps to NSAP DE.CDEF.01.234567.890A.BCDE.F012.3456.7890.1234.12, broadcast, aal5mux, connection up, VC 15, multipoint connection up, VC 6
    ip 10.4.4.16 maps to VC 1, VPI 13, VCI 95, ATM4/0/3.95, aal5mux

Displaying Information About ATM Traffic

To display general information about the traffic over the ATM interfaces, use the show atm traffic command:

    Router# show atm traffic
    276875 Input packets
    272965 Output packets
    2 Broadcast packets
    0 Packets received on non-existent VC
    6 Packets attempted to send on non-existent VC
    272523 OAM cells received
    F5 InEndloop: 272523, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
    F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
    272963 OAM cells sent
    F5 OutEndloop: 272963, F5 OutSegloop: 0, F5 OutRDI: 0
    0 OAM cell drops

To display information about traffic shaping on the ATM interfaces in a particular slot, use the show atm traffic shaping slot command:

    Router# show atm traffic shaping slot 3
    Traffic Shaping CAM State : ACTIVE
    Shaper Configuration Status :
    Shapers In Use By Config : 3, Shapers Available for Config : 3
    Shaper Status in Hardware :
    Shaper 0 : In Use - Port : 0/0/0 Class : best-effort
    Shaper 1 : Not In Use
    Shaper 2 : Not In Use
    Shaper 3 : Not In Use
    Statistics :
    Total cell discards : 0, clp0 discards : 0, clp1 discards : 0
    Free cell buffers : 262143
    Total cells queued : 0

Tip: You can also use the show atm vc traffic command to display traffic information for a particular VC.

Displaying Information About VLAN Mappings

To display the mappings of VLAN IDs to VCs, use the show atm vlan command:

    Router# show atm vlan
    VCD    VLAN-ID
    101    1
    102    2
    103    3
    104    4
    105    5
    106    6
    107    7
    108    8
    109    9
    110    10
    111    11
    112    12
    113    13
    114    14
    115    15
    116    16
    117    17
    118    18
    119    19
    120    20
    121    21
    122    22
    ...
    800    11
    801    11
    802    11
    803    11
    804    326
    805    326
    806    326
    807    326
    808    327
    809    327
    810    327
    811    327

Tip: To display the ports being used by a VLAN, use the show vlan id command.
Displaying Information About VC Bundles

To display the relationship between a particular VC and its parent VC class, including the parameters that were inherited from the class and those that were set manually, use the show atm class-links command:

    Router# show atm class-links 0/66
    Displaying vc-class inheritance for ATM2/0.3, vc 0/66:
    broadcast - VC-class configured on main-interface
    encapsulation aal5mux ip - VC-class configured on subinterface
    no ilmi manage - Not configured - using default
    oam-pvc manage 3 - VC-class configured on vc
    oam retry 3 5 1 - Not configured - using default
    ubr 10000 - Configured on vc directly

Displaying Information About Automatic Protection Switching

When you have configured automatic protection switching (APS) on one or more routers, you can show the current APS configuration and status with the show aps command, which has the following syntax:

    show aps [atm interface | controller | group [number]]

You can display information about the overall APS configuration and about the specific APS groups that include interfaces that are present in the router.

Displaying the Current APS Status

The show aps command, without any options, displays information for all interfaces in the router that are configured as Working or Protect APS interfaces.
The following shows sample output for a router with one Working interface and one Protect interface:

    Router# show aps
    ATM4/0/1 APS Group 1: protect channel 0 (inactive)
            bidirectional, revertive (2 min)
            PGP timers (default): hello time=1; hold time=3
            state: authentication = (default)
            PGP versions (native/negotiated): 2/2
            SONET framing; SONET APS signalling by default
            Received K1K2: 0x00 0x05
              No Request (Null)
            Transmitted K1K2: 0x20 0x05
              Reverse Request (protect)
            Working channel 1 at 10.10.10.41 Enabled
            Remote APS configuration: (null)
    ATM4/0/0 APS Group 1: working channel 1 (active)
            PGP timers (from protect): hello time=3; hold time=6
            state: Enabled
            authentication = (default)
            PGP versions (native/negotiated): 2/2
            SONET framing; SONET APS signalling by default
            Protect at 10.10.10.41
            Remote APS configuration: (null)

The following sample output is for the same interfaces, except that the Working interface has gone down and the Protect interface is now active:

    Router# show aps
    ATM4/0/1 APS Group 1: protect channel 0 (active)
            bidirectional, revertive (2 min)
            PGP timers (default): hello time=1; hold time=3
            state: authentication = (default)
            PGP versions (native/negotiated): 2/2
            SONET framing; SONET APS signalling by default
            Received K1K2: 0x00 0x05
              No Request (Null)
            Transmitted K1K2: 0xC1 0x05
              Signal Failure - Low Priority (working)
            Working channel 1 at 10.10.10.41 Disabled SF
            Pending local request(s): 0xC (, channel(s) 1)
            Remote APS configuration: (null)
    ATM4/0/0 APS Group 1: working channel 1 (Interface down)
            PGP timers (from protect): hello time=3; hold time=6
            state: Disabled
            authentication = (default)
            PGP versions (native/negotiated): 2/2
            SONET framing; SONET APS signalling by default
            Protect at 10.10.10.41
            Remote APS configuration: (null)

Tip: To display the same information for a specific ATM interface, use the show aps atm slot/subslot/port command.

Displaying Information About APS Groups

To display information about the APS groups that are configured on the router, use the show aps group command. You can display information for all groups or for a single group. For example, the following shows a typical display for an individual group:

    Router# show aps group 2
    ATM4/0/0 APS Group 2: working channel 1 (active)
            PGP timers (from protect): hello time=3; hold time=6
            SONET framing; SONET APS signalling by default
            Protect at 10.10.10.7
            Remote APS configuration: (null)
    ATM4/0/1 APS Group 2: protect channel 0 (inactive)
            bidirectional, revertive (2 min)
            PGP timers (default): hello time=1; hold time=3
            SONET framing; SONET APS signalling by default
            Received K1K2: 0x00 0x05
              No Request (Null)
            Transmitted K1K2: 0x20 0x05
              Reverse Request (protect)
            Working channel 1 at 10.10.10.7 Enabled
            Remote APS configuration: (null)

Note: In the above example, both the Working and Protect interfaces in the APS group are on the same router. If the two interfaces are on different routers, the show aps group command shows information only for the local interface that is a member of the APS group.
Troubleshooting the ATM Shared Port Adapter

This section describes the following commands and messages that can provide information in troubleshooting the ATM SPA and its interfaces:

• Understanding Line Coding Errors, page 8-16
• Using the Ping Command to Verify Network Connectivity, page 8-16
• Using Loopback Commands, page 8-17
• Using ATM Debug Commands, page 8-26
• Using the Cisco IOS Event Tracer to Troubleshoot Problems, page 8-26

Tip: For additional information on troubleshooting specific problems related to PVCs and SVCs, see the TAC tech note web page, at the following URL: http://www.cisco.com/en/US/tech/tk39/tk48/tech_tech_notes_list.html

Understanding Line Coding Errors

This section provides a brief description of line coding and of the types of errors and alarms that can occur on a line:

• Alarm Indication Signal (AIS)—An AIS alarm indicates that an alarm was raised by a device on a line upstream to the ATM interface. Typically, the device creating the alarm is the adjacent network neighbor, but the AIS signal could also be generated by a device in the service provider’s ATM cloud.
• Loss of Frame (LOF)—An LOF alarm occurs when the local interface is using a framing format that does not match the framing format being used on the line. LOF errors could also occur when the line or a device on the line is generating bit errors that are corrupting frames.
• Rx Cell HCS Error (HCSE)—The interface detected an error in the cell’s header checksum (HCS) field, which indicates that one or more header bits were corrupted. (This field does not indicate whether any errors occurred in the cell’s 48-bit payload.)
• Remote Alarm Indication (RAI) and Far-end Receive Failure (FERF)—An RAI/FERF error indicates that a problem exists between the local ATM interface and the far end, and that the error might not be in the local segment between the local interface and the adjacent node.

Using the Ping Command to Verify Network Connectivity

The ping command is a convenient way to test the ability of an interface to send and receive packets over the network. The ping command sends ICMP echo request packets to a specified destination address, which should send an equal number of ICMP echo reply packets in reply. By measuring the number of packets that are successfully returned, as well as how long each packet takes to be returned, you can quickly obtain a rough idea of the Layer 3 to Layer 3 connectivity between two interfaces.

The IP ping command has the following syntax:

    ping

or

    ping ip-address [repeat count] [data hex] [size datagram-size]

If you enter just ping, the command interactively prompts you for all other parameters. Otherwise, you must specify at least a specific IP address as the destination for the ping. You can also optionally specify the following parameters:

• repeat count—Number of ICMP echo request packets to send. The default is five packets.
• data hex—The data pattern, in hexadecimal, to be sent in the ICMP echo request packets.
• size datagram-size—Specifies the size, in bytes, of the ICMP echo request packets to be sent. The range is 40 to 18024 bytes, with a default of 100 bytes.

Examples

The following shows a typical example of the ping command:

    Router# ping 10.10.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echoes to 10.10.10.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/64 ms

Note: You must have at least one PVC or SVC defined on an ATM interface before it can respond to an ICMP ping packet.

Using Loopback Commands

The loopback commands place an interface in loopback mode, which enables you to use the ping command to send packets through the local interface and line, so as to test connectivity. These commands are especially useful when an interface is experiencing a high number of cyclic redundancy check (CRC) errors, because they let you pinpoint where the errors are occurring. Use the following procedures to perform the different loopback tests:

• Using loopback diagnostic to Create a Local Loopback, page 8-17
• Using loopback line, page 8-22

Tip: For more information about using loopbacks to troubleshoot CRC errors on an interface, see the CRC Troubleshooting Guide for ATM Interfaces tech note, at the following URL: http://www.cisco.com/en/US/tech/tk39/tk48/technologies_tech_note09186a00800c93ef.shtml

Using loopback diagnostic to Create a Local Loopback

To perform a local loopback test, in which the transmit data is looped back to the receive data at the physical (PHY) layer, use the loopback diagnostic command on an ATM interface. This loopback tests connectivity on the local ATM interface, verifying that the interface’s framing circuitry and segmentation and reassembly (SAR) circuitry are operating correctly. This loopback, however, does not test the interface’s optics circuitry and ports.

Tip: If an ATM interface is currently connected to another ATM interface and passing traffic, shut down the remote ATM interface before giving the loopback diagnostic command on the local ATM interface. Otherwise, the remote interface continues to send traffic to the local interface, and the remote network could also start reporting interface and network errors.

Figure 8-1 shows a router-level diagram of a local loopback.
Figure 8-2 shows a block-level diagram of a local loopback, as it is performed within the ATM interface circuitry.

Figure 8-1 Performing a Local Loopback—Router Level
[Figure: Router 1 and Router 2 connected across the ATM cloud; loopback cells are returned from TX to RX on the local interface]

Figure 8-2 Performing a Local Loopback—Block Level
[Figure: FPGA, ATM SAR, SONET/SDH framer and ATM optics; TX is looped back to RX inside the interface]

DETAILED STEPS

Step 1  Router# configure terminal
        Enters global config
        uration mode.

Step 2  Router(config)# interface atm slot/subslot/port
        Enters interface configuration mode for the indicated port on the specified ATM SPA card.

Step 3  Router(config-if)# loopback diagnostic
        Puts the ATM interface into the local loopback mode, so that data that is transmitted out the interface is internally routed back into the receive data line.

Step 4  Router(config-if)# atm clock internal
        Specifies that the ATM interface should derive its clocking from its local oscillator. This is required because the loopback command isolates the interface from the network and from the clocking signals that are derived from the network line.

Step 5  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.

Step 6  Router# show interface atm slot/subslot/port
        (Optional) Verifies that the interface has been configured for loopback mode. The output should show the words “loopback set” when the interface is operating in loopback mode.

Step 7  Router# debug atm packet interface atm slot/subslot/port
        (Optional) Enables packet debugging on the ATM interface.
        Note: This command generates several lines of debug output for each packet transmitted and received on the interface. Do not use it on a live network, or you could force the processor to 100% utilization.

Step 8  Router(config-if)# ping ip-address [repeat count] [data hex] [size datagram-size]
        Sends an ICMP echo request packet to the specified IP address.
        • ip-address—Destination IP address for the ICMP echo request packet. Because the interface has been put into loopback mode, the exact IP address does not matter—any valid IP address can be specified.
        • repeat count—(Optional) Specifies the number of ICMP echo request packets to be sent. The default is 5.
        • data hex—(Optional) The data pattern, in hexadecimal, to be sent in the ICMP echo request packets.
        • size datagram-size—(Optional) Specifies the size, in bytes, of the ICMP echo request packets to be sent. The range is 40 to 18024 bytes, with a default of 100 bytes.
        Note: Because the interface is in loopback mode, the ping command will report that it failed. This is to be expected.

Step 9  Router# show interface atm slot/subslot/port
        Displays interface statistics, including whether any CRC or other errors occurred during the ping test. For example:

            Router# show interface atm 5/0/1
            ...
            Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
            5 input errors, 5 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            ...
            Router#

Step 10 Router(config)# interface atm slot/subslot/port
        Enters interface configuration mode for the indicated port on the specified ATM SPA card.

Step 11 Router(config-if)# no loopback diagnostic
        Removes the local loopback and returns the ATM interface to normal operation.
        Note: Also remember to restore the proper clocking on the local ATM interface and to reenable the remote ATM interface.

Examples

The following sample output shows a local loopback being set with the loopback diagnostic command. The ping command then sends two PING packets, and the resulting output from the show interface command shows that two CRC errors occurred.

    Router# configure terminal
    Router(config)# interface atm 4/1/0
    Router(config-if)# loopback diagnostic
    Router(config-if)# atm clock internal
    Router(config-if)# end
    Router# show interface atm 4/1/0
    ATM4/1/0 is up, line protocol is up
      Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
      MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ATM, loopback set
      Encapsulation(s): AAL5
      4095 maximum active VCs, 21 current VCCs
      VC idle disconnect time: 300 seconds
      Signalling vc = 1, vpi = 0, vci = 5
      UNI Version = 4.0, Link Side = user
      6 carrier transitions
      Last input 01:47:05, output 00:00:01, output hang never
      Last clearing of "show interface" counters 01:03:35
      Input queue: 0/75/33439/80 (size/max/drops/flushes); Total output drops: 963306
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         9502306 packets input, 6654982829 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicast)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         27827569 packets output, 21072150159 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 output buffer failures, 0 output buffers swapped out
    Router# debug atm packet interface atm 4/1/0
    ATM packets debugging is on
    Displaying packets on interface ATM4/1/0
    Router# ping 10.10.10.10 count 2
    Type escape sequence to abort.
    Sending 2, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    1w1d: ATM4/1/0(O): VCD:0x5 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
    1w1d: 4500 0064 001A 0000 FF01 B77A 0101 0102 0101 0101 0800 119A 13A2 07C5 0000
    1w1d: 0000 2D41 2408 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    1w1d: ABCD ABCD ABCD ABCD ABCD
    1w1d:
    1w1d: ATM4/1/0(I): VCD:0x5 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
    1w1d: 4500 0064 001A 0000 0101 B57B 0101 0102 0101 0101 0800 119A 13A2 07C5 0000
    1w1d: 0000 2D41 2408 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    1w1d: ABCD ABCD ABCD ABCD ABCD
    1w1d: .
    1w1d: ATM4/1/0(O): VCD:0x5 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
    1w1d: 4500 0064 001B 0000 FF01 B779 0101 0102 0101 0101 0800 09C9 13A3 07C5 0000
    1w1d: 0000 2D41 2BD8 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    1w1d: ABCD ABCD ABCD ABCD ABCD
    1w1d:
    1w1d: ATM4/1/0(I): VCD:0x5 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
    1w1d: 4500 0064 001B 0000 0101 B57A 0101 0102 0101 0101 0800 09C9 13A3 07C5 0000
    1w1d: 0000 2D41 2BD8 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    1w1d: ABCD ABCD ABCD ABCD ABCD
    1w1d: .
    Success rate is 0 percent (0/2)
    Router# configure terminal
    Router(config)# interface atm 4/1/0
    Router(config-if)# no loopback diagnostic
    Router(config-if)# end
    Router# show interface atm 4/1/0
    ATM4/1/0 is up, line protocol is up
      Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
      MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ATM, loopback not set
      Encapsulation(s): AAL5
      4095 maximum active VCs, 21 current VCCs
      VC idle disconnect time: 300 seconds
      Signalling vc = 1, vpi = 0, vci = 5
      UNI Version = 4.0, Link Side = user
      6 carrier transitions
      Last input 01:47:05, output 00:00:01, output hang never
      Last clearing of "show interface" counters 01:03:35
      Input queue: 0/75/33439/80 (size/max/drops/flushes); Total output drops: 963306
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         9502306 packets input, 6654982829 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicast)
         0 runts, 0 giants, 0 throttles
         2 input errors, 2 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         27827569 packets output, 21072150159 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 output buffer failures, 0 output buffers swapped out

Using loopback line

If an ATM interface can perform a local loopback successfully, without reporting errors, you can next try a line loopback (loopback line command) to determine if packet errors are being generated by the ATM network between the local and remote router. In a line loopback, the interface on the remote router is configured with the loopback line command, so that it reflects every packet that it receives back to the originating router. The local router then generates traffic with the ping command to determine whether the line through the network is generating the packet errors.

Figure 8-3 shows a router-level diagram of a line loopback. Figure 8-4 shows a block-level diagram of a line loopback, as it is performed within the ATM interface circuitry.

Figure 8-3 Performing a Line Loopback—Router Level
[Figure: Router 1 and Router 2 connected across the ATM cloud; loopback cells are reflected by the remote interface back to the originating router]

Figure 8-4 Performing a Line Loopback—Block Level
[Figure: FPGA, ATM SAR, SONET/SDH framer and ATM optics; RX is looped back to TX at the line side of the interface]

DETAILED STEPS

Perform the following steps on the remote router:

Step 1  Router# configure terminal
        Enters global configuration mode.

Step 2  Router(config)# interface atm slot/subslot/port
        Enters interface configuration mode for the indicated port on the specified ATM SPA card.

Step 3  Router(config-if)# loopback line
        Puts the ATM interface into the line loopback mode, so that it reflects any data it receives back to the originator.

Step 4  Router(config-if)# end
        Exits interface configuration mode and returns to privileged EXEC mode.
Step 5 Router# show interface atm slot/subslot/port (Optional) Verifies that the interface has been configured for loopback mode. The output should show the words “loopback set” when the interface is operating in loopback mode. Perform the following steps on the local router: Step 1 Router# debug atm packet interface atm slot/subslot/port (Optional) Enables packet debugging on the ATM interface. Note This command generates several lines of debug output for each packet transmitted and received on the interface. Do not use it on a live network, or you could force the processor to 100% utilization. Step 2 Router(config-if)# ping ip-address [repeat count] [data hex] [size datagram-size] Sends an ICMP echo request packet to the specified IP address. • ip-address—Destination IP address for the ICMP echo request packet. Because the interface has been put into loopback mode, the exact IP address does not matter—any valid IP address can be specified. • repeat count—(Optional) Specifies the number of ICMP echo request packets to be sent. The default is 5. • data hex—(Optional) The data pattern, in hexadecimal, to be sent in the ICMP echo request packets. The default is 0x0000. • size datagram-size—(Optional) Specifies the size, in bytes, of the ICMP echo request packets to be sent. The range is 40 to 18024 bytes, with a default of 100 bytes. Note Because the interface is in loopback mode, the ping command will report that it failed. This is to be expected. Step 3 Router(config-if)# end Exits interface configuration mode and returns to privileged EXEC mode. 8-24 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 8 Troubleshooting the ATM SPAs Troubleshooting the ATM Shared Port Adapter Examples The following shows typical output when performing a line loopback. 
The following is the output on the remote router: Router# configure terminal Router(config)# interface atm 3/1/2 Router(config)# loopback line Router(config)# end Router# show interface atm 3/1/2 ATM3/1/2 is up, line protocol is up Hardware is ATM SPA, address is 000a.330e.2b08 (bia 000a.330e.2b08) MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ATM, loopback set Encapsulation(s): AAL5 4095 maximum active VCs, 103 current VCCs VC idle disconnect time: 300 seconds Signalling vc = 1, vpi = 0, vci = 5 UNI Version = 4.0, Link Side = user 6 carrier transitions Last input 00:00:02, output 00:00:01, output hang never Last clearing of "show interface" counters 01:03:35 Input queue: 0/75/13/80 (size/max/drops/flushes); Total output drops: 37 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 932603 packets input, 6798282 bytes, 0 no buffer Received 0 broadcasts (0 IP multicast) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 387275 packets output, 371031501 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out On the Local Router Perform the following on the local router: Router# debug atm packet interface atm 4/0/0 ATM packets debugging is on Displaying packets on interface ATM4/0/0 Step 4 Router# show interface atm slot/subslot/port Displays interface statistics, including whether any CRC or other errors during the ping test. For example: Router# show interface atm 5/0/1 ... Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 5 input errors, 5 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort ... Router# Note Also remember to remove the loopback mode on the remote ATM interface, using the no loopback line command. 
8-25 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 8 Troubleshooting the ATM SPAs Troubleshooting the ATM Shared Port Adapter

Router# ping 192.168.100.13 repeat 2 size 128
Type escape sequence to abort.
Sending 2, 128-byte ICMP Echos to 192.168.100.13, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
00:52:00: ATM4/0/0(O): VCD:0x1 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:00: 4500 0064 000F 0000 FF01 B785 0101 0102 0101 0101 0800 CE44 121D 0009 0000
00:52:00: 0000 002F 9DB0 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD
00:52:00:
00:52:00: ATM4/0/0(I): VCD:0x1 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:00: 4500 0064 000F 0000 0101 B586 0101 0102 0101 0101 0800 CE44 121D 0009 0000
00:52:00: 0000 002F 9DB0 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD
00:52:00:
00:52:02: ATM4/0/0(O): VCD:0x1 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:02: 4500 0064 0010 0000 FF01 B784 0101 0102 0101 0101 0800 C673 121E 0009 0000
00:52:02: 0000 002F A580 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:02: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD
00:52:02:
00:52:02: ATM4/0/0(I): VCD:0x1 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:02: 4500 0064 0010 0000 0101 B585 0101 0102 0101 0101 0800 C673 121E 0009 0000
00:52:02: 0000 002F A580 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:02: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD

Router# show interface atm 4/0/0
ATM4/0/0 is up, line protocol is up
  Hardware is ATM SPA, address is 000a.12f0.80b1 (bia 000a.12f0.80b1)
  MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Encapsulation(s): AAL5
  4095 maximum active VCs, 103 current VCCs
  VC idle disconnect time: 300 seconds
  Signalling vc = 1, vpi = 0, vci = 5
  UNI Version = 4.0, Link Side = user
  6 carrier transitions
  Last input 00:00:02, output 00:00:01, output hang never
  Last clearing of "show interface" counters 01:03:35
  Input queue: 0/75/13/80 (size/max/drops/flushes); Total output drops: 37
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     94917 packets input, 1638383 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 2 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     102898 packets output, 2042785 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 ouput buffer failures, 0 output buffers swapped out

Using ATM Debug Commands

The following debug commands can be useful when troubleshooting problems on an ATM interface or subinterface:
• debug atm bundle errors—Displays information about VC bundle errors.
• debug atm bundle events—Displays information about events related to the configuration and operation of VC bundles, such as VC bumping, when bundles are brought up, when they are taken down, and so forth.
• debug atm errors—Displays errors that occur on an ATM interface, such as encapsulation and framing errors, as well as any errors that might occur during configuration of the ATM interfaces.
• debug atm events—Displays information about events that occur on the ATM interfaces, such as changes to the ATM SPA and ATM interface configuration, card and interface resets, and PVC or SVC creation.

Note The output of debug atm events can be extremely verbose and can cause problems if large numbers of ATM VCs are configured. The command should only be used when a few VCs are configured.

• debug atm oam—Displays the contents of ATM operation and maintenance (OAM) cells as they arrive from the ATM network.
• debug atm packet—Displays a hexadecimal dump of each packet’s SNAP/NLPID/SMDS header, followed by the first 40 bytes of the packet.

Tip Use the no debug all command to turn off all debugging displays.

For more information about these commands, see the Cisco IOS Debug Command Reference, Release 12.2.

Using the Cisco IOS Event Tracer to Troubleshoot Problems

Note This feature is intended for use as a software diagnostic tool and should be configured only under the direction of a Cisco Technical Assistance Center (TAC) representative.

The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This feature gives Cisco service representatives additional insight into the operation of the Cisco IOS software and can be useful in helping to diagnose problems in the unlikely event of an operating system malfunction or, in the case of redundant systems, route processor switchover.
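The hexadecimal dump that debug atm packet prints (see the ping example earlier in this chapter) is easier to interpret once it is decoded back into an IP datagram. The following decoder is an added example, not code from this guide or from Cisco: it parses dumps in that layout, verifies the IP and ICMP checksums against the bytes actually shown, and pairs each outbound echo request with whatever came back on the same ICMP id/seq; the sample dump is constructed for the example and is not a capture from a router.

```python
"""Decoder for the hex dump that `debug atm packet` prints; added example, not Cisco code."""
import re
import struct
from typing import Dict, List

# Constructed sample in the layout of the dump above: an outbound ICMP echo request on
# VCD 1 / VPI 0 / VCI 0x55 and the packet seen inbound with the same ICMP id/seq; each
# carries exactly the 100 bytes its IP total-length field (0x0064) announces.
SAMPLE_DUMP = """\
00:52:00: ATM4/0/0(O): VCD:0x1 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:00: 4500 0064 000F 0000 FF01 B785 0101 0102 0101 0101 0800 CE44 121D 0009 0000
00:52:00: 0000 002F 9DB0 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD
00:52:00:
00:52:00: ATM4/0/0(I): VCD:0x1 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:00: 4500 0064 000F 0000 0101 B586 0101 0102 0101 0101 0800 CE44 121D 0009 0000
00:52:00: 0000 002F 9DB0 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): (?P<intf>ATM[\d/]+)\((?P<dir>[IO])\): VCD:0x(?P<vcd>[0-9A-Fa-f]+) "
    r"VPI:0x(?P<vpi>[0-9A-Fa-f]+) VCI:0x(?P<vci>[0-9A-Fa-f]+).*Length:0x(?P<length>[0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"^\d\d:\d\d:\d\d:((?: [0-9A-Fa-f]{4})+)\s*$")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when data already holds a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ip_icmp(words: List[str]) -> Dict:
    """Parse the IPv4 header (and the ICMP echo header when present) from the dumped
    words and verify both checksums against the bytes that were actually dumped."""
    raw = bytes.fromhex("".join(words))
    if len(raw) < 20:
        raise ValueError("dump shorter than an IPv4 header")
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    info: Dict = {"version": ver_ihl >> 4, "total_length": total_len, "ip_id": ident,
                  "ttl": ttl, "protocol": proto,
                  "src": ".".join(str(b) for b in raw[12:16]),
                  "dst": ".".join(str(b) for b in raw[16:20]),
                  "dumped_bytes": len(raw),
                  "ip_checksum_ok": len(raw) >= ihl and inet_checksum(raw[:ihl]) == 0}
    # The debug output may show only the first 40 bytes of a packet, so the ICMP
    # checksum can be verified only when the whole datagram was dumped.
    complete = len(raw) >= total_len
    if proto == 1 and len(raw) >= ihl + 8:
        icmp = raw[ihl:total_len] if complete else raw[ihl:]
        itype, icode, _icsum, iid, iseq = struct.unpack("!BBHHH", icmp[:8])
        info.update({"icmp_type": itype, "icmp_code": icode, "icmp_id": iid,
                     "icmp_seq": iseq, "icmp_complete": complete,
                     "icmp_checksum_ok": inet_checksum(icmp) == 0 if complete else None})
    return info


def decode_dump(dump: str) -> List[Dict]:
    """Group the dump into packets (a header line plus its hex lines) and decode each."""
    packets: List[Dict] = []
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append({"ts": m["ts"], "intf": m["intf"], "dir": m["dir"],
                            "vcd": int(m["vcd"], 16), "vpi": int(m["vpi"], 16),
                            "vci": int(m["vci"], 16), "atm_length": int(m["length"], 16),
                            "words": []})
        elif packets and (h := HEX_RE.match(line)):
            packets[-1]["words"].extend(h.group(1).split())
    result = []
    for pkt in packets:
        entry = {k: v for k, v in pkt.items() if k != "words"}
        entry.update(decode_ip_icmp(pkt["words"]))
        result.append(entry)
    return result


def match_echoes(entries: List[Dict]) -> List[Dict]:
    """Pair each outbound echo request with the inbound packet carrying the same ICMP
    id/seq and report whether it is an echo reply (type 0) or the request seen again
    (type 8, as in the dump above), which ping does not count as a success."""
    inbound = {(e["icmp_id"], e["icmp_seq"]): e
               for e in entries if e["dir"] == "I" and "icmp_id" in e}
    pairs = []
    for e in entries:
        if e["dir"] != "O" or e.get("icmp_type") != 8:
            continue
        back = inbound.get((e["icmp_id"], e["icmp_seq"]))
        kind = None if back is None else back["icmp_type"]
        verdict = {None: "no inbound packet", 0: "echo reply",
                   8: "request seen again, not a reply"}.get(kind, "ICMP type %s" % kind)
        pairs.append({"icmp_id": e["icmp_id"], "icmp_seq": e["icmp_seq"],
                      "inbound_ttl": None if back is None else back["ttl"], "verdict": verdict})
    return pairs
```

Feed the captured terminal text to decode_dump() and then match_echoes(); when the inbound packet is the request itself rather than a type 0 reply, the 0 percent success rate in the ping output above is explained by what the circuit returned, not by lost cells.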
Event tracing works by reading informational messages from specific Cisco IOS software subsystem components that have been preprogrammed to work with event tracing, and by logging messages from those components into system memory. Trace messages stored in memory can be displayed on the screen or saved to a file for later analysis.

The SPAs currently support the “spa” component to trace SPA OIR-related events.

Preparing for Online Insertion and Removal of a SPA

The Cisco 7600 series router supports online insertion and removal (OIR) of the SIP, in addition to each of the SPAs. Therefore, you can remove a SIP with its SPAs still intact, or you can remove a SPA independently from the SIP, leaving the SIP installed in the router. This means that a SIP can remain installed in the router with one SPA remaining active, while you remove another SPA from one of the SIP subslots. If you are not planning to immediately replace a SPA into the SIP, then be sure to install a blank filler plate in the subslot. The SIP should always be fully installed with either functional SPAs or blank filler plates.

For more information about activating and deactivating SPAs in preparation for OIR, see the “Preparing for Online Insertion and Removal of SIPs and SPAs” topic in the “Troubleshooting a SIP” chapter in this guide.

PART 4 CEoP Shared Port Adapters

CHAPTER 9 Overview of the CEoP and Channelized ATM SPAs

This chapter provides an overview of the release history, features, and MIB support for the Circuit Emulation over Packet (CEoP) shared port adapters (SPAs) that are available for Cisco 7600 series routers.

This chapter includes the following sections:
• Release History, page 9-1
• Overview, page 9-2
• Supported Features, page 9-9
• Unsupported Features, page 9-15
• Prerequisites, page 9-15
• Restrictions, page 9-16
• Supported MIBs, page 9-16
• Displaying the SPA Hardware Type, page 9-17

Release History

Release        Modification
12.2(33)SRE3   Added new CLI options for configuring the hardware timer that brings up the controller.
15.0(1)S       Support was added for the following features:
               • Network Clocking and SSM functionality
               • VC QoS on VP-PW
12.2(33)SRE    Support was added for VP and VC mode on the CEoP and 1-Port OC-48c/STM-16 ATM SPAs.
12.2(33)SRC    Support was added for the following features:
               • Support was introduced for the 2-Port Channelized T3/E3 ATM CEoP SPA.
               • Support was added for Inverse multiplexing over ATM (IMA).
               • KEOPS Phase 2 Local Switching Redundancy
               • KEOPS Phase 2 TDM Local Switching
12.2(33)SRB1   Support was added for the following new features:
               • ATM pseudowire redundancy.
               • Out-of-band clocking.
12.2(33)SRB    Support was introduced for the 1-Port Channelized OC-3 STM1 ATM CEoP SPA and the 24-Port Channelized T1/E1 ATM CEoP SPA.

Overview

The CEoP SPAs are single-width, single-height, cross-platform Circuit Emulation over Packet (CEoP) shared port adapters (SPAs) for Cisco 7600 series routers. CEoP SPAs come in the following models:
• 24-Port Channelized T1/E1 ATM CEoP SPA (SPA-24CHT1-CE-ATM=)
• 2-Port Channelized T3/E3 ATM CEoP SPA (SPA-2CHT3-CE-ATM=)
• 1-Port Channelized OC-3 STM1 ATM CEoP SPA (SPA-1CHOC3-CE-ATM=)

The 24-Port Channelized T1/E1 ATM CEoP SPA and 1-Port Channelized OC-3 STM1 ATM CEoP SPA must be installed in a Cisco 7600 SIP-400 SPA interface processor (SIP) before they can be used in the Cisco 7600 series router. A maximum of four CEoP SPAs can be installed in each SIP, and these SPAs can be different models. You can install the SPA in the SIP before or after you insert the SIP into the router chassis. This allows you to perform online insertion and removal (OIR) operations either by removing individual SPAs from the SIP, or by removing the entire SIP (and its contained SPAs) from the router chassis.

Pseudowire Emulation over Packet (PWEoP) is one of the key components for migrating customers to a packet-based multi-service network. Circuit Emulation over Packet (CEoP) is a subset of PWEoP and is a technology for migrating from legacy TDM networks to all-packet networks while still transporting legacy applications transparently over the packet network. CEoP is the imitation of a physical connection.

Many service providers and enterprises operate both packet switched networks and time division multiplexed (TDM) networks. These service providers and enterprises have moved many of their data services from the TDM network to their packet network for scalability and efficiency. Cisco provides routing and switching solutions capable of transporting Layer 2 and Layer 3 protocols such as Ethernet, IP, and Frame Relay. While most applications and services have been migrated to the packet-based network, some, including voice and legacy applications, still rely on a circuit or leased line for transport. CEoP SPAs implement Circuit Emulation over Packet by transporting circuits over a packet-based network. CEoP SPAs help service providers and enterprises migrate to one packet network capable of efficiently delivering both data and circuit services.

CEoP SPAs also support ATM and ATM pseudowire. For an overview of ATM, see the “ATM Overview” section on page 6-4.

Note In Cisco IOS Release 12.2(33)SRC, the 2-Port Channelized T3/E3 ATM CEoP SPA does not support Circuit Emulation (CEM) mode. The SPA supports ATM mode only.

CEoP Frame Formats

The CEoP SPAs support the structured Circuit Emulation Service over Packet Switched Networks (CESoPSN) encapsulation and the Structure-Agnostic TDM over Packet (SAToP) encapsulation.

Circuit Emulation Services over Packet Switched Network (CESoPSN) mode

Circuit Emulation Services over Packet Switched Network (CESoPSN) mode is used to encapsulate T1/E1 structured (channelized) services over a PSN. Structured mode (CESoPSN) identifies framing and sends only the payload, which can be channelized T1s within a DS3 and DS0s within a T1. DS0s can be bundled into the same packet. This mode is based on IETF RFC 5086. SPAs can aggregate individual interfaces and flexibly bundle them together.
They can be configured to support either structured or unstructured CES modes of operation for each T1/E1/J1 interface as well as for clear-channel DS3 interfaces. Note that DS3 does not currently support CESoPSN/SAToP; these modes are supported only on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA channelized to T1/E1, or on the 24-Port Channelized T1/E1 ATM CEoP SPA. Each supported interface can be configured individually to any supported mode. The supported services comply with IETF and ITU drafts and standards.

Figure 9-1 shows the frame format in CESoPSN mode.

Figure 9-1 Structured Mode Frame Format
[Figure: Encapsulation header | CE Control (4 bytes) | RTP (optional, 12 bytes) | CEoP Payload: Frame#1 Timeslots 1-N, Frame#2 Timeslots 1-N, Frame#3 Timeslots 1-N, ..., Frame#m Timeslots 1-N]

For CESoPSN, Table 9-1 shows the payload and jitter limits for DS0 lines.

Table 9-1 CESoPSN DS0 Lines: Payload and Jitter Limits

DS0   Maximum Payload   Maximum Jitter   Minimum Jitter   Minimum Payload   Maximum Jitter   Minimum Jitter
1     40                320              10               32                256              8
2     80                320              10               32                128              4
3     120               320              10               33                128              4
4     160               320              10               32                64               2
5     200               320              10               40                64               2
6     240               320              10               48                64               2
7     280               320              10               56                64               2
8     320               320              10               64                64               2
9     360               320              10               72                64               2
10    400               320              10               80                64               2
11    440               320              10               88                64               2
12    480               320              10               96                64               2
13    520               320              10               104               64               2
14    560               320              10               112               64               2
15    600               320              10               120               64               2
16    640               320              10               128               64               2
17    680               320              10               136               64               2
18    720               320              10               144               64               2
19    760               320              10               152               64               2
20    800               320              10               160               64               2
21    840               320              10               168               64               2
22    880               320              10               176               64               2
23    920               320              10               184               64               2
24    960               320              10               192               64               2
25    1000              320              10               200               64               2
26    1040              320              10               208               64               2
27    1080              320              10               216               64               2
28    1120              320              10               224               64               2
29    1160              320              10               232               64               2
30    1200              320              10               240               64               2
31    1240              320              10               248               64               2
32    1280              320              10               256               64               2

Circuit Emulation Services over Packet Switched Network (CESoPSN) over UDP

Circuit Emulation Services over Packet Switched Network (CESoPSN) provides the infrastructure for emulating TDM circuits, such as unstructured and structured T1/E1, over a Packet Switched Network (PSN). The existing Pseudowire Emulation over Packet (PWE) solution on the Cisco 7600 series router supports only MPLS as the transport for circuit emulation; Circuit Emulation Services over Packet Switched Network over User Datagram Protocol (CESoUDP) extends that support by adding UDP over Internet Protocol (IP) as a transport mechanism for circuit emulation over a PSN.

Restrictions and Usage Guidelines

• CESoUDP supports all the existing modes of HA (RPR and SSO).
• CESoUDP is supported on the 24-Port Channelized T1/E1 ATM CEoP SPA, 2-Port Channelized T3/E3 ATM CEoP SPA, and 1-Port Channelized OC-3 STM1 ATM CEoP SPA.
• CESoPSN on the Cisco 7600 series router is supported only with a SIP-400 on the CE facing side. Both the decapsulation and the encapsulation are done by the CE facing line card.
• The Cisco 7600 series router supports up to 8192 CESoUDP pseudowires, but a SIP-400 supports a maximum of only 2304 pseudowires.
• Because the CLI on the RP is used to install the Access Control List (ACL) entry, the ACL programming is decoupled from the L2VPN control plane update. As a result, when a pseudowire circuit goes down, the ACL is still present. Any traffic coming in from the core that matches the ACL is redirected to the egress line card, where it is dropped because of the absence of appropriate entries in the disposition table.
• Pseudowire redundancy is not supported.
• Fragmentation of IP packets is not supported. The DF bit is set when the IP header is inserted.
• Path MTU is not supported.
• Differential synchronization mode is not supported.
• The supported pseudowire payload size ranges from 40 to 1312 bytes.
• The Time To Live (TTL) value in the IP header is configurable under the pseudowire class. The default value is 255.
• Only the basic CESoPSN over UDP/IP encapsulation, without the optional Real-Time Protocol (RTP) header, is supported.

Configuring CESoPSN with UDP Encapsulation

Complete the following steps to configure CESoPSN with UDP encapsulation on the Cisco 7600 series router.

SUMMARY STEPS

Step 1   enable
Step 2   configure terminal
Step 3   interface loopback interface-number
Step 4   ip address ip-address mask [secondary]
Step 5   mls cemoudp reserve slot
Step 6   pseudowire-class pseudowire-class-name
Step 7   encapsulation udp
Step 8   ip local interface loopback interface-number
Step 9   ip tos value value number
Step 10  ip ttl number
Step 11  exit
Step 12  controller {e1 | t1} slot/subslot/port
Step 13  clock source {internal | line | loop}
Step 14  cem-group number timeslots number
Step 15  exit
Step 16  interface cem slot/subslot/port
Step 17  cem group-number
Step 18  xconnect peer-router-id vcid {pseudowire-class name}
Step 19  udp port local remote
Step 20  exit

DETAILED STEPS

Step 1   enable
         Enables privileged EXEC mode. Enter your password if prompted.
Step 2   configure terminal
         Enters global configuration mode.
Step 3   interface loopback interface-number
         Creates a loopback interface and enters interface configuration mode. interface-number: An arbitrary value from 0 to 2,147,483,647 that uniquely identifies this loopback interface.
Step 4   ip address ip-address mask [secondary]
         Specifies the IP address and subnet mask for this loopback interface.
Step 5   mls cemoudp reserve slot
         Reserves a loopback interface as the source for the CESoPSN circuit for a particular line card. The slot number refers to the module number of the line card where the CEoP SPA resides.
Step 6   pseudowire-class pseudowire-class-name
         Creates a new pseudowire class.
Step 7   encapsulation udp
         Specifies the UDP transport protocol.
Step 8   ip local interface loopback interface-number
         Configures the IP address of the provider edge (PE) router interface as the source IP address for sending tunneled packets.
Step 9   ip tos value value number
         Specifies the type of service (ToS) level for IP traffic in the pseudowire.
Step 10  ip ttl number
         Specifies a value for the time-to-live (TTL) byte in the IP headers of Layer 2 tunneled packets.
Step 11  exit
         Exits pseudowire-class configuration mode.
Step 12  controller {e1 | t1} slot/subslot/port
         Enters E1/T1 controller configuration mode.
Step 13  clock source {internal | line | loop}
         Sets the clock source on the interface to:
         • Internal: The system clock selection process does not select the interface as the clock source; the interface uses the system clock for TX.
         • Line: The system clock selection process selects the interface line as the clock source and uses the system clock for TX.
         • Loop: The system clock selection process selects the interface line as the clock source. For the TX clock, the interface uses the clock received on the same interface.
         Note By default, the clock source on the interface is set to internal.
Step 14  cem-group number timeslots number
         Assigns channels on the T1/E1 circuit to the circuit emulation (CEM) channel. This example uses the timeslots parameter to assign specific timeslots to the CEM channel.
Step 15  exit
         Exits controller configuration mode.
Step 16  interface cem slot/subslot/port
         Selects the CEM interface where the CEM circuit (group) is located (where slot/subslot is the SPA slot and subslot, and port is the SPA port where the interface exists).
Step 17  cem group-number
         Defines a CEM channel.
Step 18  xconnect peer-router-id vcid {pseudowire-class name}
         Binds an attachment circuit to the CEM interface to create a pseudowire. This example creates a pseudowire by binding CEM circuit 5 to the remote peer 30.30.30.2.
         Note When creating IP routes for a pseudowire configuration, we recommend that you build a route from the cross-connect address (LDP router-ID or loopback address) to the next hop IP address, such as ip route 30.30.30.2 255.255.255.255 1.2.3.4.
Step 19  udp port local remote
         Specifies a local and a remote UDP port for the connection. Valid port values for CESoPSN pseudowires using UDP are from 49152 to 57343.
Step 20  exit
         Exits the CEM interface.

Configuration Examples

This is an example of configuring CESoPSN with UDP encapsulation on the Cisco 7600 series router:

Router> enable
Router# configure terminal
Router(config)# interface loopback 0
Router(config-if)# ip address 2.2.2.8 255.255.255.255
Router(config-if)# mls cemoudp reserve slot 2
Router(config)# pseudowire-class udpClass
Router(config-pw-class)# encapsulation udp
Router(config-pw-class)# ip local interface loopback 0
Router(config-pw-class)# ip tos value 100
Router(config-pw-class)# ip ttl 100
Router(config-pw-class)# exit
Router(config)# controller e1 2/0/0
Router(config-controller)# clock source internal
Router(config-controller)# cem-group 5 timeslots 1-24
Router(config-controller)# exit
Router(config)# interface cem 2/0/0
Router(config-if)# cem 5
Router(config-if-cem)# xconnect 30.30.30.2 305 pw-class udpClass
Router(config-if-cem)# udp port local 50000 remote 55000
Router(config-if-cem)# exit

Verifying the Configuration

This section provides the commands to verify the configuration of CESoPSN with UDP encapsulation on the Cisco 7600 series router:

Router# show xcon all
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP     ac   CE3/0/0:1(CESoPSN Basic)     UP udp 66.66.66.66:180               UP
UP     ac   CE3/0/0:6(CESoPSN Basic)     UP udp 66.66.66.66:181               UP

Router# show pw vc
Local intf     Local circuit              VC ID      Status
-------------- -------------------------- ---------- --------
CE3/0/0        CESoPSN Basic              180        established
    LAddr: 55.55.55.55 LPort: 50002 RAddr: 66.66.66.66 RPort: 50002
CE3/0/0        CESoPSN Basic              181        established
    LAddr: 55.55.55.55 LPort: 50004 RAddr: 66.66.66.66 RPort: 50004

Troubleshooting the CESoPSN with UDP Encapsulation Configuration

Use these debug commands to troubleshoot CESoPSN with UDP encapsulation when the pseudowire is down:
• debug pw-udp event: Provides details on all events occurring on the pseudowire UDP.
• debug pw-udp error: Provides debugging information on pseudowire UDP errors.
• debug pw-udp fsm: Debugs the pseudowire UDP finite state machine (FSM).

Structure-Agnostic TDM over Packet (SAToP) mode

Structure-Agnostic TDM over Packet (SAToP) mode is used to encapsulate T1/E1 or T3/E3 unstructured (unchannelized) services over packet switched networks.
In unstructured (SAToP) mode, bytes are sent out as they arrive on the TDM line. Bytes do not have to be aligned with any framing. In this mode the interface is treated as a continuous framed bit stream. The packetization of the stream is done according to IETF RFC 4553. All signaling is carried transparently as part of the bit stream.

Figure 9-2 Unstructured Mode Frame Format
[Figure: Encapsulation header | CE Control (4 bytes) | RTP (optional, 12 bytes) | CEoP Payload: Bytes 1-N]

For the SAToP frame format, the following table shows the payload and jitter limits for T1 lines.

Table 9-2 SAToP T1 Frame: Payload and Jitter Limits

Maximum Payload   Maximum Jitter   Minimum Jitter   Minimum Payload   Maximum Jitter   Minimum Jitter
960               320              10               192               64               2

For the SAToP frame format, the following table shows the payload and jitter limits for E1 lines.

Table 9-3 SAToP E1 Frame: Payload and Jitter Limits

Maximum Payload   Maximum Jitter   Minimum Jitter   Minimum Payload   Maximum Jitter   Minimum Jitter
1280              320              10               256               64               2

Supported Features

This section provides a list of some of the primary features supported by the CEoP hardware and software:
• Basic Features, page 9-9
• SONET/SDH Error, Alarm, and Performance Monitoring, page 9-11
• Layer 2 Features, page 9-13
• Layer 3 Features, page 9-14
• High Availability Features, page 9-15

Basic Features

• Circuit emulation compliant with IETF standards for CESoPSN and SAToP
• The 24-Port Channelized T1/E1 ATM CEoP SPA supports T1 or E1, which can be channelized to DS0 for circuit emulation (CEM).
• The 2-Port Channelized T3/E3 ATM CEoP SPA is supported in Cisco IOS Release 12.2(33)SRC and later releases.
• The 1-Port Channelized OC-3 STM1 ATM CEoP SPA supports VT1.5 SONET channelization, and VC-11 and VC-12 SDH channelizations. ATM can be configured on T1s, while CEM can be configured down to DS0.
• Maintenance Digital Link (MDL) and Far End Alarm Control (FEAC) features (T3/E3)
• Facility Data Link (FDL) support (T1/E1)
• Adaptive clock recovery compliant with the G.823 and G.824 traffic interface ITU specifications
• Compliant with Y.1411 ATM-MPLS network interworking—cell mode user plane interworking
• Compliant with Y.1413 TDM-MPLS network interworking—user plane interworking
• Compliant with Y.1453 TDM-IP network interworking—user plane interworking
• ATM MPLS encapsulation IETF RFCs and drafts
• ATM over channelized T1 lines
• Full channelization down to DS0 (CEM only)
• Simultaneous multiple interface support (for example, ATM and circuit emulation)
• Bellcore GR-253-CORE SONET/SDH compliance (ITU-T G.707, G.783, G.957, G.958)
• Supports both permanent virtual circuits (PVCs) and switched virtual circuits (SVCs)
• The absolute maximum for the sum of VPs and VCs is 2048 per CEoP SPA. Each interface can have a maximum of 2047 VCs, with the following recommended limitations:
  – On a Cisco 7600 SIP-400, 8000 PVCs are supported on multipoint subinterfaces.
  – A recommended maximum of 2048 PVCs on all point-to-point subinterfaces for all CEoP SPAs in a SIP.
  – A recommended maximum of 16,380 PVCs on all multipoint subinterfaces for all CEoP SPAs in a SIP, and a recommended maximum of 200 PVCs per individual multipoint subinterface.
  – A recommended maximum of 400 SVCs for all CEoP SPAs in a SIP.
  – A recommended maximum of 1024 PVCs or 400 SVCs using service policies for all CEoP SPAs in a SIP.
• Up to 4096 simultaneous segmentations and reassemblies (SARs) per interface
• Supports a maximum of 200 PVCs or SVCs using Link Fragmentation and Interleaving (LFI) for all CEoP ATM SPAs (or other ATM modules) in a Cisco 7600 series router
• Up to 1000 virtual templates per router
• ATM adaptation layer 5 (AAL5) for data traffic
• Hardware switching of multicast packets for point-to-point subinterfaces
• The 1-Port Channelized OC-3 STM1 ATM CEoP SPA uses small form-factor pluggable (SFP) optical transceivers, allowing the same CEoP SPA hardware to support multimode (MM), short reach (SR), intermediate reach (IR1), and long reach (LR1 and LR2) fiber, depending on the capabilities of the SPA.
• ATM section, line, and path alarm indication signal (AIS) cells, including support for F4 and F5 flows, loopback, and remote defect indication (RDI)
• Operation, Administration, and Maintenance (OAM) cells
• Online insertion and removal (OIR) of individual CEoP SPAs from the SIP, as well as OIR of SIPs with CEoP SPAs installed

Cisco IOS Release 12.2SRC adds support for the following new features:
• 2-Port Channelized T3/E3 ATM CEoP SPA (supports clear-channel T3 ATM mode only)
• Inverse multiplexing over ATM (IMA)
• CEM local switching and local switching redundancy
• ATM cell packing (VC and VP modes) (both SCR and PCR) on the 2-Port and 4-Port OC-3c/STM-1 ATM SPA on both SIP-200 and SIP-400, and for SCR on the CEoP SPAs (24xT1/E1-CE, 2xT3/E3-CE, and 1xCHOC3-CE) on SIP-400.
• ATM local switching and local switching redundancy

In Cisco IOS Release 12.2(33)SRD, support was added for PMCRoMPLS (single or packed cell relay) for the 2-Port and 4-Port OC-3c/STM-1 ATM SPA on SIP-200 and SIP-400, and single cell relay for the CEoP SPAs (24xT1/E1-CE, 2xT3/E3-CE, 1xCHOC3-CE) on the SIP-400.

In Cisco IOS Release 12.2(33)SRE, support was added for VP and VC mode on the CEoP and 1-Port OC-48c/STM-16 ATM SPAs.

Cisco IOS Release 15.0(1)S adds support for Network Clocking and Synchronization Status Message (SSM) functionality for the CEoP SPAs in a Cisco 7600 SIP-400 only. The supported CEoP SPAs are:
  – SPA-1CHOC3-CE-ATM
  – SPA-24CHT1-CE-ATM
For more information on configuring the network clock, see Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.

Beginning in Cisco IOS Release 12.2(33)SRE, support is added for:
• Modular QoS CLI (MQC) policy support, which already exists on the ATM VC, is extended to the ATM PVP on the 2-Port and 4-Port OC-3c/STM-1 ATM SPA and on the following three CEoP SPAs:
  – SPA-24XT1E1-CE
  – SPA-1XOC3-CE
  – SPA-2XT3E3-CE
• ATM VCI (match atm-vci command)—Input ATM PVP Interface is added to the ATM VP.

SONET/SDH Error, Alarm, and Performance Monitoring

• To configure a variable soak period for the line, use delay alarm triggers line.
• To configure path alarm reporting, use the path msecs command.
• To configure alarm clearing on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, use delay alarm clear line/path msecs.
• Fiber removed and reinserted • Signal failure bit error rate (SF-BER) • Signal degrade bit error rate (SD-BER) • Signal label payload construction (C2) • Path trace byte (J1)9-12 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 9 Overview of the CEoP and Channelized ATM SPAs Supported Features • Section Diagnostics: – Loss of signal (SLOS) – Loss of frame (SLOF) – Error counts for B1 – Threshold crossing alarms (TCA) for B1 (B1-TCA) • Line Diagnostics: – Line alarm indication signal (LAIS) – Line remote defect indication (LRDI) – Line remote error indication (LREI) – Error counts for B2 – Threshold crossing alarms for B2 (B2-TCA) • Path Diagnostics: – Path alarm indication signal (PAIS) – Path remote defect indication (PRDI) – Path remote error indication (PREI) – Error counts for B3 – Threshold crossing alarms for B3 (B3-TCA) – Loss of pointer (PLOP) – New pointer events (NEWPTR) – Positive stuffing event (PSE) – Negative stuffing event (NSE) • The following loopback tests are supported: – Network (line) loopback – Internal (diagnostic) loopback • Supported SONET/SDH synchronization: – Local (internal) timing (for inter-router connections over dark fiber or wave division multiplexing [WDM] equipment) – Loop (line) timing (for connecting to SONET/SDH equipment) – +/– 4.6 ppm clock accuracy over full operating temperature T1/E1 Errors and Alarms The 24-Port Channelized T1/E1 ATM CEoP SPA reports the following types of T1/E1 errors and alarms: • Cyclic redundancy check (CRC) errors • Far end block error (FEBE) • Alarm indication signal (AIS) • Remote alarm indication (RAI) • Loss of signal (LOS) • Out of frame (OOF) 9-13 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 9 Overview of the CEoP and Channelized ATM SPAs Supported Features • Failed seconds • Bursty seconds • Bipolar violations • Error events • Failed signal rate • Line and Path Diagnostics: – Errored Second–Line (ES-L) – 
Severely Errored Second–Line (SES-L) – Coding violation–Line (CV-L) – Failure Count–Path (FC-P) – Errored Second–Path (ES-P) – Severely Errored Second–Path (SES-P) – Unavailable Seconds–Path (UAS-P) T3/E3 Errors and Alarms The 2-Port Channelized T3/E3 ATM CEoP SPA reports the following errors and alarms: • AIS (Alarm Indication Signal) • Far end bit error (FEBE) • Far end receive failure (FERF) • Frame error • Out of frame (OOF) • Path parity error • Parity bit (P-bit) disagreements • Receive Alarm Indication Signal (RAIS) • Yellow alarm bit (X-bits) disagreements Layer 2 Features • Supports the following encapsulation types: – AAL5SNAP (LLC/SNAP) – LLC encapsulated bridged protocol – AAL5MUX (VC multiplexing) – AAL5CISCOPPP • Supports the following ATM traffic classes and per-VC traffic shaping modes: – Constant bit rate (CBR) with peak rate – Unspecified bit rate (UBR) with peak cell rate (PCR) – Non-real-time variable bit rate (VBR-nrt) – Variable bit rate real-time (VBR-rt) 9-14 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 9 Overview of the CEoP and Channelized ATM SPAs Supported Features Note ATM shaping is supported, but class queue-based shaping is not. 
• ATM point-to-point and multipoint connections
• Explicit Forward Congestion Indication (EFCI) bit in the ATM cell header
• Integrated Local Management Interface (ILMI) operation, including keepalive, PVC discovery, and address registration and deregistration
• Link Fragmentation and Interleaving (LFI) performed in hardware
• VC-to-VC local switching and cell relay
• VP-to-VP local switching and cell relay
• AToM VP mode cell relay support
• RFC 1755, ATM Signaling Support for IP over ATM
• ATM User-Network Interface (UNI) signalling V3.0, V3.1, and V4.0 only
• RFC 2225, Classical IP and ARP over ATM (obsoletes RFC 1577)
• Unspecified bit rate plus (UBR+) traffic service class on SVCs and PVCs

Layer 3 Features

• ATM VC Access Trunk Emulation (multi-VLAN to VC)
• ATM over MPLS (AToM) in AAL5 mode (except for AToM cell packing)
• ATM over MPLS (AToM) in AAL5/AAL0 VC mode
• Distributed Link Fragmentation and Interleaving (dLFI) for ATM (dLFI packet counters are supported, but dLFI byte counters are not)
• 2047 is the maximum number of VCs per interface (assuming no VPs). Each AToM l2transport PVP reduces the total number of VCs by 3 per CEoP SPA.
• OAM flow connectivity using OAM ping for segment or end-to-end loopback
• Multicast SVCs are supported if there is only one VC on the subinterface
• PVC multicast (Protocol Independent Multicast [PIM] dense and sparse modes)
• Quality of Service (QoS):
  – Policing
  – IP-to-ATM class of service (IP precedence and DSCP)
  – Matching the ATM CLP bit on ingress and setting the ATM CLP bit on egress through MQC for PVCs
• RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5:
  – PVC bridging (full bridging)
• Routing protocols:
  – Border Gateway Protocol (BGP)
  – Enhanced Interior Gateway Routing Protocol (EIGRP)
  – Interior Gateway Routing Protocol (IGRP)
  – Integrated Intermediate System-to-Intermediate System (IS-IS)
  – Open Shortest Path First (OSPF)
  – Routing Information Protocol version 1 and version 2 (RIPv1 and RIPv2)

High Availability Features

• 1+1 Automatic Protection Switching (APS) redundancy (PVC circuits only)
• Route Processor Redundancy (RPR)
• RPR Plus (RPR+)
• OSPF Nonstop Forwarding (NSF)

Cisco IOS Release 12.2SRC adds support for the following high-availability feature:
• Nonstop Forwarding and Stateful Switchover (NSF/SSO) support for CEM and ATM pseudowires

Unsupported Features

• MLPPP and MLFR are not supported.
• Primary surge protection for the 24-Port Channelized T1/E1 ATM CEoP SPA is not supported.
• The following High Availability features are not supported:
  – APS 1:N redundancy is not supported.
  – APS redundancy is not supported on SVCs.
  – APS reflector mode (the aps reflector interface configuration command) is not supported.
• PVC autoprovisioning (the create on-demand VC class configuration command) is not supported.
• Creating SVCs with UNI signalling version 4.1 is not supported (UNI signalling v3.0, v3.1, and v4.0 are supported).
• Enhanced Remote Defect Indication–Path (ERDI-P) is not supported.
• Fast Reroute (FRR) over ATM is not supported.
• LAN Emulation (LANE) is not supported.
• Available Bit Rate (ABR) traffic service class is not supported.
• Oversubscription of the Cisco 7600 SIP-400 is not supported (in either CEM or ATM mode).

Prerequisites

• The Cisco 7600 SIP-400 requires a Cisco 7600 series router with one of the following processors running Cisco IOS Release 12.2(33)SRB or a later release:
  – Supervisor Engine 720 (SUP-720) processor, or
  – Route Switch Processor 720 (RSP720-GE and RSP720-10GE), or
  – Supervisor Engine 32 (SUP-32) processor

Note: Before configuring the CEoP SPA, have the following information available: IP addresses for all ports on the new interfaces, including subinterfaces.

Restrictions

• The 1-Port Channelized OC-3 STM1 ATM CEoP SPA and the 24-Port Channelized T1/E1 ATM CEoP SPA do not support mixed line modes (for example, T1, E1, and T3 ports mixed on the same SPA). A reset of the SPA is required to change modes.
• The 1-Port Channelized OC-3 STM1 ATM CEoP SPA, the 2-Port Channelized T3/E3 ATM CEoP SPA, and the 24-Port Channelized T1/E1 ATM CEoP SPA do not support the following features: BRE, LFI, RBE, or bridging.
• The 2-Port Channelized T3/E3 ATM CEoP SPA can receive data over distances of up to 1350 ft (411.5 meters).
• When a pseudowire is configured on an interface, APS for the interface is useful only in conjunction with pseudowire redundancy.
• The VC QoS on VP-PW feature works only with single cell relay and does not work with packed cell relay.

Supported MIBs

The following MIBs are supported in Cisco IOS Release 12.2(33)SRB and later releases for the CEoP SPAs on the Cisco 7600 series router.

Common MIBs
• ENTITY-MIB
• IF-MIB
• MIB-II
• MPLS-CEM-MIB

Cisco-Specific MPLS MIBs
• CISCO-IETF-PW-MIB
• CISCO-IETF-PW-MPLS-MIB

Cisco-Specific Common MIBs
• CISCO-ENTITY-EXT-MIB
• OLD-CISCO-CHASSIS-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-SENSOR-MIB
• CISCO-MQC-MIB

For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series Internet Router MIB Specifications Guide at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/technical_references/7600_mib_guides/MIB_Guide_ver_6/7600mib2.html

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you.

Displaying the SPA Hardware Type

To verify the SPA hardware type that is installed in your Cisco 7600 series router, use the show interfaces or show diag commands. A number of other show commands also provide information about the SPA hardware.
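The hardware check described here is easy to automate, and the same parser can watch circuit health. The following Python script is an added example, not part of the Cisco guide: it parses show interfaces output of the kind shown in this section and the show cem circuit table shown in the verification output of Chapter 10, and flags any port whose hardware string is not one of the three CEoP SPA models listed in Table 9-4, any port that is down or counting input errors, and any CEM circuit whose controller, admin or attachment-circuit state is not UP. The sample output, the ATM3/0/0 port with its SPA-4XOC3-ATM hardware string, and every counter value are constructed for the example.

```python
"""Audit Cisco IOS 'show interfaces' and 'show cem circuit' output.

Added example for this guide, not Cisco code. The sample output below is
constructed after the examples in this guide; the interface names, the
SPA-4XOC3-ATM entry and all counter values are invented for illustration.
"""
import re
from dataclasses import dataclass

# Hardware strings the guide lists for the CEoP SPAs (Table 9-4).
CEOP_SPA_MODELS = {"SPA-24CHT1-CE-ATM", "SPA-1CHOC3-CE-ATM", "SPA-2CHT3-CE-ATM"}

# Constructed sample: three interface blocks in 'show interfaces' format.
SHOW_INTERFACES = """\
CEM2/1/3 is up, line protocol is up
  Hardware is Circuit Emulation Interface
  MTU 1500 bytes, BW 10000000 Kbit, DLY 0 usec,
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
ATM2/1/0 is up, line protocol is up
  Hardware is SPA-2CHT3-CE-ATM, address is 000c.862c.4d40 (bia 000c.862c.4d40)
  MTU 4470 bytes, sub MTU 4470, BW 44209 Kbit/sec, DLY 0 usec,
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
ATM3/0/0 is up, line protocol is down
  Hardware is SPA-4XOC3-ATM, address is 000c.862c.4d50 (bia 000c.862c.4d50)
  MTU 4470 bytes, sub MTU 4470, BW 155520 Kbit/sec, DLY 0 usec,
     12 input errors, 7 CRC, 5 frame, 0 overrun, 0 ignored, 0 abort
"""

# Constructed sample in the 'show cem circuit' table format shown in Chapter 10.
SHOW_CEM_CIRCUIT = """\
CEM Int.   ID   Ctrlr  Admin  Circuit   AC
--------------------------------------------------------------
CEM2/0/0   0    UP     UP     Active    UP
CEM2/0/0   1    UP     UP     Active    UP
CEM2/1/0   0    DOWN   UP     Active    DOWN
"""

_HEADER = re.compile(
    r"^(?P<name>\S+) is (?P<state>up|down|administratively down), "
    r"line protocol is (?P<proto>up|down)")
_HARDWARE = re.compile(r"^\s*Hardware is (?P<hw>[^,]+)")
_IN_ERR = re.compile(r"^\s*(?P<errors>\d+) input errors, (?P<crc>\d+) CRC")
_CEM_ROW = re.compile(
    r"^(?P<iface>CEM\S+)\s+(?P<id>\d+)\s+(?P<ctrlr>\S+)\s+(?P<admin>\S+)"
    r"\s+(?P<circuit>\S+)\s+(?P<ac>\S+)\s*$")


@dataclass
class Interface:
    name: str
    state: str
    protocol: str
    hardware: str = ""
    input_errors: int = 0
    crc: int = 0


def parse_show_interfaces(text):
    """Split 'show interfaces' output into one Interface record per block."""
    interfaces, current = [], None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:  # a new block starts at column 0 with '<name> is <state>'
            current = Interface(m["name"], m["state"], m["proto"])
            interfaces.append(current)
            continue
        if current is None:
            continue
        m = _HARDWARE.match(line)
        if m:
            current.hardware = m["hw"].strip()
            continue
        m = _IN_ERR.match(line)
        if m:
            current.input_errors, current.crc = int(m["errors"]), int(m["crc"])
    return interfaces


def parse_show_cem_circuit(text):
    """Return one dict per data row of the 'show cem circuit' table."""
    rows = []
    for line in text.splitlines():
        m = _CEM_ROW.match(line)
        if m:  # the header and dashed separator never match: ID must be numeric
            row = m.groupdict()
            row["id"] = int(row["id"])
            rows.append(row)
    return rows


def audit(interfaces, circuits, ceop_models=CEOP_SPA_MODELS):
    """Flag unexpected SPA hardware, down ports, input errors and unhealthy circuits."""
    findings = []
    for i in interfaces:
        # Only physical SPA ports report 'Hardware is SPA-...'; CEM interfaces do not.
        if i.hardware.startswith("SPA-") and i.hardware not in ceop_models:
            findings.append(f"{i.name}: hardware {i.hardware} is not a CEoP SPA")
        if i.state != "up" or i.protocol != "up":
            findings.append(f"{i.name}: {i.state}/line protocol {i.protocol}")
        if i.input_errors:
            findings.append(f"{i.name}: {i.input_errors} input errors ({i.crc} CRC)")
    for c in circuits:
        bad = [k for k in ("ctrlr", "admin", "ac") if c[k] != "UP"]
        if c["circuit"] != "Active":
            bad.append("circuit")
        if bad:
            detail = ", ".join(f"{k}={c[k]}" for k in bad)
            findings.append(f"{c['iface']} circuit {c['id']}: {detail}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_interfaces(SHOW_INTERFACES),
                         parse_show_cem_circuit(SHOW_CEM_CIRCUIT)):
        print(finding)
```

Feed it the saved output of the show commands (for example, from the same job that backs up the configuration) and treat a non-empty findings list as an inventory or circuit-health alert. The hardware check is the useful one from a supply-chain point of view: it catches a replaced or unexpected SPA before any configuration is pushed to it, and the expected-model set can be narrowed to exactly the SPAs that should be in a given chassis.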
Table 9-4 shows the hardware description that appears in the show command output for each type of CEoP SPA that is supported on the Cisco 7600 series router.

Table 9-4  CEoP SPA Hardware Descriptions in show Commands

SPA                   Description in show interfaces Command
SPA-24CHT1-CE-ATM     "Hardware is SPA-24CHT1-CE-ATM"
SPA-1CHOC3-CE-ATM     "Hardware is SPA-1CHOC3-CE-ATM"
SPA-2CHT3-CE-ATM      "Hardware is SPA-2CHT3-CE-ATM"

Example of the show interfaces cem Command

The following example shows output from the show interfaces cem command on a Cisco 7600 series router with a CEoP SPA installed in subslot 1 of a SIP that is installed in slot 2:

Router# show interfaces cem 2/1/3
CEM2/1/3 is up, line protocol is up
  Hardware is Circuit Emulation Interface
  MTU 1500 bytes, BW 10000000 Kbit, DLY 0 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation CEM, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

CHAPTER 10

Configuring the CEoP and Channelized ATM SPAs

This chapter provides information about configuring the Circuit Emulation over Packet (CEoP) shared port adapters (SPAs) on the Cisco 7600 series router. It contains the following sections:
• Configuration Tasks, page 10-2
• Configuring Circuit Emulation, page 10-13
• Configuring ATM, page 10-20
• Configuring Pseudowire Redundancy (Optional), page 10-23
• Configuring T1, page 10-24
• Configuring E1, page 10-24
• Configuring T3, page 10-25
• Configuring SONET (OC-3), page 10-28
• Configuring Inverse Multiplexing over ATM, page 10-29
• Configuring Clocking, page 10-37
• Configuring CEM Parameters, page 10-50
• Configuring Access Circuit Redundancy on CEoP and ATM SPAs, page 10-51
• Configuring Layer 3 QoS on CEoP SPAs, page 10-57
• Configuring AIS and RAI Alarm Forwarding in CESoPSN Mode on CEoP SPAs, page 10-61
• Verifying the Interface Configuration, page 10-82

For information about managing your system images and configuration files, see the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications for your Cisco IOS software release.

For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 12.2SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the "Related Documentation" section on page xlvii.

Configuration Tasks

This section describes the most common configurations for the CEoP SPAs on a Cisco 7600 series router. It contains procedures for the following:
• Specifying the Interface Address on a SPA, page 10-2
• Configuring Port Usage (Overview), page 10-2

Specifying the Interface Address on a SPA

Four CEoP SPAs can be installed in a SPA interface processor (SIP). Ports are numbered from left to right, beginning with 0.
Single-port SPAs use only port number 0.

To configure or monitor SPA interfaces, you need to specify the physical location of the SIP, SPA, and interface in the command-line interface (CLI). The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed
• subslot—Specifies the secondary slot of the SIP where the SPA is installed
• port—Specifies the number of the individual interface port on a SPA

The following example shows how to specify the first interface (0) on a SPA installed in subslot 1 of the SIP in chassis slot 3:

Router(config)# interface cem 3/1/0

For more information about how to identify slots and subslots, see the "Identifying Slots and Subslots for SIPs, SSCs, and SPAs" section on page 4-2.

Configuring Port Usage (Overview)

The 24-Port Channelized T1/E1 ATM CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA can be configured to run in the following modes:
• Circuit emulation (CEM)
• Channelized Asynchronous Transfer Mode (ATM)
• Inverse Multiplexing over ATM (IMA)

The 2-Port Channelized T3/E3 ATM CEoP SPA, introduced in Cisco IOS Release 12.2(33)SRC, can be configured to run in ATM mode. The SPA does not currently support CEM or IMA mode.

The following tables show the commands to configure each of the SPAs for CEM or ATM. Detailed configuration instructions are provided in the sections that follow.

Configuring the 24-Port Channelized T1/E1 ATM CEoP SPA

To configure the 24-Port Channelized T1/E1 ATM CEoP SPA, perform the following steps:

Step 1  Router(config)# card type {t1 | e1} slot subslot
        Selects a card type.
Step 2  Router(config)# controller {t1 | e1} slot/subslot/port
        Selects the controller for the SPA port to configure.
Step 3  Router(config-controller)# cem-group group unframed
        Creates a SAToP CEM group and configures the port for clear-channel CEM mode.
        or
        Router(config-controller)# cem-group group timeslots 1-24
        Creates a CESoPSN CEM group and configures the port for channelized CEM mode.
        or
        Router(config-controller)# atm
        Configures the port for ATM and creates an ATM interface.
        or
        Router(config-controller)# ima-group group-number
        Configures the interface to run in IMA mode and assigns the interface to an IMA group.

Configuring the 2-Port Channelized T3/E3 ATM CEoP SPA

To configure the 2-Port Channelized T3/E3 ATM CEoP SPA, complete these steps:

SUMMARY STEPS

Step 1  enable
Step 2  configure terminal
Step 3  card type {t3 | e3} slot subslot
Step 4  controller {t3 | e3} slot/subslot/port
Step 5  channelized mode {t1 | e1}
Step 6  cem-group group unframed
        or
        t1 {1-28} cem-group group timeslots 1-24
        e1 {1-21} cem-group group timeslots 1-31
        or
        atm
        or
        t1 {1-28} ima-group group-number
        e1 {1-21} ima-group group-number
Step 7  exit

DETAILED STEPS

Step 1  Router# enable
        Enables privileged EXEC mode.
Step 2  Router# configure terminal
        Enters global configuration mode.
Step 3  Router(config)# card type {t3 | e3} slot subslot
        or
        Router(config)# no card type {t3 | e3} slot subslot
        Selects a card type. Use the no form of the command to remove the card type.
Step 4  Router(config)# controller {t3 | e3} slot/subslot/port
        Selects the controller for the SPA port to configure.
        Note: Effective from Cisco IOS Release 15.1(1)S, T3 and E3 card types are supported.
Step 5  Router(config-controller)# channelized mode {t1 | e1}
        Switches between the CT3-T1 and CT3-E1 modes. This is applicable only if the card type is T3.
Step 6  Router(config-controller)# cem-group group unframed
        or
        Router(config-controller)# no cem-group group
        Creates a SAToP CEM group and configures the port for clear-channel CEM mode. To delete the CEM circuit and release the time slots, use the no cem-group group command.
        or
        Router(config-controller)# t1 {1-28} cem-group group timeslots 1-24
        Router(config-controller)# e1 {1-21} cem-group group timeslots 1-31
        Creates a CESoPSN CEM group and configures the port for channelized CEM mode. The group number range is from 0 to 671.
        or
        Router(config-controller)# atm
        or
        Router(config-controller)# no atm
        Configures the port to run in clear-channel ATM mode and creates an ATM interface to represent the port. Use the no form of the command to remove the ATM interface.
        or
        Router(config-controller)# t1 {1-28} ima-group group-number
        Router(config-controller)# e1 {1-21} ima-group group-number
        or
        Router(config-controller)# no t1 {1-28} ima-group group-number
        Router(config-controller)# no e1 {1-21} ima-group group-number
        Configures the interface to run in IMA mode and assigns the interface to an IMA group. The group number range is from 0 to 41. Use the no form of the command to remove the link from the IMA group.
Step 7  Router(config-controller)# exit
        Exits controller configuration mode and returns to global configuration mode.

Note: See the "Configuring T3" section on page 10-25 for information about the features that are not supported on the CEoP SPA in Cisco IOS Release 12.2SRC.

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines while configuring the 2-Port Channelized T3/E3 CEoP SPA:
• CEoP SPAs do not support Layer 3 QoS.
• Bridging features such as bridging routed encapsulation (BRE), multipoint bridging (MPB), routed bridge encapsulation (RBE), and multi-VLAN are not supported on CEoP SPAs.
• E3 channelization to E1 is not supported.
• Maintenance Data Link (MDL) is supported only for DSX3 C-bit framing.
• CEoP SPAs simultaneously support multiple interface types.
• Adaptive clock recovery is supported on the 2-Port Channelized T3/E3 CEoP SPA.
• Out-of-band (OOB) clock recovery for CEM is not supported.
• E3 or T3 ATM is not supported.

Sample Configuration for the 2-Port Channelized T3/E3 CEoP SPA in Clear-Channel T3 Mode

Configure the SPA in T3 mode:
Router(config)# card type T3 5 0
Router(config)# controller T3 5/0/0

Create a T3 ATM interface:
Router(config-controller)# atm

Create a CEM group:
Router(config-controller)# cem-group 0 unframed

Sample Configuration for the 2-Port Channelized T3/E3 CEoP SPA in Clear-Channel E3 Mode

Configure the SPA in E3 mode:
Router(config)# card type E3 5 0
Router(config)# controller E3 5/0/0

Create an E3 ATM interface:
Router(config-controller)# atm

Create a CEM group:
Router(config-controller)# cem-group 0 unframed

Sample Configuration for the 2-Port Channelized T3/E3 CEoP SPA in CT3-T1 Channelization Mode

Configure the SPA in T3 mode:
Router(config)# card type T3 5 0
Router(config)# controller T3 5/0/0

Create a T1 ATM interface:
Router(config-controller)# t1 1 atm

Create an NxDS0 T1 CEM group:
Router(config-controller)# t1 2 cem-group 0 timeslots 1-12

Create IMA group 5 with two T1 members:
Router(config-controller)# t1 3 ima-group 5
Router(config-controller)# t1 4 ima-group 5

Sample Configuration for the 2-Port Channelized T3/E3 CEoP SPA in CT3-E1 Channelization Mode

Configure the SPA in T3 mode:
Router(config)# card type T3 5 0
Router(config)# controller T3 5/0/0

Change the channelization to E1:
Router(config)# controller T3 5/0/0
Router(config-controller)# channelized mode e1

Create an E1 ATM interface:
Router(config-controller)# e1 1 atm

Create an NxDS0 E1 CEM group:
Router(config-controller)# e1 2 cem-group 0 timeslots 1-12

Create IMA group 5 with two E1 members:
Router(config-controller)# e1 3 ima-group 5
Router(config-controller)# e1 4 ima-group 5

Verifying the 2-Port Channelized T3/E3 CEoP SPA Configuration

Router# show controller t3 2/1/0
T3 2/1/0 is up.
  Hardware is SPA-2CHT3-CE-ATM
  Applique type is Clearchannel T3 ATM
  No alarms detected.
  Framing is M23, Line Code is B3ZS, Cablelength is 224
  Clock Source is internal
  Equipment customer loopback
  Data in current interval (827 seconds elapsed):
     0 Line Code Violations, 7 P-bit Coding Violation
     0 C-bit Coding Violation, 2 P-bit Err Secs
     0 P-bit Severely Err Secs, 3 Severely Err Framing Secs
     17 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 2 Far-end path failures
     0 Far-end code violations, 10 FERF Defect Secs
     0 AIS Defect Secs, 4 LOS Defect Secs

Router# show ip interface br
ATM2/1/0       unassigned   YES unset  up    up
ATM2/1/1/1     unassigned   YES unset  up    up
ATM2/1/ima0    unassigned   YES unset  up    up

Router# show interface atm2/1/0
ATM2/1/0 is up, line protocol is up
  Hardware is SPA-2CHT3-CE-ATM, address is 000c.862c.4d40 (bia 000c.862c.4d40)
  MTU 4470 bytes, sub MTU 4470, BW 44209 Kbit/sec, DLY 0 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Keepalive not supported
  Encapsulation(s): AAL5 AAL0
  2047 maximum active VCs, 0 current VCCs
  VC Auto Creation Disabled.
  VC idle disconnect time: 300 seconds
  1 carrier transitions
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Router# show atm int atm2/1/0
Interface ATM2/1/0:
AAL enabled:  AAL5, AAL0, Maximum VCs: 2047, Current VCCs: 0
Max. Datagram Size: 4528
PLIM Type: DS3 - 45000Kbps, Framing is C-bit ADM, DS3 lbo: short,
TX clocking: LINE
Cell-payload scrambling: OFF
0 input, 0 output, 0 IN fast, 0 OUT fast
Avail bw = 44209
Config. is ACTIVE

Router# show atm pvc
           VCD /                                      Peak  Av/Min Burst
Interface  Name   VPI  VCI  Type  Encaps  SC   Kbps   Kbps   Cells  St
2/1/0      1      1    33   PVC   SNAP    UBR  44209                UP

Router# show interface atm2/1/ima0
ATM2/1/ima0 is up, line protocol is up
  Hardware is ATM IMA, address is 000c.862c.4d40 (bia 000c.862c.4d40)
  MTU 4470 bytes, sub MTU 4470, BW 1523 Kbit/sec, DLY 0 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ATM, loopback not set
  Keepalive not supported
  Encapsulation(s): AAL5 AAL0
  2047 maximum active VCs, 0 current VCCs
  VC Auto Creation Disabled.
  VC idle disconnect time: 300 seconds
  7 carrier transitions
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Router# show ima int atm2/1/ima0
ATM2/1/ima0 is up, ACTIVATION COMPLETE
  Slot 2 Slot Unit 65 unit 256, CTRL VC 256, Vir -1, VC 4097
  IMA Configured BW 1523, Active BW 1523
  IMA version 1.1, Frame length 128
  Link Test: Disabled
  Auto-Restart: Disabled
  ImaGroupState: NearEnd = operational, FarEnd = operational
  ImaGroupFailureStatus = noFailure
IMA Group Current Configuration:
  ImaGroupMinNumTxLinks = 1       ImaGroupMinNumRxLinks = 1
  ImaGroupDiffDelayMax  = 25      ImaGroupNeTxClkMode   = common(ctc)
  ImaGroupFrameLength   = 128     ImaTestProcStatus     = disabled
  ImaGroupTestLink      = None    ImaGroupTestPattern   = 0x0
  ImaGroupConfLink      = 1       ImaGroupActiveLink    = 1
IMA Link Information:
  ID  Link            Link State - Ctlr/Chan/Prot   Test Status
  --  --------------  ----------------------------  -----------
  0   T3 2/1/1 T1 2   Up   Up   Up   Up             disabled

Router# show cem cir 100
CEM2/2/0, ID: 100, Line: UP, Admin: UP, Ckt: ACTIVE
  Controller state: up, T1/E1 state: up
  Idle Pattern: 0xFF, Idle CAS: 0x8
  Dejitter: 8 (In use: 4)
  Payload Size: 32
  Framing: Framed (DS0 channels: 5)
  CEM Defects Set
  None
  Signalling: No CAS
  RTP: No RTP
  Ingress Pkts:    2500        Dropped:              0
  Egress Pkts:     2500        Dropped:              0
  CEM Counter Details
  Input Errors:    0           Output Errors:        0
  Pkts Missing:    0           Pkts Reordered:       0
  Misorder Drops:  0           JitterBuf Underrun:   0
  Error Sec:       0           Severely Errored Sec: 0
  Unavailable Sec: 0           Failure Counts:       0
  Pkts Malformed:  0           JitterBuf Overrun:    0

Router# show cem cir detail | b 100
CEM2/2/0, ID: 100, Line: UP, Admin: UP, Ckt: ACTIVE
  Controller state: up, T1/E1 state: up
  Idle Pattern: 0xFF, Idle CAS: 0x8
  Dejitter: 8 (In use: 4)
  Payload Size: 32
  Framing: Framed (DS0 channels: 5)
  CEM Defects Set
  None
  Signalling: No CAS
  RTP: No RTP
  Ingress Pkts:    15000       Dropped:              0
  Egress Pkts:     15000       Dropped:              0
  CEM Counter Details
  Input Errors:    0           Output Errors:        0
  Pkts Missing:    0           Pkts Reordered:       0
  Misorder Drops:  0           JitterBuf Underrun:   0
  Error Sec:       0           Severely Errored Sec: 0
  Unavailable Sec: 0           Failure Counts:       0
  Pkts Malformed:  0           JitterBuf Overrun:    0

Router# show cem circuit interface CEM2/2/0 100
CEM2/2/0, ID: 100, Line: UP, Admin: UP, Ckt: ACTIVE
  Controller state: up, T1/E1 state: up
  Idle Pattern: 0xFF, Idle CAS: 0x8
  Dejitter: 8 (In use: 4)
  Payload Size: 32
  Framing: Framed (DS0 channels: 5)
  CEM Defects Set
  None
  Signalling: No CAS
  RTP: No RTP
  Ingress Pkts:    27500       Dropped:              0
  Egress Pkts:     27500       Dropped:              0
  CEM Counter Details
  Input Errors:    0           Output Errors:        0
  Pkts Missing:    0           Pkts Reordered:       0
  Misorder Drops:  0           JitterBuf Underrun:   0
  Error Sec:       0           Severely Errored Sec: 0
  Unavailable Sec: 0           Failure Counts:       0
  Pkts Malformed:  0           JitterBuf Overrun:    0

Router# show cem circuit summary
CEM Int.      Total   Active   Inactive
--------------------------------------
CEM2/0/0         13       13          0
CEM2/1/0          7        7          0
CEM2/2/0        576      576          0

Router# show cem circuit
CEM Int.   ID   Ctrlr  Admin  Circuit   AC
--------------------------------------------------------------
CEM2/0/0   0    UP     UP     Active    UP
CEM2/0/0   1    UP     UP     Active    UP
CEM2/0/0   2    UP     UP     Active    UP
CEM2/0/0   3    UP     UP     Active    UP
CEM2/0/0   4    UP     UP     Active    UP
CEM2/0/0   5    UP     UP     Active    UP
CEM2/0/0   6    UP     UP     Active    UP
CEM2/0/0   7    UP     UP     Active    UP
CEM2/0/0   8    UP     UP     Active    UP
CEM2/0/0   9    UP     UP     Active    UP
CEM2/0/0   21   UP     UP     Active    UP
CEM2/0/0   22   UP     UP     Active    UP
CEM2/0/0   23   UP     UP     Active    UP

Router# show class cem TDM-class-B
Class: TDM-class-B
  Dejitter: 320, Payload Size: 40

Router# show class cem all
Class: TDM-class-A
  Dejitter: 10, Payload Size: 40
Class: TDM-class-B
  Dejitter: 320, Payload Size: 40

Router# show class cem detail
Class: TDM-class-A
  Dejitter: 10, Payload Size: 40
  Circuits inheriting this Class: None
  Interfaces inheriting this Class: None
Class: TDM-class-B
  Dejitter: 320, Payload Size: 40
  Circuits inheriting this Class:
    CEM2/2/0: Circuit 100
    CEM2/2/0: Circuit 50
  Interfaces inheriting this Class: None

Note: See the "Configuring T3" section on page 10-25 for information about the features that are not supported on the SPA in Cisco IOS Release 12.2SRC.

Configuring the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SONET VT1.5

To configure the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SONET VT1.5, perform the following steps:

Step 1  Router(config)# controller sonet 5/1/0
        Selects the controller to configure.
Step 2  Router(config-controller)# framing sonet
        Specifies SONET framing.
Step 3  Router(config-controller)# sts-1 2
        Specifies the STS identifier.
Step 4 Router(config-ctrlr-sts1)# mode vt-15 Specifies VT-15 as the STS-1 mode of operation.10-11 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 10 Configuring the CEoP and Channelized ATM SPAs Configuration Tasks Configuring the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SDH AU-4 C-12 To configure the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SDH AU-4 C-12, perform the following steps: Configuring the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SDH AU-3 C-11 To configure the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SDH AU-3 C-11, perform the following steps: Step 5 Router(config-ctrlr-sts1)# vtg 3 t1 2 atm Creates a T1 (VT1.5) ATM interface. OR, Router(config-ctrlr-sts1)# vtg 1 t1 1 ima-group group-number Configures the interface to run in IMA mode and assigns the interface to an IMA group. OR, Router(config-ctrlr-sts1)# vtg 2 t1 1 cem-group 1 unframed Creates a single SAToP CEM group. OR, Router(config-ctrlr-sts1)# vtg 2 t1 4 cem-group 2 timeslots 1-5,14 Creates a CESoPSN CEM group. Command or Action Purpose Command or Action Purpose Step 1 Router(config)# controller sonet 5/1/0 Selects the controller to configure. Step 2 Router(config-controller)# framing sdh Specifies SDH as the framing mode. Step 3 Router(config-controller)# aug mapping au-4 Specifies AUG mapping. Step 4 Router(config-controller)# au-4 1 tug-3 2 Selects the AU-4, TUG-3 to configure. Step 5 Router(config-ctrlr-tug3)# mode c-12 Specifies the channelization mode for the TUG-3. Step 6 Router(config-ctrlr-tug3)# tug-2 7 e1 3 atm Creates an ATM interface. Router(config-ctrlr-tug3)# tug-2 1 e1 1 ima-group group-number Configures the interface to run in IMA mode and assigns the interface to an IMA group. Router(config-ctrlr-tug3)# tug-2 1 e1 1 cem-group 1 unframed Creates a SAToP CEM group. Router(config-ctrlr-tug3)# tug-2 1 e1 1 cem-group 1 timeslots 1-31 Creates a CESoPSN CEM group. 
Command or Action Purpose Step 1 Router(config)# controller sonet 5/1/0 Selects the controller to configure. Step 2 Router(config-controller)# framing sdh Specifies the framing mode. Step 3 Router(config-controller)# aug mapping au-3 Specifies AUG mapping. Step 4 Router(config-controller)# au-3 3 Selects the AU-3 to configure. Step 5 Router(config-ctrlr-au3)# mode c-11 Specifies the channelization mode for the link.10-12 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 10 Configuring the CEoP and Channelized ATM SPAs Configuration Tasks Step 6 Router(config-ctrlr-au3)# tug-2 7 t1 4 atm Creates an ATM interface. Router(config-ctrlr-tug3)# tug-2 1 e1 1 ima-group group-number Configures the interface to run in IMA mode and assigns the interface to an IMA group. Router(config-ctrlr-au3)# tug-2 1 t1 2 cem-group 1 unframed Creates a SAToP CEM group. Router(config-ctrlr-au3)# tug-2 1 t1 2 cem-group 2015 timeslots 1-12 Creates a CESoPSN CEM group. Command or Action Purpose10-13 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 10 Configuring the CEoP and Channelized ATM SPAs Configuring Circuit Emulation Configuring Circuit Emulation This section provides information about how to configure circuit emulation on a CEoP SPA. Circuit emulation provides a bridge between a time division multiplexed (TDM) network and a packet network (such as Multiprotocol Label Switching [MPLS]). The router encapsulates TDM data in MPLS packets and sends the data over a CEM pseudowire to the remote provider edge (PE) router. Thus, circuit emulation acts like a physical communication link across the packet network. To configure circuit emulation on a CEoP SPA port, you must do the following: 1. Configure one or more CEM groups on the port. Each CEM group represents a set of time slots from the TDM circuit attached to the port. 
When you configure a CEM group on the port, the router creates an interface that has the same slot/subslot/port number as the port (for example, cem2/1/0).

2. Configure a pseudowire for each CEM group. The router maps the data from the time slots in each group onto its pseudowire and sends the data over the MPLS network to the remote PE router. Use the xconnect command with encap mpls to create a pseudowire for each CEM group.

Figure 10-1 shows the following sample configuration for a CEoP SPA:

• A TDM circuit is connected to port 0 on a SPA installed in slot 1, subslot 0 (T1 controller 1/0/0).
• Two pseudowires (PW10 and PW20) are configured to carry TDM data across the MPLS network.
• Two CEM groups (2 and 3) are configured for the data in the TDM time slots:
  – Time slots 1 through 6 are sent over pseudowire 10 to the remote PE router at 10.0.0.0.
  – Time slots 8 through 13 are sent to PE router 11.0.0.0 over pseudowire 20.

Figure 10-1  TDM Time Slots to Pseudowire Mappings

(Figure not reproduced. It shows the TDM data stream entering controller T1 1/0/0, CEM group 2 (time slots 1-6) carried over PW10 to 10.0.0.0, and CEM group 3 (time slots 8-13) carried over PW20 to 11.0.0.0 across the MPLS network, using this configuration:)

controller T1 1/0/0
 cem-group 2 timeslots 1-6
 cem-group 3 timeslots 8-13
interface cem 1/0/0
 cem 2
  xconnect 10.0.0.0 10 encap mpls
 cem 3
  xconnect 11.0.0.0 20 encap mpls

Table 10-1 lists the number of CEM groups you can configure for each CEoP SPA on the SIP 400.

Table 10-1  Number of CEM Groups Supported for Each CEoP SPA

CEoP SPA                                    Number of Supported CEM Groups
24 T1/E1 Channelized ATM CEoP SPA           191
2-Port Channelized T3/E3 ATM CEoP SPA       576
1-Port Channelized OC-3 STM1 ATM CEoP SPA   576

Configuration Guidelines and Restrictions

Not all combinations of payload-size and dejitter-buffer size are supported. Incompatible payload-size or dejitter configurations are rejected at the CLI level in CEM circuit mode on the SPA. When the parameters are applied through a cem class template, any incompatible parameter modification is rejected and the configuration falls back to the previous dejitter and payload parameters. For the relationship between the payload size and the dejitter buffer size on CESoPSN and SAToP T1/E1 frames, see Table 9-1, CESoPSN DS0 Lines: Payload and Jitter Limits; Table 9-2, SAToP T1 Frame: Payload and Jitter Limits; and Table 9-3, SAToP E1 Frame: Payload and Jitter Limits.

Configuring a CEM Group

To configure a CEM group to represent a CEM circuit on a SPA port, use the following procedure.

Note
• The first cem-group command under the controller creates a CEM interface that has the same slot/subslot/port information as the controller. The CEM interface is removed when all of the CEM groups under the interface have been deleted.
• The CEM interface is always up, even if the controller state is down. This allows the CEM pseudowire to carry alarm information to the remote end.

Command or Action / Purpose
Step 1  Router(config)# controller type slot/subslot/port
        Examples:
        Router(config)# controller t1 3/1/
        Router(config)# controller sonet 2/0/1
        Selects the controller for the port being configured:
        • type identifies the port type. Depending on the card type, valid values are t1, e1, t3, e3, or sonet. For additional information, see the sections for configuring those port types.
        • slot/subslot/port identifies the SPA slot, subslot, and port.
Step 2  Router(config-controller)# [no] cem-group group-number {unframed | timeslots timeslot}
        Examples:
        Router(config)# controller t1 3/2/0
        Router(config-controller)# cem-group 1 unframed
        Router(config)# controller t1 3/2/1
        Router(config-controller)# cem-group 1 timeslots 1,3,5-11
        Router(config-controller)# cem-group 2 timeslots 12-24
        Router(config)# controller t3 3/2/0
        Router(config-controller)# t1 1 cem-group 1 timeslots 1
        Router(config)# controller t3 3/2/1
        Router(config-controller)# e1 1 cem-group 1 unframed
        Creates a CEM circuit (group) from one or more time slots of the line connected to this port. To delete the CEM circuit and release the time slots, use the no cem-group group-number command.
        • group-number assigns a CEM circuit number:
          – For the 24 T1/E1 Channelized ATM CEoP SPA, you can configure up to 191 CEM groups.
          – For the 2-Port Channelized T3/E3 ATM CEoP SPA, you can configure up to 576 CEM groups.
          – For the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, you can configure up to 576 CEM groups.
        • unframed creates a single CEM circuit from all of the time slots and uses the framing on the line. Use this keyword for SAToP mode.
        • timeslots timeslot specifies the time slots to include in the CEM circuit. Use this keyword for CESoPSN mode. The list of time slots can include commas and hyphens, with no spaces between the numbers, commas, and hyphens.
        Note: Each time slot operates at 64 kilobits per second (kbps).
Step 3  Router(config-controller)# exit
        Exits interface configuration mode.

Configuring a CEM Class (Optional)

To assign CEM parameters to one or more CEM interfaces, you can create a CEM class (template) that defines the parameters and then apply the class to the interfaces. CEM class parameters can also be configured directly on the CEM circuit. The inheritance order is as follows:

• CEM circuit (highest level)
• Class attached to the CEM circuit
• Class attached to the CEM interface
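Before moving on to CEM classes, the following is an added example (not from this guide and not Cisco code) that applies the cem-group rules from the procedure above to a constructed controller configuration as an offline audit: time slot lists must be digits, commas and hyphens with no spaces; a T1 carries time slots 1 to 24 and an E1 1 to 31; each time slot is 64 kbps; and a SPA supports at most the number of CEM groups given in Table 10-1. The overlap check (two groups on one line claiming the same time slot, or an unframed group beside timeslot groups) goes beyond what the text states and is an assumption about what a sane configuration looks like. The SAMPLE_CONFIG text is constructed and reuses the guide's own cem-group examples plus two deliberately bad lines.

```python
import re
from dataclasses import dataclass

# Limits stated in the procedure above: time slots per line (64 kbps each)
# and CEM groups per SPA (Table 10-1).
TIMESLOTS_PER_LINE = {"t1": 24, "e1": 31}
KBPS_PER_TIMESLOT = 64
MAX_CEM_GROUPS = {"24-port t1/e1": 191, "2-port t3/e3": 576, "1-port oc-3/stm1": 576}

# A time slot list is digits, commas and hyphens only, with no spaces.
_TIMESLOT_LIST = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")
_CONTROLLER = re.compile(r"^\s*controller\s+(t1|e1)\s+(\S+)\s*$", re.I)
_CEM_GROUP = re.compile(r"^\s*cem-group\s+(\d+)\s+(?:(unframed)|timeslots\s+(.+?))\s*$", re.I)


def parse_timeslots(spec, line_type):
    """Expand a list such as '1,3,5-11' into sorted ints, enforcing syntax and the 1..N range."""
    if not _TIMESLOT_LIST.match(spec):
        raise ValueError(f"time slot list {spec!r} must be digits, commas and hyphens with no spaces")
    limit = TIMESLOTS_PER_LINE[line_type]
    slots = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo > hi:
            raise ValueError(f"range {part!r} is descending")
        if lo < 1 or hi > limit:
            raise ValueError(f"time slot {part!r} is outside 1-{limit} for {line_type.upper()}")
        slots.update(range(lo, hi + 1))
    return sorted(slots)


@dataclass
class CemGroup:
    controller: str
    line_type: str
    number: int
    timeslots: list  # empty for an unframed (SAToP) group

    @property
    def rate_kbps(self):
        """CESoPSN payload rate at 64 kbps per time slot; None for an unframed group."""
        return len(self.timeslots) * KBPS_PER_TIMESLOT if self.timeslots else None


def audit_cem_groups(config_text, spa_type):
    """Parse cem-group lines under plain T1/E1 controllers and return (groups, findings).

    The channelized T3/SONET forms (t1 N cem-group ..., vtg ...) are out of scope here.
    """
    groups, findings = [], []
    taken, unframed, ctrl = {}, {}, None   # per-controller slot map / unframed group
    for raw in config_text.splitlines():
        if raw.strip().lower().startswith("controller"):
            m = _CONTROLLER.match(raw)
            ctrl = (m.group(1).lower(), m.group(2)) if m else None
            continue
        m = _CEM_GROUP.match(raw)
        if not m or ctrl is None:
            continue
        line_type, name = ctrl
        number = int(m.group(1))
        if any(g.controller == name and g.number == number for g in groups):
            findings.append(f"{name}: cem-group {number} is defined twice")
            continue
        try:
            slots = [] if m.group(2) else parse_timeslots(m.group(3), line_type)
        except ValueError as err:
            findings.append(f"{name}: cem-group {number}: {err}")
            continue
        used = taken.setdefault(name, {})
        if not slots:
            if used or name in unframed:
                findings.append(f"{name}: unframed cem-group {number} conflicts with other groups on the line")
            unframed.setdefault(name, number)
        else:
            if name in unframed:
                findings.append(f"{name}: cem-group {number} overlaps unframed cem-group {unframed[name]}")
            clash = [s for s in slots if s in used]
            if clash:
                findings.append(f"{name}: cem-group {number} reuses time slots {clash} of cem-group {used[clash[0]]}")
            for s in slots:
                used.setdefault(s, number)
        groups.append(CemGroup(name, line_type, number, slots))
    if len(groups) > MAX_CEM_GROUPS[spa_type]:
        findings.append(f"{len(groups)} CEM groups exceed the {MAX_CEM_GROUPS[spa_type]} supported on a {spa_type} SPA")
    return groups, findings


# Constructed sample: the guide's cem-group examples plus two deliberately bad lines.
SAMPLE_CONFIG = """\
controller t1 3/2/1
 cem-group 1 timeslots 1,3,5-11
 cem-group 2 timeslots 12-24
 cem-group 3 timeslots 11,20-26
 cem-group 4 timeslots 1, 2
controller e1 3/2/2
 cem-group 1 timeslots 1-31
controller t1 3/2/0
 cem-group 1 unframed
"""

if __name__ == "__main__":
    found, problems = audit_cem_groups(SAMPLE_CONFIG, "24-port t1/e1")
    for g in found:
        print(f"{g.controller} cem-group {g.number}: {g.timeslots or 'unframed'} -> {g.rate_kbps} kbps")
    for p in problems:
        print("FINDING:", p)
```

Run against SAMPLE_CONFIG, the two bad lines (a range reaching time slot 26 on a T1, and a list containing a space) are reported as findings while the valid groups are returned with their CESoPSN rates, so the same check can be pointed at a saved running-config before the change window rather than discovering the rejection at the CLI.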
If the same parameter is configured on the CEM interface and the CEM circuit, the value on the CEM circuit takes precedence.

To configure a CEM class, use the following procedure:

Command or Action / Purpose
Step 1  Router(config)# class cem name
        Creates a CEM class, a template in which parameters are configured once and then applied at the CEM interface level.
        • name is a string of up to 80 characters that identifies the CEM class. Note that the name is truncated to the first 15 characters.
Step 2  Router(config-cem-class)# command
        Configure CEM parameters by issuing the appropriate commands. See the “Configuring CEM Parameters” section on page 10-50 for commands.

In the following example, a CEM class (TDM-Class-A) is configured to set the payload-size and dejitter-buffer parameters:

class cem TDM-Class-A
 payload-size 512
 dejitter-buffer 80
 exit

In the next example, the CEM parameter settings from TDM-Class-A are applied to CEM interface 2/1/0. Any CEM circuits created under this interface inherit these parameter settings.

int cem 2/1/0
 class int TDM-Class-A
 cem 6
  xconnect 10.10.10.10 2 encap mpls
 exit

Configuring a CEM Pseudowire

To configure a pseudowire to transport a CEM circuit across the MPLS network, follow this procedure.

Note: When the T1 controller that carries a particular CEM circuit's traffic goes down, a message is sent about a failure between the PE and CE routers. This results in the pseudowire status being down, but the data plane is kept up so that the alarms can be carried over.

The following sample configuration shows a T1 port on which two CEM circuits (groups) are configured. Each CEM circuit carries data from time slots of the TDM circuit attached to the port. The two xconnect commands create pseudowires to carry the TDM data across the MPLS network. Pseudowire 2 carries the data from time slots 1, 2, 3, 4, 9, and 10 to the remote PE router at 10.10.10.10. Pseudowire 5 carries the data in time slots 5, 6, 7, 8, and 11 to the remote PE router at 10.10.10.11.

controller t1 2/1/0
 cem-group 6 timeslots 1-4,9,10
 cem-group 7 timeslots 5-8,11
 framing esf
 linecode b8zs
 clock source adaptive 6
 cablelength long -15db
 crc-threshold 512
 description T1 line to 3rd floor PBX
 loopback network
 no shutdown

int cem2/1/0
 cem 6
  xconnect 10.10.10.10 2 encap mpls
 cem 7
  xconnect 10.10.10.11 5 encap mpls

Command or Action / Purpose
Step 1  Router(config)# interface cem slot/subslot/port
        Selects the CEM interface where the CEM circuit (group) is located (where slot/subslot is the SPA slot and subslot and port is the SPA port where the interface exists).
Step 2  Router(config-if)# cem group-number
        Selects the CEM circuit (group) to configure a pseudowire for.
Step 3  Router(config-if-cem)# command
        (Optional) Defines the operating characteristics for the CEM circuit. For command details, see the “Configuring CEM Parameters” section on page 10-50.
Step 4  Router(config-if)# xconnect peer-router-id vcid {encapsulation mpls | pseudowire-class name}
        Configures a pseudowire to transport TDM data from the CEM circuit across the MPLS network.
        • peer-router-id is the IP address of the remote PE peer router.
        • vcid is a 32-bit identifier to assign to the pseudowire. The same vcid must be used for both ends of the pseudowire.
        • encapsulation mpls sets MPLS as the tunneling mode.
        • pseudowire-class name specifies a pseudowire class that includes the encapsulation mpls command.
        Note: The peer-router-id and vcid combination must be unique on the router.
Step 5  Router(config-if)# exit
        Exits interface configuration mode.

Configuring TDM Local Switching

TDM Local Switching allows switching of Layer 2 data between two CEM interfaces on the same router. The two CEM groups can be on the same physical interface or on different physical interfaces; they can be on the same SPA, the same line card, or different line cards.

Note: For Cisco IOS Release 12.2(33)SRC, this feature is supported on the 24-Port Channelized T1/E1 ATM CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA.

Use the following guidelines for CEoP Phase 2 TDM Local Switching:

• Autoprovisioning is not supported.
• Out-of-band signaling is not supported.
• Port mode local switching is not supported on the CEM interface.
• Interworking with other interface types is not supported.
• The same CEM circuit cannot be used for both local switching and xconnect.
• You can use CEM local switching between two CEM circuits on the same CEM interface.
• CEM local switching can be across a 24-Port Channelized T1/E1 ATM CEoP SPA and a 1-Port Channelized OC-3 STM1 ATM CEoP SPA.

Use the following procedure to configure CEoP Phase 2 TDM Local Switching.

Configuration Example

The following is an example:

Router(config)# interface CEM4/3/0
Router(config)# connect cem cem2/1/0 1 cem4/2/0 2

Command or Action / Purpose
Step 1  Router(config)# interface cem slot/subslot/port
        Selects the CEM interface to configure the pseudowire for. This is the interface that the TDM circuit is attached to.
Step 2  Router(config)# [no] connect name cemx/y/z cemckt1 cema/b/c cemckt2
        Configures a local switching connection between cemckt1 of the CEM interface x/y/z and cemckt2 of the CEM interface a/b/c.
        The no form of this command removes the local switching connection between cemckt1 of the CEM interface x/y/z and cemckt2 of the CEM interface a/b/c.

Verifying

Use the show connection, show connection all, show connection id conn-id, and show connection conn-name commands to verify.

Local Switching Redundancy

Local Switching Redundancy provides a backup attachment circuit (AC) when the primary attachment circuit fails. All the ACs must be on the same Cisco 7600 series router.

Note: For Cisco IOS Release 12.2(33)SRC, this feature is supported on the 24-Port Channelized T1/E1 ATM CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, as well as the 2-Port and 4-Port OC-3c/STM-1 ATM SPA, the 1-Port OC-12c/STM-4 ATM SPA, and the 1-Port OC-48c/STM-16 ATM SPA.

The following combinations of CEM ACs are supported:

• CEM ACs on the same SPA
• CEM ACs on different SPAs on the same SIP
• CEM ACs on different SIPs on the same Cisco 7600 series router

Guidelines

Local Switching Redundancy guidelines are as follows:

• Autoconfiguration of CEM interfaces is not supported.
• Only the tail-end AC can be backed up; if the head end fails, there is no protection.
• The circuit type of the primary and backup AC must be identical (failover operation will not switch between different types of interfaces or different CEM circuit types).
• Only one backup AC is allowed for each connection.
• Autoconfiguration of backup CEM circuits is not allowed. Autoconfiguration is allowed for backup ATM Permanent Virtual Circuits (PVCs) or ATM Permanent Virtual Paths (PVPs).
• The CEM circuit used as a backup in a local switching connection cannot be used for xconnect configurations.
• Dynamic modification of parameters in a local switching connection is not supported when the tail-end segment is backed up to a segment using the backup command. If you want to modify the parameters in any of the three segments (head-end, tail-end, or backup segment), you must first unconfigure the backup with the backup command, make the changes in the individual segments, and then reconfigure the backup with the backup command.

Command or Action / Purpose
Step 1  Router(config)# [no] connect name cemx/y/z cemckt1 cema/b/c cemckt2
        Configures a local switching connection between cemckt1 of the CEM interface x/y/z and cemckt2 of the CEM interface a/b/c. The no form of this command removes that local switching connection.
Step 2  Router(config-connection)# backup interface cemx/y/z cemckt
        Backs up a locally switched CEM connection.

Configuration Example

The following is a configuration example for Local Switching Redundancy. The backup command backs up the local switching connection to cem-ckt3 of CEM interface cem3:

Router(config)# connect cem cem2/1/0 1 cem4/2/0 2
Router(config)# backup interface cem 3/0/0 3

Verifying

Use the show xconnect all command to check the status of the backup and primary circuits.

Configuring ATM

In addition to CEM mode, CEoP SPAs support ATM. When configured to operate in ATM mode, CEoP SPAs support the ATM features listed in Chapter 9, “Overview of the CEoP and Channelized ATM SPAs.” CEoP SPAs also support inverse multiplexing over ATM (IMA), which allows you to combine multiple ATM links into a single high-bandwidth logical link. For more information on IMA, see the “Configuring Inverse Multiplexing over ATM” section on page 10-29.

CEoP SPAs support ATM operation in clear-channel or channelized mode:

• In clear-channel mode, each SPA port provides a single high-speed ATM connection operating at the line rate of the port.
• In channelized mode, each port can be divided into multiple logical channels, each providing a separate ATM connection operating at the channelized line rate (for example, T3 channelized to T1).

Note: ATM does not support DS0s. ATM can only be channelized down to T1s.

ATM Connections Per SPA

Use the following guidelines:

• The 24-Port Channelized T1/E1 ATM CEoP SPA provides 24 ATM connections (one for each port) operating at T1 or E1 line rates.
• The 1-Port Channelized OC-3/STM-1 ATM CEoP SPA cannot be configured for clear-channel (OC-3) ATM. Instead, you must channelize the port to T1s or E1s. The number of ATM connections available depends on the configuration mode:
  – Channelized T1 mode provides 84 ATM connections (3 T3 x 28 T1 = 84).
  – Channelized E1 mode provides 63 ATM connections (3 TUG-3/AU-3 x 7 TUG-2 x 3 E1 = 63).
• In clear-channel mode, each port in the 2-Port Channelized T3/E3 ATM CEoP SPA provides a single ATM connection operating at T3 line rate.

ATM Configuration Overview

To configure a port on a CEoP SPA for ATM operation, you must:

1. Set the port to ATM mode. You can also configure IMA (optional).
2. Configure an ATM permanent virtual circuit (PVC) for the port.
3. Configure a pseudowire for the ATM or IMA interface.

ATM and IMA Interfaces

IMA interfaces may consist of groups of T1s or E1s. IMA is not supported on the 2-Port Channelized T3/E3 ATM CEoP SPA.

The router creates an ATM interface for each T3 or E3 port (or channelized T1 or E1) that is configured for ATM mode.
The interface has the format atm slot/subslot/port (where slot/subslot identifies the SPA slot and subslot and /port identifies the port [for example, atm2/1/0]).

If you configure IMA, the router creates an interface to represent each IMA group (link bundle). The interface has the format atm slot/subslot/ima group-id (where slot/subslot identifies the SPA slot and subslot and group-id identifies the IMA group number [for example, atm2/1/ima0]).

Configuring VC QoS on VP-PW CEoP SPAs

The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For configuration information on Modular QoS CLI (MQC) policy support and ATM VCI (match atm-vci command), see the “Configuring QoS Features on a SIP” section on page 4-94 of Chapter 4, “Configuring the SIPs and SSC.”

Restriction: The VC QoS on VP-PW feature works only with Single Cell Relay and does not work with Packed Cell Relay.

Configuring an ATM Pseudowire

To configure a pseudowire for an ATM connection or an IMA link bundle, perform these steps. The pseudowire is used to carry the ATM data across the MPLS network.

Command or Action / Purpose
Step 1  Router(config)# interface atm slot/subslot/port
        or
        Router(config)# interface atm slot/subslot/ima group-id
        Selects the ATM interface to configure the pseudowire for (where slot/subslot is the SPA slot and subslot, and /port is the SPA port where the interface exists). For IMA, the format is atm slot/subslot/ima group-id (where slot/subslot identifies the SPA slot and subslot and group-id is the IMA group number).
Step 2  Router(config-if)# pvc vpi/vci
        Creates a permanent virtual circuit for the ATM or IMA interface and assigns the PVC a VPI and VCI:
        • vpi specifies the virtual path identifier (0 to 255).
        • vci specifies the virtual channel identifier. Valid values are 32 to 1 less than the value specified by the atm vc-per-vp command.
        Note: Do not specify 0 for both the VPI and VCI.
Step 3  Router(config-if-atm-vc)# encapsulation {aal0 | aal5 | aal5snap}
        Specifies the ATM adaptation layer (AAL) for the PVC:
        • aal0—Selects ATM adaptation layer 0 (cell mode).
        • aal5—Selects ATM adaptation layer 5 (packet mode).
        • aal5snap—Supports Inverse Address Resolution Protocol (ARP). Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) precedes the protocol datagram.
Step 4  Router(config-if-atm-vc)# command
        Configures the ATM operating characteristics of the PVC. CEoP SPAs support the ATM features in Chapter 9.
Step 5  Router(config-if-atm-vc)# exit
        Returns you to interface configuration mode.
Step 6  Router(config-if)# xconnect peer-router-id vcid {encapsulation mpls | pseudowire-class name}
        Configures a pseudowire to transport data from the ATM or IMA interface across the MPLS network.
        • peer-router-id is the IP address of the remote PE peer router.
        • vcid is a 32-bit identifier to assign to the pseudowire. The same vcid must be used for both ends of the pseudowire.
        • encapsulation mpls sets MPLS as the tunneling mode.
        • pseudowire-class name specifies a pseudowire class that includes the encapsulation mpls command.
        Note: The peer-router-id and vcid combination must be unique on the router.
Step 7  Router(config-if)# exit
        Exits interface configuration mode.

Configuring Pseudowire Redundancy (Optional)

CEoP SPAs support the L2VPN Pseudowire Redundancy feature, which provides backup service for ATM and circuit emulation (CEM) pseudowires. The L2VPN Pseudowire Redundancy feature enables the network to detect a failure and reroute the Layer 2 (L2) service to another endpoint that can continue to provide service.
This feature provides the ability to recover from a failure either of the remote PE router or of the link between the PE and CE routers.

You configure pseudowire redundancy by configuring two pseudowires for an ATM or CEM interface: a primary pseudowire and a backup (standby) pseudowire. If the primary pseudowire goes down, the router uses the backup pseudowire in its place. When the primary pseudowire comes back up, the backup pseudowire is brought down and the router resumes using the primary. Figure 10-2 shows an example of pseudowire redundancy.

Figure 10-2  Pseudowire Redundancy

(Figure not reproduced. Its labels are CE1, PE1, PE2, CE2, primary pseudowire, backup pseudowire, and redundant attachment circuits.)

Following is a summary of the steps to perform to configure pseudowire redundancy on a CEoP SPA. Although an ATM interface is shown, the configuration is the same for CEM.

Note: You must configure the backup pseudowire to connect to a different router than the primary pseudowire.

1. enable
2. configure terminal
3. interface atm slot/subslot/port
4. xconnect peer-router-id vcid {encapsulation mpls | pw-class pw-class-name}
5. backup peer peer-router-ip-addr vcid [pw-class pw-class-name]
6. backup delay enable-delay {disable-delay | never}

The following example shows pseudowire redundancy configured for a CEM circuit (group). In the example, the xconnect command configures a primary pseudowire for CEM group 0. The backup peer command creates a redundant pseudowire for the group.

int cem8/1/1
 no ip address
 cem 0
  xconnect 10.10.10.1 1 encap mpls
   backup peer 10.10.10.2 200
 exit

Configuring T1

To configure T1 on a 24-Port Channelized T1/E1 ATM CEoP SPA, use the following procedure and observe these guidelines:

• There can be 0 to 23 channels under a T1 controller, one for each T1 time slot.
• Each channel can be configured as a CEM group.
• The maximum number of channels under a CEM group is 24.
• Each CEM group number under a controller must be unique.
• A maximum of 191 CEM circuits can be configured.

Command or Action / Purpose
Step 1  Router(config)# controller t1 slot/subslot/port
        Selects the T1 controller.
Step 2  Router(config-controller)# [no] cem-group group-number {unframed | timeslots timeslot}
        Creates a CEM interface and assigns it a CEM group number.
Step 3  Router(config-controller)# framing {sf | esf}
        Selects the T1 framing type.
Step 4  Router(config-controller)# exit
        Exits controller configuration mode and returns you to global configuration mode.
Step 5  Router(config)# interface cem slot/subslot/port
        Selects the CEM interface.
Step 6  Router(config-controller)# cem group-number
        Selects the specified CEM group.
Step 7  Router(config-controller)# xconnect peer-ip-address encap mpls
        Configures a pseudowire for the T1 time slots identified by the CEM group.
Step 8  Router(config-controller)# exit
        Exits controller configuration mode.

Configuring E1

To configure E1 on a 24-Port Channelized T1/E1 ATM CEoP SPA, use the following procedure:

Command or Action / Purpose
Step 1  Router(config)# controller e1 slot/subslot/port
        Selects the controller for the E1 port being configured.
Step 2  Router(config-controller)# [no] cem-group group-number {unframed | timeslots timeslot}
        Creates a CEM interface and assigns it a CEM group number.
Step 3  Router(config-controller)# framing {crc4 | no-crc4}
        Selects the framing type.
Step 4  Router(config-controller)# exit
        Exits controller configuration mode and returns you to global configuration mode.
Step 5  Router(config)# interface cem slot/subslot/port
        Selects the CEM interface.
Step 6  Router(config-controller)# cem group-number
        Selects the specified CEM group.
Step 7  Router(config-controller)# xconnect peer-ip-address encap mpls
        Configures a pseudowire for the E1 time slots identified by the CEM group.
Step 8  Router(config-controller)# exit
        Exits controller configuration mode.

Configuring T3

This section describes how to configure the 2-Port Channelized T3/E3 ATM CEoP SPA. The SPA can be configured to operate in the following modes:

• T3 (clear-channel)
• ATM

The router creates a logical interface to represent the mode that the SPA port is configured to run in. An ATM interface is created for each T3 port that is configured for ATM mode. The interface has the format atm slot/subslot/port (where slot/subslot identifies the SPA slot and subslot and /port identifies the port). An example is atm2/1/0.

The following sections provide instructions for configuring the SPA:

• T3 Configuration Guidelines, page 10-25
• Configuring Port Usage, page 10-25
• Configuring the SPA for Clear-Channel ATM, page 10-27

T3 Configuration Guidelines

This section lists the guidelines for configuring the 2-Port Channelized T3/E3 ATM CEoP SPA. For information about supported features, see Chapter 9, “Overview of the CEoP and Channelized ATM SPAs.”

Note: For a list of features that are not supported in Cisco IOS Release 12.2SRC, see the “Unsupported Features” section on page 9-15.

T3 Mode

In clear-channel T3 mode, each SPA port provides a single high-speed data channel operating at 44210 kilobits per second (kbps).

ATM Mode

In ATM mode, up to 4000 point-to-point ATM VCs (per SIP) are supported.
Configuring Port Usage

Perform the following steps to configure a SPA port for T3.

Note: E3 is not supported with Cisco IOS Release 12.2(33)SRC.

Command or Action / Purpose
Step 1  Router(config)# controller {t3} slot/subslot/port
        Selects the T3 controller for the port you are configuring (where slot/subslot identifies the SPA slot and subslot and /port identifies the port).
Step 2  Router(config-controller)# [no] framing {auto-detect | c-bit | m23}
        For the clear-channel ATM mode, configure framing as:
        • auto-detect—Detects the framing type at the device at the end of the line and switches to that framing type. If both devices are set to auto-detect, c-bit framing is used.
        • c-bit—Specifies C-bit parity framing.
        • m23—Specifies M23 framing.
Step 3  Router(config-controller)# clock source {internal | line}
        (Optional) Specifies the clock source.
        • internal—Selects the internal clock.
        • line—Selects the network clock.
Step 4  Router(config-controller)# cablelength feet
        (Optional) Specifies the length of the cable attached to the port (in feet). Valid values are 0 to 450 ft. The default is 224 ft.
Step 5  Router(config-controller)# [no] loopback {local | network | remote {line | payload}}
        (Optional) Runs a loopback test, which is useful for troubleshooting problems. The no form of the command stops the test. The default is no loopback.
        • local—Loops the signal from the Tx to the Rx path. Sends an alarm indication signal (AIS) to the network.
        • network—Loops the signal from the Rx to the Tx path.
        • remote {line | payload}—(C-bit framing only) Sends a loopback request to the remote end: line loops back the unframed signal and payload loops back the framed signal.
Step 6  Router(config-controller)# [no] bert pattern [2^11 | 2^15 | 2^20 O.153 | 2^20 QRSS | 2^23 | 0s | 1s | alt-0-1] interval [1-1440]
        (Optional) Configures bit-error-rate (BER) testing.
Step 7  Router(config-controller)# mdl {string {eic | fic | generator | lic | pfi | port | unit} string} | {transmit {idle-signal | path | test-signal}}
        Example:
        Router(config-controller)# mdl string eic ID
        Router(config-controller)# mdl string fic Building B
        Router(config-controller)# mdl string unit ABC
        Router(config-controller)# mdl string pfi Facility Z
        Router(config-controller)# mdl string port Port 7
        Router(config-controller)# mdl transmit path
        Router(config-controller)# mdl transmit idle-signal
        (Optional) Configures maintenance data link (MDL) messages, which communicate information between local and remote ports. Valid only with C-bit framing.
        • mdl string specifies the type of identification information to include in MDL messages:
          – eic string specifies the Equipment Identification Code, up to 10 characters.
          – fic string specifies the Frame Identification Code, up to 10 characters.
          – generator string specifies the Generator Number for test-signal messages, up to 38 characters.
          – lic string specifies the Location Identification Code, up to 11 characters.
          – pfi string specifies the Path Facility Identification Code for path messages, up to 38 characters.
          – port string specifies the port number for idle-signal messages, up to 38 characters.
          – unit string specifies the Unit Identification Code, up to 6 characters.
        • mdl transmit specifies the type of MDL messages to transmit:
          – idle-signal—Enables idle-signal messages.
          – path—Enables path messages.
          – test-signal—Enables test-signal messages.
Step 8  Router(config-controller)# exit
        Returns you to global configuration mode.

Configuring the SPA for Clear-Channel ATM

To configure a T3/E3 SPA port for clear-channel ATM, follow these steps:

Command or Action / Purpose
Step 1  Router(config)# controller {t3} slot/subslot/port
        Selects the T3 controller for the port you are configuring (where slot/subslot identifies the SPA location and /port identifies the port).
Step 2  Router(config-controller)# atm
        Configures the port (interface) for clear-channel ATM. The router creates an ATM interface whose format is atm slot/subslot/port (where slot/subslot identifies the SPA slot and subslot and /port is the SPA port).
Step 3  Router(config-controller)# exit
        Returns you to global configuration mode.
Step 4  Router(config)# interface atm slot/subslot/port
        Selects the ATM interface for the SPA port in Step 1.
Step 5  Router(config-if)# pvc vpi/vci
        Configures a PVC for the interface and assigns the PVC a VPI and VCI. Do not specify 0 for both the VPI and VCI. See the “Configuring an ATM Pseudowire” section on page 10-22 for details on this command and the next.
Step 6  Router(config-if)# xconnect peer-router-id vcid {encapsulation mpls | pseudowire-class name}
        Configures a pseudowire to carry data from the clear-channel ATM interface over the MPLS network.
Step 7  Router(config-if)# end
        Exits configuration mode.

Configuring SONET (OC-3)

To configure SONET (OC-3) on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, use the following procedure and observe these guidelines:

• One OC-3 has three SONET paths, each of which can have a T3. Each T3 has 28 T1s.
• Each T3 has a submode for T1 configuration.
• Each T1 can be configured to operate in CEM, ATM, or IMA mode.
• ATM can be configured on T1s only. These modes cannot be configured on T1s that are channelized to DS0s.
• CEM groups can be configured on a T1 directly.
• CEM groups can be channelized to DS0s.
• A maximum of 2016 DS0s can be configured.
• A maximum of 576 CEM circuits can be configured.

SONET Controller Configuration

To configure the SONET controller, perform this task:

Command or Action / Purpose
Step 1  Router(config)# controller sonet slot/subslot/port
        Example:
        Router(config)# controller sonet 5/1/0
        Enters the SONET controller configuration submode.
Step 2  Router(config-controller)# framing sonet
        Configures the controller framing for SONET framing (default).
Step 3  Router(config-controller)# sts-1 number
        Specifies the STS identifier.
Step 4  Router(config-ctrlr-sts1)# mode vt-15
        Specifies VT-15 as the STS-1 mode of operation.
Step 5  Router(config-ctrlr-sts1)# vtg 5 t1 1 cem-group 15 timeslots 1-5,20-23
        Creates a virtual tributary group carrying a T1.
Step 6  Router(config-ctrlr-sts1)# exit
        Exits controller configuration mode.

SDH Configuration for AU-4 C-12

This section describes how to enable an interface under SDH framing with AU-4 mapping after configuring the SONET controller.

Command or Action / Purpose
Step 1  Router(config)# controller sonet 5/1/0
        Selects the controller to configure.
Step 2  Router(config-controller)# framing sdh
        Specifies SDH as the framing mode.
Step 3  Router(config-controller)# aug mapping au-4
        Specifies AUG mapping.
Step 4  Router(config-controller)# au-4 1 tug-3 2
        Selects the AU-4 and TUG-3 to configure.
Step 5  Router(config-ctrlr-tug3)# mode c-12
        Specifies the channelization mode for the TUG-3.
Step 6  Router(config-ctrlr-tug3)# tug-2 7 e1 3 atm
        Creates an ATM interface.
Step 7  Router(config-ctrlr-tug3)# tug-2 1 e1 1 ima-group group-number
        Configures the interface to run in IMA mode and assigns the interface to an IMA group.
Step 8  Router(config-ctrlr-tug3)# tug-2 1 e1 1 cem-group 1 unframed
        Creates a SAToP CEM group.
        Router(config-ctrlr-tug3)# tug-2 1 e1 1 cem-group 1 timeslots 1-31
        Creates a CESoPSN CEM group.

SDH Configuration for AU-3 C-11

This section describes how to enable an interface under SDH framing with AU-3 mapping after configuring the SONET controller.

Command or Action / Purpose
Step 1  Router(config)# controller sonet 5/1/0
        Selects the controller to configure.
Step 2  Router(config-controller)# framing sdh
        Specifies the framing mode.
Step 3  Router(config-controller)# aug mapping au-3
        Specifies AUG mapping.
Step 4  Router(config-controller)# au-3 3
        Selects the AU-3 to configure.
Step 5  Router(config-ctrlr-au3)# mode c-11
        Specifies the channelization mode for the link.
Step 6  Router(config-ctrlr-au3)# tug-2 7 t1 4 atm
        Creates an ATM interface.
Step 7  Router(config-ctrlr-au3)# tug-2 1 t1 2 cem-group 1 unframed
        Creates a SAToP CEM group.
        Router(config-ctrlr-au3)# tug-2 1 t1 2 cem-group 2015 timeslots 1-12
        Creates a CESoPSN CEM group.

Configuring Inverse Multiplexing over ATM

Inverse multiplexing over ATM (IMA) allows multiple T1 or E1 links to be bundled together into a high-bandwidth logical link. The rate of the logical IMA link is approximately the sum of the rates of the physical links in the IMA group, although some overhead is required for ATM header and control cells.

Note: IMA is available in Cisco IOS Release 12.2SRC and later releases and is supported on the 24-Port Channelized T1/E1 ATM CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA.

The inverse multiplexing operation is transparent to the ATM layer protocols, and therefore the ATM layer can operate normally, as if only a single physical interface were being used.
In the transmit direction, IMA takes cells from the ATM layer and sends them round-robin over the individual T1 or E1 links in the IMA group. At the receiving end, the cells are recombined into the original cell stream and passed up to the ATM layer.

An IMA device always sends a continuous stream. If no ATM layer cells are being sent, an IMA filler cell is transmitted to maintain a constant stream at the physical layer. IMA Control Protocol (ICP) cells are transmitted periodically between IMA interfaces. ICP cells control the inverse multiplexing function, provide sequencing for the ATM cell stream, and define the IMA frame. With an IMA frame length of 128 cells, one out of every 128 cells on each link is an ICP cell.

Figure 10-3 shows how IMA works. In the figure, IMA performs inverse multiplexing and demultiplexing over four bundled T1 links, providing 5.52 Mbps of bandwidth for packet traffic after subtracting the overhead of ATM cell headers and ICP cells. The transmitting side, from which cells are distributed across the links, is referred to as Tx, and the receiving side, where cells are recombined, is called Rx.

Figure 10-3 IMA Operation

IMA Configuration Guidelines

Follow these guidelines as you configure the CEoP SPA for inverse multiplexing over ATM:
• IMA is supported on the Cisco 7600 SIP-400 with the following CEoP SPAs:
  – 24-Port Channelized T1/E1 ATM CEoP SPA (24 IMA groups per SPA)
  – 1-Port Channelized OC-3 STM1 ATM CEoP SPA (42 IMA groups per SPA)
  – 2-Port T3/E3 ATM CEoP SPA (42 IMA groups per SPA)
• When a T1 or E1 interface is configured for IMA mode, the interface no longer operates as an individual ATM link.
• IMA group numbers (IDs) must be unique on the SPA.
• You cannot mix T1 and E1 lines in the same IMA group.
• The T1 or E1 lines in an IMA group must be on the same CEoP SPA. An IMA group cannot contain T1 or E1 lines from different SPAs.
• Both ends of the T1 or E1 link must be in IMA mode.
(Figure 10-3, not reproduced here, shows a single cell stream from the ATM layer distributed over the T1 or E1 links in the IMA group in the Tx direction, and the cells reassembled according to the IMA group into a single stream to the ATM layer in the Rx direction.)
• IMA is compliant with nonstop forwarding with stateful switchover (NSF/SSO). When a switchover occurs, IMA connections remain up and continue to pass traffic with no interruption in service.
• IMA Control Protocol (ICP) cells and filler cells are discarded by the receiving end; therefore, the counters displayed in show command output do not include these cells.
• The Cisco 7600 SIP-400 supports a maximum transmission unit (MTU) size of 4470 bytes.

To ensure that IMA groups synchronize correctly after a restart, observe the following guidelines as you configure IMA links. For information about restarts, see the description of ima autorestart in the "Configuring IMA Group Parameters" section on page 10-34.
• Each end of an IMA link should have a different IMA group ID. This allows the router, after a restart, to detect links in loopback mode (a link that is communicating with itself instead of with the remote end): when both ends of a link report the same group ID, the link is in loopback.
• If both ends of an IMA link have the same group ID, looped-back links might be the first to respond after a restart, in which case the IMA group could end up communicating with itself instead of with the far end.
• Effective from Cisco IOS Release 15.1(1)S, the number of IMA groups supported on the different versions of the CEoP SPA is:
  – 24-Port T1/E1/J1 SPA (12 IMA groups per SPA)
  – 2-Port T3/E3 SPA (42 IMA groups per SPA)
  – 1-Port OC-3 SPA (42 IMA groups per SPA)
• When the atm bandwidth dynamic command is enabled, all of the permanent virtual circuits (PVCs) configured on an IMA group interface are re-created whenever the total available IMA group bandwidth changes.
• A maximum of 16 links can be configured in an IMA group.

IMA Link Bundle Configuration Overview

You bundle T1 or E1 links together by assigning the links to the same IMA group and configuring a PVC for the links in the group to use.

To assign a T1 or E1 link to an IMA group, issue the ima-group group-number command under the T1 or E1 controller for the port that the link is attached to. Bundle a set of links by issuing ima-group under the controller for each link you want in the bundle, specifying the same group number each time.

The router creates an IMA interface to represent the IMA group (link bundle). The interface has the same slot/subslot as the SPA, followed by the IMA group ID:
  interface atm slot/subslot/ima group-id
For example, atm2/1/ima0 is IMA group 0 on the SPA in slot 2, subslot 1.

The IMA interface has all of the characteristics of an ATM interface and supports any currently supported ATM feature. When all of the T1/E1 interfaces are removed from an IMA group, the IMA interface that represents the group is removed.

To configure the IMA group for operation, you must:
• Configure a PVC for the links in the IMA group to use.
• Define the operating characteristics of the IMA link bundle by configuring IMA group parameters. (See the "Configuring IMA Group Parameters" section on page 10-34.)
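The following Python script is an added example, not part of the Cisco guide, that turns the IMA guidelines above into an automated check: it parses the controller stanzas of a configuration excerpt, flags ima-group assignments that break the documented rules (group IDs 0 through 41, no mixing of T1 and E1 lines in one group, at most 16 links per group, and the loopback-detection guideline that the two ends of a link should use different group IDs), and reproduces the arithmetic behind the 5.52 Mbps figure quoted for four bundled T1s (payload rate per link, 48 payload bytes per 53-byte ATM cell, one ICP cell per 128-cell IMA frame). The sample configuration is constructed from the example later on this page plus two deliberately bad stanzas; the per-link payload rates and the far-end group ID map are assumptions of the example, not values from the guide.

```python
"""Audit IMA link-bundle stanzas against the guidelines in this section.

Added example (not Cisco's code). Group membership is keyed per SPA
(slot/subslot), which mirrors the rule that a group never spans SPAs.
"""
import re
from collections import defaultdict

# Per-link payload rate in Mbps (T1 = 24 x 64 kbps, E1 = 31 x 64 kbps).
# Assumption of this example; the guide quotes only the 5.52 Mbps result.
LINK_PAYLOAD_MBPS = {"t1": 1.536, "e1": 1.984}
MAX_GROUP_ID = 41            # ima-group valid range per the guide
MAX_LINKS_PER_GROUP = 16     # per the guide

CONTROLLER_RE = re.compile(r"^controller\s+(t1|e1)\s+(\d+)/(\d+)/(\d+)$", re.I)
IMA_GROUP_RE = re.compile(r"^ima-group\s+(\d+)$", re.I)

# Constructed sample: the five stanzas from the page's example, then two
# deliberately bad stanzas (an E1 joining a T1 group, and group ID 42).
SAMPLE_CONFIG = """\
controller t1 2/1/0
 ima-group 0
 exit
controller t1 2/1/1
 ima-group 0
 exit
controller t1 2/1/2
 ima-group 0
 exit
controller e1 5/1/0
 ima-group 1
 exit
controller e1 5/1/1
 ima-group 1
 exit
controller e1 2/1/3
 ima-group 0
 exit
controller t1 2/1/4
 ima-group 42
 exit
"""


def parse_ima_members(config_text):
    """Return (link_type, slot, subslot, port, group_id) for each ima-group line."""
    members = []
    current = None                      # controller we are inside, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        m = CONTROLLER_RE.match(line)
        if m:
            current = (m.group(1).lower(), int(m.group(2)), int(m.group(3)), int(m.group(4)))
            continue
        if line in ("exit", "!"):       # leaving the controller submode
            current = None
            continue
        g = IMA_GROUP_RE.match(line)
        if g and current is not None:
            members.append(current + (int(g.group(1)),))
    return members


def audit_ima_groups(members, far_end_group_ids=None):
    """Return human-readable violations; an empty list means the bundles are clean.

    far_end_group_ids optionally maps (slot, subslot, group_id) to the group ID
    configured at the remote end (gathered out of band; an assumption of this
    example) so the loopback-detection guideline can be checked.
    """
    findings = []
    groups = defaultdict(list)          # (slot, subslot, gid) -> [(type, port), ...]
    for link_type, slot, subslot, port, gid in members:
        if not 0 <= gid <= MAX_GROUP_ID:
            findings.append(f"{link_type} {slot}/{subslot}/{port}: ima-group {gid} is outside 0-{MAX_GROUP_ID}")
        groups[(slot, subslot, gid)].append((link_type, port))
    for (slot, subslot, gid), links in groups.items():
        name = f"atm{slot}/{subslot}/ima{gid}"
        types = {t for t, _ in links}
        if len(types) > 1:
            findings.append(f"{name}: mixes {' and '.join(sorted(types))} links")
        if len(links) > MAX_LINKS_PER_GROUP:
            findings.append(f"{name}: {len(links)} links exceeds {MAX_LINKS_PER_GROUP}")
        if far_end_group_ids and far_end_group_ids.get((slot, subslot, gid)) == gid:
            findings.append(f"{name}: far end uses the same group ID, so loopback cannot be detected after a restart")
    return findings


def usable_ima_bandwidth_mbps(link_type, num_links, frame_length=128):
    """Approximate ATM payload bandwidth of an IMA group using the guide's
    accounting: link payload rates summed, minus the 5-byte header of each
    53-byte cell, minus one ICP cell per IMA frame."""
    raw = LINK_PAYLOAD_MBPS[link_type] * num_links
    return raw * (48 / 53) * ((frame_length - 1) / frame_length)


if __name__ == "__main__":
    for finding in audit_ima_groups(parse_ima_members(SAMPLE_CONFIG), {(2, 1, 0): 0}):
        print(finding)
    print(f"4 x T1, frame length 128: {usable_ima_bandwidth_mbps('t1', 4):.2f} Mbps")
```

Run against the clean five-stanza portion the audit returns nothing; the two extra stanzas and the same-ID far end each produce one finding, and the bandwidth helper returns 5.52 Mbps for four T1s at the default frame length, matching the figure quoted for Figure 10-3.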
Configuration Example

The following steps provide an example of configuring an IMA link bundle on the 24-Port Channelized T1/E1 ATM CEoP SPA. Detailed steps are provided in the section that follows.

1. Bundle T1 or E1 links together by creating an IMA group and adding each link to the group. In this example, the T1 links attached to ports 0, 1, and 2 of the CEoP SPA in chassis slot 2, SPA subslot 1, are assigned to the same IMA link bundle (IMA group 0). Likewise, the E1 links attached to ports 0 and 1 of the SPA in chassis slot 5, SPA subslot 1, are assigned to another bundle (IMA group 1).

   controller t1 2/1/0
    ima-group 0
    exit
   controller t1 2/1/1
    ima-group 0
    exit
   controller t1 2/1/2
    ima-group 0
    exit
   controller e1 5/1/0
    ima-group 1
    exit
   controller e1 5/1/1
    ima-group 1
    exit

2. Configure a PVC and MPLS pseudowire for the links in the IMA group to use. In the following example, PVC 0/100 is configured for the T1 links in IMA group 0 and PVC 0/101 is configured for the E1 links in IMA group 1:

   interface atm2/1/ima0
    pvc 0/100 l2transport
     xconnect 10.2.0.1 10 encapsulation mpls
    exit
   interface atm5/1/ima1
    pvc 0/101 l2transport
     xconnect 10.20.0.4 11 encapsulation mpls
    exit

3. Configure IMA group parameters to define how the links in the group are to operate.
In the following example, IMA group 0 is configured to operate with a minimum of 2 active links, independent clock mode, and a frame length of 256:

   interface atm2/1/ima0
    ima active-links-minimum 2
    ima clock-mode independent
    ima frame-length 256
    exit

Configuring an IMA Link Bundle

To configure an IMA link bundle on a 24-Port Channelized T1/E1 ATM CEoP SPA, perform the following steps from global configuration mode:

Command or Action / Purpose
Step 1 Router(config)# controller {t1 | e1} slot/subslot/port  Selects the controller for the link you want to add to an IMA link bundle (an IMA group). slot/subslot/port identifies the chassis slot, SPA subslot, and port being configured.
Step 2 Router(config-controller)# [no] ima-group group-number  Creates an IMA group and adds the link to the group. Use the no form of the command to remove the link from the IMA group. group-number is a unique ID to assign to the group; valid values are 0 through 41.
       Note The group number must be unique on the SPA. The 24-Port Channelized T1/E1 ATM CEoP SPA supports 24 IMA groups.
Step 3 Router(config-controller)# exit  Returns to global configuration mode. Repeat Steps 1 through 3 to add additional links to the IMA link bundle.
       Note All links in an IMA group must be located on the same CEoP SPA.
Step 4 Router(config)# interface atm slot/subslot/ima group-number  Selects the IMA interface for the link bundle you just created and enters interface configuration mode. atm slot/subslot specifies the location of the SPA; ima group-number identifies the IMA group.
Step 5 Router(config-if)# pvc vpi/vci  Configures a PVC for the IMA group and assigns the PVC a VPI and VCI. vpi is the VPI of the PVC; valid values are 0 to 255. vci is the VCI of the PVC.
       Valid values for vci are 32 to one less than the value set by the atm vc-per-vp command.
       Note Do not specify 0 for both the VPI and the VCI.
Step 6 Router(config-if)# xconnect peer-router-id vcid {encapsulation mpls | pseudowire-class name}  Configures a pseudowire to carry data from the IMA link bundle over the MPLS network. See the "Configuring an ATM Pseudowire" section on page 10-22 for details on the command.
Step 7 Router(config-if)# ima command  Configures parameters for the IMA interface. See Table 10-2 for the configuration commands.
Step 8 Router(config-if)# end  Returns you to privileged EXEC mode.

Configuring IMA Group Parameters

Use the commands in Table 10-2 to configure parameters for an IMA group. Issue the commands in interface configuration mode under the IMA interface of the IMA group being configured. Use the no form of each command to turn off a feature or to revert to its default setting.

Note If you modify parameters on an IMA interface, the interface is automatically restarted.

Table 10-2 IMA Interface Parameters

Command Name / Description

[no] ima version {1.0 | 1.1}
  Selects which version of IMA to use. The default is version 1.1.

[no] ima active-links-minimum number
  Specifies the minimum number of IMA links that must be active for the IMA group to be active. number is the number of links; valid values are 1 through 16, and the default is 1. The IMA group is active as long as at least the specified number of links is active; otherwise, the group is brought down and remains out of service until the minimum number of links becomes active again. To determine an appropriate value, consider your application needs and performance requirements, and the number of links in the group.

[no] ima clock-mode {common | independent}
  Sets the transmit clock mode for the links in the IMA group.
  The default is common.
  • common: All links use the same clock (derived from the specified port).
  • independent: Each link uses a different clock.

[no] ima frame-length {32 | 64 | 128 | 256}
  Specifies the number of cells in an IMA frame. The default is 128. Because each IMA frame contains one ICP cell, this parameter also controls how often ICP cells are sent over the links in the IMA group. For example, with a frame length of 64, 1 out of every 64 cells on each link is an ICP cell. The smaller the IMA frame length, the more often ICP cells are sent, which reduces the link bandwidth available for data.

[no] ima test [link link-number] pattern pattern-id
  Sends a continuous test pattern over an IMA link to verify that the link is operational. The pattern is looped back at the receiving end, which is useful for troubleshooting the physical link or configuration problems at the remote end. Use the no form of the command to stop the test.
  • link link-number identifies the IMA link to test. For link-number, specify the link ID displayed by the show ima interface interface command. Valid values are 0 through 15.
  • pattern pattern-id specifies the pattern to use. Valid values are 0 through 255 (0x0 to 0xFF), although 255 is not recommended.
  Note If you do not specify a link, the test pattern is sent over the first available link.

[no] ima differential-delay-maximum milliseconds
  Specifies the maximum allowable differential delay (in milliseconds) among the links in the IMA group. If the delay on any link exceeds this value, that link is dropped from the IMA group. IMA sends cells round-robin over the T1 or E1 links in an IMA group, and every link adds some delay.
  To enable the router to reconstruct the original data stream correctly, IMA adjusts for differences in link delay. If a link's delay exceeds the specified maximum, however, the data stream cannot be reconstructed correctly. Valid values for milliseconds are:
  • 25 to 250 milliseconds (T1)
  • 25 to 190 milliseconds (E1)
  A shorter maximum delay allows less adjustment for variation among link delays. A longer maximum delay can affect overall group performance by adding latency to traffic or causing retransmission.

[no] ima autorestart near-end-id near-end-group-id [far-end-id far-end-group-id]
  Enables the auto restart feature, which controls how IMA groups synchronize after a restart. The no form of the command disables auto restart if it is enabled. See "IMA Auto Restart Examples" for examples.
  When an IMA group stops operating correctly (for example, because of a failure of the CEoP SPA, an IMA link, or the router), the group must be restarted. When a restart occurs, the local IMA group must synchronize with an IMA group at the remote end:
  • If auto restart is disabled (the default), IMA learns the ID of the remote group each time a restart occurs. In this case, the remote IMA group ID might change between restarts.
  • If auto restart is enabled, you can specify which remote IMA group the local group should synchronize with. This keeps an IMA group from synchronizing with an arbitrary group ID.
  The near-end-id and far-end-id keywords identify the IMA groups. Valid values for near-end-group-id are 0 through 41; valid values for far-end-group-id are 0 through 255.
  • near-end-id near-end-group-id is the local IMA group.
  • far-end-id far-end-group-id is the remote IMA group.
  If you specify near-end-id only, the local IMA group learns the ID of the remote group to synchronize with (the first remote IMA group to become active). This learned remote group ID remains in effect until the SPA is reloaded.
  If you specify both near-end-id and far-end-id, the local IMA group synchronizes only with this remote IMA group. Both the near-end and far-end IDs must be the same.

ima restart
  Manually restarts an IMA group. When an IMA group stops operating correctly (for example, because of a link failure), use this command to restart the group after the problem has been corrected.

Verifying the IMA Configuration

To display information about all configured IMA groups, or about a specific group, use the show ima interface command in privileged EXEC mode:

  show ima interface atm slot/subslot/ima group-number [detail]

In the following example, information is displayed for IMA group 1 (on the SPA in slot 5, subslot 0):

  Router# show ima interface atm5/0/ima1
  ATM5/0/ima1 is up, ACTIVATION COMPLETE
    Slot 5 Slot Unit 0 unit 257, CTRL VC 257, Vir 0, VC -1
    IMA Configured BW 12186, Active BW 3046
    IMA version 1.0, Frame length 128
    Link Test: Disabled
    Auto-Restart: Disabled
    ImaGroupState: NearEnd = operational, FarEnd = operational
    ImaGroupFailureStatus = noFailure
  IMA Group Current Configuration:
    ImaGroupMinNumTxLinks = 1        ImaGroupMinNumRxLinks = 1
    ImaGroupDiffDelayMax  = 25       ImaGroupNeTxClkMode   = common(ctc)
    ImaGroupFrameLength   = 128      ImaTestProcStatus     = disabled
    ImaGroupTestLink      = None     ImaGroupTestPattern   = 0x0
    ImaGroupConfLink      = 8        ImaGroupActiveLink    = 2
  IMA Link Information:
    ID   Link            Link Status                    Test Status
    ---- --------------  ------------------------------ ---------------
    0    T1 5/0/0        Up - controller Up             disabled
    1    T1 5/0/1        Up - controller Up             disabled
    2    T1 5/0/2        Down - controller Up           disabled
    3    T1 5/0/3        Down - controller Up           disabled
    4    T1 5/0/4        Down - controller Up           disabled
    5    T1 5/0/5        Down - controller Up           disabled
    6    T1 5/0/6        Down - controller Up           disabled
    7    T1 5/0/7        Down - controller Up           disabled

IMA Auto Restart Examples

IMA auto restart is disabled by default, which means that IMA learns the ID of the remote IMA group each time a restart occurs. To see the current settings for auto restart, issue the show ima interface command and view the Auto-Restart field of the output.

The following examples show different ways to enable auto restart:
• To enable auto restart so that the local IMA group synchronizes with the first remote IMA group that becomes active, issue the command as follows (near-end-group-id identifies the local IMA group). The learned remote group ID remains in effect until the SPA is reloaded.
    ima autorestart near-end-id near-end-group-id
• To specify which remote IMA group the local IMA group should synchronize with, issue the command as follows (near-end-group-id identifies the local IMA group and far-end-group-id identifies the remote IMA group). Both the near-end and far-end IDs must be the same.
    ima autorestart near-end-id near-end-group-id far-end-id far-end-group-id
• To disable auto restart and have IMA learn the remote IMA group ID after each restart, issue the command as follows:
    no ima autorestart

Configuring Clocking

This section provides information about how to configure clocking on the 24-Port Channelized T1/E1 ATM CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA.
It describes the following topics:
• BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400, page 10-37
• Configuring Clock Recovery, page 10-40
• Verifying Clock Recovery, page 10-41
• Configuring Out-of-Band Clocking, page 10-42

BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400

You can use the BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400 feature to select and configure a clock and distribute it across the chassis for use as the transmit reference on all SPA ports. The feature is supported in Cisco IOS Release 12.2SRB on the SPA-24CHT1-CE-ATM, SPA-1CHOC3-CE-ATM, SPA-4XOC3 ATM, and SPA-1xOC12/STM4 POS SPAs.

The line card operates in one of three modes, depending on the configuration and the configured source state:
• Free-running—A line card that is not participating in network clocking, or a line card that is actively sourcing the clock, operates in free-running mode. In this mode, the line card's internal oscillator generates the reference clock to the backplane.
  Note In nonparticipating or disabled mode, the line card distributes a Stratum 3-quality timing signal to an external reference clock. Other interfaces on different line cards receive either the backplane reference clock or the external reference clock, depending on their configurations.
• Normal—In normal mode, the module synchronizes with an externally supplied network timing reference, sourced from one of the chassis BITS inputs or recovered from a network interface. In this mode, the accuracy and stability of the output signal are determined by the accuracy and stability of the input reference.
  Note A line card operates in free-running mode only if the SIP-400 is configured as the active source; otherwise the line cards operate in normal mode.
• Holdover—In holdover mode, the network timing module generates a timing signal based on the timing reference stored while it was operating in normal mode. Holdover mode is selected automatically when the recovered reference is lost or has drifted excessively.
  Note You cannot configure the drift range; it is set internally on the line card to +/-9.2 parts per million (ppm) by default.

Note All line cards operate in free-running mode until network clocking is configured.

Guidelines

Use the following guidelines:
• The SIP-400 operates in free-running mode until network clocking is configured.
• When the network clocking configuration is present in the startup configuration, the clocking configuration is not applied until five minutes after the configuration has been parsed. This prevents clocking instability on the backplane when the interfaces and controllers come up out of order.
• Network clocking is enabled by default for the SIP-400.
• Cisco IOS Release 12.2SRB does not support local network clock configurations or synchronization status messaging (SSM).
• If a source flaps, there is an interval of 180 seconds before the source becomes valid and active again.
• In the event of an Out-of-Range (OOR) switchover (revertive mode), the source switchover occurs when the clock offset crosses the -9.2 ppm or +9.2 ppm threshold. If this occurs, you must reconfigure the source.

Configuration Tasks

To configure network clocking for the Cisco 7600/SIP-400, use the following commands:

Command or Action / Purpose

Router(config)# [no] network-clock select priority {interface | controller | slot | system} interface-name [global] [local]
  Selects an interface or controller and configures it as a network clock source at a particular priority.
  • system—Required for platforms that have an internal clock generator. Not applicable to the Cisco 7600 series routers.
  • priority—Priority of the network clock source. Values range from 1 to 6.
  • interface-name—Configures the selected interface as the network clock source.
  • global—Configures the network clock to use a global configuration.
  • local—Configures the network clock to use a local configuration.
  Note Configure only one source at a time.

Router(config)# [no] network-clock participate slot-number
  Enables a line card to participate in the network clocking feature. This is the default. The no form of this command prevents a line card from participating in network clocking; when a slot is disabled, it can neither source the clock nor take it from the backplane.

Router(config)# [no] network-clock revertive
  Configures revertive behavior for the network clock. When revertive mode is configured and a previously unavailable higher-priority source comes back up, that source becomes the active clock and the previously active source becomes the standby clock. Revertive mode is the default and applies to all types of interface failure. The alternate source is selected only on an interface failure; it is not selected when a source is supplying a bad clock. The no form of this command configures nonrevertive mode.

Router(config)# [no] network-clock switchover marginal-source
  Prevents an interface from sending an OOR clock. A clock that exceeds the +/-9.2 ppm threshold goes into the OOR state and the next alternate source is selected as active. Use the no form of this command to disable it. The default is that switchover occurs on a bad clock.

Router(config-controller)# clock source {line | internal | network}
  Enables network clocking and configures clocking on the interface.
  • line—Clock recovered from the line
  • internal—SPA internal clock or clock from the host
  • network—Network clock or the host card's internal oscillator

Router# show network-clocks
  Displays details about the configured clocks and the current operational clocks, with status information.

Router# show platform hardware network-clocks
  Shows the mode of operation of the line cards along with the relevant SONET clock register settings. This command is available on line card consoles only.

Router# debug network-clock
  Enables debugging of network clocking feature operation.

Router# debug network-clock redundancy
  Enables high availability (HA) related debugging.

Verifying

Use the show platform hardware network-clocks command on the line card console to verify the line card's clocking state:

  SIP-400-4# show platform hardware network-clocks
  SONET Clock Register = 0x20CA8000
  SONET Clock Interrupt Enable Register = 0x0
  SONET Clock Interrupt Status Register = 0x0
  MT90401 Reference : Primary Free Running
     Primary : SPA 0
     Secondary : SPA 0
  Backplane Reference
     Primary DISABLED : SPA 0
     Secondary DISABLED : SPA 0
  Status :
     Lock : 0  HoldOver : 0  SecOOR : 1  PriOOR : 1  CLK_2M_OK : 1
  Config :
     PCCI : 0  FLOCK : 0  ModeSel : 2
  SI5321 CAL Signal : 0
  SI5321 LOS Signal : 0
  SI5321 HoldOver : 0
  SIP-400-4#

Use the show network-clocks command on the RP to verify the configured and active sources:

  Router# show network-clocks
  Active source = SONET 1/3/0
  Active source backplane reference line = Primary Backplane Clock

  All Network Clock Configuration
  ---------------------------------
  Priority  Clock Source   State   Reason
  1         SONET 1/3/0    Valid

  Current operating mode is Revertive
  Current OOR Switchover mode is Switchover
  There are no slots disabled from participating in network clocking

Configuring Clock Recovery

When configuring clock recovery, consider the following guidelines:

Adaptive Clock Recovery
• Clock source:
  – In Cisco IOS Release 12.2(33)SRC and later, both the 1-Port Channelized OC-3 STM1 ATM CEoP SPA and the 24-Port Channelized T1/E1 ATM CEoP SPA can be used as a clock source.
  – In earlier releases, only the 24-Port Channelized T1/E1 ATM CEoP SPA can be a clock source.
  – Effective from Cisco IOS Release 15.1(1)S, the 2-Port T3/E3 CE/ATM SPA supports adaptive clock recovery for T3/E3 CEM. Out-of-band (OOB) clocking for T3/E3 CEM is not supported because of a lack of hardware support.
• Number of clock sources allowed:
  – In Cisco IOS Release 12.2(33)SRC and later, multiple clocks can be sourced for the router: one clock for each SPA.
  – In earlier releases, only a single clock can be sourced for a router.
• The clock must be the same clock that the router uses as its network clock. Any pseudowire can carry the clock in this case.
• The minimum bundle size of CEM pseudowires on the network that delivers robust clock recovery is 4 DS0s.
• The minimum packet size of CEM pseudowires on the network that delivers robust clock recovery is 64 bytes.
Differential Clocking
• The maximum number of differential clocks sourced from a 24-Port Channelized T1/E1 ATM CEoP SPA is 24.
• The 24-Port Channelized T1/E1 ATM CEoP SPA can recover up to 24 T1/E1 clocks.
• Several bundles can be sent from the same port. The bundle used to carry the port's clock is the first bundle created on the port: only pseudowires that include the first DS0 of a port can carry the differential clock.

To configure clock recovery on a 24-Port Channelized T1/E1 ATM CEoP SPA, use the following procedure:

Command or Action / Purpose
Step 1 Router(config)# controller {e1 | t1} slot/subslot/port  Selects the controller.
Step 2 Router(config-controller)# recovered-clock slot/subslot  Specifies the interface for the recovered clock.
Step 3 Router(config-controller)# clock recovered clock-id {adaptive | differential} cem port cem-group  Specifies the recovered clock number and the clock recovery type.
Step 4 Router(config-controller)# clock reference {enhanced | internal}  Specifies the clock reference.
Step 5 Router(config-controller)# clock master  Configures the clock master.
Step 6 Router(config-controller)# clock slave  Configures the clock slave.

To apply the recovered clock to the controller, use the following procedure:

Command or Action / Purpose
Step 1 Router(config)# controller {e1 | t1} slot/subslot/port  Selects the controller.
Step 2 Router(config-controller)# clock source recovered number  Assigns a number to the recovered clock.
Step 3 Router(config-controller)# cem-group number timeslots number  Creates a circuit emulation channel from one or more timeslots of a T1 or E1.
Step 4 Router(config-controller)# recovered-clock slot/subslot  Applies the recovered clock to the interface.
Step 5 Router(config-controller)# clock recovered clock-id {adaptive | differential} cem port cem-group  Specifies the recovered clock number and the clock recovery type.

Verifying Clock Recovery

To verify clock recovery, use the show recovered-clock command. In Cisco IOS Release 12.2SRB1 and later, the command output has been expanded to include the port number and CEM group number.

  Router# show recovered-clock
  Recovered clock status for subslot 3/0
  ----------------------------------------
  Clock   Mode       Port   CEM   Status     Frequency Offset(ppb)
  1       ADAPTIVE   0      1     HOLDOVER   0

  Router# show recovered-clock
  Recovered clock status for subslot 3/0
  ----------------------------------------
  Clock   Mode       Port   CEM   Status      Frequency Offset(ppb)
  1       ADAPTIVE   0      1     ACQUIRING   -694

Use the show platform network-clock command to display the contents of the network clocking registers:

  Router# show platform network-clock
  SONET Clock Register = 0x20EB80C8
  SONET Clock Interrupt Enable Register = 0x0
  SONET Clock Interrupt Status Register = 0x2
  MT90401 Reference : Primary Reserved
     Primary : SPA 0
     Secondary : SPA 0
  Backplane Reference
     Primary ENABLE : SPA 0
     Secondary ENABLE : MT90401
  Status :
     Lock : 0  HoldOver : 1  SecOOR : 1  PriOOR : 1  CLK_2M_OK : 1
  Config :
     PCCI : 0  FLOCK : 0  ModeSel : 3
  SI5321 CAL Signal : 0
  SI5321 LOS Signal : 0
  SI5321 HoldOver : 0

Configuring Out-of-Band Clocking

A TDM network requires a synchronized clock at each end of a connection (the source and the destination): the source and destination clock signals must be synchronized to each other to maintain data integrity on the link. A packet-switched network (PSN), on the other hand, has no clocking strategy, which means that the PSN does not provide frequency synchronization between source and destination routers.
Therefore, to transmit TDM data across a PSN (such as an MPLS network), there must be a way to deliver the clocking signal between the source and destination routers.

Out-of-band clocking provides a way to deliver a clock signal between two CEoP SPAs, which allows the TDM devices connected to the SPAs to communicate with each other. Dedicated pseudowires (called out-of-band clock channels) carry the timing signal between the sending and receiving SPAs. When a TDM device sends data to a destination TDM device, the receiving SPA uses the out-of-band clock channel to recover the clock signal that was used to send the data.

By keeping the timing packets separate from the data packets, out-of-band clocking delivers an extremely accurate timing signal. This timing accuracy is important for mobile wireless applications and other specialized applications that have very low tolerances for packet delay variation (PDV), jitter, and latency in the network. In-band clocking (where timing information is derived from the data stream) does not provide a clock that is accurate enough for these applications.

To set up out-of-band clock channels, you must configure a master clock interface and a slave clock interface on the SPAs and configure pseudowires to connect the master and slave clocks. Instructions for performing these steps are provided later in this section.

Benefits

Out-of-band clocking provides the following benefits:

• Enables mobile wireless providers to migrate from TDM networks to PSNs in order to save on costs and improve scalability.
• CEoP equipment can ignore the contents of the timing packets that are sent over the out-of-band clock channel, because the packets do not contain data.
• Allows the CEoP SPA to be used for applications that use something other than constant bit rate (CBR) data. For example, out-of-band clocking allows the SPA to be used for 3G (data) wireless applications, which use AAL2 in variable bit rate (VBR) mode.
  In addition, out-of-band clocking allows the SPA to be used for 2G (voice) applications.
• Provides recovered clock accuracy that complies with ITU-T specifications G.823 and G.824, which enables the CEoP SPA to be used in mobile and wireless applications (including voice) that require extreme synchronization accuracy.
• Provides an alternative clock-recovery mechanism when adaptive clocking cannot be deployed.
• Enables the CEoP SPA to be the master clock in a PSN.
• Makes it possible to have two master clocks. Previously, only one master clock was possible.

Configuration Guidelines

The following guidelines apply to out-of-band clocking on CEoP SPAs:

• The default packet size for out-of-band clock channels (CEM circuits) is 910 bytes.
• Out-of-band clocking can co-exist with Stateful Switchover (SSO), but it is not SSO compliant. Therefore, if a switchover occurs, the out-of-band clocking functionality is not available for a brief period while the feature is brought back online.
• A CEoP SPA cannot be configured as both a master and a slave clock. To reconfigure a SPA's clock type, you must first remove the existing clock configuration (master or slave).
• Pseudowires for out-of-band clocking are configured under the virtual CEM interface that represents the recovered clock interface. This differs from normal CEM pseudowires, which are configured under the port (controller interface). When no network clock is available, the virtual CEM interface goes down and the pseudowire is disabled; when a valid network clock becomes available again, the interface comes back up and the pseudowire is enabled again. Normal CEM interfaces never go down, even if the associated physical link is down.
• The master clock pseudowire and the slave clock pseudowire should be on different CEoP SPAs.
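The guidelines above, together with the circuit-id and VCID rules from the master and slave clock sections that follow, as an added configuration check in Python (example code written for this page, not from the guide or from Cisco). It parses constructed running-config snippets in the form the guide's PE1/PE2 example uses and reports every rule a master/slave router pair violates; the snippets, function names and finding texts are constructed for this example.

```python
"""Out-of-band clocking configuration checks for a master/slave CEoP SPA pair.

Added example, not Cisco code: it parses constructed running-config snippets
in the form shown in this guide (recovered-clock blocks with clock master|slave,
interface Virtual-cem blocks with cem / xconnect lines) and applies the
guidelines for out-of-band clocking.
"""
import re

VIRTUAL_CEM_PORT = 24               # the virtual CEM interface port is always 24
MASTER_CIRCUIT_IDS = range(0, 64)   # up to 64 channels from a master, ids 0-63
SLAVE_CIRCUIT_IDS = range(0, 2)     # slave: 0 = primary, 1 = secondary clock source

RC_RE = re.compile(r"^recovered-clock (\d+) (\d+)$")
ROLE_RE = re.compile(r"^clock (master|slave)$")
IF_RE = re.compile(r"^interface Virtual-cem(\d+)/(\d+)/(\d+)$")
CEM_RE = re.compile(r"^cem (\d+)$")
XC_RE = re.compile(r"^xconnect (\S+) (\d+) encapsulation mpls$")


def parse_oob_config(text):
    """Return (roles, circuits) for one router's running configuration.

    roles:    {(slot, subslot): set of 'master' / 'slave'}
    circuits: {(slot, subslot, port): {circuit_id: (peer_ip, vcid) or None}}
    """
    roles, circuits = {}, {}
    rc = iface = cem = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):           # '!' terminates a configuration block
            rc = iface = cem = None
            continue
        if m := RC_RE.match(line):
            rc = (int(m[1]), int(m[2]))
            roles.setdefault(rc, set())
        elif (m := ROLE_RE.match(line)) and rc is not None:
            roles[rc].add(m[1])
        elif m := IF_RE.match(line):
            iface = (int(m[1]), int(m[2]), int(m[3]))
            circuits.setdefault(iface, {})
        elif (m := CEM_RE.match(line)) and iface is not None:
            cem = int(m[1])
            circuits[iface][cem] = None
        elif (m := XC_RE.match(line)) and iface is not None and cem is not None:
            circuits[iface][cem] = (m[1], int(m[2]))
    return roles, circuits


def check_oob_clocking(master_cfg, slave_cfg):
    """Apply the out-of-band clocking guidelines to a master/slave router pair.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    sides = {"master": parse_oob_config(master_cfg), "slave": parse_oob_config(slave_cfg)}
    limits = {"master": MASTER_CIRCUIT_IDS, "slave": SLAVE_CIRCUIT_IDS}
    for role, (roles, circuits) in sides.items():
        # Each router must carry its own role, and no SPA may be both master and slave.
        if not any(role in r for r in roles.values()):
            findings.append(f"{role} router: no recovered-clock has 'clock {role}'")
        for (slot, sub), r in roles.items():
            if r == {"master", "slave"}:
                findings.append(f"{role} router: SPA {slot}/{sub} is both master and slave")
        for (slot, sub, port), cems in circuits.items():
            name = f"{role} router: Virtual-cem{slot}/{sub}/{port}"
            if port != VIRTUAL_CEM_PORT:
                findings.append(f"{name}: port must be {VIRTUAL_CEM_PORT}")
            if len(cems) > len(limits[role]):
                findings.append(f"{name}: {len(cems)} circuits exceeds the {role} limit")
            for cid, xc in cems.items():
                if cid not in limits[role]:
                    findings.append(f"{name}: circuit-id {cid} outside "
                                    f"{limits[role].start}-{limits[role].stop - 1}")
                if xc is None:
                    findings.append(f"{name}: cem {cid} has no xconnect")
    # The clock channel only comes up when master and slave use the same VCID.
    master_vcids = {xc[1] for cems in sides["master"][1].values()
                    for xc in cems.values() if xc}
    for (slot, sub, port), cems in sides["slave"][1].items():
        for cid, xc in cems.items():
            if xc and xc[1] not in master_vcids:
                findings.append(f"slave router: Virtual-cem{slot}/{sub}/{port} cem {cid} "
                                f"uses VCID {xc[1]} with no matching master pseudowire")
    return findings


# Constructed snippets in the format of the guide's PE1/PE2 running-config output.
PE1_MASTER = """\
recovered-clock 8 1
 clock master
!
interface Virtual-cem8/1/24
 no ip address
 cem 1
  rtp-present
  xconnect 20.0.0.1 200 encapsulation mpls
!
"""
PE2_SLAVE_OK = PE1_MASTER.replace("clock master", "clock slave").replace("20.0.0.1", "10.0.0.1")
# Wrong role, an invalid slave circuit-id, and a VCID that the master does not use.
PE2_SLAVE_BAD = """\
recovered-clock 8 1
 clock master
!
interface Virtual-cem8/1/24
 no ip address
 cem 0
  xconnect 10.0.0.1 300 encapsulation mpls
 cem 2
  xconnect 10.0.0.1 200 encapsulation mpls
!
"""

if __name__ == "__main__":
    for label, cfg in (("PE2 good", PE2_SLAVE_OK), ("PE2 bad", PE2_SLAVE_BAD)):
        print(label, "->", check_oob_clocking(PE1_MASTER, cfg) or "no findings")
```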
Router Sending Clock (Master Clock)

• You must select the common telecom 19.44 MHz clock as the recovered clock to use for the master clock.
• A maximum of 64 out-of-band clock channels can be configured from the CEoP SPA that provides the master clock signal.
• The out-of-band clock channel (pseudowire) is configured under the virtual CEM interface that represents the SPA from which the master clock is recovered. The xconnect command used to create the clock channel must specify the destination for the clock signal.
• The out-of-band clock stream is sent in SAToP (unframed) format.

Router Recovering Clock (Slave Clock)

• The out-of-band clock signal is always recovered in adaptive mode. The clock signal can then be used to drive all of the ports on the CEoP SPA.
• Two CEM circuits (a primary and a secondary out-of-band channel) can be configured under a slave clock interface, one for each of two master clock signals. This way, the SPA can receive a master clock signal from two separate sources (that is, two master clocks).
• Under the slave clock interface, the xconnect command (used to create the out-of-band clock channel) must specify the router from which the master clock is recovered.

Configuration Overview

The following steps provide a high-level overview of the procedure for configuring out-of-band clocking between two CEoP SPAs. Detailed steps are provided in the sections that follow.

Before you begin, determine which CEoP SPAs have TDM devices connected to them. You must configure an out-of-band clock channel to deliver the clock signal from each SPA that sends TDM data to every destination SPA that receives the data.

1. Use the recovered-clock command to identify the CEoP SPA that is to send TDM data across the MPLS network.
   This SPA's clock is used as the master clock for out-of-band clocking.

2. Configure master and slave clock interfaces to represent the source (clock master) and destination (clock slave) for the out-of-band clock signal. The master and slave clock interfaces (and pseudowires) should be configured on different SPAs.
   a. The master clock interface represents the master clock, which is distributed to all destination CEoP SPAs that receive data from the source TDM device connected to this SPA. (See the "Creating and Configuring the Master Clock Interface" section on page 10-45 for instructions.)
   b. Configure a slave clock interface on each of the SPAs connected to TDM devices that can receive data from the source TDM device. (See the "Configuring the Slave Clock Interface" section on page 10-46 for detailed instructions.)

   Note: When you configure a master or slave clock interface, the router creates a virtual CEM interface to represent this out-of-band clock. The virtual CEM interface has the same slot and subslot as the CEoP SPA from which the master clock is recovered, and the port number is always 24. For example, if the clock signal is recovered from the SPA in slot 8, subslot 1 (recovered-clock 8 1), the virtual CEM interface is virtual-cem8/1/24.

3. Under both the master and slave clock interfaces, use the cem circuit-id command to configure CEM circuits to represent the out-of-band channels that will distribute the clock signal over the MPLS network. Each CEM circuit represents a separate out-of-band channel for delivering the clock signal from the source (master clock) to a destination TDM device (slave clock). The out-of-band clock channel itself is created when you issue the xconnect command in the next step.
   – Under the master clock interface, you can configure up to 64 CEM circuits, one for each of the destination TDM devices that will use this clock signal as its master clock.
   – Under the slave clock interface (on the destination TDM device), you can configure one or two CEM circuits. Two CEM circuits are allowed because the clock slave can receive a clock signal from two master clocks.

   Note: Each out-of-band clock channel requires two CEM circuits (one on the master clock interface and one on the slave clock interface). Each CEM circuit represents the CEM attachment circuit at one end of the out-of-band clock channel.

4. Create the out-of-band channel for the clock signal by using the xconnect command to configure two pseudowires between the CEM circuit on the master clock interface and the CEM circuit on the slave clock interface. The master clock pseudowire and the slave clock pseudowire should be on different SPAs; however, you should use the same VCID for both pseudowires.
   a. Under the master clock interface, configure a pseudowire to the destination device (slave clock).
   b. Under the slave clock interface (on the SPA that connects to the destination TDM device), configure a pseudowire to the router that contains the master clock interface.

Creating and Configuring the Master Clock Interface

To create the master clock interface for out-of-band clocking, perform the steps in the first procedure below; to configure the out-of-band channel to use for the master clock signal, perform the steps in the second procedure.

Note: A CEoP SPA cannot be configured as both master and slave at the same time. To reconfigure a SPA's clock type, you must first remove the existing clock configuration.

Command or Action / Purpose
Step 1   Router(config)# recovered-clock slot/subslot
         Specifies the slot and subslot of the CEoP SPA from which to recover the master clock signal. This is the SPA from which the TDM data will be sent.
         Note: You must specify the 19.44 MHz clock as the recovered clock to use as the clock master.
Step 2   Router(config)# clock master
         Specifies that the recovered clock is to be used as the master clock signal for out-of-band clocking. The router creates a virtual CEM interface for the master clock. Go to the following steps to configure an out-of-band channel to use for the master clock.

Command or Action / Purpose
Step 1   Router(config)# int virtual-cem slot/subslot/port
         Selects the virtual CEM interface for the master clock and enters interface configuration mode. The interface has the same slot and subslot as the SPA from which the master clock was recovered (Step 1 in the preceding task), and the port number is always 24.
Step 2   Router(config-if)# cem circuit-id
         Creates a CEM attachment circuit for the master clock signal. Valid values for circuit-id are 0 to 63.
         Note: You can configure up to 64 CEM circuits under the master clock interface.
Step 3   Router(config-if-cem)# xconnect peer-router-id vcid encapsulation mpls
         Configures an out-of-band channel (pseudowire) to carry the master clock signal.
         • peer-router-id is the IP address of the router that is connected to the destination TDM device.
         • vcid is a 32-bit identifier for the pseudowire.
         • encapsulation mpls sets MPLS as the tunneling mode.
         Note: Use the same vcid for the master and slave clock pseudowires; otherwise, the clock channel does not come up.
Step 4   Router(config-if-cem-xconn)# end
         Exits CEM interface configuration mode and returns you to privileged EXEC mode.

Configuring the Slave Clock Interface

To configure the slave clock interface and the out-of-band channel to use for out-of-band clocking, perform the following steps. Configure a slave clock interface on every CEoP SPA that receives TDM data from the SPA configured as the master clock in the preceding section.
Command or Action / Purpose
Step 1   Router(config)# recovered-clock slot/subslot
         Specifies the slot and subslot of the CEoP SPA from which the master clock is recovered.
Step 2   Router(config)# clock slave
         Creates a virtual CEM interface to represent the clock slave for out-of-band clocking.
Step 3   Router(config)# int virtual-cem slot/subslot/port
         Enters configuration mode for the virtual CEM interface that represents the clock slave.
         • slot/subslot is the slot and subslot of the SPA from which the master clock was recovered (Step 1 above).
         • port is always 24.
Step 4   Router(config-if)# cem circuit-id
         Creates a CEM attachment circuit for the clock slave. The circuit-id value can be:
         • 0: the primary clock source.
         • 1: the secondary clock source.
         Note: You can configure up to two CEM circuits, one for each of two master clock signals.
Step 5   Router(config-if-cem)# xconnect peer-router-id vcid encapsulation mpls
         Configures an out-of-band channel (pseudowire) to carry the clock signal.
         • peer-router-id is the IP address of the router that is connected to the source TDM device.
         • vcid is a 32-bit identifier for the pseudowire.
         • encapsulation mpls sets MPLS as the tunneling mode.
         Note: Use the same VCID for the master and slave clock pseudowires; otherwise, the clock channel does not come up.
Step 6   Router(config-if-cem-xconn)# end
         Exits CEM interface configuration mode and returns you to privileged EXEC mode.

Verifying Out-of-Band Clocking

This section lists the show commands that you can use to verify the out-of-band clocking configuration.

• Use the show ip interface brief command to display the virtual CEM interfaces that the router created to represent the master and slave clock interfaces. The output in the following example shows only the virtual CEM interface.
  Information for all other interfaces is omitted from the display.

Router# show ip int brief
. . .
Virtual-cem8/1/24      unassigned      YES unset  up                    up
. . .

• Use the show cem circuit command to display a list of the CEM circuits configured on the SPA. The command displays both normal and out-of-band clocking CEM circuits.

Router# show cem circuit
CEM Int.             ID   Line   Admin   Circuit   AC
--------------------------------------------------------------
CEM8/1/1             1    DOWN   DOWN    Active    --/--
Virtual-cem8/1/1          DOWN   UP      Active    UP

• Use the show cem interface virtual-cem slot/subslot/port command to display information about a particular virtual CEM interface:

Router# show cem interface virtual-cem 8/1/24
(Virtual-cem8/1/24) State: CONFIG COMPLETE
Virtual CEM Slave Clock Interface
Slot 8, Slot Unit 88, VC -1
Total cem circuits: 1
Cem circuits up   : 1
Cem circuits down : 0

• Use the show run interface virtual-cem slot/subslot/port command to display the current running configuration for the specified interface:

Router# show run int virtual-cem 8/1/24
Building configuration...

Current configuration : 117 bytes
!
interface Virtual-cem8/1/24
 no ip address
 cem 1
  rtp-present
  xconnect 20.0.0.1 300 encapsulation mpls
!
end

• Use the show run | begin recovered command to display the recovered clock being used for out-of-band clocking:

Router# show run | begin recovered
recovered-clock 8 1
 clock master

• On the clock slave, you can use the show recovered-clock command to display the status of the out-of-band clock:

Router# show recovered-clock
Recovered clock status for subslot 3/0
----------------------------------------
Clock   Mode       Port   CEM   Status     Frequency Offset(ppb)
ENHANCED PRIMARY   0      HOLDOVER   0

Removing the Out-of-Band Clocking Configuration

Use the following commands to delete the various components used for out-of-band clocking:

• To remove a CEM circuit, use the no cem circuit-id command (where circuit-id is the number assigned to the circuit). Issue the command under the virtual CEM interface where the circuit exists.

Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int virtual-cem 8/1/24
Router(config-if)# no cem 1
Router(config-if)# end

• To remove a virtual CEM interface, use the no clock master or no clock slave command in recovered-clock configuration mode, as shown in the following examples. Note that the virtual CEM interface is not deleted when you remove the last CEM circuit under the interface.

Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# recovered-clock 8 1
Router(config-clock)# no clock master
Router(config-clock)# end
Router#

In the following example, the no clock slave command deletes the slave clock interface for the recovered clock (which is 8/1):

Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# recovered-clock 8 1
Router(config-clock)# no clock slave
Router(config-clock)# end
Router#

Out-of-Band Clocking Configuration Example

This section provides an example of how to configure out-of-band clocking between two CEoP SPAs. It is divided into several configuration sections.

Configuring the Master Clock Interface

The following example shows how to configure a CEoP SPA as a master clock and verify the configuration:

Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# recovered-clock ?
  <0-14>  Slot number
Router(config)# recovered-clock 8 1
Router(config-clock)# clock ?
  master     Configure clock master on the card
  recovered  Configure recovered clock on the card
  reference  Configure reference clock on the card
  slave      Configure clock slave on the card
Router(config-clock)# clock master
Router(config-clock)# end
Router# show run | begin recovered
recovered-clock 8 1
 clock master

Configuring the Slave Clock Interface

Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# recovered-clock 8 1
Router(config-clock)# clock slave
Router(config-clock)# end
Router#
Router# show run | begin recovered-clock
recovered-clock 8 1
 clock slave

Verifying the Virtual CEM Interface Configuration

The router creates a virtual CEM interface when you configure either the master or the slave clock interface. You can view the interface using the show ip interface brief command:

Router# show ip int br
…
Virtual-cem8/1/24      unassigned      YES unset  up                    up
…
Router# sh run int Virtual-cem 8/1/24
Building configuration...

Current configuration : 50 bytes
!
interface Virtual-cem8/1/24
 no ip address
end

Configuring CEM Circuits for Out-of-Band Clocking Example

This section provides an example of how to configure CEM circuits and pseudowires for out-of-band clocking. The sample configuration shows the circuits and pseudowires configured on a CEoP SPA in PE1, which sends TDM data to another CEoP SPA in PE2.

You configure CEM circuits for the master and slave clocks under the virtual CEM interface that represents the recovered clock being used for out-of-band clocking. This differs from normal CEM circuits, which are configured under the SPA controller through the cem-group command. Issuing the xconnect command under the master and slave CEM circuits configures an out-of-band clock channel that sends the clock signal from the sending SPA to the receiving SPA. Note that normal CEM pseudowires are configured under the SPA controller interface.

Out-of-Band Clocking (PE1)

PE1# conf t
PE1(config)# int virtual-cem 8/1/24
PE1(config-if)# cem 1
PE1(config-if-cem)# xconnect 20.0.0.1 200 encap mpls
PE1(cfg-if-cem-xconn)# end
PE1# show run int Virtual-CEM 8/1/24
Building configuration...

Current configuration : 117 bytes
!
interface Virtual-cem8/1/24
 no ip address
 cem 1
  rtp-present
  xconnect 20.0.0.1 200 encapsulation mpls
!
end

Out-of-Band Clocking (PE2)

PE2# conf t
PE2(config)# int virtual-cem 8/1/24
PE2(config-if)# cem 1
PE2(config-if-cem)# xconnect 10.0.0.1 200 encap mpls
PE2(cfg-if-cem-xconn)# end
PE2# show run int Virtual-CEM 8/1/24
Building configuration...

Current configuration : 117 bytes
!
interface Virtual-cem8/1/24
 no ip address
 cem 1
  rtp-present
  xconnect 10.0.0.1 200 encapsulation mpls
!
end

Configuring CEM Parameters

The following sections describe the parameters you can configure for CEM circuits.
Note: The CEM parameters at the local and remote ends of a CEM circuit must match; otherwise, the pseudowire between the local and remote PE routers will not come up.

Configuring Payload Size (Optional)

To specify the number of bytes encapsulated into a single IP packet, use the payload-size size command. The size argument specifies the number of bytes in the payload of each packet. The range is from 32 to 1313 bytes.

Default payload sizes for an unstructured CEM channel are as follows:

• E1 = 56 bytes
• T1 = 192 bytes
• T3/E3 = 1024 bytes

Default payload sizes for a structured CEM channel depend on the number of time slots that constitute the channel. Payload size (L, in bytes), number of time slots (N), and packetization delay (D, in milliseconds) have the following relationship: L = 8 * N * D. The default payload size is selected so that the packetization delay is always 1 millisecond. For example, a structured CEM channel of 16 x DS0 has a default payload size of 128 bytes. For structured CEM channels, the payload size must be an integer multiple of the number of time slots.

Setting the Dejitter Buffer Size

To specify the size of the dejitter buffer used to compensate for the network filter, use the dejitter-buffer size command. The configured dejitter buffer size is converted from milliseconds to packets and rounded up to the next integral number of packets. Use the size argument to specify the size of the buffer, in milliseconds. The range is from 1 to 500 ms; the default is 5 ms.

Setting the Idle Pattern (Optional)

To specify the idle pattern, use the [no] idle-pattern pattern command. The payload of each lost CESoPSN data packet must be replaced with the equivalent amount of replacement data.
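The payload-size and dejitter-buffer rules above, and the requirement that both ends of a circuit use matching parameters, as an added worked check in Python (example code written for this page, not from the guide or from Cisco). It applies L = 8 * N * D with the guide's symbols; the conversion of the dejitter buffer to packets divides the buffer by the packetization delay D of the configured payload, which is this example's assumption since the guide states only that the result is rounded up to whole packets. The parameter dictionaries, function names and sample values are constructed for this example.

```python
"""CEM circuit parameter checks for a structured (CESoPSN) or unstructured (SAToP) circuit.

Added example, not Cisco code. Rules applied: L = 8 * N * D for structured
channels (default D = 1 ms), the fixed unstructured defaults, the 32-1313 byte
payload range, the multiple-of-N rule, the 1-500 ms dejitter range, the
0x0-0xFF pattern range, and matching parameters at both ends of the circuit.
"""
import math

UNSTRUCTURED_DEFAULT_PAYLOAD = {"e1": 56, "t1": 192, "t3": 1024, "e3": 1024}
PAYLOAD_RANGE = (32, 1313)        # bytes
DEJITTER_RANGE_MS = (1, 500)      # milliseconds
DEJITTER_DEFAULT_MS = 5
DEFAULT_PACKETIZATION_MS = 1      # the default payload size always gives D = 1 ms
PATTERN_RANGE = (0x0, 0xFF)       # idle-pattern and dummy-pattern values


def default_payload_size(channel, timeslots=None):
    """Default payload in bytes: fixed per line type when unstructured, else L = 8*N*D."""
    if timeslots is None:
        return UNSTRUCTURED_DEFAULT_PAYLOAD[channel.lower()]
    return 8 * timeslots * DEFAULT_PACKETIZATION_MS


def packetization_delay_ms(payload_size, timeslots):
    """Invert L = 8*N*D to recover the per-packet delay D of a structured channel."""
    return payload_size / (8 * timeslots)


def dejitter_buffer_packets(dejitter_ms, payload_size, timeslots):
    """Milliseconds -> packets, rounded up to the next whole packet (assumption: one
    packet covers D milliseconds of the channel)."""
    return math.ceil(dejitter_ms / packetization_delay_ms(payload_size, timeslots))


def validate_cem_params(params, timeslots=None):
    """Check one end's parameters. Recognised keys: payload_size (bytes),
    dejitter_buffer (ms), idle_pattern, dummy_mode, dummy_pattern."""
    findings = []
    size = params.get("payload_size")
    if size is not None:
        lo, hi = PAYLOAD_RANGE
        if not lo <= size <= hi:
            findings.append(f"payload-size {size} outside {lo}-{hi} bytes")
        elif timeslots and size % timeslots:
            findings.append(f"payload-size {size} is not a multiple of {timeslots} time slots")
    dj = params.get("dejitter_buffer", DEJITTER_DEFAULT_MS)
    lo, hi = DEJITTER_RANGE_MS
    if not lo <= dj <= hi:
        findings.append(f"dejitter-buffer {dj} ms outside {lo}-{hi} ms")
    for key in ("idle_pattern", "dummy_pattern"):
        val = params.get(key)
        if val is not None and not PATTERN_RANGE[0] <= val <= PATTERN_RANGE[1]:
            findings.append(f"{key.replace('_', '-')} {val:#x} outside 0x0-0xFF")
    if params.get("dummy_mode") == "user-defined" and "dummy_pattern" not in params:
        findings.append("dummy-mode user-defined requires a dummy-pattern")
    return findings


def compare_circuit_ends(local, remote, timeslots=None):
    """Validate both ends, then report every parameter on which they differ
    (a mismatch keeps the pseudowire from coming up)."""
    findings = [f"local: {f}" for f in validate_cem_params(local, timeslots)]
    findings += [f"remote: {f}" for f in validate_cem_params(remote, timeslots)]
    for key in sorted(set(local) | set(remote)):
        if local.get(key) != remote.get(key):
            findings.append(f"{key} differs: local={local.get(key)} remote={remote.get(key)}")
    return findings


if __name__ == "__main__":
    # Constructed parameters for a 16 x DS0 structured circuit; the remote end
    # was left at the T1 unstructured default by mistake.
    local = {"payload_size": 128, "dejitter_buffer": 5, "idle_pattern": 0xFF}
    remote = {"payload_size": 192, "dejitter_buffer": 5, "idle_pattern": 0xFF}
    print("default 16xDS0 payload:", default_payload_size("t1", 16))
    print("5 ms dejitter at 128 bytes:", dejitter_buffer_packets(5, 128, 16), "packets")
    print(compare_circuit_ends(local, remote, 16))
```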
The range for pattern is from 0x0 to 0xFF; the default idle pattern is 0xFF.

Enabling Dummy Mode

Dummy mode enables a bit pattern for filling in for lost or corrupted frames. To enable dummy mode, use the dummy-mode [last-frame | user-defined] command. The default is last-frame. The following is an example:

Router(config-cem)# dummy-mode last-frame

Setting the Dummy Pattern

If dummy mode is set to user-defined, you must use the dummy-pattern pattern command to configure the dummy pattern. The range for pattern is from 0x0 to 0xFF. The default dummy pattern is 0xFF. The following is an example:

Router(config-cem)# dummy-pattern 0x55

Shutting Down a CEM Channel

To shut down a CEM channel, use the shutdown command in CEM configuration mode. The shutdown command is supported only under CEM mode and not under the CEM class.

Configuring Access Circuit Redundancy on CEoP and ATM SPAs

Access Circuit Redundancy (ACR) is supported on CEoP and ATM SPAs. This support enables local switching for ATM, IMA, and CEM interfaces. Similar to the virtual ACR interface for ATM SPAs, virtual CEM-ACR, IMA-ACR, and ATM-ACR interfaces are created depending on the configuration. For configuring ACR and the virtual ACR interface for ATM SPAs, see Configuring Access Circuit Redundancy on SIP-400 ATM SPAs, page 7-65.

Restrictions and Usage Guidelines

Follow these restrictions and usage guidelines while configuring ACR on CEoP and ATM SPAs:

• ACR support for CEoP SPAs applies to ATM, IMA, and CEM interfaces on the same router. The support is not extended to multi-level routers.
• Configure the framing manually under the virtual controller and under the two physical member controllers. This is consistent across the interfaces.
• You can configure a maximum of 256 controllers in ACR groups on a single router. However, the Cisco 7600 router can hold a maximum of 44 CEoP SPAs, which restricts the maximum number of ACR controllers to 22.
• You cannot configure ACRs within the physical ATM, CEM, or IMA interfaces that are part of the ACR group; this is allowed only on the ATM-ACR, CEM-ACR, and IMA-ACR interfaces.

Configuring the ACR Group

This section provides the configuration for ACR on ATM, IMA, and CEM interfaces.

SUMMARY STEPS

Step 1   enable
Step 2   configure terminal
Step 3   controller sonet slot/subslot/port
Step 4   aps group acr acr-no
Step 5   aps working circuit-number
Step 6   exit
Step 7   controller sonet slot/subslot/port
Step 8   aps group acr acr-no
Step 9   aps protect circuit-number ip-address
Step 10  aps revert minutes
Step 11  exit

DETAILED STEPS

Command or Action / Purpose
Step 1   Router# enable
         Enables privileged EXEC mode.
Step 2   Router# configure terminal
         Enters global configuration mode.
Step 3   Router(config)# controller sonet slot/subslot/port
         Selects the controller to configure and enters controller configuration mode.
Step 4   Router(config-controller)# aps group acr acr-no
         Configures the APS group for the controller. The acr keyword configures the ACR group on top of APS; acr-no specifies a group number between 0 and 255. An ACR virtual controller is created.
Step 5   Router(config-controller)# aps working circuit-number
         Identifies the interface as the working interface. circuit-number is the identification number for this particular channel in the APS pair. Because the interface supports only 1+1 redundancy, the valid values are 0 or 1, and the default value for the working interface is 1.
Step 6   Router(config-controller)# exit
         Exits interface configuration mode and returns to privileged EXEC mode.
Step 7   Router(config)# controller sonet slot/subslot/port
         Selects the controller to configure and enters controller configuration mode.
Step 8   Router(config-controller)# aps group acr acr-no
         Enables the use of the APS Protect Group Protocol for the working interface.
Step 9   Router(config-controller)# aps protect circuit-number ip-address
         Identifies this interface as the protect interface:
         • circuit-number is the identification number for this particular channel in the APS pair. Because only 1+1 redundancy is supported, the only valid values are 0 or 1, and the protect interface defaults to 0.
         • ip-address is the IP address of the loopback interface. The protect interface uses this IP address to communicate with the working interface.
         The APS group can be active or inactive. Active: the interface that is currently sending and receiving data. Inactive: the interface that is currently standing by to take over when the active interface fails.
Step 10  Router(config-controller)# aps revert minutes
         Configures the ACR interface to revert. The minutes argument specifies the time, in minutes, after which the revert process begins.
         Note: Use the aps revert command only under the protect member of the ACR group. To create an ACR interface without any members attached, use the interface acr acr-no command.
Step 11  Router(config-controller)# exit
         Exits interface configuration mode and returns to privileged EXEC mode.
Example 10-1 Configuring ACR Interface

This is an example of configuring an ACR interface:

ACR-PE2# Configure terminal
ACR-PE2(config)# Controller sonet 4/1/0
ACR-PE2(config-controller)# aps group acr 1
ACR-PE2(config-controller)# aps working 1
ACR-PE2(config-controller)# exit
ACR-PE2(config)# controller sonet 3/1/0
ACR-PE2(config-controller)# aps group acr 1
ACR-PE2(config-controller)# aps protect 1 4.1.1.1
ACR-PE2(config-controller)# do show ip interface br | incl Loop
Loopback0      4.1.1.1      YES NVRAM  up                    up
ACR-PE2(config-controller)# end

Verifying ACR Group

ACR-PE2# show acr group
ACR Group   Working I/f   Protect I/f   Currently Active   Status
--------------------------------------------------------------------------
1           SONET 4/1/0   SONET 3/1/0   SONET 4/1/0

Configuring CEM, ATM, and IMA Interfaces

This section provides the configuration for CEM, ATM, and IMA interfaces:

SUMMARY STEPS

Step 1   enable
Step 2   configure terminal
Step 3   controller sonet 5/1/0
Step 4   sts-1 2
Step 5   vtg 3 t1 2 atm
         or vtg 1 t1 1 ima-group group-number
         or vtg 2 t1 1 cem-group 1 unframed
         or vtg 2 t1 4 cem-group 2 timeslots 1-5,14
Step 6   exit

DETAILED STEPS

Command or Action / Purpose
Step 1   Router# enable
         Enables privileged EXEC mode.
Step 2   Router# configure terminal
         Enters global configuration mode.
Step 3   Router(config)# controller sonet 5/1/0
         Selects the controller to configure.
Step 4   Router(config-controller)# sts-1 2
         Specifies the STS identifier.
Step 5   Router(config-ctrlr-sts1)# vtg 3 t1 2 atm
         Creates a T1 (VT1.5) ATM interface.
         or Router(config-ctrlr-sts1)# vtg 1 t1 1 ima-group group-number
         Configures the interface to run in IMA mode and assigns the interface to an IMA group.
         or Router(config-ctrlr-sts1)# vtg 2 t1 1 cem-group 1 unframed
         Creates a single SAToP CEM group.
         or Router(config-ctrlr-sts1)# vtg 2 t1 4 cem-group 2 timeslots 1-5,14
         Creates a CESoPSN CEM group.
Step 6   Router(config-controller)# exit
         Exits interface configuration mode and returns to privileged EXEC mode.

Example 10-2 Configuring CEM Interface

ACR-PE2# Configure terminal
ACR-PE2(config)# controller sonet-acr 1
ACR-PE2(config-ctrlr-sts1)# sts-1 1
ACR-PE2(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 1 timeslots 1-10
ACR-PE2(config-ctrlr-sts1)# sts-1 2
ACR-PE2(config-ctrlr-sts1)# vtg 1 t1 2 atm
ACR-PE2(config-ctrlr-sts1)# vtg 1 t1 2 ima 10
ACR-PE2(config-ctrlr-sts1)# end
ACR-PE2# show run | sec SONET-ACR 1
controller SONET-ACR 1
 framing sonet
 !
 sts-1 1
  mode vt-15
  vtg 1 t1 1 cem-group 1 timeslots 1-10      >>>> CEM configs
  vtg 1 t1 2 ima-group 10                    >>>>>>>>>>>>>>>>> IMA configs
 !
 sts-1 2
  mode vt-15
  vtg 1 t1 2 atm                             >>>>>>>>>>>>>>>>>>>>>>>> ATM configs
 !
 sts-1 3
  mode vt-15
ACR-PE2# show ip int br | incl ACR
CEM-ACR1             unassigned      YES unset  up                    up
ATM-ACR1.2/1/2       unassigned      YES unset  down                  down
IMA-ACR1/ima10       unassigned      YES unset  up                    up

Verifying CEM Interface

ACR-PE2# show cem circuit
CEM Int.    ID   Ctrlr   Admin   Circuit   AC
--------------------------------------------------------------
CEM-ACR1    1    UP      UP      Active    --/--

Configure IMA-ACR Interface

ACR-PE2# configure terminal
ACR-PE2(config)# int IMA-ACR1/ima10
ACR-PE2(config-controller)# pvc 89/90 l2trans
ACR-PE2(cfg-if-atm-l2trans-pvc)# end

Show Commands

This section includes show commands for ACR:

ACR-PE2# show acr group 1 detail cem
ACR Group   Working I/f   Protect I/f   Currently Active   Status
--------------------------------------------------------------------------
CE1         CEM4/1/0      CEM3/1/0      CEM4/1/0
CEM CKT Details
Cktid   State on Working    State on Protect
1       Provision Success   Provision Success

ACR-PE2# show acr group 1 detail atm
ACR Group   Working I/f      Protect I/f      Currently Active   Status
--------------------------------------------------------------------------
AT1.2/1/2   ATM4/1/0.2/1/2   ATM3/1/0.2/1/2   ATM4/1/0.2/1/2
ATM PVC Detail
VPI   VCI   State on Working   State on Protect
23    34    Unknown            Unknown

ACR-PE2# show acr group 1 detail ima
ACR Group   Working I/f    Protect I/f    Currently Active   Status
--------------------------------------------------------------------------
IM1/ima10   ATM4/1/ima10   ATM3/1/ima10   ATM4/1/ima10
ATM PVC Detail
VPI   VCI   State on Working    State on Protect
89    90    Provision Success   Provision Success

Troubleshooting the ACR Configuration

This section lists the supported debug commands for troubleshooting the ACR configuration:

• debug acr events: Provides details on all events occurring on the ACR interface.
• debug acr errors: Provides debugging information on errors.
• debug acr state: Provides debugging information on state changes, that is, when a switchover occurs.
• debug cem events: Debugging informationto create and delete CEM circuits.10-57 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 10 Configuring the CEoP and Channelized ATM SPAs Configuring Layer 3 QoS on CEoP SPAs • debug cem errors: Debugging information about possible errors while creating and deleting of CEM circuits. • debug cem states: Debugs to show the state changes of CEM circuits. Configuring Layer 3 QoS on CEoP SPAs The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For more information about the QoS features supported by the CEoP SPAs, see the Configuring QoS Features on a SIP, page 4-94 of Chapter 4, “Configuring the SIPs and SSC.” Restrictions and Guidelines Follow these restrictions and guidelines for the 24-Port Channelized T1/E1 ATM CEoP SPA, the 2-Port Channelised T3/E3 ATM CEoP SPA, and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA: • In the ingress direction, all QoS features are supported by the Cisco 7600 SIP-400. • The VC QoS on VP-PW feature works only with the single cell relay function and not with packed cell relay. • In the egress direction: – All queueing-based features such as class-based weighted fair queueing (CBWFQ), ATM per-VC weighted fair queueing (WFQ), Weighted Random Early Detection (WRED), and shaping are implemented on the SIP-400 unlike the ATM SPA. – Policing, classification, and marking are also implemented on the SIP-400. – Class based shaping is supported. For more support information, see QoS Congestion Management and Avoidance Feature Compatibility by SIP and SPA Combination. 
Supported Interfaces for CEoP SPA

The following interfaces are supported:
• P2P and multipoint permanent virtual circuit (PVC) under the main interface
• P2P and multipoint PVC under the subinterface
• P2P and multipoint L2 PVC under the main interface: AAL5 and AAL0 (sustainable cell rate (SCR) and peak cell rate (PCR))
• P2P and multipoint L2 PVC under the subinterface: AAL5 and AAL0 (SCR and PCR)
• Any Transport over MPLS (AToM) interworking
• Inverse multiplexing (IMA)

Configuration

To configure the QoS features on the CEoP SPA, complete these steps:

SUMMARY STEPS
Step 1   enable
Step 2   configure terminal
Step 3   interface atm slot/subslot/port subinterface point-to-point
Step 4   ip address address mask
Step 5   pvc vpi/vci
Step 6   service-policy in policy-map-name
Step 7   service-policy out policy-map-name
Step 8   end

DETAILED STEPS

Command or Action / Purpose

Step 1   enable
         Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2   configure terminal
         Purpose: Enters global configuration mode.
Step 3   interface atm slot/subslot/port subinterface point-to-point
         Purpose: Specifies or creates a subinterface, and enters subinterface configuration mode. These are the parameters:
         • slot—Specifies the chassis slot number where the SIP is installed.
         • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
         • port—Specifies the number of the interface port on the SPA.
         • subinterface—Specifies the number of the subinterface on the interface port.
         • point-to-point—Specifies a point-to-point subinterface.
Step 4   ip address address mask [secondary]
         Purpose: (Optional) Assigns the specified IP address and subnet mask to the interface. Repeat the command with the optional secondary keyword to assign additional, secondary IP addresses to the port.
Step 5   pvc vpi/vci
         Purpose: Assigns a virtual path identifier (VPI) and a virtual circuit identifier (VCI).
Step 6   service-policy in policy-map-name
         Purpose: Attaches ingress QoS to the configuration.
Step 7   service-policy out policy-map-name
         Purpose: Attaches egress QoS to the configuration.
Step 8   end
         Purpose: Exits interface configuration mode and returns to privileged EXEC mode.

Sample Configuration

This is an example of configuring Layer 3 QoS on CEoP SPAs.

Router# configure terminal
Router(config)# interface ATM3/0/0.1/1/1 point-to-point
Router(config-if)# ip address 24.0.0.1 255.255.255.0
Router(config-if)# pvc 1/40
Router(config-if-atm-vc)# service-policy in omni_flat_ingress10
Router(config-if-atm-vc)# service-policy out flat_brr10
Router(config-if-atm-vc)# end

Verifying the Configuration

This section provides the commands to verify the configuration.

Router# show run interface ATM3/0/0.1/1/1.1
interface ATM3/0/0.1/1/1.1 point-to-point
 ip address 24.0.0.1 255.255.255.0
 no atm enable-ilmi-trap
 bfd interval 50 min_rx 100 multiplier 3
 pvc 10/100
  protocol ip 24.0.0.2
  oam-pvc manage
  service-policy in omni_flat_ingress11
  service-policy out omni_flat11
 !
end

Router# show policy-map interface ATM3/0/0.1/1/1
 ATM3/0/0.1/1/1: VC 1/40 -

  Service-policy input: omni_flat_ingress10

    Counters last updated 00:00:03 ago

    Class-map: prec4 (match-all)
      0 packets, 0 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 4
      police:
          cir 52500 bps, bc 4470 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: prec5 (match-all)
      0 packets, 0 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 5
      police:
          cir 54000 bps, bc 4470 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: prec6 (match-all)
      391 packets, 29584 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 6
      police:
          cir 56000 bps, bc 4470 bytes
        conformed 391 packets, 29584 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps

    Class-map: class-default (match-any)
      255775 packets, 194214265 bytes
      30 second offered rate 1325000 bps, drop rate 1275000 bps
      Match: any
      police:
          cir 51000 bps, bc 4470 bytes
        conformed 30423 packets, 7439395 bytes; actions:
          transmit
        exceeded 225352 packets, 186774870 bytes; actions:
          drop
        conformed 51000 bps, exceeded 1275000 bps

  Service-policy output: omni_flat10

    Counters last updated 00:00:03 ago

    queue stats for all priority classes:
      Queueing
      priority level 1
      queue limit 12 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 43602/7460616

    queue stats for all priority classes:
      Queueing
      priority level 2
      queue limit 14 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

    Class-map: prec4 (match-all)
      0 packets, 0 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 4
      Queueing
      queue limit 13 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      bandwidth 52 kbps

    Class-map: prec5 (match-all)
      0 packets, 0 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 5
      Queueing
      queue limit 13 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      bandwidth 54 kbps

    Class-map: prec6 (match-all)
      393 packets, 29724 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 6
      police:
          cir 56000 bps, bc 4470 bytes
        conformed 393 packets, 29724 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps
      Priority: Strict, b/w exceed drops: 0

      Priority Level: 2

    Class-map: class-default (match-any)
      1055920 packets, 803961420 bytes
      30 second offered rate 5452000 bps, drop rate 5401000 bps
      Match: any
      police:
          cir 51000 bps, bc 4470 bytes
        conformed 43617 packets, 7433658 bytes; actions:
          transmit
        exceeded 1012303 packets, 796527762 bytes; actions:
          drop
        conformed 51000 bps, exceeded 5401000 bps
      Priority: Strict, b/w exceed drops: 0

      Priority Level: 1

Troubleshooting

For specific troubleshooting information, contact the Cisco Technical Assistance Center (TAC) at this location:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Configuring AIS and RAI Alarm Forwarding in CESoPSN Mode on CEoP SPAs

Cisco IOS Release 12.2(33)SRD3 introduces the ability to configure, on a per-T1/E1 basis, the forwarding of AIS and RAI alarms towards peer CE devices via the TDM attachment circuit. This feature allows grooming of traffic from several different cell-site fractional T1/E1s via CEM, through an MPLS cloud, onto a single aggregate T1/E1 going to the BSC.

This feature provides the following functionality:
• By default, AIS and RAI alarms are not forwarded on T1/E1s that have CESoPSN mode configured on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA and 24-Port Channelized T1/E1 ATM CEoP SPA on SIP-400 line cards, even if one or all CESoPSN groups terminating on the T1/E1 are receiving AIS or RAI from the corresponding remote CESoPSN peers across the PSN.
• AIS forwarding can be enabled on a per-T1/E1 basis on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA and 24-Port Channelized T1/E1 ATM CEoP SPA.
This ensures that the PE transmits AIS on the T1/E1 whenever one or more CESoPSN groups configured on it are receiving AIS notification from remote CESoPSN peers across the PSN.
• RAI forwarding can be enabled on a per-T1/E1 basis on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA and 24-Port Channelized T1/E1 ATM CEoP SPA. This ensures that the PE transmits RAI on the T1/E1 whenever one or more CESoPSN groups configured on it are receiving RAI notification from remote CESoPSN peers across the PSN.

Configuring SONET Mode

Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card interface for SONET mode:

Command or Action:
  R1(config)# controller sonet slot/bay/port
  R1(config-controller)# sts-1 id
  Router(config-controller-sts)# vtg identifier t1 identifier forward-alarm ais/rai
Example:
  R1(config)# controller sonet 2/2/0
  R1(config-controller)# sts-1 1
  R1(config-ctrlr-sts1)# vtg 1 t1 1 forward-alarm ais
Purpose: Enables AIS/RAI alarm forwarding on the selected interface for SONET mode.

Configuring SDH AU-4 Mode

Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card interface for SDH AU-4 mode:

Command or Action:
  R1(config-controller)# au-4 id tug-3 id
  R1(config-ctrlr-tug3)# tug-2 id e1 id forward-alarm ais/rai
Example:
  R1(config-controller)# au-4 1 tug-3 1
  R1(config-ctrlr-tug3)# tug-2 1 e1 1 forward-alarm rai
Purpose: Enables AIS/RAI alarm forwarding on the selected SDH controller in AU-4 mode.

Configuring SDH AU-3 Mode

Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card interface for SDH AU-3 mode:

Command or Action:
  R1(config-controller)# au-3 id
  R1(config-ctrlr-tug3)# tug-2 id t1 id forward-alarm ais/rai
Example:
  R1(config-controller)# au-3 1
  R1(config-ctrlr-au3)# tug-2 1 t1 1 forward-alarm ais
  R1(config-ctrlr-au3)# tug-2 1 t1 1 forward-alarm rai
Purpose: Enables AIS/RAI alarm forwarding on the selected SDH controller in AU-3 mode.

Configuring T1 Mode

Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card interface for T1 mode:

Command or Action:
  R1(config)# controller t1 slot/bay/port
  R1(config-controller)# forward-alarm ais/rai
Example:
  R1(config)# controller t1 2/0/0
  R1(config-controller)# forward-alarm rai
Purpose: Enables AIS/RAI alarm forwarding on the selected T1 controller interface for the 24-Port Channelized T1/E1 ATM CEoP SPA.

Configuring E1 Mode

Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card interface for E1 mode:

Command or Action:
  R1(config)# controller e1 slot/bay/port
  R1(config-controller)# forward-alarm ais/rai
Example:
  R1(config)# controller e1 2/0/0
  R1(config-controller)# forward-alarm ais
Purpose: Enables AIS/RAI alarm forwarding on the selected E1 controller interface for the 24-Port Channelized T1/E1 ATM CEoP SPA.

Note: These commands are available only for T1s that support CEM group configuration on them.

Configuration Restrictions

The following restrictions apply while configuring AIS/RAI alarm forwarding:
• Alarms cannot be suppressed in unframed CEM mode (SAToP). Alarms received from the remote SAToP peer across the PSN will always be propagated over the attachment circuit.
• forward-alarm ais/rai is a hidden command and is not available in the option list. You must type the full command.
• Starting with Cisco IOS Release 12.2(33)SRD3, changing the mode of the T1 or E1 from CESoPSN to ATM or IMA is not allowed.

MR-APS Integration with Hot Standby Pseudowire

Multirouter automatic protection switching (MR-APS) enables interface connections to switch from one circuit to another if a circuit fails. Interfaces can be switched in response to a router failure, degradation or loss of channel signal, or manual intervention. In a multirouter environment, MR-APS allows the protected SONET interface to reside in a different router from the working SONET interface.

Service providers are migrating to Ethernet networks from their existing SONET or SDH equipment to reduce cost.
Any Transport over MPLS (AToM) pseudowires (PWs) help service providers maintain their investment in asynchronous transfer mode (ATM) or time division multiplexing (TDM) networks and change only the core from SONET or SDH to Ethernet. When service providers move from SONET or SDH to Ethernet, network availability is always a concern. Therefore, to enhance network availability, service providers use PWs. The hot-standby PW support for ATM and TDM access circuits (ACs) allows the backup PW to be in a hot-standby state, so that it can immediately take over if the primary PW fails.

The present hot-standby PW solution does not support access circuits (ACs) as part of the APS group. The PWs that are configured over the protected interface remain in the down state. This increases the PW switchover time in case of an APS switchover. MR-APS integration with a hot standby PW is an integration of APS with ATM or TDM hot standby PWs created over the SIP-400 line card for the Cisco 7600 platform, and it improves the switchover time.

Figure 10-4 explains the MR-APS integration with hot standby PW feature implementation.

Figure 10-4 MR-APS Integration with Hot Standby Pseudowire Implementation

In this example, routers P1 and PE1 are in the same APS group G1, and routers P2 and PE2 are in the same APS group G2. In group G1, P1 is the working router and PE1 is the protect router. Similarly, in group G2, P2 is the working router and PE2 is the protect router.

The MR-APS integration with hot standby PW deployment involves cell sites connected to the provider network using bundled T1/E1 connections. These T1/E1 connections are aggregated into optical carrier 3 (OC3) or optical carrier 12 (OC12) links using add-drop multiplexers (ADMs).
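Because a working/protect pair that violates the feature's restrictions (listed under Restrictions below) or is missing its backup PW silently loses the fast switchover this section describes, it is worth checking both routers' configurations before relying on them. The following Python script is an added example, not Cisco code: it parses a constructed working and protect configuration modelled on the P1/PE1 CLI example given later in this section (the protect copy deliberately configures revertive mode and a backup delay) and reports each restriction it breaks, plus the APS and ICRM values the two members must agree on.

```python
"""Check a working/protect router pair against the MR-APS hot-standby PW
restrictions in this section. Added example, not Cisco code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed configs modelled on the P1 (working) and PE1 (protect) CLI
# examples in this section; the protect copy deliberately breaks two rules.
WORKING_CFG = """\
pseudowire-class hspw_aps
 encapsulation mpls
 status peer topology dual-homed
redundancy
 interchassis group 1
controller SONET 1/1/0
 aps group 3
 aps working 1
 aps hspw-icrm-grp 1
interface CEM1/1/0
 cem 0
  xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
   backup peer 4.4.4.4 2 pw-class hspw_aps
"""
PROTECT_CFG = WORKING_CFG.replace(
    " aps working 1", " aps protect 1 14.2.0.2\n aps revert 1"  # revertive mode: not allowed
).replace("\n   backup peer", "\n   backup delay 0 never\n   backup peer")  # backup delay: not allowed

@dataclass
class ApsFacts:
    pw_classes: dict[str, set[str]] = field(default_factory=dict)  # class name -> its lines
    icrm_groups: set[int] = field(default_factory=set)
    aps_group: int | None = None
    working_of: int | None = None    # n in "aps working n"
    protect_of: int | None = None    # n in "aps protect n <ip>"
    hspw_icrm: int | None = None
    revert: bool = False
    xconnect_class: str | None = None
    backup_peer: bool = False
    backup_delay: bool = False

def parse(cfg: str) -> ApsFacts:
    # Pull out the APS, ICRM and pseudowire facts the restrictions depend on.
    f, cur_class = ApsFacts(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # back at global configuration level
            cur_class = None
        if m := re.match(r"pseudowire-class (\S+)", line):
            cur_class = m.group(1)
            f.pw_classes.setdefault(cur_class, set())
        elif cur_class:                   # line belongs to the current pw-class
            f.pw_classes[cur_class].add(line)
        elif m := re.match(r"interchassis group (\d+)", line):
            f.icrm_groups.add(int(m.group(1)))
        elif m := re.match(r"aps group (\d+)", line):
            f.aps_group = int(m.group(1))
        elif m := re.match(r"aps working (\d+)", line):
            f.working_of = int(m.group(1))
        elif m := re.match(r"aps protect (\d+) \S+", line):
            f.protect_of = int(m.group(1))
        elif m := re.match(r"aps hspw-icrm-grp (\d+)", line):
            f.hspw_icrm = int(m.group(1))
        elif line.startswith("aps revert"):
            f.revert = True
        elif m := re.match(r"xconnect \S+ \d+ .*pw-class (\S+)", line):
            f.xconnect_class = m.group(1)
        elif line.startswith("backup peer"):
            f.backup_peer = True
        elif line.startswith("backup delay"):
            f.backup_delay = True
    return f

def check_router(f: ApsFacts, role: str) -> list[str]:
    # Violations on one router; role is "working" or "protect".
    cls = f.pw_classes.get(f.xconnect_class or "", set())
    rules = [
        (f.aps_group is None or f.aps_group <= 0, "APS group number must be greater than zero"),
        (f.revert, "revertive APS mode (aps revert) must not be configured"),
        (role == "working" and f.working_of is None, "working router lacks 'aps working <group>'"),
        (role == "protect" and f.protect_of is None, "protect router lacks 'aps protect <group> <ip>'"),
        (f.hspw_icrm not in f.icrm_groups, "aps hspw-icrm-grp does not name a configured interchassis group"),
        ("encapsulation mpls" not in cls, "PW class used by xconnect lacks 'encapsulation mpls'"),
        ("status peer topology dual-homed" not in cls, "PW class lacks 'status peer topology dual-homed'"),
        (not f.backup_peer, "xconnect has no 'backup peer', so there is no hot-standby PW"),
        (f.backup_delay, "'backup delay' must not be configured with this feature"),
    ]
    return [msg for bad, msg in rules if bad]

def check_pair(working_cfg: str, protect_cfg: str) -> dict[str, list[str]]:
    # Per-router violations plus the values both members of the APS pair must agree on.
    w, p = parse(working_cfg), parse(protect_cfg)
    pair = [msg for bad, msg in [
        (w.aps_group != p.aps_group, "APS group numbers differ between working and protect"),
        (w.working_of != p.protect_of, "'aps working' and 'aps protect' group numbers differ"),
        (w.hspw_icrm != p.hspw_icrm, "ICRM group numbers differ between working and protect"),
    ] if bad]
    return {"working": check_router(w, "working"),
            "protect": check_router(p, "protect"), "pair": pair}

if __name__ == "__main__":
    print(check_pair(WORKING_CFG, PROTECT_CFG))
```

Feed it the output of show running-config from each member to check a real pair; the protect copy here reports exactly the two deliberately planted violations.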
For more information on APS, see the Automatic Protection Switching section in the Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide at the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfstm1.html#wp1216498

Failover Operations

The MR-APS integration with hot standby PW feature handles the following failures:
• Failure 1, where the link between the ADM and P1 goes down, or the connecting ports at the ADM or P1 go down.
• Failure 2, where the router P1 fails.
• Failure 3, where the router P1 is isolated from the core.

Figure 10-5 explains the failure points in the network.

Figure 10-5 Failure Points in the Network

In case of failure 1, where either the port at the ADM goes down, the port at the router goes down, or the link between the ADM and the router fails, the APS switchover triggers the pseudowires at the protect interface to become active. The same applies to failure 2, where the complete router fails over.

In case of failure 3, where all the links carrying primary and backup traffic lose the connection, a new client is added to the interchassis redundancy manager (ICRM) infrastructure to handle the core isolation. The client listens to the events from the ICRM. Upon receiving the core isolation event from the ICRM, the client either initiates the APS switchover or raises the alarm, based on the peer core isolation state. If an APS switchover occurs, it changes the APS inactive interface to active and hence activates the PWs at that interface. Similarly, when core connectivity comes back up, the client, based upon the peer core isolation state, either clears the alarms or triggers the APS switchover. ICRM monitors the directly connected interfaces only.
Hence only failures in the directly connected interfaces can cause a core isolation event.

Restrictions

The following restrictions apply to the MR-APS integration with hot standby PW feature:
• MR-APS integration with hot standby PW is supported only on the SIP-400 line cards.
• For ATM pseudowires, only ATM asynchronous mode is supported.
• Revertive APS mode should not be configured on the interfaces.
• MR-APS integration with hot standby PW is supported only on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA and the 2-Port and 4-Port OC-3c/STM-1 ATM SPA.
• The APS group number should be greater than zero.
• Do not configure the backup delay value command if the MR-APS integration with hot standby PW feature is configured.
• Unconfiguring the mpls ip command on the core interface is not supported.
• The hspw force switch command is not supported.

Configuring MR-APS Integration with Hot Standby Pseudowire

MR-APS integration with hot standby PW can be configured on a CEM interface or an IMA interface on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA. Perform the steps in the corresponding section to configure the MR-APS integration with hot standby PW feature on a CEM or IMA interface.

Configuring MR-APS Integration with Hot Standby Pseudowire on a CEM Interface

Complete these steps to configure MR-APS integration with hot standby PW on a CEM interface. The configuration involves configuring the working routers and protect routers that are part of the APS group.

SUMMARY STEPS
1. enable
2. configure terminal
3. pseudowire-class pw-class-name
4. encapsulation mpls
5. status peer topology dual-homed
6. exit
7. redundancy
8. interchassis group group-id pw-class-name
9. member ip ip-address
10. backbone interface interface
11. backbone interface interface
12. exit
13. controller sonet slot/bay/port
14. framing [sonet|sdh]
15. clock source line
16. sts-1 sts1-number
17. mode vt-15
18. vtg vtg_number t1 t1_line_number cem-group channel-number timeslots list-of-timeslots
19. exit
20. aps group group_id
21. aps [working | protect] aps-group-number [ip-address]
22. aps hspw-icrm-group icrm-group-number
23. exit
24. interface cem slot/subslot/port
25. cem cem-group
26. xconnect peer-ip-address vc-id pw-class pw-class-name
27. backup peer ip-address vc-id pw-class pw-class-name
28. end

Detailed Steps

Command / Purpose

Step 1   enable
         Example: Router> enable
         Purpose: Enables the privileged EXEC mode. If prompted, enter your password.
Step 2   configure terminal
         Example: Router# configure terminal
         Purpose: Enters the global configuration mode.
Step 3   pseudowire-class pw-class-name
         Example: Router(config)# pseudowire-class hw_aps
         Purpose: Specifies the name of a PW class and enters PW class configuration mode.
Step 4   encapsulation mpls
         Example: Router(config-pw-class)# encapsulation mpls
         Purpose: Specifies that MPLS is used as the data encapsulation method for tunneling Layer 2 traffic over the pseudowire.
Step 5   status peer topology dual-homed
         Example: Router(config-pw-class)# status peer topology dual-homed
         Purpose: Enables the reflection of the attachment circuit status on both the primary and secondary pseudowires. This configuration is necessary if the peer PEs are connected to a dual-homed device.
Step 6   exit
         Example: Router(config-pw-class)# exit
         Purpose: Exits PW class configuration mode.
Step 7   redundancy
         Example: Router(config)# redundancy
         Purpose: Enters the redundancy configuration mode.
Step 8   interchassis group group-id
         Example: Router(config-red)# interchassis group 50
         Purpose: Configures an interchassis group within the redundancy configuration mode and enters the interchassis redundancy mode.
Step 9   member ip ip-address
         Example: Router(config-r-ic)# member ip 60.60.60.2
         Purpose: Configures the IP address of the peer member group.
Step 10  backbone interface interface
         Example: Router(config-r-ic)# backbone interface GigabitEthernet 2/3
         Purpose: Specifies the backbone interface.
Step 11  exit
         Example: Router(config-r-ic)# exit
         Purpose: Exits the redundancy mode.
Step 12  controller SONET slot/bay/port
         Example: Router(config)# controller SONET 1/1/0
         Purpose: Selects and configures a SONET controller and enters controller configuration mode. slot/subslot/port—Specifies the location of the interface.
Step 13  framing [SDH|SONET]
         Example: Router(config-controller)# framing SONET
         Purpose: Configures the controller with the framing type. SONET framing is the default option.
Step 14  clock source line
         Example: Router(config-controller)# clock source line
         Purpose: Sets the clocking for individual T1 or E1 links.
Step 15  sts-1 sts1-number
         Example: Router(config-controller)# sts-1 1
         Purpose: Specifies the STS identifier.
Step 16  mode vt-15
         Example: Router(config-ctrlr-sts1)# mode vt-15
         Purpose: Specifies the STS-1 mode of operation.
Step 17  vtg vtg_number t1 t1_line_number cem-group channel-number timeslots list-of-timeslots
         Example: Router(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
         Purpose: Creates a Circuit Emulation Services over Packet Switched Network (CESoPSN) CEM group.
Step 18  exit
         Example: Working-Router(config-ctrlr-sts1)# exit
         Purpose: Exits from the STS configuration mode.
Step 19  aps group group_id
         Example: Router(config-controller)# aps group 1
         Purpose: Configures the APS group for CEM.
Step 20  aps [working | protect] aps-group-number
         Example: Router(config-controller)# aps working 1
         Purpose: Configures the APS group as the working or protect interface.
Step 21  aps hspw-icrm-grp group-number
         Example: Router(config-controller)# aps hspw-icrm-group 1
         Purpose: Associates the APS group to an ICRM group number.
Step 22  exit
         Example: Router(config-ctrlr)# end
         Purpose: Ends the controller session and returns to the configuration mode.
Step 23  interface cem slot/subslot/port
         Example: Router(config-if)# interface cem 1/1/0
         Purpose: Configures a serial interface and enters the interface configuration mode.
Step 24  cem group-number
         Example: Router(config-if)# cem 0
         Purpose: Selects the CEM circuit (group) to configure a PW for.
Step 25  xconnect peer-ip-address vcid pw-class pw-class-name
         Example: Router(config-if-srv)# xconnect 3.3.3.3 1 pw-class hspw_aps
         Purpose: Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PEs at each end of the control channel. pw-class-name—The PW class configuration from which the data encapsulation type is taken.
         Note: The peer router IP address and virtual circuit ID must be a unique combination on the router.
Step 26  backup peer peer-id vc-id pseudowire-class pw-classname
         Example: Router(config-if-srv)# backup peer 4.3.3.3 90 pseudowire-class vpws
         Purpose: Specifies a redundant peer for a PW virtual circuit.
Step 27  end
         Example: Router(config-controller)# end
         Purpose: Ends the configuration session and returns to the EXEC mode.

Example

This example shows how to configure the MR-APS integration with hot standby PW on a CEM interface on the working router P1, with the framing mode set to SONET.

RouterP1> enable
RouterP1# configure terminal
RouterP1(config)# pseudowire-class hspw_aps
RouterP1(config-pw-class)# encapsulation mpls
RouterP1(config-pw-class)# status peer topology dual-homed
RouterP1(config-pw-class)# exit
RouterP1(config)# redundancy
RouterP1(config-red)# interchassis group 1
RouterP1(config-r-ic)# member ip 14.2.0.2
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterP1(config-r-ic)# exit
RouterP1(config)# controller SONET 1/1/0
RouterP1(config-controller)# framing sonet
RouterP1(config-controller)# clock source line
RouterP1(config-controller)# sts-1 1
RouterP1(config-ctrlr-sts1)# mode vt-15
RouterP1(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
RouterP1(config-ctrlr-sts1)# exit
RouterP1(config-controller)# aps group 3
RouterP1(config-controller)# aps working 1
RouterP1(config-controller)# aps hspw-icrm-grp 1
RouterP1(config-controller)# exit
RouterP1(config)# interface cem 1/1/0
RouterP1(config-if)# cem 0
RouterP1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterP1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterP1(config-if)# exit
RouterP1(config)# end

This example shows how to configure the MR-APS integration with hot standby PW on a CEM interface on the protect router PE1, with the framing mode set to SONET.

RouterPE1> enable
RouterPE1# configure terminal
RouterPE1(config)# pseudowire-class hspw_aps
RouterPE1(config-pw-class)# encapsulation mpls
RouterPE1(config-pw-class)# status peer topology dual-homed
RouterPE1(config-pw-class)# exit
RouterPE1(config)# redundancy
RouterPE1(config-red)# interchassis group 1
RouterPE1(config-r-ic)# member ip 14.2.0.1
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterPE1(config-r-ic)# backbone interface GigabitEthern
RouterPE1(config-r-ic)# exit
RouterPE1(config)# controller SONET 3/0/0
RouterPE1(config-controller)# framing sonet
RouterPE1(config-controller)# clock source line
RouterPE1(config-controller)# sts-1 1
RouterPE1(config-ctrlr-sts1)# mode vt-15
RouterPE1(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
RouterPE1(config-ctrlr-sts1)# exit
RouterPE1(config-controller)# aps group 3
RouterPE1(config-controller)# aps protect 1 14.2.0.2
RouterPE1(config-controller)# aps hspw-icrm-grp 1
RouterPE1(config-controller)# exit
RouterPE1(config)# interface cem 3/0/0
RouterPE1(config-if)# cem 0
RouterPE1(config-if)# xconnect 3.3.3.3 3 pw-class hspw_aps
RouterPE1(config-if)# backup peer 4.4.4.4 4 pw-class hspw_aps
RouterPE1(config-if)# exit
RouterPE1(config)# end

This example shows how to configure the MR-APS integration with hot standby PW on a CEM interface on the working router P2, with the framing mode set to SONET.
RouterP2> enable
RouterP2# configure terminal
RouterP2(config)# pseudowire-class hspw_aps
RouterP2(config-pw-class)# encapsulation mpls
RouterP2(config-pw-class)# status peer topology dual-homed
RouterP2(config-pw-class)# exit
RouterP2(config)# redundancy
RouterP2(config-red)# interchassis group 1
RouterP2(config-r-ic)# member ip 14.6.0.2
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/3
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/4
RouterP2(config-r-ic)# exit
RouterP2(config)# controller SONET 1/1/0
RouterP2(config-controller)# framing sonet
RouterP2(config-controller)# clock source line
RouterP2(config-controller)# sts-1 1
RouterP2(config-ctrlr-sts1)# mode vt-15
RouterP2(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
RouterP2(config-ctrlr-sts1)# exit
RouterP2(config-controller)# aps group 3
RouterP2(config-controller)# aps working 1
RouterP2(config-controller)# aps hspw-icrm-grp 1
RouterP2(config-controller)# exit
RouterP2(config)# interface cem 1/1/0
RouterP2(config-if)# cem 0
RouterP2(config-if)# xconnect 1.1.1.1 1 encapsulation mpls pw-class hspw_aps
RouterP2(config-if)# backup peer 2.2.2.2 3 pw-class hspw_aps
RouterP2(config-if)# exit
RouterP2(config)# end

This example shows how to configure the MR-APS integration with hot standby PW on a CEM interface on the protect router PE2, with the framing mode set to SONET.

RouterPE2> enable
RouterPE2# configure terminal
RouterPE2(config)# pseudowire-class hspw_aps
RouterPE2(config-pw-class)# encapsulation mpls
RouterPE2(config-pw-class)# status peer topology dual-homed
RouterPE2(config-pw-class)# exit
RouterPE2(config)# redundancy
RouterPE2(config-red)# interchassis group 1
RouterPE2(config-r-ic)# member ip 14.6.0.1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterPE2(config-r-ic)# backbone interface GigabitEthern
RouterPE2(config-r-ic)# exit
RouterPE2(config)# controller SONET 3/2/0
RouterPE2(config-controller)# framing sonet
RouterPE2(config-controller)# clock source line
RouterPE2(config-controller)# sts-1 1
RouterPE2(config-ctrlr-sts1)# mode vt-15
RouterPE2(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
RouterPE2(config-ctrlr-sts1)# exit
RouterPE2(config-controller)# aps group 2
RouterPE2(config-controller)# aps protect 1 14.6.0.2
RouterPE2(config-controller)# aps hspw-icrm-grp 1
RouterPE2(config-controller)# exit
RouterPE2(config)# interface cem 3/2/0
RouterPE2(config-if)# cem 0
RouterPE2(config-if)# xconnect 1.1.1.1 2 pw-class hspw_aps
RouterPE2(config-if)# backup peer 2.2.2.2 4 pw-class hspw_aps
RouterPE2(config-if)# exit
RouterPE2(config)# end

Configuring MR-APS Integration with Hot Standby Pseudowire on an IMA Interface

Perform these steps to configure MR-APS integration with hot standby PW on an IMA interface. The configuration includes configuring the working routers and protect routers that are part of the APS group.

SUMMARY STEPS
1. enable
2. configure terminal
3. pseudowire-class pw-class-name
4. encapsulation mpls
5. status peer topology dual-homed
6. exit
7. redundancy
8. interchassis group group-id pw-class-name
9. member ip ip-address
10. backbone interface interface slot/bay/port
11. backbone interface interface slot/bay/port
12. exit
13. controller sonet slot/bay/port
14. framing sonet | sdh
15. clock source line
16. sts-1 sts1-number
17. mode vt-15
18. vtg vtg_number t1 t1_line_number ima-group group-number
19. exit
20. aps group group_id
21. aps [working | protect] aps-group-number [ip-address]
22. aps hspw-icrm-grp group-number
23. interface atm slot/subslot/imagroup-id
24. atm asynchronous
25. pvc vpi/vci l2transport
26. xconnect peer-ip-address vc-id pw-class pw-class-name
27. backup peer ip-address vc-id pw-class pw-class-name
28. end

Detailed Steps

Command / Purpose

Step 1   enable
         Example: Router> enable
         Purpose: Enables the privileged EXEC mode. If prompted, enter your password.
Step 2   configure terminal
         Example: Router# configure terminal
         Purpose: Enters the global configuration mode.
Step 3   pseudowire-class pw-class-name
         Example: Router(config)# pseudowire-class hw_aps
         Purpose: Specifies the name of a PW class and enters PW class configuration mode.
Step 4   encapsulation mpls
         Example: Router(config-pw-class)# encapsulation mpls
         Purpose: Specifies that MPLS is used as the data encapsulation method for tunneling Layer 2 traffic over the pseudowire.
Step 5   status peer topology dual-homed
         Example: Router(config-pw-class)# status peer topology dual-homed
         Purpose: Enables the reflection of the attachment circuit status on both the primary and secondary pseudowires. This configuration is necessary if the peer PEs are connected to a dual-homed device.
Step 6   exit
         Example: Router(config-pw-class)# exit
         Purpose: Exits PW class configuration mode.
Step 7  redundancy
        Example: Router(config)# redundancy
        Enters redundancy configuration mode.

Step 8  interchassis group group-id
        Example: Router(config-red)# interchassis group 50
        Configures an interchassis group within redundancy configuration mode and enters interchassis redundancy configuration mode.

Step 9  member ip ip-address
        Example: Router(config-r-ic)# member ip 60.60.60.2
        Configures the IP address of the peer member.

Step 10 backbone interface interface
        Example: Router(config-r-ic)# backbone interface GigabitEthernet 2/3
        Specifies a backbone interface. Repeat this step for each backbone interface of the group.

Step 11 exit
        Example: Router(config-r-ic)# exit
        Exits interchassis redundancy configuration mode.

Step 12 controller sonet slot/subslot/port
        Example: Router(config)# controller sonet 1/1/0
        Selects a SONET controller and enters controller configuration mode. slot/subslot/port specifies the location of the interface.

Step 13 framing {sonet | sdh}
        Example: Router(config-controller)# framing sonet
        Configures the controller for SONET or SDH framing. SONET framing is the default.

Step 14 clock source line
        Example: Router(config-controller)# clock source line
        Sets the controller to recover its clock from the received line signal.

Step 15 sts-1 sts1-number
        Example: Router(config-controller)# sts-1 1
        Specifies the STS-1 identifier and enters STS-1 configuration mode.

Step 16 mode vt-15
        Example: Router(config-ctrlr-sts1)# mode vt-15
        Specifies the STS-1 mode of operation (VT 1.5).

Step 17 vtg vtg_number t1 t1_line_number ima-group ima-group-number
        Example: Router(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
        Configures the T1 to run in IMA mode and assigns it to an IMA group.

Step 18 exit
        Example: Router(config-ctrlr-sts1)# exit
        Exits STS-1 configuration mode and returns to controller configuration mode.
Step 19 aps group group_id
        Example: Router(config-controller)# aps group 1
        Configures the APS group for the IMA interface.

Step 20 aps {working | protect} aps-group-number [ip-address]
        Example: Router(config-controller)# aps working 1
        Configures the interface as the working or the protect interface of the APS group. The ip-address argument is used with the protect keyword and identifies the peer router that carries the working interface.

Step 21 aps hspw-icrm-grp group-number
        Example: Router(config-controller)# aps hspw-icrm-grp 1
        Associates the APS group with a hot standby PW ICRM group number.

Step 22 exit
        Example: Router(config-controller)# exit
        Exits controller configuration mode and returns to global configuration mode.

Step 23 interface atm slot/subslot/imagroup-number
        Example: Router(config)# interface atm 1/1/ima0
        Specifies the IMA interface and enters interface configuration mode.

Step 24 no ip address
        Example: Router(config-if)# no ip address
        Removes any IP address configured on the interface.

Step 25 atm asynchronous
        Example: Router(config-if)# atm asynchronous
        Enables asynchronous functionality on the ATM interface (the no form disables it).

Step 26 pvc vpi/vci l2transport
        Example: Router(config-if)# pvc 1/100 l2transport
        Assigns a VPI and VCI and enters PVC l2transport configuration mode.
        • vpi: ATM network virtual path identifier (VPI) of the VC to multiplex on the permanent virtual path. The range is 0 to 255.
        • vci: virtual channel identifier (VCI).
        Note: The l2transport keyword indicates that the PVC is a switched PVC rather than a terminated PVC.

Step 27 xconnect peer-ip-address vcid pw-class pw-class-name
        Example: Router(config-if)# xconnect 3.3.3.3 1 pw-class hspw_aps
        Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PEs at each end of the control channel. pw-class-name is the PW class from which the data encapsulation type is taken.
        Note: The combination of peer router ID (IP address) and virtual circuit ID must be unique on the router.

Step 28 backup peer peer-id vc-id pw-class pw-class-name
        Example: Router(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
        Specifies a redundant peer for the PW virtual circuit.

Step 29 end
        Example: Router(config-if)# end
        Ends the configuration session and returns to privileged EXEC mode.

Example

This example shows how to configure MR-APS integration with hot standby PW on an IMA interface on the working router P1.

RouterP1> enable
RouterP1# configure terminal
RouterP1(config)# pseudowire-class hspw_aps
RouterP1(config-pw-class)# encapsulation mpls
RouterP1(config-pw-class)# status peer topology dual-homed
RouterP1(config-pw-class)# exit
RouterP1(config)# redundancy
RouterP1(config-red)# interchassis group 1
RouterP1(config-r-ic)# member ip 14.2.0.2
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterP1(config-r-ic)# exit
RouterP1(config)# controller sonet 1/1/0
RouterP1(config-controller)# framing sonet
RouterP1(config-controller)# clock source line
RouterP1(config-controller)# sts-1 1
RouterP1(config-ctrlr-sts1)# mode vt-15
RouterP1(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
RouterP1(config-ctrlr-sts1)# exit
RouterP1(config-controller)# aps group 3
RouterP1(config-controller)# aps working 1
RouterP1(config-controller)# aps hspw-icrm-grp 1
RouterP1(config-controller)# exit
RouterP1(config)# interface atm 1/1/ima0
RouterP1(config-if)# atm asynchronous
RouterP1(config-if)# pvc 1/100 l2transport
RouterP1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterP1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterP1(config-if)# exit
RouterP1(config)# end

This example shows how to configure MR-APS integration with hot standby PW on an IMA interface on the protect router PE1.

RouterPE1> enable
RouterPE1# configure terminal
RouterPE1(config)# pseudowire-class hspw_aps
RouterPE1(config-pw-class)# encapsulation mpls
RouterPE1(config-pw-class)# status peer topology dual-homed
RouterPE1(config-pw-class)# exit
RouterPE1(config)# redundancy
RouterPE1(config-red)# interchassis group 1
RouterPE1(config-r-ic)# member ip 14.2.0.2
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterPE1(config-r-ic)# exit
RouterPE1(config)# controller sonet 1/1/0
RouterPE1(config-controller)# framing sonet
RouterPE1(config-controller)# clock source line
RouterPE1(config-controller)# sts-1 1
RouterPE1(config-ctrlr-sts1)# mode vt-15
RouterPE1(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
RouterPE1(config-ctrlr-sts1)# exit
RouterPE1(config-controller)# aps group 3
RouterPE1(config-controller)# aps protect 1 14.2.0.1
RouterPE1(config-controller)# aps hspw-icrm-grp 1
RouterPE1(config-controller)# exit
RouterPE1(config)# interface atm 1/1/ima0
RouterPE1(config-if)# atm asynchronous
RouterPE1(config-if)# pvc 1/100 l2transport
RouterPE1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterPE1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterPE1(config-if)# exit
RouterPE1(config)# end

This example shows how to configure MR-APS integration with hot standby PW on an IMA interface on the working router P2.
RouterP2> enable
RouterP2# configure terminal
RouterP2(config)# pseudowire-class hspw_aps
RouterP2(config-pw-class)# encapsulation mpls
RouterP2(config-pw-class)# status peer topology dual-homed
RouterP2(config-pw-class)# exit
RouterP2(config)# redundancy
RouterP2(config-red)# interchassis group 1
RouterP2(config-r-ic)# member ip 14.6.0.2
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/3
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/4
RouterP2(config-r-ic)# exit
RouterP2(config)# controller sonet 1/1/0
RouterP2(config-controller)# framing sonet
RouterP2(config-controller)# clock source line
RouterP2(config-controller)# sts-1 1
RouterP2(config-ctrlr-sts1)# mode vt-15
RouterP2(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
RouterP2(config-ctrlr-sts1)# exit
RouterP2(config-controller)# aps group 2
RouterP2(config-controller)# aps working 1
RouterP2(config-controller)# aps hspw-icrm-grp 1
RouterP2(config-controller)# exit
RouterP2(config)# interface atm 1/1/ima0
RouterP2(config-if)# atm asynchronous
RouterP2(config-if)# pvc 1/100 l2transport
RouterP2(config-if)# xconnect 1.1.1.1 1 encapsulation mpls pw-class hspw_aps
RouterP2(config-if)# backup peer 2.2.2.2 3 pw-class hspw_aps
RouterP2(config-if)# exit
RouterP2(config)# end

This example shows how to configure MR-APS integration with hot standby PW on an IMA interface on the protect router PE2.
RouterPE2> enable
RouterPE2# configure terminal
RouterPE2(config)# pseudowire-class hspw_aps
RouterPE2(config-pw-class)# encapsulation mpls
RouterPE2(config-pw-class)# status peer topology dual-homed
RouterPE2(config-pw-class)# exit
RouterPE2(config)# redundancy
RouterPE2(config-red)# interchassis group 1
RouterPE2(config-r-ic)# member ip 14.6.0.1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 3/0/1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 3/0/2
RouterPE2(config-r-ic)# exit
RouterPE2(config)# controller sonet 1/1/0
RouterPE2(config-controller)# framing sonet
RouterPE2(config-controller)# clock source line
RouterPE2(config-controller)# sts-1 1
RouterPE2(config-ctrlr-sts1)# mode vt-15
RouterPE2(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
RouterPE2(config-ctrlr-sts1)# exit
RouterPE2(config-controller)# aps group 3
RouterPE2(config-controller)# aps protect 1 14.6.0.2
RouterPE2(config-controller)# aps hspw-icrm-grp 1
RouterPE2(config-controller)# exit
RouterPE2(config)# interface atm 3/2/ima0
RouterPE2(config-if)# atm asynchronous
RouterPE2(config-if)# pvc 1/100 l2transport
RouterPE2(config-if)# xconnect 1.1.1.1 2 encapsulation mpls pw-class hspw_aps
RouterPE2(config-if)# backup peer 2.2.2.2 4 pw-class hspw_aps
RouterPE2(config-if)# exit
RouterPE2(config)# end

Verification

Use these commands to verify the MR-APS integration with hot standby PW configuration.

Table 10-3 Verification

Command                              Purpose
show mpls l2transport vc             Displays information about Any Transport over MPLS (AToM) virtual circuits (VCs) that have been enabled to route Layer 2 packets on a router.
show hspw-aps-icrm group group-id    Displays information about a specified hot standby PW APS group.
show hspw-aps-icrm all               Displays information about all hot standby PW APS and ICRM groups.
show redundancy interchassis         Displays information about the interchassis redundancy group configuration.
show xconnect all                    Displays information about all xconnect attachment circuits and pseudowires.

Troubleshooting Tips

Table 10-4 Troubleshooting Tips

Command                              Purpose
debug hspw-aps errors                Displays information about hot standby PW APS group errors.
debug hspw-aps events                Displays information about events related to hot standby PW APS group configuration.

Verifying the Interface Configuration

The show cem circuit command shows information about the circuit state, the administrative state, the CEM ID of the circuit, and the interface on which it is configured. If xconnect is configured under the circuit, the command output also includes information about the attached circuit.

Router# show cem circuit ?
  <0-504>    CEM ID
  detail     Detailed information of cem ckt(s)
  interface  CEM Interface
  summary    Display summary of CEM ckts
  |          Output modifiers

Router# show cem circuit
CEM Int.   ID   Line   Admin   Circuit   AC
--------------------------------------------------------------
CEM1/1/0   1    UP     UP      ACTIVE    --/--
CEM1/1/0   2    UP     UP      ACTIVE    --/--
CEM1/1/0   3    UP     UP      ACTIVE    --/--
CEM1/1/0   4    UP     UP      ACTIVE    --/--
CEM1/1/0   5    UP     UP      ACTIVE    --/--

The show cem circuit <0-504> command displays detailed information about that particular circuit.

Router# show cem circuit 1
CEM1/1/0, ID: 1, Line State: UP, Admin State: UP, Ckt State: ACTIVE
Idle Pattern: 0xFF, Idle cas: 0x8, Dummy Pattern: 0xFF
Dejitter: 5, Payload Size: 40
Framing: Framed, (DS0 channels: 1-5)
Channel speed: 56
CEM Defects Set
Excessive Pkt Loss Rate
Packet Loss
Signalling: No CAS
RTP: No RTP
Ingress Pkts:    25929          Dropped:             0
Egress Pkts:     0              Dropped:             0
CEM Counter Details
Input Errors:    0              Output Errors:       0
Pkts Missing:    25927          Pkts Reordered:      0
Misorder Drops:  0              JitterBuf Underrun:  1
Error Sec:       26             Severly Errored Sec: 26
Unavailable Sec: 5              Failure Counts:      1
Pkts Malformed:  0

The show cem circuit summary command displays the number of circuits that are up or down on a per-interface basis.

Router# show cem circuit summary
CEM Int.   Total   Active   Inactive
--------------------------------------
CEM1/1/0   5       5        0

The show running module command shows the detail of each CEM group:

Router# show running module 1
Building configuration...
Current configuration : 1542 bytes
card type t1 1 1
!
Controller T1 1/1/0
 framing esf
 linecode b8zs
 cem-group 1 timeslots 1-5 speed 56
 cem-group 2 timeslots 6-10 speed 56
 cem-group 3 timeslots 11-15 speed 56
 cem-group 4 timeslots 16-20 speed 56
 cem-group 5 timeslots 21-24 speed 56
!
Controller T1 1/1/1
 framing esf
 linecode b8zs
!
Controller T1 1/1/2
 framing esf
 linecode b8zs
!
Controller T1 1/1/3
 framing esf
!
Controller T1 1/1/4
 framing esf
 linecode b8zs
!
Controller T1 1/1/5
 framing esf
 fdl both
 linecode b8zs
!
Controller T1 1/1/6
 framing esf
 linecode b8zs
!
Controller T1 1/1/7
 framing esf
 linecode b8zs
!
Controller T1 1/1/8
 framing esf
 linecode b8zs
!
Controller T1 1/1/9
 framing esf
 clock source internal
 linecode b8zs
!
Controller T1 1/1/10
 framing esf
 linecode b8zs
!
Controller T1 1/1/11
 framing esf
 linecode b8zs
!
Controller T1 1/1/12
 framing esf
 linecode b8zs
!
Controller T1 1/1/13
 framing esf
 linecode b8zs
!
Controller T1 1/1/14
 framing esf
 linecode b8zs
!
Controller T1 1/1/15
 framing esf
 linecode b8zs
!
Controller T1 1/1/16
 framing esf
 linecode b8zs
!
Controller T1 1/1/17
 framing esf
 linecode b8zs
!
Controller T1 1/1/18
 framing esf
 linecode b8zs
!
Controller T1 1/1/19
 framing esf
 linecode b8zs
!
Controller T1 1/1/20
 framing esf
 linecode b8zs
!
Controller T1 1/1/21
 framing esf
 linecode b8zs
!
Controller T1 1/1/22
 framing esf
 linecode b8zs
!
Controller T1 1/1/23
 framing esf
 linecode b8zs
!
interface CEM1/1/0
 no ip address
 cem 1
 !
 cem 2
 !
 cem 3
 !
 cem 4
 !
 cem 5
 !
end

Router# show int cem 2/1/3
CEM2/1/3 is up, line protocol is up
  Hardware is Circuit Emulation Interface
  MTU 1500 bytes, BW 10000000 Kbit, DLY 0 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation CEM, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Router# show class cem class1
Class: class1
  Idle Pattern: 0x9, Idle cas: 0xF
  Dejitter: 5, Payload Size: 100
  RTP: No RTP

Router# show class cem all
Class: abcdefghijklmn
  Idle Pattern: 0xF, Idle cas: 0x8
  Dejitter: 200, Payload Size: 200
  RTP: Configured, RTP-HDR
  Compression: Disabled
Class: class1
  Idle Pattern: 0x9, Idle cas: 0xF
  Dejitter: 5, Payload Size: 100
  RTP: No RTP
Class: 1234
  Idle Pattern: 0xF, Idle cas: 0x8
  Dejitter: 5, Payload Size: 32
  RTP: No RTP

Router# show class cem detail
Class: abcdefghijklmn
  Idle Pattern: 0xF, Idle cas: 0x8
  Dejitter: 200, Payload Size: 200
  RTP: Configured, RTP-HDR
  Compression: Disabled
  Circuits inheriting this Class: None
  Interfaces inheriting this Class: None
Class: class1
  Idle Pattern: 0x9, Idle cas: 0xF
  Dejitter: 5, Payload Size: 100
  RTP: No RTP
  Circuits inheriting this Class: None
  Interfaces inheriting this Class: None
Class: 1234
  Idle Pattern: 0xF, Idle cas: 0x8
  Dejitter: 5, Payload Size: 32
  RTP: No RTP
  Circuits inheriting this Class: None

PART 5 Ethernet Shared Port Adapters

CHAPTER 11 Overview of the Ethernet SPAs

This chapter provides an overview of the release history, and of the feature and Management Information Base (MIB) support, for the Fast Ethernet and Gigabit Ethernet SPAs on the Cisco 7600 series router. This chapter includes the following sections:
• Release History, page 11-1
• Supported Ethernet SPA, page 11-2
• Restrictions, page 11-19
• Supported MIBs, page 11-20
• SPA Architecture, page 11-21
• Displaying the SPA Hardware Type, page 11-22

Release History

Release        Modification
15.1(1)S       Support for the Time of Day (ToD) feature on the 2-Port Gigabit Synchronous Ethernet SPA was introduced.
15.0(1)S       • Added support for the 2-Port Gigabit Synchronous Ethernet SPA.
               • Added a restriction for the 2-Port Gigabit Ethernet SPA regarding copper SFP.
12.2(33)SRD    • Added support for SPA-8X1FE-TX-V2 and SPA-4X1FE-TX-V2 on the SIP-400.
12.2(33)SRC    • Added SFP-GE-T support.
               • Added SPA-1X10GE-L-V2 support to the SIP-400.
12.2(33)SRB1   The Any Transport over MPLS over GRE (AToMoGRE) feature was introduced on the Cisco 7600 SIP-400 on the Cisco 7600 series router.
               The Backup Interface for Flexible UNI feature was introduced on the Cisco 7600 SIP-400 for Gigabit Ethernet SPAs.
12.2(33)SRA    Support for the following SPAs was introduced on the Cisco 7600 SIP-200 on the Cisco 7600 series router:
               • 4-Port Fast Ethernet SPA
               • 8-Port Fast Ethernet SPA
               The Multipoint Bridging feature was introduced on the Cisco 7600 SIP-400 on the Cisco 7600 series router.
               The Scalable EoMPLS feature was increased from 4 K to 12 K on the Cisco 7600 SIP-400 on the Cisco 7600 series router.
               Support for Ethernet Connectivity Fault Management and Ethernet Operations, Administration, and Maintenance was introduced.
12.2(18)SXF    Support for the following SPAs was introduced on the Cisco 7600 SIP-600 on the Cisco 7600 series router and Catalyst 6500 series switch:
               • 1-Port 10-Gigabit Ethernet SPA
               • 5-Port Gigabit Ethernet SPA
               • 10-Port Gigabit Ethernet SPA
               Support for the following SPA was introduced on the Cisco 7600 SIP-400 on the Cisco 7600 series router and Catalyst 6500 series switch:
               • 2-Port Gigabit Ethernet SPA

Supported Ethernet SPA

This section lists and describes the Ethernet SPAs supported by the Cisco 7600 platform and the SIP line cards that support them.

2-Port Gigabit Synchronous Ethernet SPA

The 2-Port Gigabit Synchronous Ethernet SPA provides time and frequency distribution across Ethernet networks. Synchronization is not traditionally present in all-packet networks. It is cost-effective, and especially important to service providers that migrated late to packet networks and use an external time-division multiplexing (TDM) circuit to provide timing to remote networks; those remote networks require constant synchronization for crucial voice services. The SPA-2X1GE-SYNCE can also interface with an external SSU/BITS interface or a GPS timing interface.

The 2-Port Gigabit Synchronous Ethernet SPA comprises these clock interfaces:
• BITS In
• BITS Out
• GPS In
• GPS Out

The 2-Port Gigabit Synchronous Ethernet SPA (SPA-2X1GE-SYNCE) is compatible with the 2-Port GigE SPA-v2 and provides additional services, such as clock frequency and time of day synchronization, using the following technologies:
• Synchronous Ethernet (SyncE)
• Ethernet Synchronization Messaging Channel (ESMC)
• IEEE 1588v2

There are two standard ways to deliver timing across networks:
• Synchronous Ethernet (SyncE): SyncE, defined by ITU-T standards such as G.8261, G.8262, G.8264, and G.781, leverages the PHY layer of Ethernet to transmit frequency to remote sites. SyncE provides a cost-effective alternative to SONET networks. For SyncE to work, each network element along the synchronization path must support SyncE.
• IEEE 1588-2008 (PTPv2)

Supported Features

The following are some of the significant hardware and software features supported by the Fast Ethernet and Gigabit Ethernet SPAs on the Cisco 7600 series router:
• Autonegotiation
• Full-duplex operation
• 802.1Q VLAN termination
• Jumbo frames support (9216 bytes)
• Support for command-line interface (CLI)-controlled OIR
• 802.3x flow control
• Up to 4000 VLANs per SPA
• Up to 5000 MAC accounting entries per SPA using Fugu hardware (source MAC accounting for the ingress direction and destination MAC accounting for the egress direction)
• Per-port byte and packet counters for policy drops, oversubscription drops, CRC error drops, packet sizes, unicast, multicast, and broadcast packets
• Per-VLAN byte and packet counters for policy drops, oversubscription drops, unicast, multicast, and broadcast packets
• Per-port byte counters for good bytes and dropped bytes
• Multiprotocol Label Switching (MPLS)
• Any Transport over MPLS over GRE (AToMoGRE)
• Ethernet over Multiprotocol Label Switching (EoMPLS)
• Quality of service (QoS)
• Hot Standby Router Protocol (HSRP)
• Virtual Router Redundancy Protocol (VRRP)
• User-set speed
• Hierarchical Virtual Private LAN Service (H-VPLS) (Gigabit Ethernet SPAs only)
• Multipoint Bridging (Gigabit Ethernet SPAs only)
• Connectivity Fault Management (CFM)
• IP Subscriber Awareness over Ethernet
• Generic SPA features such as FPD, LEDs, voltage margining, and environment monitoring
• ETHERLIKE-MIB
• IP QoS parity between SIP-200 and SIP-400 FE SPAs
• MAC address filtering
• Multicast feature parity between SIP-200 and SIP-400 SPAs
• IPv6 support
• Legacy protocols (IPX, CLNS)
• Address Resolution Protocol (ARP)/RARP

Additional features supported by the 2-Port Gigabit Synchronous Ethernet SPA on the Cisco 7600 series router:
• L1 clock frequency distribution: in this mode the 2-Port Gigabit Synchronous Ethernet SPA recovers the received clock, synchronizes it to a traceable source, and uses it to transmit data to the next node.
• L2/L3 timing (event, phase, and frequency) is supported through IEEE 1588v2 PTP.
• A BITS interface for an external SSU/BITS device can be used as a clock source, or to clean up accumulated wander on a system or recovered clock.
• The GPS timing interface is used for external GPS devices and can be selected as an input or output reference. The GPS timing interface supports:
  – connectivity to a GPS clock
  – translation of the received GPS clock into IEEE 1588v2 messages
• IEEE 1588v2
• To maintain a communication channel in synchronous network connections, Ethernet relies on the Ethernet Synchronization Messaging Channel (ESMC), based on the IEEE 802.3 Organization Specific Slow Protocol. ESMC relays the SSM code that represents the quality level of the Ethernet Equipment Clock (EEC) at the physical layer.

1588V2 Overview

IEEE 1588-2008 is a protocol specification standard, also known as Precision Time Protocol Version 2 (PTPv2). It is specifically designed to provide precise timing and synchronization over packet-based Ethernet infrastructures.

Timing over Packet

Timing over Packet (ToP) works as a virtual interface on the Route Processor; it is the address through which the 2-Port Gigabit Synchronous Ethernet SPA's PTP stack reaches the outside world. Other PTP entities send packets to, and receive packets from, the interface's IP address. When a packet destined to the ToP IP address is received on the router, the router's hardware redirects it to the 2-Port Gigabit Synchronous Ethernet SPA rather than to the route processor. ToP is configured with a 32-bit mask. ToP does not support QoS; CoPP is supported.

Basic Operation of 1588V2

This section describes how PTP works.
Figure 11-1 shows the message exchange between the PTPv2 master and slave.

Figure 11-1 PTPv2 Message Exchange

The message exchange occurs in this sequence:
• The master sends a Sync message to the slave. The time at which this message is received is recorded by the hardware assist unit on the slave. In Figure 11-1, this is represented as t1.
• The master records the actual time at which the Sync message was sent (t0) from its own hardware assist unit and sends a Follow_Up message containing the timestamp of the previous Sync message to the slave.
• To calculate the network delay, the slave sends a Delay_Req message (t2) to the master. The slave hardware assist unit records the time at which the message is sent.
• Upon receiving the Delay_Req message, the master transmits a Delay_Resp message, carrying the timestamp t3 at which the Delay_Req was received, back to the slave.
• The slave uses the timestamps t0 through t3 to calculate the offset and the propagation delay and to correct its clock.

1588V2 Supported Models

These are the two PTP models supported by 1588v2:
• Service SPA Model: in the service SPA model, packets originate and terminate on the 2-Port Gigabit Synchronous Ethernet SPA through the SIP-400. The service SPA model is simple, uses the existing infrastructure, and works with different encapsulations. The 2-Port Gigabit Synchronous Ethernet SPA receives the redirected PTP packets, processes them, and sends the reply packets to the central switching engine. These packets are forwarded based on the IP address of the client.
  These are the restrictions for the service SPA model:
  – Timestamping is not done at the exact moment of packet entry to, or exit from, the system.
  – The transit time of PTP packets through the system is not constant, which produces packet delay variation (PDV).
• Direct SPA Model: of the existing line cards on the Cisco 7600, the 2-Port Gigabit Synchronous Ethernet SPA is capable of accurately timestamping packets on both receive and transmit. To meet the accuracy requirements of 1588v2, the PTP packets are therefore received and transmitted on the 2-Port Gigabit Synchronous Ethernet SPA itself. In the direct SPA model, PTP packets are received or transmitted through the Ethernet ports of the 2-Port Gigabit Synchronous Ethernet SPA. PTP packets arriving on a 2-Port Gigabit Synchronous Ethernet SPA Ethernet interface are diverted to the PTP stack on the SPA by the FPGA. The PTP stack then takes the necessary action based on the configuration (master or slave). The reply packets are sent out of the SPA's Ethernet ports.
  These are the restrictions for the direct SPA model:
  – Only a limited set of encapsulations is supported.
  – PTP packets are received only on the 2-Port Gigabit Synchronous Ethernet SPA ports.

Supported Transport Modes

These are the transport modes that 1588v2 supports:
• Unicast Mode: in unicast mode, the 1588v2 master transmits the Sync and Delay_Resp messages to the unicast IP address of the slave, and the slave in turn transmits the Delay_Req to the unicast IP address of the master.
• Unicast Negotiation Mode: in unicast negotiation mode, the master does not know of any slave at the outset. The slave sends a negotiation message to the master. Unicast negotiation mode is good for scalability, because one master can serve multiple slaves.
• Mixed-multicast Mode: in the mixed-multicast model, the master transmits messages in multicast packets to the IP address 224.0.1.129 (defined by the 1588v2 standard). The slave learns the IP address of the master in this process and transmits a Delay_Req message. The master then transmits a Delay_Resp message back to the slave in unicast. To send messages in multicast mode, the master must explicitly specify the multicast egress interface. This enables the intermediate network to route 224.0.1.129 to the slave.

Time of Day (TOD)

The 2-Port Gigabit Synchronous Ethernet SPA provides two physical interfaces to retrieve a timestamp from, or generate one for, the GPS signal. The physical interfaces used to retrieve Time of Day (ToD) and estimated phase are:
• 1PPS interface
• RJ45 interface

Figure 11-2 shows Time of Day (ToD) and 1PPS synchronization using 1588v2.

Figure 11-2 Block Diagram for Time of Day (ToD) and 1 PPS Synchronization using 1588V2

Time of Day on the 1588V2 Master

In 1588v2 master mode, Time of Day (ToD) enables the 2-Port Gigabit Synchronous Ethernet SPA to receive the time from the GPS receiver through the RJ45 interface and synchronize it with the SPA's current time. The 1588v2 master requires the 1PPS input from the GPS device to read ToD correctly.

Time of Day on the 1588V2 Slave

In 1588v2 slave mode, the 2-Port Gigabit Synchronous Ethernet SPA recovers ToD from the 1588v2 session. The ToD and 1PPS recovered from Precision Time Protocol (PTP) are replayed on the respective interfaces.

Restrictions

From release 15.1(1)S, these restrictions apply to the 1588v2 feature:
• The ToD recovered from the 1588v2 session is not in sync with the system clock.
• GPS interfaces can be used only for clock recovery. The system clock cannot be transmitted out on the GPS interface.
• The only TOD formats supported are UBOX, CISCO, and NTP.
To use the clock recovered from the 1588v2 session, the ToP interface should be configured as the clock source.

Precision Time Protocol (PTP)

The Cisco 7600 series router supports the Precision Time Protocol (PTP) as defined by the IEEE 1588-2008 standard. PTP provides accurate time synchronization over packet-switched networks. Table 11-1 describes the nodes within a PTP network.

Table 11-1 Nodes within a PTP Network

Network Element     Description
Grandmaster         A network device physically attached to the primary time source. All clocks are synchronized to the grandmaster clock.
Ordinary clock      An ordinary clock is a 1588 clock with a single PTP port that can operate in one of the following modes:
                    • Master mode—Distributes timing information over the network to one or more slave clocks, thus allowing the slave to synchronize its clock to the master.
                    • Slave mode—Synchronizes its clock to a master clock. You can enable the slave mode on up to two interfaces simultaneously in order to connect to two different master clocks.
Boundary clock      The device participates in selecting the best master clock and can act as the master clock if no better clocks are detected. A boundary clock starts its own PTP session with a number of downstream slaves. The boundary clock reduces the number of network hops, and with it the packet delay variation, in the packet network between the grandmaster and the slave.
Transparent clock   A transparent clock is a device or a switch that calculates the time it requires to forward traffic and updates the PTP time correction field to account for the delay, making the device transparent in terms of time calculations.

PTP Redundancy

PTP redundancy is implemented on different clock nodes. It helps the PTP slave clock node to:
• Interact with multiple master ports such as the grandmaster, boundary clock nodes, and so on.
• Open PTP sessions.
• Select the best master from the existing list of masters (referred to as the primary PTP master port or primary clock source).
• Switch to the next best available master if the primary master fails, or if the connectivity to the primary master fails.

Note The PTP redundancy model available on the 2-Port Gigabit Synchronous Ethernet SPA is the hot standby model.

Hot Standby Master Model

The Cisco 7600 series router selects the best clock source from the PTP master clocks, and switches dynamically between them if the clock quality of the standby clock is better than that of the current master clock. The best master clock is selected based on the following parameters:
• Clock class
• Packet Timing Signal Fail (PTSF) announce failure status
• PTSF sync failure status
• PTSF unusable status (PDV)
• Local priority

Advantages of Hot Standby Master Model

The advantages of a hot standby master model are:
• Fast reference switching
• The PTSF unusable (PDV) status of a clock stream is monitored before that stream is selected.

Disadvantages of Hot Standby Model

The disadvantages of the hot standby model are:
• Full communication with all the PTP master ports injects more packets into the network.
• All the clock streams must be monitored, which increases the CPU load on the SPA.
• Scales to only three master clocks as the clock source.

Restrictions

The maximum number of PTP master ports for the 2-Port Gigabit Synchronous Ethernet SPA is limited to three.

Configuring PTP Redundancy

PTP Redundancy with 2-Port Gigabit Synchronous Ethernet SPA as Master

This section provides the configuration for PTP redundancy with the 2-Port Gigabit Synchronous Ethernet SPA as master.
Complete the following steps:

SUMMARY STEPS

Step 1 enable
Step 2 configure terminal
Step 3 ptp clock ordinary/boundary domain domain-no
Step 4 clock-port word master
Step 5 transport ipv4 unicast interface gigabitethernet/top negotiation
Step 6 exit

Configuration Example

This is an example for configuration of PTP redundancy as a master clock:

Router# enable
Router# configure terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port port master
Router(config-ptp-port)# transport ipv4 unicast interface gi 5/2/2 negotiation
Router(config-ptp-port)# exit

DETAILED STEPS

Step 1  enable
        Example: Router# enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2  configure terminal
        Example: Router# configure terminal
        Purpose: Enters global configuration mode.
Step 3  ptp clock ordinary/boundary domain domain-no
        Example: Router(config)# ptp clock ordinary domain 0
        Purpose: Configures a PTP ordinary or boundary clock.
Step 4  clock-port word master
        Example: Router(config-ptp-clk)# clock-port port master
        Purpose: Sets the clock port to PTP master mode; the port exchanges timing packets with PTP slave devices.
Step 5  transport ipv4 unicast interface gigabitethernet/top negotiation
        Example: Router(config-ptp-port)# transport ipv4 unicast interface gi 5/2/2 negotiation
        Purpose: Sets the port transport parameters.
        Note PTP redundancy is supported only in unicast negotiation mode.
Step 6  exit
        Example: Router(config-ptp-port)# exit
        Purpose: Returns the command-line interface (CLI) to privileged EXEC mode.

PTP Redundancy with 2-Port Gigabit Synchronous Ethernet SPA as Slave

This section provides the configuration for PTP redundancy with the 2-Port Gigabit Synchronous Ethernet SPA as slave. Complete the following steps:

SUMMARY STEPS

Step 1 enable
Step 2 configure terminal
Step 3 ptp clock ordinary/boundary domain domain-no
Step 4 clock-port word slave
Step 5 transport ipv4 unicast interface gigabitethernet/top negotiation
Step 6 clock source ip local-priority
Step 7 exit

DETAILED STEPS

Step 1  enable
        Example: Router# enable
        Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2  configure terminal
        Example: Router# configure terminal
        Purpose: Enters global configuration mode.
Step 3  ptp clock ordinary/boundary domain domain-no
        Example: Router(config)# ptp clock ordinary domain 0
        Purpose: Configures PTP as either an ordinary or a boundary clock.
Step 4  clock-port word slave
        Example: Router(config-ptp-clk)# clock-port port slave
        Purpose: Sets the clock port to PTP slave mode; the port exchanges timing packets with a PTP master device.
Step 5  transport ipv4 unicast interface gigabitethernet/top negotiation
        Example: Router(config-ptp-port)# transport ipv4 unicast interface gi 5/2/2 negotiation
        Purpose: Sets the port transport parameters.
Step 6  clock source ip local-priority
        Example: Router(config-ptp-port)# clock source 8.8.8.1
        Purpose: Sets the IP address of the PTP slave device.
Step 7  exit
        Example: Router(config-ptp-port)# exit
        Purpose: Returns the CLI to privileged EXEC mode.
This is an example for configuration of PTP redundancy as a slave clock:

Router# enable
Router# configure terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port port slave
Router(config-ptp-port)# transport ipv4 unicast interface gi 5/2/2 negotiation
Router(config-ptp-port)# clock source 8.8.8.1
Router(config-ptp-port)# clock source 9.9.9.1 1
Router(config-ptp-port)# clock source 10.10.10.1 2
Router(config-ptp-port)# exit

Verifying PTP Redundancy on the 2-Port Gigabit Synchronous Ethernet SPA

This section provides show commands for verifying PTP redundancy as slave:

Router# show ptp clock running
PTP Ordinary Clock [Domain 0]
State          Ports    Pkts sent    Pkts rcvd    Redundancy Mode
ACQUIRING      1        7354         38543        Hot standby

PORT SUMMARY
                                                          PTP Master
Name     Tx Mode   Role    Transport   State   Sessions   Port Addr
SLAVE    unicast   slave   Gi3/3/0     -       1          2.2.2.1

Router# show ptp clock running domain 0
PTP Ordinary Clock [Domain 0]
State          Ports    Pkts sent    Pkts rcvd    Redundancy Mode
ACQUIRING      1        2065         11432        Hot standby

PORT SUMMARY
                                                          PTP Master
Name     Tx Mode   Role    Transport   State   Sessions   Port Addr
SLAVE    unicast   slave   Gi3/3/0     -       1          2.2.2.1

SESSION INFORMATION
SLAVE [Gi3/3/0] [Sessions 1]
Peer addr       Pkts in    Pkts out    In Errs    Out Errs
1.1.1.1         7859       1444        0          0
2.2.2.1         3573       621         0          0

Router# show ptp port running
PORT [SLAVE]
CURRENT PTP MASTER PORT
  Protocol Address: 2.2.2.1
  Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
  Local Priority: 1
  PTSF Status: PTSF_UNUSABLE Alarm In Stream
  Clock Stream Id: 0
  Priority1: 128
  Priority2: 128
  Class: 13
  Accuracy: Within 1s
  Offset (log variance): 52592
  Steps Removed: 0

Router# show ptp port running detail
PORT [SLAVE]
CURRENT PTP MASTER PORT
  Protocol Address: 2.2.2.1
  Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
PORT [SLAVE]
PREVIOUS PTP MASTER PORT
PORT [SLAVE]
LIST OF PTP MASTER PORTS
LOCAL PRIORITY 0
  Protocol Address: 1.1.1.1
  Clock Identity: 0x0:8:7C:FF:FF:B2:3F:40
  PTSF Status: PTSF_UNUSABLE Alarm In Stream
  Clock Stream Id: 1
  Priority1: 128
  Priority2: 128
  Class: 13
  Accuracy: Within 1s
  Offset (log variance): 52592
  Steps Removed: 0
LOCAL PRIORITY 1
  Protocol Address: 2.2.2.1
  Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
  PTSF Status: PTSF_UNUSABLE Alarm In Stream
  Clock Stream Id: 0
  Priority1: 128
  Priority2: 128
  Class: 13
  Accuracy: Within 1s
  Offset (log variance): 52592
  Steps Removed: 0

Router# show platform ptp all
Slave info : [GigabitEthernet3/3/0][0x530EC0E8]
-----------
clock role            : 2
Slave Port hdl        : 3690987522
Tx Mode               : 2
Slave IP              : 1.1.1.2
Slave State Machine   : 0x55EAEE0C
Slave state           : 3
Config Vector         : 0x457C1174
Selected Clk src      : 2.2.2.1
Max Clk Srcs          : 3
Boundary Clock        : FALSE
Lock status           : ACQUIRING
Refcnt                : 1
--------------------------------
PTP Engine Handle     : 1
Master IP             : 1.1.1.1
Route to Master       : GigabitEthernet3/3/0
N-H Mac address       : 0008.7cb2.3f40
N-H Route Handle      : 0x53C46628
N-H ARP Handle        : 0x562FB3C8
Local Priority        : 0
Set Master IP         : 1.1.1.1
Set route IDB         : GigabitEthernet3/3/0
Set route MAC         : 0008.7cb2.3f40
--------------------------------
PTP Engine Handle     : 0
Master IP             : 2.2.2.1
Route to Master       : GigabitEthernet3/3/1
N-H Mac address       : 0006.527c.6ec0
N-H Route Handle      : 0x53C465F4
N-H ARP Handle        : 0x562FB418
Local Priority        : 1
Set Master IP         : 2.2.2.1
Set route IDB         : GigabitEthernet3/3/1
Set route MAC         : 0006.527c.6ec0
--------------------------------
PTP Engine Handle     : -1
Master IP             : 0.0.0.0
Route to Master       : Not Set
N-H Mac address       : 0000.0000.0000
N-H Route Handle      : 0x0
N-H ARP Handle        : 0x0
Local Priority        : 0
Set Master IP         : 0.0.0.0
Set route IDB         : Not Set
Set route MAC         : 0000.0000.0000
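The slave-side listing above is what an operator has to read when deciding whether the hot standby selection (Hot Standby Master Model, earlier in this chapter) has picked the master it should: every master here carries a PTSF_UNUSABLE alarm. The following Python is an added example, not Cisco code and not part of this guide: it parses text laid out like the LIST OF PTP MASTER PORTS section of show ptp port running detail and applies the selection rules the guide states (exclude any master with a PTSF alarm, then clock class, then local priority, and stay on the current master unless a standby is strictly better). The sample output is constructed with RFC 5737 documentation addresses; the "PTSF Status: NONE" value for an alarm-free stream and the rule that a numerically lower local priority is preferred are assumptions of this example.

```python
"""Hot-standby master selection over a parsed PTP master-port listing (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (not captured from a device): three candidate masters,
# one with a PTSF alarm, one clean, one clean but with a worse clock class.
# "PTSF Status: NONE" for a healthy stream is an assumed output format.
SAMPLE_OUTPUT = """\
PORT [SLAVE]
LIST OF PTP MASTER PORTS
LOCAL PRIORITY 0
  Protocol Address: 198.51.100.1
  Clock Identity: 0x0:8:7C:FF:FF:B2:3F:40
  PTSF Status: PTSF_UNUSABLE Alarm In Stream
  Clock Stream Id: 1
  Priority1: 128
  Priority2: 128
  Class: 13
  Accuracy: Within 1s
  Offset (log variance): 52592
  Steps Removed: 0
LOCAL PRIORITY 1
  Protocol Address: 198.51.100.2
  Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
  PTSF Status: NONE
  Clock Stream Id: 0
  Priority1: 128
  Priority2: 128
  Class: 13
  Accuracy: Within 1s
  Offset (log variance): 52592
  Steps Removed: 0
LOCAL PRIORITY 2
  Protocol Address: 198.51.100.3
  Clock Identity: 0x0:1:2:FF:FF:3:4:5
  PTSF Status: NONE
  Clock Stream Id: 2
  Priority1: 128
  Priority2: 128
  Class: 248
  Accuracy: Within 1s
  Offset (log variance): 65535
  Steps Removed: 1
"""

@dataclass
class MasterPort:
    address: str = ""
    local_priority: int = 0
    clock_class: int = 255      # 255 is the worst clockClass value in IEEE 1588
    ptsf_status: str = ""
    clock_identity: str = ""

    @property
    def usable(self) -> bool:
        """Any PTSF alarm (announce, sync or unusable/PDV) disqualifies the stream."""
        return "PTSF_" not in self.ptsf_status.upper()

    def rank(self) -> Tuple[int, int]:
        """Lower is better: clock class first, then local priority.
        Assumption: a numerically lower local priority is preferred."""
        return (self.clock_class, self.local_priority)

_PRIORITY_RE = re.compile(r"^\s*LOCAL PRIORITY\s+(\d+)\s*$")
_FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_master_ports(text: str) -> List[MasterPort]:
    """Collect one MasterPort per LOCAL PRIORITY block of the listing."""
    ports: List[MasterPort] = []
    current: Optional[MasterPort] = None
    for line in text.splitlines():
        m = _PRIORITY_RE.match(line)
        if m:
            current = MasterPort(local_priority=int(m.group(1)))
            ports.append(current)
            continue
        if current is None:
            continue                      # header lines before the first block
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Protocol Address":
            current.address = value
        elif key == "Clock Identity":
            current.clock_identity = value
        elif key == "PTSF Status":
            current.ptsf_status = value
        elif key == "Class":
            current.clock_class = int(value)
    return ports

def select_master(ports, current_address=None) -> Optional[MasterPort]:
    """Hot-standby choice: best usable master; keep the current one on a tie."""
    usable = [p for p in ports if p.usable]
    if not usable:
        return None
    best = min(usable, key=MasterPort.rank)
    current = next((p for p in usable if p.address == current_address), None)
    if current is not None and current.rank() == best.rank():
        return current                    # standby is not strictly better: no switch
    return best

def failover_order(ports) -> List[str]:
    """Addresses of usable masters in the order the slave would fall back to them."""
    return [p.address for p in sorted((p for p in ports if p.usable), key=MasterPort.rank)]

def alarmed_masters(ports) -> Dict[str, str]:
    """Masters carrying a PTSF alarm, the first thing to check during verification."""
    return {p.address: p.ptsf_status for p in ports if not p.usable}

if __name__ == "__main__":
    parsed = parse_master_ports(SAMPLE_OUTPUT)
    print("alarms        :", alarmed_masters(parsed))
    print("selected      :", select_master(parsed).address)
    print("failover order:", failover_order(parsed))
```

Run against the guide's own listing, where both masters report PTSF_UNUSABLE, select_master() returns None, which is the condition to investigate (packet delay variation on both streams) before trusting the ACQUIRING state shown by show ptp clock running.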
This section includes the show command to verify PTP redundancy as master:

Router# show ptp clock running domain 0
PTP Ordinary Clock [Domain 0]
State          Ports    Pkts sent    Pkts rcvd    Redundancy Mode
FREQ_LOCKED    1        25077        4798         Hot standby

PORT SUMMARY
                                                           PTP Master
Name      Tx Mode   Role     Transport   State   Sessions   Port Addr
MASTER1   unicast   master   Gi1/0/0     -       1          -

SESSION INFORMATION
MASTER1 [Gi1/0/0] [Sessions 1]
Peer addr       Pkts in    Pkts out    In Errs    Out Errs
1.1.1.2         4798       25077       0          0

Synchronous Ethernet

Synchronous Ethernet (SyncE) is a procedure in which a physical layer interface is used to pass timing from node to node in the same way that timing is passed in SONET or SDH. SyncE, defined by ITU-T standards such as G.8261, G.8262, G.8264, and G.781, uses the PHY layer of Ethernet to transmit frequency to remote sites. SyncE over Ethernet provides a cost-effective alternative for such networks. For SyncE to work, each network element along the synchronization path must support SyncE.

The 2-Port Gigabit Synchronous Ethernet SPA has a dedicated external interface, known as the BITS interface, to recover the clock from a Synchronization Supply Unit (SSU). The Cisco 7600 router uses this clock for SyncE. The BITS interface supports E1 (European SSU) and T1 (American BITS) framing. Table 11-2 lists the framing modes for the BITS port on a 2-Port Gigabit Synchronous Ethernet SPA.

Table 11-2 Framing Modes for BITS Port

BITS/SSU port support matrix
Port      Framing modes supported   SSM/QL support   Tx Port   Rx Port
T1        T1 ESF                    Yes              Yes       Yes
T1        T1 SF                     No               Yes       Yes
E1        E1 CRC4                   Yes              Yes       Yes
E1        E1 FAS                    No               Yes       Yes
E1        E1 CAS                    No               No        Yes
E1        E1 CAS CRC4               Yes              No        Yes
2048kHz   2048kHz                   No               Yes       Yes

You can implement SyncE on the 2-Port Gigabit Synchronous Ethernet SPA with four different configurations:
• Clock Recovery from SyncE: The system clock is recovered from the SyncE clocking source (gigabit and ten gigabit interfaces only). The router uses this clock as the Tx clock for other SyncE interfaces or ATM/CEoP interfaces.
• Clock Recovery from External Interface: The system clock is recovered from a BITS clocking source or a GPS interface.
• Line to External: The clock received from an Ethernet interface is forwarded to an external Synchronization Supply Unit (SSU). Along a synchronization chain, the received clock may have unacceptable wander and jitter. The router recovers the clock from the SyncE interface, converts it to the format required for the BITS interface, and sends it to an SSU through the BITS port. The SSU cleans up the clock and sends it back to the BITS interface. This clock is used as the Tx clock for the SyncE ports.
• System to External: The system clock is used as the Tx clock for an external interface. By default, the system clock is not transmitted on an external interface.

Squelching

Squelching is a process in which an alarm indication signal (AIS) is sent to the Tx interfaces whenever the clock source goes down. The squelching functionality is implemented in two cases:
• Line to external: If the line source goes down, an AIS is transmitted on the external interface to the SSU.
• System to external: If the router loses all the clock sources, an AIS is transmitted on the external interface to the SSU.
Squelching is performed only towards an external device such as an SSU or a Primary Reference Clock (PRC).

SSM and ESMC

Network clocking uses these mechanisms to exchange the quality level of the clock between network elements:
• Synchronization Status Message
• Ethernet Synchronization Messaging Channel

Synchronization Status Message

Network elements use Synchronization Status Messages (SSM) to inform the neighboring elements about the Quality Level (QL) of the clock. Non-Ethernet interfaces, such as optical interfaces and SONET/T1/E1 SPA framers, use SSM. The key benefits of the SSM functionality are:
• Prevents timing loops.
• Provides fast recovery when a part of the network fails.
• Ensures that a node derives timing from the most reliable clock source.

Ethernet Synchronization Messaging Channel

In order to maintain a logical communication channel in synchronous network connections, Ethernet relies on a channel called the Ethernet Synchronization Messaging Channel (ESMC), based on the IEEE 802.3 Organization Specific Slow Protocol standard. ESMC relays the SSM code that represents the quality level of the Ethernet Equipment Clock (EEC) at the physical layer. ESMC packets are received only on the ports configured as clock sources and are transmitted on all the SyncE interfaces in the system. The received packets are processed by the clock selection algorithm on the RP and are used to select the best clock. The Tx frame is generated based on the QL value of the selected clock source and is sent to all the enabled SyncE ports.

Clock Selection Algorithm

The clock selection algorithm selects the best available synchronization source from the nominated sources.
The clock selection algorithm is non-revertive among clock sources with the same QL value and always selects the signal with the best QL value. For clock option 1 the default is revertive, and for clock option 2 the default is non-revertive. The clock selection process works in QL-enabled and QL-disabled modes. When multiple selection processes are present in a network element, all processes work in the same mode.

QL-enabled mode

In QL-enabled mode, the following parameters contribute to the selection process:
• Quality level
• Signal fail via QL-FAILED
• Priority
• External commands
If no external commands are active, the algorithm selects the reference (for clock selection) with the highest quality level that does not experience a signal fail condition. If multiple inputs have the same highest quality level, the input with the highest priority is selected. For multiple inputs having the same highest priority and quality level, the existing reference is maintained (if it belongs to this group); otherwise an arbitrary reference from this group is selected.

QL-disabled mode

In QL-disabled mode, the following parameters contribute to the selection process:
• Signal failure
• Priority
• External commands
If no external commands are active, the algorithm selects the reference (for clock selection) with the highest priority that does not experience a signal fail condition. For multiple inputs having the same highest priority, the existing reference is maintained (if it belongs to this group); otherwise an arbitrary reference from this group is selected.

Hybrid mode

The SyncE feature requires that each network element along the synchronization path supports SyncE. Timing over Packet (ToP) enables the transfer of timing over an asynchronous network.
The hybrid mode uses the clock derived from 1588 (PTP) to drive the system clock. This is achieved by configuring the Timing over Packet (ToP) interface on the PTP slave as the input source. For more information on 1588V2, see 1588V2 Overview, page 11-4.

Note The ToP interface does not support QL and works only in QL-disabled mode.

For information on configuring the network clock, see Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.

Restrictions

Note For other SIP-specific features and restrictions, see also Chapter 3, “Overview of the SIPs and SSC.”

These restrictions apply to the 2-Port Gigabit Synchronous Ethernet SPA introduced in Cisco IOS Release 15.0(1)S:
• Synchronous SPA features are compatible with the 2-Port Gigabit Synchronous Ethernet SPA.
• The maximum theoretical bandwidth of the 2-Port Gigabit Synchronous Ethernet SPA is 2 Gbps full-duplex. The actual performance is limited by the capability of the host or jacket card.
• In a failover scenario, the SPA does not perform any automatic switchover to a secondary clock source, even if the secondary reference is configured on the same SPA. If the primary clock goes down, the platform explicitly sets the secondary clock as the source.
• The 2-Port Gigabit Ethernet SPA has copper ports present and therefore does not allow a copper SFP to be enabled on it. Use the show hw-module subslot transceiver status command to view the status of the transceiver on the card.
Starting from the 12.2(33)SRD release, SPA-8X1FE-TX-V2 and SPA-4X1FE-TX-V2 are supported on the SIP-400.
The following restrictions apply to Cisco IOS Release 12.2(18)SXF:
• EtherChannel is not supported on Fast Ethernet SPAs or the 2-Port Gigabit Ethernet SPA on the Cisco 7600 SIP-400.
• The Line to External configuration for clock cleanup is supported only if the line interface and the external (BITS) interface are on the same 2-Port Gigabit Synchronous Ethernet SPA.
• A GPS cannot be used as an output source.
• If more than two sources are configured as clocks on the SIP-400 and one of them goes Out of Range (OOR), that clock is not selected unless it is configured again.
• We recommend that you do not configure multiple input sources with the same priority, as this may affect the TSM switching delay.

Hybrid Mode Restrictions
• When a 2-Port Gigabit Synchronous Ethernet SPA functions as the master, the clock source can be the system or a port on the SPA such as GPS, BITS, or Gigabit Ethernet. When the SPA functions as the slave, clock recovery can only be through PTP and not from any other source.
• When a 2-Port Gigabit Synchronous Ethernet SPA functions as the slave and the external interface is on the SPA, the system to external command is not supported.
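Before moving on to the supported MIBs, the selection rules given in the Clock Selection Algorithm section above (QL-enabled and QL-disabled modes, the non-revertive tie rule, and the Hybrid mode note that a ToP input carries no QL) are worked through in the following Python. This is an added example, not Cisco code and not the router's implementation: the nominated sources, their QL values and priorities are constructed, a numerically lower priority is assumed to be the higher priority, and treating unallocated SSM codes as do-not-use is this example's own policy. The SSM code to QL mapping is the ITU-T G.781 option 1 assignment.

```python
"""SyncE clock selection in QL-enabled and QL-disabled modes (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional

# ITU-T G.781 option 1 SSM codes (as carried in SSM/ESMC) mapped to quality
# levels; QL_RANK orders them best (0) to worst. The rank numbers are this
# example's own ordering, not protocol values.
SSM_CODE_OPTION1 = {0x2: "QL-PRC", 0x4: "QL-SSU-A", 0x8: "QL-SSU-B", 0xB: "QL-SEC", 0xF: "QL-DNU"}
QL_RANK = {"QL-PRC": 0, "QL-SSU-A": 1, "QL-SSU-B": 2, "QL-SEC": 3, "QL-DNU": 4}

def ql_from_ssm(code: int) -> str:
    """Decode a 4-bit SSM code. Codes not allocated in option 1 are treated as
    do-not-use here (an assumption of this example, not a standard rule)."""
    return SSM_CODE_OPTION1.get(code & 0xF, "QL-DNU")

@dataclass(frozen=True)
class Source:
    name: str
    ql: Optional[str]        # None for inputs that carry no QL, such as a ToP interface
    priority: int            # assumption: a lower number is a higher priority
    signal_fail: bool = False

def with_fail(sources: List[Source], name: str, failed: bool = True) -> List[Source]:
    """Copy of the nomination list with one source's signal-fail flag changed."""
    return [replace(s, signal_fail=failed) if s.name == name else s for s in sources]

def select(sources, existing=None, ql_enabled=True, external_command=None) -> Optional[str]:
    """Name of the reference selected under the guide's rules, or None.

    An active external command forces that reference (unless it has failed);
    otherwise: best QL (QL-enabled mode only), then highest priority, then the
    existing reference if it is in the tied group (non-revertive), else the
    first nominated member of the group ("an arbitrary reference").
    """
    if external_command is not None:
        forced = next((s for s in sources if s.name == external_command), None)
        return forced.name if forced is not None and not forced.signal_fail else None
    candidates = [s for s in sources if not s.signal_fail]
    if ql_enabled:
        # QL-DNU counts as QL-FAILED; a source without a QL can never be chosen here.
        candidates = [s for s in candidates if s.ql in QL_RANK and s.ql != "QL-DNU"]
        if candidates:
            best_ql = min(QL_RANK[s.ql] for s in candidates)
            candidates = [s for s in candidates if QL_RANK[s.ql] == best_ql]
    if not candidates:
        return None
    best_prio = min(s.priority for s in candidates)
    group = [s.name for s in candidates if s.priority == best_prio]
    return existing if existing in group else group[0]

# Constructed nominations (not from a device): a BITS input at QL-PRC, a SyncE
# port at QL-SSU-B with the better priority, and a ToP input that carries no QL.
NOMINATED = [
    Source("BITS0", "QL-PRC", priority=2),
    Source("Gi2/0/0", "QL-SSU-B", priority=1),
    Source("ToP0", None, priority=3),
]

if __name__ == "__main__":
    print("QL-enabled            :", select(NOMINATED))
    print("QL-disabled           :", select(NOMINATED, ql_enabled=False))
    print("QL-enabled, BITS fails:", select(with_fail(NOMINATED, "BITS0")))
    print("QL-disabled, only ToP :", select(with_fail(with_fail(NOMINATED, "BITS0"), "Gi2/0/0"), ql_enabled=False))
```

The two modes give different answers on the same nominations: QL-enabled picks the BITS input because QL-PRC beats QL-SSU-B regardless of priority, while QL-disabled ignores QL and picks the SyncE port on priority alone. The ToP input only ever wins in QL-disabled mode once everything else has failed, which is the behaviour the Hybrid mode note describes.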
Supported MIBs

The following MIBs are supported by the Fast Ethernet and Gigabit Ethernet SPAs on the Cisco 7600 series router:
• ENTITY-MIB (RFC 2737)
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENTITY-ALARM-MIB
• CISCO-ENTITY-SENSOR-MIB
• IF-MIB
• ETHERLIKE-MIB (RFC 2665)
• Remote Monitoring (RMON)-MIB (RFC 1757)
• CISCO-CLASS-BASED-QOS-MIB
• MPLS-related MIBs
• Ethernet MIB/RMON

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you.

SPA Architecture

This section provides an overview of the architecture of the Fast Ethernet and Gigabit Ethernet SPAs and describes the path of a packet in the ingress and egress directions. Some of these areas of the architecture are referenced in the SPA software, and understanding them is helpful when troubleshooting or interpreting the SPA CLI and show command output.

Every incoming and outgoing packet on the Fast Ethernet SPAs goes through the physical port (PHY RJ45), the Media Access Controller (MAC), and a Layer 2 Filtering/Accounting ASIC.
Every incoming and outgoing packet on the Gigabit Ethernet SPAs goes through the physical (PHY) SFP optics, the Media Access Controller (MAC), and a Layer 2 Filtering/Accounting ASIC.

Path of a Packet in the Ingress Direction

The following steps describe the path of an ingress packet through the Fast Ethernet or Gigabit Ethernet SPAs:
1. For Fast Ethernet SPAs, each of the ports receives incoming frames from one of the RJ45 interface connectors. For Gigabit Ethernet SPAs, the SFP optics receive incoming frames on a per-port basis from one of the optical fiber interface connectors.
2. For Fast Ethernet SPAs, the PHY device processes the frame and sends it over a serial interface to the MAC device. For Gigabit Ethernet SPAs, the SFP PHY device processes the frame and sends it over a serial interface to the MAC device.
3. The MAC device receives the frame, strips the CRCs, and sends the packet via the SPI 4.2 bus to the ASIC.
4. The ASIC takes the packet from the MAC devices and classifies the Ethernet information. CAM lookups based on etype, port, VLAN, and source and destination address information determine whether the packet is dropped or forwarded to the SPA interface.

Path of a Packet in the Egress Direction

The following steps describe the path of an egress packet from the SIP through the Fast Ethernet and Gigabit Ethernet SPAs:
1. The packet is sent to the ASIC using the SPI 4.2 bus. The packets are received with Layer 2 and Layer 3 headers in addition to the packet data.
2. The ASIC uses port number, destination MAC address, destination address type, and VLAN ID to perform parallel CAM lookups. If the packet is forwarded, it is forwarded via the SPI 4.2 bus to the MAC device.
3. For Fast Ethernet SPAs, the MAC device forwards the packets to the PHY RJ45 interface, which transmits the packet.
   For Gigabit Ethernet SPAs, the MAC device forwards the packets to the PHY laser-optic interface, which transmits the packet.

Displaying the SPA Hardware Type

To verify the SPA hardware type that is installed in your Cisco 7600 series router, you can use the show interfaces command. Table 11-3 shows the hardware description that appears in the show command output for each type of Fast Ethernet and Gigabit Ethernet SPA that is supported on the Cisco 7600 series router.

Table 11-3 SPA Hardware Descriptions in show Commands

SPA                              Description in show interfaces Command
4-Port Fast Ethernet SPA         Hardware is FastEthernet SPA
8-Port Fast Ethernet SPA         Hardware is FastEthernet SPA
1-Port 10-Gigabit Ethernet SPA   Hardware is TenGigEther SPA
2-Port Gigabit Ethernet SPA      Hardware is GigEther SPA
5-Port Gigabit Ethernet SPA      Hardware is GigEther SPA
10-Port Gigabit Ethernet SPA     Hardware is GigEther SPA

Example of the show hw-module subslot transceiver Command

The following example shows output from the show hw-module subslot 1/1 transceiver 1 status command on a Cisco 7600 series router with a 2-Port Gigabit Ethernet SPA installed in slot 1 and subslot 1:

Router# show hw-module subslot 1/1 transceiver 1 status
The transceiver in slot 1 subslot 1 port 1 has been disabled because:
it is not supported by this card.
Sensor Data is not supported by this transceiver

Example of the show interfaces Command

The following example shows output from the show interfaces fastethernet command on a Cisco 7600 series router with a 4-Port Fast Ethernet SPA installed in slot 3:

Router# show interfaces fastethernet3/2/3
FastEthernet3/2/3 is up, line protocol is up
  Hardware is FastEthernet SPA, address is 000e.d623.e840 (bia 000e.d623.e840)
  Internet address is 33.1.0.2/16
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 59/255, rxload 83/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:11, output 00:00:08, output hang never
  Last clearing of "show interface" counters 3d00h
  Input queue: 0/75/626373350/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 32658000 bits/sec, 68032 packets/sec
  5 minute output rate 23333000 bits/sec, 48614 packets/sec
     17792456686 packets input, 1067548381456 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 130043940 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     12719598014 packets output, 763177809958 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

The following example shows output from the show interfaces gigabitethernet command on a Cisco 7600 series router with a 2-Port Gigabit Ethernet SPA installed in slot 2:

Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is down, line protocol is down
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is on, input flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 03:19:34, output 03:19:29, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1703 packets input, 638959 bytes, 0 no buffer
     Received 23 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1670 multicast, 0 pause input
     1715 packets output, 656528 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

The following example shows output from the show interfaces tengigabitethernet command on a Cisco 7600 series router with a 1-Port 10-Gigabit Ethernet SPA installed in slot 7:

Router# show interfaces tengigabitethernet7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)
  Hardware is TenGigEther SPA, address is 0000.0c00.0102 (bia 000f.342f.c340)
  Internet address is 15.1.1.2/24
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 10Gb/s
  input flow-control is on, output flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:10, output hang never
  Last clearing of "show interface" counters 20:24:30
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     237450882 packets input, 15340005588 bytes, 0 no buffer
     Received 25 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1676 packets output, 198290 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

The following example shows output from the show interfaces gigabitethernet command on a Cisco 7600 series router with a 2-Port Gigabit Synchronous Ethernet SPA installed in slot 2:

Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is down, line protocol is down
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is on, input flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 03:19:34, output 03:19:29, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1703 packets input, 638959 bytes, 0 no buffer
     Received 23 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1670 multicast, 0 pause input
     1715 packets output, 656528 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

CHAPTER 12

Configuring the Fast Ethernet and Gigabit Ethernet SPAs

This chapter provides information about configuring the 4-Port Fast Ethernet SPA (shared port adapter), 8-Port Fast Ethernet SPA, 1-Port 10-Gigabit Ethernet SPA, 2-Port Gigabit Ethernet SPA, 5-Port Gigabit Ethernet SPA, and 10-Port Gigabit Ethernet SPA on the Cisco 7600 series router. It includes the following sections:
• Configuration Tasks, page 12-1
• Verifying the Interface Configuration, page 12-104
• Configuration Examples, page 12-105

For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.
For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and the Cisco IOS Configuration Fundamentals Command Reference publications that correspond to your Cisco IOS software release.

Configuration Tasks

This section describes how to configure the Fast Ethernet and Gigabit Ethernet SPAs and includes information about verifying the configuration. This section includes the following topics:
• Required Configuration Tasks, page 12-2
• Specifying the Interface Address on a SPA, page 12-4
• Modifying the MAC Address on the Interface, page 12-5
• Gathering MAC Address Accounting Statistics, page 12-5
• Configuring HSRP, page 12-6
• Customizing VRRP, page 12-6
• Modifying the Interface MTU Size, page 12-9
• Configuring the Encapsulation Type, page 12-11
• Configuring Autonegotiation on an Interface, page 12-11
• Configuring a Subinterface on a VLAN, page 12-13
• Configuring Layer 2 Switching Features, page 12-15
• Configuring Flow Control Support on the Link, page 12-21
• Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Mode, page 12-23
• Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Neg Mode, page 12-24
• Configuring 2-Port Gigabit Synchronous Ethernet SPA in Multicast Mode, page 12-25
• Configuring ToD on 1588V2 Master, page 12-26
• Configuring ToD on 1588V2 Slave, page 12-27
• Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29
• Configuring EtherChannels, page 12-46
• Configuring Virtual Private LAN Service (VPLS) and Hierarchical VPLS, page 12-46
• Configuring Connectivity Fault Management (CFM), page 12-46
• Troubleshooting CFM Features, page 12-58
• Configuring IP Subscriber Awareness over Ethernet, page 12-78
• Configuring a Backup Interface for Flexible UNI, page 12-79
• Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA, page 12-85
• Configuring MultiPoint Bridging over Ethernet on the 1-Port 10-Gigabit Ethernet SPA, page 12-93
• Configuring QoS on Ethernet SPAs, page 12-99
• Saving the Configuration, page 12-103
• Shutting Down and Restarting an Interface on a SPA, page 12-103

Required Configuration Tasks

This section lists the required configuration steps to configure the Fast Ethernet and Gigabit Ethernet SPAs. The commands in the section are applicable for both Fast Ethernet and Gigabit Ethernet SPAs; however, the examples below are for configuring a Gigabit Ethernet SPA. If you are configuring a Fast Ethernet SPA, replace the gigabitethernet command with the fastethernet command.

Some of the required configuration commands implement default values that might be appropriate for your network. If the default value is correct for your network, then you do not need to configure the command. These commands are indicated by “(As Required)” in the Purpose column.

Note: Cisco Discovery Protocol (CDP) is disabled by default on Cisco 7600 SIP-400 interfaces.

To configure the Fast Ethernet or Gigabit Ethernet SPAs, complete the following steps:

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# interface fastethernet slot/subslot/port[.subinterface-number]
  or Router(config)# interface gigabitethernet slot/subslot/port[.subinterface-number]
  or Router(config)# interface tengigabitethernet slot/subslot/port[.subinterface-number]
Purpose: Specifies the Fast Ethernet, Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where:
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 12-4.
• .subinterface-number—(Optional) Specifies a secondary interface (subinterface) number.

Step 3
Command: Router(config-if)# ip address [ip-address mask {secondary} | dhcp {client-id interface-name}{hostname host-name}]
Purpose: Sets a primary or secondary IP address for an interface that is using IPv4, where:
• ip-address—Specifies the IP address for the interface.
• mask—Specifies the mask for the associated IP subnet.
• secondary—(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.
• dhcp—Specifies that IP addresses will be assigned dynamically using DHCP.
• client-id interface-name—Specifies the client identifier. The interface-name sets the client identifier to the hexadecimal MAC address of the named interface.
• hostname host-name—Specifies the hostname for DHCP purposes. The host-name is the name of the host to be placed in the DHCP option 12 field.
Note: The DHCP options with this command are not available for all Gigabit Ethernet SPAs and Fast Ethernet SPAs.

Step 4
Command: Router(config-if)# ip accounting mac-address {input | output}
Purpose: (Optional) Enables MAC address accounting. MAC address accounting provides accounting information for IP traffic based on the source and destination MAC addresses of the LAN interfaces, where:
• input—Specifies MAC address accounting for traffic entering the interface.
• output—Specifies MAC address accounting for traffic leaving the interface.

Step 5
Command: Router(config-if)# mtu bytes
Purpose: (As Required) Specifies the maximum packet size for an interface, where:
• bytes—Specifies the maximum number of bytes for a packet. The default is 1500 bytes.

Step 6
Command: Router(config-if)# standby [group-number] ip [ip-address [secondary]]
Purpose: (Required for Hot Standby Router Protocol [HSRP] Configuration Only) Creates (or enables) the HSRP group using its number and virtual IP address, where:
• group-number—(Optional) Specifies the group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0. If there is only one HSRP group, you do not need to enter a group number.
• ip-address—(Optional on all but one interface if configuring HSRP) Specifies the virtual IP address of the hot standby router interface. You must enter the virtual IP address for at least one of the interfaces; it can be learned on the other interfaces.
• secondary—(Optional) Specifies that the IP address is a secondary hot standby router interface. If neither router is designated as a secondary or standby router and no priorities are set, the primary IP addresses are compared and the higher IP address is the active router, with the next highest as the standby router.
This command enables HSRP but does not configure it further. For additional information on configuring HSRP, refer to the HSRP section of the Cisco IP Configuration Guide publication that corresponds to your Cisco IOS software release.

Step 7
Command: Router(config-if)# no shutdown
Purpose: Enables the interface.

Specifying the Interface Address on a SPA

SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port number 0.

To configure or monitor SPA interfaces, you need to specify the physical location of the SPA interface processor (SIP), SPA, and interface in the command-line interface (CLI). The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.

The following example shows how to specify the first interface (0) on a SPA installed in the first subslot of a SIP (0) installed in chassis slot 3:

Router(config)# interface serial 3/0/0

This command shows a serial SPA as a representative example; however, the same slot/subslot/port format is used for other SPAs (such as Asynchronous Transfer Mode [ATM] and packet over SONET [POS]) and other non-channelized SPAs.

Modifying the MAC Address on the Interface

The Gigabit Ethernet SPAs use a default MAC address for each port that is derived from the base address that is stored in the electrically erasable programmable read-only memory (EEPROM) on the backplane of the Cisco 7600 series router.

To modify the default MAC address of an interface to some user-defined address, use the mac-address command in interface configuration mode. To return to the default MAC address on the interface, use the no form of the command.

Verifying the MAC Address

To verify the MAC address of an interface, use the show interfaces gigabitethernet privileged EXEC command and observe the value shown in the “address is” field.
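The verification steps that read show interfaces output (the “address is” field here, and the MTU field under Verifying the MTU Size later in this chapter) can be scripted. The following Python script is an added example and is not part of this guide or of Cisco IOS. It parses output modelled on the guide's sample (the first sample below; the second, with a user-configured address, is constructed for the example) and reports a MAC address that differs from the burned-in address (bia), an MTU other than the expected value, input or CRC errors, and a link that is not up/up. The function names parse_show_interface and check_interface are the example's own.

```python
import re
from dataclasses import dataclass

# First sample: modelled on the show interfaces gigabitethernet output in this
# guide (trimmed to the lines the checks use).
SAMPLE_DEFAULT_MAC = """\
GigabitEthernet2/0/1 is up, line protocol is up
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 4 interface resets
"""

# Second sample: constructed for this example. The same port after a
# "mac-address" override, a larger MTU and some CRC errors, with the link down.
SAMPLE_USER_MAC = """\
GigabitEthernet2/0/1 is down, line protocol is down
  Hardware is GigEther SPA, address is 0000.0c12.3456 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
     0 input errors, 17 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 4 interface resets
"""

@dataclass
class IfaceFacts:
    name: str
    state: str
    line_protocol: str
    address: str          # value of the "address is" field
    bia: str              # burned-in address reported in parentheses
    mtu: int
    input_errors: int
    crc_errors: int
    interface_resets: int

_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
_RE_HEAD = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)", re.M)
_RE_ADDR = re.compile(r"address is (" + _MAC + r") \(bia (" + _MAC + r")\)")
_RE_MTU = re.compile(r"MTU (\d+) bytes")
_RE_INERR = re.compile(r"(\d+) input errors, (\d+) CRC")
_RE_RESETS = re.compile(r"(\d+) interface resets")

def parse_show_interface(text: str) -> IfaceFacts:
    """Extract the fields the MAC address and MTU verification steps look at."""
    head, addr, mtu = _RE_HEAD.search(text), _RE_ADDR.search(text), _RE_MTU.search(text)
    inerr, resets = _RE_INERR.search(text), _RE_RESETS.search(text)
    if not (head and addr and mtu and inerr and resets):
        raise ValueError("unrecognised show interfaces output")
    return IfaceFacts(
        name=head.group(1), state=head.group(2), line_protocol=head.group(3),
        address=addr.group(1), bia=addr.group(2), mtu=int(mtu.group(1)),
        input_errors=int(inerr.group(1)), crc_errors=int(inerr.group(2)),
        interface_resets=int(resets.group(1)),
    )

def check_interface(text: str, expected_mtu: int = 1500) -> list[str]:
    """Return findings for one interface; an empty list means it matches expectations."""
    f = parse_show_interface(text)
    findings = []
    if f.address != f.bia:
        # "address is" differing from bia is the visible sign of a mac-address
        # override; confirm that the override is intended and documented.
        findings.append(f"{f.name}: MAC {f.address} overrides burned-in {f.bia}")
    if f.mtu != expected_mtu:
        findings.append(f"{f.name}: MTU {f.mtu} differs from expected {expected_mtu}")
    if f.input_errors or f.crc_errors:
        findings.append(f"{f.name}: {f.input_errors} input errors, {f.crc_errors} CRC")
    if f.state != "up" or f.line_protocol != "up":
        findings.append(f"{f.name}: interface {f.state}, line protocol {f.line_protocol}")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT_MAC, SAMPLE_USER_MAC):
        for line in check_interface(sample) or ["no findings"]:
            print(line)
```

Feed it the text captured from show interfaces gigabitethernet; the address/bia comparison is the quickest way to spot an interface whose MAC address has been changed from the EEPROM-derived default.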
The following example shows that the MAC address is 000a.f330.2e40 for interface 1 on the SPA installed in subslot 0 of the SIP installed in slot 2 of the Cisco 7600 series router:

Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is on, input flow-control is on
(Additional output removed for readability)

Gathering MAC Address Accounting Statistics

The ip accounting mac-address [input | output] command can be entered to enable MAC address accounting on an interface. After enabling MAC address accounting, MAC address statistics can be gathered by entering the show interfaces mac-accounting command.

The command referred to in the “Modifying the MAC Address on the Interface” section is:

Command: Router(config-if)# mac-address ieee-address
Purpose: Modifies the default MAC address of an interface to some user-defined address, where:
• ieee-address—Specifies the 48-bit IEEE MAC address written as a dotted triple of four-digit hexadecimal numbers (xxxx.yyyy.zzzz).

Configuring HSRP

Hot Standby Router Protocol (HSRP) provides high network availability because it routes IP traffic from hosts without relying on the availability of any single router. HSRP is used in a group of routers for selecting an active router and a standby router. (An active router is the router of choice for routing packets; a standby router is a router that takes over the routing duties when an active router fails, or when preset conditions are met.)
HSRP is enabled on an interface by entering the standby [group-number] ip [ip-address [secondary]] command. The standby command is also used to configure various HSRP elements. This document does not discuss more complex HSRP configurations. For additional information on configuring HSRP, refer to the HSRP section of the Cisco IP Configuration Guide publication that corresponds to your Cisco IOS software release.

In the following HSRP configuration, standby group 2 on GigabitEthernet port 2/1/0 is configured at a priority of 110 and is also configured for preemption, should a switchover to this port occur:

Router(config)# interface GigabitEthernet 2/1/0
Router(config-if)# standby 2 ip 120.12.1.200
Router(config-if)# standby 2 priority 110
Router(config-if)# standby 2 preempt

Verifying HSRP

To display HSRP information, use the show standby command in EXEC mode:

Router# show standby
Ethernet0 - Group 0
  Local state is Active, priority 100, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 0:00:00
  Hot standby IP address is 198.92.72.29 configured
  Active router is local
  Standby router is 198.92.72.21 expires in 0:00:07
  Standby virtual mac address is 0000.0c07.ac00
  Tracking interface states for 2 interfaces, 2 up:
    Up Serial0
    Up Serial1

Customizing VRRP

Customizing the behavior of Virtual Router Redundancy Protocol (VRRP) is optional. Be aware that as soon as you enable a VRRP group, that group is operating. It is possible that if you first enable a VRRP group before customizing VRRP, the router could take over control of the group and become the master virtual router before you have finished customizing the feature. Therefore, if you plan to customize VRRP, it is a good idea to do so before enabling VRRP.
To customize your VRRP configuration, use any of the VRRP commands in Table 12-1 in interface configuration mode.

Table 12-1 VRRP Commands

Command: Router(config-if)# vrrp group authentication text text-string
Purpose: Authenticates VRRP packets received from other routers in the group. If you configure authentication, all routers within the VRRP group must use the same authentication string, where:
• group—Virtual router group number for which authentication is being configured. The group number is configured with the vrrp ip command.
• text text-string—Authentication string (up to eight alphanumeric characters) used to validate incoming VRRP packets.

Command: Router(config-if)# vrrp group description text
Purpose: Assigns a text description to the VRRP group, where:
• group—Virtual router group number.
• text—Text (up to 80 characters) that describes the purpose or use of the group.

Command: Router(config-if)# vrrp group priority level
Purpose: Sets the priority level of the router within a VRRP group. The default value is 100, where:
• group—Virtual router group number.
• level—Priority of the router within the VRRP group. The range is from 1 to 254. The default is 100.

Command: Router(config-if)# vrrp group preempt [delay seconds]
Purpose: Configures the router to take over as master virtual router for a VRRP group if it has a higher priority than the current master virtual router. This command is enabled by default. You can use it to change the delay, where:
• group—Virtual router group number of the group for which preemption is being configured. The group number is configured with the vrrp ip command.
• delay seconds—(Optional) Number of seconds that the router will delay before issuing an advertisement claiming master ownership. The default delay is 0 seconds.

Command: Router(config-if)# vrrp group timers advertise [msec] interval
Purpose: Configures the interval between successive advertisements by the master virtual router in a VRRP group, where:
• group—Virtual router group number to which the command applies.
• msec—(Optional) Changes the unit of the advertisement time from seconds to milliseconds. Without this keyword, the advertisement interval is in seconds.
• interval—Time interval between successive advertisements by the master virtual router. The unit of the interval is in seconds, unless the msec keyword is specified. The default is 1 second.

Command: Router(config-if)# vrrp group timers learn
Purpose: Configures the router, when it is acting as backup virtual router for a VRRP group, to learn the advertisement interval used by the master virtual router, where:
• group—Virtual router group number to which the command applies.

Enabling VRRP

To enable VRRP on an interface, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface type number
Purpose: Configures an interface, where:
• type—Interface type.
• number—Interface number.

Step 2
Command: Router(config-if)# vrrp group ip ipaddress
Purpose: Enables VRRP on an interface and identifies the primary IP address of the virtual router, where:
• group—Virtual router group number to which the command applies.
• ipaddress—IP address of the virtual router.

Step 3
Command: Router(config-if)# vrrp group ip ipaddress [secondary]
Purpose: (Optional) Enables VRRP on an interface. After you identify a primary IP address, you can use the vrrp ip command again with the secondary keyword to indicate additional IP addresses supported by this group, where:
• group—Virtual router group number to which the command applies.
• ipaddress—IP address of the virtual router.
• secondary—(Optional) Indicates additional IP addresses supported by this group.

Verifying VRRP

To verify VRRP, use either of the following commands in EXEC mode:

Command: Router# show vrrp [brief | group]
Purpose: Displays a brief or detailed status of one or all VRRP groups on the router, where:
• brief—(Optional) Provides a summary view of the group information.
• group—(Optional) Virtual router group number of the group for which information is to be displayed. The group number is configured with the vrrp ip command.

Command: Router# show vrrp interface type number [brief]
Purpose: Displays the VRRP groups and their status on a specified interface, where:
• type—Interface type.
• number—Interface number.
• brief—(Optional) Provides a summary view of the group information.

Modifying the Interface MTU Size

The Cisco IOS software supports three different types of configurable maximum transmission unit (MTU) options at different levels of the protocol stack:
• Interface MTU—Checked by the SPA on traffic coming in from the network. Different interface types support different interface MTU sizes and defaults. The interface MTU defines the maximum packet size allowable (in bytes) for an interface before drops occur. If the frame is smaller than the interface MTU size, but is not smaller than the minimum frame size for the interface type (such as 64 bytes for Ethernet), then the frame continues to be processed.
• IP MTU—Can be configured on an interface or subinterface and is used by the Cisco IOS software to determine whether fragmentation of a packet takes place. If an IP packet exceeds the IP MTU size, then the packet is fragmented.
• Tag or Multiprotocol Label Switching (MPLS) MTU—Can be configured on an interface or subinterface and allows up to six different labels, or tag headers, to be attached to a packet. The maximum number of labels is dependent on your Cisco IOS software release. Different encapsulation methods and the number of MPLS MTU labels add additional overhead to a packet. For example, Subnetwork Access Protocol (SNAP) encapsulation adds an 8-byte header, dot1q encapsulation adds a 2-byte header, and each MPLS label adds a 4-byte header (n labels x 4 bytes).

For the Fast Ethernet and Gigabit Ethernet SPAs on the Cisco 7600 series router, the default MTU size is 1500 bytes. When the interface is being used as a Layer 2 port, the maximum configurable MTU is 9216 bytes. The SPA automatically adds an additional 22 bytes to the configured MTU size to accommodate some of the additional overhead.

Interface MTU Configuration Guidelines

When configuring the interface MTU size on a Fast Ethernet and Gigabit Ethernet SPA on a Cisco 7600 series router, consider the following guidelines:
• The default interface MTU size accommodates a 1500-byte packet, plus 22 additional bytes to cover the following additional overhead:
  – Layer 2 header—14 bytes
  – Dot1q header—4 bytes
  – CRC—4 bytes
Note: Depending on your Cisco IOS software release, a certain maximum number of MPLS labels are supported. If you need to support more than two MPLS labels, then you need to increase the default interface MTU size.
• If you are using MPLS, be sure that the mpls mtu command is configured for a value less than or equal to the interface MTU.
• If you are using MPLS labels, then you should increase the default interface MTU size to accommodate the number of MPLS labels. Each MPLS label adds 4 bytes of overhead to a packet.

Interface MTU Guidelines for Layer 2 Ports

On Layer 2 ports, it is important to understand the idea of the jumbo MTU.
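The overhead figures in the Interface MTU Configuration Guidelines above (22 bytes for the Layer 2 header, dot1q tag and CRC; 4 bytes per MPLS label; 8 bytes for SNAP) and the rule that mpls mtu must not exceed the interface MTU can be turned into a configuration check run before the mtu command is applied. The following Python functions are an added example, not part of this guide or of Cisco IOS. They use the 4-byte dot1q figure from the guideline list, treat the 22-byte allowance as covering only the three items listed there (so labels and SNAP must come out of the configured value, as the guidelines say), and do not model any release-specific limit on the number of labels; frame_size, required_interface_mtu and check_mtu_config are the example's own names.

```python
# Overhead figures as documented in this chapter's MTU sections.
L2_HEADER = 14        # Ethernet header
DOT1Q_HEADER = 4      # 802.1Q tag, per the guideline list
CRC = 4
MPLS_LABEL = 4        # per label
SNAP_HEADER = 8
SPA_AUTO_OVERHEAD = L2_HEADER + DOT1Q_HEADER + CRC   # the 22 bytes the SPA adds itself
DEFAULT_MTU = 1500
MAX_L2_MTU = 9216

def frame_size(ip_mtu, mpls_labels=0, dot1q=True, snap=False):
    """Largest frame on the wire for a packet of ip_mtu bytes with the given encapsulation."""
    size = ip_mtu + L2_HEADER + CRC + mpls_labels * MPLS_LABEL
    if dot1q:
        size += DOT1Q_HEADER
    if snap:
        size += SNAP_HEADER
    return size

def required_interface_mtu(ip_mtu=DEFAULT_MTU, mpls_labels=0, snap=False):
    """Interface MTU (the mtu command value) needed for this packet size and encapsulation.

    The SPA's automatic 22 bytes cover L2 header, dot1q and CRC; any further
    overhead (MPLS labels, SNAP) has to fit inside the configured interface MTU.
    """
    return ip_mtu + mpls_labels * MPLS_LABEL + (SNAP_HEADER if snap else 0)

def check_mtu_config(interface_mtu, ip_mtu, mpls_mtu=None, mpls_labels=0, snap=False):
    """Return findings for one interface's MTU settings; an empty list means they are consistent."""
    findings = []
    if interface_mtu > MAX_L2_MTU:
        findings.append(f"interface MTU {interface_mtu} exceeds the {MAX_L2_MTU}-byte maximum")
    if ip_mtu > interface_mtu:
        findings.append(f"ip mtu {ip_mtu} is larger than interface MTU {interface_mtu}")
    if mpls_mtu is not None and mpls_mtu > interface_mtu:
        # The guideline: mpls mtu must be less than or equal to the interface MTU.
        findings.append(f"mpls mtu {mpls_mtu} must be <= interface MTU {interface_mtu}")
    need = required_interface_mtu(ip_mtu, mpls_labels, snap)
    if need > interface_mtu:
        findings.append(
            f"{mpls_labels} MPLS label(s){' + SNAP' if snap else ''} need interface MTU >= {need}, have {interface_mtu}")
    return findings

if __name__ == "__main__":
    # Constructed cases: the default, a two-label MPLS core link left at the
    # default, and the same link after the interface MTU was raised.
    print(check_mtu_config(1500, 1500))
    print(check_mtu_config(1500, 1500, mpls_mtu=1508, mpls_labels=2))
    print(check_mtu_config(9216, 1500, mpls_mtu=1508, mpls_labels=2))
```

The last two calls show the practical point of the guidelines: leaving the interface at the default while adding labels produces both an mpls mtu that exceeds the interface MTU and a frame the allowance cannot absorb, and raising the interface MTU clears both findings.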
The jumbo MTU can be configured using the system jumbomtu command, although this command is only supported under the following scenarios:
• The port is a member of a Layer 2 EtherChannel.
• The new MTU size on the Layer 2 port is less than the currently configured maximum MTU for the port.

If neither of the above conditions applies to your configuration, neither does “jumbo MTU.”

Note: Fast Ethernet SPAs cannot function as Layer 2 ports.

Interface MTU Configuration Task

To modify the MTU size on an interface, use the following command in interface configuration mode:

Command: Router(config-if)# mtu bytes
Purpose: Configures the maximum packet size for an interface, where:
• bytes—Specifies the maximum number of bytes for a packet. The default is 1500 bytes and the maximum configurable MTU is 9216 bytes.

To return to the default MTU size, use the no form of the command.

Verifying the MTU Size

To verify the MTU size for an interface, use the show interfaces gigabitethernet privileged EXEC command and observe the value shown in the MTU field.

The following example shows an MTU size of 1500 bytes for interface port 1 (the second port) on the Gigabit Ethernet SPA installed in the top subslot (0) of the SIP that is located in slot 2 of the Cisco 7600 series router:

Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported

Configuring the Encapsulation Type

By default, the interfaces on the Fast Ethernet and Gigabit Ethernet SPAs support Advanced Research Projects Agency (ARPA) encapsulation.
They do not support configuration of service access point or SNAP encapsulation for transmission of frames; however, the interfaces will properly receive frames that use service access point and SNAP encapsulation. The only other encapsulation supported by the SPA interfaces is IEEE 802.1Q encapsulation for virtual LANs (VLANs).

Configuring Autonegotiation on an Interface

Fast Ethernet and Gigabit Ethernet interfaces use a connection-setup algorithm called autonegotiation. Autonegotiation allows the local and remote devices to configure compatible settings for communication over the link. Using autonegotiation, each device advertises its transmission capabilities and then agrees upon the settings to be used for the link.

For the Fast Ethernet and Gigabit Ethernet interfaces on the Cisco 7600 series router, flow control is autonegotiated when autonegotiation is enabled. Autonegotiation is enabled by default. The following guidelines should be followed regarding autonegotiation:
• If autonegotiation is disabled on one end of a link, it must be disabled on the other end of the link. If one end of a link has autonegotiation disabled while the other end of the link does not, the link will not come up properly on both ends.
• Autonegotiation is not supported on the 10-Port Gigabit Ethernet SPA on the Cisco 7600 SIP-600.
• Flow control can be configured separately from autonegotiation when Ethernet SPAs are installed in a Cisco 7600 SIP-600.
• Flow control is enabled by default.
• Flow control will be on if autonegotiation is disabled on both ends of the link.
• Flow control cannot be disabled on a Fast Ethernet SPA.

Disabling Autonegotiation

Autonegotiation is automatically enabled and can be disabled on the Fast Ethernet interfaces on the Cisco 7600 SIP-200, and the Gigabit Ethernet interfaces on the Cisco 7600 SIP-400 or Cisco 7600 SIP-600. During autonegotiation, advertisement for flow control, speed, and duplex occurs. If the Gigabit Ethernet interface is connected to a link that has autonegotiation disabled, autonegotiation should either be re-enabled on the other end of the link or disabled on the Fast Ethernet or Gigabit Ethernet SPA, if possible. Both ends of the link will not come up properly if only one end of the link has disabled autonegotiation.

Note: Speed and duplex configurations are negotiated using autonegotiation. However, the only values that are negotiated are 100 Mbps for speed and full-duplex for duplex for Fast Ethernet SPAs, and 1000 Mbps for speed and full-duplex for duplex for Gigabit Ethernet SPAs. Therefore, from a user’s perspective, these settings are not negotiated, but enabled using autonegotiation.

To disable autonegotiation on Fast Ethernet or Gigabit Ethernet SPAs, use the following commands in interface configuration mode:

Command: Router(config-if)# no negotiation auto
Purpose: Disables autonegotiation on a Fast Ethernet SPA interface on the Cisco 7600 SIP-200 or a Gigabit Ethernet SPA interface on the Cisco 7600 SIP-400. No advertisement of flow control occurs.

Command: Router(config-if)# speed nonegotiate
Purpose: Disables autonegotiation of speed on Gigabit Ethernet SPA interfaces on the Cisco 7600 SIP-600.

Enabling Autonegotiation

Autonegotiation is automatically enabled and can be disabled unless it is on a SPA installed in a Cisco 7600 SIP-400, or on a 10-Port Gigabit Ethernet SPA, 5-Port Gigabit Ethernet SPA, or a 10-Port Gigabit Ethernet SPA when installed in a Cisco 7600 SIP-600. See the “Configuring Flow Control for an Ethernet SPA Interface on a Cisco 7600 SIP-600” section on page 12-22.

To re-enable autonegotiation on a Fast Ethernet or Gigabit Ethernet interface, use the following commands in interface configuration mode:

Command: Router(config-if)# negotiation auto
Purpose: Enables autonegotiation on a Fast Ethernet SPA interface on a Cisco 7600 SIP-200 or a Gigabit Ethernet SPA interface on the Cisco 7600 SIP-400. Advertisement of flow control occurs.

Command: Router(config-if)# no speed nonegotiate
Purpose: Re-enables autonegotiation on Gigabit Ethernet SPA interfaces on the Cisco 7600 SIP-600.

SFP-GE-T Support

The SFP-GE-T supports speeds of 10 Mbps, 100 Mbps, and 1000 Mbps. Speed is not autonegotiated; you must configure it using the speed command. Only full-duplex mode is supported.

Note: Because autonegotiation of full-duplex is not supported, you must manually configure full-duplex mode.

You can configure each Ethernet interface independently using any combination of 10 Mbps, 100 Mbps, or 1000 Mbps. To set the interface speed, use the following command in interface configuration mode:

Command: Router(config-if)# speed {10 | 100 | 1000 | auto}
Purpose: Configures the interface speed. Accepted values are:
• 10 for 10 Mbps operation
• 100 for 100 Mbps operation
• 1000 for 1000 Mbps operation

Configuring an Ethernet VLAN

For information on configuring Ethernet VLANs, see the “Creating or Modifying an Ethernet VLAN” section of the “Configuring VLANs” chapter in the Cisco 7600 Series Cisco IOS Software Configuration Guide publication that corresponds to your Cisco IOS software release.

Configuring a Subinterface on a VLAN

You can configure subinterfaces on the Fast Ethernet SPA interfaces and Gigabit Ethernet SPA interfaces on a VLAN using IEEE 802.1Q encapsulation. Cisco Discovery Protocol (CDP) is disabled by default on the 2-Port Gigabit Ethernet SPA interfaces and subinterfaces on the Cisco 7600 SIP-400.

Note: On any Cisco 7600 SIP-600 Ethernet port subinterface using VLANs, a unique VLAN ID must be assigned. This VLAN ID cannot be in use by any other interface on the Cisco 7600 series router.

To configure a SPA subinterface on a VLAN, use the following commands beginning in interface configuration mode:

Step 1
Command: Router(config)# interface fastethernet slot/subslot/port.subinterface-number
  or Router(config)# interface gigabitethernet slot/subslot/port.subinterface-number
  or Router(config)# interface tengigabitethernet slot/subslot/port.subinterface-number
Purpose: Specifies the Fast Ethernet, Gigabit Ethernet or Ten Gigabit Ethernet interface to configure, where:
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 12-4.
• .subinterface-number—Specifies a secondary interface (subinterface) number.

Step 2
Command: Router(config-subif)# encapsulation dot1q vlan-id
Purpose: Defines the encapsulation format as IEEE 802.1Q (“dot1q”), where vlan-id is the number of the VLAN (1–4094).

Step 3
Command: Router(config-if)# ip address ip-address mask [secondary]
Purpose: Sets a primary or secondary IP address for an interface, where:
• ip-address—Specifies the IP address for the interface.
• mask—Specifies the mask for the associated IP subnet.
• secondary—(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

Verifying Subinterface Configuration on a VLAN

To verify the configuration of a subinterface and its status on the VLAN, use the show vlans privileged EXEC command. The following example shows the status of subinterface number 1 on port 0 on the SPA in VLAN number 200:

Router# show vlans
VLAN ID:200 (IEEE 802.1Q Encapsulation)
   Protocols Configured:   Received:   Transmitted:
           IP                   0             2
VLAN trunk interfaces for VLAN ID 200:
GigabitEthernet4/1/0.1 (200)
   IP:12.200.21.21
      Total 0 packets, 0 bytes input
      Total 2 packets, 120 bytes output

Configuring Layer 2 Switching Features

The Cisco 7600 series router supports simultaneous, parallel connections between Layer 2 Ethernet segments. After you review the SPA-specific guidelines described in this document, refer to the “Configuring Layer 2 Ethernet Interfaces” section of the Cisco 7600 Series Router Cisco IOS Software Configuration Guide and the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, 12.2SX for more information about configuring the Layer 2 switching features.

Configuring Multipoint Bridging

Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay permanent virtual circuits (PVCs), Bridging Control Protocol (BCP) ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks. Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud.
This also allows service providers to gradually update their core networks to the latest Gigabit Ethernet optical technologies, while still supporting their existing customer base.

For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring Multipoint Bridging” section on page 4-36.

Configuring the Bridging Control Protocol

The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN (VLAN), and high-speed switched LANs.

For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature Compatibility” section on page 4-56 of Chapter 4, “Configuring the SIPs and SSC.”

Configuring AToM over GRE

MPLS over generic routing encapsulation (MPLSoGRE) encapsulates MPLS packets inside IP tunnels, creating a virtual point-to-point link across non-MPLS networks. This allows users of primarily MPLS networks to continue to use existing non-MPLS legacy networks until migration to MPLS is possible.
AToM (any transport over MPLS) over GRE includes support for the following transports:
• ATM over MPLS
• Frame Relay over MPLS (FRoMPLS)
• High-Level Data Link Control (HDLC) over MPLS
• Scalable Ethernet over MPLS (EoMPLS)
• Circuit Emulation over Packet (CEoP)
• Hardware-based EoMPLS

AToMoGRE is supported only on the following hardware:
• SIP-400, 5x1 GE SPA, 2x1 GE SPA (core facing)
• ATM SPAs (SPA-2xOC3-ATM, SPA-4xOC3-ATM, SPA-1xOC12-ATM, SPA-1xOC48-ATM), CEoP SPAs (such as OC3, 24T1/E1) with Inverse Multiplexing over ATM (IMA) support, and all Ethernet interfaces
• Sup32, Sup720, RSP720

AToMoGRE supports the following features:
• Provider edge (PE)-to-PE, P-to-PE, and P-to-P tunneling of MPLS packets (see Figure 12-1, Figure 12-2, and Figure 12-3).

Figure 12-1 PE-to-PE GRE Tunnel
[Figure: PE1 and PE2 joined by a GRE Tunnel across an IPv4 (No MPLS) network, carrying MPLSoGRE]

Figure 12-2 P-to-PE GRE Tunnel
[Figure: PE1, MPLS, P1, GRE Tunnel across an IPv4 (No MPLS) network, PE2, carrying MPLSoGRE]

Figure 12-3 P-to-P GRE Tunnel
[Figure: PE1, MPLS, P1, GRE Tunnel across an IPv4 (No MPLS) network, P2, MPLS, PE2, carrying MPLSoGRE]

• IPv4 on customer edge (CE) facing interfaces.
• IPv4 on core facing interfaces.
• GRE 4-byte headers (no option fields).
• Nondedicated physical interface supporting both tunneled and nontunneled traffic.
• Multiple routes for the tunnel between the Cisco 7600 SIP-400 physical interface or subinterface and the IP cloud may exist. The routing protocol will pick only one route for MPLSoGRE traffic.
• No software-imposed limit on the maximum number of tunnels. The Cisco 7600 SIP-400 supports a maximum of 128 tunnels. Tunnel traffic can be routed through Cisco 7600 SIP-400 main interfaces or subinterfaces.
• The Cisco 7600 SIP-400 physical interface or subinterface used for the tunnel endpoint can be used to carry native MPLS and AToMoMPLS and its variations: Hardware-based EoMPLS, FRoMPLS, PPPoMPLS, HDLCoMPLS, Scalable EoMPLS, and CEoP.
Note Switched Virtual Interfaces (SVI) are not supported with MPLSoGRE.

AToMoGRE Configuration Guidelines

The following guidelines apply to AToMoGRE:
• Ingress/egress features are not supported on the tunnel interface; they are supported on the physical interface or subinterface.
• Unsupported GRE options are: sequencing, checksum, key, source route.
• Some tunnel options are not supported: Carry Security Options of Client Packet, Unidirectional Link Routing, Mobile IP Path MTU Discovery.
• The Cisco 7600 SIP-400 physical interface or subinterface used for the tunnel endpoint cannot be used to carry software-based EoMPLS and VPLS. Advanced features such as Carrier Supporting Carrier (CSC) and Inter-Autonomous Systems (Inter-AS) are not supported.
• AToM over GRE cannot be combined with the AToM Tunnel Select feature.

Configuring mVPNoGRE

Multicast Virtual Private Network over generic routing encapsulation (mVPNoGRE) provides a mechanism to send unicast and multicast packets across a non-MPLS network. This is accomplished by creating a GRE tunnel across the non-MPLS network. When MPLS (unicast VRF) or mVPN (multicast VRF) packets are sent across the non-MPLS network, they are encapsulated within a GRE packet and traverse the non-MPLS network through the GRE tunnel. On receiving the GRE packet at the other side of the non-MPLS network, the router removes the GRE header and forwards the inner MPLS, unicast VRF, or mVPN packet to its final destination.

Note For mVPNoGRE, there is one outer packet and two inner packets. The outer packet is unicast GRE. The first inner packet is multicast GRE (mVPN), and the second inner packet is normal (customer) multicast.
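The two points above that have to be reasoned about together are the packet nesting in the mVPNoGRE note and the AToMoGRE guideline that the GRE header must be the plain 4-byte form (no checksum, key, sequencing, or source-route option). The following Python is an added example, not code from the Cisco guide or from Cisco: it builds the three-layer packet the note describes, walks the layers back out, and reports any GRE option bit that the guidelines list as unsupported. The addresses reuse values from the guide's sample outputs; the payloads and the "bad" packet are constructed. One consequence worth noting: because the GRE key option is unavailable, the tunnel endpoint cannot use a key to tell tunnel peers apart, so any filtering of tunnel traffic has to be done on the outer IP source and destination addresses of the tunnel.

```python
"""Added example (not from the Cisco guide): nested mVPNoGRE encapsulation plus a
check for GRE options the AToMoGRE guidelines list as unsupported.
Addresses reuse values from the guide's outputs; payloads are constructed."""
import struct

GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UNICAST = 0x8847
# Flag bits in the first GRE word (RFC 1701 / RFC 2784 / RFC 2890).
GRE_C, GRE_R, GRE_K, GRE_S = 0x8000, 0x4000, 0x2000, 0x1000
GRE_OPTIONS = ((GRE_C, "checksum"), (GRE_R, "source route"),
               (GRE_K, "key"), (GRE_S, "sequencing"))


def _addr(text):
    return bytes(int(octet) for octet in text.split("."))


def _text(raw):
    return ".".join(str(b) for b in raw)


def _checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64):
    """20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, _addr(src), _addr(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_header_len(flags):
    """Header length implied by the option bits: 4 bytes when none are set."""
    length = 4
    if flags & (GRE_C | GRE_R):
        length += 4                      # checksum + offset/reserved1
    if flags & GRE_K:
        length += 4                      # key
    if flags & GRE_S:
        length += 4                      # sequence number
    return length


def gre(payload, proto=ETHERTYPE_IPV4, flags=0, key=0, seq=0):
    """GRE header in front of payload; flags == 0 is the form the SIP-400 supports."""
    hdr = struct.pack("!HH", flags, proto)
    if flags & (GRE_C | GRE_R):
        hdr += struct.pack("!HH", 0, 0)
    if flags & GRE_K:
        hdr += struct.pack("!I", key)
    if flags & GRE_S:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def walk(packet):
    """Peel alternating IPv4 and GRE layers; stop at the first other payload."""
    layers, data = [], packet
    while len(data) >= 20 and data[0] >> 4 == 4:
        ihl = (data[0] & 0x0F) * 4
        proto = data[9]
        layers.append({"layer": "ipv4", "src": _text(data[12:16]),
                       "dst": _text(data[16:20]), "proto": proto,
                       "multicast": data[16] >> 4 == 0xE})   # 224.0.0.0/4
        data = data[ihl:]
        if proto != GRE_PROTO or len(data) < 4:
            break
        flags, ptype = struct.unpack("!HH", data[:4])
        hlen = gre_header_len(flags)
        layers.append({"layer": "gre", "flags": flags, "header_len": hlen,
                       "proto": ptype,
                       "options": [n for bit, n in GRE_OPTIONS if flags & bit]})
        data = data[hlen:]
        if ptype != ETHERTYPE_IPV4:      # e.g. an MPLS label stack: stop here
            break
    layers.append({"layer": "payload", "length": len(data)})
    return layers


def unsupported_gre_options(packet):
    """Names of GRE options, in any layer, that the AToMoGRE guidelines rule out."""
    return [name for layer in walk(packet) if layer["layer"] == "gre"
            for name in layer["options"]]


def build_mvpn_ogre(customer_payload=b"constructed customer data"):
    """Outer unicast GRE (PE to PE) > inner multicast GRE (mVPN) > customer multicast."""
    customer = ipv4("100.0.1.2", "224.1.2.3", 17, customer_payload)
    mdt = ipv4("2.2.2.2", "239.1.1.2", GRE_PROTO, gre(customer))
    return ipv4("6.0.0.1", "7.0.0.1", GRE_PROTO, gre(mdt))


def build_mplsogre(label, payload=b"constructed MPLS payload"):
    """Unicast MPLSoGRE: GRE protocol type 0x8847 and one label entry (S=1, TTL 64)."""
    entry = struct.pack("!I", (label << 12) | (1 << 8) | 64)
    return ipv4("6.0.0.1", "7.0.0.1", GRE_PROTO,
                gre(entry + payload, proto=ETHERTYPE_MPLS_UNICAST))


if __name__ == "__main__":
    for layer in walk(build_mvpn_ogre()):
        print(layer)
    bad = ipv4("6.0.0.1", "7.0.0.1", GRE_PROTO,
               gre(ipv4("1.0.0.1", "1.0.0.2", 17, b"x"), flags=GRE_K | GRE_S, key=42, seq=1))
    print("unsupported options:", unsupported_gre_options(bad))
```

Running the block prints the six layers of the mVPNoGRE packet (unicast IPv4, 4-byte GRE, multicast IPv4 to 239.1.1.2, 4-byte GRE, customer multicast to 224.1.2.3, payload) and then reports the key and sequencing options on the constructed bad packet, which is the shape of GRE that a peer configured with a tunnel key would send and that this platform does not accept.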
Note mVPNoGRE is not supported on Fast Ethernet SPAs on the Cisco 7600 SIP-200.

PE-to-PE Tunneling

mVPNoGRE uses the Provider Edge-to-Provider Edge (PE-to-PE) tunneling variation. mVPNoGRE provides a scalable way to connect multiple customer networks across a non-MPLS network. It does this by multiplexing traffic destined to multiple customer networks through a single GRE tunnel.

On each side of the non-MPLS network, each Customer Edge (CE) router is assigned a VPN Routing and Forwarding (VRF) instance by the PE router. The IP networks behind the CE routers are learned by the PE router through a routing protocol such as BGP, OSPF, or RIP. Routes to these networks are then stored in the VRF routing table for that CE router.

The PE router on one side of the non-MPLS network is learned by the PE router on the other side of the non-MPLS network through a routing protocol running within the non-MPLS network. Routes between the PE routers are stored in the main or default routing table. Routes of the customer networks behind the PE router are learned by the other PE router through BGP and are not known to the non-MPLS network. This is accomplished by defining a static route to the BGP neighbor (the other PE router) through a GRE tunnel across the non-MPLS network. When routes are learned from the BGP neighbor, they have the GRE tunnel as their next hop, and thus all customer network traffic is sent using the GRE tunnel.

GRE Tunnel Attached to a Cisco 7600 SIP-400 Interface or Subinterface

For the Cisco 7600 series router to perform the MPLS and mVPN processing and have the Cisco 7600 SIP-400 perform the GRE processing, the interfaces or subinterfaces must have an IP address. The MPLS and Protocol Independent Multicast (PIM) configuration must be on the tunnel interface.
The Cisco 7600 series router views the Cisco 7600 SIP-400 main interface or subinterface as an MPLS or PIM interface, so MPLS and mVPN processing is performed, and it provides the Cisco 7600 SIP-400 with the correlation information needed to perform GRE processing.

Tunnel Interface Configuration

The ip pim sparse-mode command must be configured on the tunnel interface. It should not be configured on the physical interface or subinterface facing the core; it is automatically configured on the Cisco 7600 SIP-400 interface or subinterface when a tunnel is attached to that interface or subinterface. The tunnel source IP address is typically a loopback address.

Displaying Unicast Routes

The display of unicast routes (main routing table) shows the next hop for the BGP neighbor to be the Cisco 7600 SIP-400 interface or subinterface. On a router that natively supports this feature, the next hop for the BGP neighbor is the tunnel interface. The following example shows the output from the show ip route command:

router# show ip route | inc Tunnel
S    4.4.4.4 is directly connected, Tunnel0
C    1.0.0.0 is directly connected, Tunnel0

Displaying Multicast Routes

The display of multicast routes (groups) shows the output interface for the 239.0.0.0/8 group to be the Cisco 7600 SIP-400 interface or subinterface. On a router that natively supports this feature, the output interface is the tunnel interface.
The following example shows the output from the show ip mroute command:

router# show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.40), 01:23:02/00:03:22, RP 2.2.2.2, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel0, Forward/Sparse-Dense, 00:03:45/00:03:22
    Loopback0, Forward/Sparse-Dense, 01:23:02/00:02:30

(*, 239.1.1.2), 01:23:01/00:02:35, RP 2.2.2.2, flags: SJCZ
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel0, Forward/Sparse-Dense, 00:03:45/00:02:34
    MVRF vpn1, Forward/Sparse-Dense, 01:23:01/00:02:12

(2.2.2.2, 239.1.1.2), 01:22:50/00:03:29, flags: T
  Incoming interface: Loopback0, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Tunnel0, Forward/Sparse-Dense, 00:03:45/00:02:54, H

(4.4.4.4, 239.1.1.2), 00:03:33/00:02:59, flags: TZ
  Incoming interface: Tunnel0, RPF nbr 1.0.0.2, RPF-MFD
  Outgoing interface list:
    MVRF vpn1, Forward/Sparse-Dense, 00:03:33/00:02:26, H

(*, 239.1.1.1), 01:23:01/stopped, RP 2.2.2.2, flags: SJCZ
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    MVRF vpn3, Forward/Sparse-Dense, 01:23:01/00:02:11

(2.2.2.2, 239.1.1.1), 01:22:50/00:02:59, flags: PT
  Incoming interface: Loopback0, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list: Null

router# show ip mroute vrf vpn1
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.40), 01:23:11/00:02:24, RP 200.200.200.200, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback200, Forward/Sparse-Dense, 01:23:11/00:02:24
    Tunnel16, Forward/Sparse-Dense, 00:03:40/00:02:32

(*, 224.1.2.3), 00:02:43/stopped, RP 200.200.200.200, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel16, Forward/Sparse-Dense, 00:02:43/00:02:43

(100.0.1.2, 224.1.2.3), 00:00:17/00:03:20, flags: T
  Incoming interface: GigabitEthernet2/0/0.1, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Tunnel16, Forward/Sparse-Dense, 00:00:17/00:03:12, H

(*, 224.1.2.2), 00:02:43/stopped, RP 200.200.200.200, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel16, Forward/Sparse-Dense, 00:02:44/00:02:42

(100.0.1.2, 224.1.2.2), 00:00:18/00:03:20, flags: T
  Incoming interface: GigabitEthernet2/0/0.1, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Tunnel16, Forward/Sparse-Dense, 00:00:18/00:03:11, H

(*, 224.1.2.1), 00:02:44/stopped, RP 200.200.200.200, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel16, Forward/Sparse-Dense, 00:02:44/00:02:44

(100.0.1.2, 224.1.2.1), 00:00:19/00:03:19, flags: T
  Incoming interface: GigabitEthernet2/0/0.1, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Tunnel16, Forward/Sparse-Dense, 00:00:19/00:03:10, H

Displaying Tunnel-to-Interface Mappings

The show cwan mplsogre command displays the tunnel-to-interface mappings. The following example illustrates the output of the show cwan mplsogre command:

Router# show cwan mplsogre gigabitethernet 2/0/0
Tunnel1 is attached
  Interface VLAN: 1022, STATE: UP
    IP Address: 6.0.0.1  IP Mask: 255.0.0.0
  Tunnel VLAN: 1017, STATE: UP
    IP Address: 8.0.0.1  IP Mask: 255.0.0.0
    Src Address: 6.0.0.1, Dst Address: 7.0.0.1
  Static Routes to Tunnel: 1
    IP Address: 4.0.0.1  IP Mask: 255.255.255.255

Scalable EoMPLS

In Cisco IOS Release 12.2(33)SRA and later, Scalable EoMPLS allows a Cisco 7600 SIP-400-based line card to face the CE. This configuration allows the platform to scale the number of EoMPLS virtual connections (VCs) that it can support from 4K to 12K.

When AToM xconnect commands are placed on Cisco 7600 SIP-400 subinterfaces, the line card performs AToM imposition and disposition. Supervisor hardware performs only MPLS switching on traffic from these interfaces. Additionally, configuring xconnect commands on Cisco 7600 SIP-400 subinterfaces does not consume globally significant VLANs on a per-xconnect basis. This change also provides the ability to support FRR on EoMPLS VCs with the same model as other CEF/MFI-based AToM configurations.

To achieve this scalability, the Cisco 7600 SIP-400 must be the CE-facing line card, as opposed to the current model of a LAN line card facing the CE. With the Cisco 7600 SIP-400 configured for Scalable EoMPLS, any line card capable of switching MPLS packets may be core facing.

On a Sup720 system, configuring EoMPLS under a non-VLAN interface is considered hardware-based EoMPLS. Configuring EoMPLS on a VLAN interface is considered to be software-based EoMPLS.
Configuring EoMPLS on Cisco 7600 SIP-400 subinterfaces is considered to be Scalable EoMPLS.

Configuring Flow Control Support on the Link

Flow control is turned on or off based on the result of autonegotiation. Flow control is not supported on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, so it will always negotiate to off. Flow control can be configured independently of autonegotiation on the Cisco 7600 SIP-600. For information on this process, see the “Configuring Autonegotiation on an Interface” section on page 12-11.

This section discusses the following topics:
• Verifying Flow Control Status for an Ethernet SPA Interface on a Cisco 7600 SIP-200, page 12-21
• Verifying Flow Control Status for a Gigabit Ethernet SPA Interface on a Cisco 7600 SIP-400, page 12-22
• Configuring Flow Control for an Ethernet SPA Interface on a Cisco 7600 SIP-600, page 12-22

Verifying Flow Control Status for an Ethernet SPA Interface on a Cisco 7600 SIP-200

The following example shows how to verify that flow control pause frames are being transmitted and received for a Fast Ethernet SPA on the Cisco 7600 SIP-200.
Router# show hw sub 2 counter mac
Show counters info for Subslot 2:
port:0
good_octets_received: 2046026640038
bad_octets_received: 0
good_frames_received: 31969140675
bad_frames_received: 0
broadcast_frames_received: 2
multicast_frames_received: 3562
good_octets_sent: 1373554315151
good_frames_sent: 22892514199
broadcast_frames_sent: 0
multicast_frames_sent: 0
mac_transfer_error: 0
excessive_collision: 0
unrecog_mac_control_received: 0
fc_sent: 11232431
good_fc_received: 0
rx_over_flow_events: 234082101
undersize: 0
fragments: 0
oversize: 0
jabber: 0
mac_rcv_error: 0
bad_crc: 0
collisions: 0
late_collision: 0
rate_limit_dropped: 0
tx_fifo_full_packet_drops : 0
spi4_rx_frames: 2814271686
spi4_tx_frames: 1328805298

Verifying Flow Control Status for a Gigabit Ethernet SPA Interface on a Cisco 7600 SIP-400

To verify flow control status on a Gigabit Ethernet interface on a SPA, use the show interfaces gigabitethernet privileged EXEC command and view the “output flow-control is” and “input flow-control is” output lines to see whether input and output flow control is on or off. The “pause input” and “pause output” counters in the output of this command show the number of pause frames received and sent by the interface.
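The pause-frame counters on the two line cards come out in different formats: the SIP-200 MAC counter dump above is a list of name: value pairs, while the SIP-400 show interfaces output described here (and shown in the next section) embeds the pause counts in its error lines. The following Python is an added example, not from the Cisco guide: it parses both formats and turns them into the findings an operator would act on, for instance a port that is sending pause frames while its receive path overflows, or pause frames arriving on an interface whose input flow control is off. The embedded sample text is abbreviated from the guide's two outputs; the finding texts are this example's own wording, and the only threshold used is a non-zero counter.

```python
"""Added example (not from the Cisco guide): parse the pause-frame counters the
guide shows for the SIP-200 (show hw-module subslot counter mac) and the SIP-400
(show interfaces) and report what an operator would act on.  Sample text is
abbreviated from the guide's outputs; the findings are this example's own."""
import re

MAC_COUNTERS_SAMPLE = """\
Show counters info for Subslot 2:
port:0
good_octets_received: 2046026640038
bad_octets_received: 0
good_frames_received: 31969140675
bad_frames_received: 0
fc_sent: 11232431
good_fc_received: 0
rx_over_flow_events: 234082101
bad_crc: 0
tx_fifo_full_packet_drops : 0
"""

SHOW_INTERFACES_SAMPLE = """\
GigabitEthernet2/0/1 is up, line protocol is up
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is off, input flow-control is off
     1703 packets input, 638959 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1670 multicast, 0 pause input
     1715 packets output, 656528 bytes, 0 underruns
     0 lost carrier, 0 no carrier, 0 pause output
"""

_PORT_RE = re.compile(r"^\s*port\s*:\s*(\d+)\s*$")
# Allow the stray space the platform prints in 'tx_fifo_full_packet_drops : 0'.
_COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(\d+)\s*$")


def parse_mac_counters(text):
    """{port_number: {counter_name: value}} from the SIP-200 MAC counter dump."""
    ports, current = {}, None
    for line in text.splitlines():
        port = _PORT_RE.match(line)
        if port:
            current = int(port.group(1))
            ports[current] = {}
            continue
        counter = _COUNTER_RE.match(line)
        if counter and current is not None:
            ports[current][counter.group(1)] = int(counter.group(2))
    return ports


def parse_show_interfaces(text):
    """Flow-control state and pause/error counters from show interfaces output."""
    info = {}
    m = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    if m:
        info["name"], info["state"], info["protocol"] = m.groups()
    m = re.search(r"output flow-control is (\w+), input flow-control is (\w+)", text)
    if m:
        info["output_flow_control"], info["input_flow_control"] = m.groups()
    for key, pattern in (("pause_input", r"(\d+) pause input"),
                         ("pause_output", r"(\d+) pause output"),
                         ("input_errors", r"(\d+) input errors"),
                         ("overrun", r"(\d+) overrun")):
        m = re.search(pattern, text)
        if m:
            info[key] = int(m.group(1))
    return info


def assess_mac_counters(counters):
    """Findings for one port of the SIP-200 dump (counter names as printed)."""
    findings = []
    if counters.get("fc_sent", 0) and counters.get("rx_over_flow_events", 0):
        findings.append("port sends pause frames while its receive path overflows: "
                        "the SPA is not draining ingress at line rate")
    elif counters.get("fc_sent", 0):
        findings.append("port sent pause frames with no receive overflow recorded")
    if counters.get("good_fc_received", 0):
        findings.append("peer is pausing this port; an attached host can throttle the link this way")
    if counters.get("bad_crc", 0) or counters.get("bad_frames_received", 0):
        findings.append("receive errors present; check cabling or optics before tuning flow control")
    return findings


def assess_interface(info):
    """Findings for SIP-400 show interfaces output."""
    findings = []
    if info.get("input_flow_control") == "on" and info.get("pause_input", 0):
        findings.append("link is being paused by the peer")
    if info.get("input_flow_control") == "off" and info.get("pause_input", 0):
        findings.append("pause frames arrive but input flow-control is off, so they are only counted")
    if info.get("output_flow_control") == "off" and info.get("pause_output", 0):
        findings.append("pause frames counted on output although output flow-control is off")
    if info.get("overrun", 0):
        findings.append("input overruns recorded: the receive path filled faster than it was drained")
    return findings


if __name__ == "__main__":
    for port, counters in parse_mac_counters(MAC_COUNTERS_SAMPLE).items():
        print("port %d:" % port, assess_mac_counters(counters) or ["ok"])
    info = parse_show_interfaces(SHOW_INTERFACES_SAMPLE)
    print(info["name"], assess_interface(info) or ["ok"])
```

On the guide's own SIP-200 sample this reports the one finding that matters (fc_sent and rx_over_flow_events both non-zero while good_fc_received is zero), and on the SIP-400 sample it reports nothing, matching the guide's statement that zero pause frames were sent or received there.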
The following example shows that zero pause frames have been transmitted and received by the MAC device for interface port 1 (the second port) on the SPA located in subslot 0 of the SIP that is installed in slot 2 of the Cisco 7600 series router:

Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is off, input flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 03:18:49, output 03:18:44, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1703 packets input, 638959 bytes, 0 no buffer
     Received 23 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1670 multicast, 0 pause input
     1715 packets output, 656528 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Configuring Flow Control for an Ethernet SPA Interface on a Cisco 7600 SIP-600

On the Cisco 7600 SIP-600, flow control can be configured on Ethernet SPA interfaces by entering the flowcontrol send command to configure the interface to transmit pause frames or the flowcontrol receive command to configure the interface to receive pause frames.

Note When a user configures flow control for either the transmit or receive direction, it is automatically enabled for both transmit and receive directions simultaneously. Fast Ethernet SPAs have flow control enabled by default and it cannot be disabled.

Command: Router(config-if)# flowcontrol send [desired | off | on]
Purpose: Enables transmission of outgoing pause frames. The following options can be configured with this command:
• desired—Allows, but does not require, outgoing pause frames to leave the interface.
• off—Disables transmission of outgoing pause frames.
• on—Enables transmission of outgoing pause frames.

Command: Router(config-if)# flowcontrol receive [desired | off | on]
Purpose: Enables the interface to receive incoming pause frames. The following options can be configured with this command:
• desired—Allows, but does not require, the interface to receive incoming pause frames.
• off—Does not allow incoming pause frames to enter the interface.
• on—Allows incoming pause frames to enter the interface.

Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Mode

In unicast mode, the slave port and the master port need to know each other’s IP address. Unicast mode has a one-to-one mapping between the slave and the master: one master can have just one slave and vice versa, so unicast mode is not a good option for scalability. The command used for configuring the 2-Port Gigabit Synchronous Ethernet SPA in unicast mode is clock-port.

Command: Router(config-ptp-clk)# clock-port port-name {master | slave}
Purpose: Configures the 2-Port Gigabit Synchronous Ethernet SPA in unicast mode, where port-name is a WORD naming the port (the examples use SLAVE and MASTER) and the keyword gives the port role.

Before configuring the 2-Port Gigabit Synchronous Ethernet SPA in any of these modes, you need to configure an IP address with a 32-bit mask on the ToP interface.
Note that the ToP interface is addressed as ToP slot/subslot/2. The following example shows the configuration of the ToP IP address with a 32-bit mask:

Router(config)# int top2/0/2
Router(config-if)# ip address 8.8.8.2 255.255.255.255
Router(config-if)# no sh
Router# sh run int top2/0/2
Building configuration...

Current configuration : 72 bytes
!
interface ToP2/0/2
 ip address 8.8.8.2 255.255.255.255
end
!

The following example shows the configuration of the 2-Port Gigabit Synchronous Ethernet SPA in unicast mode:

Router# configure terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port SLAVE slave
Router(config-ptp-port)# transport ipv4 unicast interface ToP5/2/2
Router(config-ptp-port)# clock-source 8.8.8.1

Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port MASTER Master
Router(config-ptp-port)# transport ipv4 unicast interface ToP5/2/2
Router(config-ptp-port)# clock destination 8.8.8.2
Router(config-ptp-port)# sync interval <interval>
Router(config-ptp-port)# announce interval <interval>

Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Neg Mode

In unicast negotiation (neg) mode, the master port does not need to be told the slave port's address at the outset. The slave port sends a negotiation TLV when it becomes active, from which the master port learns that a slave port wants to synchronize. Unicast neg mode is a good option for scalability because one master can serve multiple slaves. The command used for configuring the 2-Port Gigabit Synchronous Ethernet SPA in unicast neg mode is clock-port.

Command: Router(config-ptp-clk)# clock-port port-name {master | slave}
Purpose: Configures the 2-Port Gigabit Synchronous Ethernet SPA in unicast neg mode, where port-name is a WORD naming the port and the keyword gives the port role.

The following example shows the configuration of the 2-Port Gigabit Synchronous Ethernet SPA in unicast neg mode:

Router# configure terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port SLAVE slave
Router(config-ptp-port)# transport ipv4 unicast interface ToP5/2/2 negotiation
Router(config-ptp-port)# clock-source 8.8.8.1

Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port MASTER Master
Router(config-ptp-port)# transport ipv4 unicast interface ToP5/2/2 negotiation
Router(config-ptp-port)# sync interval <interval>
Router(config-ptp-port)# announce interval <interval>

Configuring 2-Port Gigabit Synchronous Ethernet SPA in Multicast Mode

In multicast mode, the master port sends Sync and Announce messages to 224.0.1.129. The master port explicitly specifies the multicast egress interface. The slave receives the multicast messages from the master port and thereby learns the master port's IP address. The slave port sends a unicast Delay Request to this IP address, and the master sends the Delay Response back to the slave port's IP address in unicast. Multicast mode is a good option for scalability because the master sends just one set of Sync messages instead of one set per slave port. The command used for configuring the 2-Port Gigabit Synchronous Ethernet SPA in multicast mode is clock-port.
The following example shows the configuration of the 2-Port Gigabit Synchronous Ethernet SPA in multicast mode:

Router# configure terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port SLAVE slave
Router(config-ptp-port)# transport ipv4 multicast-mix interface ToP5/2/2 negotiation

Router(config)# ptp clock ordinary domain 0
Router(config)# multicast-source Gi3/3
Router(config)# multicast-source Vlan100
Router(config-ptp-clk)# clock-port MASTER Master
Router(config-ptp-port)# transport ipv4 multicast-mix interface ToP5/2/2 negotiation
Router(config-ptp-port)# sync interval <interval>
Router(config-ptp-port)# announce interval <interval>

Command: Router(config-ptp-clk)# clock-port port-name {master | slave}
Purpose: Configures the 2-Port Gigabit Synchronous Ethernet SPA in multicast mode, where port-name is a WORD naming the port and the keyword gives the port role.

Verifying the PTP Modes

Use the show ptp clock dataset current command to display the current dataset:

Router# show ptp clock dataset current
CLOCK [Ordinary Clock, domain 0]
  Steps Removed: 1
  Offset From Master: 757720306ns

Use the show ptp clock dataset default command to display the default dataset:

Router# show ptp clock dataset default
CLOCK [Ordinary Clock, domain 0]
  Two Step Flag: No
  Clock Identity: 0x0:A:8B:FF:FF:5C:A:80
  Number Of Ports: 1
  Priority1: 128
  Priority2: 128
  Domain Number: 0
  Slave Only: Yes
  Clock Quality:
    Class: 13
    Accuracy: Greater than 10s
    Offset (log variance): 52592

Use the show ptp clock dataset parent domain command to display the parent dataset:
Router# show ptp clock dataset parent domain 0
CLOCK [Ordinary Clock, domain 0]
  Parent Stats: No
  Observed Parent Offset (log variance): 65535
  Observed Parent Clock Phase Change Rate: 0
  Grandmaster Clock:
    Identity: 0x0:D0:4:FF:FF:B8:6C:0
    Priority1: 128
    Priority2: 128
    Clock Quality:
      Class: 13
      Accuracy: Within 1s
      Offset (log variance): 52592

Use the show ptp clock dataset time-properties domain command to display the time-properties dataset:

Router# show ptp clock dataset time-properties domain 0
CLOCK [Ordinary Clock, domain 0]
  Current UTC Offset Valid: TRUE
  Current UTC Offset: 33
  Leap 59: FALSE
  Leap 61: FALSE
  Time Traceable: TRUE
  Frequency Traceable: TRUE
  PTP Timescale: TRUE

Configuring ToD on 1588V2 Master

These commands are used to configure ToD on a 1588V2 master:

Command: Router(config-ptp-clk)# tod slot/subslot cisco
Purpose: Configures ToD on 1588V2.

Command: Router(config-ptp-clk)# input 1pps slot/subslot
Purpose: Provides the 1PPS input to the master.

This example shows the configuration of ToD on a 1588V2 master:

Router# config terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# tod 3/3 cisco
Router(config-ptp-clk)# input 1pps 3/3
Router(config-ptp-clk)# clock-port MASTER master
Router(config-ptp-clk)# transport ipv4 unicast interface Gi3/3/1 negotiation
Router(config-ptp-clk)# end

Verifying ToD Configuration on the 1588V2 Master

This example helps you verify the ToD configuration on the 1588V2 master:

Router# show ptp clock runn dom 0
PTP Ordinary Clock [Domain 0]
  State          Ports   Pkts sent   Pkts rcvd
  FREQ_LOCKED    1       30052       5867

  PORT SUMMARY
  Name     Tx Mode   Role     Transport   State   Sessions
  MASTER   unicast   master   To3/1/2     -       1

  SESSION INFORMATION
  MASTER [To3/1/2] [Sessions 1]
    Peer addr   Pkts in   Pkts out   In Errs   Out Errs
    4.4.4.4     5867      30052      0         1
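The dataset fields shown above (priority1, priority2, clock class, accuracy, offset log variance, grandmaster identity, steps removed) are exactly the fields a master advertises in its Announce messages, and they are what the best master clock algorithm (BMCA) compares when a slave picks its master. The following Python is an added example, not code from the Cisco guide or from Cisco: it encodes and decodes a PTPv2 Announce as it appears on the 224.0.1.129 group or in a unicast session, and runs the IEEE 1588-2008 dataset comparison to show which Announce wins. Header layout, flag bits, and comparison order are from IEEE 1588-2008, not from the guide; the legitimate clock's values reuse the guide's show ptp clock dataset output; the second, rogue clock identity is constructed. The audit function flags the case that matters operationally: the 1588-2008 default profile does not authenticate an Announce, so a device on the same multicast group, or able to reach the ToP address in unicast negotiation mode, needs only a lower priority1 to be chosen over the engineered grandmaster.

```python
"""Added example (not from the Cisco guide): PTPv2 Announce encode/decode and the
IEEE 1588-2008 BMCA dataset comparison.  Layout and comparison order follow the
standard; the legitimate dataset reuses the guide's values; the rogue is constructed."""
import struct

PTP_MULTICAST_GROUP = "224.0.1.129"
PTP_EVENT_PORT, PTP_GENERAL_PORT = 319, 320       # Announce travels on the general port
MSG_ANNOUNCE, CTRL_ANNOUNCE, PTP_VERSION = 0x0B, 0x05, 2
# flagField bits as one big-endian 16-bit value (octet 0 is the high byte).
FLAG_TWO_STEP, FLAG_UNICAST = 0x0200, 0x0400
FLAG_UTC_VALID, FLAG_PTP_TIMESCALE = 0x0004, 0x0008
FLAG_TIME_TRACEABLE, FLAG_FREQ_TRACEABLE = 0x0010, 0x0020
# clockAccuracy values that appear in the guide's output (IEEE 1588-2008 Table 6).
ACCURACY = {0x2F: "Within 1s", 0x30: "Within 10s", 0x31: "Greater than 10s", 0xFE: "Unknown"}

HEADER_FMT = "!BBHBBHq4s10sHBb"       # 34-byte common header
ANNOUNCE_FMT = "!10shBBBBHB8sHB"      # 30-byte Announce body


def clock_identity(text):
    """'0x0:D0:4:FF:FF:B8:6C:0' as printed by show ptp clock dataset -> 8 raw bytes."""
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes(int(part, 16) for part in text.split(":"))


def identity_text(raw):
    return "0x" + ":".join("%X" % b for b in raw)


def build_announce(domain, grandmaster, priority1, priority2, clock_class, accuracy,
                   log_variance, steps_removed, utc_offset, sequence_id,
                   source=None, unicast=False, log_interval=1):
    flags = FLAG_UTC_VALID | FLAG_PTP_TIMESCALE | FLAG_TIME_TRACEABLE | FLAG_FREQ_TRACEABLE
    if unicast:
        flags |= FLAG_UNICAST
    source_port = (source or grandmaster) + struct.pack("!H", 1)   # portNumber 1
    header = struct.pack(HEADER_FMT, MSG_ANNOUNCE, PTP_VERSION, 64, domain, 0, flags,
                         0, b"\x00" * 4, source_port, sequence_id, CTRL_ANNOUNCE, log_interval)
    body = struct.pack(ANNOUNCE_FMT, b"\x00" * 10, utc_offset, 0, priority1, clock_class,
                       accuracy, log_variance, priority2, grandmaster, steps_removed, 0xA0)
    return header + body


def parse_announce(data):
    if len(data) < 64:
        raise ValueError("short PTP message")
    (mtype, version, _len, domain, _r, flags, _corr, _r2, source_port,
     sequence_id, _ctrl, log_interval) = struct.unpack(HEADER_FMT, data[:34])
    if mtype & 0x0F != MSG_ANNOUNCE or version & 0x0F != PTP_VERSION:
        raise ValueError("not a PTPv2 Announce")
    (_ts, utc_offset, _r3, priority1, clock_class, accuracy, log_variance,
     priority2, grandmaster, steps_removed, _src) = struct.unpack(ANNOUNCE_FMT, data[34:64])
    return {"domain": domain, "unicast": bool(flags & FLAG_UNICAST),
            "utc_offset": utc_offset, "priority1": priority1, "clock_class": clock_class,
            "accuracy": accuracy, "accuracy_text": ACCURACY.get(accuracy, hex(accuracy)),
            "log_variance": log_variance, "priority2": priority2,
            "grandmaster": grandmaster, "steps_removed": steps_removed,
            "source": source_port[:8], "sequence": sequence_id,
            "log_interval": log_interval}


def bmca_key(a):
    """Dataset comparison order from IEEE 1588-2008 9.3.4; lower wins at each step."""
    return (a["priority1"], a["clock_class"], a["accuracy"], a["log_variance"],
            a["priority2"], a["grandmaster"], a["steps_removed"])


def select_grandmaster(announces, domain):
    """The Announce that wins BMCA among those seen for the configured domain."""
    candidates = [a for a in announces if a["domain"] == domain]
    return min(candidates, key=bmca_key) if candidates else None


def audit(announces, domain, expected_grandmaster):
    """Report whether a clock other than the engineered grandmaster would be chosen."""
    best = select_grandmaster(announces, domain)
    if best is None:
        return "no Announce seen for domain %d" % domain
    if best["grandmaster"] != expected_grandmaster:
        return "BMCA winner %s is not the expected grandmaster %s" % (
            identity_text(best["grandmaster"]), identity_text(expected_grandmaster))
    return "ok"


if __name__ == "__main__":
    gm = clock_identity("0x0:D0:4:FF:FF:B8:6C:0")          # from the guide's parent dataset
    legit = parse_announce(build_announce(0, gm, 128, 128, 13, 0x2F, 52592, 1, 33, 1))
    rogue = parse_announce(build_announce(0, clock_identity("0x0:11:22:33:44:55:66:77"),
                                          0, 128, 13, 0x2F, 52592, 0, 33, 1))   # constructed
    print(audit([legit], 0, gm))
    print(audit([legit, rogue], 0, gm))
```

Running the block prints "ok" for the guide's grandmaster alone and then the mismatch message once the constructed clock with priority1 0 is in the mix. The practical defences that follow from the comparison order are to keep the engineered grandmaster's priority1 low and its clock class good, to put an ACL on the ToP address so only the expected peers can reach UDP 319 and 320, and to alarm when show ptp clock dataset parent reports a grandmaster identity other than the one expected.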
The show platform ptp tod all command displays the ToD and 1PPS status on the master:

Router# show platform ptp tod all
--------------------------------
ToD/1PPS Info for SPA 3/1
--------------------------------
ToD CONFIGURED : YES
ToD FORMAT     : CISCO
ToD DELAY      : 0
1PPS MODE      : INPUT
1PPS STATE     : UP
ToD STATE      : UP
ToD CLOCK      : Mon Aug 30 09:36:47 UTC 2010

Configuring ToD on 1588V2 Slave

These commands are used to configure ToD on the 1588V2 slave:

Command: Router(config-ptp-clk)# tod slot/subslot cisco
Purpose: Configures ToD on 1588V2.

Command: Router(config-ptp-clk)# output 1pps slot/subslot
Purpose: Provides the 1PPS output from the slave.

This example shows the ToD configuration on the 1588V2 slave:

Router# config terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# tod 3/3 cisco
Router(config-ptp-clk)# output 1pps 3/3
Router(config-ptp-clk)# clock-port SLAVE slave
Router(config-ptp-clk)# transport ipv4 unicast interface Gi3/3/1 negotiation
Router(config-ptp-clk)# clock source 1.1.1.1
Router(config-ptp-clk)# end

Verifying ToD Configuration on the 1588V2 Slave

This example helps you verify the ToD configuration on the 1588V2 slave. The first output shows the slave still acquiring:

Router# show ptp clock runn dom 0
PTP Ordinary Clock [Domain 0]
  State        Ports   Pkts sent   Pkts rcvd
  ACQUIRING    1       5308        27185

  PORT SUMMARY
  Name    Tx Mode   Role    Transport   State   Sessions
  SLAVE   unicast   slave   To3/1/2     -       1

  SESSION INFORMATION
  SLAVE [To3/1/2] [Sessions 1]
    Peer addr   Pkts in   Pkts out   In Errs   Out Errs
    3.3.3.3     27185     5308       0         0

A later run of the same command shows the slave in the PHASE_ALIGNED state; use the show platform ptp tod all command to display the ToD output status:
Router# show ptp clock runn dom 0
PTP Ordinary Clock [Domain 0]
  State            Ports   Pkts sent   Pkts rcvd
  PHASE_ALIGNED    1       21428       109772

  PORT SUMMARY
  Name    Tx Mode   Role    Transport   State   Sessions
  SLAVE   unicast   slave   To3/1/2     -       1

  SESSION INFORMATION
  SLAVE [To3/1/2] [Sessions 1]
    Peer addr   Pkts in   Pkts out   In Errs   Out Errs

Router# show platform ptp tod all
--------------------------------
ToD/1PPS Info for SPA 3/1
--------------------------------
ToD CONFIGURED : YES
ToD FORMAT     : CISCO
ToD DELAY      : 0
1PPS MODE      : OUTPUT
OFFSET         : 0
PULSE WIDTH    : 0
ToD CLOCK      : Mon Aug 30 09:52:08 UTC 2010
--------------------------------

Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400

Use the following configuration to configure the 2-Port Gigabit Synchronous Ethernet SPA on the Cisco SIP-400 as a boundary clock:

ptp clock boundary domain 0
 clock-port SLAVE slave
  transport ipv4 unicast interface To2/0/2 negotiation
  clock source 133.133.133.133
 clock-port MASTER master
  transport ipv4 unicast interface Top2/0/2 negotiation

Configuring Network Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400

The 2-Port Gigabit Synchronous Ethernet SPA supports time, phase, and frequency awareness through Ethernet networks. The 2-Port Gigabit Synchronous Ethernet SPA on the Cisco SIP-400 enables clock selection and translation between the various clock frequencies. If the 2-Port Gigabit Synchronous Ethernet SPA interoperates with devices that do not support synchronization, synchronization features can be disabled or partially enabled to maintain backward compatibility.
The network clock can be configured in global configuration mode and interface configuration mode:
• Configuring Network Clock in Global Configuration Mode, page 12-29
• Configuring Network Clock in Interface Configuration Mode, page 12-33

Configuring Network Clock in Global Configuration Mode

Use the following commands to configure the 2-Port Gigabit Synchronous Ethernet SPA on the Cisco SIP-400:

Command: Router(config)# [no] network-clock synchronization automatic
Purpose: Enables the G.781-based automatic clock selection process. G.781 is the ITU-T Recommendation that specifies the synchronization layer functions.

Command: Router(config)# [no] network-clock eec {1 | 2}
Example: Router(config)# network-clock eec 1
Purpose: Configures the clocking system hardware with the desired parameters. These are the options:
• For option 1, the default value is EEC-Option 1 (2048).
• For option 2, the default value is EEC-Option 2 (1544).

Command: Router(config)# [no] network-clock synchronization ssm option {1 | 2 {GEN1 | GEN2}}
Example: Router(config)# network-clock synchronization ssm option 2 GEN1
Purpose: Configures the router to work in a synchronized network mode as described in G.781. The following are the options:
• Option 1 refers to synchronization networks designed for Europe (SDH/E1 framings are compatible with this option).
• Option 2 refers to synchronization networks designed for the US (SONET/T1 framings are compatible with this option).
The default option is 1. When choosing option 2, you need to specify the second generation message (GEN2) or first generation message (GEN1).
Note Network-clock configurations that are not common between options need to be configured again.

Command: Router(config)# [no] network-clock synchronization mode QL-enabled
Purpose: Configures the automatic selection process for quality level (QL)-enabled mode.
Note QL-enabled mode succeeds only if there are any synchronization interfaces that are capable of sending SSM. Router(config)#[no] esmc process Enables or disables the ESMC process at system level. Note This command fails if there is no SyncE capable interface installed in the platform. Router(config)#network-clock hold-off {0 | <50-10000>} global Example Router(config)#network-clock hold-off 75 global Configures general hold-off timer in milliseconds. The default value is 300 milliseconds. Note Displays a warning message for values below 300 ms and above 1800 ms. Router(config)#network-clock external hold-off {0 | <50-10000>} Example Router(config)#network-clock external 3/1/1 hold-off 300 Overrides hold-off timer value for external interface. Note Displays a warning message for values above 1800 ms, as waiting longer causes the clock to go into the holdover mode. Router(config)#network-clock wait-to-restore <0-86400> global Example Router(config)#network-clock external wait-to-restore 1000 global Sets the value for the wait-to-restore timer globally. The wait to restore time is configurable in the range of 0 to 86400 seconds. The default value is 300 seconds. Caution Ensure that you set the wait-to-restore values above 50 seconds to avoid a timing flap. Command Purpose12-31 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Configuration Tasks Router(config)# [no] network-clock input-source {interface | top | {external [t1 {sf | efs | d4} | e1 [crc4| fas| cas [crc4] | 2m | 10m]}} Example Router(config)# network-clock input-source 23 top 2/0/1/3 Example for GPS interface Router(config)# network-clock input-source 1 external 3/0/0 10m Configures a clock source line interface, an external timing input interface, GPS interface, or a packet-based timing recovered clock as the input clock for the system and defines its priority. Priority is a number between 1 and 250. 
This command also configures the type of signal for an external timing input interface. These signals are: • T1 with Standard Frame format or Extended Standard Frame format. • E1 with or without CRC4 • 2 MHz signal • Default for Europe or Option I is e1 crc4 if the signal type is not specified. • Default for North America or Option II is t1 esf if signal type is not specified. Note The no version of the command reverses the command configuration, implying that the priority has changed to undefined and the state machine is informed. Router(config)#[no] network-clock revertive Specifies whether or not the clock source is revertive. Clock sources with the same priority are always non-revertive. The default value is non-revertive. In non-revertive switching, a switch to an alternate reference is maintained even after the original reference recovers from the failure that caused the switch. In revertive switching, the clock switches back to the original reference after that reference recovers from the failure, independent of the condition of the alternate reference. Command Purpose12-32 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Configuration Tasks Router(config)#network-clock quality-level {tx | rx} {interface | external | controller } Example Router(config)# network-clock quality-level rx QL-PRC external 4/0/0 e1 crc4 Specifies the QL value for line or external timing input or output. The value is based on a global interworking Option. • If Option 1 is configured, the available values are QL-PRC, QL-SSU-A, QL-SSU-B, QL-SEC, and QL-DNU. • If Option 2 is configured with GEN 2, the available values are QL-PRS, QL-STU, QL-ST2, QL-TNC, QL-ST3, QL-SMC, QL-ST4 and QL-DUS. • If option 2 is configured with GEN1, the available values are QL-PRS, QL-STU, QL-ST2, QL-SMC, QL-ST4 and QL-DUS Note This command is not supported for synchronous ethernet interfaces. 
Router(config)#network-clock output-source line {interface | controller {t1 | e1} } {external [t1 {sf | efs | d4} | e1 [crc4| fas| cas [crc4] | 2m | 10m] } Example Router(config)# network-clock output-source line 1 interface GigabitEthernet3/0/0 Transmits the line clock sources to external timing output interfaces. Note A line can be configured to be the output source for only one external interface. This command provides the station clock output as per G.781. We recommend that you use the interface level command instead of global commands. Global command should preferably be used for interfaces that do not have an interface sub mode. For more information on configuring network clock in interface level mode, see Configuring Network Clock in Interface Configuration Mode, page 12-33. Router(config)#network-clock output-source system {external [t1 {sf | efs | d4} | e1 [crc4| fas| cas [crc4] | 2m | 10m] } Example Router(config)#network-clock output-source system 55 external 3/0/1 t1 efs Allows transmitting the system clock to external timing output interfaces. This command provides station clock output as per G.781. We recommend that you use the interface level command instead of global commands. Global command should preferably be used for interfaces that do not have an interface sub mode. For more information on configuring network clock in interface level mode, see Configuring Network Clock in Interface Configuration Mode, page 12-33. Router(config)#[no] network-clock synchronization participate Example Router(config)#[no] network-clock synchronization participate 2 Enables or disables a slot from participating in network-clock algorithm. By default all slots are participating slots. Note A slot cannot be disabled from participation if it's primary source, secondary source, or system to external is valid. 
Configuring Network Clock in Interface Configuration Mode

Use the following commands in interface configuration mode to configure the network clock and timers on the Cisco 7600 SIP-400, 2-Port Gigabit Synchronous Ethernet SPA.

Command: Router(config-if)# [no] clock cleanup bits [t1 {sf | esf} | e1 crc4 | 2m | japan]
Example: Router(config-if)# clock cleanup bits 2/0 t1 esf
Purpose: Enables or disables clock cleanup on the 2-Port Gigabit Synchronous Ethernet SPA.

Command: Router(config-if)# clock source {internal | line | loop}
Example: Router(config-if)# clock source internal
Purpose: Sets the clock source on the interface to one of the following:
• Line: The system clock selection process can select this interface as a clock source, and the interface uses the system clock for TX.
• Internal: The system clock selection process does not select this interface as a clock source, but the interface uses the system clock for TX.
• Loop: The system clock selection process can select this interface as a clock source. For the TX clock, the interface uses the clock received on the same interface.
Note: By default, the clock source on the interface is set to internal.

Command: Router(config-if)# synchronous mode
Purpose: Configures the Ethernet interface in synchronous mode; this automatically enables the ESMC and quality level (QL) processes on the interface.
Note: This command is applicable to Synchronous Ethernet capable interfaces. The default is asynchronous mode.

Command: Router(config-if)# esmc mode [tx | rx]
Example: Router(config-if)# esmc mode tx
Purpose: Enables or disables the ESMC process on the interface.
Note: If the interface is configured as a line source but does not receive ESMC messages from the peer node on the interface, the interface is removed from the selectable clock source list. By default, ESMC is enabled for synchronous mode and disabled for asynchronous mode.
Note: This command is not supported for non-synchronous Ethernet interfaces.

Managing Synchronization

You can manage the synchronization using the following management commands:

Command: Router(config-if)# network-clock source quality-level {tx | rx}
Example: Router(config-if)# network-clock source quality-level QL-PRC
Purpose: Forces a QL value into the local clock selection process; the clock selection process treats it as a value received from the network. The value is based on the global interworking option.
• If Option 1 is configured, the available values are QL-PRC, QL-SSU-A, QL-SSU-B, QL-SEC, and QL-DNU.
• If Option 2 is configured with GEN2, the available values are QL-PRS, QL-STU, QL-ST2, QL-TNC, QL-ST3, QL-SMC, QL-ST4, and QL-DUS.
• If Option 2 is configured with GEN1, the available values are QL-PRS, QL-STU, QL-ST2, QL-SMC, QL-ST4, and QL-DUS.
Note: This command is applicable to Synchronous Ethernet capable interfaces.

Command: Router(config-if)# network-clock hold-off {0 | <50-10000>}
Example: Router(config-if)# network-clock hold-off 1000
Purpose: Configures the hold-off timer for the interface. The default value is 300 milliseconds.
Note: A warning is displayed for values below 300 ms and above 1800 ms.

Command: Router(config-if)# [no] network-clock wait-to-restore <0-86400>
Example: Router(config-if)# network-clock wait-to-restore 1000
Purpose: Configures the wait-to-restore timer on the SyncE interface.
Caution: Ensure that you set the wait-to-restore value above 50 seconds to avoid a timing flap.

Command: Router(config-if)# [no] esmc mode ql-disabled
Purpose: Disables quality level mode. The default mode for synchronous Ethernet is ql-enabled.
Note: This command is not supported for non-synchronous Ethernet interfaces.
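The limits quoted in the global and interface command tables above (hold-off range and warning band, wait-to-restore range and the 50-second caution, source priority 1-250, the quality-level values allowed per SSM option, and the QL-enabled prerequisite of an SSM-capable interface) can be checked before a configuration is pushed to a router. The following Python script is an added example, not code from this guide or from Cisco; the configuration text it audits is constructed, and the finding messages are the example's own wording.

```python
"""Audit a Cisco IOS SyncE (network-clock) configuration fragment against the
limits stated in the command tables above: hold-off, wait-to-restore, source
priority, quality-level values per SSM option, and the QL-enabled prerequisite.
Added example, not Cisco code; the configuration text is constructed."""
import re

# Quality-level values permitted for each SSM option (from the quality-level rows).
QL_BY_OPTION = {
    "1": {"QL-PRC", "QL-SSU-A", "QL-SSU-B", "QL-SEC", "QL-DNU"},
    "2 GEN1": {"QL-PRS", "QL-STU", "QL-ST2", "QL-SMC", "QL-ST4", "QL-DUS"},
    "2 GEN2": {"QL-PRS", "QL-STU", "QL-ST2", "QL-TNC", "QL-ST3", "QL-SMC",
               "QL-ST4", "QL-DUS"},
}

# Limits quoted in the tables: hold-off is 0 or 50-10000 ms (IOS warns outside
# 300-1800 ms), wait-to-restore is 0-86400 s (caution at or below 50 s),
# input-source priority is 1-250.
HOLDOFF_RANGE, HOLDOFF_WARN = (50, 10000), (300, 1800)
WTR_MAX, WTR_MIN_SAFE = 86400, 50
PRIO_RANGE = (1, 250)


def ssm_option(lines):
    """Return the configured SSM option: "1", "2 GEN1" or "2 GEN2" (default 1)."""
    for line in lines:
        m = re.match(r"\s*network-clock synchronization ssm option (1|2 (?:GEN1|GEN2))\b", line)
        if m:
            return m.group(1)
    return "1"


def audit_network_clock(config):
    """Return (severity, config line, message) findings, in configuration order."""
    lines = [raw.strip() for raw in config.splitlines() if raw.strip()]
    option = ssm_option(lines)
    allowed_ql = QL_BY_OPTION[option]
    findings = []
    ql_enabled_line = None
    synchronous_ifaces = 0

    for line in lines:
        if line == "synchronous mode":          # interface-level SyncE enable
            synchronous_ifaces += 1
        if line.startswith("network-clock synchronization mode QL-enabled"):
            ql_enabled_line = line

        # Global, external and interface forms of hold-off all end with "hold-off <ms>".
        m = re.match(r"network-clock(?: external \S+)? hold-off (\d+)", line)
        if m:
            ms = int(m.group(1))
            if ms != 0 and not HOLDOFF_RANGE[0] <= ms <= HOLDOFF_RANGE[1]:
                findings.append(("error", line, "hold-off must be 0 or 50-10000 ms"))
            elif ms != 0 and not HOLDOFF_WARN[0] <= ms <= HOLDOFF_WARN[1]:
                findings.append(("warning", line,
                                 "hold-off outside 300-1800 ms; above 1800 ms the clock goes into holdover"))

        m = re.search(r"wait-to-restore (\d+)", line) if line.startswith("network-clock") else None
        if m:
            sec = int(m.group(1))
            if sec > WTR_MAX:
                findings.append(("error", line, "wait-to-restore must be 0-86400 s"))
            elif sec <= WTR_MIN_SAFE:
                findings.append(("caution", line, "wait-to-restore of 50 s or less can cause a timing flap"))

        m = re.match(r"network-clock input-source (\d+) ", line)
        if m and not PRIO_RANGE[0] <= int(m.group(1)) <= PRIO_RANGE[1]:
            findings.append(("error", line, "input-source priority must be 1-250"))

        # Global "quality-level {tx|rx} QL-x ..." and interface "source quality-level QL-x".
        m = re.match(r"network-clock (?:source )?quality-level (?:(?:tx|rx) )?(QL-[A-Z0-9-]+)", line)
        if m and m.group(1) not in allowed_ql:
            findings.append(("error", line,
                             "%s is not a valid quality level for SSM option %s" % (m.group(1), option)))

    # QL-enabled selection only succeeds with an SSM-capable (synchronous) interface.
    if ql_enabled_line and synchronous_ifaces == 0:
        findings.append(("error", ql_enabled_line,
                         "QL-enabled mode needs at least one interface in synchronous mode"))
    return findings


# Constructed configuration with one deliberate problem per check.
SAMPLE_CONFIG = """
network-clock synchronization automatic
network-clock synchronization ssm option 2 GEN1
network-clock synchronization mode QL-enabled
network-clock hold-off 75 global
network-clock wait-to-restore 30 global
network-clock input-source 1 interface GigabitEthernet3/0/0
network-clock input-source 251 external 3/0/0 10m
network-clock quality-level rx QL-PRC external 3/0/0 t1 esf
interface GigabitEthernet3/0/0
 no ip address
 synchronous mode
 network-clock hold-off 20000
"""

if __name__ == "__main__":
    for severity, line, message in audit_network_clock(SAMPLE_CONFIG):
        print("%-8s %-62s %s" % (severity, line, message))
```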
Command: Router(config)# network-clock set lockout {interface interface_name slot/card/port | external slot/card/port}
Example:
Router(config)# network-clock set lockout interface tenGigabitEthernet 7/1
Router(config)# network-clock clear lockout interface tenGigabitEthernet 7/1
Purpose: Locks out a clock source. A clock source flagged as locked out is not selected for SyncE. To clear the lockout on a source, use the network-clock clear lockout {interface interface_name slot/card/port | external slot/card/port} command.
Note: Lockout takes precedence over force switch, and force switch overrides manual switch.

Command: Router(config)# network-clock switch force {interface interface_name slot/card/port | external slot/card/port}
Example: Router(config)# network-clock switch force interface tenGigabitEthernet 7/1 t1
Purpose: Forcefully selects a synchronization source, irrespective of whether the source is available and within range.

Command: Router(config)# network-clock switch manual {interface interface_name slot/card/port | external slot/card/port}
Example: Router(config)# network-clock switch manual interface tenGigabitEthernet 7/1 t1
Purpose: Manually selects a synchronization source, provided the source is available and within range.

Command: Router(config)# network-clock clear switch {t0 | external [10m | 2m]}
Example: Router(config)# network-clock clear switch t0
Purpose: Clears the forced switch and manual switch commands.

Sample configuration

Example 12-1 Configuration for QL-enabled mode clock selection

network-clock synchronization automatic
network-clock synchronization mode QL-enabled
network-clock input-source 1 interface TenGigabitEthernet12/1
network-clock input-source 1 interface ATM6/0/0
!
interface TenGigabitEthernet12/1
 no ip address
 clock source line
 synchronous mode
end
!
interface ATM6/0/0
 no ip address
 atm framing sdh
 no atm enable-ilmi-trap
end

Example 12-2 Configuration for Line to External

network-clock synchronization automatic
network-clock synchronization mode QL-enabled
network-clock input-source 1 External 3/0/0
network-clock output-source line 1 interface GigabitEthernet3/0/0 External 3/0/0 e1 crc4
interface GigabitEthernet3/0/0
 no ip address
 no negotiation auto
 synchronous mode

Example 12-3 Configuration for Hybrid Mode Clock Selection

network-clock synchronization automatic
network-clock input-source 1 interface ToP3/0/2
network-clock quality-level rx QL-PRC interface ToP3/0/2

Example 12-4 GPS Configuration

10 MHz signal:
network-clock input-source 1 External 3/0/0 10m

2 MHz signal:
network-clock input-source 1 External 3/0/0 2m

Verifying the Synchronous Ethernet configuration

Use the show network-clock synchronization command to display the sample output.
Router# show network-clocks synchronization
Symbols:     En - Enable, Dis - Disable, Adis - Admin Disable
             NA - Not Applicable
             * - Synchronization source selected
             # - Synchronization source force selected
             & - Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No

Nominated Interfaces

 Interface    SigType   Mode/QL   Prio   QL_IN     ESMC Tx   ESMC Rx
 Internal     NA        NA/Dis    251    QL-SEC    NA        NA
*Te12/1       NA        Sync/En   1      QL-PRC    -         -
 AT6/0/0      NA        NA/En     1      QL-SSU-A  NA        NA

Use the show network-clock synchronization detail command to display all details of the network-clock synchronization parameters at the global and interface levels.
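When many routers are polled, the show network-clocks synchronization output above is easier to check by parsing than by eye: the global settings, the Nominated Interfaces table and the selection marker (*, # or &) tell you which source is in use and whether automatic selection has been overridden. The following Python parser is an added example, not code from this guide or from Cisco; SAMPLE_OUTPUT is constructed from the sample above, and the wording of the notes it produces is the example's own.

```python
"""Parse 'show network-clocks synchronization' output into the global settings and
the Nominated Interfaces table, then report what an operator checks first: whether a
source is selected, whether a forced or manual switch overrides automatic selection,
whether an in-use source receives QL-DNU, and whether the system is non-revertive.
Added example, not Cisco code; SAMPLE_OUTPUT is constructed from the guide's sample."""
import re

# Row markers defined in the Symbols legend of the command output.
MARKERS = {"*": "selected", "#": "force-selected", "&": "manual-switched"}

SAMPLE_OUTPUT = """\
Router# show network-clocks synchronization
Symbols:     En - Enable, Dis - Disable, Adis - Admin Disable
             NA - Not Applicable
             * - Synchronization source selected
             # - Synchronization source force selected
             & - Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No

Nominated Interfaces

 Interface    SigType   Mode/QL   Prio   QL_IN     ESMC Tx   ESMC Rx
 Internal     NA        NA/Dis    251    QL-SEC    NA        NA
*Te12/1       NA        Sync/En   1      QL-PRC    -         -
 AT6/0/0      NA        NA/En     1      QL-SSU-A  NA        NA
"""


def parse_netclock(text):
    """Return {"globals": {setting: value}, "sources": [one dict per nominated row]}."""
    settings, sources, in_table = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_table and ":" not in line:
            # Table row: optional selection marker, then seven whitespace-separated columns.
            marker = line[0] if line[0] in MARKERS else None
            fields = (line[1:] if marker else line).split()
            if len(fields) < 7:
                continue
            iface, sigtype, mode_ql, prio, ql_in, esmc_tx, esmc_rx = fields[:7]
            mode, _, ql_mode = mode_ql.partition("/")
            sources.append({
                "interface": iface, "signal_type": sigtype, "mode": mode,
                "ql_mode": ql_mode, "priority": int(prio), "ql_in": ql_in,
                "esmc_tx": esmc_tx, "esmc_rx": esmc_rx,
                "state": MARKERS[marker] if marker else "not-selected",
            })
            continue
        in_table = False
        if line.startswith("Interface") and "Prio" in line:
            in_table = True          # header of the Nominated Interfaces table
            continue
        m = re.match(r"([^:]+?)\s*:\s*(.*)$", line)
        if m and m.group(1) != "Symbols":
            settings[m.group(1)] = m.group(2)
    return {"globals": settings, "sources": sources}


def assess(parsed):
    """Return plain-language notes on the synchronization state (wording is the example's own)."""
    notes = []
    g, sources = parsed["globals"], parsed["sources"]
    active = [s for s in sources if s["state"] != "not-selected"]
    if not active:
        notes.append("no nominated source is marked as selected; check alarms, lockouts and QL values")
    for s in active:
        if s["state"] != "selected":
            notes.append("%s is %s: automatic selection stays overridden until "
                         "'network-clock clear switch' is issued" % (s["interface"], s["state"]))
        if s["ql_in"] == "QL-DNU":
            notes.append("%s is in use but receives QL-DNU (do not use)" % s["interface"])
    if g.get("Revertive", "").lower() == "no":
        notes.append("non-revertive: after a switch the clock stays on the alternate reference "
                     "even when the original reference recovers")
    if g.get("Automatic selection process") != "Enable":
        notes.append("automatic selection process is not enabled")
    return notes


if __name__ == "__main__":
    state = parse_netclock(SAMPLE_OUTPUT)
    print("T0:", state["globals"].get("T0"), "| nominated sources:", len(state["sources"]))
    for note in assess(state):
        print(" -", note)
```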
Router# show network-clocks synchronization detail
Symbols:     En - Enable, Dis - Disable, Adis - Admin Disable
             NA - Not Applicable
             * - Synchronization source selected
             # - Synchronization source force selected
             & - Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No
Force Switch: FALSE
Manual Switch: FALSE
Number of synchronization sources: 2
sm(netsync NETCLK_QL_ENABLE), running yes, state 1A
Last transition recorded: (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A

Nominated Interfaces

 Interface    SigType   Mode/QL   Prio   QL_IN     ESMC Tx   ESMC Rx
 Internal     NA        NA/Dis    251    QL-SEC    NA        NA
*Te12/1       NA        Sync/En   1      QL-PRC    -         -
 AT6/0/0      NA        NA/En     1      QL-SSU-A  NA        NA

Interface:
---------------------------------------------
Local Interface: Internal
Signal Type: NA
Mode: NA(Ql-enabled)
SSM Tx: Disable
SSM Rx: Disable
Priority: 251
QL Receive: QL-SEC
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: -
QL Transmit Configured: -
Hold-off: 0
Wait-to-restore: 0
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE

Local Interface: Te12/1
Signal Type: NA
Mode: Synchronous(Ql-enabled)
ESMC Tx: Enable
ESMC Rx: Enable
Priority: 1
QL Receive: QL-PRC
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: QL-DNU
QL Transmit Configured: -
Hold-off: 300
Wait-to-restore: 300
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE

Local Interface: AT6/0/0
Signal Type: NA
Mode: NA(Ql-enabled)
SSM Tx: Enable
SSM Rx: Enable
Priority: 1
QL Receive: QL-SSU-A
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: -
QL Transmit Configured: -
Hold-off: 300
Wait-to-restore: 300
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE

Use the show interfaces accounting command to display the sample output.

Router# show interfaces tenGigabitEthernet 12/1 accounting
TenGigabitEthernet12/1
                Protocol    Pkts In   Chars In   Pkts Out   Chars Out
                 DEC MOP         14       1134         14        1806
                     ARP          0          0          2         224
                     CDP        145      55970        145       63049
                    ESMC       3246     194760       7099      823484

Use the show esmc command to display the sample output.

Router# show esmc
Interface: TenGigabitEthernet12/1
  Administative configurations:
    Mode: Synchronous
    ESMC TX: Enable
    ESMC RX: Enable
    QL TX: -
    QL RX: -
  Operational status:
    Port status: UP
    QL Receive: QL-PRC
    QL Transmit: QL-DNU
    QL rx overrided: -
    ESMC Information rate: 1 packet/second
    ESMC Expiry: 5 second

Interface: TenGigabitEthernet12/2
  Administative configurations:
    Mode: Synchronous
    ESMC TX: Enable
    ESMC RX: Enable
    QL TX: -
    QL RX: -
  Operational status:
    Port status: UP
    QL Receive: QL-DNU
    QL Transmit: QL-DNU
    QL rx overrided: QL-DNU
    ESMC Information rate: 1 packet/second
    ESMC Expiry: 5 second

Use the show esmc detail command to display all details of the ESMC parameters at the global and interface levels.
Router# show esmc detail
Interface: TenGigabitEthernet12/1
  Administative configurations:
    Mode: Synchronous
    ESMC TX: Enable
    ESMC RX: Enable
    QL TX: -
    QL RX: -
  Operational status:
    Port status: UP
    QL Receive: QL-PRC
    QL Transmit: QL-DNU
    QL rx overrided: -
    ESMC Information rate: 1 packet/second
    ESMC Expiry: 5 second
    ESMC Tx Timer: Running
    ESMC Rx Timer: Running
    ESMC Tx interval count: 1
    ESMC INFO pkts in: 2195
    ESMC INFO pkts out: 6034
    ESMC EVENT pkts in: 1
    ESMC EVENT pkts out: 16

Interface: TenGigabitEthernet12/2
  Administative configurations:
    Mode: Synchronous
    ESMC TX: Enable
    ESMC RX: Enable
    QL TX: -
    QL RX: -
  Operational status:
    Port status: UP
    QL Receive: QL-DNU
    QL Transmit: QL-DNU
    QL rx overrided: QL-DNU
    ESMC Information rate: 1 packet/second
    ESMC Expiry: 5 second
    ESMC Tx Timer: Running
    ESMC Rx Timer: Running
    ESMC Tx interval count: 1
    ESMC INFO pkts in: 0
    ESMC INFO pkts out: 2159
    ESMC EVENT pkts in: 0
    ESMC EVENT pkts out: 10

Troubleshooting the Synchronous Ethernet configuration

The following debug commands are available for troubleshooting the Synchronous Ethernet configuration on the Cisco 7600 ES+ Line Card:

Debug Command: debug platform ssm
Purpose: Debugs issues related to SSM, such as Rx, Tx, QL values, and so on.

Debug Command: debug platform network-clock
Purpose: Debugs issues related to the network clock, such as alarms, OOR, active/standby sources not being selected correctly, and so on.
Debug Command: debug esmc error
Debug Command: debug esmc event
Debug Command: debug esmc packet [interface ]
Debug Command: debug esmc packet rx [interface ]
Debug Command: debug esmc packet tx [interface ]
Purpose: Verifies whether the ESMC packets are transmitted or received with the proper quality level values.

Warning: We suggest you do not use these debug commands without TAC supervision.

Troubleshooting Scenarios

Note: Before you troubleshoot, ensure that all the network clock synchronization configurations are complete.

Table 12-2 provides the troubleshooting scenarios encountered while configuring synchronous Ethernet.

Table 12-2 Troubleshooting scenarios

Problem: Incorrect clock limit set or disabled queue limit mode
Solution:
• Verify that there are no alarms on the interfaces. Use the show network-clock synchronization detail RP command to confirm.
• Use the show network-clock synchronization command to confirm whether the system is in revertive or non-revertive mode, and verify the non-revertive configurations as shown in this example:

RouterB# show network-clocks synchronization
Symbols:     En - Enable, Dis - Disable, Adis - Admin Disable
             NA - Not Applicable
             * - Synchronization source selected
             # - Synchronization source force selected
             & - Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 1544 (EEC-Option2)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : GEN1
T0 : POS3/1/0
Hold-off (global) : 300 ms
Wait-to-restore (global) : 0 sec
Tsm Delay : 180 ms
Revertive : Yes<<<

DETAILED STEPS

Command: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# ethernet cfm domain domain-name level 0 to 7 direction outward
Example: Router(config)# ethernet cfm domain domain1 level 5 direction outward
Purpose: Defines a CFM maintenance domain at a particular maintenance level. It sets the router into config-ether-cfm configuration mode, where parameters specific to the maintenance domain can be set.
• direction outward (optional): Specifies the domain direction. Specifying a domain as outward allows the creation of multiple outward domains at the same level containing an overlapping set of VLANs. The set of VLANs in an outward domain can also overlap with inward domains. Note that the set of VLANs between inward domains at the same level must still be unique.

Command: Router(config)# interface interface
Example: Router(config)# interface interface1
Purpose: Enters interface configuration mode.

Command: Router(config-interface)# ethernet cfm mep level 0 to 7 inward | outward domain-name mpid id vlan vlan-id | any | vlan-id-vlan-id vlan-id-vlan-id
Example: Router(config-interface1)# ethernet cfm mep level 7 inward domain1 mpid 22718 vlan 32
• inward | outward: Indicates the direction of the MEP as either inward (towards the bridge) or outward (towards the wire). The default is inward facing.
• domain-name: A string of maximum length 256 characters.
• id: A string of maximum length 256 characters.
• vlan-id: An integer from 1 to 4095.
Note: A comma must be entered to separate each VLAN ID range from the next range.
Note: A hyphen must be entered to separate the starting and ending VLAN ID values that define a range of VLAN IDs.

Configuring CFM in the EVC

Use the commands in the following sections to configure CFM on the EVC.

SUMMARY STEPS

1. enable
2. configure terminal
3. ethernet cfm global
4. ethernet cfm mip {autocreate|filter}
5. ethernet cfm mip auto-create level
6. ethernet cfm mip auto-create level {evc|vlan}
7. ethernet cfm mip auto-create level evc name
8. ethernet cfm domain domain level
9. service {word|number|vlan-id|vpn-id}
10. service evc {evc|port}
11. service evc evc name
12. service evc {direction|vlan}

DETAILED STEPS

Step 1
Command: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: ethernet cfm global
Example: PE1(config)#ethernet cfm global
Purpose: Enables CFM globally.

Step 4
Command: ethernet cfm mip {autocreate|filter}
Example: PE1(config)#ethernet cfm mip
Purpose: Creates a Maintenance Intermediate Point (MIP) for every VLAN on an interface, using the autocreate or the filter option. Ensure that you have created a domain using the ethernet cfm domain command. If you do not have a domain configured at the same level, the ethernet cfm mip level command is rejected. You cannot configure a MIP at a level lower than the level of the maintenance end points (MEPs) already configured on an interface.

Step 5
Command: ethernet cfm mip auto-create level
Example: PE1(config)#ethernet cfm mip auto-create level
Purpose: Automatically creates a MIP on the Ethernet interface and sets the maintenance level number. The acceptable range of maintenance levels is 0-7.

Step 6
Command: ethernet cfm mip auto-create level {evc|vlan}
Example:
PE1(config)#ethernet cfm mip auto-create level 7 evc
PE1(config)#ethernet cfm mip auto-create level 7 vlan ?
  <1-4094>  VLAN id
Purpose: Sets the EVC or the VLAN value, based on the selected option. The acceptable range of VLAN values is 1-4094.

Step 7
Command: ethernet cfm domain domain level
Example: PE1(config)#ethernet cfm domain DOMAIN_PROVIDER_L5_1 level 5
Purpose: Defines a connectivity fault management (CFM) maintenance domain at a particular maintenance level and puts the command-line interface (CLI) into Ethernet CFM configuration mode (config-ether-cfm).

Step 8
Command: service {word|number|vlan-id|vpn-id}
Example: PE1(config-ecfm)#service vlan100
Purpose: Sets a universally unique ID for a customer service instance (CSI), or the maintenance association number, primary VLAN ID, or VPN ID within a maintenance domain, in Ethernet CFM configuration mode.

Step 9
Command: service evc {evc|port}
Example: PE1(config-ecfm)#service vlan100 evc
Purpose: Configures a service EVC or port before you configure a maintenance endpoint (MEP) for a domain.

Step 10
Command: service evc evc name
Example: PE1(config-ecfm)#service vlan100 evc vlan100
Purpose: Assigns a unique EVC name.

Step 11
Command: service evc {direction|vlan}
Example: PE1(config-ecfm)#service vlan100 evc vlan100
Purpose: Specifies the service direction and the VLAN range of 1-4094.

Step 12
Command: service evc direction
Example: PE1(config-ecfm)#service vlan100 evc vlan100 direction down
Purpose: Sets the LAN direction to DOWN in the EVC service instance.

Sample Configuration

The following example shows the CFM configuration for an EVC interface.

interface GigabitEthernet3/0/10
 description connec to CE1 GigabitEthernet0/0
 ip arp inspection limit none
 no ip address
 mls qos trust dscp
 ethernet uni id customer1
 service instance 1 ethernet evc10
  encapsulation dot1q 2
  ethernet lmi ce-vlan map 1-10
  bridge-domain 2
  cfm mep domain L7 mpid 1502

The following example shows the CFM configuration in switchport interface configuration mode.

interface GigabitEthernet3/0/10
 switchport
 switchport mode trunk
 shutdown
 mls qos trust dscp
 no keepalive
 ethernet cfm mep domain L7 mpid 1001 vlan 10
end

The following example shows CFM configuration over a switchport interface configuration mode.
ethernet cfm domain L6 level 6
 service xconn evc xconn
  continuity-check

Verifying Ethernet CFM Configuration

The following commands can be used to verify the CFM configuration:

Command: Router# show ethernet cfm maintenance-points local [mep | mip] [interface interface-name | domain domain-name | level {0 to 7}]
Purpose: Displays the local maintenance points configured on the device. The output can be filtered as follows:
• Displays all maintenance points independent of domain or interface.
• Displays all maintenance points on a particular interface independent of domain.
• Displays all maintenance points on a particular interface belonging to a given domain.
• Displays all maintenance points belonging to a given domain independent of interface.
The display may also be restricted to either MEPs or MIPs.
• domain-name (optional): A string of maximum length 256 characters.

The show ethernet cfm maintenance-points local command displays the local maintenance points that are configured:

Router# show ethernet cfm maintenance-points local
MPID DomainName            Level Type   VLAN Port     CC-Status MAC
1522 DOMAIN_PROVIDER_L5_1  5     MEP I  2    Et2/0.1  Enabled   aabb.cc00.0100
1502 DOMAIN_PROVIDER_L5_1  5     MEP O  2    Et0/0.1  Enabled   aabb.cc00.0100
1523 DOMAIN_PROVIDER_L5_1  5     MEP O  3    Et2/0.2  Enabled   aabb.cc00.0100
1503 DOMAIN_PROVIDER_L5_1  5     MEP I  3    Et0/0.2  Enabled   aabb.cc00.0100
1302 DOMAIN_OPERATOR_L3_1  3     MEP I  2    Et0/0.1  Enabled   aabb.cc00.0100
1303 DOMAIN_OPERATOR_L3_1  3     MEP I  3    Et0/0.2  Enabled   aabb.cc00.0100

Level Type Port     MAC
7     MIP  Et2/0.2  aabb.cc00.0100
7     MIP  Et2/0.1  aabb.cc00.0100
7     MIP  Et0/0.2  aabb.cc00.0100
7     MIP  Et0/0.1  aabb.cc00.0100

Command: Router# ping ethernet {domain domain-name | level {0 to 7}} vlan vlan-id [source mpid]
Purpose: Sends Ethernet CFM loopback messages to the destination MAC address.
• mac-address: MAC address of the remote maintenance point, in the format abcd.abcd.abcd.
• domain-name: A string of maximum length 256 characters.
• vlan-id: An integer from 1 to 4095.

The ping ethernet command sends loopback messages to the destination MAC address and shows the result:

Router# ping ethernet
Sending 5, 100-byte Ethernet CFM Echoes to , timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Command: Router# show ethernet cfm statistics mpid mpid
Purpose: Displays the CFM statistics.
Note: The mpid is an integer value between 1 and 8191.

The show ethernet cfm statistics command displays the CFM counters for an MPID:

Router-c7606# show ethernet cfm statistics
MPID: 100
Last clearing of counters: 00:00:10
CCMs:
  Transmitted: 10        Rcvd Seq Errors: 0
LTRs:
  Unexpected Rcvd: 0
LBRs:
  Transmitted: 5         Rcvd Seq Errors: 0
  Rcvd In Order: 10      Rcvd Bad MSDU: 0

Debugging the Ethernet CFM Configuration

Use the following commands to debug the Ethernet CFM configuration:

Command: Router# debug ethernet cfm events domain domain-name | vlan vlan-id | evc evc-name
Purpose: Enables Ethernet CFM event debugging and provides the capability to filter debug messages by:
• maintenance domain, or
• VLAN, or
• a combination of maintenance domain and VLAN, or
• EVC

Command: Router# debug ethernet cfm errors
Purpose: Enables Ethernet CFM error debugging.
Command: Router# debug ethernet-cfm packets domain domain-name vlan vlan-id | evc evc-name
Purpose: Enables Ethernet CFM message debugging and provides the capability to filter debug messages by:
  • Maintenance Domain, or
  • VLAN, or
  • Combination of Maintenance Domain and VLAN, or
  • EVC

Command: Router# debug ethernet cfm all domain domain-name vlan vlan-id | evc evc-name
Purpose: Enables all Ethernet CFM debug commands and provides the capability to filter debug messages by:
  • Maintenance Domain, or
  • VLAN, or
  • Combination of Maintenance Domain and VLAN, or
  • EVC

Command: Router# debug ethernet cfm diagnostic events | packets cc | filter | lb | lt
Purpose: Enables Ethernet CFM diagnostic debugging. These debugging messages may or may not be tied to a particular service instance, or they may be low-level platform-specific messages. Packet diagnostics are further broken down into the following debugs:
  • cc—Continuity Check
  • filter—MIP and MEP filtering
  • lb—Loopback
  • lt—Linktrace

Troubleshooting CFM Features

Table 12-3 provides troubleshooting solutions for the CFM features.

Table 12-3 Troubleshooting Scenarios

Problem: When you configure CFM, the message "Match registers are not available" is displayed.
Solution: Use the show platform mrm info command on the SP console to verify the match registers. Based on the output, perform these tasks:
  1. Check the hardware limitations on the affected ports.
  2. Enable CFM across the system to allow coexistence with other protocols.
  3. Ensure that no CFM traffic is present on any supervisor or ports.
  4. Configure the STP mode to Multiple Spanning Tree (MST) and re-enable CFM, or disable CFM completely.
  For more information on match registers, see Ethernet Connectivity Fault Management at http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html. CFM uses two match registers to identify the control packet type, and each VLAN spanning tree also uses a match register to identify its control packet type. For both protocols to work on the same system, each line card should support three match registers, at least one of which supports only a 44-bit MAC match.

Problem: CFM configuration errors.
Solution: A CFM configuration error occurs when a MEP receives a continuity check with an overlapping MPID. To verify the source of the error, use the show ethernet cfm errors configuration or show ethernet cfm errors command.

Problem: The CFM ping and traceroute result is "not found".
Solution: Complete these steps:
  1. Use show run ethernet cfm to view all CFM global configurations.
  2. Use show ethernet cfm location main to view local MEPs and their CCM statistics.
  3. Use show ethernet cfm peer meps to view CFM CCMs received from peer MEPs.
  4. Use trace ethernet cfm to start a CFM trace.

Problem: CFM connectivity is down, and there are issues at the maintenance domain levels.
Solution: Use the ping ethernet {mac-address | mpid id | multicast} domain domain-name {vlan vlan-id | port | evc evc-name} or traceroute ethernet {mac-address | mpid id} domain domain-name {vlan vlan-id | port | evc evc-name} command to verify Ethernet CFM connectivity. Share the output with TAC for further investigation.

Problem: Loop trap error.
Solution: Use the show ethernet cfm error command to check for Loop Trap errors, as shown here:

CE(config-if)#do sh ethernet cfm err
-------------------------------------------------------------------------------
Level  Vlan  MPID  Remote MAC       Reason           Service ID
-------------------------------------------------------------------------------
5      711   550   1001.1001.1001   Loop Trap Error  OUT

PE#sh ethernet cfm err
-------------------------------------------------------------------------------
Level  Vlan  MPID  Remote MAC       Reason           Service ID
-------------------------------------------------------------------------------
5      711   550   1001.1001.1001   Loop Trap Error  OUT

Problem: Module has insufficient match registers.
Solution: Complete these steps:
  1. Verify and confirm whether an unsupported line card is inserted into the router.
  2. If yes, perform an OIR to remove the unsupported line card.

Problem: CFM is deactivated.
Solution: Complete these steps:
  1. Check whether all the line cards have free match registers.
  2. Check whether CFM is activated on the supervisor cards. CFM is not supported on supervisor cards that have two match registers. In this scenario, CFM is automatically disabled on the SUP ports and enabled on the rest of the line cards.

Configuring Ethernet Operations, Administration, and Maintenance

The Gigabit Ethernet SPAs support OAM as defined by IEEE 802.3ah, Ethernet in the First Mile. IEEE 802.3ah operates on a single point-to-point link between two devices using slow protocol packets called OAM protocol data units (OAMPDUs) that are never forwarded. IEEE 802.3ah defines five functional areas, of which the Gigabit Ethernet SPAs on the Cisco 7600 series router support the following three:
• OAM discovery—Supports identification of OAM support and capabilities on a peer device.
• Link monitoring—Provides event notification and link information. It also supports polling and response (but not writing) of the 802.3ah MIB.
• Remote failure indication—Supports informing a peer device that the receive path is down. This requires support of unidirectional operation on the link.

Ethernet OAM Configuration Guidelines

When configuring Ethernet OAM on the SPAs, consider the following guidelines:
• See Table 12-4 for information about where the OAM features for SPA interfaces are supported.
• On Gigabit Ethernet links, the unidirectional fault signaling support in OAM and the autonegotiation capabilities of Gigabit Ethernet (IEEE 802.3z) are mutually exclusive. You must disable autonegotiation for OAM fault signaling to be sent over unidirectional links.
• Ethernet OAM requires point-to-point links where OAMPDUs are created and terminated.
• When configuring Ethernet OAM interface modes, consider the following guidelines:
  – At least one of the peer interfaces must be in active mode.
  – The peer interfaces can either both be in active mode, or one can be in active mode and the other in passive mode.
  – You can change Ethernet OAM modes without disabling OAM.
• When using templates to configure Ethernet OAM interfaces, consider the following guidelines:
  – If you use a template to configure common or global OAM characteristics and apply it to an interface, you can override any of the configuration statements in the template by configuring the same command at the interface with a different value.
  – You can define multiple templates to create different sets of link monitoring characteristics.
  – You can apply only one template to any single Ethernet OAM interface.
Table 12-4 provides information about where the OAM features for SPA interfaces are supported.

Ethernet OAM Configuration Tasks

The following sections describe the Ethernet OAM configuration tasks:
• Enabling OAM on an Interface, page 12-62 (required)
• Enabling and Disabling a Link Monitoring Session, page 12-64 (optional)
• Starting and Stopping Link Monitoring Operation, page 12-64 (optional)
• Configuring Link Monitoring Options, page 12-65 (optional)
• Configuring Remote Failure Indication Actions, page 12-72 (optional)
• Configuring Global Ethernet OAM Options Using a Template, page 12-73 (optional)
• Verifying Ethernet OAM Configuration, page 12-74

Table 12-4 Ethernet OAM Feature Compatibility by SIP and SPA Combination

Feature: OAM discovery; Link monitoring; Remote failure indication (Dying Gasp only)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA: 2-Port Gigabit Ethernet SPA
  Cisco 7600 SIP-600: In Cisco IOS Release 12.2(33)SRA: 1-Port 10-Gigabit Ethernet SPA, 5-Port Gigabit Ethernet SPA, 10-Port Gigabit Ethernet SPA

Feature: Remote loopback
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Feature: MIB variable retrieval
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Enabling OAM on an Interface

OAM is disabled on an interface by default. When you enable OAM on an interface, the interface automatically advertises to the remote peer that it supports link monitoring during OAM discovery. Link monitoring support must be agreed upon by the peer interfaces for monitoring to operate across the link. Once link monitoring support is agreed between the peer interfaces, the interface starts the link monitoring operation, sends Event OAMPDUs when errors occur locally, and interprets Event OAMPDUs received from the remote peer.
You do not need to explicitly configure link monitoring support, or start the link monitoring operation on the link, unless you have previously disabled monitoring support or operation on the interface.

To enable OAM features on a Gigabit Ethernet interface, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface type slot/subslot/port
Purpose: Specifies the Ethernet SPA interface, where:
  • type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
  • slot/subslot/port—Specifies the location of the interface. See the "Specifying the Interface Address on a SPA" section on page 12-4.
  Note: Ethernet OAM can be defined on a main Gigabit Ethernet interface only—not on subinterfaces.

Step 2
Command: Router(config-if)# ethernet oam [max-rate oampdus | min-rate num-seconds | mode {active | passive} | timeout seconds]
Purpose: Enables OAM on a Gigabit Ethernet interface, where:
  • max-rate oampdus—(Optional) Specifies the maximum number of OAMPDUs that can be sent per second, as an integer in the range of 1 to 10. The default is 10.
  • min-rate num-seconds—(Optional) Specifies the number of seconds (in the range 1–10) during which at least one OAMPDU must be sent. The default is 1 second.
  • mode {active | passive}—(Optional) Specifies the client mode for OAM discovery and link negotiation, where:
    – active—Specifies that the interface initiates OAMPDUs for protocol negotiation as soon as the interface becomes active. This is the default. At least one of the OAM peers must be configured in active mode.
    – passive—Specifies that the interface waits in a listening mode to receive an incoming OAMPDU for protocol negotiation from a peer. The passive interface begins sending OAMPDUs once it receives OAMPDUs from the peer.
    Note: If you configure an interface in passive mode, then you must be sure that the peer is in active mode for successful OAM operation.
  • timeout seconds—(Optional) Specifies the amount of time, in seconds (in the range 2–30), after which a device declares its OAM peer to be nonoperational and resets its state machine. The default is 5 seconds.

Enabling and Disabling a Link Monitoring Session

The OAM peer interfaces must establish a link monitoring session before the actual operation of link monitoring can begin. If you have enabled OAM on the interface, and have not explicitly disabled link monitoring support on the interface, then you do not need to explicitly configure link monitoring support on the interface to establish a session. The ethernet oam link-monitor supported command automatically runs in the background when you configure the ethernet oam interface configuration command. Be sure that at least one of the Ethernet OAM peers is configured for active mode so that a session can be established.

To explicitly configure and enable a link monitoring session on an interface, use the following command in interface configuration mode:

Command: Router(config-if)# ethernet oam link-monitor supported
Purpose: Enables link monitoring support on an Ethernet OAM interface.

To disable a link monitoring session on an interface, use the following command in interface configuration mode:

Command: Router(config-if)# no ethernet oam link-monitor supported
Purpose: Disables link monitoring support on an Ethernet OAM interface.

Starting and Stopping Link Monitoring Operation

If a link monitoring session is established between the Ethernet OAM peer interfaces, then sending and receiving of Event Notification OAMPDUs can begin between the peers. This link monitoring operation across the link starts automatically when you enable OAM on the interface. The ethernet oam link-monitor on command automatically runs in the background when you configure the ethernet oam interface configuration command.

You can stop and restart the operation of link monitoring (that is, the sending and receiving of Event Notification OAMPDUs on a link). Stopping link monitoring operation is not the same thing as disabling link monitoring support. When you stop link monitoring operation, the interface is still configured to support link monitoring with its peer, but it is not actively sending and receiving Event Notification OAMPDUs.

To explicitly configure and start link monitoring operation on an interface, use the following command in interface configuration mode:

Command: Router(config-if)# ethernet oam link-monitor on
Purpose: Starts link monitoring on an Ethernet OAM interface.

To stop link monitoring operation on an interface, use the following command in interface configuration mode:

Command: Router(config-if)# no ethernet oam link-monitor on
Purpose: Stops link monitoring on an Ethernet OAM interface.

Configuring Link Monitoring Options

When OAM link monitoring is active, Event Notification OAMPDUs are sent to a remote OAM client when errors are detected locally. You can configure certain windows and thresholds to define when these error event notifications are triggered. If you do not modify the link monitoring options, default values are used for the window periods and low thresholds.

The Gigabit Ethernet SPAs support the following types of error events as defined by IEEE 802.3ah:
• Errored Symbol Period (errored symbols per second)—This event occurs when the number of symbol errors during a specified period exceeds a threshold. These are coding symbol errors (for example, a violation of 4B/5B coding).
• Errored Frame (errored frames per second)—This event occurs when the number of frame errors during a specified period exceeds a threshold.
• Errored Frame Period (errored frames per N frames)—This event occurs when the number of frame errors within the last N frames exceeds a threshold.
• Errored Frame Seconds Summary (errored seconds per M seconds)—This event occurs when the number of errored seconds (one-second intervals with at least one frame error) within the last M seconds exceeds a threshold.

Cisco Systems adds the following types of vendor-specific error events:
• Receive CRC (errored frames per second)—This event occurs when the number of frames received with CRC errors during a specified period exceeds a threshold.
• Transmit CRC (errored frames per second)—This event occurs when the number of frames transmitted with CRC errors during a specified period exceeds a threshold.

The link monitoring options can be configured in a global template that can be applied to one or more interfaces, and can also be explicitly configured at the interface.

Specifying Errored Symbol Period Link Monitoring Options

The errored symbol period link monitoring options include the ability to specify the number of symbols to be tracked or counted for errors, and the high and low thresholds for triggering the Errored Symbol Period Link Event.

To specify errored symbol period link monitoring options, use the following commands in interface configuration or template configuration mode:

Command: Router(config-if)# ethernet oam link-monitor symbol-period window million-symbol-units
Purpose: (Optional) Specifies the number of symbols (in the range 1–65535, as a multiple of 1 million symbols) to be included in the error counting according to the specified thresholds. The default window unit is 100, or 100 million symbols.

Command: Router(config-if)# ethernet oam link-monitor symbol-period threshold low low-symbols
Purpose: (Optional) Specifies the low errored symbol threshold as a number of symbol errors (in the range 0–65535). If the number of error symbols in the window period is equal to or greater than low-symbols, then the Errored Symbol Period Link Event is generated. The default low threshold is 0 symbols.

Command: Router(config-if)# ethernet oam link-monitor symbol-period threshold high {none | high-symbols}
Purpose: (Optional) Specifies the high errored symbol threshold as a number of error symbols (in the range 1–65535). If the number of error symbols in the window period is equal to or greater than high-symbols, then a user-defined action is triggered. There is no default for the high threshold, so you must explicitly configure a value to enable it. For more information about configuring a user-defined action, see the "Specifying a High Threshold Action" section on page 12-71.

Specifying Errored Frame Link Monitoring Options

The errored frame link monitoring options include the ability to specify a period of time during which frame errors are tracked or counted, and the high and low thresholds for triggering the Errored Frame Link Event. The Gigabit Ethernet SPAs on the Cisco 7600 series router count general frame errors, such as CRC errors and corrupted packets, as errored frames.

To specify errored frame link monitoring options, use the following commands in interface configuration or template configuration mode:

Command: Router(config-if)# ethernet oam link-monitor frame window 100-millisecond-units
Purpose: (Optional) Specifies a period of time (in the range 10–600, as a multiple of 100 milliseconds) during which error counting occurs according to the specified thresholds. The default window unit is 10, or 1000 milliseconds.

Command: Router(config-if)# ethernet oam link-monitor frame threshold low low-frames
Purpose: (Optional) Specifies the low error frame threshold as a number of frames (in the range 0–65535). If the number of error frames in the window period is equal to or greater than low-frames, then the Errored Frame Link Event is generated. The default low threshold is 0 frame errors.

Command: Router(config-if)# ethernet oam link-monitor frame threshold high {none | high-frames}
Purpose: (Optional) Specifies the high error frame threshold as a number of error frames (in the range 1–65535). If the number of error frames in the window period is equal to or greater than high-frames, then a user-defined action is triggered. There is no default for the high threshold, so you must explicitly configure a value to enable it. Use the none keyword to disable the high threshold. For more information about configuring a user-defined action, see the "Specifying a High Threshold Action" section on page 12-71.

Specifying Errored Frame Period Link Monitoring Options

The errored frame period link monitoring options include the ability to specify the number of frames to be tracked or counted for errors, and the high and low thresholds for triggering the Errored Frame Period Link Event. The Gigabit Ethernet SPAs on the Cisco 7600 series router count general frame errors, such as CRC errors and corrupted packets, as errored frames.

To specify errored frame period link monitoring options, use the following commands in interface configuration or template configuration mode:

Command: Router(config-if)# ethernet oam link-monitor frame-period window 10000-frame-units
Purpose: (Optional) Specifies the number of frames (in the range 1000–65535, as a multiple of 10000 frames) to be included in the error counting according to the specified thresholds. The default window unit is 1000, or 10000000 frames.

Command: Router(config-if)# ethernet oam link-monitor frame-period threshold low low-frames
Purpose: (Optional) Specifies the low error frame threshold as a number of frames (in the range 0–65535). If the number of error frames in the window period is equal to or greater than low-frames, then the Errored Frame Period Link Event is generated. The default low threshold is 0 frame errors.

Command: Router(config-if)# ethernet oam link-monitor frame-period threshold high {none | high-frames}
Purpose: (Optional) Specifies the high error frame threshold as a number of frames (in the range 1–65535). If the number of error frames in the window period is equal to or greater than high-frames, a user-defined action is triggered. There is no default for the high threshold, so you must explicitly configure a value to enable it. Use the none keyword to disable the high threshold. For more information about configuring a user-defined action, see the "Specifying a High Threshold Action" section on page 12-71.

Specifying Errored Frame Seconds Summary Link Monitoring Options

The errored frame seconds summary link monitoring options include the ability to specify a period of time during which tracking of a number of errored-seconds periods (one-second intervals with at least one frame error) occurs, and the high and low thresholds for triggering the Errored Frame Seconds Summary Link Event.

To specify errored frame seconds summary link monitoring options, use the following commands in interface configuration or template configuration mode:

Command: Router(config-if)# ethernet oam link-monitor frame-seconds window 100-millisecond-units
Purpose: (Optional) Specifies a period of time (in the range 100–9000, as a multiple of 100 milliseconds) during which tracking of an errored-seconds period occurs according to the specified thresholds. The default window unit is 100, or 10000 milliseconds.

Command: Router(config-if)# ethernet oam link-monitor frame-seconds threshold low low-errored-seconds
Purpose: (Optional) Specifies the low errored seconds threshold as a number of errored seconds (in the range 0–900). If the number of errored seconds in the window period is equal to or greater than low-errored-seconds, then the Errored Frame Seconds Summary Link Event is generated. The default low threshold is 0 errored seconds.

Command: Router(config-if)# ethernet oam link-monitor frame-seconds threshold high {none | high-errored-seconds}
Purpose: (Optional) Specifies the high errored seconds threshold as a number of errored seconds (in the range 1–900). If the number of errored seconds in the window period is equal to or greater than high-errored-seconds, then a user-defined action is triggered. There is no default for the high threshold, so you must explicitly configure a value to enable it. Use the none keyword to disable the high threshold. For more information about configuring a user-defined action, see the "Specifying a High Threshold Action" section on page 12-71.

Specifying Receive CRC Link Monitoring Options

The receive CRC link monitoring options include the ability to specify a period of time during which tracking of frames received with CRC errors occurs, and the high and low thresholds for triggering the error. Receive CRC link monitoring is a Cisco-specific implementation and is only locally significant to the Ethernet OAM interface on the Cisco 7600 series router.

To specify receive CRC link monitoring options, use the following commands in interface configuration or template configuration mode:

Command: Router(config-if)# ethernet oam link-monitor receive-crc window 100-millisecond-units
Purpose: (Optional) Specifies a period of time (in the range 10–1800, as a multiple of 100 milliseconds) during which tracking of frames received with CRC errors occurs according to the specified thresholds. The default window unit is 10, or 1000 milliseconds.

Command: Router(config-if)# ethernet oam link-monitor receive-crc threshold low low-frames
Purpose: (Optional) Specifies the low CRC threshold as a number of frames (in the range 0–65535). If the number of frames received with CRC errors in the window period is equal to or greater than low-frames, then the Receive CRC error is generated. The default low threshold is 1 frame.

Command: Router(config-if)# ethernet oam link-monitor receive-crc threshold high {none | high-frames}
Purpose: (Optional) Specifies the high CRC threshold as a number of frames (in the range 1–65535). If the number of frames received with CRC errors in the window period is equal to or greater than high-frames, a user-defined action is triggered. There is no default for the high threshold, so you must explicitly configure a value to enable it. Use the none keyword to disable the high threshold. For more information about configuring a user-defined action, see the "Specifying a High Threshold Action" section on page 12-71.

Specifying Transmit CRC Link Monitoring Options

The transmit CRC link monitoring options include the ability to specify a period of time during which tracking of frames transmitted with CRC errors occurs, and the high and low thresholds for triggering the error. Transmit CRC link monitoring is a Cisco-specific error event and is only locally significant to the Ethernet OAM interface on the Cisco 7600 series router.

To specify transmit CRC link monitoring options, use the following commands in interface configuration or template configuration mode:

Command: Router(config-if)# ethernet oam link-monitor transmit-crc window 100-millisecond-units
Purpose: (Optional) Specifies a period of time (in the range 10–1800, as a multiple of 100 milliseconds) during which tracking of frames transmitted with CRC errors occurs according to the specified thresholds. The default window unit is 10, or 1000 milliseconds.

Command: Router(config-if)# ethernet oam link-monitor transmit-crc threshold low low-frames
Purpose: (Optional) Specifies the low CRC threshold as a number of frames (in the range 0–65535). If the number of frames transmitted with CRC errors in the window period is equal to or greater than low-frames, then the Transmit CRC error is generated. The default low threshold is 1 frame.

Command: Router(config-if)# ethernet oam link-monitor transmit-crc threshold high {none | high-frames}
Purpose: (Optional) Specifies the high CRC threshold as a number of frames (in the range 1–65535). If the number of frames transmitted with CRC errors in the window period is equal to or greater than high-frames, a user-defined action is triggered. There is no default for the high threshold, so you must explicitly configure a value to enable it. Use the none keyword to disable the high threshold. For more information about configuring a user-defined action, see the "Specifying a High Threshold Action" section on page 12-71.

Specifying a High Threshold Action

When you configure high thresholds for OAM link monitoring, you can specify an action to be taken when the high threshold is exceeded. When configuring high threshold actions, consider the following guidelines:
• There is no default action.
• If you configure a high threshold but do not configure any corresponding action, only a message appears in the syslog and no other action is taken on the interface.
• If you want to associate different high threshold actions with different kinds of link monitoring functions, you can use configuration templates. However, only one configuration template can be applied to any Ethernet OAM interface.
• Only one high threshold action can be configured for any Ethernet OAM interface.
To configure an action when a high threshold for an error is exceeded on an Ethernet OAM interface, use the following command in interface configuration or template configuration mode:

Command: Router(config-if)# ethernet oam link-monitor high-threshold action {error-disable-interface | failover}
Purpose: (Optional) Configures the action when a high threshold error is exceeded, where:
  • error-disable-interface—Shuts down the Ethernet OAM interface.
  • failover—(EtherChannel interface only) Configures the interface for an automatic failover of traffic from one port in an EtherChannel to another port in the same EtherChannel when one of the ports in the channel exceeds the high error threshold within the specified interval. The port failover occurs only if there is at least one operational port available in the EtherChannel. The failed port is put into an error disable state. If the failed port is the last port in the EtherChannel, the port is not put into an error disable state and continues to pass traffic regardless of the type of errors being received. Single, nonchanneling ports go into the error disable state when the error threshold is exceeded within the specified interval.

Configuring Remote Failure Indication Actions

When an RFI event occurs locally, the local client sends an Information OAMPDU to its peer with a bit set that indicates the type of failure. The Gigabit Ethernet SPAs on the Cisco 7600 series router process all of the following types of Remote Failure Indication (RFI) conditions as defined by IEEE 802.3ah:
• Critical Event—This type of RFI is sent when an unspecified critical event has occurred. These events are vendor specific, and the failure indication might be sent immediately and continuously.
• Dying Gasp—This type of RFI is sent when an unrecoverable condition (for example, a power failure) has occurred. The conditions for a dying gasp RFI are vendor specific, and the failure indication might be sent immediately and continuously. The Gigabit Ethernet SPAs on the Cisco 7600 series router generate a Dying Gasp RFI when an interface is error-disabled or administratively shut down. This is the only type of RFI that the Gigabit Ethernet SPAs on the Cisco 7600 series router generate.
• Link Fault—This type of RFI is sent when a loss of signal is detected by the receiver (for example, a peer's laser is malfunctioning). A link fault is sent once per second in the Information OAMPDU. The link fault RFI applies only when the physical sublayer is capable of independent transmit and receive.

When the Gigabit Ethernet SPAs receive an OAMPDU with an RFI bit set, a syslog message is created providing the failure reason, as shown in the following example:

%ETHERNET_OAM-SP-6-RFI: The client on interface Gi1/1 has received a remote failure indication from its remote peer (failure reason = remote client administratively turned off)

You can configure a response, or action, by the local client to shut down the OAM interface when it receives Information OAMPDUs with a Dying Gasp RFI bit set.

To configure an error disable action for the local Ethernet OAM interface, use the following command in interface configuration or template configuration mode:

Command: Router(config-if)# ethernet oam remote-failure dying-gasp action error-disable-interface
Purpose: (Optional) Specifies that the local Ethernet OAM interface is shut down upon receipt of an Information OAMPDU from its peer that indicates a Dying Gasp.

Configuring Global Ethernet OAM Options Using a Template

Create configuration templates when you have a common set of link-monitoring or remote-failure characteristics that you want to apply to multiple Ethernet OAM interfaces. This streamlines Ethernet OAM interface configuration. Although you can configure multiple configuration templates, only one template can be associated with any single Ethernet OAM interface. You can override any command defined within a template by explicitly configuring the same command (that is predefined by the template) in interface configuration mode.

To configure global Ethernet OAM interface options using a template, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# template template-name
Purpose: Creates or selects a template and enters template configuration mode, where template-name is a string of up to 32 characters defining the name of the template.

Step 2
Command: Router(config-template)# ethernet oam link-monitor command
         or
         Router(config-template)# ethernet oam remote-failure command
Purpose: Specifies one or more ethernet oam configuration commands. Repeat this step for the number of commands that you want to configure. For information about link monitoring commands, see the "Configuring Link Monitoring Options" section on page 12-65.

Step 3
Command: Router(config-template)# exit
Purpose: Exits template configuration mode and returns to global configuration mode.

Step 4
Command: Router(config)# interface type slot/subslot/port
Purpose: Specifies the Ethernet SPA interface, where:
  • type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
  • slot/subslot/port—Specifies the location of the interface. See the "Specifying the Interface Address on a SPA" section on page 12-4.
  Note: Ethernet OAM can be defined on a main Gigabit Ethernet interface only—not on subinterfaces.

Step 5
Command: Router(config-if)# source template template-name
Purpose: Attaches the template called template-name and applies the set of configuration commands defined by the named template to the specified interface.

Verifying Ethernet OAM Configuration

To verify the Ethernet OAM configuration, use the following commands in privileged EXEC mode:

Command: Router# show ethernet oam discovery [interface type slot/subslot/port]
Purpose: Displays information about OAM functions negotiated during the OAM discovery phase of establishing an OAM session, where:
  • type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
  • slot/subslot/port—Specifies the location of the interface. See the "Specifying the Interface Address on a SPA" section on page 12-4.

Command: Router# show ethernet oam statistics [interface type slot/subslot/port]
Purpose: Displays statistics for Information OAMPDUs and local and remote faults, where:
  • type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
  • slot/subslot/port—Specifies the location of the interface. See the "Specifying the Interface Address on a SPA" section on page 12-4.

Command: Router# show ethernet oam status [interface type slot/subslot/port]
Purpose: Displays information about link monitoring configuration and status on the local OAM client, where:
  • type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.

This section includes the following topics:
• Verifying an OAM Session, page 12-75
• Verifying OAM Discovery Status, page 12-75
• Verifying Information OAMPDU and Fault Statistics, page 12-76
• Verifying Link Monitoring Configuration and Status, page 12-77

Verifying an OAM Session

To verify an OAM session, use the show ethernet oam summary command. The following example shows that the local OAM client is established on the second Gigabit Ethernet SPA interface (1) located in subslot 1 of the SIP installed in chassis slot 6 of the Cisco 7600 series router (Gi6/1/1). The local client interface is in session with a remote client with MAC address 0012.7fa6.a700 and organizationally unique identifier (OUI) 00000C, which is the OUI for Cisco Systems. The remote client is in active mode, and has established capabilities for link monitoring and remote loopback for the OAM session.

Router# show ethernet oam summary
Symbols: * - Master Loopback State, # - Slave Loopback State
Capability codes: L - Link Monitor, R - Remote Loopback
                  U - Unidirection, V - Variable Retrieval
  Local                 Remote
  Interface   MAC Address      OUI     Mode    Capability
  Gi6/1/1     0012.7fa6.a700   00000C  active  L R

Verifying OAM Discovery Status

To verify OAM Discovery status on the local client and remote peer, use the show ethernet oam discovery command as shown in the following example:

Router# show ethernet oam discovery interface gigabitethernet6/1/1
GigabitEthernet6/1/1
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 12-4 Router# show ethernet oam summary Displays information about the OAM session with the remote OAM client, where: • type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet. • slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 12-4 Command Purpose12-76 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Configuration Tasks Local client ------------ Administrative configurations: Mode: active Unidirection: not supported Link monitor: supported (on) Remote loopback: not supported MIB retrieval: not supported Mtu size: 1500 Operational status: Port status: operational Loopback status: no loopback PDU permission: any PDU revision: 1 Remote client ------------- MAC address: 0030.96fd.6bfa Vendor(oui): 0x00 0x00 0x0C (cisco) Administrative configurations: Mode: active Unidirection: not supported Link monitor: supported Remote loopback: not supported MIB retrieval: not supported Mtu size: 1500 Verifying Information OAMPDU and Fault Statistics To verify statistics for information OAMPDUs and local and remote faults, use the show ethernet oam statistics command as shown in the following example: Router# show ethernet oam statistics interface gigabitethernet6/1/1 GigabitEthernet6/1/1 Counters: --------- Information OAMPDU Tx : 588806 Information OAMPDU Rx : 988 Unique Event Notification OAMPDU Tx : 0 Unique Event Notification OAMPDU Rx : 0 Duplicate Event Notification OAMPDU TX : 0 Duplicate Event Notification OAMPDU RX : 0 Loopback Control OAMPDU Tx : 1 Loopback Control OAMPDU Rx : 0 Variable Request OAMPDU Tx : 0 Variable Request OAMPDU Rx : 0 Variable Response OAMPDU Tx : 0 Variable Response OAMPDU Rx : 0 Cisco OAMPDU Tx : 4 Cisco 
OAMPDU Rx : 0 Unsupported OAMPDU Tx : 0 Unsupported OAMPDU Rx : 0 Frames Lost due to OAM : 0 Local Faults: ------------- 0 Link Fault records 2 Dying Gasp records Total dying gasps : 4 Time stamp : 00:30:3912-77 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Configuration Tasks Total dying gasps : 3 Time stamp : 00:32:39 0 Critical Event records Remote Faults: -------------- 0 Link Fault records 0 Dying Gasp records 0 Critical Event records Local event logs: ----------------- 0 Errored Symbol Period records 0 Errored Frame records 0 Errored Frame Period records 0 Errored Frame Second records Remote event logs: ------------------ 0 Errored Symbol Period records 0 Errored Frame records 0 Errored Frame Period records 0 Errored Frame Second records Verifying Link Monitoring Configuration and Status To verify link monitoring configuration and status on the local client, use the show ethernet oam status command. The highlighted “Status” field in the following example shows that link monitoring status is supported and enabled (on). 
Router# show ethernet oam status interface gigabitethernet6/1/1 GigabitEthernet6/1/1 General ------- Mode: active PDU max rate: 10 packets per second PDU min rate: 1 packet per 1 second Link timeout: 5 seconds High threshold action: no action Link Monitoring --------------- Status: supported (on) Symbol Period Error Window: 1 million symbols Low threshold: 1 error symbol(s) High threshold: none Frame Error Window: 10 x 100 milliseconds Low threshold: 1 error frame(s) High threshold: none Frame Period Error Window: 1 x 100,000 frames Low threshold: 1 error frame(s) High threshold: none Frame Seconds Error Window: 600 x 100 milliseconds Low threshold: 1 error second(s) High threshold: none12-78 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Configuration Tasks Verifying Status of the Remote OAM Client To verify the status of a remote OAM client, use the show ethernet oam summary and show ethernet oam status commands. To verify the remote client mode and capabilities for the OAM session, use the show ethernet oam summary command and observe the values in the Mode and Capability fields. The following example shows that the local client (local interface Gi6/1/1) is connected to the remote client Router# show ethernet oam summary Symbols: * - Master Loopback State, # - Slave Loopback State Capability codes: L - Link Monitor, R - Remote Loopback U - Unidirection, V - Variable Retrieval Local Remote Interface MAC Address OUI Mode Capability Gi6/1/1 0012.7fa6.a700 00000C active L R Configuring IP Subscriber Awareness over Ethernet Container interfaces are used to apply hardware specific features like Security Access Control List (ACL) and Policy Based Routing (PBR) which then can be inherited to all IP session interfaces attached to a container interface. 
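Returning briefly to the Ethernet OAM verification commands above: the fault records in the show ethernet oam statistics output and the %ETHERNET_OAM-SP-6-RFI syslog message are the two places a defender sees a peer's Dying Gasp or other remote failure, and they are easy to miss by eye in long output. The following is an added example, not code from the guide or from Cisco, that parses both into a short findings list. The sample statistics output and the syslog line are constructed here to match the formats shown above (the statistics sample is abridged); the function and field names are mine.

```python
"""Added example: extract Ethernet OAM fault indications from IOS output."""
import re
from dataclasses import dataclass, field

# Constructed sample: the RFI syslog format shown in the guide.
SAMPLE_SYSLOG = (
    "%ETHERNET_OAM-SP-6-RFI: The client on interface Gi1/1 has received a "
    "remote failure indication from its remote peer "
    "(failure reason = remote client administratively turned off)"
)

# Constructed, abridged sample modelled on 'show ethernet oam statistics'.
SAMPLE_STATS = """\
GigabitEthernet6/1/1
Counters:
---------
Information OAMPDU Tx                    : 588806
Information OAMPDU Rx                    : 988
Unique Event Notification OAMPDU Tx      : 0
Unique Event Notification OAMPDU Rx      : 0
Frames Lost due to OAM                   : 0

Local Faults:
-------------
0 Link Fault records
2 Dying Gasp records
Total dying gasps : 4     Time stamp : 00:30:39
Total dying gasps : 3     Time stamp : 00:32:39
0 Critical Event records

Remote Faults:
--------------
0 Link Fault records
0 Dying Gasp records
0 Critical Event records
"""

RFI_RE = re.compile(
    r"%ETHERNET_OAM-\S+-RFI: The client on interface (?P<intf>\S+) has received "
    r"a remote failure indication from its remote peer "
    r"\(failure reason = (?P<reason>[^)]+)\)"
)
COUNTER_RE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<val>\d+)\s*$")
RECORD_RE = re.compile(r"^(?P<n>\d+) (?P<kind>.+?) records$")


@dataclass
class OamStats:
    interface: str = ""
    counters: dict = field(default_factory=dict)   # counter name -> value
    records: dict = field(default_factory=dict)    # section -> {record kind: count}


def parse_rfi_syslog(line):
    """Return {'interface', 'reason'} for an RFI syslog line, else None."""
    m = RFI_RE.search(line)
    return None if m is None else {"interface": m.group("intf"), "reason": m.group("reason")}


def parse_oam_statistics(text):
    """Parse one interface's 'show ethernet oam statistics' output."""
    stats, section = OamStats(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:           # blank or underline rows
            continue
        if not stats.interface and re.match(r"^[A-Za-z]+Ethernet\d", line):
            stats.interface = line
            continue
        if line.endswith(":"):                        # 'Counters:', 'Local Faults:', ...
            section = line[:-1]
            continue
        rec = RECORD_RE.match(line)
        if rec:
            stats.records.setdefault(section, {})[rec.group("kind")] = int(rec.group("n"))
            continue
        if section == "Counters":
            cnt = COUNTER_RE.match(line)
            if cnt:
                stats.counters[cnt.group("name").strip()] = int(cnt.group("val"))
        # 'Total dying gasps : N  Time stamp : HH:MM:SS' detail rows are not summarised here
    return stats


def oam_findings(stats, syslog_lines=()):
    """Human-readable list of anything a NOC should look at."""
    findings = []
    for section, recs in stats.records.items():
        for kind, n in recs.items():
            if n:
                findings.append(f"{stats.interface}: {n} {kind} record(s) in {section}")
    lost = stats.counters.get("Frames Lost due to OAM", 0)
    if lost:
        findings.append(f"{stats.interface}: {lost} frames lost due to OAM")
    for line in syslog_lines:
        rfi = parse_rfi_syslog(line)
        if rfi:
            findings.append(f"{rfi['interface']}: remote failure indication ({rfi['reason']})")
    return findings


if __name__ == "__main__":
    for item in oam_findings(parse_oam_statistics(SAMPLE_STATS), [SAMPLE_SYSLOG]):
        print(item)
```

Feed the parser the per-interface output of show ethernet oam statistics and the syslog stream; any non-zero fault record or RFI message becomes one line of findings. A Dying Gasp from the peer is worth correlating with the remote-failure action configured above, since with the error-disable action the local interface will already have been shut down by the time the record appears.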
To form the association between a container interface and an IP session interface or subinterface, use the container command on the IP session interface or subinterface. The VRF (not required in the case of the global VRF) must be configured on both the container and the subinterface in order to associate them with the container command.

Step 1
  Command: Router(config)# interface gigabitethernet slot/subslot/port.subinterface-number access
  Purpose: Specifies the Gigabit Ethernet interface to configure, where:
    • slot/subslot—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 12-4.
    • port.subinterface-number—Specifies a secondary interface (subinterface) number.
    • access—Identifies the subscriber in the access-side network on subinterfaces.

Step 2
  Command: Router(config)# ip vrf forwarding vrf-name
  Purpose: Defines the VRF.

Step 3
  Command: Router(config-subif)# container container-number
  Purpose: Defines the virtual (container) interface. The container is allocated an internal VLAN that is shared by all the IP session interfaces tied to the container interface.

Step 4
  Command: Router(config-subif)# encapsulation dot1q vlan-id
  Purpose: Defines the encapsulation format as IEEE 802.1Q (“dot1q”), where vlan-id is the number of the VLAN (1–4095).

IP Subscriber Awareness over Ethernet Restrictions

Restrictions are imposed because the internal VLAN is shared by multiple subinterfaces. The restrictions are as follows:
• IP Subscriber Awareness over Ethernet is supported only on a Cisco 7600 SIP-400.
• Security ACLs are not supported on a per-IP-subscriber-interface basis. However, the security ACL feature is supported on a per-group basis.
• Only a single route-map policy can be applied to all subinterfaces that share the internal VLAN. If the route map is defined based on source IP address, the source IP address range should be easily definable and should not cause configuration bloat.
• Unicast Reverse Path Forwarding (uRPF) checking can be done only at the level of the internal VLAN shared by the subinterfaces, not at the subinterface level. Because of this restriction, a subscriber sharing the same internal VLAN may be able to spoof the IP address of another subscriber.
• IPv4 multicast is not supported on IP session interfaces. IPv4 multicast has no per-group functionality, because replication is always required on an interface basis and not on a group basis.

There are also some configuration restrictions for link redundancy:
• There is no mechanism to synchronize the route installed by DHCP to multiple routers, so it is difficult to use IP unnumbered on an IP session interface. Instead, numbered IP addresses are used on the IP session interface, and DHCP assigns IP addresses to subscribers from the same subnet assigned to the IP session interface.
• An HSRP group must be configured for each IP session interface, so the Cisco 7600 series router scales to 16K HSRP groups.

Configuring a Backup Interface for Flexible UNI

The Backup Interface for Flexible UNI feature allows you to configure redundant user-to-network interface (UNI) connections for Ethernet interfaces, which provides redundancy for dual-homed devices. You can configure redundant (flexible) UNIs on a network provider-edge (N-PE) device in order to supply flexible services through redundant user provider-edge (U-PE) devices. The UNIs on the N-PEs are designated as primary and backup and have identical configurations. If the primary interface fails, the service is automatically transferred to the backup interface.

Note: The configurations on the primary and backup interfaces must be identical.

The primary interface is the interface for which you configure a backup.
During operation, the primary interface is active and the backup (secondary) interface operates in standby mode. If the primary interface goes down (due to loss of signal), the backup interface transitions to the up state and the router begins using it in place of the primary. When the primary interface comes back up, the backup interface transitions back to standby mode. While in standby mode, the backup interface is effectively down, and the router does not monitor its state or gather statistics for it.

This feature provides the following benefits:
• Supports the following Ethernet virtual circuit (EVC) features:
  – Frame matching: EVC with any supported encapsulation (dot1q, default, untagged)
  – Frame rewrite: any supported rewrite (ingress and egress with push, pop, and translate)
  – Frame forwarding: MultiPoint Bridging over Ethernet (MPB-E), xconnect, connect
  – Quality of Service (QoS) on EVC
• Supports Layer 3 (L3) termination and L3 VRF
• Supports several types of uplinks: MPLS, VPLS, and switchports

The Backup Interface for Flexible UNI feature makes use of these Ethernet components:
• Ethernet virtual circuit (EVC)—An association between two or more UNIs that identifies a point-to-point or point-to-multipoint path within the provider network. For more information about EVCs, see the description of “Flexible QinQ Mapping and Service Awareness” at the following URL: http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg.html
• Ethernet flow point (EFP)—The logical demarcation point of an EVC on an interface. An EVC that uses two or more UNIs requires an EFP on the associated ingress interface and egress interface of every device that the EVC passes through.

Configuration Guidelines

Observe these guidelines as you configure a backup interface for Flexible UNI on the router:
• Hardware and software support:
  – Supported on the Cisco 7600-ES20-2x10G and 7600-ES20-20x1G line cards.
  – Supported on the Cisco 7600 SIP-400 with Gigabit Ethernet SPAs. In an EVC configuration, version 2 SPAs are required. For IP termination, the SPAs can be version 1 or version 2.
  – Supported with the Route Switch Processor 720, Supervisor Engine 720, and Supervisor Engine 32.
  – Requires Cisco IOS Release 12.2SRB1 or later.
• You can use the same IP address on both the primary and secondary interfaces. This enables the interface to support L3 termination (single or double tagged).
• The configurations on the primary and backup interfaces must match. The router does not check that the configurations match; however, the feature does not work if the configurations are not the same.
  Note: If the configuration includes the xconnect command, you must specify a different VCID on the primary and backup interfaces.
• The duplicate resources needed for the primary and secondary interfaces are taken from the total resources available on the router and thus reduce the resources available for other uses. For example, each xconnect consumes resources on both the primary and backup interfaces.
• Local switching (connect) between primary and backup interfaces uses twice the number of physical interfaces. This limitation is due to lack of support for local switching between EVCs on the same interface.
• Any features configured on the primary and backup interfaces (such as bridge-domain, xconnect, and connect) transition up or down as the interface itself transitions between states.
• Switchover time between primary and backup interfaces is best effort. The time it takes the backup interface to transition from standby to active mode depends on the link-state detection time and the time needed for EVCs and their features to transition to the up state.
• Configuration changes and administrative actions made on the primary interface are automatically reflected on the backup interface.
• The router monitors and gathers statistics for the active interface only, not the backup. During normal operation, the primary interface is active; if the primary goes down, the backup becomes active and the router begins monitoring and gathering statistics for it.
• When the primary interface comes back up, the backup interface always transitions back to standby mode. Once the signal is restored on the primary interface, there is no way to prevent that interface from being restored as the primary.

Configuration Instructions

To configure a backup interface for a flexible UNI on an Ethernet port, perform the following steps:

Note: You must apply the same configuration to both the primary and backup interfaces or the feature does not work. To configure EVC service instances on the interfaces, use the service instance, encapsulation, rewrite, bridge-domain, and xconnect commands. For information, see the following URL: http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg.html

Step 1
  Command or Action: Router(config)# interface type slot/subslot/port
  Example: Router(config)# interface gigabitethernet3/0/0
  Purpose: Selects the primary interface, that is, the interface you are creating a backup interface for. For example, interface gigabitethernet 3/0/0 selects the interface for port 0 of the Gigabit Ethernet card installed in slot 3, subslot 0.
    • type specifies the interface type. Valid values are gigabitethernet or tengigabitethernet.
    • slot/subslot/port specifies the location of the interface.

Step 2
  Command or Action: Router(config-if)# backup interface type interface
  Example: Router(config-if)# backup interface gigabitethernet4/0/1
  Purpose: Selects the interface to serve as a backup interface.

Step 3
  Command or Action: Router(config-if)# backup delay enable-delay disable-delay
  Example: Router(config-if)# backup delay 0 0
  Purpose: (Optional) Specifies a time delay (in seconds) for enabling or disabling the backup interface.
    • enable-delay is the amount of time to wait after the primary interface goes down before bringing up the backup interface.
    • disable-delay is the amount of time to wait after the primary interface comes back up before restoring the backup interface to the standby (down) state.
  Note: For the backup interface for Flexible UNI feature, do not change the default delay period (0 0) or the feature may not work correctly.

Step 4
  Command or Action: Router(config-if)# backup load enable-percent disable-percent
  Example: Router(config-if)# backup load 50 10
  Purpose: (Optional) Specifies the thresholds of traffic load on the primary interface (as a percentage of its total capacity) at which to enable and disable the backup interface.
    • enable-percent—Activates the backup interface when the traffic load on the primary exceeds this percentage of its total capacity.
    • disable-percent—Deactivates the backup interface when the combined load of both primary and backup returns to this percentage of the primary’s capacity.
    Applying the settings from the example to a primary interface with 10-MB capacity, the router enables the backup interface when traffic load on the primary exceeds 5 Mbytes (50%), and disables the backup when combined traffic on both interfaces falls below 1 MB (10%).

Step 5
  Command or Action: Router(config-if)# exit
  Purpose: Exits interface configuration mode and returns to global configuration mode.

Step 6
  Command or Action: Router(config)# connect primary interface srv-inst interface srv-inst
                     Router(config)# connect backup interface srv-inst interface srv-inst
  Example: Router(config)# connect primary gi3/0/0 2 gi3/0/1 2
           Router(config)# connect backup gi4/0/0 2 gi4/0/1 2
  Purpose: (Optional) Creates a local connection between a single service instance (srv-inst) on two different interfaces. The connect primary command creates a connection between primary interfaces, and connect backup creates a connection between backup interfaces. In the example, a local connection is configured between service instance 2 on the primary interfaces (gi3/0/0 and gi3/0/1) and on the backup interfaces (gi4/0/0 and gi4/0/1).

Step 7
  Command or Action: Router(config)# connect primary interface srv-inst1 interface srv-inst2
                     Router(config)# connect backup interface srv-inst1 interface srv-inst2
  Example: Router(config)# connect primary gi3/0/0 2 gi3/0/0 3
           Router(config)# connect backup gi4/0/0 2 gi4/0/0 3
  Purpose: (Optional) Enables local switching between different service instances (srv-inst1 and srv-inst2) on the same port. Use connect primary to create the connection on a primary interface and connect backup to create it on a backup interface. In the example, local switching is configured between service instances 2 and 3 on both the primary (gi3/0/0) and backup (gi4/0/0) interfaces.

Step 8
  Command or Action: Router(config-if)# exit
  Purpose: Exits interface configuration mode.

The following example shows a sample configuration in which:
• gi3/0/1 is the primary interface and gi4/0/1 is the backup interface.
• Each interface supports two service instances (2 and 4), and each service instance uses a different type of forwarding (bridge-domain and xconnect).
• The xconnect command for service instance 2 uses a different VCID on each interface.

int gi3/0/1
 backup interface gi4/0/1
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.0 2 encap mpls
int gi4/0/1
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.0 5 encap mpls

Verifying the Flexible UNI Backup Interface Configuration

This section lists the commands that display information about the primary and backup interfaces configured on the router. In the examples that follow, the primary interface is gi3/0/0 and the secondary (backup) interface is gi3/0/11.

• To display a list of backup interfaces, use the show backup command in privileged EXEC mode. The sample output shows a single backup (secondary) interface:

NPE-11# show backup
Primary Interface      Secondary Interface     Status
-----------------      -------------------     ------
GigabitEthernet3/0/0   GigabitEthernet3/0/11   normal operation

• To display information about a primary or backup interface, use the show interfaces command in privileged EXEC mode. Issue the command on the interface for which you want to display information. The following examples show the output displayed when the command is issued on the primary (gi3/0/0) and backup (gi3/0/11) interfaces:

NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is up, line protocol is up (connected)
  Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
  Backup interface GigabitEthernet3/0/11, failure delay 0 sec, secondary disable delay 0 sec,
  kickin load not set, kickout load not set
[…]
NPE-11# show int gi3/0/11
GigabitEthernet3/0/11 is standby mode, line protocol is down (disabled)

If the primary interface goes down, the backup (secondary) interface transitions to the up state, as shown in the command output that follows. Notice how the output changes if you reissue the show backup and show interfaces commands at this time: the status reported by show backup changes, the line protocol for gi3/0/0 is now down (notconnect), and the line protocol for gi3/0/11 is now up (connected).

NPE-11#
!!! Link gi3/0/0 (active) goes down…
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/0/0, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/0/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/0, changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/11, changed state to up

NPE-11# show backup
Primary Interface      Secondary Interface     Status
-----------------      -------------------     ------
GigabitEthernet3/0/0   GigabitEthernet3/0/11   backup mode

NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is down, line protocol is down (notconnect)
  Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
  Backup interface GigabitEthernet3/0/11, failure delay 0 sec, secondary disable delay 0 sec,
NPE-11# show int
gi3/0/11
GigabitEthernet3/0/11 is up, line protocol is up (connected)

Troubleshooting

Table 12-5 provides troubleshooting solutions for the backup interface of the Flexible UNI feature.

Table 12-5 Troubleshooting Scenarios

Problem: The backup interface is in a standby state or the line protocol is down.
Solution: Use the show interfaces command on the specific interface in privileged EXEC mode to display interface and line protocol details. Share the output with TAC for further investigation. The following sample output shows the command issued on the primary (gi3/0/0) and backup (gi3/0/11) interfaces:

NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is up, line protocol is up (connected)
  Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
  Backup interface GigabitEthernet3/0/11, failure delay 0 sec, secondary disable delay 0 sec,
  kickin load not set, kickout load not set
[...]
NPE-11# show int gi3/0/11
GigabitEthernet3/0/11 is standby mode, line protocol is down (disabled)

Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA

The Flexible QinQ Mapping and Service Awareness on 1-Port 10-Gigabit Ethernet SPA feature allows service providers to offer triple-play services, residential Internet access from a digital subscriber line access multiplexer (DSLAM), and business Layer 2 and Layer 3 VPN by providing for termination of double-tagged dot1q frames onto a Layer 3 subinterface at the access node. The access node connects to the DSLAM through the 1-Port 10-Gigabit Ethernet SPA. This provides a flexible way to identify the customer instance by its VLAN tags and to map the customer instance to different services.

Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA is supported only through Ethernet Virtual Connection Services (EVCS) service instances. EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.

Figure 12-4 shows a typical metro architecture in which the access switch facing the DSLAM provides VLAN translation (selective QinQ) and grooming functionality and the service routers (SR) provide QinQ termination into a Layer 2 or Layer 3 service.

Figure 12-4 Typical Metro Architecture
[Figure: DSLAMs (dot1q tag imposition; 1:1 VLAN per subscriber, N:1 VLAN for video) connect over an L2 access network of L2 switches facing the DSLAM to the central office access router (selective QinQ, L3 multicast, DHCP relay), which connects through an L2/MPLS access network to the service routers (QinQ termination, L2/L3 VPN, L3 multicast) and BRAS at the edge of the IP core; a single-node POP deployment is also possible.]

Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA provides the following functionality:
• VLAN connect with local significance (VLAN local switching)
  – Single tag Ethernet local switching, where the received dot1q-tagged traffic from one port is cross-connected to another port by changing the tag. This is a 1-to-1 mapping service, and no MAC learning is involved.
  – Double tag Ethernet local switching, where the received double-tagged traffic from one port is cross-connected to another port by changing both tags. The mapping of each double tag combination to the cross-connect is 1-to-1. No MAC learning is involved.
• Selective QinQ (1-to-2 translation)
  – xconnect—Selective QinQ adds an outer tag to the received dot1q traffic and then tunnels it to the remote end with Layer 2 switching or EoMPLS.
  – Layer 2 switching—Selective QinQ adds an outer tag to the received dot1q traffic and then performs Layer 2 switching, which allows a switch virtual interface (SVI) based on the outer tag to be used for configuring additional services.
• Double tag translation (2-to-2 translation)
  – Layer 2 switching—The two received tags are popped and two new tags are pushed.
• Double tag termination (2-to-1 tag translation)
  – Ethernet MultiPoint Bridging over Ethernet (MPBE)—The incoming double tag is uniquely mapped to a single dot1q tag that is then used to do MPBE.
  – Double tag MPBE—The ingress line card uses the double tags in the ingress packet to look up the bridging VLAN. The double tags are popped, and the egress line card adds new double tags and sends the packet out.
  – Double tag routing—Same as regular dot1q tag routing, except that double tags are used to identify the hidden VLAN.
• Local VLAN significance—VLAN tags are significant only to the port.
• Scalable EoMPLS VC—Single tag packets are sent across the tunnel.
• QinQ policing and QoS
• Layer 2 protocol data unit (PDU) packets—If the Layer 2 PDUs are tagged, packets are forwarded transparently; if the Layer 2 PDUs are untagged, packets are treated per the physical port configuration.
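The single- and double-tag VLAN connect services in the list above are easiest to reason about at the byte level: an EFP matches on the outer one or two 802.1Q tags, pops them on ingress, and, because the rewrite is symmetric, pushes its own tags back on egress, with no MAC learning anywhere. The following added example, not code from the guide or from Cisco IOS, models exactly that on a constructed 802.1Q frame and runs a connect between two EFPs. Only encapsulation dot1q [second-dot1q] matching and rewrite ingress tag pop {1|2} symmetric are modelled (push and translate are not); the class and function names are mine, and the MAC addresses and payload are constructed.

```python
"""Added example: byte-level model of EFP tag matching and
'rewrite ingress tag pop N symmetric' for VLAN local switching."""
import struct

TPID_DOT1Q = 0x8100   # IEEE 802.1Q tag protocol identifier


def parse_frame(frame):
    """Return (dst, src, [vid, ...], ethertype, payload); dot1q tags only."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_DOT1Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)            # PCP/DEI bits are ignored in this model
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def build_frame(dst, src, vids, ethertype, payload):
    """Assemble an Ethernet frame with the given outer-to-inner VLAN IDs."""
    tags = b"".join(struct.pack("!HH", TPID_DOT1Q, v & 0x0FFF) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


class ServiceInstance:
    """One 'service instance N ethernet' with 'encapsulation dot1q A [second-dot1q B]'
    and 'rewrite ingress tag pop {1|2} symmetric' (hypothetical model, not IOS code)."""

    def __init__(self, sid, match_vids, pop):
        if pop > len(match_vids):
            raise ValueError("cannot pop more tags than the encapsulation matches")
        self.sid, self.match_vids, self.pop = sid, list(match_vids), pop

    def matches(self, frame):
        vids = parse_frame(frame)[2]
        return vids[:len(self.match_vids)] == self.match_vids

    def ingress(self, frame):
        """Pop the outer tags; None when the frame does not belong to this EFP."""
        if not self.matches(frame):
            return None
        dst, src, vids, et, payload = parse_frame(frame)
        return build_frame(dst, src, vids[self.pop:], et, payload)

    def egress(self, frame):
        """'symmetric': on egress push back exactly the tags this EFP pops on ingress."""
        dst, src, vids, et, payload = parse_frame(frame)
        return build_frame(dst, src, self.match_vids[:self.pop] + vids, et, payload)


def local_connect(frame, efp_in, efp_out):
    """Model 'connect NAME if1 sid1 if2 sid2': index directed, no MAC learning."""
    inner = efp_in.ingress(frame)
    return None if inner is None else efp_out.egress(inner)


# Constructed double-tagged frame: outer VLAN 10, inner VLAN 20, IPv4 placeholder payload.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
SAMPLE_FRAME = build_frame(DST, SRC, [10, 20], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    efp100 = ServiceInstance(100, [10, 20], pop=2)   # DSLAM-facing port
    efp101 = ServiceInstance(101, [11, 21], pop=2)   # L2-facing port
    out = local_connect(SAMPLE_FRAME, efp100, efp101)
    print(parse_frame(out)[2])   # [11, 21]
```

The model makes two properties of the service visible: a frame that does not match the ingress EFP's encapsulation is dropped rather than forwarded with its original tags, and the egress tags come from the egress EFP's own encapsulation, so the customer's tags never leak past the first EFP.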
Restrictions and Usage Guidelines When configuring Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA, follow these restrictions and usage guidelines: • Service Scalability: – Service Instances: 16, 000 – Input matching pairs: 8,000 – Bridge-domains: 16, 000 – Local switching: 32,000 – Xconnect:16, 000 – Subinterface: 2,000 • QoS Scalability: – Shaping: Parent queue is 2,000 and child queue is 16,000 – Marking: Parent queue is 2,000 and child queue is 16,000 • Modular QoS CLI (MQC) actions supported include: – Shaping – Bandwidth – Two priority queues per policy – The set cos command, set cos-inner command, set cos cos-inner command, and set cos-inner cos command – WRED aggregate – Queue-limit SUMMARY STEPS 1. enable 2. configure terminal 3. interface gigabitethernet slot/subslot/port[.subinterface-number] or interface tengigabitethernet slot/subslot/port[.subinterface-number] 4. [no] service instance id {Ethernet service-name} 5. encapsulation dot1q vlan-id12-88 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Configuration Tasks 6. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} [symmetric] DETAILED STEPS Command Purpose Step 1 enable Router> enable Enables privileged EXEC mode. • Enter your password if prompted. Step 2 configure terminal Router# configure terminal Enters global configuration mode. 
Step 3  interface gigabitethernet slot/subslot/port[.subinterface-number] or interface tengigabitethernet slot/subslot/port[.subinterface-number]
        Router(config)# interface gigabitethernet 4/0/0
        Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:
        • slot/subslot/port—Specifies the location of the interface.
        • subinterface-number—(Optional) Specifies a secondary interface (subinterface) number.

Step 4  [no] service instance id {Ethernet service-name}
        Router(config-if)# service instance 101 ethernet
        Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5  encapsulation dot1q vlan-id
        Router(config-if-srv)# encapsulation dot1q 13
        Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6  rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} [symmetric]
        Router(config-if-srv)# rewrite ingress tag push dot1q 20
        Specifies the tag manipulation to be performed on frames entering the service instance.

Examples

Single Tag VLAN Connect

In this example, an incoming frame with a dot1q tag of 10 enters TenGigabitEthernet1/0/1. It is index directed to TenGigabitEthernet1/0/2 and exits with a dot1q tag of 11. No MAC learning is involved.

! DSLAM facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! L2 facing port
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! connect service
Router# connect EVC1 TenGigabitEthernet1/0/1 100 TenGigabitEthernet1/0/2 101

Double Tag VLAN Connect

In this example, an incoming frame with an outer dot1q tag of 10 and an inner tag of 20 enters TenGigabitEthernet1/0/1. It is index directed to TenGigabitEthernet1/0/2 and exits with an outer dot1q tag of 11 and an inner tag of 21. No MAC learning is involved.

! DSLAM facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! L2 facing port
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11 second-dot1q 21
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! connect service
Router# connect EVC1 TenGigabitEthernet1/0/1 100 TenGigabitEthernet1/0/2 101

Selective QinQ with Connect

This configuration uses EoMPLS to perform packet forwarding. This is index directed.

!
! DSLAM facing port - single tag packet from link
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20,30,50-60
! L2/QinQ facing port - double tag packets
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11 second-dot1q any
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! connecting service instances
! QinQ outer dot1q is 11
Router# connect EVC1 TenGigabitEthernet1/0/1 100 TenGigabitEthernet1/0/2 101

Selective QinQ with Xconnect

This configuration uses EoMPLS to perform packet forwarding. This is not index directed. The configuration spans two routers: the router with Loopback1 1.1.1.1 faces the DSLAM, and the router with Loopback1 2.2.2.2 faces the CE.

! Router with Loopback1 1.1.1.1: DSLAM facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20,30,50-60
Router(config-if-srv)# xconnect 2.2.2.2 999 pw-class vlan-xconnect
!
Router(config)# interface Loopback1
Router(config-if)# ip address 1.1.1.1 255.255.255.255
! MPLS core facing port
Router(config)# interface TenGigabitEthernet2/0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp
!
! Router with Loopback1 2.2.2.2: MPLS core facing port
Router(config)# interface TenGigabitEthernet2/0/1
Router(config-if)# ip address 192.169.1.1 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp
!
Router(config)# interface Loopback1
Router(config-if)# ip address 2.2.2.2 255.255.255.255
!
! CE facing EoMPLS configuration
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 1000 second-dot1q any
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 1.1.1.1 999 pw-class vlan-xconnect

Selective QinQ with Layer 2 Switching

This configuration uses Layer 2 switching to perform packet forwarding. The forwarding mechanism is the same as for MPB-E; only the rewrites for each service instance are different.

! DSLAM facing port, single tag incoming
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 11
! QinQ VLAN
Router(config)# interface VLAN11
! QinQ facing port
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11

Double Tag Translation (2-to-2 Tag Translation)

In this case, double-tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer 2 switched to the bridge-domain VLAN.

! QinQ facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 200 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200
! QinQ VLAN
Router(config)# interface VLAN200
!
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# bridge-domain 200

Double Tag Termination (2-to-1 Tag Translation)

This example falls under the Layer 2 switching case.

! Double tag traffic
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 10
!
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
!
Router(config)# interface TenGigabitEthernet1/0/3
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10

Verification

Use the following commands to verify operation.

Command: Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
Purpose: Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC.

Command: Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
Purpose: Displays information about one or more service instances. If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, data for all service instances on the given interface is displayed.

Command: Router# show ethernet service interface [interface-id] [detail]
Purpose: Displays information in the Port Data Block (PDB).

Command: Router# show mpls l2 vc detail
Purpose: Displays detailed information related to the virtual connection (VC).

Command: Router# show mpls forwarding
Purpose: Displays the contents of the MPLS Label Forwarding Information Base (LFIB). The output should have the label entry l2ckt.

Command: Router# show platform software efp-client
Purpose: Displays service instance details.

Troubleshooting

Table 12-6 provides the troubleshooting solutions for the Flexible QinQ Mapping feature.

Table 12-6 Troubleshooting

Problem: Erroneous TCAM entries.
Solution: Use the show hw-module subslot subslot tcam command to verify the TCAM entries. Share the output with TAC for further investigation.

Problem: Incorrect virtual VLAN IDs on a QinQ subinterface.
Solution: Use the test hw-mod subslot subslot command to verify the virtual VLAN ID values on a QinQ subinterface. Share the output with TAC for further investigation.

Problem: Wrong interface configured and tag manipulation incorrectly programmed.
Solution: Use the show platform np interface detail command to verify the interface and tag details. Share the output with TAC for further investigation.

Problem: VLAN ID is incorrectly programmed.
Solution: Use the show hw-module subslot subslot tcam all_entries vlan command to verify the VLAN ID details. Share the output with TAC for further investigation.

Problem: Inner and outer start/end VLANs incorrectly programmed.
Solution: Use the show platform np efp command to verify the VLAN details. Share the output with TAC for further investigation.

Problem: Erroneous TCAM entries on the platform.
Solution: Use the show plat soft qos tcamfeature and show plat soft qos tcamt commands to verify the TCAM entries. Share the output with TAC for further investigation.

Configuring MultiPoint Bridging over Ethernet on the 1-Port 10-Gigabit Ethernet SPA

The MultiPoint Bridging over Ethernet (MPBE) on the 1-Port 10-Gigabit Ethernet SPA feature provides Ethernet LAN switching with MAC learning, local VLAN significance, and full QoS support. MPBE also provides Layer 2 switchport-like features without the full switchport implementation. MPBE is supported only through Ethernet Virtual Connection Services (EVCS) service instances.

EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.

For MPBE, an EVC packet filtering capability prevents leaking of broadcast/multicast bridge-domain traffic from one service instance to another. Filtering occurs before and after the rewrite to ensure that the packet goes only to the intended service instance.

You can use MPBE to:
• Simultaneously configure Layer 2 and Layer 3 services such as Layer 2 VPN, Layer 3 VPN, and Layer 2 bridging on the same physical port.
• Define a broadcast domain in a system. Customer instances that are part of a broadcast domain can be on the same physical port or on different ports.
• Configure multiple service instances with different encapsulations and map them to a single bridge domain.
• Perform local switching between service instances under the same bridge domain.
• Span across different physical interfaces using service instances that are part of the same bridge domain.
• Use encapsulation VLANs as locally significant (per physical port).
• Replicate flooded packets from the core to all service instances under the bridge domain.
• Configure a Layer 2 tunneling service or Layer 3 terminating service under the bridge domain VLAN.

MPBE accomplishes this by manipulating VLAN tags for each service instance and mapping the manipulated VLAN tags to Layer 2 or Layer 3 services. Possible VLAN tag manipulations include:
• Single tag termination
• Single tag tunneling
• Single tag translation
• Double tag termination
• Double tag tunneling
• Double tag translation
• Selective QinQ translation

Restrictions and Usage Guidelines

When configuring MultiPoint Bridging over Ethernet on the 1-Port 10-Gigabit Ethernet SPA, follow these restrictions and usage guidelines:
• Each service instance is considered a separate circuit under the bridge domain.
• Encapsulation can be dot1q or QinQ packets.
• 60 MPB VCs are supported under one bridge domain.
• Internet Group Management Protocol (IGMP) snooping is supported with MPB VCs.
• Split horizon is supported with MPB VCs.
• Bridge protocol data unit (BPDU) packets are either tunneled or dropped.
• For ingress policing, only the drop action and the accept action of the police command are supported. Marking is not supported as part of the policing.
• Ingress shaping is not supported.
• For ingress marking, the match vlan, match vlan-inner, match cos, match cos-inner, set cos, and set cos-inner commands are supported.
• For egress marking, the set cos and set cos-inner commands are supported; the match inner-cos and match inner-vlan commands are not supported.

SUMMARY STEPS

1. enable
2. configure terminal
3. interface gigabitethernet slot/subslot/port[.subinterface-number] or interface tengigabitethernet slot/subslot/port[.subinterface-number]
4. [no] service instance id {Ethernet service-name}
5. encapsulation dot1q vlan-id
6. [no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} [symmetric]
7. [no] bridge-domain bridge-id

DETAILED STEPS

Step 1  enable
        Router> enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.

Step 2  configure terminal
        Router# configure terminal
        Enters global configuration mode.

Step 3  interface gigabitethernet slot/subslot/port[.subinterface-number] or interface tengigabitethernet slot/subslot/port[.subinterface-number]
        Router(config)# interface gigabitethernet 4/0/0
        Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:
        • slot/subslot/port—Specifies the location of the interface.
        • subinterface-number—(Optional) Specifies a secondary interface (subinterface) number.
Step 4  [no] service instance id {Ethernet service-name}
        Router(config-if)# service instance 101 ethernet
        Creates a service instance (an instantiation of an EVC) on an interface and sets the device into the config-if-srv submode.

Step 5  encapsulation dot1q vlan-id
        Router(config-if-srv)# encapsulation dot1q 10
        Defines the matching criteria used to map ingress dot1q frames on an interface to the appropriate service instance.

Step 6  [no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}} [symmetric]
        Router(config-if-srv)# rewrite ingress tag push dot1q 200
        Specifies the tag manipulation to be performed on frames entering the service instance.
        Note: If this command is not configured, the frame is left intact on ingress (the service instance is equivalent to a trunk port).

Step 7  [no] bridge-domain bridge-id
        Router(config-if-srv)# bridge-domain 12
        Binds the service instance to a bridge domain instance, where bridge-id is the identifier for the bridge domain instance.

Examples

Single Tag Termination Example

In this example, single tag termination identifies customers based on a single VLAN tag and maps the single VLAN tag to the bridge domain.
Router(config)# interface TenGigabitEthernet1/2/0
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 12

Single Tag Tunneling Example

In this single tag tunneling example, the incoming VLAN tag is not removed but stays with the packet.

Router(config)# interface TenGigabitEthernet1/2/0
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 200

Single Tag Translation Example

In this single tag translation example, the incoming VLAN tag is removed and VLAN 200 is added to the packet.

Router(config)# interface TenGigabitEthernet3/0/0
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 1-to-1 dot1q 200 symmetric
Router(config-if-srv)# bridge-domain 200

Double Tag Termination Configuration Example

In this double tag termination example, the ingress receives double tags that identify the bridge VLAN; the double tags are stripped (terminated) from the packet.

Router(config)# interface TenGigabitEthernet2/0/0
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200

Double Tag Translation Configuration Example

In this example, double-tagged frames are received on ingress. Both tags are popped and two new tags are pushed. The packet is then Layer 2 switched to the bridge-domain VLAN.
Router(config)# interface TenGigabitEthernet1/0/0
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 40 second-dot1q 30 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 10 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200

Selective QinQ Configuration Example

In this example, a range of VLANs is configured and plugged into a single MPB VC.

Router(config)# interface TenGigabitEthernet1/0/0
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 200
Router(config)# interface TenGigabitEthernet2/0/0
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-30
Router(config-if-srv)# bridge-domain 200

Untagged Traffic Configuration Example

In this example, untagged traffic is bridged to the bridge domain and forwarded to the switchport trunk.

Router(config)# interface GigabitEthernet2/0/1
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation untagged
Router(config-if-srv)# bridge-domain 11
Router(config)# interface TenGigabitEthernet1/0/0
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11

MPBE with Split Horizon Configuration Example

In this example, unknown unicast traffic is flooded on the bridge domain except to the interface from which the traffic originated.
Router(config)# interface GigabitEthernet2/0/0
Router(config-if)# no ip address
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10-20
Router(config-if-srv)# bridge-domain 100 split-horizon
Router(config-if)# service instance 1001 ethernet
Router(config-if-srv)# encapsulation dot1q 101 second-dot1q 21-30
Router(config-if-srv)# bridge-domain 101 split-horizon
Router(config-if)# service instance 1010 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# rewrite ingress tag translate 1-to-2 dot1q 10 second-dot1q 100 symmetric
Router(config-if-srv)# bridge-domain 10 split-horizon
Router(config-if)# mls qos trust dscp

In this example, service instances are configured on Ethernet interfaces and terminated on the bridge domain.

Router(config)# interface GigabitEthernet2/0/0
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 1000
Router(config-if-srv)# bridge-domain 10
Router(config)# interface GigabitEthernet1/0/0
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 10

In this example, VPLS is configured in the core with multiple bridge domains.

!
l2 vfi vpls10 manual
 vpn id 10
 neighbor 20.0.0.2 encapsulation mpls
!
l2 vfi vpls100 manual
 vpn id 100
 neighbor 20.0.0.2 encapsulation mpls
!
l2 vfi vpls11 manual
 vpn id 11
 neighbor 20.0.0.2 encapsulation mpls
!
interface Vlan100
 mtu 9216
 no ip address
 xconnect vfi vpls100
end

Verification

Use the following commands to verify operation.
Command: Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
Purpose: Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining to all EVCs on an interface if an interface is specified. The detail option provides additional information on the EVC.

Command: Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
Purpose: Displays information about one or more service instances. If a service instance ID and interface are specified, only data pertaining to that particular service instance is displayed. If only an interface ID is specified, data for all service instances on the given interface is displayed.

Command: Router# show ethernet service interface [interface-id] [detail]
Purpose: Displays information in the Port Data Block (PDB).

Command: Router# show mpls l2 vc detail
Purpose: Displays detailed information related to the virtual connection (VC).

Command: Router# show mpls forwarding
Purpose: Displays the contents of the MPLS Label Forwarding Information Base (LFIB). The output should have the label entry l2ckt.

Command: Router# show platform software efp-client
Purpose: Displays service instance details.

Configuring QoS on Ethernet SPAs

The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For information about the QoS features supported by the Ethernet SPAs, see the “Configuring QoS Features on a SIP” section on page 4-94.

For Fast Ethernet SPAs and the 2-Port Gigabit Ethernet SPA, the following QoS behavior applies:
• In both the ingress and egress directions, all QoS features calculate packet size in the same way as the FlexWAN and Enhanced FlexWAN modules on the Cisco 7600 series router.
• Specifically, all features count the IEEE 802.3 Layer 2 headers and the Layer 3 protocol payload. The CRC, interframe gap, and preamble are not included in the packet size calculations.

Note: For Fast Ethernet SPAs, QoS settings are not adjusted automatically when the interface speed changes (for example, when an interface is changed between 100M and 10M). When the speed is changed, the user must also adjust the QoS settings accordingly.

Over-subscription on Gigabit Ethernet SPAs

Ethernet SPAs can classify incoming frames from the link into low or high priority queues. This capability is used to provide oversubscription handling for the SIP-400. It allows the SIP-400 to prioritize high-priority control traffic over lower priority traffic, providing greater connection stability during periods of oversubscription. Table 12-7 lists the classes into which incoming frames on the ingress side can be prioritized. If a packet is marked with one of the priority values listed in Table 12-7, it moves to a high priority queue; otherwise, it moves to a low priority queue.

Table 12-7 Prioritization of Incoming Frames

Priority     Usage
0 (Highest)  Intelligent SPAs: SPA IPC control traffic
1            Classified high priority traffic. This includes frames with these attributes:
             • IPv4 TOS 6,7
             • DSCP 48,56
             • MPLS EXP 6,7
             • IPv6 EF
             • 802.1p (COS) 6,7: 802.1p (COS) marking precedes all the other marking criteria. This is present only with VLAN-tagged packets.
2            Unclassified traffic
3 (Lowest)   Classified low priority traffic

Note: The Gigabit Ethernet SPAs look only at the 802.1p bits to make the classification decision if the packet is tagged; L3 bits are ignored on tagged packets.

Supported Features and Restrictions

In 12.2(33)SRB and later releases, oversubscription is supported on the SIP-400 card with certain SPA combinations. On the ingress side, oversubscription is supported on SPAs that:
• Have the capability to do packet classification, and
• Use separate SPI4 queues for different priorities.

In the Cisco IOS 12.2(33)SRB Release, oversubscription is supported only for two 2-Port Copper and Optical Gigabit Ethernet SPAs. In the Cisco IOS 12.2(33)SRC Release, support for oversubscription is extended to the 1-Port 10-Gigabit Ethernet SPA. Ingress oversubscription is supported only on Ethernet SPAs.

The Cisco IOS 12.2(33)SRC Release supports the following specific SPA combinations:
• Any combination of POS, ATM, CEoPs, and serial or channelized SPAs up to OC-48 aggregate bandwidth.
• One 2-Port Gigabit Ethernet SPA or 2-Port Copper and Optical Gigabit Ethernet SPA and up to OC-24 equivalents of POS, ATM, CEoPs, and serial or channelized SP
As.
• One 2-Port Copper and Optical Gigabit Ethernet SPA or two 2-Port 5GEv2 SPAs. (These are the ingress oversubscription combinations. This is the only case where the SIP-400 is oversubscribed on ingress.)

Except for the 1-Port 10 GE-v2 SPA, all of them are also supported in the Cisco IOS 12.2(33)SRB Release. If the combination of SPAs installed on the SIP-400 is not in accordance with the given list, the following console message is displayed:

Error Message  Total SPA bandwidth exceeds line card capacity, installed combination of SPA interfaces is not supported.

A maximum of 32 total ingress SPI4 ports are supported on the SIP-400. All supported combinations listed in the previous section require fewer than 32 SPI4 ports.
However, if a SPA is inserted that causes the total required to exceed 32 SPI4 ports, that SPA will not be able to power up. Each ATM or POS SPA requires one ingress SPI4 port per physical port. Each Gigabit Ethernet SPA interface requires two ingress SPI4 ports. If the ingress SPI4 ports required exceed 32 because of the SPA combination installed, the fourth GigE SPA will not be permitted to power up. The following message is displayed on the console:

Error Message  SPI4 port limit exceeded, SPA in subslot number has been powered down.

As long as the SPI4 port limits are not exceeded, the SPAs will be permitted to power up.

Quality of Service (QoS)

QoS on SIP-400

The mls qos trust command is not supported on SIP-400 interfaces. Instead, the COS bits in the DBUS header are always set as follows:

Packet Type              Method used to set COS bits in DBUS header
Untagged bridged packet  COS bits in DBUS header are cleared
Tagged bridged packet    COS bits from tag header are copied to COS bits in DBUS header
Routed packet            IP precedence/DSCP value used to set COS bits in DBUS header

QoS on SIP-600

The SIP-600 line card supports the mls qos trust commands. The packet fields from which the DBUS COS bits are derived depend on the packet type and on whether the ingress port is trusted.

Ingress oversubscription performance

On the SIP-400, when using a mix of low and high priority traffic, a maximum of 2.5 Gbps of untagged or tagged high priority traffic can be forwarded with no high priority packet drops at any packet size. When the amount of high priority traffic exceeds 2.5 Gbps, some high priority packet drops may occur.

Egress oversubscription performance

On the SIP-400, when using a mix of low and high priority traffic, a maximum of 3.0 Gbps of untagged or tagged high priority traffic can be forwarded with no high priority drops at any packet size.

Listed below are some circumstances where performance degradation can be seen:
• Performance degrades with smaller packets.
• Dot1q tagged packets, if additional checks need to be performed on the dot1q packet to process MPB-E, MPLSoGRE, dot1q tunneling, or EoMPLS information.
• QoS features applied to the main Ethernet interface or a dot1q subinterface can degrade performance.
• Hierarchical searches of parent or child policies lower performance because of multiple key formations and searches.
• When a single policer is applied to all the interfaces, packets from each interface have to contend for one SRAM lock for that policer, causing packets to wait for the lock before proceeding.
• Certain set actions cause recalculation of the CRC in the IP header, increasing the number of cycles required for processing the newly formed IP packet.

QoS Configuration Example for SIP-400 Ethernet Interfaces

This example illustrates how to configure a SIP-400 line card so that high priority traffic is not dropped on ingress or egress.

Step 1  First, define a class map to select high priority traffic. The following class map is designed to match the SPA classification rules:

class-map match-any high
 match cos 5 6 7
 match mpls experimental topmost 5 6 7
 match precedence 5 6 7
 match dscp ef

Step 2  Next, configure the policy maps. A child policy map is required because IOS does not support priority classes at the parent level for ingress. A queue limit is set for all non-priority traffic to ensure that a sufficient number of buffers are available for the high priority packets.

policy-map video-child
 class high
  priority
 class class-default
  queue-limit 25000

In the parent policy map, the shape command is used because at least one QoS parameter must be configured. However, this service policy is to be applied to Gigabit Ethernet interfaces, so no shaping occurs with a shape value of one Gbps.
policy-map video class class-default shape average 1000000000 service-policy video-child Step 3 Finally, the parent service policy should be applied to each SIP-400 interface. If high priority traffic is expected in both directions on the interface, the same service policy should be applied for both ingress and egress sides. interface gi5/0/0 service-policy input video service-policy output video int gi5/0/1 service-policy input video service-policy output video int gi5/0/2 service-policy input video service-policy output video int gi5/0/3 service-policy input video service-policy output video int gi5/0/4 service-policy input video service-policy output video SIP-400-5#show hardware subslot 0 drops-rx spi4 Show receive drops info for Subslot 0:12-103 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Configuration Tasks Bad Pkt drop counter : 0x0 Ingress EOP error pkt counter : 0x0 VLAN Rx Osub Drop Counter SRAM: Addr:0x5 Pkt: 4366664 Byte: 261999840 Addr:0x6 Pkt: 4366661 Byte: 261999660 Addr:0x7 Pkt: 4366661 Byte: 261999660 Addr:0x8 Pkt: 4366662 Byte: 261999720 Addr:0x9 Pkt: 264 Byte: 15840 ISAEDA Rx Osub Drop Counter SRAM: Addr:0x13FF Pkt: 17466912 Byte:1048014720 VLAN TCAM Catch All Drops: VLAN Rx Hit : Pkt: 0 VLAN Rx Unicast Send : Pkt: 0 Byte: 0 VLAN Rx Mcast Send : Pkt: 0 Byte: 0 VLAN Rx Bcast Send : Pkt: 0 Byte: 0 VLAN Rx Osub Drop : Pkt: 0 Byte: 0 HSRPDA TCAM Catch All Drops: HSRPDA Rx Hit : Pkt: 0 Saving the Configuration To save your running configuration to nonvolatile random-access memory (NVRAM), use the following command in privileged EXEC configuration mode: For information about managing your system image and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications that correspond to your Cisco IOS software release. 
Shutting Down and Restarting an Interface on a SPA You can shut down and restart any of the interface ports on a SPA independently of each other. Shutting down an interface stops traffic and enters the interface into an “administratively down” state. There are no restrictions for online insertion and removal (OIR) on Fast Ethernet or Gigabit Ethernet SPAs. Fast Ethernet and Gigabit Ethernet SPAs can be removed from a SIP at any time. SIPs populated with any type of SPAs can be removed from the router at any time. If you are preparing for an OIR of a SPA, it is not necessary to independently shut down each of the interfaces prior to deactivation of the SPA. The hw-module subslot [x/y] reload command automatically stops traffic on the interfaces and deactivates them along with the SPA in preparation for OIR. In similar fashion, you do not need to independently restart any interfaces on a SPA after OIR of a SPA or SIP. Command Purpose Router# copy running-config startup-config Writes the new configuration to NVRAM.12-104 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Verifying the Interface Configuration To shut down an interface on a SPA, use the following command in interface configuration mode: To restart an interface on a SPA, use the following command in interface configuration mode: Verifying the Interface Configuration Besides using the show running-configuration command to display your router configuration settings, you can use the show interfaces gigabitethernet command to get detailed information on a per-port basis for your Gigabit Ethernet SPAs, and the show interfaces fastethernet command to get detailed information on a per-port basis for your Fast Ethernet SPAs. 
The following example provides sample output for interface port 1 on the SPA located in the top subslot (0) of the SIP that is installed in slot 2 of the Cisco 7600 series router: Router# show interfaces gigabitethernet 2/0/1 GigabitEthernet2/0/1 is up, line protocol is up Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40) Internet address is 2.2.2.1/24 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive not supported Full-duplex, 1000Mb/s, link type is force-up, media type is SX output flow-control is on, input flow-control is on ARP type: ARPA, ARP Timeout 04:00:00 Last input 03:18:49, output 03:18:44, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 1703 packets input, 638959 bytes, 0 no buffer Received 23 broadcasts (0 IP multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 1670 multicast, 0 pause input 1715 packets output, 656528 bytes, 0 underruns 0 output errors, 0 collisions, 4 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 pause output 0 output buffer failures, 0 output buffers swapped out Command Purpose Router(config-if)# shutdown Disables an interface. 
Command Purpose Router(config-if)# no shutdown Restarts a disabled interface.12-105 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs Configuration Examples Configuration Examples This section includes the following configuration examples: • Basic Interface Configuration Example, page 12-105 • MAC Address Configuration Example, page 12-105 • MAC Address Accounting Configuration Example, page 12-106 • VLAN Configuration Example, page 12-108 • AToM over GRE Configuration Example, page 12-109 • mVPNoGRE Configuration Examples, page 12-110 • EoMPLS Configuration Example, page 12-111 • Backup Interface for Flexible UNI Configuration Example, page 12-111 • Changing the Speed of a Fast Ethernet SPA Configuration Example, page 12-114 • Ethernet OAM Configuration Example, page 12-116 Basic Interface Configuration Example The following example shows how to enter global configuration mode to specify the interface that you want to configure, configure an IP address for the interface, and save the configuration. This example configures interface port 1 on the SPA that is located in subslot 0 of the SIP, that is installed in slot 3 of the Cisco 7600 series router: ! Enter global configuration mode. ! Router# configure terminal ! Enter configuration commands, one per line. End with CNTL/Z. ! ! Specify the interface address. ! Router(config)# interface gigabitethernet 3/0/1 ! ! Configure an IP address. ! Router(config-if)# ip address 192.168.50.1 255.255.255.0 ! ! Start the interface. ! Router(config-if)# no shut ! ! Save the configuration to NVRAM. ! Router(config-if)# exit Router# copy running-config startup-config MAC Address Configuration Example The following example changes the default MAC address on the interface to 1111.2222.3333: ! Enter global configuration mode. ! Router# configure terminal ! Enter configuration commands, one per line. 
End with CNTL/Z.
!
! Specify the interface address.
!
Router(config)# interface gigabitethernet 3/0/1
!
! Modify the MAC address.
!
Router(config-if)# mac-address 1111.2222.3333

MAC Address Accounting Configuration Example

The following example enables MAC address accounting:

!
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Enable MAC address accounting.
!
Router(config)# ip accounting mac-address {input | output}
Router(config-if)# ip accounting ?
  access-violations  Account for IP packets violating access lists on this interface
  mac-address        Account for MAC addresses seen on this interface
  output-packets     Account for IP packets output on this interface
  precedence         Count packets by IP precedence on this interface
Router(config-if)# ip accounting mac
Router(config-if)# ip accounting mac-address ?
  input   Source MAC address on received packets
  output  Destination MAC address on transmitted packets
Router(config-if)# ip accounting mac-address ip
Router(config-if)# ip accounting mac-address input ?
!
! Specify MAC address accounting for traffic entering the interface.
!
Router(config-if)# ip accounting mac-address input
!
! Specify MAC address accounting for traffic leaving the interface.
!
Router(config-if)# ip accounting mac-address output
Router(config-if)# end
!
! Verify the MAC address accounting on the interface.
!
Router# show interfaces GigabitEthernet 4/0/2 mac-accounting
GigabitEthernet4/0/2
  Input  (511 free)
    000f.f7b0.5200(26  ): 124174 packets, 7450440 bytes, last: 1884ms ago
                  Total: 124174 packets, 7450440 bytes
  Output (511 free)
    000f.f7b0.5200(26  ): 135157 packets, 8109420 bytes, last: 1884ms ago
                  Total: 135157 packets, 8109420 bytes

HSRP Configuration Example

The following section provides a configuration example of Router A and Router B, each belonging to three VRRP groups:

Router A

!
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
Router# interface ethernet 1/0
ip address 10.1.0.2 255.0.0.0
Router# vrrp 1 priority 120
Router# vrrp 1 authentication cisco
Router# vrrp 1 timers advertise 3
Router# vrrp 1 timers learn
Router# vrrp 1 ip 10.1.0.10
Router# vrrp 5 priority 100
Router# vrrp 5 timers advertise 30
Router# vrrp 5 timers learn
Router# vrrp 5 ip 10.1.0.50
Router# vrrp 100 timers learn
Router# no vrrp 100 preempt
Router# vrrp 100 ip 10.1.0.100
no shutdown

Router B

!
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
Router# interface ethernet 1/0
ip address 10.1.0.1 255.0.0.0
Router# vrrp 1 priority 100
Router# vrrp 1 authentication cisco
Router# vrrp 1 timers advertise 3
Router# vrrp 1 timers learn
Router# vrrp 1 ip 10.1.0.10
Router# vrrp 5 priority 200
Router# vrrp 5 timers advertise 30
Router# vrrp 5 timers learn
Router# vrrp 5 ip 10.1.0.50
Router# vrrp 100 timers learn
Router# no vrrp 100 preempt
Router# vrrp 100 ip 10.1.0.100
Router# no shutdown

In this configuration, each group has the following properties:

• Group 1:
  – Virtual IP address is 10.1.0.10.
  – Router A will become the master for this group with priority 120.
  – Advertising interval is 3 seconds.
  – Preemption is enabled.
• Group 5:
  – Router B will become the master for this group with priority 200.
  – Advertising interval is 30 seconds.
  – Preemption is enabled.
• Group 100:
  – Router A will become the master for this group first because it has the higher IP address (10.1.0.2).
  – Advertising interval is the default 1 second.
  – Preemption is disabled.

MTU Configuration Example

The following example sets the interface MTU to 9216 bytes.

Note The SPA automatically adds an additional 38 bytes to the configured interface MTU size.

!
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address.
!
Router(config)# interface gigabitethernet 3/0/1
!
! Configure the interface MTU.
!
Router(config-if)# mtu 9216

VLAN Configuration Example

The following example creates subinterface number 268 on SPA interface port 2 (the third port), and configures the subinterface on the VLAN with ID number 268, using IEEE 802.1Q encapsulation:

Note The SPA does not support ISL encapsulation.

!
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address.
!
Router(config)# interface gigabitethernet 3/0/1.268
!
! Configure dot1q encapsulation and specify the VLAN ID.
!
Router(config-subif)# encapsulation dot1q 268

AToM over GRE Configuration Example

The following example illustrates an AToM over GRE tunnel configuration between PE1 and PE2.
PE1:

interface GigabitEthernet4/3/0
 ip address 25.25.25.1 255.255.255.0
 negotiation auto
end

interface Tunnel10
 ip unnumbered Loopback1
 mpls label protocol ldp
 mpls ip
 tunnel source 12.12.12.12
 tunnel destination 6.6.6.6
end

interface Loopback1
 ip address 13.13.13.13 255.255.255.255
end

interface Loopback10
 ip address 12.12.12.12 255.255.255.255
end

ip route 2.2.2.2 255.255.255.255 Tunnel10

PE2:

interface GigabitEthernet2/3/0
 ip address 26.26.26.2 255.255.255.0
 negotiation auto
end

interface Tunnel10
 ip unnumbered Loopback1
 mpls ip
 tunnel source 6.6.6.6
 tunnel destination 12.12.12.12
end

interface Loopback1
 ip address 7.7.7.7 255.255.255.255
end

interface Loopback0
 ip address 6.6.6.6 255.255.255.255
end

ip route 3.3.3.3 255.255.255.255 Tunnel10

mVPNoGRE Configuration Examples

The following example shows the commands to configure the mVPNoGRE feature on a Cisco 7600 SIP-400 interface or subinterface; however, this example uses a Cisco 7600 SIP-400 interface that does not support subinterfaces:

!
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the Gigabit Ethernet interface to configure.
!
Router(config)# interface gigabitethernet 2/0/0
!
! Attach a GRE tunnel to a Cisco 7600 SIP-400 subinterface.
!
Router(config-if)# tunnel-interface tu1
!
! Define the IP traffic that should be tunneled.
!
Router(config-if-ti)# ip route 10.0.0.1 255.255.255.0
Router(config-if-ti)# exit

When the tunnel-interface command is configured on the Cisco 7600 SIP-400 interface or subinterface, ip pim sparse-mode and tag-switching ip are automatically added to the interface. A static route to the IP address given in the ip route command is created internally.

The following example shows the output of the show running interface command after the tunnel-interface command has been configured; again, this example uses a Cisco 7600 SIP-400 interface that does not support subinterfaces:

Router# show running interface gigabitethernet 2/0/0
!
interface gigabitethernet2/0/0
 ip address 10.1.0.1 255.255.255.0
 ip pim sparse-mode
 no keepalive
 tunnel-interface Tunnel1
  ip route 10.11.0.1 255.255.255.0
 exit-tunnel-interface
 tag-switching ip
 clock source internal
end

Note You do not need to configure a static route (globally or on the tunnel) to the BGP neighbor on the Cisco 7600 series router. This is done automatically by the ip route command under the tunnel-interface command on the Cisco 7600 SIP-400 interface or subinterface.

The following example illustrates the tunnel interface configuration on the Cisco 7600 series router:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip pim sparse-dense-mode
 mpls ip
 tunnel source 22.22.22.22
 tunnel destination 44.44.44.44

EoMPLS Configuration Example

The following example shows the commands to configure software-based EoMPLS:

!
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router# vlan 101
!
Router(config)# interface VLAN101
Router(config-if)# xconnect 7.7.7.7 73829 encapsulation MPLS
!
Router(config)# interface gigabitethernet 4/1/0.1
Router(config-subif)# encapsulation dot1Q 100

The following example shows the commands to configure Scalable EoMPLS (only for a Cisco 7600 SIP-400 Ethernet interface):

Router(config)# interface GigabitEthernet 1/2/1
Router(config-if)# no ip address
Router(config-if)# no cdp enable
!
Router(config-if)# interface GigabitEthernet 1/2/1.2
Router(config-subif)# encapsulation dot1Q 2
Router(config-subif)# xconnect 5.5.5.5 20002 encapsulation mpls
!
!
Router(config-if)# interface GigabitEthernet 1/2/1.4095
Router(config-subif)# encapsulation dot1Q 4095
Router(config-subif)# xconnect 5.5.5.5 24095 encapsulation mpls

The following example shows the commands to configure hardware EoMPLS (other Ethernet interfaces):

Router(config)# interface GigabitEthernet 1/1
Router(config-if)# no ip address
Router(config-if)# no cdp enable
!
Router(config-subif)# interface GigabitEthernet 1/1.2
Router(config-subif)# encapsulation dot1Q 2
Router(config-subif)# xconnect 5.5.5.5 10002 encapsulation mpls
!
Router(config)# interface GigabitEthernet 1/1.3095
Router(config-subif)# encapsulation dot1Q 3095
Router(config-subif)# xconnect 5.5.5.5 13095 encapsulation mpls
!

Backup Interface for Flexible UNI Configuration Example

Figure 12-5 and the table that follows show a sample configuration that includes several EVCs (service instances), configured as follows:

• Service instance EVC4 is configured on primary and backup interfaces (links) that terminate in a bridge domain, with a VPLS uplink onto NPE12.
• Service instance EVC2 is configured as scalable Ethernet over MPLS, peering with an SVI VPLS on NPE12.
Figure 12-5 Backup Interface for Flexible UNI Configuration (figure not reproduced: it shows NPE10, NPE14, 72a, NPE11 and NPE12, with the primary links ge1/3.4 and ge1/3.2 to gi3/0/0, the backup links ge2/4.4 and ge2/4.2 to gi3/0/11, and fa1/0.4 and fa1/0.2 toward NPE12)

NPE10 Configuration:

int ge2/4.4
 description npe10 to npe11 gi3/0/11 - backup - bridged
 encap dot1q 4
 ip address 100.4.1.33 255.255.255.0
int ge2/4.2
 description npe10 to npe11 gi3/0/11 - backup - xconnect
 encap dot1q 2
 ip address 100.2.1.33 255.255.255.0

U-PE2 Configuration:

int ge1/3.4
 description npe14 to npe11 gi3/0/0 - primary - bridged
 encap dot1q 4
 ip address 100.4.1.22 255.255.255.0
int ge1/3.2
 description npe14 to npe11 gi3/0/0 - primary - xconnect
 encap dot1q 2
 ip address 100.2.1.22 255.255.255.0

U-PE2 Configuration:

int fa1/0.4
 description 72a to npe12 - bridged
 encap dot1q 4
 ip address 100.4.1.12 255.255.255.0
int fa1/0.2
 description 72a to npe12 - xconnect
 encap dot1q 2
 ip address 100.2.1.12 255.255.255.0

NPE11 Configuration:

interface gigabitEthernet3/0/0
 backup interface gigabitEthernet3/0/11
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 12.0.0.1 2 encapsulation mpls
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
interface gigabitEthernet3/0/11
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 12.0.0.1 21 encapsulation mpls
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
interface GE-WAN 4/3
 description npe11 to npe12
 ip address 10.3.3.1 255.255.255.0
 mpls ip
l2 vfi vlan4 manual
 vpn id 4
 neighbor 12.0.0.1 4 encapsulation mpls
interface Vlan 4
 xconnect vfi vlan4

NPE12 Configuration:

l2 vfi vlan4 manual
 vpn id 4
 neighbor 11.0.0.1 4 encap mpls
interface Vlan4
 description npe12 to npe11 xconnect
 xconnect vfi vlan4
l2 vfi vlan2 manual
 vpn id 2
 neighbor 11.0.0.1 2 encap mpls
 neighbor 11.0.0.1 21 encap mpls
Interface Vlan2
 xconnect vfi vlan2
interface GE-WAN 9/4
 description npe12 to npe11
 ip address 10.3.3.2 255.255.255.0
 mpls ip
interface fastEthernet 8/2
 description npe12 to 72a
 switchport
 switchport trunk encap dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2-4

Changing the Speed of a Fast Ethernet SPA Configuration Example

The following example shows the commands to change the speed of a Fast Ethernet SPA:

Note In order to change the speed of a Fast Ethernet SPA, autonegotiation must be disabled.

Router# show run interface fastethernet 5/0/1
Building configuration...

Current configuration : 86 bytes
!
interface FastEthernet5/0/1
 ip address 10.1.0.2 255.255.0.0
 negotiation auto
end

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Disable autonegotiation.
!
Router(config)# interface fastethernet 5/0/1
Router(config-if)# no negotiation auto
Router(config-if)# speed 10
Router(config-if)#
Router(config-if)# end
Router# show run interface fastethernet 5/0/1
Building configuration...

Current configuration : 112 bytes
!
interface FastEthernet 5/0/1
 ip address 10.1.0.2 255.255.0.0
 speed 10
 duplex full
 no negotiation auto
end

Router# show interface fastethernet 5/0/1
FastEthernet5/0/1 is up, line protocol is up
  Hardware is FastEthernet SPA, address is 000a.8b3e.cc00 (bia 000a.8b3e.cc00)
  Internet address is 10.1.0.2/16
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 10Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters 1d00h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1608 packets input, 547102 bytes, 0 no buffer
     Received 1 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     1606 packets output, 548403 bytes, 0 underruns

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/0/1
Router(config-if)# speed 100
Router(config-if)# end
Router#
*Apr 25 21:10:36: %SYS-5-CONFIG_I: Configured from console by console
Router# show interface fastethernet 5/0/1
FastEthernet5/0/1 is down, line protocol is down
  Hardware is FastEthernet SPA, address is 000a.8b3e.cc00 (bia 000a.8b3e.cc00)
  Internet address is 10.1.0.2/16
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:23, output 00:00:22, output hang never
  Last clearing of "show interface" counters 1d00h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1608 packets input, 547102 bytes, 0 no buffer
     Received 1 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

Ethernet OAM Configuration Example

The following Ethernet OAM example shows configuration of Ethernet OAM options using a template, and overriding that configuration with direct configuration at an interface. In this example, the network supports a Gigabit Ethernet interface between the customer edge device and the provider edge device:

!
! Configure a global OAM template for both PE and CE configuration.
!
Router(config)# template oam
Router(config-template)# ethernet oam link-monitor symbol-period threshold low 10
Router(config-template)# ethernet oam link-monitor symbol-period threshold high 100
Router(config-template)# ethernet oam link-monitor frame window 100
Router(config-template)# ethernet oam link-monitor frame threshold low 10
Router(config-template)# ethernet oam link-monitor frame threshold high 100
Router(config-template)# ethernet oam link-monitor frame-period window 100
Router(config-template)# ethernet oam link-monitor frame-period threshold low 10
Router(config-template)# ethernet oam link-monitor frame-period threshold high 100
Router(config-template)# ethernet oam link-monitor frame-seconds window 1000
Router(config-template)# ethernet oam link-monitor frame-seconds threshold low 10
Router(config-template)# ethernet oam link-monitor frame-seconds threshold high 100
Router(config-template)# ethernet oam link-monitor receive-crc window 100
Router(config-template)# ethernet oam link-monitor receive-crc threshold high 100
Router(config-template)# ethernet oam link-monitor transmit-crc window 100
Router(config-template)# ethernet oam link-monitor transmit-crc threshold high 100
Router(config-template)# ethernet oam remote-failure dying-gasp action error-disable-interface
Router(config-template)# exit
!
! Enable Ethernet OAM on the CE interface.
!
Router(config)# interface gigabitethernet 4/1/1
Router(config-if)# ethernet oam
!
! Apply the global OAM template named "oam" to the interface.
!
Router(config-if)# source template oam
!
! Configure any interface-specific link monitoring commands to
! override the template configuration. The following example disables the high threshold
! link monitoring for receive CRC errors.
!
Router(config-if)# ethernet oam link-monitor receive-crc threshold high none
!
! Enable Ethernet OAM on the PE interface.
!
Router(config)# interface gigabitethernet 8/1/1
Router(config-if)# ethernet oam
!
! Apply the global OAM template named "oam" to the interface.
!
Router(config-if)# source template oam

Chapter 13 Troubleshooting the Fast Ethernet and Gigabit Ethernet SPAs

This chapter describes techniques that you can use to troubleshoot the operation of your Fast Ethernet or Gigabit Ethernet SPAs. It includes the following sections:

• General Troubleshooting Information, page 13-1
• Performing Basic Interface Troubleshooting, page 13-2
• Understanding SPA Automatic Recovery, page 13-7
• Configuring the Interface for Internal and External Loopback, page 13-8
• Using the Cisco IOS Event Tracer to Troubleshoot Problems, page 13-9
• Preparing for Online Insertion and Removal of a SPA, page 13-10

The first section provides information about basic interface troubleshooting. If you are having a problem with your SPA, use the steps in the "Performing Basic Interface Troubleshooting" section to begin your investigation of a possible interface configuration problem. To perform more advanced troubleshooting, see the other sections in this chapter.

General Troubleshooting Information

This section describes general information for troubleshooting SIPs and SPAs. It includes the following sections:

• Using debug Commands, page 13-1
• Using show Commands, page 13-2

Using debug Commands

Along with the other debug commands supported on the Cisco 7600 series router, you can obtain specific debug information for SPAs on the Cisco 7600 series router using the debug hw-module subslot privileged EXEC command. The debug hw-module subslot command is intended for use by Cisco Systems technical support personnel.
Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

For information about other debug commands supported on the Cisco 7600 series router, refer to the Cisco IOS Debug Command Reference and any related feature documents for the applicable Cisco IOS release.

Using show Commands

There are several show commands that you can use to monitor and troubleshoot the SIPs and SPAs on the Cisco 7600 series router. This chapter describes using the show interfaces command to perform troubleshooting of your SPA. For more information about show commands to verify and monitor SIPs and SPAs, see Chapter 12, "Configuring the Fast Ethernet and Gigabit Ethernet SPAs."

Performing Basic Interface Troubleshooting

You can perform most basic interface troubleshooting by using the show interfaces fastethernet, show interfaces gigabitethernet, or show interfaces tengigabitethernet command and examining several areas of the output to determine how the interface is operating.
The following example shows output from the show interfaces fastethernet, show interfaces gigabitethernet, and show interfaces tengigabitethernet commands, with some of the significant areas of the output to observe shown in bold:

Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
  Hardware is FastEthernet SPA, address is 000e.d623.e840 (bia 000e.d623.e840)
  Internet address is 33.1.0.2/16
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 59/255, rxload 83/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:11, output 00:00:08, output hang never
  Last clearing of "show interface" counters 3d00h
  Input queue: 0/75/626373350/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 32658000 bits/sec, 68032 packets/sec
  5 minute output rate 23333000 bits/sec, 48614 packets/sec
     17792456686 packets input, 1067548381456 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 130043940 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     12719598014 packets output, 763177809958 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is down, line protocol is down
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is on, input flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 03:18:49, output 03:18:44, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1703 packets input, 638959 bytes, 0 no buffer
     Received 23 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1670 multicast, 0 pause input
     1715 packets output, 656528 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Router# show interfaces tengigabitethernet 7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)
  Hardware is TenGigEther SPA, address is 0000.0c00.0102 (bia 000f.342f.c340)
  Internet address is 15.1.1.2/24
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 10Gb/s
  input flow-control is on, output flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:10, output hang never
  Last clearing of "show interface" counters 20:24:30
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     237450882 packets input, 15340005588 bytes, 0 no buffer
     Received 25 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1676 packets output, 198290 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

To verify that your interface is operating properly, complete the steps in Table 13-1:

Table 13-1 Basic Interface Troubleshooting Steps

Step 1
Action: From global configuration mode, enter the show interfaces fastethernet, show interfaces gigabitethernet, or show interfaces tengigabitethernet command.
Example:
Router# show interfaces fastethernet 3/2/3
Router# show interfaces gigabitethernet 2/0/1
Router# show interfaces tengigabitethernet 7/0/0

Step 2
Action: Verify that the interface is up.
Example:
Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
Router# show interfaces tengigabitethernet 7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)

Step 3
Action: Verify that the line protocol is up.
Example:
Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
Router# show interfaces tengigabitethernet 7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)

Step 4
Action: Verify that the interface duplex mode matches the remote interface configuration.
Example: The following example shows that the local interface is currently operating in full-duplex mode:
Router# show interfaces fastethernet 3/2/3
[text omitted]
  Keepalive not supported
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
Router# show interfaces gigabitethernet 2/0/1
[text omitted]
  Keepalive not supported
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
Router# show interfaces tengigabitethernet 7/0/0
[text omitted]
  Keepalive not supported
  Full-duplex, 10Gb/s

Step 5
Action: Verify that the interface speed matches the speed on the remote interface.

For more information about the verification steps and possible responses to correct detected problems, see the following sections:

• Verifying the Interface Is Up, page 13-5
• Verifying the Line Protocol Is Up, page 13-6
• Verifying Output Hang Status, page 13-6
• Verifying the CRC Counter, page 13-6
• Verifying Late Collisions, page 13-6
• Verifying the Carrier Signal, page 13-7

Verifying the Interface Is Up

In the output from the show interfaces fastethernet, show interfaces gigabitethernet, or show interfaces tengigabitethernet command, verify that the interface is up. If the interface is down, perform the following corrective actions:

• If the interface is administratively down, use the no shutdown interface configuration command to enable the interface.
• Be sure that the cable is fully connected.
• Verify that the cable is not bent or damaged. If the cable is bent or damaged, the signal will be degraded.
The following example shows that the local interface is currently operating at 100 Mbps (Fast Ethernet and Gigabit Ethernet) or 10 Gbps (Ten Gigabit Ethernet): Router# show interfaces fastethernet 3/2/3 [text omitted] Keepalive not supported Full-duplex, 100Mb/sARP type: ARPA, ARP Timeout 04:00:00 Router# show interfaces gigabitethernet 2/0/1 [text omitted] Keepalive not supported Full-duplex, 1000Mb/s, link type is force-up, media type is SX Router# show interfaces tengigabitethernet 7/0/0 [text omitted] Full-duplex, 10Gb/s Step 6 Observe the output hang status on the interface. ARP type: ARPA, ARP Timeout 04:00:00 Last input 03:18:49, output 03:18:44, output hang never Step 7 Observe the CRC counter. 0 input errors, 0 CRC, 0 frame, 130043940 overrun, 0 ignored Step 8 Observe the late collision counter. 0 output errors, 0 collisions, 4 interface resets 0 babbles, 0 late collision, 0 deferred Step 9 Observe the carrier signal counters. 0 lost carrier, 0 no carrier, 0 pause output 0 output buffer failures, 0 output buffers swapped out Table 13-1 Basic Interface Troubleshooting Steps (continued) Action Example13-6 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 13 Troubleshooting the Fast Ethernet and Gigabit Ethernet SPAs Performing Basic Interface Troubleshooting • Verify that a hardware failure has not occurred. Observe the LEDs to confirm the failure. See the other troubleshooting sections of this chapter, and refer to the Cisco 7600 Series Router SIP, SSC, and SPA Hardware Installation Guide. If the hardware has failed, replace the SPA as necessary. Verifying the Line Protocol Is Up In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show interfaces tengigabitethernet command, verify that the line protocol is up. If the line protocol is down, the line protocol software processes have determined that the line is unusable. Perform the following corrective actions: • Replace the cable. 
• Check the local and remote interface for misconfiguration. • Verify that a hardware failure has not occurred. Observe the LEDs to confirm the failure. See the other troubleshooting sections of this chapter, and refer to the Cisco 7600 Series Router SIP, SSC, and SPA Hardware Installation Guide. If the hardware has failed, replace the SPA as necessary. Verifying Output Hang Status In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show interfaces tengigabitethernet command, observe the value of the output hang field. The output hang provides the number of hours, minutes, and seconds since the last reset caused by a lengthy transmission. When the number of hours in the field exceeds 24 hours, the number of days and hours is shown. If the field overflows, asterisks are printed. The field shows a value of never if no output hangs have occurred. Verifying the CRC Counter In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show interfaces tengigabitethernet command, observe the value of the CRC counter. Excessive noise will cause high CRC errors accompanied by a low number of collisions. Perform the following corrective actions if you encounter high CRC errors: • Check the cables for damage. • Verify that the correct cables are being used for the SPA interface. Verifying Late Collisions In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show interfaces tengigabitethernet command, observe the value of the late collision counter. Perform the following corrective actions if you encounter late collisions on the interface: • Verify that the duplex mode on the local and remote interface match. Late collisions occur when there is a duplex mode mismatch. • Verify the length of the Ethernet cables. Late collisions result from cables that are too long. 
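The checks of Table 13-1 (Steps 2 to 9) and the corrective actions described in the sections above, applied to a captured show interfaces listing, as an added example that is not part of this guide: the regular expressions and the counter interpretation are the editor's, the remote end's duplex and speed are assumed to be known from the peer device, and the second sample listing is constructed to show the degraded case.

```python
"""Automated version of the Table 13-1 checks for one 'show interfaces' listing.
Added example, not Cisco code; patterns and thresholds follow this chapter's text."""
import re
from typing import Optional

# Sample input taken from the GigabitEthernet2/0/1 listing in this chapter,
# reduced to the lines the checks read.
SAMPLE_GIGE = """\
GigabitEthernet2/0/1 is down, line protocol is down
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  Last input 03:18:49, output 03:18:44, output hang never
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
"""

# Constructed sample (not from the guide) with the symptoms Steps 4 to 8 look for.
SAMPLE_DEGRADED = """\
FastEthernet3/2/3 is up, line protocol is up
  Encapsulation ARPA, loopback not set
  Half-duplex, 100Mb/s
  Last input 00:00:11, output 00:00:08, output hang 00:12:30
     37 input errors, 37 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 142 collisions, 0 interface resets
     0 babbles, 9 late collision, 0 deferred
     0 lost carrier, 0 no carrier
"""

_HEADER = re.compile(r"^(\S+) is (administratively down|down|up), line protocol is (up|down)")
_DUPLEX = re.compile(r"^\s*(Full|Half)-duplex, (\d+[MG]b/s)")
_LOOPBACK = re.compile(r"loopback (not set|set)")
_OUTPUT_HANG = re.compile(r"output hang (\S+)")
_CRC = re.compile(r"(\d+) CRC,")
_LATE_COLL = re.compile(r"(\d+) late collision")
_CARRIER = re.compile(r"(\d+) lost carrier, (\d+) no carrier")


def parse_show_interfaces(text: str) -> dict:
    """Extract the fields that Table 13-1 examines from one interface listing."""
    f: dict = {}
    for line in text.splitlines():
        if m := _HEADER.match(line):
            f["name"], f["status"], f["line_protocol"] = m.groups()
        if m := _DUPLEX.match(line):
            f["duplex"], f["speed"] = m.group(1).lower(), m.group(2)
        if m := _LOOPBACK.search(line):
            f["loopback"] = m.group(1) == "set"
        if m := _OUTPUT_HANG.search(line):
            f["output_hang"] = m.group(1)
        if m := _CRC.search(line):
            f["crc"] = int(m.group(1))
        if m := _LATE_COLL.search(line):
            f["late_collision"] = int(m.group(1))
        if m := _CARRIER.search(line):
            f["lost_carrier"], f["no_carrier"] = int(m.group(1)), int(m.group(2))
    return f


def check_interface(f: dict, remote_duplex: Optional[str] = None,
                    remote_speed: Optional[str] = None) -> list:
    """Apply Steps 2 to 9 of Table 13-1; returns (step, finding) tuples."""
    out = []
    if f.get("status") != "up":
        fix = ("enter 'no shutdown' on the interface" if f.get("status") == "administratively down"
               else "check that the cable is seated and undamaged, then check the SPA LEDs")
        out.append((2, f"interface is {f.get('status')}: {fix}"))
    if f.get("line_protocol") != "up":
        out.append((3, "line protocol is down: replace the cable, check local and remote "
                       "configuration, check for a hardware failure"))
    if remote_duplex and f.get("duplex") != remote_duplex:
        out.append((4, f"duplex mismatch: local {f.get('duplex')}, remote {remote_duplex}"))
    if remote_speed and f.get("speed") != remote_speed:
        out.append((5, f"speed mismatch: local {f.get('speed')}, remote {remote_speed}"))
    if f.get("output_hang", "never") != "never":
        out.append((6, f"last reset caused by a lengthy transmission {f['output_hang']} ago"))
    if f.get("crc", 0) > 0:
        out.append((7, f"{f['crc']} CRC errors: check cables for damage and correct cable type"))
    if f.get("late_collision", 0) > 0:
        out.append((8, f"{f['late_collision']} late collisions: check duplex match and cable length"))
    carrier = f.get("lost_carrier", 0) + f.get("no_carrier", 0)
    # Carrier resets are expected while the port is in loopback or shut down,
    # so they are flagged only outside those conditions (Verifying the Carrier Signal).
    if carrier and not f.get("loopback") and f.get("status") != "administratively down":
        out.append((9, f"carrier counters incremented {carrier} times: check interface and cable"))
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_GIGE, SAMPLE_DEGRADED):
        fields = parse_show_interfaces(sample)
        for step, finding in check_interface(fields, "full", fields.get("speed")):
            print(f"{fields['name']}: Step {step}: {finding}")
```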
Verifying the Carrier Signal

In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show interfaces tengigabitethernet command, observe the value of the carrier signal counters. The lost carrier counter shows the number of times that the carrier was lost during transmission. The no carrier counter shows the number of times that the carrier was not present during transmission. Carrier signal resets can occur when an interface is in loopback mode or shut down. Perform the following corrective actions if you observe the carrier signal counter incrementing outside of these conditions:
• Check the interface for a malfunction.
• Check for a cable problem.

Understanding SPA Automatic Recovery

When Fast Ethernet or Gigabit Ethernet SPAs encounter thresholds for certain types of errors and identify a fatal error, the SPAs initiate an automatic recovery process. You do not need to take any action unless the error counters reach a certain threshold, and multiple attempts for automatic recovery by the SPA fail.

The Gigabit Ethernet SPAs might perform automatic recovery for the following types of errors:
• SPI4 TX/RX out of frame
• SPI4 TX train valid
• SPI4 TX DIP4
• SPI4 RX DIP2

When Automatic Recovery Occurs

If the SPI4 errors occur more than 25 times within 10 milliseconds, the SPA automatically deactivates and reactivates itself. Error messages are logged on the console indicating the source of the error and the status of the recovery.

If Automatic Recovery Fails

If the SPA attempts automatic recovery more than five times in an hour, then the SPA deactivates itself and remains deactivated.
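The two thresholds above (more than 25 SPI4 errors within 10 milliseconds triggers a deactivate/reactivate cycle; more than five such recoveries in an hour leaves the SPA deactivated) as an added sliding-window model, not Cisco code: the guide does not state how the SPA firmware counts, so a strict sliding window over timestamps is assumed, and the error bursts fed to it are constructed.

```python
"""Model of the SPA automatic-recovery thresholds described in this section.
Added example, not Cisco code. Assumed reading: a recovery is triggered by the
error that makes the count within the last 10 ms exceed 25, and the SPA stays
deactivated once recoveries within the last hour exceed 5. Times are in ms."""
from collections import deque

ERROR_BURST = 25                # more than 25 SPI4 errors ...
BURST_WINDOW_MS = 10            # ... within 10 ms -> deactivate and reactivate
MAX_RECOVERIES = 5              # more than 5 recoveries ...
RECOVERY_WINDOW_MS = 3_600_000  # ... within an hour -> remains deactivated


class SpaRecoveryModel:
    def __init__(self) -> None:
        self.errors = deque()       # timestamps of recent SPI4 errors
        self.recoveries = deque()   # timestamps of automatic recoveries
        self.deactivated = False
        self.log = []               # console-style messages, newest last

    def spi4_error(self, t_ms: float, kind: str = "SPI4 RX DIP2") -> str:
        """Record one error (timestamps must be non-decreasing);
        returns 'ok', 'recovery' or 'deactivated'."""
        if self.deactivated:
            return "deactivated"
        self.errors.append(t_ms)
        # Drop errors older than the 10 ms window; the newest entry always stays.
        while t_ms - self.errors[0] > BURST_WINDOW_MS:
            self.errors.popleft()
        if len(self.errors) <= ERROR_BURST:
            return "ok"
        # Threshold crossed: the SPA deactivates and reactivates itself.
        self.errors.clear()
        self.recoveries.append(t_ms)
        while t_ms - self.recoveries[0] > RECOVERY_WINDOW_MS:
            self.recoveries.popleft()
        if len(self.recoveries) > MAX_RECOVERIES:
            self.deactivated = True
            self.log.append(f"{t_ms:.1f} ms: {kind}: recovery attempted more than "
                            f"{MAX_RECOVERIES} times in an hour, SPA deactivated; "
                            "check 'show hw-module subslot slot/subslot oir'")
            return "deactivated"
        self.log.append(f"{t_ms:.1f} ms: {kind}: error threshold exceeded, "
                        f"automatic recovery #{len(self.recoveries)}")
        return "recovery"


def simulate(bursts) -> tuple:
    """bursts: (start_ms, count, spacing_ms) tuples; returns (final_state, log)."""
    model = SpaRecoveryModel()
    state = "ok"
    for start, count, spacing in bursts:
        for i in range(count):
            state = model.spi4_error(start + i * spacing)
    return state, model.log


if __name__ == "__main__":
    # Constructed scenario: a 26-error burst every 10 minutes, six times.
    state, log = simulate([(k * 600_000, 26, 0.1) for k in range(6)])
    print(state)
    print("\n".join(log))
```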
To troubleshoot automatic recovery failure for a SPA, perform the following steps:

Step 1 Use the show hw-module subslot slot/subslot oir command to verify the status of the SPA. The status is shown as “failed” if the SPA has been powered off due to five consecutive failures.

Step 2 If you verify that automatic recovery has failed, perform OIR of the SPA. For information about performing OIR, see the “Preparing for Online Insertion and Removal of a SPA” section on page 13-10.

Step 3 If reseating the SPA after OIR does not resolve the problem, replace the SPA hardware.

Configuring the Interface for Internal and External Loopback

Loopback support is useful for testing the interface without connectivity to the network, or for diagnosing equipment malfunctions between the interface and a device. The Fast Ethernet and Gigabit Ethernet SPAs support both an internal and an external loopback mode. The external loopback mode requires the use of a loopback cable and implements a loopback through the transceiver on the SPA.

You can also configure an internal loopback without the use of a loopback cable that implements a loopback at the PHY device internally on a Fast Ethernet or Gigabit Ethernet interface port, or at the MAC device internally on a Fast Ethernet or Gigabit Ethernet interface port.

By default, loopback is disabled.

Configuring the Interface for Internal Loopback

Different Fast Ethernet and Gigabit Ethernet interfaces use different loopback commands. To enable internal loopback at the PHY device for an interface on a SPA, use one of the following commands beginning in interface configuration mode:

Command or Action                        Purpose
Router(config-if)# loopback              Enables an interface for internal loopback on the Gigabit Ethernet SPA.
Router(config-if)# loopback internal     Enables an interface for internal loopback on the Gigabit Ethernet SPA.
Router(config-if)# loopback mac          Enables an interface for internal loopback at the MAC controller level on the Fast Ethernet SPA.
Router(config-if)# loopback driver       Enables an interface for internal loopback at the transceiver level on the Fast Ethernet SPA.

Configuring the Interface for External Loopback

Before beginning external loopback testing, remember that the external loopback mode requires the use of a loopback cable. External loopback cannot be configured on Fast Ethernet SPAs. To enable external loopback on Gigabit Ethernet SPAs, use the following commands beginning in interface configuration mode:

Command                                  Purpose
Router(config-if)# loopback external     Enables an interface for external loopback on the Gigabit Ethernet SPA.

Verifying Loopback Status

To verify whether loopback is enabled on an interface port on a SPA, use the show interfaces fastethernet, show interfaces gigabitethernet or show interfaces tengigabitethernet command in privileged EXEC mode and observe the value shown in the “loopback” field.

The following example shows that loopback is disabled for interface port 3 on the Fast Ethernet SPA installed in subslot 2 of the SIP that is located in slot 3 of the Cisco 7600 series router:

Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
  Hardware is FastEthernet SPA, address is 000e.d623.e840 (bia 000e.d623.e840)
  Internet address is 33.1.0.2/16
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 59/255, rxload 83/255
  Encapsulation ARPA, loopback not set

The following example shows that loopback is disabled for interface port 0 (the first port) on the Gigabit Ethernet SPA installed in the top (0) subslot of the SIP that is located in slot 3 of the Cisco 7600 series router:

Router# show interfaces gigabitethernet 3/0/0
GigabitEthernet3/0/0 is up, line protocol is up
  Hardware is GigMac 1 Port 10 GigabitEthernet, address is 0008.7db3.8dfe (bia )
  Internet address is 10.0.0.2/24
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set

The following example shows that loopback is disabled for interface port 0 (the first port) on the Ten Gigabit Ethernet SPA installed in the top (0) subslot of the SIP that is located in slot 7 of the Cisco 7600 series router:

Router# show interfaces tengigabitethernet 7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)
  Hardware is TenGigEther SPA, address is 0000.0c00.0102 (bia 000f.342f.c340)
  Internet address is 15.1.1.2/24
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set

Using the Cisco IOS Event Tracer to Troubleshoot Problems

Note: This feature is intended for use as a software diagnostic tool and should be configured only under the direction of a Cisco Technical Assistance Center (TAC) representative.

The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This feature gives Cisco service representatives additional insight into the operation of the Cisco IOS software and can be useful in helping to diagnose problems in the unlikely event of an operating system malfunction or, in the case of redundant systems, Route Processor switchover.

Event tracing works by reading informational messages from specific Cisco IOS software subsystem components that have been preprogrammed to work with event tracing, and by logging messages from those components into system memory. Trace messages stored in memory can be displayed on the screen or saved to a file for later analysis.

The SPAs currently support the “spa” component to trace SPA OIR-related events.

For more information about using the Event Tracer feature, refer to the following URL: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/evnttrcr.html

Preparing for Online Insertion and Removal of a SPA

The Cisco 7600 series router supports online insertion and removal (OIR) of the SIP, in addition to each of the SPAs. Therefore, you can remove a SIP with its SPAs still intact, or you can remove a SPA independently from the SIP, leaving the SIP installed in the router.

This means that a SIP can remain installed in the router with one SPA remaining active, while you remove another SPA from one of the SIP subslots. If you are not planning to immediately replace a SPA into the SIP, then be sure to install a blank filler plate in the subslot.
The SIP should always be fully installed with either functional SPAs or blank filler plates. For more information about activating and deactivating SPAs in preparation for OIR, see the “Preparing for Online Insertion and Removal of SIPs and SPAs” topic in the “Troubleshooting a SIP” chapter in this guide.

PART 6 Packet over SONET Shared Port Adapters

CHAPTER 14 Overview of the POS SPAs

This chapter provides an overview of the release history, and feature and Management Information Base (MIB) support for the Packet over SONET (POS) SPAs on the Cisco 7600 series router.

This chapter includes the following sections:
• Release History, page 14-1
• POS Technology Overview, page 14-2
• Supported Features, page 14-2
• Restrictions, page 14-5
• Supported MIBs, page 14-6
• SPA Architecture, page 14-7
• Displaying the SPA Hardware Type, page 14-10

Release History

Release                          Modification
15.1(1)S                         Support for Network Clocking and SSM functionality was extended.
15.0(1)S                         Support for Network Clocking and SSM functionality was added.
Cisco IOS Release 12.2(33)SRA    Support for the following hardware was introduced on the Cisco 7600 series router:
                                 • The 2-Port and 4-Port OC-48c/STM-16 POS SPA was introduced on the Cisco 7600 SIP-600.
                                 • The 1-Port OC-48c/STM-16 POS SPA was introduced on the Cisco 7600 SIP-400.
Cisco IOS Release 12.2(18)SXF2   Support for the 1-Port OC-192c/STM-64 POS/RPR VSR Optics SPA was introduced on the Cisco 7600 SIP-600 on the Cisco 7600 series router and Catalyst 6500 series switch.
Cisco IOS Release 12.2(18)SXF    Support for the following hardware was introduced on the Cisco 7600 series router and Catalyst 6500 series switch:
                                 • 1-Port OC-192c/STM-64 POS/RPR SPA
                                 • 1-Port OC-192c/STM-64 POS/RPR XFP SPA
Cisco IOS Release 12.2(18)SXE    Support for the following hardware was introduced on the Cisco 7600 series router and Catalyst 6500 series switch:
                                 • 2-Port OC-3c/STM-1 POS SPA
                                 • 4-Port OC-3c/STM-1 POS SPA
                                 • 1-Port OC-12c/STM-4 POS SPA

POS Technology Overview

Packet-over-SONET is a high-speed method of transporting IP traffic between two points. This technology combines the Point-to-Point Protocol (PPP) with Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) interfaces.

SONET is an octet-synchronous multiplex scheme defined by the American National Standards Institute (ANSI) standard (T1.105-1988) for optical digital transmission at hierarchical rates from 51.840 Mbps to 2.5 Gbps (Synchronous Transport Signal, STS-1 to STS-48) and greater. SDH is an equivalent international standard for optical digital transmission at hierarchical rates from 155.520 Mbps (Synchronous Transfer Mode-1 [STM-1]) to 2.5 Gbps (STM-16) and greater.

SONET specifications have been defined for single-mode fiber and multimode fiber. The POS SPAs on the Cisco 7600 series router allow transmission over both single-mode and multimode fiber at various optical carrier rates.

SONET/SDH transmission rates are integral multiples of 51.840 Mbps. The following transmission multiples are currently specified and used on the POS SPAs on the Cisco 7600 series router:
• OC-3c/STM-1—155.520 Mbps
• OC-12c/STM-4—622.080 Mbps
• OC-48—2.488 Gbps
• OC-192c/STM-64—9.953 Gbps

Supported Features

This section provides a list of some of the primary features supported by the POS SPA hardware and software:
• Jumbo frames (up to 9216 bytes)
• Online insertion and removal (OIR) from the SIP, or OIR of the SIP with the SPA inserted.
• Small form-factor pluggable (SFP) optics module OIR
• Field-programmable gate array (FPGA) upgrade support

The POS SPAs also support the following groups of features:
• SONET/SDH Compliance Features, page 14-3
• SONET/SDH Error, Alarm, and Performance Monitoring Features, page 14-3
• SONET/SDH Synchronization Features, page 14-4
• WAN Protocol Features, page 14-4
• Network Management Features, page 14-5

SONET/SDH Compliance Features

This section lists the SONET/SDH compliance features supported by the POS SPAs on the Cisco 7600 series router:
• 1+1 SONET Automatic Protection Switching (APS) as per G.783 Annex A
• 1+1 SDH Multiplex Section Protection (MSP) as per G.783 Annex A
• American National Standards Institute (ANSI) T1.105
• ITU-T G.707, G.783, G.957, G.958
• Telcordia GR-253-CORE: SONET Transport Systems: Common Generic Criteria
• Telcordia GR-1244: Clocks for the Synchronized Network: Common Generic Criteria

SONET/SDH Error, Alarm, and Performance Monitoring Features

This section lists the SONET/SDH error, alarm, and performance monitoring features supported by the POS SPAs on the Cisco 7600 series router:
• Signal failure bit error rate (SF-BER)
• Signal degrade bit error rate (SD-BER)
• Signal label payload construction (C2)
• Path trace byte (J1)
• Section:
  – Loss of signal (LOS)
  – Loss of frame (LOF)
  – Error counts for B1
  – Threshold crossing alarms (TCA) for B1
• Line:
  – Line alarm indication signal (LAIS)
  – Line remote defect indication (LRDI)
  – Line remote error indication (LREI)
  – Error counts for B2
  – Threshold crossing alarms (TCA) for B2
• Path:
  – Path alarm indication signal (PAIS)
  – Path remote defect indication (PRDI)
  – Path remote error indication (PREI)
  – Error counts for B3
  – Threshold crossing alarms (TCA) for B3
  – Loss of pointer (LOP)
  – New pointer events (NEWPTR)
  – Positive stuffing event (PSE)
  – Negative stuffing event (NSE)

SONET/SDH Synchronization Features

This section lists the SONET/SDH synchronization features supported by the POS SPAs on the Cisco 7600 series router:
• Local (internal) timing (for inter-router connections over dark fiber or Wavelength Division Multiplex [WDM] equipment)
• Loop (line) timing (for connecting to SONET/SDH equipment)
• +/– 20 ppm clock accuracy over full operating temperature
• Network Clocking and the Synchronization Status Message (SSM) functionality for the Channelized SPAs in a Cisco 7600 SIP-400 only.
  The POS SPAs supporting this feature for Cisco IOS Release 15.0(1)S are:
  – SPA-2xOC3-POS
  – SPA-4xOC3-POS
  – SPA-1xOC12-POS
  – SPA-2xOC12-POS
  The POS SPA supporting this feature for Cisco IOS Release 15.1(1)S is:
  – SPA-1XOC48-POS/RPR
  For more information on configuring the network clock, see Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.

WAN Protocol Features

This section lists the WAN protocols supported by the POS SPAs on the Cisco 7600 series router:
• RFC 1661, The Point-to-Point Protocol (PPP)
• RFC 1662, PPP in HDLC framing
• RFC 2615, PPP over SONET/SDH (with 1 + x^43 self-synchronous payload scrambling)
• RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP)—See Table 14-1 for BCP feature restrictions on the Cisco 7600 series router
• Cisco Protect Group Protocol over UDP/IP (Port 1972) for APS and MSP
• Multiprotocol Label Switching (MPLS)

Network Management Features

This section lists the network management features supported by the POS SPAs on the Cisco 7600 series router:
• Simple Network Management Protocol (SNMP) Management Information Base (MIB) counters
• Local (diagnostic) loopback
• Network loopback
• NetFlow Data Export
• IP over the Section Data Communications Channel (SDCC)—See Table 14-1 for SDCC feature restrictions on the Cisco 7600 series router
• RFC 3592 performance statistics for timed intervals (current, 15-minute, multiple 15-minute, and 1-day intervals):
  – Regenerator section
  – Multiplex section
  – Path errored seconds
  – Severely errored seconds
  – Severely errored framed seconds

Restrictions

Note: For other SIP-specific features and restrictions see also Chapter 3, “Overview of the SIPs and SSC”.

Table 14-1 provides information about POS feature compatibility and restrictions by SIP and SPA combination.

Table 14-1 POS Feature Compatibility and Restrictions by SIP and SPA Combination

Feature: Bridge Control Protocol (BCP)
  Cisco 7600 SIP-200: 2-Port and 4-Port OC-3c/STM-1 POS SPA—Supported.
  Cisco 7600 SIP-400:
    • 1-Port OC-12c/STM-4 POS SPA—Supported.
    • 2-Port and 4-Port OC-3c/STM-1 POS SPA—Supported.
    • 1-Port OC-48c/STM-16 POS SPA—Supported.
  Cisco 7600 SIP-600: Not supported on any POS SPAs.

Feature: Dynamic Packet Transport (DPT), which includes RPR/SRP
  Cisco 7600 SIP-200: Not supported on any POS SPAs.
  Cisco 7600 SIP-400: Not supported on any POS SPAs.
  Cisco 7600 SIP-600: Not supported on any POS SPAs.

Feature: Frame Relay
  Cisco 7600 SIP-200: Supported on all POS SPAs.
  Cisco 7600 SIP-400: Supported on all POS SPAs.
  Cisco 7600 SIP-600: Not supported on any POS SPAs.

Feature: Multilink PPP
  Cisco 7600 SIP-200: Not supported on any OC-3 POS SPAs.
  Cisco 7600 SIP-400: Not supported on any OC-3 POS SPAs.
  Cisco 7600 SIP-600: Not supported on any OC-3 POS SPAs.

Feature: Section Data Communications Channel (SDCC)
  Cisco 7600 SIP-200:
    • 2-Port OC-3c/STM-1 POS SPA—Supported.
    • 4-Port OC-3c/STM-1 POS SPA—SDCC is supported on up to two ports.
  Cisco 7600 SIP-400:
    • 2-Port OC-3c/STM-1 POS SPA—Supported.
    • 4-Port OC-3c/STM-1 POS SPA—SDCC is supported on up to two ports.
    • 1-Port OC-12c/STM-4 POS SPA—Supported.
    • 1-Port OC-48c/STM-16 POS SPA—Not supported.
  Cisco 7600 SIP-600: Not supported on any POS SPAs.

Feature: Bandwidth-limited Priority Queuing
  Cisco 7600 SIP-200: Not supported on any POS SPAs.
  Cisco 7600 SIP-400: Not supported on any POS SPAs.
  Cisco 7600 SIP-600: Not supported on any POS SPAs.
  Note: The POS SPAs do not support bandwidth-limited priority queueing, but support only strict priority policy maps, that is, the priority command without any parameters.

Supported MIBs

The following MIBs are supported in Cisco IOS Release 12.2(18)SXF2 for the 2-Port and 4-Port OC-3c/STM-1 POS SPA, 1-Port OC-12c/STM-4 POS SPA, 1-Port OC-192c/STM-64 POS/RPR SPA, 1-Port OC-192c/STM-64 POS/RPR XFP SPA, and 1-Port OC-192c/STM-64 POS/RPR VSR Optics SPA on the Cisco 7600 series router:
• CISCO-APS-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENVMON-MIB (For NPEs, NSEs, line cards, and MSCs only)
• CISCO-EXTENDED-ENTITY-MIB
• CISCO-OPTICAL-MIB
• ENTITY-MIB
• OLD-CISCO-CHASSIS-MIB
• IF-MIB
• SONET-MIB (RFC 2558, Definitions of Managed Objects for SONET/SDH Interface Type)

For more information about MIB support on Cisco xxxx series routers, refer to the Cisco 7600 Series Internet Router MIB Specifications Guide, at the following URL: http://www.cisco.com/en/US/products/hw/routers/ps368/prod_technical_reference_list.html

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you.

SPA Architecture

This section provides an overview of the architecture of the POS SPAs and describes the path of a packet in the ingress and egress directions. Some of these areas of the architecture are referenced in the SPA software and can be helpful to understand when troubleshooting or interpreting some of the SPA CLI and show command output.
4-Port OC-3c/STM-1 POS SPA Architecture

Figure 14-1 identifies some of the hardware devices that are part of the POS SPA architecture. The figure shows the four ports that are supported by the 4-Port OC-3c/STM-1 POS SPA only.

Figure 14-1 4-Port OC-3c/STM-1 POS SPA Architecture
[Figure: Optics (SONET/SDH streams) <-> SONET/SDH Framer (packets) <-> FPGA (packets) <-> SPA Connector, to and from the host]

Every incoming and outgoing packet on the 4-Port OC-3c/STM-1 POS SPA goes through the SONET/SDH framer and field-programmable gate array (FPGA) devices.

Path of a Packet in the Ingress Direction

The following steps describe the path of an ingress packet through the 4-Port OC-3c/STM-1 POS SPA:
1. The framer receives SONET/SDH streams from the SFP optics, extracts clocking and data, and processes the section, line, and path overhead.
2. The framer extracts the POS frame payload and verifies the frame size and frame check sequence (FCS).
3. The framer passes valid frames to the field-programmable gate array (FPGA) on the SPA.
4. The FPGA on the SPA transfers frames to the host through the SPI4.2 bus for further processing and switching.

Path of a Packet in the Egress Direction

The following steps describe the path of an egress packet through the 4-Port OC-3c/STM-1 POS SPA:
1. The host sends packets to the FPGA on the SPA using the SPI4.2 bus.
2. The FPGA on the SPA stores the data in the appropriate channel’s first-in first-out (FIFO) queue.
3. The FPGA on the SPA passes the packet to the framer.
4. The framer accepts the data and stores it in the appropriate channel queue.
5. The framer adds the FCS and SONET/SDH overhead.
6. The framer sends the data to the SFP optics for transmission onto the network.

1-Port OC-192c/STM-64 POS/RPR XFP SPA Architecture

Figure 14-2 identifies the primary hardware devices that are part of the POS SPA architecture.
The figure shows a single optics transceiver supported by both of the POS SPAs. However, the 1-Port OC-192c/STM-64 POS/RPR SPA and 1-Port OC-192c/STM-64 POS/RPR VSR Optics SPA support fixed optics, while the 1-Port OC-192c/STM-64 POS/RPR XFP SPA supports XFP optics. The path of a packet remains the same except for where the optic transceiver support resides.

Figure 14-2 1-Port OC-192c/STM-64 POS/RPR XFP SPA Architecture
[Figure: Optics Transceiver (SONET/SDH streams) <-> SONET/SDH Framer (packets) <-> SPI4.2 Bus <-> SPA Connector, to and from the host]

In POS mode, every incoming and outgoing packet on the OC-192 POS SPAs goes through the SONET/SDH framer and SPI4.2 interface.

Path of a Packet in the Ingress Direction

The following steps describe the path of an ingress packet through the 1-Port OC-192c/STM-64 POS/RPR XFP SPA:
1. The framer receives SONET/SDH streams from the XFP optics, extracts clocking and data, and processes the section, line, and path overhead.
2. The framer extracts the POS frame payload and verifies the frame size and frame check sequence (FCS).
3. The framer passes valid frames to the System Packet Level Interface 4.2 (SPI4.2) interface on the SPA.
4. The SPI4.2 interface transfers frames to the host through the SPI4.2 bus for further processing and switching.

Path of a Packet in the Egress Direction

The following steps describe the path of an egress packet through the 1-Port OC-192c/STM-64 POS/RPR XFP SPA:
1. The host sends packets to the SPA using the SPI4.2 bus.
2. The SPA stores the data in the appropriate channel’s first-in first-out (FIFO) queue.
3. The SPA passes the packet to the framer.
4. The framer accepts the data and stores it in the appropriate channel queue.
5. The framer adds the FCS and SONET/SDH overhead.
6. The framer sends the data to the XFP optics for transmission onto the network.
2-Port OC-48c/STM-16 POS SPA Architecture

Figure 14-3 identifies the primary hardware devices that are part of the 2-Port OC-48c/STM-16 POS SPA architecture.

Figure 14-3 2-Port OC-48c/STM-16 POS SPA Architecture
[Figure: SONET/SDH streams pass between the optics transceivers and the SONET/SDH framer; the framer connects to the POS processor (with its Ring MAC and external SDRAM), which exchanges packets with the host over the SPI4.2 bus through the SPA connector.]

Path of a Packet in the Ingress Direction

The following steps describe the path of an ingress packet through the 2-Port OC-48c/STM-16 POS SPA:

1. The framer receives SONET/SDH streams from the SFP optics, extracts clocking and data, and processes the section, line, and path overhead.
2. The framer detects Loss of Signal (LOS), Loss of Frame (LOF), Severely Errored Frame (SEF), Line Alarm Indication Signal (AIS-L), Loss of Pointer (LOP), Line Remote Defect Indication Signal (Enhanced RDI-L), Path Alarm Indication Signal (AIS-P), Standard and Enhanced Path Remote Defect Indication Signal (RDI-P), and Path Remote Error Indication (Enhanced REI-P).
3. The framer processes the S1 synchronization status byte and the pointer action bytes (per Telcordia GR-253-CORE), and extracts or inserts DCC bytes.
4. The POS processor extracts the POS frame payload and verifies the frame size and frame check sequence (FCS).
5. The POS processor supports PPP, Frame Relay, or HDLC modes and optionally performs payload scrambling.
6. The POS processor passes valid frames to the System Packet Level Interface 4.2 (SPI4.2) interface on the SPA.
7. The SPI4.2 interface transfers frames to the host through the SPI4.2 bus for further processing and switching.

Path of a Packet in the Egress Direction

The following steps describe the path of an egress packet through the 2-Port OC-48c/STM-16 POS SPA:

1. The host sends packets to the SPA using the SPI4.2 bus.
2. The SPA stores the data in the appropriate SPI4 channel’s first-in first-out (FIFO) queue.
3. The SPA passes the packet from the SPI4 interface to the POS processor, where it is encapsulated in a POS frame and the FCS is added.
4. The POS frame is sent to the SONET/SDH framer, where it is placed into the SONET payload.
5. The framer adds the FCS and SONET/SDH overhead.
6. The framer sends the data to the SFP optics for transmission onto the network.

Displaying the SPA Hardware Type

To verify the SPA hardware type that is installed in your Cisco 7600 series router, you can use the show idprom command. For other hardware information, you can also use the show interfaces or show controllers commands. There are several other commands on the Cisco 7600 series router that also provide SPA hardware information. For more information about these commands, see the “Command Summary for POS SPAs” and the “SIP and SPA Commands” chapters in this guide.
Table 14-2 shows the hardware description that appears in the show command output for each type of SPA that is supported on the Cisco 7600 series router.

Table 14-2 SPA Hardware Descriptions in show Commands

SPA                                     Description in show interfaces Command   Description in show idprom Command
2-Port OC-3c/STM-1 POS SPA              Hardware is Packet over Sonet            2-port OC3/STM1 POS Shared Port Adapter / SPA-2XOC3-POS
4-Port OC-3c/STM-1 POS SPA              Hardware is Packet over Sonet            4-port OC3/STM1 POS Shared Port Adapter / SPA-4XOC3-POS
1-Port OC-12c/STM-4 POS SPA             Hardware is Packet over Sonet            1-port OC12/STM4 POS Shared Port Adapter / SPA-1XOC12-POS
1-Port OC-48c/STM-16 POS SPA            Hardware is Packet over Sonet            1-port OC48/STM16 POS/RPR Shared Port Adapter / SPA-1XOC48POS/RPR
2-Port OC-48c/STM-16 POS SPA            Hardware is Packet over Sonet            2-port OC48/STM16 POS/RPR Shared Port Adapter / SPA-2XOC48POS/RPR
4-Port OC-48c/STM-16 POS SPA            Hardware is Packet over Sonet            4-port OC48/STM16 POS/RPR Shared Port Adapter / SPA-4XOC48POS/RPR
1-Port OC-192c/STM-64 POS/RPR SPA       Hardware is Packet over Sonet            1-port OC192/STM64 POS/RPR Shared Port Adapter / SPA-OC192POS-VSR / SPA-OC192POS-LR
1-Port OC-192c/STM-64 POS/RPR XFP SPA   Hardware is Packet over Sonet            1-port OC192/STM64 POS/RPR XFP Optics Shared Port Adapter / SPA-OC192POS-XFP

Example of the show idprom Command

The following example shows sample output for the show idprom module detail command for a 4-Port OC-3c/STM-1 POS SPA installed in subslot 3 of the SIP installed in slot 2 of the router:

Router# show idprom module 2/3 detail
IDPROM for SPA module #2/3 (FRU is '4-port OC3/STM1 POS Shared Port Adapter')
  EEPROM version           : 4
  Compatible Type          : 0xFF
  Controller Type          : 1088
  Hardware Revision        : 0.230
  Boot Timeout             : 0 msecs
  PCB Serial Number        : PRTA0304155
  Part Number              : 73-9313-02
  73/68 Board Revision     : 04
  Fab Version              : 02
  RMA Test History         : 00
  RMA Number               : 0-0-0-0
  RMA History              : 00
  Deviation Number         : 0
  Product Identifier (PID) : SPA-4XOC3-POS
  Version Identifier (VID) : V01
  .
  .
  .
Example of the show interfaces Command

The following example shows output from the show interfaces pos command on a Cisco 7600 series router with a 4-Port OC-3c/STM-1 POS SPA installed in slot 5:

Router# show interfaces pos 5/0/1
POS5/0/1 is up, line protocol is up
  Hardware is Packet over Sonet
  Internet address is 10.5.5.5/8
  MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
     reliability 96/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive not set
  Scramble disabled
  Last input 00:00:11, output 00:00:11, output hang never
  Last clearing of ''show interface'' counters 00:00:23
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 520 bytes
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5 packets output, 520 bytes, 0 underruns
     0 output errors, 0 applique, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

Example of the show controllers Command

The following example shows output from the show controllers pos command on a Cisco 7600 series router for the first interface (0) of a POS SPA installed in subslot 2 of a SIP installed in chassis slot 3:

Router# show controllers pos 3/2/0
POS3/2/0
SECTION
  LOF = 0          LOS    = 0                            BIP(B1) = 0
LINE
  AIS = 0          RDI    = 0   FEBE = 0                 BIP(B2) = 0
PATH
  AIS = 0          RDI    = 0   FEBE = 0                 BIP(B3) = 0
  PLM = 0          UNEQ   = 0   TIM  = 0                 TIU     = 0
  LOP = 0          NEWPTR = 0   PSE  = 0                 NSE     = 0

Active Defects: None
Active Alarms:  None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA

Framing: SONET
APS
  COAPS = 0          PSBF = 0
  State: PSBF_state = False
  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  Rx Synchronization Status S1 = 00
  S1S0 = 00, C2 = CF
Remote aps status (none); Reflected local aps status (none)
CLOCK RECOVERY
  RDOOL = 0
  State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
  Remote hostname : sip-sw-7600-2
  Remote interface: POS3/2/1
  Remote IP addr  : 0.0.0.0
  Remote Rx(K1/K2): 00/00  Tx(K1/K2): 00/00

BER thresholds:  SF = 10e-3  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: internal

CHAPTER 15

Configuring the POS SPAs

This chapter provides information about configuring the Packet over SONET (POS) shared port adapters (SPAs) on the Cisco 7600 series router. This chapter includes the following sections:

• Configuration Tasks, page 15-1
• Verifying the Interface Configuration, page 15-15
• Configuration Examples, page 15-16

For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications that correspond to your Cisco IOS software release.

For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.

Configuration Tasks

This section describes how to configure POS SPAs and includes information about verifying the configuration.
It includes the following topics:

• Specifying the Interface Address on a SPA, page 15-2
• Modifying the Interface MTU Size, page 15-2
• Modifying the POS Framing, page 15-3
• Modifying the Keepalive Interval, page 15-5
• Modifying the CRC Size, page 15-6
• Modifying the Clock Source, page 15-6
• Modifying SONET Payload Scrambling, page 15-8
• Configuring the Encapsulation Type, page 15-8
• Configuring APS, page 15-9
• Configuring POS Alarm Trigger Delays, page 15-10
• Configuring SDCC, page 15-13
• Saving the Configuration, page 15-14
• Shutting Down and Restarting an Interface on a SPA, page 15-15

Specifying the Interface Address on a SPA

SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP, SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:

• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.

The following example shows how to specify the first interface (0) on a SPA installed in the first subslot of a SIP (0) installed in chassis slot 3:

Router(config)# interface serial 3/0/0

This command shows a serial SPA as a representative example; the same slot/subslot/port format is used for other SPAs (such as ATM and POS) and other non-channelized SPAs.

Modifying the Interface MTU Size

The Cisco IOS software supports three different types of configurable maximum transmission unit (MTU) options at different levels of the protocol stack:

• Interface MTU—Checked by the SPA on traffic coming in from the network. Different interface types support different interface MTU sizes and defaults. The interface MTU defines the maximum packet size allowable (in bytes) for an interface before drops occur. If the frame is no larger than the interface MTU size and carries at least three bytes of payload, the frame continues to be processed.
• IP MTU—Can be configured on a subinterface and is used by the Cisco IOS software to determine whether fragmentation of a packet takes place. If an IP packet exceeds the IP MTU size, then the packet is fragmented.
• Tag or Multiprotocol Label Switching (MPLS) MTU—Can be configured on a subinterface and allows up to six different labels, or tag headers, to be attached to a packet. The maximum number of labels is dependent on your Cisco IOS software release.

Different encapsulation methods and the number of MPLS MTU labels add additional overhead to a packet. For example, for an Ethernet packet, SNAP encapsulation adds an 8-byte header, dot1q encapsulation adds a 2-byte header, and each MPLS label adds a 4-byte header (n labels x 4 bytes).

Interface MTU Configuration Guidelines

When configuring the interface MTU size on the POS SPAs, consider the following guidelines:

• If you are also using MPLS, be sure that the mpls mtu command is configured for a value less than or equal to the interface MTU.
• If you change the interface MTU size, the giant counter increments when the interface receives a packet that exceeds the MTU size that you configured, plus an additional 88 bytes for overhead, and an additional 2 or 4 bytes for the configured cyclic redundancy check (CRC). For example, with a maximum MTU size of 9216 bytes, the giant counter increments:
  – For a 16-bit CRC (or FCS), when receiving packets larger than 9306 bytes (9216 + 88 + 2).
  – For a 32-bit CRC, when receiving packets larger than 9308 bytes (9216 + 88 + 4).
• The Frame Relay Local Management Interface (LMI) protocol requires that all permanent virtual circuit (PVC) status reports fit into a single packet. Using the default MTU of 4470 bytes, this limits the number of data-link connection identifiers (DLCIs) to 890. The following formula demonstrates how to determine the maximum DLCIs for a configured interface MTU:
  – Maximum DLCIs = (MTU bytes – 20)/(5 bytes per DLCI)
  – Maximum DLCIs for the default MTU = (4470 – 20)/5 = 890 DLCIs per interface

Interface MTU Configuration Task

To modify the MTU size on an interface, use the following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# mtu bytes              Configures the maximum packet size for an interface, where:
                                          • bytes—Specifies the maximum number of bytes for a packet. The default is 4470 bytes.

To return to the default MTU size, use the no form of the command.

Verifying the MTU Size

To verify the MTU size for an interface, use the show interfaces pos privileged EXEC command and observe the value shown in the “MTU” field. The following example shows an MTU size of 4470 bytes for interface port 0 (the first port) on the SPA installed in subslot 1 of the SIP that is located in slot 2 of the Cisco 7600 series router:

Router# show interfaces pos 2/1/0
POS2/1/0 is up, line protocol is up (APS working - active)
  Hardware is Packet over Sonet
  Internet address is 10.1.1.1/24
  MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  .
  .
  .

Modifying the POS Framing

POS framing can be specified as SONET (Synchronous Optical Network) or SDH (Synchronous Digital Hierarchy). SONET and SDH are a set of related standards for synchronous data transmission over fiber-optic networks. SONET is the United States version of the standard published by the American National Standards Institute (ANSI). SDH is the international version of the standard published by the International Telecommunications Union (ITU).

To modify the POS framing, use the following command in interface configuration mode:

To return to the default, use the no form of the command.

Verifying the POS Framing

To verify the POS framing, use the show controllers pos privileged EXEC command and observe the value shown in the “Framing” field. The following example shows that POS framing mode is set to SONET for the first interface (0) on the POS SPA installed in subslot 2 of a SIP installed in chassis slot 3:

Router# show controllers pos 3/2/0
POS3/2/0
SECTION
  LOF = 0          LOS    = 0                            BIP(B1) = 0
LINE
  AIS = 0          RDI    = 0   FEBE = 0                 BIP(B2) = 0
PATH
  AIS = 0          RDI    = 0   FEBE = 0                 BIP(B3) = 0
  PLM = 0          UNEQ   = 0   TIM  = 0                 TIU     = 0
  LOP = 0          NEWPTR = 0   PSE  = 0                 NSE     = 0

Active Defects: None
Active Alarms:  None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA

Framing: SONET
APS
  COAPS = 0          PSBF = 0
  State: PSBF_state = False
  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  Rx Synchronization Status S1 = 00
  S1S0 = 00, C2 = CF
Remote aps status (none); Reflected local aps status (none)
CLOCK RECOVERY
  RDOOL = 0
  State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
  Remote hostname : sip-sw-7600-2
  Remote interface: POS3/2/1
  Remote IP addr  : 0.0.0.0
  Remote Rx(K1/K2): 00/00  Tx(K1/K2): 00/00

BER thresholds:  SF = 10e-3  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: internal

Modifying the Keepalive Interval

When the keepalive feature is enabled, a keepalive packet is sent at the specified time interval to keep the interface active.
The keepalive interval must be configured to be the same on both ends of the POS link.

To modify the keepalive interval, use the following command in interface configuration mode:

Command                                        Purpose
Router(config-if)# keepalive [period [retries]]   Specifies the frequency at which the Cisco IOS software sends messages to the other end of the link, to ensure that a network interface is alive, where:
                                               • period—Specifies the time interval in seconds for sending keepalive packets. The default is 10 seconds.
                                               • retries—Specifies the number of times that the device will continue to send keepalive packets without response before bringing the interface down. The default is 5 retries.

To disable keepalive packets, use the no form of this command.

Note: If keepalives are enabled and you are trying to configure line loopback on a POS interface, the keepalive protocol will fail and periodically reset the interface based on the keepalive timeout and cause Layer 1 errors on the other end of the link that is trying to do the loopbacks. You can avoid this by using the no keepalive command on the POS interface that is configured for line loopback. The side that is not in line loopback detects that its keepalive is being looped back and functions properly. An interface configured for internal loopback also functions properly with keepalives enabled.

Verifying the Keepalive Interval

To verify the keepalive interval, use the show interfaces pos privileged EXEC command and observe the value shown in the “Keepalive” field. The following example shows that keepalive is enabled for interface port 0 on the POS SPA installed in the SIP that is located in slot 2 of the Cisco 7600 series router:

Router# show interfaces pos 2/0/0
  Hardware is Packet over Sonet
  Internet address is 10.1.1.1.2
  MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Keepalive set (10 sec)
  .
  .
  .

Modifying the CRC Size

CRC is an error-checking technique that uses a calculated numeric value to detect errors in transmitted data. The CRC size indicates the length in bits of the FCS. The CRC size must be configured to be the same on both ends of the POS link.

To modify the CRC size, use the following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# crc [16 | 32]          (As Required) Specifies the length of the cyclic redundancy check (CRC), where:
                                          • 16—Specifies a 16-bit length CRC. This is the default.
                                          • 32—Specifies a 32-bit length CRC.
                                          The CRC size must be configured to be the same on both ends of the POS link.

To return to the default CRC size, use the no form of the command.

Verifying the CRC Size

To verify the CRC size, use the show interfaces pos privileged EXEC command and observe the value shown in the “CRC” field. The following example shows that the CRC size is 16 for interface port 0 on the POS SPA installed in the SIP that is located in slot 2 of the Cisco 7600 series router:

Router# show interfaces pos 2/0/0
  Hardware is Packet over Sonet
  Internet address is 10.1.1.2.1
  MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  .
  .
  .

Modifying the Clock Source

A clock source of internal specifies that the interface clocks its transmitted data from its internal clock. A clock source of line specifies that the interface clocks its transmitted data from a clock recovered from the line’s receive data stream. For information about the recommended clock source settings for POS router interfaces, refer to Configuring Clock Settings on POS Router Interfaces at the following URL:

http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080094bb9.shtml

To modify the clock source, use the following command in interface configuration mode:

Command                                          Purpose
Router(config-if)# clock source {line | internal}   Specifies the clock source for the POS link, where:
                                                 • line—The link uses the recovered clock from the line. This is the default.
                                                 • internal—The link uses the internal clock source.

To return to the default clock source, use the no form of this command.

Verifying the Clock Source

To verify the clock source, use the show controllers pos privileged EXEC command and observe the value shown in the “Clock source” field. The following example shows that the clock source is internal for interface port 0 on the POS SPA installed in subslot 0 of the SIP that is located in slot 2 of the Cisco 7600 series router:

Router# show controllers pos 2/0/0
POS2/0/0
SECTION
  LOF = 0          LOS    = 1                            BIP(B1) = 7
LINE
  AIS = 0          RDI    = 1   FEBE = 20                BIP(B2) = 9
PATH
  AIS = 0          RDI    = 0   FEBE = 0                 BIP(B3) = 5
  PLM = 0          UNEQ   = 0   TIM  = 0                 TIU     = 0
  LOP = 0          NEWPTR = 0   PSE  = 0                 NSE     = 0

Active Defects: None
Active Alarms:  None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA LAIS LRDI B2-TCA PAIS PLOP PRDI PUNEQ B3-TCA RDOOL

APS
  COAPS = 2          PSBF = 0
  State: PSBF_state = False
  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  Rx Synchronization Status S1 = 00
  S1S0 = 02, C2 = CF
CLOCK RECOVERY
  RDOOL = 0
  State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
  Remote hostname : RouterTester. Port 102/1
  Remote interface:
  Remote IP addr  :
  Remote Rx(K1/K2):   /     Tx(K1/K2):   /

BER thresholds:  SF = 10e-5  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: internal
  .
  .
  .
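Every verification step in the sections above (interface MTU, framing, keepalive, CRC and clock source) comes down to reading a field out of show interfaces pos or show controllers pos and comparing it with the far end, since the guide requires several of those settings to be identical on both ends of the link. The following Python script is an added example, not part of this guide or of Cisco IOS. It parses constructed output for the two ends of a POS link (modelled on the sample output above; the interface names, addresses and values are assumptions, not captured from a router), reports the fields that must match at both ends (MTU, encapsulation, CRC, keepalive, scrambling and framing; the Encapsulation and Scramble lines are already present in the show interfaces pos output shown above and are covered by the two sections that follow), and computes the giant-counter threshold and maximum-DLCI figures from the interface MTU guidelines.

```python
import re

# Fields that the configuration sections say must be set identically at both ends of a POS link.
MUST_MATCH = ("mtu", "encapsulation", "crc", "keepalive", "scramble", "framing")

# Constructed sample output for the two ends of one link (modelled on the guide's samples,
# not captured from a real router); end B deliberately disagrees on several fields.
END_A_INTERFACES = """\
POS2/1/0 is up, line protocol is up
  Hardware is Packet over Sonet
  Internet address is 10.1.1.1/24
  MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Scramble disabled
"""
END_A_CONTROLLERS = """\
POS2/1/0
Active Defects: None
Active Alarms:  None
Framing: SONET
BER thresholds:  SF = 10e-3  SD = 10e-6
Clock source: internal
"""
END_B_INTERFACES = """\
POS3/2/0 is up, line protocol is up
  Hardware is Packet over Sonet
  Internet address is 10.1.1.2/24
  MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 32, loopback not set
  Keepalive not set
  Scramble enabled
"""
END_B_CONTROLLERS = """\
POS3/2/0
Active Defects: None
Active Alarms:  None
Framing: SDH
BER thresholds:  SF = 10e-3  SD = 10e-6
Clock source: line
"""


def parse_show_interfaces_pos(text):
    """Pull the link-consistency fields out of 'show interfaces pos' output."""
    fields = {"mtu": int(re.search(r"MTU (\d+) bytes", text).group(1))}
    encap = re.search(r"Encapsulation ([^,]+), crc (\d+)", text)
    fields["encapsulation"], fields["crc"] = encap.group(1), int(encap.group(2))
    keep = re.search(r"Keepalive set \((\d+) sec\)", text)
    fields["keepalive"] = int(keep.group(1)) if keep else None  # None means "Keepalive not set"
    fields["scramble"] = re.search(r"Scramble (enabled|disabled)", text).group(1)
    return fields


def parse_show_controllers_pos(text):
    """Pull framing, clock source, BER thresholds and active alarms out of 'show controllers pos'."""
    ber = re.search(r"SF = 10e-(\d+)\s+SD = 10e-(\d+)", text)
    return {
        "framing": re.search(r"Framing:\s*(\S+)", text).group(1),
        "clock_source": re.search(r"Clock source:\s*(\S+)", text).group(1),
        "sf_ber": int(ber.group(1)),  # exponent n of the 10e-n signal failure threshold
        "sd_ber": int(ber.group(2)),  # exponent n of the 10e-n signal degrade threshold
        "active_alarms": re.search(r"Active Alarms:\s*(.+)", text).group(1).strip(),
    }


def compare_ends(end_a, end_b):
    """List every MUST_MATCH field on which the two ends of the link disagree."""
    return [f"{k}: {end_a[k]} != {end_b[k]}" for k in MUST_MATCH if end_a[k] != end_b[k]]


def giant_threshold(mtu, crc_bits):
    """Smallest received frame that increments the giants counter: MTU + 88 overhead + FCS bytes."""
    return mtu + 88 + crc_bits // 8


def max_dlcis(mtu):
    """Frame Relay LMI limit from the MTU guidelines: (MTU - 20) / 5 bytes per DLCI."""
    return (mtu - 20) // 5


def audit_link(a_interfaces, a_controllers, b_interfaces, b_controllers):
    """Parse both ends and return the mismatches plus the derived MTU figures for end A."""
    end_a = {**parse_show_interfaces_pos(a_interfaces), **parse_show_controllers_pos(a_controllers)}
    end_b = {**parse_show_interfaces_pos(b_interfaces), **parse_show_controllers_pos(b_controllers)}
    return {
        "mismatches": compare_ends(end_a, end_b),
        "giant_threshold_a": giant_threshold(end_a["mtu"], end_a["crc"]),
        "max_dlcis_a": max_dlcis(end_a["mtu"]),
        "active_alarms": (end_a["active_alarms"], end_b["active_alarms"]),
    }


if __name__ == "__main__":
    report = audit_link(END_A_INTERFACES, END_A_CONTROLLERS, END_B_INTERFACES, END_B_CONTROLLERS)
    for item in report["mismatches"]:
        print("MISMATCH", item)
    print("giants counted above", report["giant_threshold_a"], "bytes; max DLCIs", report["max_dlcis_a"])
```

The parser keys on the field labels exactly as they appear in the show output, so a field that is missing from a block raises an error rather than silently counting as a match; on a real router the four text blocks would be the output of the two show commands collected on each end of the link.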
Modifying SONET Payload Scrambling

SONET payload scrambling applies a self-synchronous scrambler (x^43 + 1) to the Synchronous Payload Envelope (SPE) of the interface to ensure sufficient bit transition density. The default configuration is SONET payload scrambling disabled. SONET payload scrambling must be configured to be the same on both ends of the POS link.

To modify SONET payload scrambling, use the following command in interface configuration mode:

Command                                   Purpose
Router(config-if)# pos scramble-atm       Enables SONET payload scrambling.

To disable SONET payload scrambling, use the no form of this command.

Verifying SONET Payload Scrambling

To verify SONET payload scrambling, use the show interfaces pos privileged EXEC command and observe the value shown in the “Scramble” field. The following example shows that SONET payload scrambling is disabled for interface port 0 on the POS SPA installed in subslot 0 of the SIP that is located in slot 2 of the Cisco 7600 series router:

Router# show interfaces pos 2/0/0
  Hardware is Packet over Sonet
  Internet address is 10.0.0.1/24
  MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive not set
  Scramble disabled
  .
  .
  .

Configuring the Encapsulation Type

By default, the POS interfaces support High-Level Data Link Control (HDLC) encapsulation. The encapsulation method can be specified as HDLC, Point-to-Point Protocol (PPP), or Frame Relay. The encapsulation type must be configured to be the same on both ends of the POS link.

To modify the encapsulation method, use the following command in interface configuration mode:

Command                                              Purpose
Router(config-if)# encapsulation encapsulation-type   Specifies the encapsulation method used by the interface, where:
                                                     • encapsulation-type—Can be HDLC, PPP, or Frame Relay. The default is HDLC.

Verifying the Encapsulation Type

To verify the encapsulation type, use the show interfaces pos privileged EXEC command and observe the value shown in the “Encapsulation” field. The following example shows that the encapsulation type is HDLC for port 0 on the POS SPA installed in subslot 0 of the SIP that is located in slot 2 of the Cisco 7600 series router:

Router# show interfaces pos 2/0/0
  Hardware is Packet over Sonet
  Internet address is 10.0.0.1/24
  MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive not set
  Scramble disabled
  .
  .
  .

Configuring APS

Automatic protection switching (APS) allows switchover of POS circuits in the event of circuit failure and is often required when connecting SONET equipment to telco equipment. APS refers to the mechanism of using a “protect” POS interface in the SONET network as the backup for a “working” POS interface. When the working interface fails, the protect interface quickly assumes its traffic load. Depending on the configuration, the two circuits may be terminated in the same router, or in different routers.

The performance enhancement of PPP/MLPPP APS does not impact the original PPP/MLPPP scalability on the Cisco 7600.

For more information about APS, refer to A Brief Overview of Packet Over SONET APS at the following URL:

http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080093eb5.shtml

To configure the working POS interface, use the following command in interface configuration mode:

Command                                      Purpose
Router(config-if)# aps working circuit-number   Configures a POS interface as a working APS interface, where:
                                             • circuit-number—Specifies the circuit number associated with this working interface.

To remove the POS interface as a working interface, use the no form of this command.

To configure the protect POS interface, use the following command in interface configuration mode:

Command                                                 Purpose
Router(config-if)# aps protect circuit-number ip-address   Configures a POS interface as a protect APS interface, where:
                                                        • circuit-number—Specifies the number of the circuit to enable as a protect interface.
                                                        • ip-address—Specifies the IP address of the router that has the working POS interface.

To remove the POS interface as a protect interface, use the no form of this command.

Verifying the APS Configuration

To verify the APS configuration or to determine if a switchover has occurred, use the show aps command.

The following is an example of a router configured with a working interface. In this example, POS interface 0/0/0 is configured as a working interface in group 1, and the interface is selected (that is, active).

Router# show aps
POS0/0/0 working group 1 channel 1 Enabled Selected

The following is an example of a router configured with a protect interface. In this example, POS interface 2/1/1 is configured as a protect interface in group 1. The output also shows that the working channel is located on the router with the IP address 10.0.0.1 and that the interface currently selected is enabled.

Router# show aps
POS2/1/1 APS Group 1: protect channel 0 (inactive)
        Working channel 1 at 10.0.0.1 (Enabled)
        SONET framing; SONET APS signalling by default
        Remote APS configuration: (null)
  .
  .
  .

Configuring POS Alarm Trigger Delays

A trigger is an alarm that, when activated, causes the line protocol to go down. The POS alarm trigger delay helps to ensure uptime of a POS interface by preventing intermittent problems from disabling the line protocol. The POS alarm trigger delay feature delays the setting of the line protocol to down when trigger alarms are received. If the trigger alarm was sent because of an intermittent problem, the POS alarm trigger delay can prevent the line protocol from going down when the line protocol is functional.

Line-Level and Section-Level Triggers

The pos delay triggers line command is used for POS router interfaces connected to internally-protected Dense Wavelength Division Multiplexing (DWDM) systems. This command is invalid for interfaces that are configured as working or protect APS.

Normally a few microseconds of line- or section-level alarms brings down the link until the alarm has been clear for ten seconds. If you configure holdoff, the link-down trigger is delayed for 100 milliseconds. If the alarm stays up for more than 100 milliseconds, the link is brought down. If the alarm clears before 100 milliseconds, the link remains up.

The following line- and section-level alarms are triggers, by default, for the line protocol to go down:

• Line alarm indication signal (LAIS)
• Section loss of signal (SLOS)
• Section loss of frame (SLOF)

You can issue the pos delay triggers line command to delay a down trigger of the line protocol on the interface. You can set the delay from 50 to 10000 milliseconds. The default delay is 100 milliseconds.

To configure POS line- or section-level triggers, use the following commands beginning in interface configuration mode:

To disable alarm trigger delays, use the no form of the pos delay triggers line command.
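How the hold-off decides whether a trigger alarm brings the line protocol down is easiest to see by replaying a timeline. The following Python script is an added example, not part of this guide or of Cisco IOS: it runs a constructed sequence of SONET alarm assert/clear events (not a captured router log) through a per-trigger delay, applies the rule above that the line protocol goes down only if the alarm is still asserted when the hold-off expires, and brings the protocol back only after the triggers have been clear for ten seconds. The path-level alarms (PAIS, PRDI, PLOP) are treated as triggers only when a path delay is supplied, matching the Path-Level Triggers description that follows; the event format and the timer bookkeeping are assumptions of the example.

```python
# Alarms that are line-/section-level triggers by default, and the path-level alarms that
# become triggers only when 'pos delay triggers path' is configured (as the guide describes).
LINE_TRIGGERS = {"LAIS", "SLOS", "SLOF"}
PATH_TRIGGERS = {"PAIS", "PRDI", "PLOP"}
CLEAR_HOLD_MS = 10_000  # the link stays down until the alarm has been clear for ten seconds

# Constructed alarm timeline for one interface as (ms, alarm, "assert" | "clear"); not a router log.
SAMPLE_EVENTS = [
    (0, "SLOS", "assert"),      # 60 ms glitch, shorter than the 100 ms default hold-off
    (60, "SLOS", "clear"),
    (1000, "LAIS", "assert"),   # asserted for 250 ms, longer than the hold-off
    (1250, "LAIS", "clear"),
    (12000, "SLOF", "assert"),  # 40 ms glitch after the line protocol has recovered
    (12040, "SLOF", "clear"),
]


def simulate(events, line_delay_ms=100, path_delay_ms=None):
    """Replay alarm events through per-trigger hold-off timers.

    A trigger alarm takes the line protocol down only if it is still asserted when its
    hold-off expires; the protocol comes back once every trigger has been clear for
    CLEAR_HOLD_MS. Returns the number of down events, whether the protocol is up at the
    end, and a human-readable log.
    """
    delay = {alarm: line_delay_ms for alarm in LINE_TRIGGERS}
    if path_delay_ms is not None:
        delay.update({alarm: path_delay_ms for alarm in PATH_TRIGGERS})

    active = {}          # alarm -> time it was asserted
    timers = []          # (fire_time, kind, alarm) with kind "holdoff" or "recover"
    down = False
    cleared_at = None    # time the last active trigger cleared while the protocol was down
    downs, log = 0, []
    events = sorted(events)
    i = 0
    while i < len(events) or timers:
        timers.sort()
        # Fire any timer that is due before (or at) the next alarm event.
        if timers and (i >= len(events) or timers[0][0] <= events[i][0]):
            t, kind, alarm = timers.pop(0)
            if kind == "holdoff" and not down and active.get(alarm) == t - delay[alarm]:
                down, downs = True, downs + 1
                log.append(f"{t} ms: {alarm} still asserted after {delay[alarm]} ms hold-off -> line protocol down")
            elif kind == "recover" and down and not active and cleared_at == t - CLEAR_HOLD_MS:
                down = False
                log.append(f"{t} ms: triggers clear for {CLEAR_HOLD_MS} ms -> line protocol up")
            continue
        t, alarm, action = events[i]
        i += 1
        if alarm not in delay:
            log.append(f"{t} ms: {alarm} {action} ignored (not a configured trigger)")
            continue
        if action == "assert":
            active[alarm] = t
            timers.append((t + delay[alarm], "holdoff", alarm))  # check again when the hold-off expires
        else:
            active.pop(alarm, None)
            log.append(f"{t} ms: {alarm} cleared")
            if down and not active:
                cleared_at = t
                timers.append((t + CLEAR_HOLD_MS, "recover", alarm))
    return {"protocol_down_events": downs, "up_at_end": not down, "log": log}


if __name__ == "__main__":
    for line in simulate(SAMPLE_EVENTS)["log"]:
        print(line)
```

With the default 100 ms hold-off the two short glitches never reach the protocol, the 250 ms LAIS does, and the protocol recovers 10 seconds after it clears; raising the delay to 300 ms absorbs the LAIS as well, which is the trade-off the delay range of 50 to 10000 milliseconds lets you make.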
To determine which alarms are reported on the POS interface, and to display the BER thresholds, use the show controllers pos command. Command Purpose Step 1 Router(config-if)# pos delay triggers line ms Specifies a delay for setting the line protocol to down when a line-level trigger alarm is received, where: • ms—Specifies the delay in milliseconds. The default delay is 100 milliseconds. Step 2 Router(config-if)# pos threshold {b1-tca | b2-tca | b3-tca | sd-ber | sf-ber} rate Configures the POS bit error rate (BER) threshold values of the specified alarms, where: • b1-tca rate—Specifies the B1 BER threshold crossing alarm. The default is 6. • b2-tca rate—Specifies the B2 BER threshold crossing alarm. The default is 6. • b3-tca rate—Specifies the B3 BER threshold crossing alarm. The default is 6. • sd-ber rate—Specifies the signal degrade BER threshold. The default is 6. • sf-ber rate—Specifies the signal failure BER threshold. The default is 3. • rate—Specifies the bit error rate from 3 to 9 (10e-n). The default varies by the type of threshold that you configure. Step 3 Router(config-if)# pos ais-shut Sends a line alarm indication signal (AIS-L) to the other end of the link after a shutdown command has been issued to the specified POS interface. AIS-L is also known as LAIS when alarm-related output is generated using the show controllers pos command. By default, the AIS-L is not sent to the other end of the link. Stops transmitting the AIS-L by issuing either the no shutdown or the no pos ais-shut commands.15-12 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 15 Configuring the POS SPAs Configuration Tasks Path-Level Triggers You can issue the pos delay triggers path command to configure various path alarms as triggers and to specify an activation delay between 50 and 10000 milliseconds. The default delay value is 100 milliseconds. The following path alarms are not triggers by default. 
You can configure these path alarms as triggers and also specify a delay: • Path alarm indication signal (PAIS) • Path remote defect indication (PRDI) • Path loss of pointer (PLOP) • sd-ber (signal degrade [SD] bit error rate [BER]) • sf-ber (signal failure [SF] BER) • b1-tca (B1 BER threshold crossing alarm [TCA]) • b2-tca (B2 BER TCA) • b3-tca (B3 BER TCA) The pos delay triggers path command can also bring down the line protocol when the higher of the B2 and B3 error rates is compared with the signal failure (SF) threshold. If the SF threshold is crossed, the line protocol of the interface goes down. To configure POS path-level triggers, use the following command in interface configuration mode: To disable path-level triggers, use the no form of this command. Verifying POS Alarm Trigger Delays To verify POS alarm trigger delays, use the show controllers pos privileged EXEC command and observe the values shown in the “Line alarm trigger delay” and “Path alarm trigger delay” fields. The following example shows the POS alarm trigger delays for interface port 0 on the POS SPA installed in the SIP that is located in slot 2 of the Cisco 7600 series router: Router# show controllers pos 2/0/0 details POS2/0/0 SECTION LOF = 0 LOS = 1 BIP(B1) = 5 LINE AIS = 0 RDI = 1 FEBE = 5790 BIP(B2) = 945 PATH AIS = 0 RDI = 0 FEBE = 0 BIP(B3) = 5 PLM = 0 UNEQ = 0 TIM = 0 TIU = 0 LOP = 1 NEWPTR = 0 PSE = 0 NSE = 0 Active Defects: None Command Purpose Router(config-if)# pos delay triggers path ms Specifies that path-level alarms should act as triggers and specifies a delay for setting the line protocol to down when a path-level trigger alarm is received, where: • ms—Specifies the delay in milliseconds. 
The default delay is 100 milliseconds.

Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
Line alarm trigger delay = 100 ms
Path alarm trigger delay = 100 ms
. . .

Configuring SDCC

Before any management traffic can traverse the section data communication channel (SDCC) links embedded in the POS SPA overhead, the SDCC interfaces must be configured and activated.

SDCC Configuration Guidelines

When configuring SDCC on a POS SPA, consider the following guidelines:
• SDCC must be enabled on the main POS interfaces.
• SDCC supports only HDLC and PPP encapsulation, not Frame Relay.

SDCC Configuration Task

To configure the POS SPAs for SDCC, complete the following steps:

Verifying the SDCC Interface Configuration

To verify the SDCC interface, use the show interfaces sdcc privileged EXEC command and observe the value shown in the “Hardware is” field.
The following example shows the SDCC interface port 1 on the POS SPA installed in subslot 0 of the SIP that is located in slot 5 of the Cisco 7600 series router:

Router# show interfaces sdcc 5/0/1
SDCC5/0/1 is up, line protocol is up
  Hardware is SDCC
  Internet address is 10.14.14.14/8
  MTU 1500 bytes, BW 155000 Kbit, DLY 20000 usec,
     reliability 5/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive not set
  Last input 00:01:24, output never, output hang never
  Last clearing of "show interface" counters 00:01:30
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 520 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5 packets output, 520 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

• The default mode for all SPA interfaces is POS. To change between POS and SRP modes, you must shut down the SPA interface.
• Whenever you change modes on a POS SPA, the SPA automatically reloads.
• To change the SRP mate configuration, you must shut down the SPA interfaces.
• You cannot configure subinterfaces on an SRP interface.
• To distinguish between the two rings, one is referred to as the “inner” ring and the other as the “outer” ring. SRP operates by sending data packets in one direction (downstream) and sending the corresponding control packets in the opposite direction (upstream) on the other fiber. An SRP node uses SRP side A to receive (RX) outer ring data and transmit (TX) inner ring data.
The node uses SRP side B to receive (RX) inner ring data and transmit (TX) outer ring data. Side A on one node connects to Side B on an adjacent SRP node. For configuration of SRP on POS SPAs in multiple slots on the same SIP, the lower-numbered slot and subslot combination hosts the SRP interface and becomes “Side A” of the SRP interface. The slot number of the side-A interface must be lower than the slot location of the SRP mate (side B) interface.
• To configure SRP options, you must specify the slot and subslot location of the side-A interface, in addition to a port number.

SRP Mode Configuration Guidelines

When enabling SRP mode, consider the following guidelines:
• hw-module subslot srp command: You only need to configure the hw-module subslot srp command on the host SRP interface—not on the mate SRP interface.
• The host SRP interface becomes “Side A” of the SRP interface. When configuring SPAs that are installed in different slots on the same SIP for SRP, the slot number of the side-A interface must be lower than the slot location of the SRP mate (side B) interface. Also, you must specify the side-A interface location for configuration of any SRP options.
• The SIP reads the information it receives from the hardware cable mating to validate the mate cable connectivity with your software configuration.
• When you change the SPA mode, the SPA automatically reloads.

Saving the Configuration

To save your running configuration to nonvolatile random-access memory (NVRAM), use the following command in privileged EXEC mode:

For more information about managing configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.
  Command: Router# copy running-config startup-config
  Purpose: Writes the new configuration to NVRAM.

Shutting Down and Restarting an Interface on a SPA

You can shut down and restart any of the interface ports on a SPA independently of each other. Shutting down an interface stops traffic and then enters the interface into an “administratively down” state. If you are preparing for an OIR of a SPA, it is not necessary to independently shut down each of the interfaces prior to deactivation of the SPA. You do not need to independently restart any interfaces on a SPA after OIR of a SPA or SIP.

To shut down an interface on a SPA, use the following command in interface configuration mode:

To restart an interface on a SPA, use the following command in interface configuration mode:

Verifying the Interface Configuration

Besides using the show running-configuration command to display your Cisco 7600 series router configuration settings, you can use the show interfaces pos and show controllers pos commands to get detailed information on a per-port basis for your POS SPAs.
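Reading show controllers pos output by eye does not scale across many ports, and the BER thresholds and alarm trigger delays configured earlier in this chapter are exactly the settings that tend to drift from what was intended. The following Python script is an added example, not part of this guide or of Cisco IOS: it parses the SECTION/LINE/PATH counter block, the Active Defects and Active Alarms lines, the alarm trigger delays and the BER/TCA threshold lines in the format shown in the Verifying POS Alarm Trigger Delays section above, compares the thresholds and delays with a policy built from this chapter's defaults (sf-ber 3, sd-ber 6, b1/b2/b3-tca 6, 100 ms line and path delays), and reports counters that increased between two polls. The sample output, the altered values in it (one threshold, one delay, one active alarm) and the policy dictionary are constructed for the example.

```python
import re

# Constructed sample in the format of the show controllers pos output used in
# this chapter; counter values are made up, and one threshold, one trigger
# delay and one active alarm were altered so that the checks below fire.
SAMPLE = """\
POS2/0/0
SECTION
  LOF = 0  LOS = 1  BIP(B1) = 5
LINE
  AIS = 0  RDI = 1  FEBE = 5790  BIP(B2) = 945
PATH
  AIS = 0  RDI = 0  FEBE = 0  BIP(B3) = 5
  PLM = 0  UNEQ = 0  TIM = 0  TIU = 0
  LOP = 1  NEWPTR = 0  PSE = 0  NSE = 0
Active Defects: None
Active Alarms: SLOS
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
Line alarm trigger delay = 100 ms
Path alarm trigger delay = 2000 ms
BER thresholds:  SF = 10e-5  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: internal
"""

# Earlier poll of the same interface, constructed by zeroing two counters so
# that the delta logic has something to report.
BASELINE = SAMPLE.replace("LOS = 1", "LOS = 0").replace("LOP = 1", "LOP = 0")

COUNTER_RE = re.compile(r"([A-Z]+(?:\([A-Z0-9]+\))?)\s*=\s*(\d+)")
THRESH_RE = re.compile(r"\b(SF|SD|B1|B2|B3)\s*=\s*10e-(\d)")
DELAY_RE = re.compile(r"(Line|Path) alarm trigger delay\s*=\s*(\d+)\s*ms")

# Policy built from this chapter's defaults; adjust to the site standard.
DEFAULT_POLICY = {
    "thresholds": {"SF": 3, "SD": 6, "B1": 6, "B2": 6, "B3": 6},
    "trigger_delay_ms": {"Line": 100, "Path": 100},
}


def _names(text):
    """Split an alarm/defect list; the CLI prints 'None' when it is empty."""
    items = text.split()
    return [] if items == ["None"] else items


def parse_show_controllers_pos(text):
    """Extract counters, alarms, trigger delays and thresholds from the output."""
    out = {"counters": {}, "active_defects": [], "active_alarms": [],
           "alarm_reporting": [], "trigger_delay_ms": {}, "thresholds": {}}
    layer = None  # SECTION, LINE or PATH while inside the counter block
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("SECTION", "LINE", "PATH"):
            layer = line
        elif line.startswith("Active Defects:"):
            layer = None  # the counter block is over
            out["active_defects"] = _names(line.split(":", 1)[1])
        elif line.startswith("Active Alarms:"):
            out["active_alarms"] = _names(line.split(":", 1)[1])
        elif line.startswith("Alarm reporting enabled for:"):
            out["alarm_reporting"] = line.split(":", 1)[1].split()
        elif (m := DELAY_RE.search(line)):
            out["trigger_delay_ms"][m.group(1)] = int(m.group(2))
        elif THRESH_RE.search(line):
            for name, exp in THRESH_RE.findall(line):
                out["thresholds"][name] = int(exp)  # 10e-n, n as configured
        elif layer:
            for name, value in COUNTER_RE.findall(line):
                out["counters"][f"{layer}/{name}"] = int(value)
    return out


def check_pos_policy(parsed, policy=DEFAULT_POLICY):
    """Report threshold and delay drift from the policy plus any active alarm."""
    findings = []
    for name, want in policy["thresholds"].items():
        got = parsed["thresholds"].get(name)
        if got != want:
            findings.append(f"{name} threshold is 10e-{got}, policy says 10e-{want}")
    for side, want in policy["trigger_delay_ms"].items():
        got = parsed["trigger_delay_ms"].get(side)
        if got != want:
            findings.append(f"{side} alarm trigger delay is {got} ms, policy says {want} ms")
    findings.extend(f"active alarm: {alarm}" for alarm in parsed["active_alarms"])
    return findings


def counter_increments(previous, current):
    """Counters that grew between two polls (they are cumulative since last clear)."""
    prev = previous["counters"]
    return {k: v - prev.get(k, 0) for k, v in current["counters"].items()
            if v > prev.get(k, 0)}


if __name__ == "__main__":
    parsed = parse_show_controllers_pos(SAMPLE)
    for finding in check_pos_policy(parsed):
        print(finding)
    print(counter_increments(parse_show_controllers_pos(BASELINE), parsed))
```

Run as-is it prints the three findings for the constructed sample and the two counters that rose since the baseline poll. In practice, feed it the text captured from each POS interface and keep the previous capture, because the SECTION, LINE and PATH counters only reset on a clear, so a single snapshot tells you nothing about whether LOS or LOP events are still happening.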
  Command: Router(config-if)# shutdown
  Purpose: Disables an interface.

  Command: Router(config-if)# no shutdown
  Purpose: Restarts a disabled interface.

Verifying Per-Port Interface Status

The following example provides sample output for interface port 0 (the first port) on the SPA located in subslot 0 of the SIP that is installed in slot 3 of the Cisco 7600 series router:

Router# show interfaces pos 3/0/0
POS3/0/0 is up, line protocol is up
  Hardware is Packet over Sonet
  MTU 4470 bytes, BW 622000 Kbit, DLY 100 usec,
     reliability 194/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY, crc 16, loopback not set
  Keepalive set (10 sec)
  Scramble disabled
  LMI enq sent 18, LMI stat recvd 0, LMI upd recvd 0
  LMI enq recvd 1473, LMI stat sent 1473, LMI upd sent 0, DCE LMI up
  LMI DLCI 1023  LMI type is CISCO  frame relay DCE
  FR SVC disabled, LAPF state down
  Broadcast queue 0/256, broadcasts sent/dropped 2223/1, interface broadcasts 1977
  Last input 00:00:05, output 00:00:05, output hang never
  Last clearing of "show interface" counters 04:46:02
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     47019 packets input, 163195100 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     14332 runts, 925 giants, 0 throttles
              0 parity
     17820 input errors, 1268 CRC, 0 frame, 0 overrun, 0 ignored, 10 abort
     49252 packets output, 170900767 bytes, 0 underruns
     0 output errors, 0 applique, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions
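The output above is the kind of thing an operator scans once and then forgets; the Python script below is an added example (not from this guide) that turns text in the show interfaces pos format into a health verdict. It pulls the interface state, encapsulation, CRC size, scrambling and reliability fields plus the packet and error counters, then flags an input error ratio above a limit, any non-zero runts, giants, CRC errors, aborts and carrier transitions, and any mismatch against the settings you expect on the port. A CRC-size or payload-scrambling mismatch between the two ends of a POS link commonly shows up as exactly this kind of CRC and input error pattern, so checking the settings next to the counters saves a troubleshooting round trip. The sample text reuses the counters printed in the example above; the expected-settings dictionary and the 0.1 percent error limit are assumptions for the example.

```python
import re

# Constructed sample in the format of the show interfaces pos output above;
# the counters are the ones printed in the example, with the header trimmed
# to the fields this script reads.
SAMPLE = """\
POS3/0/0 is up, line protocol is up
  Hardware is Packet over Sonet
  MTU 4470 bytes, BW 622000 Kbit, DLY 100 usec,
     reliability 194/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY, crc 16, loopback not set
  Keepalive set (10 sec)
  Scramble disabled
  Last clearing of "show interface" counters 04:46:02
     47019 packets input, 163195100 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     14332 runts, 925 giants, 0 throttles
              0 parity
     17820 input errors, 1268 CRC, 0 frame, 0 overrun, 0 ignored, 10 abort
     49252 packets output, 170900767 bytes, 0 underruns
     0 output errors, 0 applique, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions
"""

STATUS_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
ENCAP_RE = re.compile(r"Encapsulation (\S+), crc (\d+)")
RELIABILITY_RE = re.compile(r"reliability (\d+)/255")
COUNTER_RE = re.compile(r"^(\d+) ([A-Za-z][A-Za-z ]*)$")


def parse_show_interfaces_pos(text):
    """Pull state, link settings and the '<number> <name>' counters from the output."""
    info = {"counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := STATUS_RE.match(line)):
            info["interface"], info["status"], info["protocol"] = m.groups()
            continue
        if (m := ENCAP_RE.search(line)):
            info["encapsulation"], info["crc"] = m.group(1), int(m.group(2))
        if (m := RELIABILITY_RE.search(line)):
            info["reliability"] = int(m.group(1))
        if line.startswith("Scramble "):
            info["scramble"] = line.split()[1]
        # Counter lines are comma-separated "<number> <name>" fields; "bytes"
        # appears on both the input and the output line, so it is skipped.
        for piece in line.split(","):
            if (m := COUNTER_RE.match(piece.strip())) and m.group(2) != "bytes":
                info["counters"][m.group(2).strip()] = int(m.group(1))
    return info


def assess_pos_interface(info, expected=None, max_error_ratio=1e-3):
    """Return a list of findings; an empty list means the port looks clean."""
    findings = []
    c = info["counters"]
    if (info.get("status"), info.get("protocol")) != ("up", "up"):
        findings.append(f"{info.get('interface')} is {info.get('status')}, "
                        f"line protocol is {info.get('protocol')}")
    packets, errors = c.get("packets input", 0), c.get("input errors", 0)
    if packets and errors / packets > max_error_ratio:
        findings.append(f"input error ratio {errors / packets:.3f} exceeds {max_error_ratio}")
    for name in ("runts", "giants", "CRC", "abort", "carrier transitions"):
        if c.get(name, 0):
            findings.append(f"{c[name]} {name} since the counters were last cleared")
    if info.get("reliability", 255) < 255:
        findings.append(f"reliability {info['reliability']}/255 (255 is a clean link)")
    # Compare the link settings with what this port is supposed to run;
    # a mismatch with the far end is a common source of the errors above.
    for key, want in (expected or {}).items():
        if info.get(key) != want:
            findings.append(f"{key} is {info.get(key)!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interfaces_pos(SAMPLE)
    # Assumed intended settings for this port (constructed for the example).
    wanted = {"encapsulation": "FRAME-RELAY", "crc": 16, "scramble": "enabled"}
    for finding in assess_pos_interface(parsed, expected=wanted):
        print(finding)
```

The counters are cumulative since the last clear counters, so the error ratio is a lifetime figure; for alerting, diff two captures the same way as for the controller counters, and pair a non-zero carrier transition count with the SONET alarm history before concluding the fibre is at fault.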
Monitoring Per-Port Interface Statistics

The following is sample output from the show controllers pos command on a Cisco 7600 series router for POS interface 4/3/0 (which is the interface for port 0 of the SPA in subslot 3 of the SIP in chassis slot 4):

Router# show controllers pos 4/3/0
POS4/3/0
SECTION
  LOF = 0          LOS    = 0          BIP(B1) = 65535
LINE
  AIS = 0          RDI    = 0          FEBE = 65535      BIP(B2) = 16777215
PATH
  AIS = 0          RDI    = 0          FEBE = 65535      BIP(B3) = 65535
  PLM = 0          UNEQ   = 0          TIM  = 0          TIU     = 0
  LOP = 0          NEWPTR = 3          PSE  = 0          NSE     = 0

Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA

Framing: SONET
APS
  COAPS = 1          PSBF = 0
  State: PSBF_state = False
  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  Rx Synchronization Status S1 = 00
  S1S0 = 00, C2 = CF
  Remote aps status (none); Reflected local aps status (none)
CLOCK RECOVERY
  RDOOL = 0
  State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
  Remote hostname : woodson
  Remote interface: POS3/0/0
  Remote IP addr  : 0.0.0.0
  Remote Rx(K1/K2): 00/00  Tx(K1/K2): 00/00

BER thresholds:  SF = 10e-3  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6
Clock source: internal

Configuration Examples

This section includes the following examples for configuring a POS SPA installed in a Cisco 7600 series router:
• Basic Interface Configuration Example, page 15-17
• MTU Configuration Example, page 15-17
• POS Framing Configuration Example, page 15-18
• Keepalive Configuration Example, page 15-18
• CRC Configuration Example, page 15-18
• Clock Source Configuration Example, page 15-19
• SONET Payload Scrambling Configuration Example, page 15-19
• Encapsulation Configuration Example, page 15-19
• APS Configuration Example, page 15-19
• POS Alarm Trigger Delays Configuration Example, page 15-21
• SDCC Configuration Example, page 15-21

Basic Interface Configuration Example

The following
example shows how to enter global configuration mode to specify the interface that you want to configure, configure an IP address for the interface, enable the interface, and save the configuration. This example configures interface port 0 (the first port) of the SPA located in subslot 0 of the SIP that is installed in slot 2 of the Cisco 7600 series router:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/0/0
!
! Configure an IP address
!
Router(config-if)# ip address 192.168.50.1 255.255.255.0
!
! Enable the interface
!
Router(config-if)# no shutdown
!
! Save the configuration to NVRAM
!
Router(config-if)# end
Router# copy running-config startup-config

MTU Configuration Example

The following example sets the MTU to 4470 bytes on interface port 1 (the second port) of the SPA located in the bottom subslot (1) of the SIP that is installed in slot 2 of the Cisco 7600 series router:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure MTU
!
Router(config-if)# mtu 4470

POS Framing Configuration Example

The following example shows how to change from the default POS framing of SONET to SDH:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! (The default pos framing is sonet)
!
! Modify the framing type
!
Router(config-if)# pos framing sdh

Keepalive Configuration Example

The following example shows how to change from the default keepalive period of 10 seconds to 20 seconds:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure keepalive 20
!
Router(config-if)# keepalive 20

CRC Configuration Example

The following example shows how to change the CRC size from 32 bits to the default 16 bits for POS SPAs:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure crc 16
!
Router(config-if)# crc 16

Clock Source Configuration Example

The following example shows how to change from the default clock source of internal to line:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure the clock source
!
Router(config-if)# clock source line

SONET Payload Scrambling Configuration Example

The following example shows how to change from a default SONET payload scrambling of disabled to enabled:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure the SONET payload scrambling
!
Router(config-if)# pos scramble-atm

Encapsulation Configuration Example

The following example shows how to change from the default encapsulation method of HDLC to PPP:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure ppp
!
Router(config-if)# encapsulation ppp

APS Configuration Example

The following example shows the configuration of APS on router A and router B, and how to configure more than one protect or working interface on a router by using the aps group command.
See Figure 15-1.

Figure 15-1 Basic APS Configuration (router A with E 0/0 and POS 2/0/0 as the working interface, SONET network equipment with an add/drop multiplexer (ADM), and router B with E 0/0 and POS 3/0/0 as the protect interface)

In this example, router A is configured with the working interface and router B is configured with the protect interface. If the working interface on router A becomes unavailable, the connection will automatically switch over to the protect interface on router B. The loopback interface is used as the interconnect. The aps group command is used even when a single protect group is configured.

The following example shows how to configure Router A for this scenario:

! Enter global configuration mode
!
Router# configure terminal
!
! Configure a loopback interface as the protect interconnect path
!
Router(config)# interface loopback 1
Router(config-if)# ip address 10.10.10.10 255.0.0.0
!
! Configure the POS interface address for the APS working interface
!
Router(config)# interface pos 2/0/0
!
! Configure the POS interface IP address and other interface parameters
!
Router(config-if)# ip address 172.16.1.8 255.255.0.0
Router(config-if)# no ip directed-broadcast
Router(config-if)# no keepalive
Router(config-if)# crc 32
!
! Configure the APS group number by which to associate APS interfaces
!
Router(config-if)# aps group 1
!
! Configure a circuit number for the APS working interface
!
Router(config-if)# aps working 1

The following example shows how to configure Router B for this scenario:

! Enter global configuration mode
!
Router# configure terminal
!
! Configure the POS interface address for the APS protect interface
!
Router(config)# interface pos 3/0/0
!
! Configure the POS interface IP address and other interface parameters
!
Router(config-if)# ip address 172.16.1.9 255.255.0.0
Router(config-if)# no ip directed-broadcast
Router(config-if)# no keepalive
Router(config-if)# crc 32
!
! Configure the APS group number by which to associate APS interfaces
!
Router(config-if)# aps group 1
!
! Configure a circuit number for the protect interface and an IP address for the router
! that has the APS working interface. In this case, the loopback interface address is
! used.
!
Router(config-if)# aps protect 1 10.10.10.10

POS Alarm Trigger Delays Configuration Example

The following example shows how to change POS line-level and path-level alarm trigger delays from the default of 100 milliseconds to 200 milliseconds:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
Router(config-if)# pos delay triggers line 200
Router(config-if)# pos delay triggers path 200

SDCC Configuration Example

Router(config-if)# exit
Router(config)# hw-module subslot 1/0 srp mate 1/1
!
! Configure an SRP interface
!
Router(config)# interface srp 1/0/0
Router(config-if)# mac-address 0003.0003.0003
Router(config-if)# ip address 10.4.4.1 255.255.255.0
Router(config-if)# no ip directed-broadcast
Router(config-if)# ipv6 address 10:4:4::1/64
Router(config-if)# service-policy output parent

PART 7 Serial Shared Port Adapters

CHAPTER 16 Overview of the Serial SPAs

This chapter provides an overview of the release history, features, and supported MIBs for the following SPAs:
• Cisco 7600 SIP-200 with the 2- and 4-Port T3/E3 SPAs, the 8-Port Channelized T1/E1 SPA, the 1-Port Channelized OC-3/STM-1 SPA, and the 2- or 4-Port CT3 SPA
• Cisco 7600 SIP-400 with the 1-Port Channelized OC-12/STM-4 SPA

This chapter includes the following sections:
• Release History, page 16-1
• Supported Features, page 16-2
• Restrictions, page 16-2
• SPA Features, page 16-3
• Supported MIBs, page 16-6
• Displaying the SPA Hardware Type, page 16-8

Release History

Release: 15.1(1)S
Modification: Support for Network Clocking and SSM functionality was extended.

Release: 15.0(1)S
Modification: Support for Network Clocking and SSM functionality was added.

Release: Cisco IOS Release 12.2(33)SRD1
Modification: Support for the 1-Port Channelized OC-12/STM-4 SPA.

Release: Cisco IOS Release 12.2(33)SRC
Modification: Support for the following software features was introduced on the Cisco 7600 SIP-200 on the Cisco 7600 series router:
• Programmable BERT pattern enhancements for the 1-Port Channelized OC-3/STM-1 SPA and the 2- and 4-Port CT3 SPAs

Supported Features

This section provides a list of some of the primary features supported by the Cisco 7600 SIP-200 and SPA hardware and software.
• Online insertion and removal (OIR).
• Supports up to four single-height or two double-height Shared Port Adapters (SPAs).
• Field Programmable Gate Array (FPGA) upgrade support.
• The SIP-200 supports the standard FPGA upgrade methods for the Cisco 7600 series router.

Restrictions

This section provides a list of Cisco 7600 SIP-200 configuration restrictions.

Note: For other SIP-specific features and restrictions, see also Chapter 3, “Overview of the SIPs and SSC” in this guide.

• On a 2-port or 4-port Channelized T3 SPA, when one of the T3 ports is configured as a DS3 clear channel interface and the other T3s are configured with a large number (greater than or equal to 400) of low bandwidth channels (NxDS0, N=1, 2, 3, or 4), the DS3 clear channel interface is not able to run at 100% DS3 line rate when those low bandwidth channels are idle (that is, not transmitting or receiving packets). This issue does not occur if those low bandwidth channels are not idle.
• On a 2-Port and 4-Port Channelized T3 SPA or 1-Port Channelized OC-3/STM-1 SPA, the maximum number of channels is limited to 1023 per SPA.
• On a 2-Port and 4-Port Channelized T3 SPA or 1-Port Channelized OC-3/STM-1 SPA, the maximum number of FIFO buffers is 4096. The FIFO buffers are shared among the interfaces; how they are shared is determined by speed. If all the FIFO buffers have been assigned to existing interfaces, a new interface cannot be created, and the "%Insufficient FIFOs to create channel group" error message is seen. FIFO allocation information is provided in Table 16-1.
To find the number of available FIFO buffers, use the show controller t3 command:

Router# show controller t3 3/0/0
T3 3/0/0 is up.
  Hardware is SPA-4XCT3/DS0
  IO FPGA version: 2.6, HDLC Framer version: 0
  T3/T1 Framer(1) version: 2, T3/T1 Framer(2) version: 2
  SUBRATE FPGA version: 1.4
  HDLC controller available FIFO buffers 3112

Release: Cisco IOS Release 12.2(33)SRA
Modification: Support for the following hardware was introduced on the Cisco 7600 SIP-200 on the Cisco 7600 series router:
• 1-Port Channelized OC-3/STM-1 SPA

Release: Cisco IOS Release 12.2(18)SXE
Modification: Support for the following hardware was introduced on the Cisco 7600 SIP-200 on the Cisco 7600 series router and Catalyst 6500 series switch:
• 2-Port T3/E3 SPA (SPA-2XT3/E3)
• 4-Port T3/E3 SPA (SPA-4XT3/E3)
• 8-Port T1/E1 SPA (SPA-8XCHT1/E1)
• 2-Port CT3 SPA (SPA-2XCT3/DS0)
• 4-Port CT3 SPA (SPA-4XCT3/DS0)

• On the 1-Port Channelized OC-12/STM-4 SPA, the SDH and E1/E3 modes are not supported.
• On the 1-Port Channelized OC-12/STM-4 SPA, MFR and FRF.12 (in sync with other channelized SPAs on the SIP-400) are not supported.

Note: Effective from Cisco IOS Release 15.1(3)S and 12.2(33)SRE05, the SPA-1xCHOC12/DS0 boots up with admin down status, and the original SPA status is restored one second after the SPA boots up. Wait for a second after the log message "SPA_OIR-6-ONLINECARD: SPA (SPA-1XCHOC12/DS0) online in subslot" is displayed before you configure the SPA.

SPA Features

The following is a list of some of the significant software features supported by the 2- and 4-Port T3/E3 SPA, the 8-Port Channelized T1/E1 SPA, the 1-Port Channelized OC-3/STM-1 SPA, and the 2- and 4-Port CT3 SPAs.
• Software selectable between T1, E1, T3, or E3 framing on each card (ports are configured as all T1, E1, T3, or E3). Applies to the 2- and 4-Port T3/E3 SPA and 8-Port Channelized T1/E1 SPA.
• Layer 2 encapsulation support:
  – Point-to-Point Protocol (PPP)
  – High-level Data Link Control (HDLC)
  – Frame Relay
• Internal or network clock (selectable per port)

Table 16-1 FIFO Allocation

Number of Timeslots    Number of FIFO Buffers
1-6 DS0                4
7-8 DS0                6
9 DS0                  6
10-12 DS0              8
13-23 DS0              12
1-6 E1 TS              4
7-9 E1 TS              6
11-16 E1 TS            8
17-31 E1 TS            16
T1                     12
E1                     16
DS3                    336

• Online insertion and removal (OIR)
• Hot standby router protocol (HSRP)
• Alarm reporting: 24-hour history maintained, 15-minute intervals on all errors
• 16- and 32-bit cyclic redundancy checks (CRC) supported (16-bit default)
• Local and remote loopback
• Bit error rate testing (BERT) pattern generation and detection per port

Note: BERT is not supported on the 8-Port Channelized T1/E1 SPA.

• Programmable BERT pattern enhancements

Note: The programmable BERT pattern enhancements are not supported on the 2- and 4-Port T3/E3 SPAs or the 8-Port Channelized T1/E1 SPA.

• Dynamic provisioning—Dynamic provisioning allows for the addition of new customer circuits within a channelized interface without affecting other customers.
• FPD (field programmable device) upgrades
• End-to-end FRF.12 fragmentation support
• Link Fragmentation and Interleaving (LFI) support
• Compressed Real-Time Protocol (cRTP)—8-Port Channelized T1/E1 SPA and 2-Port and 4-Port Channelized T3 SPA only. For more information about configuring cRTP, see the “Configuring Compressed Real-Time Protocol” section on page 4-5.
• Network Clocking and Synchronization Status Message (SSM) functionality for the Channelized SPAs in a Cisco 7600 SIP-400 only.
The Channelized SPAs supporting this feature for Cisco IOS Release 15.0(1)S are:
  – 8-Port Channelized T1/E1 SPA
  – 1-Port Channelized OC3/STM-1 SPA
The Channelized SPA supporting this feature for Cisco IOS Release 15.1(1)S is:
  – 1-Port Channelized OC-12/STM-4 SPA
For more information on configuring the network clock, see Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.
• T1 features
  – All ports can be fully channelized down to DS0
  – Data rates in multiples of 56 Kbps or 64 Kbps per channel
  – Maximum 1.536 Mbps for each T1 port
  – D4 Superframe (SF) and Extended Superframe (ESF) support for each T1 port
  – ANSI T1.403 and AT&T TR54016 CI FDL support
  – Internal and receiver recovered clocking modes
  – Short haul and long haul channel service unit (CSU) support
  – Binary eight-zero substitution (B8ZS) and alternate mark inversion (AMI) line encoding

Note: B8ZS and AMI line encoding are not configurable for TW on the 2-Port and 4-Port Channelized T3 SPA.

  – Support for Multilink Point-to-Point Protocol (MLPPP) for full T1s on the same SPA (hardware based) and across SPAs (software based)
  – Support for Multilink Frame Relay (MLFR)
• E1 features
  – Maximum 1.984 Mbps for each E1 port in framed mode and 2.048 Mbps in unframed E1 mode
  – All ports can be fully channelized down to DS0
  – Compliant with ITU G.703, G.704, ETSI and ETS300156
  – Internal and receiver recovered clocking modes
  – High-density bipolar with three zeros (HDB3) and AMI line encoding
  – Support for MLPPP for full E1s on the same SPA (hardware based) and across SPAs (software based).
  – Support for MLFR
• E3 features
  – Full-duplex connectivity at E3 rate (34.368 MHz)
  – Supports ITU-T G.751 or G.832 framing (software selectable)
  – HDB3 line coding
  – Compliant with E3 pulse mask
  – Line build-out: configured for up to 450 feet (135 m) of type 728A or equivalent coaxial cable
  – Loopback modes: data terminal equipment (DTE), local, dual, and network
  – E3 alarm/event detection (once per second polling)
    - Alarm indication signal (AIS)
    - Loss of frame (LOF)
    - Remote alarm indication (RAI)
  – Subrate and scrambling features for these data service unit (DSU) vendors:
    - Digital Link
    - ADC Kentrox
• T3 features
  – Binary 3-zero substitution (B3ZS) line coding
  – Compliant with DS3 pulse mask per ANSI T1.102-1993
  – DS3 far-end alarm and control (FEAC) channel support
  –  Full-duplex connectivity at DS3 rate (44.736 MHz)
  – 672 DS0s per T3
  – Loopback modes: DTE, local, remote, dual, and network
  – C-bit or M23 framing (software selectable)
  – Line build-out: configured for up to 450 feet (135 m) of type 734A or equivalent coaxial cable
  – DS3 alarm/event detection (once per second polling)
    - AIS
    - Out of frame (OOF)
    - Far-end receive failure (FERF)
  – Generation and termination of DS3 Maintenance Data Link (MDL) in C-bit framing
  – Full FDL support and FDL performance monitoring
  – Subrate and scrambling features for these DSU vendors:
    - Digital Link
    - ADC Kentrox
    - Adtran
    - Verilink
    - Larscom

Note: On a 2-port or 4-port Channelized T3 SPA, when one of the T3 ports is configured as a DS3 clear channel interface and the other T3s are configured with a large number (greater than or equal to 400) of low bandwidth channels (NxDS0, N=1, 2, 3, or 4), the DS3 clear channel interface is not able to run at 100% DS3 line rate when those low bandwidth channels are idle (that is, not transmitting or receiving packets).
This issue does not occur if those low bandwidth channels are not idle.

The following features are supported on the 1-Port Channelized OC-12/STM-4 SPA:
• CCAT POS, DS3/E3, VCAT POS/Ethernet interfaces
• Maximum of 128 VCAT groups (VCG)
• Each VCG configurable for HDLC or GFP framing (Layer 1)
• Each VCG can carry POS (HDLC/PPP/Frame Relay) or Ethernet payload (Layer 2)
• Bandwidth on each VCG can be NxSTS-1/NxVT1.5/NxVT2
• Maximum of 48 high-order (STS-1) members in a VCG
• Maximum of 64 low-order (VT1.5/VT2) members in a VCG
• Maximum of 336 VT1.5/252 VT2 members per SPA
• Link Capacity Adjustment Scheme (LCAS)

Supported MIBs

The following MIBs are supported in Cisco IOS Release 12.2S for the serial SPAs on the Cisco 7600 series router.

All serial SPAs:
• CISCO-ENTITY-ALARM-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-ENVMON-MIB (for NPEs, NSEs, line cards, and SIPs only)
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENTITY-SENSOR-MIB
• ENTITY-MIB
• IF-MIB
• RMON-MIB
• MPLS-LDP-MIB
• MPLS-LSR-MIB
• MPLS-TE-MIB
• MPLS-VPN-MIB

2- and 4-Port T3/E3 SPAs:
• DS3/E3 MIB

8-Port Channelized T1/E1 SPA:
• DS1/E1 MIB

2- or 4-Port CT3 SPA:
• DS1-MIB
• DS3-MIB
• CISCO-FRAME-RELAY-MIB
• IANAifType-MIB
• RFC1381-MIB

1-Port Channelized OC-12/STM-4 SPA:
• Cisco Optical MIB
• SONET MIB (RFC 2558)
• Performance Statistics for Timed Intervals (RFC 1595)
• SONET/SDH MIB (RFC 1595)
• DS-3/E3 MIB (RFC 1407)
• DS1/E1 MIB (RFC 1406)
• MIB-II
• Ethernet MIB
• Cisco Extended Asset MIB

For more information about MIB support on the Cisco 7600 series router, refer to the Cisco 7600 Series Internet Router MIB Specifications Guide found at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/7600mibs/index.htm

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator
found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you.

Displaying the SPA Hardware Type

To verify the SPA hardware type that is installed in your Cisco 7600 series router, you can use the show diagbus command or the show interface command (once the interface has been configured). There are several other commands on the Cisco 7600 series router that also provide SPA hardware information. Table 16-2 shows the hardware description that appears in the show command output for each type of SPA that is supported on the Cisco 7600 series router.

Virtual Tributary Alarms

Seven circuit emulation alarm types on the virtual tributary are introduced with Cisco IOS Release 12.2(33)SRE and Cisco IOS Release 12.2(33)SRC4 on the 1-Port Channelized STM-1/OC-3 SPA. The alarm details are displayed in the show controller output on the 1-Port Channelized STM-1/OC-3 SPA.
These are described in the following table:

Table 16-2 SPA Hardware Descriptions in show Commands

SPA                                  Description in show interfaces and show controllers Commands
4-Port T3/E3 SPA                     “Hardware is SPA-4XT3/E3”
2-Port T3/E3 SPA                     “Hardware is SPA-2XT3/E3”
8-Port Channelized T1/E1 SPA         “Hardware is SPA-T1E1”
2-Port CT3 SPA                       “Hardware is 2 ports CT3 SPA”
4-Port CT3 SPA                       “Hardware is 4 ports CT3 SPA”
1-Port Channelized OC12/STM-4 SPA    “Hardware is 1 port CHOC12/STM-4 SPA”

Alarm      Description
LP-LOP     Indicates an LOP on the virtual tributary level
LP-AIS     Indicates an AIS on the virtual tributary level
LP-RFI     Remote Defect Indication on the virtual tributary level
LP-UNEQ    Indicates that the virtual tributary sizes are not the same, like VT-E1 and VT-T1
LP-MIS     Indicates that there is a mismatch on the virtual tributaries

Examples of the show interface Command

The following example shows output from the show interface serial 5/0/0 command on a Cisco 7600 series router with a 4-Port T3/E3 SPA installed in slot 5:

Serial5/0/0 is up, line protocol is up
  Hardware is SPA-4XT3/E3[3/0]
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 248/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:06, output 00:00:07, output hang never
  Last clearing of "show interface" counters 00:00:01
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 applique, 0 interface resets
     0 output buffer
failures, 0 output buffers swapped out 0 carrier transitions The following example shows output from the show interface serial 6/0/1 command on a Cisco 7600 series router with a 8-Port Channelized T1/E1 SPA installed in slot 6: Serial6/0/1:0 is up, line protocol is up Hardware is SPA-T1E1 MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, crc 16, loopback not set Keepalive set (10 sec) LCP Open, multilink Open Last input 00:00:03, output 00:00:03, output hang never Last clearing of "show interface" counters 5d17h Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3194905708 Queueing strategy: fifo Output queue: 0/40 (size/max) 30 second input rate 0 bits/sec, 0 packets/sec 30 second output rate 0 bits/sec, 0 packets/sec 74223 packets input, 1187584 bytes, 0 no buffer Received 0 broadcasts (0 IP multicast) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 74227 packets output, 1187751 bytes, 0 underruns 0 output errors, 0 collisions, 2 interface resets 0 output buffer failures, 0 output buffers swapped out 4 carrier transitions no alarm present Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags LP-T_MIS Indicates that there is a SONET trace mismatch on the virtual tributary level LP-RDI Remote Failure Indication on the virtual tributary level Alarm Description16-10 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 16 Overview of the Serial SPAs Virtual Tributary Alarms Examples of the show controllers Command The following example shows output from the show controller serial command on a Cisco 7600 series router with a 4-Port T3/E3 SPA installed in slot 5: Router# show controllers serial 5/0/2 Serial5/0/2 - Framing is c-bit, Clock Source is Line Bandwidth limit is 44210, DSU mode 0, Cable length is 10 rx FEBE since last clear counter 0, since reset 0 Data in current interval (807 seconds 
elapsed): 0 Line Code Violations, 0 P-bit Coding Violation 0 C-bit Coding Violation 0 P-bit Err Secs, 0 P-bit Sev Err Secs 0 Sev Err Framing Secs, 306 Unavailable Secs 500 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs Data in Interval 1: 0 Line Code Violations, 0 P-bit Coding Violation 0 C-bit Coding Violation 0 P-bit Err Secs, 0 P-bit Sev Err Secs 0 Sev Err Framing Secs, 0 Unavailable Secs 564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs Data in Interval 2: 0 Line Code Violations, 0 P-bit Coding Violation 0 C-bit Coding Violation 0 P-bit Err Secs, 0 P-bit Sev Err Secs 0 Sev Err Framing Secs, 0 Unavailable Secs 564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs [output omitted] The following example shows output from the show controller command on a Cisco 7600 series router with a 8-Port Channelized T1/E1 SPA installed in slot 6: Router# show controllers t1 T1 6/0/0 is up. Applique type is Channelized T1 Cablelength is long gain36 0db No alarms detected. alarm-trigger is not set Framing is ESF, Line Code is B8ZS, Clock Source is Line. Data in current interval (394 seconds elapsed): 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs Total Data (last 24 hours) 0 Line Code Violations, 0 Path Code Violations, 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins, 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs T1 6/0/1 is up. Applique type is Channelized T1 Cablelength is long gain36 0db No alarms detected. alarm-trigger is not set Framing is ESF, Line Code is B8ZS, Clock Source is Line. 
Data in current interval (395 seconds elapsed): 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs Total Data (last 24 hours) 0 Line Code Violations, 0 Path Code Violations, 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins, 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs16-11 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 16 Overview of the Serial SPAs Virtual Tributary Alarms The following example shows output from the show controllers command on a Cisco 7600 series router with a 4-Port CT3 SPA installed in slot 3: Router# show controllers t3 T3 3/1/2 is up. Hardware is 4 ports CT3 SPA ATLAS FPGA version: 0, FREEDM336 version: 0 TEMUX84(1) version: 0, TEMUX84(1) version: 0 SUBRATE FPGA version: 0 Applique type is Channelized T3 No alarms detected. Framing is M23, Line Code is B3ZS, Clock Source is Internal Equipment customer loopback Data in current interval (146 seconds elapsed): 0 Line Code Violations, 0 P-bit Coding Violation 0 C-bit Coding Violation, 0 P-bit Err Secs 0 P-bit Severely Err Secs, 0 Severely Err Framing Secs 0 Unavailable Secs, 0 Line Errored Secs 0 C-bit Errored Secs, 0 C-bit Severely Errored Secs 0 Severely Errored Line Secs 0 Far-End Errored Secs, 0 Far-End Severely Errored Secs 0 CP-bit Far-end Unavailable Secs 0 Near-end path failures, 0 Far-end path failures 0 Far-end code violations, 0 FERF Defect Secs 0 AIS Defect Secs, 0 LOS Defect Secs T1 1 is up timeslots: 1-24 FDL per AT&T 54016 spec. No alarms detected. 
Framing is ESF, Clock Source is Internal Data in current interval (104 seconds elapsed): 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs 0 Unavail Secs, 0 Stuffed Secs 0 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs Total Data (last 2 15 minute intervals): 0 Line Code Violations,0 Path Code Violations, 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins, 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs 0 Unavail Secs, 0 Stuffed Secs 0 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs The following example shows the output from the show controller sonet command on a Cisco 7600 series router with a 1-Port Channelized OC-12/STM-4 SPA installed: Router# show controllers sonet 2/0/0 Router#show controller sonet SONET 2/0/0 is up. Hardware is SPA-1XCHOC12/DS0 Applique type is Channelized Sonet/SDH Clock Source is Line Medium info: Type: Sonet, Line Coding: NRZ, SECTION: LOS = 1 LOF = 0 BIP(B1) = 234 SONET/SDH Section Tables INTERVAL CV ES SES SEFS 04:30-04:40 0 72 72 72 LINE: AIS = 0 RDI = 0 REI = 12755371 BIP(B2) = 3062 Active Defects: None Active Alarms: None16-12 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 16 Overview of the Serial SPAs Virtual Tributary Alarms Alarm reporting enabled for: SLOS SLOF Defect reporting enabled for: SF B1-TCA B2-TCA BER thresholds: SF = 10e-3 SD = 10e-6 TCA thresholds: B1 = 10e-6 B2 = 10e-6 SONET/SDH Line Tables INTERVAL CV ES SES UAS 04:30-04:40 19706 72 2 0 High Order Path: PATH 1: AIS = 0 RDI = 0 REI = 238693 BIP(B3) = 65856 LOP = 0 PSE = 248 NSE = 268 NEWPTR = 0 LOM = 0 PLM = 0 UNEQ = 0 Active Alarms: None Active Defects: None Alarm/Defect reporting enabled for: PLOP LOM B3-TCA TCA threshold: B3 = 10e-6 Rx: S1S0 = 00, C2 = 02 K1 = 00, K2 = 00 J0 = 01 Tx: S1S0 = 00, C2 = 02 K1 = 00, K2 = 00 J0 = 01 PATH TRACE BUFFER : STABLE 
PATH TRACE BUFFER : STABLE STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) is down VT Receiver has LP-T_MIS. timeslots: 1-24 FDL per AT&T 54016 spec. Transmitter is sending LOF Indication. Receiver is getting AIS. Framing is ESF, Clock Source is Internal Data in current interval (0 seconds elapsed): 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs 0 Unavail Secs, 0 Stuffed Secs The following example shows the output from the show controller sonet command on a Cisco 7600 series router with a 1-Port Channelized OC-12/STM-4 SPA installed: Router# show controllers sonet 2/0/0 Router#show controller sonet SONET 2/0/0 is up. Hardware is SPA-1XCHOC12/DS0 Applique type is Channelized Sonet/SDH Clock Source is Line Medium info: Type: Sonet, Line Coding: NRZ, SECTION: LOS = 1 LOF = 0 BIP(B1) = 234 SONET/SDH Section Tables INTERVAL CV ES SES SEFS 04:30-04:40 0 72 72 72 LINE: AIS = 0 RDI = 0 REI = 12755371 BIP(B2) = 3062 Active Defects: None Active Alarms: None Alarm reporting enabled for: SLOS SLOF Defect reporting enabled for: SF B1-TCA B2-TCA BER thresholds: SF = 10e-3 SD = 10e-6 TCA thresholds: B1 = 10e-6 B2 = 10e-6 SONET/SDH Line Tables INTERVAL CV ES SES UAS 04:30-04:40 19706 72 2 016-13 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 16 Overview of the Serial SPAs Virtual Tributary Alarms High Order Path: PATH 1: AIS = 0 RDI = 0 REI = 238693 BIP(B3) = 65856 LOP = 0 PSE = 248 NSE = 268 NEWPTR = 0 LOM = 0 PLM = 0 UNEQ = 0 Active Alarms: None Active Defects: None Alarm/Defect reporting enabled for: PLOP LOM B3-TCA TCA threshold: B3 = 10e-6 Rx: S1S0 = 00, C2 = 02 K1 = 00, K2 = 00 J0 = 01 Tx: S1S0 = 00, C2 = 02 K1 = 00, K2 = 00 J0 = 01 PATH TRACE BUFFER : STABLE OC3.STS1 2/2/0.1 is down. Hardware is SPA-1CHOC3-CE-ATM Applique type is VT1.5 STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) STS-1 1, VTG 1, T1 2 (VT1.5 1/1/2) Not configured. 
STS-1 1, VTG 1, T1 3 (VT1.5 1/1/3) Not configured. STS-1 1, VTG 1, T1 4 (VT1.5 1/1/4) Not configured. STS-1 1, VTG 5, T1 1 (VT1.5 1/5/1) is down VT Receiver has no alarm. timeslots: 1-24 FDL per AT&T 54016 spec. Transmitter is sending LOF Indication. Receiver is getting AIS. Framing is ESF, Clock Source is Internal Data in current interval (0 seconds elapsed): 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs 0 Unavail Secs, 0 Stuffed Secs16-14 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 16 Overview of the Serial SPAs Virtual Tributary AlarmsC H A P T E R 17-1 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 17 Configuring the 8-Port Channelized T1/E1 SPA This chapter provides information about configuring the 8-Port Channelized T1/E1 SPA on the Cisco 7600 series router. It includes the following sections: • Configuration Tasks, page 17-1 • Verifying the Interface Configuration, page 17-20 • Configuration Examples, page 17-21 For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications. For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii. Configuration Tasks This section describes how to configure the 8-Port Channelized T1/E1 SPA for the Cisco 7600 series router and includes information about verifying the configuration. 
It includes the following topics:
• Required Configuration Tasks, page 17-1
• Specifying the Interface Address on a SPA, page 17-6
• Optional Configurations, page 17-6
• Saving the Configuration, page 17-20

Required Configuration Tasks

This section lists the required configuration steps to configure the 8-Port Channelized T1/E1 SPA. Some of the required configuration commands implement default values that might be appropriate for your network. If the default value is correct for your network, then you do not need to configure the command.
• Setting the Card Type
• Enabling the Interfaces on the Controller
• Verifying Controller Configuration
• Setting the IP Address
• Verifying Interface Configuration

Note To better understand the address format used to specify the physical location of the SIP, SPA, and interfaces, see the “Specifying the Interface Address on a SPA” section on page 17-6.

Setting the Card Type

The SPA is not functional until the card type is set. Information about the SPA is not indicated in the output of any show commands until the card type has been set. There is no default card type.

Note Mixing of interface types is not supported. All ports on a SPA must be of the same type.

To set the card type for the 8-Port Channelized T1/E1 SPA, complete these steps:

Step 1  Router# configure terminal
        Enters global configuration mode.

Step 2  Router(config)# card type {e1 | t1} slot subslot
        Sets the serial mode for the SPA:
        • t1—Specifies T1 connectivity of 1.536 Mbps. B8ZS is the default line code for T1.
        • e1—Specifies a wide-area digital transmission scheme used predominantly in Europe that carries data at a rate of 1.984 Mbps in framed mode and 2.048 Mbps in unframed E1 mode.
        • slot subslot—Specifies the location of the SPA. See the “Specifying the Interface Address on a SPA” section on page 17-6.

Step 3  Router(config)# exit
        Exits configuration mode and returns to the EXEC command interpreter prompt.

Enabling the Interfaces on the Controller

To create the interfaces for the 8-Port Channelized T1/E1 SPA, complete these steps:

Step 1  Router(config)# controller {t1 | e1} slot/subslot/port
        Selects the controller to configure and enters controller configuration mode.
        • t1—Specifies the T1 controller.
        • e1—Specifies the E1 controller.
        • slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.

Step 2  Router(config-controller)# clock source {internal | line}
        Sets the clock source.
        Note The clock source is set to internal if the opposite end of the connection is set to line, and the clock source is set to line if the opposite end of the connection is set to internal.
        • internal—Specifies that the internal clock source is used.
        • line—Specifies that the network clock source is used. This is the default for T1 and E1.

Step 3  Router(config-controller)# linecode {ami | b8zs | hdb3}
        Selects the linecode type.
        • ami—Specifies Alternate Mark Inversion (AMI) as the linecode type. Valid for T1 and E1 controllers.
        • b8zs—Specifies binary 8-zero substitution (B8ZS) as the linecode type. Valid for T1 controllers only. This is the default for T1 lines.
        • hdb3—Specifies high-density binary 3 (HDB3) as the linecode type. Valid for E1 controllers only. This is the default for E1 lines.

Step 4  For T1 controllers: Router(config-controller)# framing {sf | esf}
        For E1 controllers: Router(config-controller)# framing {crc4 | no-crc4}
        Selects the framing type.
        • sf—Specifies Super Frame as the T1 frame type.
        • esf—Specifies Extended Super Frame as the T1 frame type. This is the default for T1.
        • crc4—Specifies CRC4 as the E1 frame type. This is the default for E1.
        • no-crc4—Specifies no CRC4 as the E1 frame type.

Step 5  Router(config-controller)# channel-group t1 t1-number {timeslots range | unframed} [speed {56 | 64}]
        Defines the time slots that belong to each T1 or E1 circuit.
        • t1 t1-number—Channel-group number. When configuring a T1 data line, channel-group numbers can be values from 1 to 28. When configuring an E1 data line, channel-group numbers can be values from 0 to 30.
        • timeslots range—One or more time slots or ranges of time slots belonging to the channel group. The first time slot is numbered 1. For a T1 controller, the time slot range is from 1 to 24. For an E1 controller, the time slot range is from 1 to 31.
        • unframed—Unframed mode (G.703) uses all 32 time slots for data. None of the 32 time slots are used for framing signals.
        • speed—(Optional) Speed of the underlying DS0s, in kbps.
          – 56—56-kbps DS0s.
          – 64—64-kbps DS0s.
        Note The default is 64 if speed is not specified in the configuration.
        Note Each channel group is presented to the system as a serial interface that can be configured individually.
        Note Once a channel group has been created with the channel-group command, the channel group cannot be changed without removing the channel group. To remove a channel group, see the section Changing a Channel Group Configuration, page 17-17.

Step 6  Router(config)# exit
        Exits configuration mode and returns to the EXEC command interpreter prompt.

Verifying Controller Configuration

Use the show controllers command to verify the controller configuration:

    Router(config)# show controllers t1
    T1 6/0/1 is up.
      Applique type is Channelized T1
      Cablelength is long gain36 0db
      No alarms detected.
      alarm-trigger is not set
      Framing is ESF, Line Code is B8ZS, Clock Source is Line.
      Data in current interval (395 seconds elapsed):
         0 Line Code Violations, 0 Path Code Violations
         0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
         0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
      Total Data (last 24 hours)
         0 Line Code Violations, 0 Path Code Violations,
         0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
         0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Setting the IP Address

To set the IP address for the 8-Port Channelized T1/E1 SPA, complete these steps:

Step 1  Router(config)# interface serial slot/subslot/port:channel-group
        Selects the interface to configure from global configuration mode.
        • slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.

Step 2  Router(config-if)# ip address address mask
        Sets the IP address and subnet mask.
        • address—IP address.
        • mask—Subnet mask.

Step 3  Router(config)# exit
        Exits configuration mode and returns to the EXEC command interpreter prompt.

Verifying Interface Configuration

Use the show interfaces command to verify the interface configuration:

    Router(config)# show interfaces
    . . .
    Serial6/0/1:0 is up, line protocol is up
      Hardware is SPA-T1E1
      MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation PPP, crc 16, loopback not set
      Keepalive set (10 sec)
      LCP Open, multilink Open
      Last input 00:00:03, output 00:00:03, output hang never
      Last clearing of "show interface" counters 5d17h
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3194905708
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         74223 packets input, 1187584 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicast)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         74227 packets output, 1187751 bytes, 0 underruns
         0 output errors, 0 collisions, 2 interface resets
         0 output buffer failures, 0 output buffers swapped out
         4 carrier transitions
      no alarm present
      Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags
    . . .

Specifying the Interface Address on a SPA

SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP, SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.

The following example shows how to specify the first interface (0) on a SPA installed in the first subslot of a SIP (0) installed in chassis slot 3:

    Router(config)# interface serial 3/0/0

This command shows a serial SPA as a representative example; the same slot/subslot/port format is also used for other SPAs (such as ATM and POS) and other non-channelized SPAs.

For the 8-Port Channelized T1/E1 SPA, the interface address format is slot/subslot/port:channel-group, where:
• channel-group—Specifies the logical channel group assigned to the timeslots within the T1 link.
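The required tasks above (card type, controller, channel group, IP address), put together for one port, as an added example that is not from the Cisco guide. It assumes the SPA sits in subslot 0 of the SIP in chassis slot 6; the channel-group number, the addresses and the far-end clock arrangement are constructed for this example, and the channel-group command is written in the form the T1 controller accepts (channel number followed by timeslots), which the guide's table spells as channel-group t1 t1-number.

```cisco
! Added example (not from the Cisco guide): required configuration for one
! port of an 8-Port Channelized T1/E1 SPA in slot 6, subslot 0. Addresses,
! channel-group number and IP addressing are constructed for this example.
configure terminal
!
! 1. Set the card type. The SPA is not functional and appears in no show
!    command until this is done. All eight ports become T1; T1 and E1
!    cannot be mixed on one SPA.
card type t1 6 0
!
! 2. Bring up the T1 controller for port 0 (slot/subslot/port).
controller t1 6/0/0
 ! Take timing from the network. The far end must then run
 ! "clock source internal": one end internal, the other line.
 clock source line
 ! B8ZS and ESF are the T1 defaults; they are set explicitly so that a
 ! later "show controllers t1" can be checked against intent.
 linecode b8zs
 framing esf
 ! Channel group 0 uses all 24 DS0s at 64 kbps ("speed 64" is the default
 ! and could be omitted). The group becomes interface Serial6/0/0:0 and
 ! cannot be changed later without removing it first.
 channel-group 0 timeslots 1-24 speed 64
 exit
!
! 3. Address the serial interface the channel group created
!    (format slot/subslot/port:channel-group).
interface serial 6/0/0:0
 ip address 192.0.2.1 255.255.255.252
 no shutdown
 exit
exit
!
! Verify. The controller should report "No alarms detected" with
! "Framing is ESF, Line Code is B8ZS, Clock Source is Line", and the
! interface should be "up, line protocol is up" with "no alarm present".
show controllers t1 6/0/0
show interfaces serial 6/0/0:0
```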
For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for SIPs, SSCs, and SPAs” section on page 4-2.

Optional Configurations

There are several standard, but optional, configurations that might be necessary to complete the configuration of your serial SPA.
• Configuring Framing, page 17-7
• Configuring Encapsulation, page 17-8
• Configuring the CRC Size for T1, page 17-9
• Configuring FDL, page 17-10
• Configuring Multilink Point-to-Point Protocol (Hardware-based), page 17-11
• Configuring MLFR for T1/E1, page 17-14
• Invert Data on the T1/E1 Interface, page 17-16
• Changing a Channel Group Configuration, page 17-17
• Configuring Multipoint Bridging, page 17-17
• Configuring Bridging Control Protocol Support, page 17-17
• Configuring BCP on MLPPP, page 17-17
• LFI Guidelines, page 17-19
• HW MLPPP LFI Guidelines, page 17-20
• FRF.12 LFI Guidelines, page 17-20
• Configuring QoS Features on Serial SPAs, page 17-20

Configuring Framing

Framing is used to synchronize data transmission on the line. Framing allows the hardware to determine when each packet starts and ends. To configure framing, use the following commands.

Router# configure terminal
        Enters global configuration mode.

Router(config)# controller {t1 | e1} slot/subslot/port
        Selects the controller to configure.
        • t1—Specifies the T1 controller.
        • e1—Specifies the E1 controller.
        • slot/subslot/port—Specifies the location of the controller. See the “Specifying the Interface Address on a SPA” section on page 17-6.

For T1 controllers: Router(config-controller)# framing {sf | esf}
For E1 controllers: Router(config-controller)# framing {crc4 | no-crc4}
        Sets the framing on the interface.
        • sf—Specifies Super Frame as the T1 frame type.
        • esf—Specifies Extended Super Frame as the T1 frame type. This is the default for T1.
        • crc4—Specifies CRC4 frame as the E1 frame type. This is the default for E1.
        • no-crc4—Specifies no CRC4 frame as the E1 frame type.

Verifying Framing Configuration

Use the show controllers command to verify the framing configuration:

    Router# show controllers t1
    T1 6/0/0 is down.
      Applique type is Channelized T1
      Cablelength is long gain36 0db
      Receiver has loss of frame.
      alarm-trigger is not set
      Framing is ESF, Line Code is B8ZS, Clock Source is Line.
      Data in current interval (717 seconds elapsed):
         0 Line Code Violations, 0 Path Code Violations
         0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
         0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 717 Unavail Secs
      Total Data (last 24 hours)
         0 Line Code Violations, 0 Path Code Violations,
         0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
         0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs

Configuring Encapsulation

When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate traffic. To set the encapsulation method, use the following commands:

Router# configure terminal
        Enters global configuration mode.

Router(config)# interface serial slot/subslot/port:channel-group
        Selects the interface to configure.
        • slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.

Router(config-if)# encapsulation {hdlc | ppp | frame-relay}
        Sets the encapsulation method on the interface.
        • hdlc—High-Level Data Link Control (HDLC) protocol for serial interface. This encapsulation method provides the synchronous framing and error detection functions of HDLC without windowing or retransmission. This is the default for synchronous serial interfaces.
        • ppp—PPP (for serial interface).
        • frame-relay—Frame Relay (for serial interface).

Verifying Encapsulation

Use the show interfaces serial command to verify encapsulation on the interface:

    Router# show interfaces serial 6/0/0:0
    Serial6/0/0:0 is down, line protocol is down
      Hardware is SPA-T1E1
      MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation PPP, crc 32, loopback not set
      Keepalive set (10 sec)
      LCP Closed, multilink Closed
      Last input 1w0d, output 1w0d, output hang never
      Last clearing of "show interface" counters 6d23h
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: weighted fair
      Output queue: 0/1000/64/0 (size/max total/threshold/drops)
         Conversations  0/0/256 (active/max active/max total)
         Reserved Conversations 0/0 (allocated/max allocated)
         Available Bandwidth 1152 kilobits/sec
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicast)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 output buffer failures, 0 output buffers swapped out
         0 carrier transitions
      alarm present
      Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags

Configuring the CRC Size for T1

All 8-Port Channelized T1/E1 SPA interfaces use a 16-bit cyclic redundancy check (CRC) by default, but also support a 32-bit CRC. CRC is an error-checking technique that uses a calculated numeric value to detect errors in transmitted data. The designators 16 and 32 indicate the length (in bits) of the frame check sequence (FCS). A CRC of 32 bits provides more powerful error detection, but adds overhead. Both the sender and receiver must use the same setting.

CRC-16, the most widely used CRC throughout the United States and Europe, is used extensively with WANs. CRC-32 is specified by IEEE 802 and as an option by some point-to-point transmission standards. It is often used on Switched Multimegabit Data Service (SMDS) networks and LANs.

To set the length of the cyclic redundancy check (CRC) on a T1 interface, use these commands:

Router# configure terminal
        Enters global configuration mode.

Router(config)# interface serial slot/subslot/port:channel-group
        Selects the interface to configure.
        • slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.

Router(config-if)# crc {16 | 32}
        Selects the CRC size in bits.
        • 16—16-bit CRC. This is the default.
        • 32—32-bit CRC.

Verifying the CRC Size

Use the show interfaces serial command to verify the CRC size set on the interface:

    Router# show interfaces serial 6/0/0:0
    Serial6/0/0:0 is up, line protocol is up
      Hardware is SPA-T1E1
      MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation PPP, crc 32, loopback not set
      Keepalive set (10 sec)
      LCP Open, multilink Open
      Last input 00:00:38, output 00:00:00, output hang never
      Last clearing of "show interface" counters 01:46:16
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         1272 packets input, 20396 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicast)
         0 runts, 0 giants, 0 throttles
         6 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 3 abort
         1276 packets output, 20460 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 output buffer failures, 0 output buffers swapped out
         0 carrier transitions
      no alarm present
      Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags

Configuring FDL

Facility Data Link (FDL) is a 4-kbps channel provided by the Extended Super Frame (ESF) T1 framing format. The FDL operates outside the payload capacity and allows you to check error statistics on terminating equipment without intrusion.

Router# configure terminal
        Enters global configuration mode.

Router(config)# controller t1 slot/subslot/port
        Selects the controller to configure.
        • slot/subslot/port—Specifies the location of the controller. See the “Specifying the Interface Address on a SPA” section on page 17-6.

Router(config-controller)# fdl [ansi | att | both]
        If the framing format was configured for esf, configures the format used for Facility Data Link (FDL).
        • ansi—Select ansi for FDL to use the ANSI T1.403 standard.
        • att—Select att for FDL to use the AT&T TR54016 standard.
        • both—Specifies support for both AT&T technical reference 54016 and ANSI T1.403 for ESF FDL exchange support.

Verifying FDL

Use the show controllers t1 command to verify the fdl setting:

    Router# show controllers t1
    T1 6/0/1 is up.
      Applique type is Channelized T1
      Cablelength is long gain36 0db
      No alarms detected.
      alarm-trigger is not set
      Framing is ESF, FDL is ansi, Line Code is B8ZS, Clock Source is Line.
      Data in current interval (742 seconds elapsed):
         0 Line Code Violations, 0 Path Code Violations
         0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
         0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
      Total Data (last 73 15 minute intervals):
         1278491 Line Code Violations, 3 Path Code Violations,
         0 Slip Secs, 1 Fr Loss Secs, 177 Line Err Secs, 0 Degraded Mins,
         3 Errored Secs, 0 Bursty Err Secs, 1 Severely Err Secs, 227 Unavail Secs
    . . .

Configuring Multilink Point-to-Point Protocol (Hardware-based)

Multilink Point-to-Point Protocol (MLPPP) allows you to combine T1 or E1 lines into a bundle that has the combined bandwidth of multiple T1/E1 lines.
You choose the number of bundles and the number of T1 or E1 lines in each bundle.

MLPPP for T1/E1 Configuration Guidelines

The required conditions are:
• Only T1 or E1 links in a bundle
• All links on the same SPA
• Maximum of 12 links in a bundle

Note Some notes about hardware-based MLPPP:
• Only three fragmentation sizes are possible: 128, 256, and 512 bytes.
• Fragmentation is enabled by default; the default size is 512 bytes.
• The fragmentation size is configured with the ppp multilink fragment-delay command after entering the interface multilink command. Of the three possible sizes, the router configures the one that satisfies the configured delay on a member link. For example, a 192-byte packet takes 1 millisecond to serialize on a T1 link, so a delay of 1 millisecond selects the nearest size that still fits, 128 bytes.
• The show ppp multilink command indicates the MLPPP type and the fragmentation size:

Router# show ppp multilink
Multilink1, bundle name is Patriot2
  Bundle up for 00:00:13
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned
  0 discarded, 0 lost received, 206/255 load
  0x0 received sequence, 0x0 sent sequence
  Member links: 2 active, 0 inactive (max not set, min not set)
    Se4/2/0/1:0, since 00:00:13, no frags rcvd
    Se4/2/0/2:0, since 00:00:10, no frags rcvd
Distributed fragmentation on. Fragment size 512. Multilink in Hardware.

• Fragmentation is disabled explicitly with the no ppp multilink fragmentation command after entering the interface multilink command.

Create a Multilink Bundle

To create a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface multilink group-number
    Creates a multilink interface and enters multilink interface mode.
    • group-number—The group number for the multilink bundle.
    Note Multilink interface numbers above 65535 are not supported. If you configure a multilink interface number greater than 65535, you lose connectivity on a switchover.
Router(config-if)# ip address address mask
    Sets the IP address for the multilink group.
    • address—The IP address.
    • mask—The IP netmask.

Assign an Interface to a Multilink Bundle

To assign an interface to a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port/t1-number:channel-group
    Selects the interface to configure and enters interface configuration mode. See the “Specifying the Interface Address on a SPA” section on page 17-6.
    • slot/subslot/port/t1-number:channel-group—Selects the interface to configure.
Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Router(config-if)# multilink-group group-number
    Assigns the interface to a multilink bundle.
    • group-number—The multilink group number for the T1 or E1 bundle.
Router(config-if)# ppp multilink
    Enables multilink PPP on the interface.
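The hardware MLPPP guidelines above say that only 128-, 256- and 512-byte fragments exist, that 512 is the default, and that the size chosen for ppp multilink fragment-delay is the one that satisfies the delay (192 bytes per millisecond on a T1, so 128 bytes for a 1 ms delay). The Python below is an added example, not Cisco code and not something the router runs; it works that selection out for a full T1, a full E1 or a fractional link of n timeslots, and reports the delay the chosen fragment actually imposes, which is also the longest a priority packet waits behind a fragment when LFI is used. The rule "largest supported size that does not exceed the delay budget" is this example's reading of "nearest size"; the 1536 and 1984 kbps payload rates are 24 and 31 timeslots at 64 kbps and are assumptions, not figures from the guide.

```python
"""Fragment size that hardware MLPPP on the 8-Port Channelized T1/E1 SPA
settles on for a given 'ppp multilink fragment-delay' value.

Added example, not Cisco code. The facts taken from the guide are the three
supported sizes, the 512-byte default and the worked case of 192 bytes per
millisecond on a T1. The rule 'largest supported size that does not exceed
the delay budget' is this example's reading of 'nearest size' (assumption).
"""

HW_FRAGMENT_SIZES = (128, 256, 512)  # the only sizes the SPA supports
DEFAULT_FRAGMENT_SIZE = 512          # used when no fragment-delay is set

# Payload rate of a full T1 (24 x 64 kbps) and a full E1 (31 x 64 kbps).
# Assumed link rates, not taken from the guide.
FULL_LINK_KBPS = {"t1": 1536, "e1": 1984}


def member_link_kbps(link="t1", timeslots=None):
    """Rate of one member link; a fractional T1/E1 runs at timeslots x 64 kbps."""
    if timeslots is not None:
        return timeslots * 64
    return FULL_LINK_KBPS[link]


def delay_budget_bytes(delay_ms, link="t1", timeslots=None):
    """Bytes serialized on the link in delay_ms (192 for 1 ms on a full T1)."""
    return delay_ms * member_link_kbps(link, timeslots) / 8


def hw_fragment_size(delay_ms=None, link="t1", timeslots=None):
    """Supported size the router configures for the given delay.

    Largest of the three sizes that fits in the delay budget (assumed rule).
    If even 128 bytes overshoots, 128 is the closest the hardware offers.
    """
    if delay_ms is None:
        return DEFAULT_FRAGMENT_SIZE
    budget = delay_budget_bytes(delay_ms, link, timeslots)
    fitting = [size for size in HW_FRAGMENT_SIZES if size <= budget]
    return max(fitting) if fitting else HW_FRAGMENT_SIZES[0]


def fragment_delay_ms(fragment_size, link="t1", timeslots=None):
    """Serialization time of one fragment. With LFI this is the longest a
    priority packet waits behind a fragment that is already on the wire."""
    return fragment_size * 8 / member_link_kbps(link, timeslots)


def plan(delay_ms=None, link="t1", timeslots=None):
    """What a fragment-delay setting actually yields on the member link."""
    size = hw_fragment_size(delay_ms, link, timeslots)
    actual = fragment_delay_ms(size, link, timeslots)
    return {
        "requested_ms": delay_ms,
        "budget_bytes": None if delay_ms is None
        else delay_budget_bytes(delay_ms, link, timeslots),
        "fragment_size": size,
        "actual_ms": round(actual, 3),
        # False when the hardware cannot honour the requested delay at all
        "meets_delay": delay_ms is None or actual <= delay_ms,
    }


if __name__ == "__main__":
    # The guide's own case: 1 ms on a T1 is a 192-byte budget, so 128 bytes.
    print(plan(1))
    # A 4-timeslot fractional T1 (256 kbps) needs 10 ms before 256 bytes fit.
    print(plan(10, timeslots=4))
    # Below about 0.67 ms a full T1 cannot meet the delay with any size.
    print(plan(0.5))
```

Run it with no arguments to see the three cases; plan(0.5) returns meets_delay False, which is the case to watch for on fractional links, where a delay that looks generous on a full T1 may still be shorter than one 128-byte fragment.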
Repeat the commands in the preceding table for each interface you want to assign to the multilink bundle.

Configuring Fragmentation Size on an MLPPP Bundle (optional)

To configure the fragmentation size on a multilink PPP bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface multilink group-number
    Selects the multilink interface and enters multilink interface mode.
    • group-number—The group number for the multilink bundle. Range 1 to 2147483647.
Router(config-if)# ppp multilink fragment-delay delay
    Sets the fragmentation size that satisfies the configured delay on the multilink bundle. The hardware uses only 128, 256, or 512 bytes, so the delay you enter is mapped to the nearest of those sizes.
    • delay—Delay in milliseconds.

Disabling Fragmentation on an MLPPP Bundle (optional)

To disable fragmentation on a multilink PPP bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface multilink group-number
    Selects the multilink interface and enters multilink interface mode.
    • group-number—The group number for the multilink bundle. Range 1 to 2147483647.
Router(config-if)# no ppp multilink fragmentation
    Disables fragmentation on the multilink bundle.

Verifying Multilink PPP

Use the show ppp multilink command to verify the PPP multilinks:

Router# show ppp multilink
Multilink1, bundle name is mybundle
  Bundle up for 01:40:50
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned
  0 discarded, 0 lost received, 1/255 load
  0x0 received sequence, 0x0 sent sequence
  Member links: 5 active, 0 inactive (max not set, min not set)
    Se6/0/0/1:0, since 01:40:50, no frags rcvd
    Se6/0/1/1:0, since 01:40:09, no frags rcvd
    Se6/0/3/1:0, since 01:15:44, no frags rcvd
    Se6/0/4/1:0, since 01:03:17, no frags rcvd
    Se6/0/6/1:0, since 01:01:06, no frags rcvd
    Se6/0/6:0, since 01:01:06, no frags rcvd

Configuring MLFR for T1/E1

Multilink Frame Relay (MLFR) allows you to combine T1/E1 lines into a bundle that has the combined bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of T1/E1 lines in each bundle. This allows you to increase the bandwidth of your network links beyond that of a single T1/E1 line.

MLFR for T1/E1 Configuration Guidelines

MLFR functions in hardware if all of the following conditions are met:
• Only T1 or E1 member links
• All links are on the same SPA
• Maximum of 12 links in a bundle

Create a Multilink Bundle

To create a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface mfr number
    Configures a multilink Frame Relay bundle interface.
    • number—The number for the Frame Relay bundle.
Router(config-if)# frame-relay multilink bid name
    (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle.
    • name—The name for the Frame Relay bundle.
    Note The bundle identification (BID) does not take effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is to use the shutdown and no shutdown commands in interface configuration mode.

Assign an Interface to a Multilink Bundle

To assign an interface to a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port:channel-group
    Selects the interface to assign.
    • slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.
Router(config-if)# encapsulation frame-relay mfr number [name]
    Creates a multilink Frame Relay bundle link and associates the link with a bundle.
    • number—The number for the Frame Relay bundle.
    • name—The name for the Frame Relay bundle.
Router(config-if)# frame-relay multilink lid name
    (Optional) Assigns a bundle link identification name to a multilink Frame Relay bundle link.
    • name—The name for the bundle link.
    Note The bundle link identification (LID) does not take effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is to use the shutdown and no shutdown commands in interface configuration mode.
Router(config-if)# frame-relay multilink hello seconds
    (Optional) Configures the interval at which a bundle link sends hello messages. The default value is 10 seconds.
    • seconds—Number of seconds between hello messages sent over the multilink bundle.
Router(config-if)# frame-relay multilink ack seconds
    (Optional) Configures the number of seconds that a bundle link waits for a hello message acknowledgment before resending the hello message. The default value is 4 seconds.
    • seconds—Number of seconds a bundle link waits for a hello message acknowledgment before resending the hello message.
Router(config-if)# frame-relay multilink retry number
    (Optional) Configures the maximum number of times a bundle link resends a hello message while waiting for an acknowledgment. The default value is 2 tries.
    • number—Maximum number of times a bundle link resends a hello message while waiting for an acknowledgment.

Verifying Multilink Frame Relay

Use the show frame-relay multilink detailed command to verify the Frame Relay multilinks:

Router# show frame-relay multilink detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
 BID = MFR49
 No. of bundle links = 1, Peer's bundle-id =
 Bundle links:
  Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
   Cause code = none, Ack timer = 4, Hello timer = 10,
   Max retry count = 2, Current count = 0,
   Peer LID = , RTT = 0 ms
   Statistics:
   Add_link sent = 21, Add_link rcv'd = 0,
   Add_link ack sent = 0, Add_link ack rcv'd = 0,
   Add_link rej sent = 0, Add_link rej rcv'd = 0,
   Remove_link sent = 0, Remove_link rcv'd = 0,
   Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
   Hello sent = 0, Hello rcv'd = 0,
   Hello_ack sent = 0, Hello_ack rcv'd = 0,
   outgoing pak dropped = 0, incoming pak dropped = 0

In this output the bundle is still down: the link stays in the Add_sent state because the far end has not acknowledged any of the 21 Add_link messages, and no peer bundle ID or LID has been learned. Until the peer answers, the bundle cannot come up.

Invert Data on the T1/E1 Interface

If the interface on the 8-Port Channelized T1/E1 SPA is used to drive a dedicated T1 line that does not have B8ZS encoding, you must invert the data stream on the connecting CSU/DSU or on the interface. Do not invert data on both the CSU/DSU and the interface, because two data inversions cancel each other out.

To invert data on a T1/E1 interface, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port:channel-group
    Selects the serial interface.
Router(config-if)# invert data
    Inverts the data stream.

Use the show running-config command to verify that invert data has been set:

Router# show running-config
.
.
.
interface Serial6/0/0:0
 no ip address
 encapsulation ppp
 logging event link-status
 load-interval 30
 invert data
 no cdp enable
 ppp chap hostname group1
 ppp multilink
 multilink-group 1
!
.
.
.

Changing a Channel Group Configuration

To alter the configuration of an existing channel group, you must first remove the channel group with the no channel-group command in controller configuration mode and then create a new channel group with the new configuration. The commands are listed below, after the BCP on MLPPP guidelines.

Configuring Multipoint Bridging

Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay PVCs, BCP ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks. Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud. This also allows service providers to gradually update their core networks to the latest Gigabit Ethernet optical technologies while still supporting their existing customer base.

For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring Multipoint Bridging” section on page 4-36.

Configuring Bridging Control Protocol Support

The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN (VLAN), and high-speed switched LANs.

For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature Compatibility by SIP and SPA Combination”.
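The two verification outputs earlier in this chapter, show ppp multilink under “Verifying Multilink PPP” and show frame-relay multilink detailed under “Verifying Multilink Frame Relay”, are what an operator reads when a bundle does not come up. The Python below is an added example, not Cisco code and not something the router runs; it parses captured copies of those two outputs (the samples are copied from this chapter, trimmed to the lines the checks read, and the MFR sample is the one showing a bundle stuck in Add_sent) and returns the findings worth acting on. The failure-detection time it derives from the hello, ack and retry timers is an assumed model of how those timers compose, not a figure from the guide.

```python
"""Health check over the 'show ppp multilink' and 'show frame-relay multilink
detailed' outputs this chapter uses for verification.

Added example, not Cisco code; it reads captured CLI text and never talks to
a router. Both samples are copied from this chapter and trimmed.
"""
import re

MLPPP_SAMPLE = """\
Multilink1, bundle name is mybundle
Bundle up for 01:40:50
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 1/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 5 active, 0 inactive (max not set, min not set)
Se6/0/0/1:0, since 01:40:50, no frags rcvd
Se6/0/1/1:0, since 01:40:09, no frags rcvd
Se6/0/3/1:0, since 01:15:44, no frags rcvd
Se6/0/4/1:0, since 01:03:17, no frags rcvd
Se6/0/6/1:0, since 01:01:06, no frags rcvd
"""

MFR_SAMPLE = """\
Bundle: MFR49, State = down, class = A, fragmentation disabled
BID = MFR49
No. of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
Cause code = none, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0,
Peer LID = , RTT = 0 ms
Statistics:
Add_link sent = 21, Add_link rcv'd = 0,
Add_link ack sent = 0, Add_link ack rcv'd = 0,
Add_link rej sent = 0, Add_link rej rcv'd = 0,
Hello sent = 0, Hello rcv'd = 0,
Hello_ack sent = 0, Hello_ack rcv'd = 0,
outgoing pak dropped = 0, incoming pak dropped = 0
"""

# "<message> <sent|rcv'd> = <n>" pairs in the Statistics block.
COUNTER = re.compile(r"((?:Add_link|Remove_link|Hello|outgoing|incoming)[\w' ]*?) = (\d+)")


def _int(pattern, text):
    """First integer captured by pattern, or 0 if the line is absent."""
    m = re.search(pattern, text, re.M)
    return int(m.group(1)) if m else 0


def parse_ppp_multilink(text):
    """Bundle identity, distribution, error counters and member links."""
    head = re.search(r"^(\S+), bundle name is (.+?)\s*$", text, re.M)
    links = re.search(r"Member links: (\d+) active, (\d+) inactive", text)
    return {
        "interface": head.group(1),
        "bundle": head.group(2),
        "distributed": "Bundle is Distributed" in text,  # hardware MLPPP
        "lost_fragments": _int(r"^(\d+) lost fragments", text),
        "discarded": _int(r"^(\d+) discarded", text),
        "active": int(links.group(1)),
        "inactive": int(links.group(2)),
        "members": re.findall(r"^(Se\S+), since", text, re.M),
    }


def parse_mfr_detailed(text):
    """Bundle/link state, FRF.16 timers and the control-message counters."""
    head = re.search(r"Bundle: (\S+), State = (\w+), class = \w+, fragmentation (\w+)", text)
    link = re.search(r"^(\S+), HW state = (\w+), link state = (\w+), LID = (\S*)", text, re.M)
    timers = dict(re.findall(r"(Ack timer|Hello timer|Max retry count) = (\d+)", text))
    stats = {k: int(v) for k, v in COUNTER.findall(text.split("Statistics:", 1)[1])}
    return {
        "bundle": head.group(1), "state": head.group(2), "fragmentation": head.group(3),
        "links": _int(r"No\. of bundle links = (\d+)", text),
        "link": link.group(1), "hw_state": link.group(2),
        "link_state": link.group(3), "lid": link.group(4),
        "hello": int(timers["Hello timer"]), "ack": int(timers["Ack timer"]),
        "retry": int(timers["Max retry count"]), "stats": stats,
    }


def mfr_failure_detect_secs(hello, ack, retry):
    """Worst-case seconds before a silent peer is declared down: one hello
    interval, then the ack timer expiring for the first hello and for each
    of the 'retry' retransmissions. Assumed timer model, not from the guide."""
    return hello + ack * (retry + 1)


def assess(mlppp, mfr):
    """Conditions an operator should act on, as short strings."""
    findings = []
    name = mlppp["interface"]
    if not mlppp["distributed"]:
        findings.append(f"{name}: bundle is not distributed, so it is not running in hardware")
    if mlppp["inactive"]:
        findings.append(f"{name}: {mlppp['inactive']} member link(s) inactive")
    if mlppp["lost_fragments"] or mlppp["discarded"]:
        findings.append(f"{name}: {mlppp['lost_fragments']} lost / {mlppp['discarded']} discarded fragments")
    if len(mlppp["members"]) != mlppp["active"]:
        findings.append(f"{name}: {len(mlppp['members'])} links listed but {mlppp['active']} active")
    s = mfr["stats"]
    if mfr["state"] != "up":
        findings.append(f"{mfr['bundle']}: bundle state is {mfr['state']}")
    if mfr["link_state"] == "Add_sent" and s.get("Add_link sent") and not s.get("Add_link ack rcv'd"):
        findings.append(f"{mfr['link']}: {s['Add_link sent']} Add_link sent and none acknowledged; "
                        "the far end is not answering, so check that MFR is configured on the peer link")
    return findings


if __name__ == "__main__":
    for line in assess(parse_ppp_multilink(MLPPP_SAMPLE), parse_mfr_detailed(MFR_SAMPLE)):
        print(line)
```

On the chapter's own samples the MLPPP bundle is clean and the two findings both concern MFR49: the bundle is down, and Serial6/0/0:0 has sent 21 Add_link messages without a single acknowledgment, which is the signature of a peer that is not running MFR on that link. With the default timers (hello 10, ack 4, retry 2) the assumed model gives 22 seconds before a link that was up goes silent long enough to be declared down.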
Removing a channel group

To remove an existing channel group, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# controller {t1 | e1} slot/subslot/port
    Selects the controller to configure and enters controller configuration mode.
    • slot/subslot/port—Specifies the location of the interface. See “Specifying the Interface Address on a SPA” on page 17-6.
Router(config-controller)# no channel-group t1 t1-number
    Removes the channel group.
    • t1 t1-number—Channel-group number.

Then follow the steps in “Enabling the Interfaces on the Controller” on page 17-3 to create a new channel group with the new configuration.

Configuring BCP on MLPPP

BCP on MLPPP Configuration Guidelines
• Only distributed MLPPP is supported.
• Only channelized interfaces are allowed, and member links must be from the same controller card.
• Only trunk-port BCP is supported on MLPPP.
• Bridging can be configured only on the bundle interface.

Note BCP on MLPPP operates only in trunk mode. For more information on trunk mode, see the “Configuring BCP in Trunk Mode” section on page 4-60.

Note When you manually configure the MTU and MRRU values on the bundle interface with BCP on MLPPP, set the MRRU value to at least 20 bytes more than the MTU value. This ensures that packets up to the configured MTU of the multilink interface are not dropped because of the MRRU restriction.

Configuring BCP on MLPPP Trunk Mode

To configure BCP on MLPPP in trunk mode, perform these steps:

Step 1  Router(config)# interface multilink
    Selects the multilink interface.
Step 2  Router(config-if)# switchport
    Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.
Step 3  Router(config-if)# switchport trunk allowed vlan 100
    By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.
Step 4  Router(config-if)# switchport mode trunk
    Configures the router port connected to the switch as a VLAN trunk port.
Step 5  Router(config-if)# switchport nonegotiate
    Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames.
Step 6  Router(config-if)# no ip address
    Removes the assigned IP address.
Step 7  Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 8  Router(config-if)# multilink-group 1
    Assigns this interface to multilink group 1.
Step 9  Router(config-if)# interface Serial1/0/0.1/1/1/1:0
    Selects the first serial interface to add to the multilink bundle.
Step 10 Router(config-if)# no ip address
    Unassigns the IP address.
Step 11 Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Step 12 Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 13 Router(config-if)# multilink-group 1
    Assigns this interface to multilink group 1.
Step 14 Router(config-if)# interface Serial1/0/0.1/1/1/2:0
    Selects the second serial interface to add to the multilink bundle.
Step 15 Router(config-if)# no ip address
    Unassigns the IP address.
Step 16 Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Step 17 Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 18 Router(config-if)# multilink-group 1
    Assigns this interface to multilink group 1.
Step 19 Router(config-if)# shutdown
    Shuts down the interface.
Step 20 Router(config-if)# no shutdown
    Reopens the interface.
Step 21 Router(config-if)# switchport trunk allowed vlan vlan-list
    By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.

Because no VLANs are allowed on the trunk by default, the switchport trunk allowed vlan list is what limits which VLANs the bundle can carry; allow only the VLANs that belong on this bundle, and keep switchport nonegotiate so the port never negotiates trunking with the far end.

Verifying BCP on MLPPP Trunk Mode

To display information about Multilink PPP, use the show ppp multilink command in EXEC mode:

Router# show ppp multilink
    Displays information on a multilink group.

The following shows an example of show ppp multilink:

Router# show ppp multilink
Multilink1, bundle name is group 1
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent
  0 discarded, 0 lost received, 1/255 load
  Member links: 4 active, 0 inactive (max not set, min not set)
    Serial1/0/0/:1
    Serial1/0/0/:2
    Serial1/0/0/:3
    Serial1/0/0/:4

FRF.12 Guidelines

FRF.12 functions in hardware. Note the following:
• Only three fragmentation sizes are available: 128 bytes, 256 bytes, and 512 bytes. The supported fragment sizes (128, 256, and 512) include the FRF and NLPID headers in addition to the payload.
• If a Cisco 7600 router acts as a Provider Edge (PE) router between Customer Edge (CE) routers, you can configure the Cisco 7600 in plain Frame Relay or Frame Relay Fragmentation mode. If you enable Frame Relay Fragmentation only at the CE routers and the Cisco 7600 acts as a plain Frame Relay interface, the configuration works. If, on a Cisco 7600 with any of the three SPAs (8-Port Channelized T1/E1 SPA, 1-Port Channelized OC-3/STM-1 SPA, or 2-Port or 4-Port CT3 SPA), Frame Relay is configured on the serial interface and Frame Relay Fragmentation is enabled on any of the subinterfaces, the fragmented packets may be dropped on the transparent DLCIs. For such a configuration to work, set the fragment size on the main interface larger than any CE router fragmentation size with the command frame-relay fragment x end-to-end, where x is the fragmentation size on the main interface.

LFI Guidelines

LFI can function in two ways: using FRF.12 or using MLPPP. MLPPP LFI can be done in both hardware and software, while FRF.12 LFI is done only in hardware.

HW MLPPP LFI Guidelines

LFI using MLPPP functions in hardware only if there is just one member link in the MLPPP bundle. The link can be a fractional T1 or a full T1. Note the following:
• The ppp multilink interleave command must be configured to enable interleaving.
• Only three fragmentation sizes are supported: 128 bytes, 256 bytes, and 512 bytes.
• Fragmentation is enabled by default, the default size being 512 bytes.
• A policy map with a priority class must be applied to the main interface.
• When hardware-based LFI is enabled, fragmentation counters are not displayed.

FRF.12 LFI Guidelines

LFI using FRF.12 is always done in hardware. Note the following:
• Fragmentation is configured at the main interface.
• Only three fragmentation sizes are available: 128 bytes, 256 bytes, and 512 bytes.
• A policy map with a priority class must be applied to the main interface.

Configuring QoS Features on Serial SPAs

The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For information about the QoS features supported by the serial SPAs, see the “Configuring QoS Features on a SIP” section on page 4-94.

Saving the Configuration

To save your running configuration to nonvolatile random-access memory (NVRAM), use the following command in privileged EXEC mode:

For more information about managing configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.
Router# copy running-config startup-config
    Writes the new configuration to NVRAM.

Verifying the Interface Configuration

Besides using the show running-config command to display your Cisco 7600 series router configuration settings, you can use the show interfaces serial and show controllers serial commands to get detailed information on a per-port basis for your 8-Port Channelized T1/E1 SPA.

Verifying Per-Port Interface Status

To find detailed interface information on a per-port basis for the 8-Port Channelized T1/E1 SPA, use the show interfaces serial command. The following example provides sample output for interface port 0 on the SPA located in the first subslot of the SIP installed in slot 6 of a Cisco 7609 router:

Router# show interface serial 6/0/0:0
Serial6/0/0:0 is up, line protocol is up
  Hardware is SPA-T1E1
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, crc 32, loopback not set
  Keepalive set (10 sec)
  LCP Open, multilink Open
  Last input 00:00:38, output 00:00:00, output hang never
  Last clearing of "show interface" counters 01:46:16
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     1272 packets input, 20396 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     6 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 3 abort
     1276 packets output, 20460 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
  no alarm present
  Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags

Configuration Examples

This section includes the following configuration examples:
• Framing and Encapsulation Configuration Example, page 17-21
• CRC Configuration Example, page 17-22
• Facility Data Link Configuration Example, page 17-22
• MLPPP Configuration Example, page 17-23
• MFR Configuration Example, page 17-23
• Invert Data on the T1/E1 Interface Example, page 17-24

Framing and Encapsulation Configuration Example

The following example sets the framing and encapsulation for the controller and interface:

! Specify the controller and enter controller configuration mode
!
Router(config)# controller t1 6/0/0
!
! Specify the framing method
!
Router(config-controller)# framing esf
!
! Exit controller configuration mode and return to global configuration mode
!
Router(config-controller)# exit
!
! Specify the interface and enter interface configuration mode
!
Router(config)# interface serial 6/0/0:0
!
! Specify the encapsulation protocol
!
Router(config-if)# encapsulation ppp
!
! Exit interface configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit

CRC Configuration Example

The following example sets the CRC size for the interface:

! Specify the interface and enter interface configuration mode
!
Router(config)# interface serial 6/0/0:0
!
! Specify the CRC size
!
Router(config-if)# crc 32
!
! Exit interface configuration mode and return to global configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit

Facility Data Link Configuration Example

The following example configures Facility Data Link:

! Specify the controller and enter controller configuration mode
!
Router(config)# controller t1 6/0/0
!
! Specify the FDL specification
!
Router(config-controller)# fdl ansi
!
! Exit controller configuration mode and return to global configuration mode
!
Router(config-controller)# exit
!
! Exit global configuration mode
!
Router(config)# exit

MLPPP Configuration Example

The following example creates a PPP Multilink bundle. The address 192.0.2.1 is a placeholder from the documentation range; use an address from your own addressing plan.

! Enter global configuration mode
!
Router# configure terminal
!
! Create a multilink bundle and assign a group number to the bundle
!
Router(config)# interface multilink 1
!
! Specify an IP address for the multilink group
!
Router(config-if)# ip address 192.0.2.1 255.255.255.0
!
! Enable Multilink PPP
!
Router(config-if)# ppp multilink
!
! Leave interface multilink configuration mode
!
Router(config-if)# exit
!
! Specify the interface to assign to the multilink bundle
!
Router(config)# interface serial 3/1/0:1
!
! Enable PPP encapsulation on the interface
!
Router(config-if)# encapsulation ppp
!
! Assign the interface to a multilink bundle
!
Router(config-if)# multilink-group 1
!
! Enable Multilink PPP
!
Router(config-if)# ppp multilink
!
! Exit interface configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit

MFR Configuration Example

The following example configures Multilink Frame Relay (MFR):

! Create an MFR interface and enter interface configuration mode
!
Router(config)# interface mfr 49
!
! Assign the bundle identification (BID) name 'test' to a multilink bundle
!
Router(config-if)# frame-relay multilink bid test
!
! Exit interface configuration mode and return to global configuration mode
!
Router(config-if)# exit
!
! Specify the serial interface to assign to a multilink bundle
!
Router(config)# interface serial 5/1/3:0
!
! Create a multilink Frame Relay bundle link and associate the link with a multilink bundle
!
Router(config-if)# encapsulation frame-relay mfr 49
!
! Assign a bundle link identification (LID) name to the multilink bundle link
!
Router(config-if)# frame-relay multilink lid test
!
! Configure the interval at which the interface sends hello messages
!
Router(config-if)# frame-relay multilink hello 15
!
! Configure the number of seconds the interface waits for a hello message acknowledgment before resending the hello message
!
Router(config-if)# frame-relay multilink ack 6
!
! Configure the maximum number of times the interface resends a hello message while waiting for an acknowledgment
!
Router(config-if)# frame-relay multilink retry 5
!
! Exit interface configuration mode and return to global configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit

Invert Data on the T1/E1 Interface Example

The following example inverts the data on the serial interface:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 5/1/3:0
!
! Configure invert data
!
Router(config-if)# invert data
!
! Exit interface configuration mode and return to global configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit

CHAPTER 18

Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs

This chapter provides information about configuring the 2-Port and 4-Port Clear Channel T3/E3 Shared Port Adapters (SPAs) on the Cisco 7600 series router.
It includes the following sections: • Configuration Tasks, page 18-1 • Verifying the Interface Configuration, page 18-17 • Configuration Examples, page 18-19 For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications. For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii. Configuration Tasks This section describes how to configure the 2-Port Clear Channel T3/E3 SPA for the Cisco 7600 series router and includes information about verifying the configuration. It includes the following topics: • Required Configuration Tasks, page 18-2 • Specifying the Interface Address on a SPA, page 18-5 • Optional Configurations, page 18-5 • Saving the Configuration, page 18-1718-2 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 18 Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs Configuration Tasks Required Configuration Tasks This section lists the required configuration steps to configure the 2-Port and 4-Port Clear Channel T3/E3 SPA. Some of the required configuration commands implement default values that might be appropriate for your network. If the default value is correct for your network, then you do not need to configure the command. • Setting the Card Type • Configure the Interface Note To better understand the address format used to specify the physical location of the Spa Interface Processor (SIP), SPA, and interfaces, see the: “Specifying the Interface Address on a SPA” section on page 18-5. 
Setting the Card Type The SPA is not functional until the card type is set. Information about the SPA is not indicated in the output of any show commands until the card type has been set. There is no default card type. Note Mixing of interface types is not supported. All ports on a SPA will be the of the same type. To set the card type for the 2-Port and 4-Port Clear Channel T3/E3 SPA, complete these steps: Command Purpose Step 1 Router# configure terminal Enters global configuration mode. Step 2 Router(config)# card type {t3 | e3} slot subslot Sets the serial mode for the SPA: • t3—Specifies T3 connectivity of 44210 kbps through the network, using B3ZS coding. • e3—Specifies a wide-area digital transmission scheme used predominantly in Europe that carries data at a rate of 34010 kbps. • slot subslot—Specifies the location of the SPA. See the: “Specifying the Interface Address on a SPA” section on page 18-5 Step 3 Router(config)# exit Exit configuration mode and return to the EXEC command interpreter prompt.18-3 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 18 Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs Configuration Tasks Configure the Interface To set the ip address for the 2-Port and 4-Port Clear Channel T3/E3 SPA, complete these steps: Verifying Controller Configuration Use the show controllers command to verify the controller configuration: Router# show controllers serial 6/0/0 Serial6/0/0 - Framing is c-bit, Clock Source is Line Bandwidth limit is 44210, DSU mode 0, Cable length is 10 rx FEBE since last clear counter 2, since reset 0 Data in current interval (546 seconds elapsed): 0 Line Code Violations, 0 P-bit Coding Violation 0 C-bit Coding Violation 0 P-bit Err Secs, 0 P-bit Sev Err Secs 0 Sev Err Framing Secs, 0 Unavailable Secs 0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs Data in Interval 1: 0 Line Code Violations, 0 P-bit Coding Violation 0 C-bit Coding Violation 0 P-bit Err 
Secs, 0 P-bit Sev Err Secs 0 Sev Err Framing Secs, 0 Unavailable Secs 0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs . . . Data in Interval 44: 0 Line Code Violations, 0 P-bit Coding Violation 0 C-bit Coding Violation 0 P-bit Err Secs, 0 P-bit Sev Err Secs 0 Sev Err Framing Secs, 0 Unavailable Secs 560 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs Total Data (last 44 15 minute intervals): 0 Line Code Violations, 0 P-bit Coding Violation, Command Purpose Step 1 Router(config)# interface serial slot/subslot/port Selects the interface to configure and enters interface configuration mode. • slot/subslot/port—Specifies the location of the interface. See the: “Specifying the Interface Address on a SPA” section on page 18-5 Step 2 Router(config-if)# ip address address mask Sets the IP address and subnet mask. • address—IP address • mask—Subnet mask Step 3 Router(config-if)# clock source {internal | line} Sets the clock source to internal. • internal—Specifies that the internal clock source is used. • line—Specifies that the network clock source is used. This is the default. Step 4 Router(config-if)# no shut Enables the interface. Step 5 Router(config)# exit Exits configuration mode and returns to the EXEC command interpreter prompt.18-4 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 18 Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs Configuration Tasks 0 C-bit Coding Violation, 0 P-bit Err Secs, 0 P-bit Sev Err Secs, 0 Sev Err Framing Secs, 0 Unavailable Secs, 24750 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs Transmitter is sending AIS. Receiver has loss of signal. 
  40434 Sev Err Line Secs, 0 Far-End Err Secs, 0 Far-End Sev Err Secs
  0 P-bit Unavailable Secs, 0 CP-bit Unavailable Secs
  0 CP-bit Far-end Unavailable Secs
  0 Near-end path failures, 0 Far-end path failures
  No FEAC code is being received
  MDL transmission is disabled

Use the show controllers brief command to view a subset of the show controllers output:

Router# show controllers serial 6/0/2 brief
Serial6/0/2 - Framing is c-bit, Clock Source is Internal
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 0, since reset 22
  No alarms detected.
  No FEAC code is being received
  MDL transmission is disabled

Verifying Interface Configuration

Use the show interfaces command to verify the interface configuration:

Router# show interfaces serial 6/0/0
Serial6/0/0 is up, line protocol is up
  Hardware is SPA-4T3E3
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 12/255, rxload 56/255
  Encapsulation FRAME-RELAY, crc 16, loopback not set
  Keepalive set (10 sec)
  LMI enq sent 13477, LMI stat recvd 13424, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 19, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 1023 LMI type is CISCO frame relay DTE
  FR SVC disabled, LAPF state down
  Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
  Last input 00:00:09, output 00:00:09, output hang never
  Last clearing of "show interface" counters 1d13h
  Input queue: 0/75/3/3891 (size/max/drops/flushes); Total output drops: 5140348
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 9716000 bits/sec, 28149 packets/sec
  5 minute output rate 2121000 bits/sec, 4466 packets/sec
     14675957334 packets input, 645694448563 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     14562482078 packets output, 640892196653 bytes, 0 underruns
     0 output errors, 0 applique, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     rxLOS inactive, rxLOF inactive, rxAIS inactive
     txAIS inactive, rxRAI inactive, txRAI inactive

Serial6/0/0.16 is up, line protocol is up
  Hardware is SPA-4T3E3
  Internet address is 110.1.1.2/24
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 11/255, rxload 53/255
  Encapsulation FRAME-RELAY

Specifying the Interface Address on a SPA

SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP, SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:

• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.

The following example shows how to specify the first interface (0) on a SPA installed in the first subslot (0) of a SIP installed in chassis slot 3:

Router(config)# interface serial 3/0/0

This command shows a serial SPA as a representative example; the same slot/subslot/port format is used for other SPAs (such as ATM and POS) and other non-channelized SPAs. For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for SIPs, SSCs, and SPAs” section on page 4-2.

Optional Configurations

There are several standard, but optional, configurations that might be necessary to complete the configuration of your serial SPA.
• Configuring Data Service Unit Mode, page 18-6
• Configuring Maintenance Data Link, page 18-8
• Configuring Scramble, page 18-10
• Configuring Framing, page 18-12
• Configuring Encapsulation, page 18-13
• Configuring Cable Length, page 18-14
• Configuring Invert Data, page 18-15
• Configuring the Trace Trail Buffer, page 18-16
• Configuring Multipoint Bridging, page 18-17
• Configuring Bridging Control Protocol Support, page 18-17
• Configuring QoS Features on Serial SPAs, page 18-17
• Saving the Configuration, page 18-17

Configuring Data Service Unit Mode

Configure the SPA to connect with customer premise Data Service Units (DSUs) by setting the DSU mode. Subrating a T3 or E3 interface reduces the peak access rate by limiting the data transfer rate. To configure the DSU mode and bandwidth, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.

Command (T3): Router(config-if)# dsu mode {0 | 1 | 2 | 3 | 4}
Command (E3): Router(config-if)# dsu mode {0 | 1}
Purpose: Specifies the interoperability mode used by a T3 or E3 controller.
• 0—Connects a T3/E3 controller to another T3/E3 controller or to a Digital Link DSU (DL3100 in T3 mode and DL3100E in E3 mode). This is the default.
• 1—Connects a T3/E3 controller to a Kentrox DataSMART T3/E3 IDSU.
• 2—Connects a T3 controller to a Larscom Access-T45 DS3 DSU.
• 3—Connects a T3 controller to an Adtran T3SU 300.
• 4—Connects a T3 controller to a Verilink HDM 2182.

Command: Router(config-if)# dsu bandwidth kbps
Purpose: Specifies the allowable bandwidth.
• kbps—The bandwidth range and increment values depend on the specific DSU. The default is 44010 kbps for T3 mode and 34010 kbps for E3 mode.
  – Digital Link DL3100: range 300 to 44210 kbps, increments of 300 kbps
  – Digital Link DL3100E: range 358 to 34010 kbps, increments of 358 kbps
  – Kentrox DataSMART T3/E3 IDSU: range 1000 to 34000 kbps (E3 mode) or 1500 to 44210 kbps (T3 mode), increments of 500 kbps
  – Larscom Access-T45 DS3: range 3100 to 44210 kbps, increments of 3100 kbps
  – Adtran T3SU 300: range 80 to 44210 kbps, increments of 80 kbps
  – Verilink HDM 2182: range 1600 to 31600 kbps, increments of 1600 kbps

Command: Router(config-if)# remote {accept | fullrate}
Purpose: Specifies where the DSU bandwidth is set.
• accept—Accept incoming remote requests to reset the DSU bandwidth.
• fullrate—Set the far-end DSU to its full-rate bandwidth.

Verifying DSU Mode

Use the show controllers serial command to display the DSU settings:

Router# show controllers serial 6/0/0
Serial6/0/0 - Framing is c-bit, Clock Source is Line
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 2, since reset 0
  Data in current interval (546 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  . . .

Configuring Maintenance Data Link

MDL messages are used to communicate identification information between local and remote ports. The information carried in MDL messages includes the equipment identification code (EIC), location identification code (LIC), frame identification code (FIC), unit, Path Facility Identification (PFI), port number, and Generator Identification numbers.

Note: C-bit framing has to be enabled in order to transport MDL messages between source and destination T3 ports.

To configure Maintenance Data Link (MDL), use the following commands.

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.

Command: Router(config-if)# mdl [string {eic | fic | generator | lic | pfi | port | unit} string] | [transmit {idle-signal | path | test-signal}]
Purpose: Configures the Maintenance Data Link (MDL) message.
• eic string—Equipment identification code (up to 10 characters), which is a value used to describe a specific piece of equipment according to ANSI T1.107-1995.
• fic string—Frame identification code (up to 10 characters), which is a value used to identify where the equipment is located within a building at a given location according to ANSI T1.107-1995.
• generator string—Specifies the Generator number string sent in the MDL Test Signal message; can be up to 38 characters.
• lic string—Location identification code (up to 11 characters), which is a value used to describe a specific location according to ANSI T1.107-1995.
• pfi string—Specifies the Path Facility Identification Code sent in the MDL Path message; can be up to 38 characters.
• port string—Specifies the Port number string sent in the MDL Idle Signal message; can be up to 38 characters.
• unit string—Unit identification code (up to 6 characters), which is a value that identifies the equipment location within a subslot according to ANSI T1.107-1995.
• transmit idle-signal—Enables transmission of the MDL idle signal message. An MDL idle signal message, as defined by ANSI T1.107, is distinguished from path and test signal messages in that it contains a port number as its final data element.
• transmit path—Enables transmission of the MDL path message. An MDL path message, as defined by ANSI T1.107, is distinguished from idle and test signal messages in that it contains a facility identification code as its final data element.
• transmit test-signal—Enables transmission of the MDL test signal message. An MDL test signal message, as defined by ANSI T1.107, is distinguished from path and idle signal messages in that it contains a generator number as its final data element.
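As an added example (not Cisco code), the following Python helper validates an intended MDL configuration against the string limits in the mdl command table above, emits the interface-mode CLI lines, and audits the local and far-end identifiers that show controllers serial reports, so a NOC can confirm the far end of a circuit is the equipment it expects. The sample command outputs embedded in it are constructed from this chapter's show controllers serial output; the far-end values in the second sample are made up.

```python
"""Validate MDL settings before pushing them and audit what the far end reports.

Added example, not Cisco code. The keyword length limits come from the mdl
command table in this chapter; the sample outputs are constructed from the
show controllers serial output shown in this chapter.
"""
import re

# Maximum string length per mdl string keyword (from the mdl command table).
MDL_LIMITS = {"eic": 10, "fic": 10, "lic": 11, "unit": 6,
              "pfi": 38, "port": 38, "generator": 38}
MDL_TRANSMIT = ("idle-signal", "path", "test-signal")


def mdl_config_lines(strings, transmit, framing="c-bit"):
    """Return the interface-mode CLI lines for an MDL configuration.

    Raises ValueError for anything the command table would reject, and for
    non-C-bit framing, because MDL is only carried in C-bit framing.
    """
    if framing != "c-bit":
        raise ValueError("MDL needs c-bit framing, interface uses %s" % framing)
    lines = []
    for key, value in strings.items():
        if key not in MDL_LIMITS:
            raise ValueError("unknown mdl string keyword: %s" % key)
        if not value or len(value) > MDL_LIMITS[key] or re.search(r"\s", value):
            raise ValueError("mdl string %s: %r must be 1-%d characters, no spaces"
                             % (key, value, MDL_LIMITS[key]))
        lines.append("mdl string %s %s" % (key, value))
    for msg in transmit:
        if msg not in MDL_TRANSMIT:
            raise ValueError("unknown mdl transmit type: %s" % msg)
        lines.append("mdl transmit %s" % msg)
    return lines


def _parse_ids(line):
    """'EIC: tst, LIC: 67, Test Signal GEN_NO: test' -> dict of identifiers."""
    ids = {}
    for field in line.split(","):
        key, _, value = field.strip().partition(":")
        if key:
            ids[key.strip()] = value.strip()
    return ids


def parse_controller_status(output):
    """Extract alarm lines and local/far-end MDL identifiers from
    'show controllers serial' output."""
    status = {"alarms": [], "mdl_enabled": None, "local": {}, "far_end": {}}
    section = None  # which EIC/LIC line we are reading next
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("MDL transmission is"):
            status["mdl_enabled"] = line.endswith("enabled")
            section = "local"
        elif line.startswith("Far-End MDL Information"):
            section = "far_end"
        elif line.startswith("EIC:") and section:
            status[section] = _parse_ids(line)
        elif re.match(r"(Transmitter is|Receiver has) ", line):
            status["alarms"].append(line.rstrip("."))
    return status


def far_end_mismatches(status):
    """Identifier fields where the far end differs from what we send; on a
    point-to-point circuit this usually means the wrong circuit is patched in."""
    local, far = status["local"], status["far_end"]
    return sorted(k for k in local if far.get(k) != local[k])


# Constructed sample: tail of the healthy output under "Verifying MDL".
HEALTHY = """\
Serial6/0/0 - Framing is c-bit, Clock Source is Line
  No alarms detected.
  0 Sev Err Line Secs, 1 Far-End Err Secs, 0 Far-End Sev Err Secs
  No FEAC code is being received
  MDL transmission is enabled
   EIC: tst, LIC: 67, Test Signal GEN_NO: test
  Far-End MDL Information Received
   EIC: tst, LIC: 67, Test Signal GEN_NO: test
"""

# Constructed sample: a failed circuit whose far end answers with
# someone else's identifiers (far-end values are made up).
FAILED = """\
Serial5/0/2 - Framing is c-bit, Clock Source is Line
  Transmitter is sending AIS.
  Receiver has loss of signal.
  40434 Sev Err Line Secs, 0 Far-End Err Secs, 0 Far-End Sev Err Secs
  No FEAC code is being received
  MDL transmission is enabled
   EIC: tst, LIC: 67, Test Signal GEN_NO: test
  Far-End MDL Information Received
   EIC: other, LIC: 99, Test Signal GEN_NO: test
"""

if __name__ == "__main__":
    print("\n".join(mdl_config_lines({"eic": "tst", "lic": "67", "generator": "test"},
                                     ["path", "test-signal"])))
    for name, out in (("healthy", HEALTHY), ("failed", FAILED)):
        st = parse_controller_status(out)
        print(name, st["alarms"], far_end_mismatches(st))
```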
Verifying MDL

Use the show controllers serial command to display the MDL settings:

Router# show controllers serial 6/0/0
Serial6/0/0 - Framing is c-bit, Clock Source is Line
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 2, since reset 0
  Data in current interval (546 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  . . .
  Data in Interval 96:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Total Data (last 24 hours)
     0 Line Code Violations, 0 P-bit Coding Violation,
     0 C-bit Coding Violation,
     0 P-bit Err Secs, 0 P-bit Sev Err Secs,
     0 Sev Err Framing Secs, 0 Unavailable Secs,
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  No alarms detected.
  0 Sev Err Line Secs, 1 Far-End Err Secs, 0 Far-End Sev Err Secs
  0 P-bit Unavailable Secs, 0 CP-bit Unavailable Secs
  0 CP-bit Far-end Unavailable Secs
  0 Near-end path failures, 0 Far-end path failures
  No FEAC code is being received
  MDL transmission is enabled
     EIC: tst, LIC: 67, Test Signal GEN_NO: test
  Far-End MDL Information Received
     EIC: tst, LIC: 67, Test Signal GEN_NO: test

Configuring Scramble

T3/E3 scrambling is used to assist clock recovery on the receiving end. Scrambling is designed to randomize the pattern of 1s and 0s carried in the physical layer frame. Randomizing the digital bits can prevent continuous, nonvariable bit patterns—in other words, long strings of all 1s or all 0s. Several physical layer protocols rely on transitions between 1s and 0s to maintain clocking. Scrambling can also prevent some bit patterns from being mistakenly interpreted as alarms by switches placed between the Data Service Units (DSUs).

To configure scrambling, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.

Command: Router(config-if)# [no] scramble
Purpose: Enables scrambling. Scrambling is disabled by default.
• scramble—Enables scrambling.
• no scramble—Disables scrambling.

Verifying Scramble Configuration

Use the show controllers serial command to display the scrambling setting:

Router# show controllers serial 6/0/0
Serial6/0/0 - Framing is c-bit, Clock Source is Line
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 2, since reset 0
  Scrambling is enabled
  Data in current interval (356 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  . . .
Note: When using framing bypass, scrambling must not be configured.

Configuring Framing

Framing is used to synchronize data transmission on the line. Framing allows the hardware to determine when each packet starts and ends. To configure framing, use the following commands.

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the T3/E3 interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.

Command (T3): Router(config-if)# framing {bypass | c-bit | m13}
Command (E3): Router(config-if)# framing {bypass | g751 | g832}
Purpose: Sets the framing on the interface.
• bypass—Configures framing bypass to use the full T3 or E3 bandwidth.
• c-bit—Specifies C-bit parity framing. This is the default for T3.
• m13—Specifies M13 framing.
• g751—Specifies g751 framing. This is the default for E3.
• g832—Specifies g832 framing.

Verifying Framing Configuration

Use the show controllers serial command to display the framing method:

Router# show controllers serial 6/0/0
Serial6/0/0 - Framing is c-bit, Clock Source is Line
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 2, since reset 0
  Data in current interval (546 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  . . .

Configuring Encapsulation

When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate traffic. To set the encapsulation method, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.

Command: Router(config-if)# encapsulation {hdlc | ppp | frame-relay}
Purpose: Sets the encapsulation method on the interface.
• hdlc—High-Level Data Link Control (HDLC) protocol for serial interfaces. This is the default.
• ppp—PPP (for serial interfaces).
• frame-relay—Frame Relay (for serial interfaces).

Verifying Encapsulation

Use the show interfaces command to display the encapsulation method:

Router# show interfaces serial 6/0/1
Serial6/0/1 is up, line protocol is up
  Hardware is SPA-4T3E3
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 223/255, rxload 222/255
  Encapsulation FRAME-RELAY, crc 16, loopback not set
  Keepalive set (10 sec)
  LMI enq sent 13076, LMI stat recvd 13076, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE
  FR SVC disabled, LAPF state down
  Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
  Last input 00:00:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters 1d12h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 38579000 bits/sec, 109611 packets/sec
  5 minute output rate 38671000 bits/sec, 109852 packets/sec
     14374551065 packets input, 632486376132 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     14408526130 packets output, 633974757440 bytes, 0 underruns
     0 output errors, 0 applique, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     rxLOS inactive, rxLOF inactive, rxAIS inactive
     txAIS inactive, rxRAI inactive, txRAI inactive

Configuring Cable Length

The cablelength command compensates for the loss in decibels based on the distance from the device to the first repeater in the circuit. A longer distance from the device to the repeater requires that the signal strength on the circuit be boosted to compensate for loss over that distance.
To configure cable length, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.

Command: Router(config-if)# cablelength length
Purpose: Sets the cable length.
• length—Range is 0-450 feet. The default is 10 feet.

Verify Cable Length Setting

Use the show interfaces serial command to verify the cable length setting:

Router# show interfaces serial 4/0/0
Serial4/0/0 - Framing is c-bit, Clock Source is Internal
  Bandwidth limit is 44210, DSU mode 0, Cable length is 200
  rx FEBE since last clear counter 0, since reset 22
  Data in current interval (446 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 2:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  . . .

Configuring Invert Data

Delays between the TE clock and data transmission indicate that the transmit clock signal might not be appropriate for the interface rate and length of cable being used. The two ends of the wire may have slightly different variances. Invert the clock signal to compensate for these factors. To configure invert data, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.

Command: Router(config-if)# invert {data}
Purpose: Inverts the data.
• data—Inverts the data stream.

Verify Invert Data Setting

Use the show running-config command to verify that invert data was set on the interface:

Router# show running-config
. . .
interface Serial6/0/0
 ip address 51.1.1.1 255.255.255.0
 logging event link-status
 dsu bandwidth 44210
 framing c-bit
 cablelength 10
 clock source internal
 invert data
 mdl string eic tst
 mdl string lic 67
 mdl string generator test
 mdl transmit path
 mdl transmit test-signal
 no cdp enable
!
. . .

Configuring the Trace Trail Buffer

Configure TTB to send messages to the remote device. The TTB messages check for the continued presence of the transmitter. To configure TTB, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.

Command: Router(config-if)# ttb {country | rnode | serial | snode | soperator | x} string
Purpose: Sends a Trace Trail Buffer message in E3 g.832 framing mode.
• country—Two-character country code.
• rnode—Receive node code.
• serial—M.1400 serial.
• snode—Sending location/Node ID code.
• soperator—Sending operator code (must be numeric).
• x—X0.
• string—TTB message.

Verify TTB Settings

Use the show controllers serial command to display the TTB settings for the interface:

Router# show controllers serial 6/0/0
Serial6/0/0 - Framing is c-bit, Clock Source is Line
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 2, since reset 0
  Data in current interval (546 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  . . .
  No alarms detected.
  TTB transmission is disabled
  TTB Rx: country: us soperator: s snode: sn rnode: rn x: x serial: 1

Configuring Multipoint Bridging

Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay PVCs, BCP ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks. Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud. This also allows service providers to gradually update their core networks to the latest Gigabit Ethernet optical technologies, while still supporting their existing customer base.

For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring Multipoint Bridging” section on page 4-36 of Chapter 4, “Configuring the SIPs and SSC.”

Configuring Bridging Control Protocol Support

The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN (VLAN), and high-speed switched LANs.

For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature Compatibility” section in Chapter 4, “Configuring the SIPs and SSC.”

Configuring QoS Features on Serial SPAs

The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration.
For information about the QoS features supported by the serial SPAs, see the “Configuring QoS Features on a SIP” section on page 4-94 of Chapter 4, “Configuring the SIPs and SSC.”

Saving the Configuration

To save your running configuration to nonvolatile random-access memory (NVRAM), use the following command in privileged EXEC mode:

Command: Router# copy running-config startup-config
Purpose: Writes the new configuration to NVRAM.

For more information about managing configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

Verifying the Interface Configuration

Besides using the show running-config command to display your Cisco 7600 series router configuration settings, you can use the show interfaces serial and the show controllers serial commands to get detailed information on a per-port basis for your 2-Port and 4-Port Clear Channel T3/E3 SPA.

Verifying Per-Port Interface Status

To find detailed interface information on a per-port basis for the 2-Port and 4-Port Clear Channel T3/E3 SPA, use the show interfaces serial command. The following example provides sample output for interface port 1 on the SPA located in the first subslot of the SIP installed in slot 5 of a Cisco 7600 series router:

Router# show interface serial 5/0/1
Serial5/0/1 is up, line protocol is up
  Hardware is SPA-4T3E3
  Internet address is 120.1.1.1/24
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 234/255, rxload 234/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:00, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 40685000 bits/sec, 115627 packets/sec
  5 minute output rate 40685000 bits/sec, 115624 packets/sec
     4652915554 packets input, 204728203496 bytes, 0 no buffer
     Received 4044 broadcasts (0 IP multicast)
     130 runts, 0 giants, 0 throttles
              0 parity
     1595 input errors, 543 CRC, 0 frame, 0 overrun, 0 ignored, 922 abort
     4653081242 packets output, 204735493748 bytes, 0 underruns
     0 output errors, 0 applique, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions

Monitoring Per-Port Interface Statistics

To find detailed status and statistical information on a per-port basis for the 2-Port and 4-Port Clear Channel T3/E3 SPA, use the show controllers serial command.
The following example provides sample output for interface port 1 on the SPA located in the first subslot of the SIP that is installed in slot 5 of the Cisco 7600 series router:

Router# show controller serial 5/0/2
Serial5/0/2 - Framing is c-bit, Clock Source is Line
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 0, since reset 0
  Data in current interval (807 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 306 Unavailable Secs
     500 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 2:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 3:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     562 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 4:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     560 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  . . .
  Total Data (last 44 15 minute intervals):
     0 Line Code Violations, 0 P-bit Coding Violation,
     0 C-bit Coding Violation,
     0 P-bit Err Secs, 0 P-bit Sev Err Secs,
     0 Sev Err Framing Secs, 0 Unavailable Secs,
     24750 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Transmitter is sending AIS.
  Receiver has loss of signal.
  40434 Sev Err Line Secs, 0 Far-End Err Secs, 0 Far-End Sev Err Secs
  0 P-bit Unavailable Secs, 0 CP-bit Unavailable Secs
  0 CP-bit Far-end Unavailable Secs
  0 Near-end path failures, 0 Far-end path failures
  No FEAC code is being received
  MDL transmission is disabled

Configuration Examples

This section includes the following configuration examples:

• DSU Configuration Example, page 18-19
• MDL Configuration Example, page 18-20
• Scrambling Configuration Example, page 18-20
• Framing Configuration Example, page 18-20
• Encapsulation Configuration Example, page 18-21
• Cable Length Configuration Example, page 18-21
• Invert Data Configuration Example, page 18-21
• Trace Trail Buffer Configuration Example, page 18-21

DSU Configuration Example

The following example configures DSU on interface port 0 on slot 4, subslot 1.

! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/0
!
! Specify the DSU mode
!
Router(config-if)# dsu mode 0
!
! Specify the DSU bandwidth
!
Router(config-if)# dsu bandwidth 10000
!
! Accept incoming remote requests to reset the DSU bandwidth
!
Router(config-if)# dsu remote accept

MDL Configuration Example

The following example configures the MDL strings on interface port 0 on slot 4, subslot 1.

! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/0
!
! Specify the MDL strings
!
Router(config-if)# mdl string eic beic
Router(config-if)# mdl string lic beic
Router(config-if)# mdl string fic bfix
Router(config-if)# mdl string unit bunit
Router(config-if)# mdl string pfi bpfi
Router(config-if)# mdl string port bport
Router(config-if)# mdl string generator bgen
Router(config-if)# mdl transmit path
Router(config-if)# mdl transmit idle-signal
Router(config-if)# mdl transmit test-signal

Scrambling Configuration Example

The following example configures scrambling on the T3/E3 interface:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/3
!
! Enable scrambling
!
Router(config-if)# scramble

Framing Configuration Example

The following example configures framing on interface port 1 on slot 4, subslot 1.

! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/1
!
! Specify the framing method
!
Router(config-if)# framing m13

Encapsulation Configuration Example

The following example configures encapsulation on interface port 1 on slot 4, subslot 1.

! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/1
!
! Specify the encapsulation method
!
Router(config-if)# encapsulation ppp

Cable Length Configuration Example

The following example sets the cable length to 200 feet:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/3
!
! Specify the cable length
!
Router(config-if)# cablelength 200

Invert Data Configuration Example

The following example enables invert data:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/3
!
! Enable invert data
!
Router(config-if)# invert data

Trace Trail Buffer Configuration Example

The following example configures the TTB attributes:

! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/3
!
! Specify the TTB attributes
!
Router(config-if)# ttb country ab
Router(config-if)# ttb soperator 56
Router(config-if)# ttb snode 34
Router(config-if)# ttb rnode cd
Router(config-if)# ttb x 7
Router(config-if)# ttb serial 12

Chapter 19

Configuring the 2-Port and 4-Port Channelized T3 SPAs

This chapter provides information about configuring the 2-Port and 4-Port Channelized T3 Shared Port Adapters (SPAs) on the Cisco 7600 series router. It includes the following sections:

• Configuration Tasks, page 19-1
• Verifying the Interface Configuration, page 19-25
• Configuration Examples, page 19-28

For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks

This section describes how to configure the serial SPAs for the Cisco 7600 series router and includes information about verifying the configuration. It includes the following topics:
• Required Configuration Tasks, page 19-2
• Specifying the Interface Address on a SPA, page 19-7
• Optional Configurations, page 19-8
• Saving the Configuration, page 19-25

Required Configuration Tasks

This section lists the required configuration steps to configure the 2-Port and 4-Port Channelized T3 SPA. Some of the required configuration commands implement default values that might be appropriate for your network.
• Configuring the T3 Controller, page 19-2
• Configuring the Logical T1 Interfaces, page 19-3
• Verifying T3 Controller Configuration, page 19-5
• Verifying Interface Configuration, page 19-6

Note  To better understand the address format used to specify the physical location of the SPA Interface Processor (SIP), SPA, and interfaces, see the “Specifying the Interface Address on a SPA” section on page 19-7.

Configuring the T3 Controller

To configure the T3 controller for the 2-Port and 4-Port Channelized T3 SPA, complete these steps:

Step 1  Router# configure terminal
        Enters global configuration mode.

Step 2  Router(config)# controller t3 slot/subslot/port
        Selects the controller to configure and enters controller configuration mode.
        • slot/subslot/port—Specifies the location of the CT3 SPA port. See the “Specifying the Interface Address on a SPA” section on page 19-7.

Step 3  Router(config-controller)# [no] channelized
        (Optional) Specifies the channelization mode.
        • channelized—In channelized mode, the T3 link can be channelized into 28 T1s, and each T1 can be further channelized into 24 DS0s. This is the default.
        • no channelized—In unchannelized mode, the T3 link provides a single high-speed data channel of 44210 kbps.

Step 4  Router(config-controller)# framing {auto-detect | c-bit | m23}
        (Optional) Specifies the framing type in channelized mode.
        • auto-detect—Detects the framing type used by the device at the far end of the line and switches to that framing type. If both devices are set to auto-detect, C-bit framing is used.
        • c-bit—Specifies C-bit parity framing. This is the default.
        • m23—Specifies M23 framing.
        Note  To set the framing type for an unchannelized T3, see the “Configuring T3 Framing” section on page 19-14.

Step 5  Router(config-controller)# clock source {internal | line}
        (Optional) Specifies the clock source.
        • internal—Specifies that the internal clock source is used. This is the default for channelized mode.
        • line—Specifies that the network clock source is used. This is the default for unchannelized mode.

Step 6  Router(config-controller)# cablelength {0 - 450}
        (Optional) Specifies the cable length. The default is 224 ft.
        • 0-450—Cable length in feet.

Configuring the Logical T1 Interfaces

If channelized mode is configured for the T3 controller, use the following procedure to configure the logical T1 interfaces.

Step 1  Router# configure terminal
        Enters global configuration mode.

Step 2  Router(config)# controller t3 slot/subslot/port
        Selects the controller to configure and enters controller configuration mode.
        • slot/subslot/port—Specifies the location of the CT3 SPA port. See the “Specifying the Interface Address on a SPA” section on page 19-7.

Step 3  Router(config-controller)# t1 t1-number channel-group channel-number timeslots range [speed {56 | 64}]
        Specifies the T1 channel and the timeslots to be mapped to each channel group.
        • t1-number—T1 number from 1–28.
        • channel-number—Specifies a channel-group number (0–23) under the designated T1.
        • range—List of timeslots under the channel group. Timeslots assigned to this channel group can be 1–24 or a combination of subranges within 1–24. You can indicate a range using a hyphen, commas, or a combination of both. One timeslot equals one DS0.
        • speed 56 or 64—Specifies the speed of a timeslot as either 56 or 64 kbps. The default is 64 kbps; the default speed is not shown in the running configuration.

Step 4  Router(config-controller)# t1 t1-number framing {esf | sf [hdlc-idle {0x7e | 0xff}] [mode {j1}]}
        (Optional) Specifies the T1 framing type.
        • sf—Specifies Super Frame as the T1 frame type.
          Note  If you select sf framing, you should consider disabling yellow alarm detection because the yellow alarm can be incorrectly detected with sf framing.
        • esf—Specifies Extended Super Frame as the T1 frame type. This is the default.
        • hdlc-idle—Sets the idle pattern for the T1 interface to either 0x7e (the default) or 0xff.

Step 5  Router(config-controller)# t1 t1-number clock source {internal | line}
        (Optional) Specifies the T1 clock source.
        • internal—Specifies that the internal clock source is used. This is the default.
        • line—Specifies that the network clock source is used.

Step 6  Configure the serial interfaces.
        Note  After a T1 channel is configured, it appears to the Cisco IOS software as a serial interface; therefore, all the configuration commands for a serial interface are available. However, not all commands are applicable to the T1 interface. All the encapsulation formats, such as PPP, HDLC, and Frame Relay, are applicable to the configured T1. Encapsulation can be set using the serial interface configuration commands. For detailed interface configuration information, see the Cisco IOS Interface Configuration Guide, Release 12.2 at:
        http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087098.html

Verifying T3 Controller Configuration

Use the show controllers command to verify the controller configuration:

Router# show controllers t3
T3 3/1/0 is administratively down.
T3 3/1/1 is administratively down.
T3 3/1/2 is up.
  Hardware is 4 ports CT3 SPA
  ATLAS FPGA version: 0, FREEDM336 version: 0
  TEMUX84(1) version: 0, TEMUX84(1) version: 0
  SUBRATE FPGA version: 0
  Applique type is Channelized T3
  No alarms detected.
  Framing is M23, Line Code is B3ZS, Clock Source is Internal
  Equipment customer loopback
  Data in current interval (746 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  T1 1 is up
    timeslots: 1-24
    FDL per AT&T 54016 spec.
    No alarms detected.
    Framing is ESF, Clock Source is Internal
    Data in current interval (177 seconds elapsed):
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       0 Unavail Secs, 0 Stuffed Secs
       0 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
    Total Data (last 2 15 minute intervals):
       0 Line Code Violations, 0 Path Code Violations,
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       0 Unavail Secs, 0 Stuffed Secs
       0 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
  T1 2
    Not configured.
  T1 3
    Not configured.
  .
  .
  .
T3 3/1/3 is up.
  Hardware is 4 ports CT3 SPA
  ATLAS FPGA version: 0, FREEDM336 version: 0
  TEMUX84(1) version: 0, TEMUX84(1) version: 0
  SUBRATE FPGA version: 0
  Applique type is Subrate T3
  No alarms detected.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Equipment customer loopback
  Data in current interval (657 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs

Verifying Interface Configuration

Use the show interface serial command to verify the interface configuration.
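The show controllers output above is what an operator reads to judge the state of a link. The following Python, added here as an example and not code from the Cisco guide, parses that output format into per-controller records and reports two things worth acting on: ports that are up but still carry a receiver or transmitter alarm, and ports on which MDL transmission is enabled, since the MDL identification strings are sent out on the line to whoever terminates the far end. The sample text is constructed from the format shown in this chapter rather than a real capture, and the regular expressions assume the line layouts shown here.

```python
"""Parse `show controllers t3` output (CT3 SPA) and flag what needs attention.
Added example, not code from the Cisco guide; SAMPLE is constructed, not captured."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the guide's output format (not a real capture).
SAMPLE = """\
T3 3/1/0 is administratively down.
T3 3/1/1 is administratively down.
T3 3/1/2 is up.
  Applique type is Channelized T3
  No alarms detected.
  Framing is M23, Line Code is B3ZS, Clock Source is Internal
  T1 1 is up
    timeslots: 1-24
    No alarms detected.
    Framing is ESF, Clock Source is Internal
  T1 2
    Not configured.
T3 3/1/3 is up.
  Applique type is Subrate T3
  Receiver has loss of signal.
  MDL transmission is enabled
     EIC: new, LIC: US, FIC: 23, UNIT: myunit
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
"""

T3_RE = re.compile(r"^T3 (\S+) is (administratively down|up|down)\.$")
T1_RE = re.compile(r"^T1 (\d+)(?: is (up|down))?$")
ALARM_RE = re.compile(r"^(Receiver has .*|Transmitter is sending .*)\.$")
FRAMING_RE = re.compile(r"^Framing is (.+?),.*Clock Source is (\S+)$")


@dataclass
class T1State:
    number: int
    status: Optional[str]                 # None when the T1 is "Not configured."
    timeslots: Optional[str] = None
    alarms: List[str] = field(default_factory=list)


@dataclass
class T3State:
    address: str                          # slot/subslot/port
    status: str                           # up, down or administratively down
    framing: Optional[str] = None
    clock_source: Optional[str] = None
    mdl_enabled: bool = False
    alarms: List[str] = field(default_factory=list)
    t1s: Dict[int, T1State] = field(default_factory=dict)


def parse_show_controllers_t3(text: str) -> Dict[str, T3State]:
    """Map slot/subslot/port to the state parsed for that T3 controller."""
    controllers: Dict[str, T3State] = {}
    t3: Optional[T3State] = None
    t1: Optional[T1State] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = T3_RE.match(line)
        if m:                             # a new controller block starts here
            t3 = T3State(address=m.group(1), status=m.group(2))
            controllers[t3.address] = t3
            t1 = None
            continue
        if t3 is None:
            continue                      # text before the first controller
        m = T1_RE.match(line)
        if m:                             # a logical T1 block inside the T3
            t1 = T1State(number=int(m.group(1)), status=m.group(2))
            t3.t1s[t1.number] = t1
            continue
        if line.startswith("timeslots: ") and t1 is not None:
            t1.timeslots = line[len("timeslots: "):]
        elif line == "MDL transmission is enabled":
            t3.mdl_enabled = True
        elif ALARM_RE.match(line):        # alarm belongs to the innermost open block
            (t1.alarms if t1 is not None else t3.alarms).append(line.rstrip("."))
        elif t1 is None:                  # T3-level framing and clock source
            m = FRAMING_RE.match(line)
            if m:
                t3.framing, t3.clock_source = m.group(1), m.group(2)
    return controllers


def findings(controllers: Dict[str, T3State]) -> List[str]:
    """Ports that are up but alarmed, and ports sending MDL identification strings."""
    out: List[str] = []
    for addr, c in sorted(controllers.items()):
        if c.status == "up" and c.alarms:
            out.append(f"T3 {addr}: up with alarm(s): {', '.join(c.alarms)}")
        if c.mdl_enabled:
            out.append(f"T3 {addr}: MDL transmission enabled")
        for n, t in sorted(c.t1s.items()):
            if t.status == "up" and t.alarms:
                out.append(f"T3 {addr} T1 {n}: up with alarm(s): {', '.join(t.alarms)}")
    return out
```

Run findings(parse_show_controllers_t3(output)) on a saved copy of show controllers t3; the T1 "Not configured." entries parse with a status of None and are skipped by the checks.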
The following example shows the output for the serial interface for an unchannelized T3:

Router# show interface serial3/0/0
Serial3/0/0 is down, line protocol is down
  Hardware is Channelized/ClearChannel CT3 SPA
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 applique, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions alarm present
     DSU mode 0, bandwidth 44210 Kbit, scramble 0, VC 0

The following example shows the output for a serial interface for the first T1 on a channelized T3:

Router# show interface serial3/0/1/1:0
Serial3/0/1/1:0 is administratively down, line protocol is down
  Hardware is Channelized/ClearChannel CT3 SPA
  MTU 1500 bytes, BW 832 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions alarm present
     VC 1: timeslot(s): 2-14, Transmitter delay 0, non-inverted data

Specifying the Interface Address on a SPA

SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP, SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.

The following example shows how to specify the first interface (0) on a SPA installed in the first subslot of a SIP (0) installed in chassis slot 3:

Router(config)# interface serial 3/0/0

This command shows a serial SPA as a representative example; the same slot/subslot/port format is used for other SPAs (such as ATM and POS) and other non-channelized SPAs.

For the 4-Port Channelized T3 SPA, the interface address format is slot/subslot/port/t1-number:channel-group, where:
• t1-number—Specifies the logical T1 number in channelized mode.
• channel-group—Specifies the logical channel group assigned to the timeslots within the T1 link.
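The following Python, added here as an example and not code from the Cisco guide, uses the address format above together with the t1 ... channel-group ... timeslots syntax from the Configuring the Logical T1 Interfaces table to expand and validate timeslot ranges, build the interface names, generate the controller configuration, and reject a DS0 claimed by two channel groups on the same T1. It assumes the ranges the tables give (t1-number 1–28, channel-group 0–23, timeslots 1–24, speed 56 or 64) and computes each channel group's bandwidth as timeslots × speed, which for timeslots 2–14 gives the 832 kbps shown as BW in the channelized show interface output above.

```python
"""Timeslot and interface-address helpers for the Channelized T3 SPA.
Added example, not code from the Cisco guide. Assumes the syntax the guide shows:
`t1 <1-28> channel-group <0-23> timeslots <range> [speed {56 | 64}]` and
interface names of the form slot/subslot/port/t1-number:channel-group."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

TIMESLOT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_timeslots(spec: str) -> List[int]:
    """Expand an IOS range such as '1-5,7,9-12' into sorted DS0 numbers (1-24)."""
    slots: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        m = TIMESLOT_RE.match(part)
        if not m:
            raise ValueError(f"bad timeslot element {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 24:
            raise ValueError(f"timeslots {part!r} outside 1-24")
        slots.update(range(lo, hi + 1))
    return sorted(slots)


def format_timeslots(slots: Iterable[int]) -> str:
    """Collapse [2, 3, 4, 7, 9, 10] back into the IOS form '2-4,7,9-10'."""
    out: List[str] = []
    run: List[int] = []
    for s in sorted(set(slots)) + [None]:      # the trailing None flushes the last run
        if run and (s is None or s != run[-1] + 1):
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if s is not None:
            run.append(s)
    return ",".join(out)


def serial_address(slot: int, subslot: int, port: int,
                   t1: Optional[int] = None, channel_group: Optional[int] = None) -> str:
    """slot/subslot/port for a clear-channel port, or
    slot/subslot/port/t1:channel-group for a channel group on a channelized T3."""
    if (t1 is None) != (channel_group is None):
        raise ValueError("t1 and channel_group must be given together")
    base = f"{slot}/{subslot}/{port}"
    if t1 is None:
        return base
    if not 1 <= t1 <= 28:
        raise ValueError("t1-number must be 1-28")
    if not 0 <= channel_group <= 23:
        raise ValueError("channel-group must be 0-23")
    return f"{base}/{t1}:{channel_group}"


def build_ct3_controller(slot: int, subslot: int, port: int,
                         groups: Dict[Tuple[int, int], str],
                         speed: int = 64) -> Tuple[List[str], Dict[str, int]]:
    """Return (controller configuration lines, {serial interface: bandwidth in kbps}).

    `groups` maps (t1-number, channel-group) to a timeslot range. A DS0 can belong
    to only one channel group, so a timeslot claimed twice on one T1 is rejected.
    """
    if speed not in (56, 64):
        raise ValueError("speed must be 56 or 64")
    claimed: Dict[int, Set[int]] = {}
    lines = [f"controller t3 {slot}/{subslot}/{port}"]
    bandwidth: Dict[str, int] = {}
    for (t1, cg), spec in sorted(groups.items()):
        name = serial_address(slot, subslot, port, t1, cg)     # validates the ranges
        slots = parse_timeslots(spec)
        overlap = claimed.setdefault(t1, set()) & set(slots)
        if overlap:
            raise ValueError(f"T1 {t1}: timeslots {format_timeslots(overlap)} "
                             "already assigned to another channel group")
        claimed[t1].update(slots)
        cmd = f" t1 {t1} channel-group {cg} timeslots {format_timeslots(slots)}"
        if speed != 64:          # 64 kbps is the default and does not appear in the config
            cmd += f" speed {speed}"
        lines.append(cmd)
        bandwidth[f"serial{name}"] = len(slots) * speed
    return lines, bandwidth
```

The returned interface names are the ones you will see in show interface serial and in the MLPPP member lists later in this chapter, so the same helper can be used to check a running configuration against the intended timeslot plan.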
For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for SIPs, SSCs, and SPAs” section on page 4-2.

Optional Configurations

There are several standard, but optional, configurations that might be necessary to complete the configuration of your serial SPA.
• Configuring the Data Service Unit Mode, page 19-9
• Configuring Maintenance Data Link, page 19-10
• Configuring Encapsulation, page 19-13
• Configuring T3 Framing, page 19-14
• Configuring FDL, page 19-15
• Configuring Scramble, page 19-16
• Configuring Multilink Point-to-Point Protocol (Hardware-based), page 19-17
• Configuring MLFR for T1/E1, page 19-20
• Configuring Multipoint Bridging, page 19-22
• Configuring Bridging Control Protocol Support, page 19-22
• Configuring BCP on MLPPP, page 19-22
• FRF.12 Guidelines, page 19-24
• LFI Guidelines, page 19-24
• Hardware MLPPP LFI Guidelines, page 19-25
• FRF.12 LFI Guidelines, page 19-25
• Configuring QoS Features on Serial SPAs, page 19-25

Configuring the Data Service Unit Mode

Configure the SPA to connect with customer premise Data Service Units (DSUs) by setting the DSU mode. Subrating a T3 or E3 interface reduces the peak access rate by limiting the data transfer rate. To configure the Data Service Unit (DSU) mode, use the following commands.

Step 1  Router# configure terminal
        Enters global configuration mode.

Step 2  Router(config)# interface serial slot/subslot/port
        Selects the interface to configure and enters interface configuration mode.
        • slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 19-7.

Step 3  Router(config-if)# dsu mode {0 | 1 | 2 | 3 | 4}
        Specifies the interoperability mode used by the T3 controller.
        • 0—Connects a T3 controller to another T3 controller or to a Digital Link DSU. Bandwidth range is from 300 to 44210 kbps. This is the default.
        • 1—Connects a T3 controller to a Kentrox DSU. Bandwidth range is from 1500 to 35000 kbps, or 44210 kbps.
          Note  If the bandwidth is set between 35000 and 44210 kbps (other than exactly 44210), an error message is displayed.
        • 2—Connects a T3 controller to a Larscom DSU. Bandwidth range is from 3100 to 44210 kbps.
        • 3—Connects a T3 controller to an Adtran T3SU 300. Bandwidth range is from 75 to 44210 kbps.
        • 4—Connects a T3 controller to a Verilink HDM 2182. Bandwidth range is from 1500 to 44210 kbps.

Step 4  Router(config-if)# dsu bandwidth kbps
        Specifies the maximum allowable bandwidth.
        • kbps—Bandwidth range is from 1 to 44210 kbps. The value must also fall within the range allowed by the DSU mode selected in Step 3.

Verifying DSU Mode

Use the show controllers serial command to display the DSU mode of the controller:

Router# show controllers serial
Serial3/1/0 -
  Framing is c-bit, Clock Source is Internal
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 0, since reset 0
  Data in current interval (0 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Transmitter is sending AIS.
  .
  .
  .

Configuring Maintenance Data Link

MDL messages are used to communicate identification information between local and remote ports. The type of information included in MDL messages includes the equipment identification code (EIC), location identification code (LIC), frame identification code (FIC), unit, Path Facility Identification (PFI), port number, and Generator Identification numbers. These strings are carried over the T3 path to whatever equipment terminates the far end, so enable transmission only where the far end should learn them and do not put information in them that you would not disclose to the carrier.

To configure Maintenance Data Link (MDL), use the following commands:

Router# configure terminal
        Enters global configuration mode.

Router(config)# controller t3 slot/subslot/port
        Selects the controller to configure and enters controller configuration mode.
        • slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 19-7.

Router(config-controller)# mdl {string {eic | fic | generator | lic | pfi | port | unit} string | transmit {idle-signal | path | test-signal}}
        Configures the MDL message.
        • string eic—Specifies the Equipment Identification Code; can be up to 10 characters.
        • string fic—Specifies the Frame Identification Code; can be up to 10 characters.
        • string generator—Specifies the Generator number string sent in the MDL Test Signal message; can be up to 38 characters.
        • string lic—Specifies the Location Identification Code; can be up to 11 characters.
        • string pfi—Specifies the Path Facility Identification Code sent in the MDL Path message; can be up to 38 characters.
        • string port—Specifies the Port number string sent in the MDL Idle Signal message; can be up to 38 characters.
        • string unit—Specifies the Unit Identification Code; can be up to 6 characters.
        • transmit idle-signal—Enables MDL Idle-Signal message transmission.
        • transmit path—Enables MDL Path message transmission.
        • transmit test-signal—Enables MDL Test-Signal message transmission.

Verifying MDL

Use the show controller command to display the MDL settings:

Router# show controller t3 3/0/0
T3 3/0/0 is down.
  Hardware is 2 ports CT3 SPA
  ATLAS FPGA version: 0, FREEDM336 version: 0
  TEMUX84(1) version: 0, TEMUX84(1) version: 0
  SUBRATE FPGA version: 0
  Applique type is Subrate T3
  Receiver has loss of signal.
  MDL transmission is enabled
     EIC: new, LIC: US, FIC: 23, UNIT: myunit
     Path FI: test pfi
     Idle Signal PORT_NO: New-port
     Test Signal GEN_NO: test-message
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Equipment customer loopback
  Data in current interval (869 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     869 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     869 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 870 LOS Defect Secs

Configuring Encapsulation

When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate traffic.
To set the encapsulation method, use the following commands:

Router# configure terminal
        Enters global configuration mode.

Channelized:    Router(config)# interface serial slot/subslot/port/t1-number:channel-group
Unchannelized:  Router(config)# interface serial slot/subslot/port
        Selects the interface to configure and enters interface configuration mode.
        • Channelized: slot/subslot/port/t1-number:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 19-7.
        • Unchannelized: slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 19-7.

Router(config-if)# encapsulation {hdlc | ppp | frame-relay}
        Sets the encapsulation method on the interface.
        • hdlc—High-Level Data Link Control (HDLC) protocol for serial interfaces. This is the default.
        • ppp—Point-to-Point Protocol (PPP) for serial interfaces.
        • frame-relay—Frame Relay for serial interfaces.

Verifying Encapsulation

Use the show interface serial command to display the encapsulation method:

Router# show interface serial3/0/0
Serial3/0/0 is down, line protocol is down
  Hardware is Channelized/ClearChannel CT3 SPA
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 applique, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions alarm present
     DSU mode 0, bandwidth 44210 Kbit, scramble 0, VC 0

Configuring T3 Framing

To set the T3 framing type, use the following commands:

Router# configure terminal
        Enters global configuration mode.

Router(config)# interface serial slot/subslot/port
        Selects the interface to configure and enters interface configuration mode.
        • slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 19-7.

Router(config-if)# framing {c-bit | m13}
        Specifies the framing type in unchannelized mode.
        • c-bit—Specifies C-bit parity framing. This is the default.
        • m13—Specifies DS3 Framing M13 (same as M23).

Verifying Framing

Use the show controller command to display the framing type:

Router# show controller t3 3/0/0
T3 3/0/0 is down.
  Hardware is 2 ports CT3 SPA
  ATLAS FPGA version: 0, FREEDM336 version: 0
  TEMUX84(1) version: 0, TEMUX84(1) version: 0
  SUBRATE FPGA version: 0
  Applique type is Subrate T3
  Receiver has loss of signal.
  Framing is M13, Line Code is B3ZS, Clock Source is Line
  Equipment customer loopback
  Data in current interval (656 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     666 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 666 LOS Defect Secs

Configuring FDL

Facility Data Link (FDL) is a far-end performance reporting tool. In ANSI mode, you can enable 1-second transmissions of performance reports on both ends of the T1 connection. To configure FDL, use the following commands:

Router# configure terminal
        Enters global configuration mode.

Router(config)# controller t3 slot/subslot/port
        Selects the controller to configure and enters controller configuration mode.
        • slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 19-7.

Router(config-controller)# t1 number fdl {ansi}
        (Optional) Enables FDL.
        • number—Specifies the T1 channel number.
        • ansi—Specifies the FDL bit per the ANSI T1.403 specification.

Verifying FDL

Use the show controller command to display the FDL setting:

Router# show controller t3 3/0/1/1
T3 3/0/1 is down.
  Hardware is 2 ports CT3 SPA
  ATLAS FPGA version: 0, FREEDM336 version: 0
  TEMUX84(1) version: 0, TEMUX84(1) version: 0
  SUBRATE FPGA version: 0
  Applique type is Channelized T3
  Receiver has loss of signal.
  Framing is M23, Line Code is B3ZS, Clock Source is Internal
  Equipment customer loopback
  Data in current interval (456 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     456 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 456 LOS Defect Secs
  T1 1 is down
    timeslots: 2-14
    FDL per ANSI T1.403 and AT&T 54016 spec.
    Configured for FDL remotely line looped (bell)
    Transmitter is sending LOF Indication.
    Receiver is getting AIS.
    Framing is ESF, Clock Source is Line
    BERT running on timeslots 2,3,4,5,6,7,8,9,10,11,12,13,14,
    BERT test result (running)
       Test Pattern : All 1's, Status : Not Sync, Sync Detected : 0
       Interval : 2 minute(s), Time Remain : 2 minute(s)
       Bit Errors (since BERT started): 0 bits,
       Bits Received (since BERT started): 0 Kbits
       Bit Errors (since last sync): 0 bits
       Bits Received (since last sync): 0 Kbits
    Data in current interval (703 seconds elapsed):
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       713 Unavail Secs, 0 Stuffed Secs
       357 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs

Configuring Scramble

T3 scrambling is used to assist clock recovery on the receiving end. Scrambling is designed to randomize the pattern of 1s and 0s carried in the physical layer frame. Randomizing the digital bits can prevent continuous, nonvariable bit patterns, in other words, long strings of all 1s or all 0s. Several physical layer protocols rely on transitions between 1s and 0s to maintain clocking. Scrambling can prevent some bit patterns from being mistakenly interpreted as alarms by switches placed between the Data Service Units (DSUs).

To configure scrambling, use the following commands:

Router# configure terminal
        Enters global configuration mode.

Router(config)# interface serial slot/subslot/port
        Selects the interface to configure and enters interface configuration mode.
        • slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 19-7.

Router(config-if)# scramble [0 | 1]
        Enables scrambling. Scrambling is disabled by default.
        • Scramble settings: 1—enabled; 0—disabled.

Verifying Scrambling

Use the show interface serial command to display the scramble setting:

Router# show interface serial3/0/0
Serial3/0/0 is down, line protocol is down
  Hardware is Channelized/ClearChannel CT3 SPA
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 applique, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions alarm present
     DSU mode 0, bandwidth 44210 Kbit, scramble 1, VC 0

Configuring Multilink Point-to-Point Protocol (Hardware-based)

Multilink Point-to-Point Protocol (MLPPP) allows you to combine T1 or E1 lines into a bundle that has the combined bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of T1 or E1 lines in each bundle.

MLPPP for T1/E1 Configuration Guidelines

The required conditions are:
• Only T1 or E1 links in a bundle
• All links on the same SPA
• Maximum of 12 links in a bundle

Note  Some notes about hardware-based MLPPP:
• Only three fragmentation sizes are possible: 128, 256 and 512 bytes.
• Fragmentation is enabled by default; the default size is 512 bytes.
• The fragmentation size is configured using the ppp multilink fragment-delay command after using the interface multilink command. Of the three possible sizes, the one that satisfies the configured delay is used; for example, a 192-byte packet takes 1 millisecond to serialize on a T1 link, so a fragment delay of 1 millisecond results in a fragmentation size of 128 bytes (the nearest size that does not exceed 192 bytes).
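To make the fragmentation note concrete, the following Python is added here as an example; it is not code from the Cisco guide. It computes the hardware fragment size that results from a given ppp multilink fragment-delay and emits the bundle configuration from the Create, Assign, fragment-size and disable-fragmentation tables of this section, enforcing the guidelines above (1 to 12 links, all on the same SPA). Assumptions the guide does not state are labelled in the code: a T1 payload rate of 1536 kbps (24 × 64 kbps, which yields the 192 bytes per millisecond quoted above), that the largest of the three sizes fitting the delay is used, and that 128 bytes is used when none fits.

```python
"""Hardware MLPPP fragment-size selection and bundle configuration for the CT3 SPA.
Added example, not code from the Cisco guide. Assumptions the guide does not state:
the T1 payload rate is 24 x 64 kbps = 1536 kbps (192 bytes per millisecond); the
largest of the three hardware sizes whose serialization delay fits the configured
fragment-delay is used; when even 128 bytes does not fit, the 128-byte minimum is used."""
from typing import List, Optional

HARDWARE_FRAGMENT_SIZES = (128, 256, 512)   # the only sizes the hardware supports
DEFAULT_FRAGMENT_SIZE = 512                 # fragmentation is on by default at 512 bytes
T1_PAYLOAD_KBPS = 24 * 64                   # assumption: 1536 kbps, 192 bytes per ms


def serialization_delay_ms(nbytes: int, link_kbps: int = T1_PAYLOAD_KBPS) -> float:
    """Milliseconds needed to clock `nbytes` onto a link of `link_kbps`."""
    return nbytes * 8 / link_kbps


def max_bytes_for_delay(delay_ms: float, link_kbps: int = T1_PAYLOAD_KBPS) -> int:
    """Largest payload, in whole bytes, that serializes within `delay_ms`."""
    return int(delay_ms * link_kbps / 8)


def select_fragment_size(delay_ms: Optional[float],
                         link_kbps: int = T1_PAYLOAD_KBPS) -> int:
    """Fragment size used for `ppp multilink fragment-delay delay_ms`
    (None means the command is absent, so the 512-byte default applies)."""
    if delay_ms is None:
        return DEFAULT_FRAGMENT_SIZE
    if delay_ms <= 0:
        raise ValueError("fragment-delay must be positive")
    budget = max_bytes_for_delay(delay_ms, link_kbps)
    fitting = [size for size in HARDWARE_FRAGMENT_SIZES if size <= budget]
    # Assumption: largest fitting size; the hardware minimum when nothing fits.
    return max(fitting) if fitting else min(HARDWARE_FRAGMENT_SIZES)


def bundle_config(group: int, members: List[str], ip_address: Optional[str] = None,
                  delay_ms: Optional[int] = None, fragmentation: bool = True) -> List[str]:
    """IOS lines for a hardware MLPPP bundle, following this section's tables.
    `members` are interface addresses such as '4/2/0/1:0'. Enforces the guidelines:
    1 to 12 links, all on the same SPA (same slot/subslot)."""
    if not 1 <= len(members) <= 12:
        raise ValueError("a bundle needs between 1 and 12 member links")
    spas = {"/".join(m.split("/")[:2]) for m in members}
    if len(spas) != 1:
        raise ValueError(f"all links must be on the same SPA, got {sorted(spas)}")
    lines = [f"interface multilink {group}"]
    if ip_address:
        lines.append(f" ip address {ip_address}")
    if not fragmentation:
        lines.append(" no ppp multilink fragmentation")
    elif delay_ms is not None:
        lines.append(f" ppp multilink fragment-delay {delay_ms}")
    for m in members:                     # one block per member, as in the Assign table
        lines += [f"interface serial {m}", " encapsulation ppp",
                  f" multilink-group {group}", " ppp multilink"]
    return lines
```

Compare select_fragment_size(delay) with the "Fragment size" field of show ppp multilink on the router to confirm the assumption about which of the three sizes is chosen for your release.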
The show ppp multilink command indicates the MLPPP type and the fragmentation size:

Router# show ppp multilink
Multilink1, bundle name is Patriot2
  Bundle up for 00:00:13
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned
  0 discarded, 0 lost received, 206/255 load
  0x0 received sequence, 0x0 sent sequence
  Member links: 2 active, 0 inactive (max not set, min not set)
    Se4/2/0/1:0, since 00:00:13, no frags rcvd
    Se4/2/0/2:0, since 00:00:10, no frags rcvd
Distributed fragmentation on. Fragment size 512. Multilink in Hardware.

Fragmentation is disabled explicitly by using the no ppp multilink fragmentation command after using the interface multilink command.

Create a Multilink Bundle

To create a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface multilink group-number
    Creates a multilink interface and enters multilink interface mode.
    • group-number—The group number for the multilink bundle.
Router(config-if)# ip address address mask
    Sets the IP address for the multilink group.
    • address—The IP address.
    • mask—The IP netmask.

Assign an Interface to a Multilink Bundle

To assign an interface to a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port/t1-number:channel-group
    Selects the interface to configure and enters interface configuration mode. See the “Specifying the Interface Address on a SPA” section on page 19-7.
    • slot/subslot/port/t1-number:channel-group—Selects the interface to configure.
Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Router(config-if)# multilink-group group-number
    Assigns the interface to a multilink bundle.
    • group-number—The multilink group number for the T1 or E1 bundle.
Router(config-if)# ppp multilink
    Enables multilink PPP on the interface.

Repeat these commands for each interface you want to assign to the multilink bundle.

Configuring Fragmentation Size on an MLPPP Bundle (Optional)

To configure the fragmentation size on a multilink PPP bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface multilink group-number
    Creates a multilink interface and enters multilink interface mode.
    • group-number—The group number for the multilink bundle. Range 1-2147483647.
Router(config-if)# ppp multilink fragment-delay delay
    Sets the fragmentation size satisfying the configured delay on the multilink bundle.
    • delay—Delay in milliseconds.

Verifying Multilink PPP

Use the show ppp multilink command to verify the PPP multilinks:

router# show ppp multilink
Multilink1, bundle name is mybundle
  Bundle up for 01:40:50
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned
  0 discarded, 0 lost received, 1/255 load
  0x0 received sequence, 0x0 sent sequence
  Member links: 5 active, 0 inactive (max not set, min not set)
    Se6/0/0/1:0, since 01:40:50, no frags rcvd
    Se6/0/1/1:0, since 01:40:09, no frags rcvd
    Se6/0/3/1:0, since 01:15:44, no frags rcvd
    Se6/0/4/1:0, since 01:03:17, no frags rcvd
    Se6/0/6/1:0, since 01:01:06, no frags rcvd
    Se6/0/6:0, since 01:01:06, no frags rcvd

Disabling Fragmentation on an MLPPP Bundle (Optional)

To disable fragmentation on a multilink PPP bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface multilink group-number
    Creates a multilink interface and enters multilink interface mode.
    • group-number—The group number for the multilink bundle. Range 1-2147483647.
Router(config-if)# no ppp multilink fragmentation
    Disables fragmentation on the multilink bundle.

Configuring MLFR for T1/E1

Multilink Frame Relay (MLFR) allows you to combine T1/E1 lines into a bundle that has the combined bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of T1/E1 lines in each bundle. This allows you to increase the bandwidth of your network links beyond that of a single T1/E1 line.

MLFR for T1/E1 Configuration Guidelines

MLFR functions in hardware if all of the following conditions are met:
• Only T1 or E1 member links
• All links are on the same SPA
• Maximum of 12 links in a bundle

Create a Multilink Bundle

To create a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface mfr number
    Configures a multilink Frame Relay bundle interface.
    • number—The number for the Frame Relay bundle.
Router(config-if)# frame-relay multilink bid name
    (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle.
    • name—The name for the Frame Relay bundle.

Note   The bundle identification (BID) does not take effect until the interface has gone from the down state to the up state.
One way to bring the interface down and back up again is by using the shut and no shut commands in interface configuration mode.

Assign an Interface to a Multilink Bundle

To assign an interface to a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port:channel-group
    Selects the interface to assign.
    • slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 19-7.
Router(config-if)# encapsulation frame-relay mfr number [name]
    Creates a multilink Frame Relay bundle link and associates the link with a bundle.
    • number—The number for the Frame Relay bundle.
    • name—The name for the Frame Relay bundle.
Router(config-if)# frame-relay multilink lid name
    (Optional) Assigns a bundle link identification name to a multilink Frame Relay bundle link.
    • name—The name for the Frame Relay bundle.
    Note   The bundle link identification (LID) does not take effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shut and no shut commands in interface configuration mode.
Router(config-if)# frame-relay multilink hello seconds
    (Optional) Configures the interval at which a bundle link sends out hello messages. The default value is 10 seconds.
    • seconds—Number of seconds between hello messages sent out over the multilink bundle.
Router(config-if)# frame-relay multilink ack seconds
    (Optional) Configures the number of seconds that a bundle link waits for a hello message acknowledgment before resending the hello message. The default value is 4 seconds.
    • seconds—Number of seconds a bundle link waits for a hello message acknowledgment before resending the hello message.
Router(config-if)# frame-relay multilink retry number
    (Optional) Configures the maximum number of times a bundle link resends a hello message while waiting for an acknowledgment. The default value is 2 tries.
    • number—Maximum number of times a bundle link resends a hello message while waiting for an acknowledgment.

Verifying Multilink Frame Relay

Use the show frame-relay multilink detailed command to verify the Frame Relay multilinks:

Router# show frame-relay multilink detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
 BID = MFR49
 No. of bundle links = 1, Peer's bundle-id =
 Bundle links:
  Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
   Cause code = none, Ack timer = 4, Hello timer = 10,
   Max retry count = 2, Current count = 0,
   Peer LID = , RTT = 0 ms
   Statistics:
   Add_link sent = 21, Add_link rcv'd = 0,
   Add_link ack sent = 0, Add_link ack rcv'd = 0,
   Add_link rej sent = 0, Add_link rej rcv'd = 0,
   Remove_link sent = 0, Remove_link rcv'd = 0,
   Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
   Hello sent = 0, Hello rcv'd = 0,
   Hello_ack sent = 0, Hello_ack rcv'd = 0,
   outgoing pak dropped = 0, incoming pak dropped = 0

Configuring Multipoint Bridging

Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay PVCs, BCP ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks. Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud.
This also allows service providers to gradually update their core networks to the latest Gigabit Ethernet optical technologies, while still supporting their existing customer base.

For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring Multipoint Bridging” section on page 4-36 of Chapter 4, “Configuring the SIPs and SSC.”

Configuring Bridging Control Protocol Support

The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN (VLAN), and high-speed switched LANs.

For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature Compatibility” section on page 4-56 of Chapter 4, “Configuring the SIPs and SSC.”

Configuring BCP on MLPPP

BCP on MLPPP Configuration Guidelines

• Only Distributed MLPPP is supported
• Only channelized interfaces are allowed, and member links must be from the same controller card
• Only trunk port BCP is supported on MLPPP
• Bridging can be configured only on the bundle interface

Note   BCP on MLPPP operates only in trunk mode.

Note   When you manually configure the MTU and MRRU values on the bundle interface with BCP on dMLPPP, set the MRRU value to at least 20 bytes more than the MTU value. This ensures that packets with a size up to the configured MTU value on the multilink interface are not dropped because of the MRRU restriction.

Configuring BCP on MLPPP Trunk Mode

To configure BCP on MLPPP trunk mode, perform these steps:

Step 1   Router(config)# interface multilink
    Selects the multilink interface.
Step 2   Router(config-if)# switchport
    Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.
Step 3   Router(config-if)# switchport trunk allowed vlan 100
    By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.
Step 4   Router(config-if)# switchport mode trunk
    Configures the router port connected to the switch as a VLAN trunk port.
Step 5   Router(config-if)# switchport nonegotiate
    Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames.
Step 6   Router(config-if)# no ip address
    Unassigns the IP address.
Step 7   Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 8   Router(config-if)# multilink-group 1
    Assigns this interface to the multilink group.
Step 9   Router(config-if)# interface Serial1/0/0.1/1/1/1:0
    Designates a serial interface as a multilink bundle.
Step 10  Router(config-if)# no ip address
    Unassigns the IP address.
Step 11  Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Step 12  Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 13  Router(config-if)# multilink-group 1
    Assigns this interface to multilink group 1.
Step 14  Router(config-if)# interface Serial1/0/0.1/1/1/2:0
    Designates a serial interface as a multilink bundle.
Step 15  Router(config-if)# no ip address
    Unassigns the IP address.
Step 16  Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Step 17  Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 18  Router(config-if)# multilink-group 1
    Assigns this interface to multilink group 1.
Step 19  Router(config-if)# shutdown
    Shuts down an interface.
Step 20  Router(config-if)# no shutdown
    Reopens an interface.
Step 21  Router(config-if)# switchport trunk allowed vlan vlan-list
    By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.
Router(config-if)# show ppp multilink
    Displays information on a multilink group.

Verifying BCP on MLPPP Trunk Mode

To display information about Multilink PPP, use the show ppp multilink command in EXEC mode. The following shows an example of show ppp multilink:

Router# show ppp multilink
Multilink1, bundle name is group 1
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent
  0 discarded, 0 lost received, 1/255 load
  Member links: 4 active, 0 inactive (max no set, min not set)
    Serial1/0/0/:1
    Serial1/0/0/:2
    Serial1/0/0/:3
    Serial1/0/0/:4

FRF.12 Guidelines

FRF.12 functions in hardware. Note the following:
• Only three fragmentation sizes are available: 128 bytes, 256 bytes, and 512 bytes. The supported fragment sizes (128, 256, and 512) include the FRF and NLPID headers in addition to the payload.
• If you have a configuration where a C7600 router acts as a Provider Edge (PE) router between Customer Edge (CE) routers, you can configure the C7600 in plain Frame Relay or Frame Relay Fragmentation mode. If you enable Frame Relay Fragmentation only at the CE routers and the C7600 acts as a plain Frame Relay interface, the configuration works. In a configuration of a C7600 with any of the three SPAs (8-Port Channelized T1/E1 SPA, 1-Port Channelized OC-3/STM-1 SPA, or 2-Port or 4-Port CT3 SPA), where Frame Relay is configured on the serial interface and Frame Relay Fragmentation is enabled on any of the subinterfaces, the fragmented packets may be dropped in the transparent DLCIs. If you want such a configuration to work, set the fragment size on the main interface larger than any CE router fragmentation size using the command frame-relay fragment x end-to-end, where x is the fragmentation size on the main interface.

LFI Guidelines

LFI can function in two ways: using FRF.12 or MLPPP. MLPPP LFI can be done in both hardware and software, while FRF.12 LFI is done only in hardware.

Hardware MLPPP LFI Guidelines

LFI using MLPPP functions in hardware only if there is just one member link in the MLPPP bundle. The link can be a fractional T1 or a full T1. Note the following:
• The ppp multilink interleave command needs to be configured to enable interleaving.
• Only three fragmentation sizes are supported: 128 bytes, 256 bytes, and 512 bytes.
• Fragmentation is enabled by default, the default size being 512 bytes.
• A policy map having a priority class needs to be applied to the main interface.
• When hardware-based LFI is enabled, fragmentation counters are not displayed.

FRF.12 LFI Guidelines

LFI using FRF.12 is always done in hardware. Note the following:
• The fragmentation is configured at the main interface.
• Only three fragmentation sizes are available: 128 bytes, 256 bytes, and 512 bytes.
• A policy map having a priority class needs to be applied to the main interface.

Configuring QoS Features on Serial SPAs

The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For information about the QoS features supported by the serial SPAs, see the “Configuring QoS Features on a SIP” section on page 4-94 of Chapter 4, “Configuring the SIPs and SSC.”

Saving the Configuration

To save your running configuration to nonvolatile random-access memory (NVRAM), use the following command in privileged EXEC configuration mode:

Router# copy running-config startup-config
    Writes the new configuration to NVRAM.

For more information about managing configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

Verifying the Interface Configuration

Besides using the show running-configuration command to display your Cisco 7600 series router configuration settings, you can use the show interfaces serial and the show controllers serial commands to get detailed information on a per-port basis for your 2-Port and 4-Port Clear Channel T3/E3 SPA.

Verifying Per-Port Interface Status

To find detailed interface information on a per-port basis for the 2-Port and 4-Port Channelized T3 SPA, use the show interfaces serial command. The following example provides sample output for the serial interface on an un-channelized T3:

Router# show interface serial3/0/0
Serial3/0/0 is down, line protocol is down
  Hardware is Channelized/ClearChannel CT3 SPA
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
              0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 applique, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
   alarm present
   DSU mode 0, bandwidth 44210 Kbit, scramble 1, VC 0

The following example provides sample output for the serial interface on a channelized T3:
Router# show interface serial3/0/1/1:0
Serial3/0/1/1:0 is down, line protocol is down
  Hardware is Channelized/ClearChannel CT3 SPA
  MTU 1500 bytes, BW 832 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
   alarm present
   VC 1: timeslot(s): 2-14, Transmitter delay 0, non-inverted data

To find detailed status and statistical information on a per-port basis for the 2-Port and 4-Port Clear Channel T3/E3 SPA, use the show controllers serial command.
The following example provides sample controller statistics for the third port on the SPA located in the first subslot of the SIP-200 that is installed in slot 5 of a Cisco 7609 router:

show controller serial 5/0/2
Serial5/0/2 -
  Framing is c-bit, Clock Source is Line
  Bandwidth limit is 44210, DSU mode 0, Cable length is 10
  rx FEBE since last clear counter 0, since reset 0
  Data in current interval (807 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 306 Unavailable Secs
     500 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 2:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 3:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     562 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Data in Interval 4:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation
     0 P-bit Err Secs, 0 P-bit Sev Err Secs
     0 Sev Err Framing Secs, 0 Unavailable Secs
     560 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  . . .
  Total Data (last 44 15 minute intervals):
     0 Line Code Violations, 0 P-bit Coding Violation,
     0 C-bit Coding Violation,
     0 P-bit Err Secs, 0 P-bit Sev Err Secs,
     0 Sev Err Framing Secs, 0 Unavailable Secs,
     24750 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
  Transmitter is sending AIS.
  Receiver has loss of signal.
  40434 Sev Err Line Secs, 0 Far-End Err Secs, 0 Far-End Sev Err Secs
  0 P-bit Unavailable Secs, 0 CP-bit Unavailable Secs
  0 CP-bit Far-end Unavailable Secs
  0 Near-end path failures, 0 Far-end path failures
  No FEAC code is being received
  MDL transmission is disabled

Configuration Examples

This section includes the following configuration examples:
• DSU Configuration Example, page 19-28
• MDL Configuration Example, page 19-28
• Encapsulation Configuration Example, page 19-29
• Framing—Unchannelized Mode Configuration Example, page 19-29
• Facility Data Link Configuration Example, page 19-29
• Scrambling Configuration Example, page 19-29
• Creating a Multilink Bundle Configuration Example, page 19-30
• Assigning a T1 Interface to a Multilink Bundle Configuration Example, page 19-30

DSU Configuration Example

The following example sets the DSU mode on interface port 0 on slot 4, subslot 1.

!
! Specify the interface and enter interface configuration mode.
!
Router(config-int)# interface t3 4/1/0
!
! Specify the interoperability mode used by the T3 interface.
!
Router(config-int)# dsu mode 2
!
! Specify the maximum allowable bandwidth.
!
Router(config-int)# dsu bandwidth 23000

MDL Configuration Example

The following example configures the MDL strings on controller port 0 on slot 4, subslot 1.

!
! Enter controller configuration mode.
!
Router(config)# controller t3 4/1/0
!
! Specify the mdl strings.
!
Router(config-controller)# mdl string eic beic
Router(config-controller)# mdl string lic beic
Router(config-controller)# mdl string fic bfix
Router(config-controller)# mdl string unit bunit
Router(config-controller)# mdl string pfi bpfi
Router(config-controller)# mdl string port bport
Router(config-controller)# mdl string generator bgen
Router(config-controller)# mdl transmit path
Router(config-controller)# mdl transmit idle-signal
Router(config-controller)# mdl transmit test-signal

Encapsulation Configuration Example

The following example configures encapsulation on a channelized T1 interface.

!
! Specify the interface to configure and enter interface configuration mode.
!
Router(config)# interface serial 4/1/1/1:0
!
! Specify the encapsulation method.
!
Router(config-if)# encapsulation ppp

The following example configures encapsulation and framing on an un-channelized T3 interface.

!
! Specify the interface to configure and enter interface configuration mode.
!
Router(config)# interface serial 4/1/1
!
! Specify the encapsulation method.
!
Router(config-if)# encapsulation ppp

Framing—Unchannelized Mode Configuration Example

The following example configures framing on an un-channelized T3 interface.

!
! Specify the interface to configure and enter interface configuration mode.
!
Router(config)# interface serial 4/1/1
!
! Specify the framing type.
!
Router(config-if)# framing m13

Facility Data Link Configuration Example

The following example configures FDL on a channelized T1 interface.

!
! Specify the controller to configure and enter controller configuration mode.
!
Router(config)# controller t3 3/1/0
!
! Specify the T1 controller and set the FDL bit.
!
Router(config-controller)# t1 1 fdl ansi

Scrambling Configuration Example

The following example configures scrambling on the T3 interface:

!
! Enter global configuration mode.
!
Router# configure terminal
!
! Specify the interface to configure and enter interface configuration mode.
!
Router(config)# interface serial 4/1/3
!
! Enable scrambling.
!
Router(config-if)# scrambling

Creating a Multilink Bundle Configuration Example

!
! Enter global configuration mode.
!
Router# configure terminal
!
! Create a multilink interface and enter interface configuration mode.
!
Router(config)# interface multilink 1
!
! Specify the IP address for the interface.
!
Router(config-if)# ip address 123.345.678.21 255.255.255.0
!

Assigning a T1 Interface to a Multilink Bundle Configuration Example

!
! Enter global configuration mode.
!
Router# configure terminal
!
! Specify the T1 interface and enter interface configuration mode.
!
Router(config)# interface serial 1/0/1/1:0
!
! Specify PPP encapsulation.
!
Router(config-if)# encapsulation ppp
!
! Specify the multilink bundle the T1 will belong to.
!
Router(config-if)# multilink-group 1
!

C H A P T E R 20

Configuring 1-Port ChOC-3/STM-1 and ChOC-12 / STM-4 SPAs

This chapter provides information about configuring the 1-Port Channelized OC-3/STM-1 SPA on Cisco 7600 series routers and the 1-Port Channelized OC-12/STM-4 SPA on the SIP-400, introduced with IOS release 12.2(33)SRD1. The new 1-Port Channelized OC-12/STM-4 SPA terminates channelized IP services on the service provider edge and maintains feature parity with the 1-Port Channelized OC-3/STM-1 SPA on the Cisco 7600 series router SIP-200 line card and the Channelized OC-12 OSM line card.
This chapter includes the following sections:
• Configuration Tasks, page 20-1
• Verifying the Interface Configuration, page 20-26
• Stateful MLPPP MR-APS, page 20-27

For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the Related Documentation, page xlvii.

Configuration Tasks

This section describes how to configure the 1-Port Channelized OC-3/STM-1 SPA and 1-Port Channelized OC-12/STM-4 SPA for the Cisco 7600 series routers and includes information about verifying the configuration.

Up to 3 STS-1 connections can be configured on the 1-Port Channelized OC-3/STM-1 SPA. Each STS-1 connection can be configured as a T3 controller or as a VT controller. A maximum of 1023 interfaces can be configured.

Up to 12 STS-1 connections can be configured on the 1-Port Channelized OC-12/STM-4 SPA. Each STS-1 connection can be configured as a T3 controller or as a VT controller. STS-1s can be clubbed together to support the concatenated POS interface. A maximum of 2000 interfaces can be configured.

This document shows how to configure the 1-Port Channelized OC-3/STM-1 SPA and 1-Port Channelized OC-12/STM-4 SPAs in either SONET or SDH framing modes.
SDH mode is not supported on the 1-Port Channelized OC-12/STM-4 SPA as of now.

It includes the following topics:
• Use the show controllers command to verify the controller configuration, page 20-14
• Selection of Physical Port and Controller Configuration, page 20-2
• Optional Configurations, page 20-15
• Saving the Configuration, page 20-26

Required Configuration Tasks

This section lists the required steps to configure the 1-Port Channelized OC-3/STM-1 SPA and the 1-Port Channelized OC-12/STM-4 SPA. Some of the required configuration commands implement default values that might be appropriate for your network. If the default value is correct for your network, then you do not need to configure the command.
• Selection of Physical Port and Controller Configuration
• Interface Naming
• SONET mode Configuration
• SDH mode Configuration
• Configure Channelized DS3 in SONET Mode
• POS Interface Configuration
• Verifying Interface Configuration

Note   To better understand the address format used to specify the physical location of the Cisco 7600 SIP-200, SPA, and interfaces, see the “Selection of Physical Port and Controller Configuration” section on page 20-2.

Selection of Physical Port and Controller Configuration

To select the physical port and controller configuration on the 1-Port Channelized STM-1/OC-3 SPA or 1-Port Channelized OC12/STM4, use the following command:

controller sonet slot / subslot / port

If the 1-Port Channelized OC-3/STM-1 SPA sits in subslot 0 of a Cisco 7600 SIP-200 / SIP-400 (releases from SRC onwards) in slot 3, the 1-Port Channelized OC-3/STM-1 SPA port would be identified as controller SONET 3/0/0. Since there is only 1 port on a 1-Port Channelized OC-3/STM-1 SPA, the port number is always 0.
If the 1-Port Channelized OC12/STM4 sits in subslot 0 of a 7600-SIP-400 (releases from SRD1 onwards) in slot 3, the 1-Port Channelized OC12/STM4 port would be identified as controller SONET 3/0/0. Since there is only 1 port on a 1-Port Channelized OC12/STM4, the port number is always 0.

Note   The terms slot and bay are used interchangeably in this document.

Interface Naming

Interface names are generated automatically, and the format depends on the mode in which each particular line card is operating. The name formats of the serial interfaces created are listed below.

SONET mode

• If framing is SONET and mode is vt-15, where the VTG range is 1-7 and the DS1 (T1) range is 1-4:
  interface serial [slot / subslot / port].[sts-1#/ vtg/ ds1#]:[channel-group]
  Note   Based on the CLI configuration, the channel-group value varies from 0 to 23 for DS1.
• If framing is SONET and mode is CT3, where the DS1 range is 1-28:
  interface serial [slot / subslot / port].[sts-1# / ds1#]:[channel-group]
  Note   Based on the CLI configuration, the channel-group value varies from 0 to 23 for DS1.
• If framing is SONET and mode is CT3-E1, where the E1 range is 1-21:
  interface serial [slot / subslot / port].[sts-1# / e1#]:[channel-group]
  Note   Based on the CLI configuration, the channel-group value varies from 0 to 30 for E1 and 0 to 23 for T1.
• If framing is SONET and mode is T3:
  interface serial [slot / subslot / port.sts-1#]

SDH mode

• If SDH-AUG mapping is au-4 and the tug-3 mode is t3/e3:
  interface serial [slot / subslot /< port>./ ]
  Note   Based on the CLI configuration, the STS range varies from 1 to 12, the AU-4 varies from 1 to 4, the TUG-3 varies from 1 to 3, and the TUG-2 varies from 1 to 7.
• If the SDH AUG mapping is au-3 and the mode is c-11:
  interface serial [slot/subslot/port].[au-3#/…/…]:[channel-group]
• If framing is SDH and the mode is c-12:
  interface serial [slot/subslot/port].[au-4#/tug-3#/tug-2#/e1#]:[channel-group]
Note If the AUG mapping is au-3, the only supported mode is c-11 (carrying a DS1/T1).

POS mode
POS mode is available only on the 1-Port Channelized OC-12/STM-4 SPA, and the only supported framing is SONET. If framing is SONET:
  interface pos [slot/subslot/port]:[sts-1#]
Here sts-1# is the first STS-1 of the POS interface. For example, if the SPA is at 3/0/0 and the POS interface is created over the first three STS-1s, the interface name is POS3/0/0:1. If the POS interface is created over all of the STS-1s, the name is still POS3/0/0:1; the differentiating factor is the interface bandwidth, which is 155000 kbit/s for an OC-3 POS interface and 622000 kbit/s for an OC-12 POS interface.

Selection of Physical Port and Controller Configuration: SONET Mode

To create the interfaces on the 1-Port Channelized OC-3/STM-1 SPA or the 1-Port Channelized OC-12/STM-4 SPA, complete the steps in the following sections.

SONET Mode Configuration

To configure the SONET controller, first select it and enter controller configuration mode:

Router(config)# controller sonet slot/subslot/port
        slot/subslot/port specifies the location of the interface; see the "Selection of Physical Port and Controller Configuration" section on page 20-2.

Then complete these steps:

Step 1  Router(config-controller)# framing sonet
        Selects the framing type; sonet specifies SONET framing, which is the default.
Step 2  Router(config-controller)# clock source {internal | line}
        Sets the clock source.
        Note Set the clock source to internal if the far end of the connection is set to line, and to line if the far end is set to internal.
        • internal: the internal clock source is used.
        • line: the network (line) clock source is used. This is the default for T1 and E1.
Step 3  Router(config-controller)# [no] loopback {local | network}
        Enables or disables loopback on the SONET controller.
        • local: loops data from the transmit path back to the receive path.
        • network: loops data received on the receive path back out the transmit path and the external port.
        Loopback is disabled by default.
Step 4  Router(config-controller)# sts-1 sts-1#
        In SONET framing, selects the STS-1 path to configure and enters STS-1 configuration mode. sts-1# specifies the SONET STS-1 number (1 to 3 on the OC-3 SPA, 1 to 12 on the OC-12 SPA).
Step 5  Router(config-ctrlr-sts1)# [no] mode {vt-15 | ct3 | t3 | ct3-e1}
        Specifies the mode of operation of the STS-1 path:
        • vt-15: the STS-1 is divided into 7 VTGs; each VTG is divided into 4 VT1.5s, each carrying a T1.
        • ct3: the STS-1 carries a DS3 signal channelized into 28 T1s (PDH).
        • t3: the STS-1 carries an unchannelized (clear-channel) T3.
        • ct3-e1: the channelized T3 carries E1 circuits.
        Note Effective from Cisco IOS Release 15.1(1)S, the ct3-e1 mode is supported on the 1-Port Channelized OC-12/STM-4 SPA.
Step 6  Router(config-ctrlr-sts1)# vtg ?
          <1-7>  vtg number
        vtg specifies the VTG number; the range is 1 to 7.
Step 7  Router(config-ctrlr-sts1)# vtg vtg# t1 t1# {bert | channel-group | clock | description | fdl | framing | loopback | shutdown | yellow}
        Configures the T1s within the VTGs. For SONET framing the vtg# range is 1 to 7. For example, to create a channel group on T1 1 of VTG 1:
        Router(config-ctrlr-sts1)# vtg 1 t1 1 channel-group ?
          <0-23>  Channel group number
        Router(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 ?
          timeslots  List of timeslots in the channel group
        Router(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots ?
          <1-24>  List of timeslots which comprise the channel
        Router(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots 1 ?
          speed  Specify the speed of the underlying DS0s
        Router(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots 1

SDH Mode Configuration

To configure SDH mode, complete the following steps:

Note Effective from Cisco IOS Release 15.1(1)S, SDH mode is supported on the 1-Port Channelized OC-12/STM-4 SPA.

Step 1  Router(config-controller)# framing sdh
        Selects the framing type.
        • sonet: SONET framing. This is the default.
        • sdh: SDH framing.
Step 2  Router(config-controller)# aug mapping {au-3 | au-4}
        Configures the AUG mapping (SDH only). If the AUG mapping is au-4, the following multiplexing, alignment and mapping is used:
          TUG-3 <--> VC-4 <--> AU-4 <--> AUG
        If the mapping is au-3:
          VC-3 <--> AU-3 <--> AUG
        This command is available only when SDH framing is configured. The default is au-4.
Step 3  Router(config-controller)# aug mapping [stm#] {au-3 | au-4}
        Configures the AUG mapping for a particular STM (SDH only).
Step 4  If the AUG mapping is au-4: Router(config-controller)# au-4 au-4# tug-3 tug-3#
        If the AUG mapping is au-3: Router(config-controller)# au-3 au-3#
        Enters the configuration submode for the given TUG-3 or AU-3. Depending on the configured AUG mapping, this command further specifies TUG-3, AU-3 or STS-1 multiplexing, and the CLI parser enters config-ctrlr-tug3, config-ctrlr-au3 or config-ctrlr-sts1 mode so that only the relevant commands are visible. The AU-4 number ranges from 1 to 4 on the OC-12 SPA and is always 1 on the OC-3 SPA. The AU-3 number ranges from 1 to 12 on the OC-12 SPA and from 1 to 3 on the OC-3 SPA. The STS-1 number ranges from 1 to 12 on the OC-12 SPA and from 1 to 3 on the OC-3 SPA.
Step 5  In SDH framing with AU-4 mapping: Router(config-ctrlr-tug3)# [no] mode {c-12 | t3 | e3}
        c-11 and c-12 are SDH container level-n mappings for a channelized T3: c-11 carries a T1 and c-12 carries an E1.
        • c-12: the AU-4/TUG-3 is divided into 7 TUG-2s; each TUG-2 is divided into 3 TU-12s, each carrying an E1 (C-12).
        • t3: the STS-1 or AU-4/TUG-3 carries an unchannelized (clear-channel) T3.
        • e3: the AU-4/TUG-3 carries an unchannelized (clear-channel) E3.
        On the ChOC-3/STM-1 SPA, you cannot configure both T3 and E3 at the same time.
        Note Only c-11 is supported with AU-3 mapping.
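The interface naming rules and the SONET controller steps above are easy to get wrong by hand: an index outside its range is rejected by the CLI, but a wrong sts-1, vtg or channel-group silently creates a different interface from the one you meant to address in an ACL or QoS policy. The following Python is an added example, not part of this guide or of Cisco IOS. It builds the controller stanza for a channel, validates every index against the ranges this chapter states (STS-1 count per SPA, VTG 1 to 7, T1 1 to 4 per VTG, DS1 1 to 28, E1 1 to 21, channel-group 0 to 23 or 0 to 30, timeslots 1 to 24 or 1 to 31), and returns the serial interface name IOS generates for the SONET modes (vt-15, ct3, ct3-e1, t3) and the POS form. The SDH forms are not implemented. The Channel type, the "oc3" and "oc12" labels and all function names are this example's own.

```python
import re
from dataclasses import dataclass

# Limits stated in this chapter. The port number is always 0: both SPAs have one port.
SPA_STS1_COUNT = {"oc3": 3, "oc12": 12}      # STS-1 paths per SPA ("oc3"/"oc12" are this example's labels)
LIMITS = {
    # mode: (T1/E1 number range, channel-group range, timeslot range)
    "vt-15":  ((1, 4),  (0, 23), (1, 24)),   # t1 within a vtg; the vtg itself is 1-7
    "ct3":    ((1, 28), (0, 23), (1, 24)),
    "ct3-e1": ((1, 21), (0, 30), (1, 31)),
    "t3":     (None, None, None),            # clear channel: no T1/E1, no channel group
}
POS_FIRST_STS1 = (1, 4, 7, 10)               # allowed first STS-1 of a POS interface

@dataclass
class Channel:                 # hypothetical type, not an IOS object
    spa: str                   # "oc3" or "oc12"
    slot: int
    subslot: int
    sts1: int
    mode: str                  # vt-15 | ct3 | ct3-e1 | t3
    vtg: int = 0               # vt-15 only, 1-7
    line: int = 0              # T1 number (vt-15, ct3) or E1 number (ct3-e1)
    channel_group: int = 0
    timeslots: str = ""        # IOS list syntax, e.g. "1-24" or "1-2,5-6"

def parse_timeslots(spec: str, lo: int, hi: int) -> list:
    """Expand IOS timeslot list syntax ("1-2,5-6,9") into a sorted list within lo..hi."""
    slots = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad timeslot list {spec!r}")
        a, b = int(m.group(1)), int(m.group(2) or m.group(1))
        if not lo <= a <= b <= hi:
            raise ValueError(f"timeslots {part} outside {lo}-{hi}")
        slots.update(range(a, b + 1))
    return sorted(slots)

def _check(name: str, value: int, rng: tuple) -> None:
    if not rng[0] <= value <= rng[1]:
        raise ValueError(f"{name} {value} outside {rng[0]}-{rng[1]}")

def validate(ch: Channel) -> None:
    """Raise ValueError if any index is outside the ranges this chapter gives."""
    if ch.mode not in LIMITS:
        raise ValueError(f"unknown mode {ch.mode!r}")
    _check("sts-1", ch.sts1, (1, SPA_STS1_COUNT[ch.spa]))
    if ch.mode == "t3":
        return
    line_rng, cg_rng, ts_rng = LIMITS[ch.mode]
    if ch.mode == "vt-15":
        _check("vtg", ch.vtg, (1, 7))
    _check("t1/e1", ch.line, line_rng)
    _check("channel-group", ch.channel_group, cg_rng)
    parse_timeslots(ch.timeslots, *ts_rng)

def is_valid(ch: Channel) -> bool:
    try:
        validate(ch)
        return True
    except ValueError:
        return False

def interface_name(ch: Channel) -> str:
    """Serial interface name IOS generates for the channel."""
    validate(ch)
    base = f"Serial{ch.slot}/{ch.subslot}/0.{ch.sts1}"
    if ch.mode == "t3":
        return base
    if ch.mode == "vt-15":
        return f"{base}/{ch.vtg}/{ch.line}:{ch.channel_group}"
    return f"{base}/{ch.line}:{ch.channel_group}"

def controller_config(ch: Channel) -> str:
    """Controller stanza that creates the channel, in running-config form."""
    validate(ch)
    lines = [f"controller SONET {ch.slot}/{ch.subslot}/0", " framing sonet",
             f" sts-1 {ch.sts1}", f"  mode {ch.mode}"]
    if ch.mode != "t3":
        kw = "e1" if ch.mode == "ct3-e1" else "t1"
        prefix = f"vtg {ch.vtg} " if ch.mode == "vt-15" else ""
        lines.append(f"  {prefix}{kw} {ch.line} channel-group {ch.channel_group} "
                     f"timeslots {ch.timeslots}")
    return "\n".join(lines)

def pos_interface_name(spa: str, slot: int, subslot: int, first: int, last: int) -> str:
    """Name of the POS interface created by 'sts-1 <first>-<last> pos' (OC-12 SPA only)."""
    if spa != "oc12":
        raise ValueError("POS mode is supported only on the 1-Port ChOC-12/STM-4 SPA")
    if first not in POS_FIRST_STS1 or not first <= last <= SPA_STS1_COUNT[spa]:
        raise ValueError(f"invalid STS-1 range {first}-{last}")
    return f"POS{slot}/{subslot}/0:{first}"

if __name__ == "__main__":
    ch = Channel("oc3", 3, 0, 1, "vt-15", vtg=1, line=1, channel_group=0, timeslots="1-3")
    print(controller_config(ch))
    print("->", interface_name(ch))
```

Run stand-alone, the script prints the stanza for VTG 1, T1 1 of STS-1 1 on the SPA at 3/0/0 and the name Serial3/0/0.1/1/1:0, the same pairing the sample configuration and show interface output later in this chapter show for 2/1/0.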
Configure Channelized DS3 in SONET Mode

To configure channelized DS3 mode, complete the following steps:

Step 1  Router(config)# controller sonet slot/subslot/port
        Selects the controller to configure and enters controller configuration mode. slot/subslot/port specifies the location of the interface; see the "Selection of Physical Port and Controller Configuration" section on page 20-2.
Step 2  Router(config-controller)# sts-1 sts-1#
        Selects the STS-1 path. sts-1# ranges from 1 to y, where y is the number of STS-1s in the SONET signal (3 for OC-3, for example).
Step 3  Router(config-ctrlr-sts1)# mode ct3
        Sets the STS-1 path to channelized DS3 mode.
Step 4  Router(config-ctrlr-sts1)# t3 framing {c-bit | m23 | auto-detect}
        Specifies the T3 framing mode.
        • c-bit: C-bit parity framing.
        • m23: M23 framing.
        • auto-detect: the framing is detected automatically.
Step 5  Router(config-ctrlr-sts1)# clock source {internal | line}
        Sets the clock source for the T3 under this STS-1.
        Note Set the clock source to internal if the far end of the connection is set to line, and to line if the far end is set to internal.
        • internal: the internal clock source is used.
        • line: the network (line) clock source is used.
Step 6  Router(config-ctrlr-sts1)# [no] t3 loopback {local | network [line | payload] | remote [line | payload]}
        Enables or disables loopback on the T3.
        • local: loops data from the transmit path back to the receive path.
        • network: loops data received on the external port back out the transmit path to the external port.
          Note Effective from Cisco IOS Release 15.1(1)S, network loopback is supported on the 1-Port Channelized OC-12/STM-4 SPA.
        • remote: applies only to c-bit framing. Configured locally, this mode puts the remote end into network loopback.
        Loopback is disabled by default.
Step 7  Router(config-ctrlr-sts1)# [no] t3 mdl string {eic | fic | generator | lic | pfi | port | unit} string
        Router(config-ctrlr-sts1)# [no] t3 mdl transmit {path | idle-signal | test-signal}
        Configures Maintenance Data Link (MDL) support.
        • eic: equipment ID code
        • fic: frame ID code
        • generator: generator number in the MDL test signal
        • lic: location ID code
        • pfi: facility ID code in the MDL path message
        • port: port number in the MDL idle-signal message
        • unit: unit code
        By default no MDL string is set and no MDL message is transmitted.
Step 8  Router(config-ctrlr-sts1)# t3 equipment {customer | network} loopback
        customer makes the port honor remote loopback requests; network disables this. A port in customer mode can be looped, and so taken out of service, by the far end, so configure network unless remote loopback testing is required.
        Note Remote loopbacks are available only in c-bit framing mode.
Step 9  Router(config-ctrlr-sts1)# t3 bert pattern pattern interval 1-14400
        Enables BERT testing with the given pattern for the given interval.

POS Interface Configuration

To configure the OC-3 or OC-12 POS interfaces, complete the following steps. Use the show interface pos command to verify the POS configuration, and use the interface pos slot/subslot/port:sts-1# command to enter the POS interface when debugging its configuration.
Step 1  Router(config-controller)# sts-1 start-sts-1#-end-sts-1# pos
        Creates the POS interface. start-sts-1# and end-sts-1# are the first and last STS-1 over which the POS interface is created.
Step 2  Router(config)# interface pos slot/subslot/port:sts-1#
        Enters configuration mode for the POS interface.
Step 3  Router(config-if)# [no] encapsulation encapsulation-type
        Sets the encapsulation on the POS interface to the required value. The available types are:
          bstun           Block Serial tunneling (BSTUN)
          frame-relay     Frame Relay networks
          hdlc            Serial HDLC synchronous
          lapb            LAPB (X.25 Level 2)
          ppp             Point-to-Point protocol
          sdlc            SDLC
          sdlc-primary    SDLC (primary)
          sdlc-secondary  SDLC (secondary)
          smds            Switched Megabit Data Service (SMDS)
          stun            Serial tunneling (STUN)
          x25             X.25
Step 4  Router(config-if)# [no] pos {delay | flag | scramble-atm | threshold}
        Configures POS options; pos scramble-atm enables or disables SPE scrambling on the POS interface.
          delay         Delay POS alarm triggers
          flag          Specify byte value
          scramble-atm  Enable POS SPE scrambling
          threshold     Set BER threshold values
Step 5  Router(config-if)# crc {16 | 32}
        Configures the CRC size. It must be set to the same value on both connected SPAs.
Step 6  Router(config-if)# invert data
        Configures the invert data setting. This must also be the same on both connected SPAs.

Following is sample output for verifying the POS configuration:

Router# show interface pos 4/1/0:1
POS4/1/0:1 is down, line protocol is down
  Hardware is SPA_1xCHOC12
  MTU 4470 bytes, BW 155000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Scramble disabled
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
  Non-inverted data

Note In the POS interface name POSslot/subslot/port:N, N is the number of the first STS-1 on the POS interface. The value of N can be 1, 4, 7 or 10.

DS1 Configuration (Channelized T3 Mode)

To configure a DS1, complete the following steps:

Step 1  Router(config-ctrlr-sts1)# [no] t1 t1# clock source {internal | line}
        Configures the clock source for the T1.
Step 2  Router(config-ctrlr-sts1)# [no] t1 t1# fdl ansi
        Enables the one-second transmission of remote performance reports over the Facility Data Link (FDL) per ANSI T1.403.
        Note Without this command the FDL runs in AT&T mode. AT&T mode and ANSI mode are not mutually exclusive; ANSI mode is a superset of AT&T mode.
Step 3  Router(config-ctrlr-sts1)# [no] t1 t1# framing {sf | esf}
        Router(config-ctrlr-sts1)# [no] t1 t1# yellow {detection | generation}
        Sets the T1 framing, and enables detection and generation of DS1 yellow alarms.
Step 4  Router(config-ctrlr-sts1)# [no] t1 t1# shutdown
        Shuts down the configured T1.
Step 5  Router(config-ctrlr-sts1)# [no] t1 t1# channel-group channel-group# timeslots list-of-timeslots speed {56 | 64}
        Creates the channel group and specifies the DS0 speed in kilobits per second. Valid values are 56 and 64.
Step 6  Router(config-ctrlr-sts1)# [no] t1 t1# loopback {local | network line | remote {line fdl {ansi | bellcore} | payload fdl ansi}}
        Configures a loopback on the T1.
        Note Local network payload loopback is not supported because of TEMUX-84/TEMUX-84E limitations.

E1 Configuration (Channelized T3/E3 Mode)

E1 configuration must be done in channelized DS3 mode. To configure an E1, complete the following steps:

Step 1  Router(config-ctrlr-sts1)# [no] e1 e1# channel-group channel-group# timeslots list-of-timeslots speed {56 | 64}
        • The E1 range is 1 to 21 (see the ct3-e1 interface naming above).
        • The timeslot range is 1 to 31.
        • The default speed is 64. A speed of 56 means that each DS0 runs at 56 kbps instead of 64 kbps, to interoperate with some legacy T1s.
Step 2  Router(config-ctrlr-sts1)# [no] e1 e1# [unframed | framing] {crc4 | no-crc4}
        Configures crc4 or no-crc4 framing. This applies only to a framed E1; an unframed E1 does not need it.
Step 3  Router(config-ctrlr-sts1)# [no] e1 e1# clock source {internal | line}
        Configures the clock source.
Step 4  Router(config-ctrlr-sts1)# [no] e1 e1# national bits pattern
        Sets the national reserved bits on an E1 line. pattern is a value in the range 0x0 to 0x1F (hexadecimal) or 0 to 31 (decimal).
Step 5  Router(config-ctrlr-sts1)# [no] e1 e1# loopback {local | network [line]}
        local loops data from the transmit path back to the receive path. network loops data received from the external port back out the transmit path to the external port.
Step 6  Router(config-ctrlr-sts1)# [no] e1 e1# shutdown
        Shuts down the configured E1.

BERT Test Configuration

To configure a BERT test, complete the following:

Step 1  Router(config-ctrlr-sts1)# [no] {e1 e1# | t1 t1#} bert pattern {2^11 | 2^15 | 2^20 | QRSS} interval time
        Sends a BERT pattern on a DS1 or E1 line for the given interval.
        Note Only 6 E1 BERTs can run concurrently because of TEMUX-84/TEMUX-84E limitations.

Unchannelized E3 Serial Interface Configuration

To configure an unchannelized E3 serial interface, complete the following steps. These commands are configurable only under the serial interface, not under the controller.

Step 1  Router(config)# interface serial slot/subslot/port.au-4#/tug-3#
        • au-4#: the AU-4 under which the E3 is configured. On the OC-3 SPA there is only one AU-4, so this value is always 1.
        • tug-3#: the TUG-3 path under which the E3 is configured.
Step 2  Router(config-if)# [no] dsu mode {cisco | digital-link | kentrox}
        Sets the DSU mode. The default is cisco.
        • cisco: Cisco DSU mode.
        • digital-link: Digital Link DSU mode; the dsu bandwidth range is 300 to 34010.
        • kentrox: Kentrox DSU mode; the dsu bandwidth range is 1000 to 24500, or 34010.
Step 3  Router(config-if)# [no] dsu bandwidth number
        Specifies the maximum allowed bandwidth in kbps.
Step 4  Router(config-if)# [no] national bit {0 | 1}
        Sets the E3 national bit. The default is 0.
Step 5  Router(config-if)# [no] crc {16 | 32}
        Sets the CRC size. The default is 16 bits (CRC-CCITT).
Step 6  Router(config-if)# [no] loopback {network | local | dte | dual}
        Configures a loopback on the E3 interface.
Step 7  Router(config-if)# [no] shutdown
        Enables or disables the interface.

Use the show controllers command to verify the controller configuration.

Following is sample output for T1 1 in VTG 1 of STS-1 1, in SONET vt-15 mode:

Router# show controllers sonet 3/0/0.1/1/1
SONET 3/0/0 is down.
  Path mode VT15
  STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) is down
  timeslots: 1-24
  FDL per AT&T 54016 spec.
  Receiver is getting AIS.
  Framing is ESF, Clock Source is Internal
  Data in current interval (623 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
     623 Unavail Secs, 0 Stuffed Secs
  Data in Interval 1:
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
     900 Unavail Secs, 0 Stuffed Secs

Verifying Interface Configuration

Use the show interface serial command to verify the interface configuration:

Router# show interface serial
Serial2/0/0.1/2          unassigned      YES TFTP   administratively down down
Serial2/1/0.1/1/1:0      unassigned      YES unset  down                  down
Serial2/1/0.1/2/4:0      unassigned      YES unset  down                  down
Serial2/1/0.1/2/4:1      unassigned      YES unset  down                  down
Serial2/1/0.2/1:0        unassigned      YES unset  down                  down
Serial2/1/0.2/2:0        unassigned      YES unset  down                  down
Serial2/1/0.2/3:0        unassigned      YES unset  down                  down
Serial2/1/0.3            unassigned      YES unset  down                  down

UUT# show interface Serial2/1/0.1/1/1:0
Serial2/1/0.1/1/1:0 is down, line protocol is down
  Hardware is Channelized-T3
  MTU 1500 bytes, BW 192 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  Available Bandwidth 192 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions alarm present
  VC 2: timeslot(s): 1-3, Transmitter delay 0, non-inverted data

Following is a sample configuration:

UUT# show running-config | begin 2/1/0
controller SONET 2/1/0
 ais-shut
 framing sonet
 clock source line
 overhead j0 1
 !
 sts-1 1
  mode vt-15
  vtg 1 t1 1 channel-group 0 timeslots 1-3
  vtg 2 t1 4 channel-group 0 timeslots 1-2,5-6
  vtg 2 t1 4 channel-group 1 timeslots 3,7,9
 !
 sts-1 2
  mode ct3
  t1 1 channel-group 0 timeslots 1-24
  t1 2 channel-group 0 timeslots 1-12
  t1 3 channel-group 0 timeslots 1
 !
 sts-1 3
  mode t3
!
controller T3 3/1/0
 shutdown
 cablelength 224
!
controller T3 3/1/1
 shutdown
 cablelength 224
!
interface Loopback0
 ip address 172.10.11.1 255.255.255.255
 .
 .

Optional Configurations

There are several standard, but optional, configurations that might be necessary to complete the configuration of your serial SPA.
• Configuring Encapsulation, page 20-16
• Configuring the CRC Size for T1, page 20-17
• Configuring FDL, page 20-17
• Configuring Multilink Point-to-Point Protocol (Hardware-based), page 20-18
• Configuring APS, page 20-20
• Configuring MLFR, page 20-22
• FRF.12 Guidelines, page 20-25
• LFI Guidelines, page 20-25
• HW MLPPP LFI Guidelines, page 20-25
• FRF.12 LFI Guidelines, page 20-25
• Configuring QoS Features on Serial SPAs, page 20-26

Configuring Encapsulation

When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate the traffic. To set the encapsulation method, use the following commands:

Step 1  Router# configure terminal
        Enters global configuration mode.
Step 2  Router(config)# interface serial slot/subslot/port:channel-group
        Selects the interface to configure. For addressing information, refer to the "Interface Naming" section on page 20-3.
Step 3  Router(config-if)# encapsulation {hdlc | ppp | frame-relay}
        Sets the encapsulation method on the interface.
        • hdlc: High-Level Data Link Control (HDLC) protocol for serial interfaces. This encapsulation provides the synchronous framing and error detection functions of HDLC without windowing or retransmission. This is the default for synchronous serial interfaces.
        • ppp: PPP (for serial interfaces).
        • frame-relay: Frame Relay (for serial interfaces).
Step 4  Router(config-if)# crc {16 | 32}
        Selects the CRC size in bits.
        • 16: 16-bit CRC.
        This is the default.
        • 32: 32-bit CRC.

Configuring the CRC Size for T1

The 1-Port Channelized OC-3/STM-1 SPA interfaces use a 16-bit cyclic redundancy check (CRC) by default, but also support a 32-bit CRC. CRC is an error-checking technique that uses a calculated numeric value to detect errors in transmitted data. The designators 16 and 32 indicate the length (in bits) of the frame check sequence (FCS). A 32-bit CRC provides more powerful error detection but adds overhead. Both the sender and the receiver must use the same setting.

CRC-16, the most widely used CRC throughout the United States and Europe, is used extensively with WANs. CRC-32 is specified by IEEE 802 and as an option by some point-to-point transmission standards. It is often used on Switched Multimegabit Data Service (SMDS) networks and LANs.

To set the length of the CRC on a T1 interface, use these commands:

Router# configure terminal
        Enters global configuration mode.
Router(config)# interface serial slot/subslot/port:channel-group
        Selects the interface to configure. For addressing information, refer to the "Interface Naming" section on page 20-3.
Router(config-if)# crc {16 | 32}
        Configures the CRC size. If you do not set a value, the default of 16 is used.

Configuring FDL

Facility Data Link (FDL) is a 4-kbps channel provided by the Extended Super Frame (ESF) T1 framing format. The FDL runs outside the payload capacity and lets you check error statistics on terminating equipment without intruding on the payload.

Router# configure terminal
        Enters global configuration mode.
Router(config)# controller sonet slot/subslot/port
        Selects the controller to configure. slot/subslot/port specifies the location of the controller; see the "Interface Naming" section on page 20-3.
Router(config-controller)# sts-1 sts-1#
        Selects the STS-1 path.
Router(config-ctrlr-sts1)# vtg vtg# t1 t1# fdl ansi
        If the framing format is esf, configures the format used for the Facility Data Link.
        • vtg#: the VTG number.
        • t1#: the T1 number for which FDL is to be configured.
        • ansi: selects the ANSI T1.403 standard for FDL.

Verifying FDL

Use the show controllers command to verify the FDL setting:

Router# show controllers sonet 3/0/0.1/1/1
SONET 3/0/0 is down.
  Path mode VT15
  STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) is down
  timeslots: 1-24
  FDL per ANSI T1.403 and AT&T 54016 spec.
  Receiver is getting AIS.
  Framing is ESF, Clock Source is Internal
  Data in current interval (805 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
     805 Unavail Secs, 0 Stuffed Secs
  Data in Interval 1:
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
     900 Unavail Secs, 0 Stuffed Secs

Configuring Multilink Point-to-Point Protocol (Hardware-based)

Multilink Point-to-Point Protocol (MLPPP) allows you to combine interfaces that correspond to an entire T1 or E1 into a multilink bundle. You choose the number of bundles and the number of T1 or E1 lines in each bundle.

MLPPP Configuration Guidelines

The required conditions are:
• Only T1 or E1 links in a bundle.
• All links on the same SPA.
• A maximum of 12 links in a bundle.
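The show controllers output shown under Verifying FDL above (the same layout appears in the earlier "Use the show controllers command to verify the controller configuration" sample) is what you scrape when checking many T1s after a change. The following Python parser is an added example, not part of this guide or of Cisco IOS. It reads one DS1 block of that output into a structure and then reports the conditions a practitioner checks after configuring FDL: whether ANSI T1.403 FDL is in effect, whether the channel is down or receiving AIS, and the unavailable seconds in the current interval. The sample text is constructed from the output above; the Ds1Status type and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, laid out like the "Verifying FDL" output above.
SAMPLE_FDL_ANSI = """\
SONET 3/0/0 is down.
  Path mode VT15
  STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) is down
  timeslots: 1-24
  FDL per ANSI T1.403 and AT&T 54016 spec.
  Receiver is getting AIS.
  Framing is ESF, Clock Source is Internal
  Data in current interval (805 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
     805 Unavail Secs, 0 Stuffed Secs
  Data in Interval 1:
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
     900 Unavail Secs, 0 Stuffed Secs
"""

@dataclass
class Ds1Status:                # hypothetical type for this example
    controller: str = ""
    controller_up: bool = False
    path_mode: str = ""
    channel: str = ""           # e.g. "VT1.5 1/1/1"
    channel_up: bool = False
    timeslots: str = ""
    fdl_ansi: bool = False      # True when "FDL per ANSI T1.403 ..." is shown
    ais: bool = False
    framing: str = ""
    clock_source: str = ""
    current: dict = field(default_factory=dict)    # counters, current interval
    intervals: list = field(default_factory=list)  # counters, past intervals

# "805 Unavail Secs, 0 Stuffed Secs" -> pairs of (count, counter name)
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z ]*?)\s*(?:,|$)")

def parse_show_controllers_ds1(text: str) -> Ds1Status:
    """Parse one DS1 block of 'show controllers sonet slot/subslot/port.sts-1/vtg/t1' output."""
    st = Ds1Status()
    target = None                        # counter dict the next counter lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0].isdigit():            # a counter line
            if target is not None:
                for m in COUNTER_RE.finditer(line):
                    target[m.group(2).strip()] = int(m.group(1))
            continue
        m = re.match(r"SONET (\S+) is (\w+)\.?$", line)
        if m:
            st.controller, st.controller_up = m.group(1), m.group(2) == "up"
            continue
        m = re.match(r".*\((.+?)\) is (\w+)$", line)
        if m:                            # "STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) is down"
            st.channel, st.channel_up = m.group(1), m.group(2) == "up"
            continue
        if line.startswith("Path mode"):
            st.path_mode = line.split(None, 2)[2]
        elif line.startswith("timeslots:"):
            st.timeslots = line.split(":", 1)[1].strip()
        elif line.startswith("FDL per"):
            st.fdl_ansi = "ANSI" in line
        elif line.startswith("Receiver is getting AIS"):
            st.ais = True
        elif line.startswith("Framing is"):
            m = re.match(r"Framing is (\S+), Clock Source is (\S+)", line)
            if m:
                st.framing, st.clock_source = m.group(1), m.group(2)
        elif line.startswith("Data in current interval"):
            target = st.current
        elif line.startswith("Data in Interval"):
            target = {}
            st.intervals.append(target)
    return st

def fdl_findings(st: Ds1Status) -> list:
    """Conditions to act on after 'fdl ansi' has been configured on the T1."""
    findings = []
    if not st.fdl_ansi:
        findings.append("FDL is AT&T 54016 only; 'fdl ansi' is not in effect")
    if not st.channel_up:
        findings.append(f"{st.channel} is down")
    if st.ais:
        findings.append("receiver is getting AIS")
    unavail = st.current.get("Unavail Secs", 0)
    if unavail:
        findings.append(f"{unavail} unavailable seconds in the current interval")
    return findings

if __name__ == "__main__":
    status = parse_show_controllers_ds1(SAMPLE_FDL_ANSI)
    for f in fdl_findings(status):
        print(f"{status.controller} {status.channel}: {f}")
```

On the sample above the FDL check passes (ANSI is in effect) and the remaining findings are the down channel, the AIS from the far end and the 805 unavailable seconds, which is what the counters in that output say.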
Note Some notes about hardware-based MLPPP: Only 3 fragmentation sizes are possible 128, 256 and 512 bytes Fragmentation is enabled by default, default size is 512 bytes Fragmentation size is configured using the ppp multilink fragment-delay command after using the interface multilink command. The least of the fragmentation sizes (among the 3 sizes possible) satisfying the delay criteria is configured. (e.g., a 192 byte packet causes a delay of 1 millisecond on a T1 link, so the nearest fragmentation size is 128 bytes. The show ppp multilink command will indicate the MLPPP type and the fragmentation size: Router# show ppp multilink Multilink1, bundle name is Patriot2 Bundle up for 00:00:13 Bundle is Distributed 0 lost fragments, 0 reordered, 0 unassigned 0 discarded, 0 lost received, 206/255 load 0x0 received sequence, 0x0 sent sequence Member links: 2 active, 0 inactive (max not set, min not set)20-19 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-29 Chapter 20 Configuring 1-Port ChOC-3/STM-1 and ChOC-12 / STM-4 SPAs Configuration Tasks Se4/2/0.1/1/1:0, since 00:00:13, no frags rcvd Se4/2/0.1/1/2:0, since 00:00:10, no frags rcvd Distributed fragmentation on. Fragment size 512. Multilink in Hardware. Fragmentation is disabled explicitly by using the no ppp multilink fragmentation command after using the interface multilink command. Create a Multilink Bundle To create a multilink bundle, use the following commands: Assign an Interface to a Multilink Bundle To assign an interface to a multilink bundle, use the following commands: Configuring Fragmentation Size on an MLPPP Bundle (optional) To configure the fragmentation size on a multilink ppp bundle, use the following commands: Command Purpose Router# configure terminal Enters global configuration mode. Router(config)# interface multilink group-number Creates a multilink interface and enter multilink interface mode. • group-number—The group number for the multilink bundle. 
Router(config-if)# ip address address mask
    Sets the IP address for the multilink group.
    • address—The IP address.
    • mask—The IP netmask.

To assign an interface to a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial
    Selects the interface to configure and enters interface configuration mode. For addressing information, refer to the “Interface Naming” section on page 20-3.
Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Router(config-if)# multilink-group group-number
    Assigns the interface to a multilink bundle.
    • group-number—The multilink group number for the T1 or E1 bundle.
Router(config-if)# ppp multilink
    Enables multilink PPP on the interface.

Repeat these commands for each interface you want to assign to the multilink bundle.

20-20 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-29 Chapter 20 Configuring 1-Port ChOC-3/STM-1 and ChOC-12 / STM-4 SPAs Configuration Tasks

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface multilink group-number
    Creates a multilink interface and enters multilink interface mode. For addressing information, refer to the “Interface Naming” section on page 20-3.
    • group-number—The group number for the multilink bundle. Range 1-65535.
Router(config-if)# ppp multilink fragment-delay delay
    Sets the fragmentation size satisfying the configured delay on the multilink bundle.
    • delay—Delay in milliseconds.

Disabling the Fragmentation on an MLPPP Bundle (optional)

To disable fragmentation on a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface multilink group-number
    Creates a multilink interface and enters multilink interface mode.
    • group-number—The group number for the multilink bundle. Range 1-65535.
Router(config-if)# no ppp multilink fragmentation
    Disables the fragmentation on the multilink bundle.

Configuring APS

Automatic protection switching (APS) allows switchover of the channelized OC3/OC12 channels in the event of failure. APS refers to the mechanism of using a protect interface in the network as the backup for a working interface. When the working interface fails, the protect interface quickly assumes its traffic load. Depending on the configuration, the two circuits may be terminated in the same router or in different routers.

MLPPP MR-APS switchover time on all serial SPAs that support PPP encapsulation and APS on the SIP-400 is enhanced in the 12.2(33)SRD2 release. MLPPP APS switchover time on the Cisco 7600 platform is a combination of the time spent executing the software and the time required for LCP and IPCP negotiations by the newly forwarding MLP bundle. In 12.2(33)SRD2, the Cisco 7600 platform software is optimized for faster MLPPP APS switchover.

Further, to help reduce the LCP and IPCP negotiation time, the granularity of the ppp timeout retry command is also enhanced in 12.2(33)SRD2 to include millisecond values. The PPP timeout retry determines how long the PPP state machine for LCP waits for a response from the remote peer before transmitting the next configuration request packet. The first configuration request packet from the new active APS router is used by the APS-unaware router to bring down the PPP sessions. The second configuration request packet from the new active APS router triggers LCP negotiation. There is no change in the default PPP timeout retry value (2 seconds). In the SRD2 release, the minimum supported configurable ppp timeout retry value is 255 msec.

Note: Configuring the PPP retry timeout to be 250 ms increases the CPU load on the router, but the faster PPP retry timeout speeds up the PPP re-negotiation and so helps the overall switchover time. The performance enhancement of PPP/MLPPP APS does not impact the original PPP/MLPPP scalability on the Cisco 7600.

For more information about APS, refer to A Brief Overview of Packet Over SONET APS at the following URL: http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080093eb5.shtml

To configure the working interface, use the following command in interface configuration mode:

Router(config)# controller sonet slot/subslot/port
    Selects the interface to configure and enters controller configuration mode.
    • slot/subslot/port—Specifies the location of the controller.
Router(config-if)# aps working
    Configures a channelized OC3/OC12 interface as a working APS interface.

To remove the channelized interface as a working interface, use the no form of this command.

To configure the protect channelized interface, use the following command in interface configuration mode:

Router(config)# controller sonet slot/subslot/port
    Selects the interface to configure and enters controller configuration mode.
    • slot/subslot/port—Specifies the location of the interface.
Router(config-if)# aps protect
    Configures a channelized OC3/OC12 interface as a protect APS interface.

To revert the protect interface configuration on the channelized interface, use the no form of this command.

To configure the ppp timeout retry on the channelized interface, use the following command in interface configuration mode:

Router(config)# interface serial slot/subslot/port:channel-group
    Selects the interface to configure and enters interface configuration mode.
    • slot/subslot/port:channel-group—Specifies the location of the interface.
Router(config-if)# ppp timeout retry <0-255> [<0-999>]
    Configures the PPP Control Protocol retry timer on the channelized serial interface, in milliseconds.
    Note: The msecs timer increases the load on the router and should not be used except for the APS retry timeout configuration.

To remove the timeout retry configuration on the interface, use the no form of this command.

Verifying the APS Configuration

To verify the APS configuration or to determine if a switchover has occurred, use the show aps command. The following is an example of the show aps command and a typical configuration on the SONET controller for APS on the 1-Port Channelized OC-12/STM-4 SPA and 1-Port Channelized OC-3/STM-1 SPA:

Router#sh aps
SONET 3/0/0 APS Group 1: working channel 1 (Active)
        Protect at 1.0.0.1
        PGP timers (from protect): hello time=1; hold time=3
        PGP timers (configured): hello time=1; hold time=3
        SONET framing
        Remote APS configuration: (null)

controller SONET 3/0/0
 ais-shut
 threshold sf-ber 3
 framing sonet
 clock source line
 aps group 1
 aps working 1
 aps timers 1 3

Configuring MLFR

Multilink Frame Relay (MLFR) allows you to combine T1/E1 lines into a bundle that has the combined bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of T1/E1 lines in each bundle. This allows you to increase the bandwidth of your network links beyond that of a single T1/E1 line.
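The following Python check is an added example, not part of the Cisco guide: it parses show aps output of the form shown above and reports a completed switchover (the working channel no longer reads Active) or PGP timers advertised by the protect side that differ from the configured ones. Both samples are constructed from the example above; the wording of the switched-over state is an assumption.

```python
"""Checks 'show aps' output for a completed switchover and PGP timer drift.

Added example, not part of the Cisco guide. The output format is assumed to
match the guide's sample; both samples below are constructed.
"""
import re

# Constructed from the guide's 'show aps' example (normal state: working active).
SHOW_APS_NORMAL = """\
SONET 3/0/0 APS Group 1: working channel 1 (Active)
        Protect at 1.0.0.1
        PGP timers (from protect): hello time=1; hold time=3
        PGP timers (configured): hello time=1; hold time=3
        SONET framing
        Remote APS configuration: (null)
"""

# Constructed variant (assumption: any state other than Active on the working
# channel means traffic has moved to the protect interface), with the protect
# side also advertising timers that differ from the local configuration.
SHOW_APS_SWITCHED = SHOW_APS_NORMAL.replace("(Active)", "(Inactive)").replace(
    "(from protect): hello time=1; hold time=3",
    "(from protect): hello time=2; hold time=6")

APS_HEADER = re.compile(
    r"SONET (?P<controller>\S+) APS Group (?P<group>\d+): "
    r"(?P<role>working|protect) channel (?P<channel>\d+) \((?P<state>\w+)\)")
APS_PEER = re.compile(r"(?:Protect|Working) at (?P<peer>\d+\.\d+\.\d+\.\d+)")
APS_TIMERS = re.compile(
    r"PGP timers \((?P<source>from protect|configured)\): "
    r"hello time=(?P<hello>\d+); hold time=(?P<hold>\d+)")


def parse_show_aps(text):
    """Return one dict per APS group found in the output."""
    groups = []
    # Split on the group header so each chunk holds one group's lines.
    starts = [m.start() for m in APS_HEADER.finditer(text)] + [len(text)]
    for begin, end in zip(starts, starts[1:]):
        chunk = text[begin:end]
        info = APS_HEADER.match(chunk).groupdict()
        info["group"] = int(info["group"])
        info["channel"] = int(info["channel"])
        peer = APS_PEER.search(chunk)
        info["peer"] = peer.group("peer") if peer else None
        info["timers"] = {
            t.group("source"): (int(t.group("hello")), int(t.group("hold")))
            for t in APS_TIMERS.finditer(chunk)
        }
        groups.append(info)
    return groups


def aps_findings(groups):
    """List the conditions an operator should act on."""
    findings = []
    for g in groups:
        label = f"SONET {g['controller']} APS group {g['group']}"
        if g["role"] == "working" and g["state"] != "Active":
            findings.append(f"{label}: working channel is {g['state']}, "
                            "switchover to the protect interface has occurred")
        elif g["role"] == "protect" and g["state"] == "Active":
            findings.append(f"{label}: protect channel is Active, "
                            "the working interface is not carrying traffic")
        # Hello/hold times must agree on both ends; a mismatch means the
        # two controllers are not configured identically.
        advertised = g["timers"].get("from protect")
        configured = g["timers"].get("configured")
        if advertised != configured:
            findings.append(f"{label}: PGP timers from protect {advertised} "
                            f"differ from configured {configured}")
    return findings


if __name__ == "__main__":
    for name, output in (("normal", SHOW_APS_NORMAL),
                         ("switched", SHOW_APS_SWITCHED)):
        print(name, aps_findings(parse_show_aps(output)) or ["ok"])
```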
Note: The ppp timeout retry command is backward compatible with previous release trains up to 12.2(33)SRC for the 1-Port Channelized OC-3/STM-1 SPA and up to 12.2(33)SRD for the 1-Port Channelized OC-12/STM-4 SPA.

MLFR Configuration Guidelines

MLFR will function in hardware if all of the following conditions are met:
• Only T1 or E1 member links
• All links are on the same SPA
• Maximum of 12 links in a bundle
• Only supported on the OC3/STM-1 SPA on the SIP-200

Create a Multilink Bundle

To create a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface mfr number
    Configures a multilink Frame Relay bundle interface.
    • number—The number for the Frame Relay bundle.
Router(config-if)# frame-relay multilink bid name
    (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle.
    • name—The name for the Frame Relay bundle.
    Note: The bundle identification (BID) will not go into effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shut and no shut commands in interface configuration mode.

Assign an Interface to a Multilink Bundle

To assign an interface to a multilink bundle, use the following commands:

Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial
    Selects the interface to assign. For addressing information, refer to the “Interface Naming” section on page 20-3.
Router(config-if)# encapsulation frame-relay mfr number [name]
    Creates a multilink Frame Relay bundle link and associates the link with a bundle.
    • number—The number for the Frame Relay bundle.
    • name—The name for the Frame Relay bundle.
Router(config-if)# frame-relay multilink lid name
    (Optional) Assigns a bundle link identification name to a multilink Frame Relay bundle link.
    • name—The name for the Frame Relay bundle link.
    Note: The bundle link identification (LID) will not go into effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shut and no shut commands in interface configuration mode.
Router(config-if)# frame-relay multilink hello seconds
    (Optional) Configures the interval at which a bundle link will send out hello messages. The default value is 10 seconds.
    • seconds—Number of seconds between hello messages sent out over the multilink bundle.
Router(config-if)# frame-relay multilink ack seconds
    (Optional) Configures the number of seconds that a bundle link will wait for a hello message acknowledgment before resending the hello message. The default value is 4 seconds.
    • seconds—Number of seconds a bundle link will wait for a hello message acknowledgment before resending the hello message.
Router(config-if)# frame-relay multilink retry number
    (Optional) Configures the maximum number of times a bundle link will resend a hello message while waiting for an acknowledgment. The default value is 2 tries.
    • number—Maximum number of times a bundle link will resend a hello message while waiting for an acknowledgment.

Verifying Multilink Frame Relay

Use the show frame-relay multilink detailed command to verify the Frame Relay multilinks:

router# show frame-relay multilink detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
 BID = MFR49
 No. of bundle links = 1, Peer's bundle-id =
 Bundle links:
  Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
   Cause code = none, Ack timer = 4, Hello timer = 10,
   Max retry count = 2, Current count = 0,
   Peer LID = , RTT = 0 ms
   Statistics:
   Add_link sent = 21, Add_link rcv'd = 0,
   Add_link ack sent = 0, Add_link ack rcv'd = 0,
   Add_link rej sent = 0, Add_link rej rcv'd = 0,
   Remove_link sent = 0, Remove_link rcv'd = 0,
   Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
   Hello sent = 0, Hello rcv'd = 0,
   Hello_ack sent = 0, Hello_ack rcv'd = 0,
   outgoing pak dropped = 0, incoming pak dropped = 0

FRF.12 Guidelines

FRF.12 functions in hardware and is supported only on the OC-3/STM-1 SPA with the SIP-200. Note the following:
• Only three fragmentation sizes are available: 128 bytes, 256 bytes, and 512 bytes. The supported fragment sizes (128, 256 and 512) include the FRF and NLPID headers in addition to the payload.
• If you have a configuration where a C7600 router acts as a Provider Edge (PE) router between Customer Edge (CE) routers, you can configure the C7600 in plain Frame Relay or Frame Relay Fragmentation mode. If you enable Frame Relay Fragmentation only at the CE routers and the C7600 acts as a plain Frame Relay interface, the configuration works fine. In a configuration of the C7600 with any of the three SPAs (8-Port Channelized T1/E1 SPA, 1-Port Channelized OC-3/STM-1 SPA, or 2- or 4-Port CT3 SPA), where Frame Relay is configured on the serial interface and Frame Relay Fragmentation is enabled on any of the subinterfaces, the fragmented packets may be dropped in the transparent DLCIs.
If you want such a configuration to work, set the fragment size value on the main interface larger than any CE router fragmentation size using the command frame-relay fragment x end-to-end, where x is the fragmentation size on the main interface.

LFI Guidelines

LFI can function in two ways: using FRF.12 or MLPPP. MLPPP LFI can be done in both hardware and software, while FRF.12 LFI is done only in hardware.

HW MLPPP LFI Guidelines

LFI using MLPPP will function only in hardware if there is just one member link in the MLPPP bundle. The link can be a fractional T1 or a full T1. Note the following:
• The ppp multilink interleave command needs to be configured to enable interleaving.
• Only three fragmentation sizes are supported: 128 bytes, 256 bytes, and 512 bytes.
• Fragmentation is enabled by default, the default size being 512 bytes.
• A policy-map having a priority class needs to be applied to the main interface.
• Effective from the 12.2 SRB release, the bundle scale on a SIP-200 is increased from 256 to 1024.

FRF.12 LFI Guidelines

LFI using FRF.12 is always done in hardware. Note the following:
• The fragmentation is configured at the main interface.
• Only three fragmentation sizes are available: 128 bytes, 256 bytes, and 512 bytes.
• A policy-map having a priority class needs to be applied to the main interface.

Configuring QoS Features on Serial SPAs

The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration.
For information about the QoS features supported by the serial SPAs, see Configuring QoS Features on Serial SPAs, page 20-26 of Chapter 4, “Configuring the SIPs and SSC.”

Saving the Configuration

To save your running configuration to nonvolatile random-access memory (NVRAM), use the following command in privileged EXEC configuration mode:

Router# copy running-config startup-config
    Writes the new configuration to NVRAM.

For more information about managing configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

Verifying the Interface Configuration

Besides using the show running-configuration command to display your Cisco 7600 series router configuration settings, you can use the show interface serial and the show controllers serial commands to get detailed information on a per-port basis for your 1-Port Channelized OC-3/STM-1 SPA.

Verifying Per-Port Interface Status

To find detailed interface information on a per-port basis for the 1-Port Channelized OC-3/STM-1 SPA, use the show interface serial command. The following example provides sample output for interface port 0 on the SPA located in the second subslot of the Cisco 7600 SIP-200 installed in slot 2 of a Cisco 7600 series router in ct3 mode of SONET framing:

Router# show interface serial 2/1/0.2/1:0
Serial2/1/0.2/1:0 is down, line protocol is down
  Hardware is Channelized-T3
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  Available Bandwidth 1536 kilobits/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions alarm present
  VC 5: timeslot(s): 1-24, Transmitter delay 0, non-inverted data

UUT#sh int Serial2/1/0.3
Serial2/1/0.3 is down, line protocol is down
  Hardware is CHOCx SPA
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec, rely 255/255, load 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  Available Bandwidth 44210 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 parity
(Remaining output omitted)

Configuration Tasks

This section describes common configurations for the 1-Port Channelized OC-3/STM-1 SPA on a Cisco 7600 series router. It contains procedures for the following configurations:
• Configuring CRTP, page 20-27

Configuring CRTP

For information on configuring cRTP, see Configuring Distributed Compressed Real-Time Protocol at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfdcrtp.html

Stateful MLPPP MR-APS

Multi Router-Automatic Protection Switching (MR-APS) provides Layer 1 switchover under 50 ms, across the two routers, for optical links. However, if MLPPP/PPP sessions exist on the optical link during an MR-APS switchover, all the active Multilink Point-to-Point Protocol (MLPPP)/Point-to-Point Protocol (PPP) sessions need to renegotiate. The renegotiation process increases the switchover time and traffic loss. The Stateful MLPPP with MR-APS Inter-Chassis Redundancy feature provides Inter Chassis-Stateful Switchover (IC-SSO) for MLPPP and PPP sessions across the two routers without PPP/MLPPP session renegotiation. The IC-SSO synchronizes the MLPPP sessions between the router hosting the active (working) MR-APS controllers and the router hosting the standby (protect) MR-APS controllers. Using the state information synchronized from the router hosting the active MR-APS controllers, the second router (with standby MR-APS controllers) keeps its forwarding plane in a ready state so that it can forward traffic immediately after an MR-APS switchover occurs.
The Inter-chassis MR-APS MLPPP SSO combines the existing IOS High Availability (HA) infrastructure, which synchronizes PPP/MLPPP states between the route processors on the same router chassis, with the Inter Chassis Redundancy Manager (ICRM) to provide stateful switchover of PPP/MLPPP sessions across the routers.

This feature is supported on the 1xCHOC3-STM1 SPA and 1xCHOC12-STM4 SPA. The 1xCHOC12-STM4 SPA is supported on the SIP-400 line card only, and the 1xCHOC3-STM1 is supported on SIP-200 and SIP-400 line cards for Cisco 7600 Series Routers.

Note: For platform-independent information on this feature, see the Wide-Area Networking Configuration Guide at: http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/15_1s/wan_15_1s_book.html

MR-APS Deployment

The MR-APS deployment involves multiple cell sites connected to the provider network using bundled T1/E1 connections. The T1/E1 connections are aggregated into Optical Carrier 3 (OC3) or Optical Carrier 12 (OC12) links using Add-Drop Multiplexers (ADMs). Figure 20-1 shows the MR-APS deployment using Cisco 7600 Routers.

Figure 20-1 MR-APS Deployment
[Figure: cell sites A, B and C connect through an ADM to the Working and Protect routers, which are linked to each other by PGP/ICRM.]

To implement this feature, you need to configure MR-APS IC-SSO on the two Cisco 7600 Routers, Working and Protect, as shown in this figure. Unlike the conventional SSO model, where one router is active and the other is in standby mode, the MR-APS deployment has both routers (Working and Protect) in the active state with synchronized SONET controllers on both routers. The controllers running on one router are in standby mode on the other router and vice versa. When MR-APS detects a failure in a SONET OC3 or OC12 controller on the Working router, it activates the corresponding standby controller on the Protect router. This switchover from inactive to active state ensures minimum traffic outage and is achieved by ensuring that the MLPPP/PPP sessions per SONET controller (APS group) are stateful across the routers.

Inter Chassis Redundancy Manager

ICRM provides these capabilities for the stateful MLPPP with MR-APS Inter-Chassis Redundancy implementation:
• Node health monitoring for complete node, PE, or box failure detection. ICRM also communicates failures to the applications registered with an ICRM group.
• Reliable data channels to transfer the state information.
• Detects active RP failure as node failure and notifies the controllers.
• ICRM on the standby RP re-establishes the communication channel with the peer node if the active RP fails.

Automatic Protection Switching

APS allows switchover of the OC3 or OC12 controllers in the event of a network failure. APS involves a protect interface in the network as the backup for an active (working) interface. When the active interface fails, the protect interface quickly takes over the traffic load. Depending on the configuration, the two interfaces may be terminated on the same router or on different routers. Based on where the interfaces terminate, APS is categorized into two types: Single Router-APS (SR-APS) and Multi Router-APS (MR-APS).

Additionally, APS is responsible for managing the active and standby progression events on the APS groups. Each APS group is a logical representation of a physical SONET controller redundancy state. For more information on APS, see Configuring APS.
Failure Protection Scenarios

The Stateful MLPPP feature provides network resiliency by protecting against:
• Active APS SONET controller, SPA, or line card failure
• RP and node failure

Active APS SONET Controller, SPA, or Line Card Failure

Figure 20-2 shows MLPPP sessions in an MR-APS configuration before an active APS group fails. On the Router A active RP, group1 is APS group 1 and group2 is APS group 2. All the sessions of group1 are active and all the sessions of group2 are standby on Router A. Similarly, on Router B, all the sessions of group2 are active and all the sessions of group1 are in the standby state.

Figure 20-2 MLPPP Sessions Before an Active APS Group Fails
[Figure: Router A (active RP) and Router B (active RP), each with working and protect SONET controllers connected through ADMs and carrying MLP sessions; group1 is active on Router A and standby on Router B, group2 is standby on Router A and active on Router B.]

When an APS group on Router A fails, APS informs the corresponding standby APS group on Router B to take over as the active APS group. The standby APS group on Router B changes state to active and all the sessions in the group become active. The APS group on Router A is re-initialized and moved to the standby state. Figure 20-3 shows how the MLPPP sessions switch over after an active APS group (group1) fails:

Figure 20-3 MLPPP Sessions After an Active APS Group Fails
[Figure: the same topology as Figure 20-2 after the failure; group1 is now standby on Router A and active on Router B, while group2 remains standby on Router A and active on Router B.]

Route Processor and Node Failure

The ICRM treats an active RP failure as a complete node failure. It sends the failure notification and communicates the go-active event to the standby APS groups. The standby APS groups move to the active state on receiving the go-active event message. When the failed node comes up, the ICRM establishes fresh connections with all the APS groups on the node. All the APS groups are synchronized between the two routers, and the APS groups on the second router are moved to the standby state. Figure 20-4 shows APS groups on the two peer nodes, Router A and Router B.

Figure 20-4 APS Groups on Peer Nodes
[Figure: Router A and Router B, each with an active RP and a standby RP; RP-SSO-aware MLPPP/PPP sessions are active on the active RP and standby on the standby RP, the PPP/MLPPP sessions of the APS group are active on Router A and standby on Router B, and ICRM links the two routers.]

When the active RP of Router A fails, the APS groups are switched over to Router B, making all the APS groups on Router B active. All the APS groups on the standby RP of Router A are set to the initial state after the standby RP changes to active on Router A. The applications that are RP SSO aware (non-ICRM clients) switch over to the standby RP on Router A. Figure 20-5 shows the APS groups after the active RP on Router A fails.

Figure 20-5 APS Groups After the Active RP on Router A Fails
[Figure: the same topology as Figure 20-4 after the failure; the APS group's PPP/MLPPP sessions are now active on Router B and standby on Router A.]

The ICRM establishes fresh connections with the new active RP on Router A, and APS synchronizes the group states from Router B to Router A (in the standby state). This event triggers all the APS groups on Router A to move to the standby state, and the synchronization process is initiated from Router B. On Router A, the failed RP reboots as the new standby RP, and RP-SSO-aware applications are synchronized to the new standby RP.

Restrictions for Stateful MLPPP with MR-APS Inter-Chassis Redundancy

The following restrictions apply to Stateful MLPPP with MR-APS Inter-Chassis Redundancy:
• Both routers should have the same MR-APS configuration.
• The In-Service Software Upgrade (ISSU) functionality is not supported.
• Applications running over MLP/PPP sessions, such as the Internet Group Management Protocol (IGMP) and Transmission Control Protocol (TCP), are not synchronized across the routers. On the APS switchover, IGMP joins and TCP sessions are re-established.
• APS session throttling for the groups is not supported.
• Broadband sessions such as Point-to-Point Protocol over X (PPPoX) and IP are not supported.
• Intelligent Services Gateway (ISG) features are not supported on APS groups.
• The Authentication, Authorization and Accounting (AAA) protocol is not supported for MR-APS switchover.
• APS revertive mode is not supported.

Configuring Stateful MLPPP with MR-APS Inter-Chassis Redundancy

To configure Stateful MLPPP with MR-APS Inter-Chassis Redundancy, you need to configure the two Cisco 7600 Series Routers with the ICRM and MR-APS configuration. Figure 20-1 shows the typical infrastructure for a Stateful MLPPP with MR-APS Inter-Chassis Redundancy implementation.
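Because both routers must carry the same MR-APS configuration, the following added Python check (example code, not Cisco's) compares the ICRM and APS stanzas of the two routers' configurations: matching interchassis group ids, each member ip naming an address the peer owns, one working and one protect side per APS group, and the protect side pointing at an address of the working router. The Working configuration is built from the guide's examples; the Protect configuration and its addresses are assumed.

```python
"""Cross-checks the MR-APS/ICRM settings of the Working and Protect routers.
Added example, not part of the Cisco guide. Both configs are constructed: the
Working one follows the guide's examples, the Protect one is assumed."""

WORKING_CONFIG = """\
redundancy
 interchassis group 50
  monitor peer bfd
  member ip 60.60.60.2
interface GigabitEthernet3/1/0
 ip address 60.60.60.1 255.255.255.0
interface GigabitEthernet3/1/1
 ip address 12.2.1.2 255.255.255.0
controller SONET 4/2/0
 aps group 1
 aps working 1
 aps interchassis group 50
"""

# Constructed Protect side; 'aps protect' names the Working router's
# PGP-link address (an assumption, not taken from the guide).
PROTECT_CONFIG = """\
redundancy
 interchassis group 50
  monitor peer bfd
  member ip 60.60.60.1
interface GigabitEthernet3/1/0
 ip address 60.60.60.2 255.255.255.0
interface GigabitEthernet3/1/1
 ip address 12.2.1.1 255.255.255.0
controller SONET 4/2/0
 aps group 1
 aps protect 1 12.2.1.2
 aps interchassis group 50
"""


def parse_config(text):
    """Group an IOS-style config into {top-level line: [indented sub-lines]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas


def extract_mr_aps(stanzas):
    """Collect ICRM group ids, member/peer addresses and each APS group's role."""
    facts = {"icrm": set(), "members": set(), "ips": set(), "aps": {}}
    for header, body in stanzas.items():
        words = header.lower().split()
        if words[0] == "redundancy":
            for cmd in body:
                if cmd.startswith("interchassis group "):
                    facts["icrm"].add(int(cmd.split()[2]))
                elif cmd.startswith("member ip "):
                    facts["members"].add(cmd.split()[2])
        elif words[0] == "interface":
            facts["ips"].update(c.split()[2] for c in body if c.startswith("ip address "))
        elif words[:2] == ["controller", "sonet"]:
            group, entry = None, {"role": None, "working_ip": None, "icrm": None}
            for cmd in body:
                parts = cmd.split()
                if cmd.startswith("aps group "):
                    group = int(parts[2])
                elif cmd.startswith("aps working "):
                    entry["role"] = "working"
                elif cmd.startswith("aps protect "):
                    entry["role"] = "protect"
                    entry["working_ip"] = parts[3] if len(parts) > 3 else None
                elif cmd.startswith("aps interchassis group "):
                    entry["icrm"] = int(parts[3])
            if group is not None:
                facts["aps"][group] = entry
    return facts


def check_mr_aps_pair(config_a, config_b):
    """Return the mismatches between the two routers; an empty list is consistent."""
    a, b = extract_mr_aps(parse_config(config_a)), extract_mr_aps(parse_config(config_b))
    problems = []
    if a["icrm"] != b["icrm"]:
        problems.append("interchassis group ids differ between the routers")
    for name, side, peer in (("A", a, b), ("B", b, a)):
        if not side["members"] & peer["ips"]:  # member ip must be a peer address
            problems.append(f"router {name}: member ip is not an address of the peer")
        for group, entry in side["aps"].items():
            if entry["icrm"] not in side["icrm"]:
                problems.append(f"router {name}: APS group {group} refers to an "
                                "interchassis group that is not configured")
    if set(a["aps"]) != set(b["aps"]):
        problems.append("APS group ids differ between the routers")
    for group in sorted(set(a["aps"]) & set(b["aps"])):
        roles = (a["aps"][group]["role"], b["aps"][group]["role"])
        if sorted(r or "" for r in roles) != ["protect", "working"]:
            problems.append(f"APS group {group}: expected one working and one "
                            f"protect side, found {roles}")
            continue
        working, protect = (a, b) if roles[0] == "working" else (b, a)
        if protect["aps"][group]["working_ip"] not in working["ips"]:
            problems.append(f"APS group {group}: 'aps protect' names an address "
                            "the working router does not own")
    return problems
```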
The configuration involves these steps:
• Configuring MR-APS Inter-Chassis Redundancy on the Working Router
• Configuring MR-APS Inter-Chassis Redundancy on the Protect Router

Configuring MR-APS Inter-Chassis Redundancy on the Working Router

SUMMARY STEPS

1. enable
2. configure terminal
3. redundancy
4. interchassis group group-id
5. monitor peer bfd
6. member ip ip-address
7. end
8. configure terminal
9. interface gigabitethernet slot/port
10. ip address ip_address subnet_mask
11. no shutdown
12. load-interval seconds
13. negotiation {forced | auto}
14. mpls ip
15. mpls label protocol {ldp | tdp | both}
16. bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
17. end
18. configure terminal
19. interface gigabitethernet slot/port
20. ip address ip_address subnet_mask
21. no shutdown
22. negotiation {forced | auto}
23. cdp {enable | disable}
24. end
25. configure terminal
26. controller sonet slot/bay/port
27. no ais-shut
28. framing sonet
29. clock source {line [primary | bits | independent] | internal [independent] | free-running}
30. sts-1 sts1-number
31. mode vt-15
32. vtg vtg_number t1 t1_line_number channel-group channel-number timeslots list-of-timeslots
33. end
34. configure terminal
35. interface multilink1
36. ip address ip_address subnet_mask
37. carrier-delay msec msec
38. ppp multilink
39. ppp multilink group group-number
40. ppp multilink endpoint {hostname | ip ip-address | mac lan-interface | none | phone telephone-number | string char-string}
41. ppp timeout retry seconds
42. end
43. configure terminal
44. interface serial instance
45. no ip address
46. encapsulation ppp
47. ppp multilink
48. ppp multilink group group-number
49. end
50. configure terminal
51. controller sonet slot/bay/port
52. shutdown
53. aps group group_id
54. aps [working | protect] aps-group-number [ip_address_of_working]
55. aps interchassis group icrm-group-number
56. no shutdown
57. end

DETAILED STEPS

Step 1   enable
    Example: Working-Router> enable
    Enables the privileged EXEC mode.
    • Enter your password if prompted.
Step 2   configure terminal
    Example: Working-Router# configure terminal
    Enters the global configuration mode.
Step 3   redundancy
    Example: Working-Router(config)# redundancy
    Enters the redundancy configuration mode.
Step 4   interchassis group group-id
    Example: Working-Router(config-red)# interchassis group 50
    Configures an interchassis group within the redundancy configuration mode and enters the interchassis redundancy mode.
Step 5   monitor peer bfd
    Example: Working-Router(config-r-ic)# monitor peer bfd
    Configures BFD to monitor the state of the peer routers. The default option is route-watch.
Step 6   member ip ip-address
    Example: Working-Router(config-r-ic)# member ip 60.60.60.2
    Configures the IP address of the Multichassis Link Aggregation Control Protocol (mLACP) peer member group.
Step 7   end
    Example: Working-Router(config-r-ic)# end
    Ends the configuration session and returns to the EXEC mode.
Step 8   configure terminal
    Example: Working-Router# configure terminal
    Enters the global configuration mode.
Step 9   interface gigabitethernet slot/subslot/port
    Example: Working-Router(config)# interface GigabitEthernet3/1/0
    Specifies the gigabit ethernet interface on which to configure the ICRM connection, where:
    • slot/subslot/port—Specifies the location of the interface.
Step 10 ip address ip_address subnet_mask Example: Working-Router(config-if)# ip address 60.60.60.1 255.255.255.0 Configures the IP address of the interface. Step 11 no shutdown Example: Working-Router(config-if)#no shutdown Reverses the shutdown of an interface. Step 12 load-interval seconds Example: Working-Router(config-if)# load-interval 30 Sets the duration to calculate the load. Step 13 negotiation {forced | auto} Example: Working-Router(config-if)# negotiation auto Enables the advertisement of speed, duplex mode, and flow control on a gigabit ethernet interface. Step 14 mpls ip Example: Working-Router(config-if)# mpls ip Enables Multi Protocol Label Switching (MPLS). Step 15 mpls label protocol {ldp | tdp | both} Example: Working-Router(config-if)# mpls label protocol both Specifies that both label distribution protocols are supported on the interface. Command Purpose20-37 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-29 Chapter 20 Configuring 1-Port ChOC-3/STM-1 and ChOC-12 / STM-4 SPAs Stateful MLPPP MR-APS Step 16 bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier Example: Working-Router(config-if)# bfd interval 50 min_rx 150 multiplier 3 Enables BFD on the interface. Step 17 end Example: Working-Router(config-if)# end Ends the configuration session and returns to the EXEC mode. Step 18 configure terminal Example: Working-Router# configure terminal Enters the global configuration mode. Step 19 interface gigabitethernet slot/subslot/port Example: Working-Router(config-if)# interface GigabitEthernet3/1/1 Specifies the gigabit ethernet interface to configure PGP link: slot/subslot/port—Specifies the location of the interface. Step 20 ip address ip_address subnet_mask Example: Working-Router(config-if)# ip address 12.2.1.2 255.255.255.0 Configures the IP address of the interface. Step 21 no shutdown Example: Working-Router(config-if)#no shutdown Reverses the shutdown of an interface. 
Step 22 negotiation {forced | auto} Example: Working-Router(config-if)# negotiation auto Enables the advertisement of speed, duplex mode, and flow control on a gigabit ethernet interface. Step 23 cdp {enable|disable} Example: Working-Router(config-if)# cdp enable Enables the Cisco Discovery Protocol on an interface Step 24 end Example: Working-Router(config-if)# end Ends the configuration session and returns to the EXEC mode. Command Purpose20-38 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-29 Chapter 20 Configuring 1-Port ChOC-3/STM-1 and ChOC-12 / STM-4 SPAs Stateful MLPPP MR-APS Step 25 configure terminal Example: Working-Router# configure terminal Enters the global configuration mode. Step 26 controller sonet slot/bay/port Example: Working-Router(config)#controller SONET 4/2/0 Selects and configures a SONET controller and enters controller configuration mode. slot/subslot/port—Specifies the location of the interface. Step 27 no ais-shut Example: Working-Router(config-controller)# no ais-shut Disables automatic insertion of a Line Alarm Indication Signal (LAIS) in the SONET signal. Step 28 framing sonet Example: Working-Router(config-controller)# framing sonet Configures the controller for SONET framing. SONET framing is the default option. Step 29 clock source {line [primary | bits | independent] | internal [independent] | free-running} Example: Working-Router(config-controller)# clock source line Sets the clocking for individual T1 or E1 links. Specifies that the phase lock loop (PLL) on this controller derives its clocking from the external source connected to the controller (generally the telephone company’s central office). Step 30 sts-1 sts1-number Example: Working-Router(config-controller)# sts-1 1 Specifies the STS identifier. Step 31 mode vt-15 Example: Working-Router(config-ctrlr-sts1)# mode vt-15 Specifies the STS-1 mode of operation. 
Step 32  vtg vtg_number t1 t1_line_number channel-group channel-number timeslots list-of-timeslots
    Example: Working-Router(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots 1-24
    Creates a Circuit Emulation Services over Packet Switched Network (CESoPSN) CEM group.
Step 33  end
    Example: Working-Router(config-ctrlr-sts1)# end
    Ends the configuration session and returns to the EXEC mode.
Step 34  configure terminal
    Example: Working-Router# configure terminal
    Enters the global configuration mode.
Step 35  interface multilink1
    Example: Working-Router(config)# interface multilink1
    Enters the multilink interface configuration mode.
Step 36  ip address ip_address subnet_mask
    Example: Working-Router(config-if)# ip address 11.1.1.2 255.255.255.0
    Configures the IP address of the interface.
Step 37  carrier-delay msec msec
    Example: Working-Router(config-if)# carrier-delay msec 1
    Sets the duration to propagate the link status to other modules.
Step 38  ppp multilink
    Example: Working-Router(config-if)# ppp multilink
    Enables MLPPP.
Step 39  ppp multilink group group-number
    Example: Working-Router(config-if)# ppp multilink group 1
    Specifies the physical link to associate to a designated multilink group interface.
Step 40  ppp multilink endpoint {hostname | ip ip-address | mac lan-interface | none | phone telephone-number | string char-string}
    Example: Working-Router(config-if)# ppp multilink endpoint string mlp_aps_1
    Overrides or changes the default endpoint discriminator that the system uses when negotiating the use of MLPPP with the peer system.
    The command attributes are:
    • hostname: Uses the hostname configured for the router. This is useful when multiple routers use the same username to authenticate but have different hostnames.
    • ip: Uses the supplied IP address.
    • mac: Uses the MAC address of the specified LAN interface.
    • none: Negotiates the Link Control Protocol (LCP) without requesting the endpoint discriminator option. This is useful when the router connects to a malfunctioning peer system that does not handle the endpoint discriminator option properly.
    • phone: Uses the specified telephone number. Accepts E.164-compliant, full international telephone numbers.
    • string: Uses the supplied character string.
Step 41  ppp timeout retry seconds
    Example: Working-Router(config-if)# ppp timeout retry 0 250
    Sets the PPP timeout retry parameters.
    Note: Replace the seconds argument with the maximum time, in seconds, to wait for a response during PPP negotiation. The range is 1 to 10 seconds; the default is 3 seconds.
Step 42  end
    Example: Working-Router(config-if)# end
    Ends the configuration session and returns to the EXEC mode.
Step 43  configure terminal
    Example: Working-Router# configure terminal
    Enters the global configuration mode.
Step 44  interface serial instance
    Example: Working-Router(config-if)# interface Serial4/2/0.1/1/1:0
    Configures a serial interface and enters the interface configuration mode.
Step 45  no ip address
    Example: Working-Router(config-if)# no ip address
    Removes the configured IP address from the interface.
Step 46  encapsulation ppp
    Example: Working-Router(config-if)# encapsulation ppp
    Enables PPP encapsulation of traffic on the specified interface.
Step 47  ppp multilink
    Example: Working-Router(config-if)# ppp multilink
    Enables MLP.
Step 48  ppp multilink group group-number
    Example: Working-Router(config-if)# ppp multilink group 1
    Specifies the physical link to attach to the designated multilink group interface.
Step 49  end
    Example: Working-Router(config-if)# end
    Ends the configuration session and returns to the EXEC mode.
Step 50  configure terminal
    Example: Working-Router# configure terminal
    Enters the global configuration mode.
Step 51  controller sonet slot/bay/port
    Example: Working-Router(config)# controller sonet 4/2/0
    Selects and configures a SONET controller and enters the controller configuration mode. slot/subslot/port specifies the location of the interface.
Step 52  shutdown
    Example: Working-Router(config-controller)# shutdown
    Shuts down the SONET controller.
Step 53  aps group group_id
    Example: Working-Router(config-controller)# aps group 1
    Configures the APS group for a SONET controller.
Step 54  aps [working | protect] aps-group-number [ip_address_of_working]
    Example: Working-Router(config-controller)# aps working 1
    Configures the APS group as the working interface.
    Note: The ip_address_of_working attribute is required only when configuring the Protect router.
Step 55  aps interchassis group icrm-group-number
    Example: Working-Router(config-controller)# aps interchassis group 1
    Associates the APS group with an ICRM group number.
Step 56  no shutdown
    Example: Working-Router(config-controller)# no shutdown
    Reverses the shutdown of an interface.
Step 57  end
    Example: Working-Router(config-controller)# end
    Ends the configuration session and returns to the EXEC mode.

Configuration Example
This example describes how to configure MR-APS Inter-Chassis Redundancy on a Working router.

Working-Router>enable
Working-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Working-Router(config)#redundancy
Working-Router(config-red)#interchassis group 1
Working-Router(config-r-ic)#monitor peer bfd
Working-Router(config-r-ic)#member ip 60.60.60.2
Working-Router(config-r-ic)#end
Working-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Working-Router(config)#interface GigabitEthernet3/1/0        <<<<<<< ICRM link >>>>>>>>
Working-Router(config-if)#ip address 60.60.60.1 255.255.255.0
Working-Router(config-if)#no shutdown
Working-Router(config-if)#load-interval 30
Working-Router(config-if)#negotiation auto
Working-Router(config-if)#mpls ip
Working-Router(config-if)#mpls label protocol both
Working-Router(config-if)#bfd interval 50 min_rx 150 multiplier 3
Working-Router(config-if)#end
Working-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Working-Router(config-if)#interface GigabitEthernet3/1/1     <<<<< PGP Link >>>>>>>
Working-Router(config-if)#ip address 12.2.1.2 255.255.255.0
Working-Router(config-if)#no shutdown
Working-Router(config-if)#negotiation auto
Working-Router(config-if)#cdp enable
Working-Router(config-if)#end
Working-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Working-Router(config)#controller SONET 4/2/0
Working-Router(config-controller)#no ais-shut
Working-Router(config-controller)#framing sonet
Working-Router(config-controller)#clock source line
Working-Router(config-controller)#sts-1 1
Working-Router(config-ctrlr-sts1)#mode vt-15
Working-Router(config-ctrlr-sts1)#vtg 1 t1 1 channel-group 0 timeslots 1-24
Working-Router(config-ctrlr-sts1)#end
Working-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Working-Router(config)#interface Multilink1
Working-Router(config-if)#ip address 11.1.1.2 255.255.255.0
Working-Router(config-if)#carrier-delay msec 1
Working-Router(config-if)#ppp multilink
Working-Router(config-if)#ppp multilink group 1
Working-Router(config-if)#ppp multilink endpoint string mlp_aps_1
Working-Router(config-if)#ppp timeout retry 0 250
Working-Router(config-if)#end
Working-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Working-Router(config)#interface Serial4/2/0.1/1/1:0
Working-Router(config-if)#no ip address
Working-Router(config-if)#encapsulation ppp
Working-Router(config-if)#ppp multilink
Working-Router(config-if)#ppp multilink group 1
Working-Router(config-if)#end
Working-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Working-Router(config)#controller sonet 4/2/0
Working-Router(config-controller)#shutdown
Working-Router(config-controller)#aps group 1
Working-Router(config-controller)#aps working 1
Working-Router(config-controller)#aps interchassis group 1
Working-Router(config-controller)#no shutdown
Working-Router(config-controller)#end

Configuring MR-APS Inter-Chassis Redundancy on Protect Router

SUMMARY STEPS
1. enable
2. configure terminal
3. redundancy
4. interchassis group group-id
5. monitor peer bfd
6. member ip ip-address
7. end
8. configure terminal
9. interface gigabitethernet slot/port
10. ip address ip_address subnet_mask
11. no shutdown
12. load-interval seconds
13. negotiation {forced | auto}
14. mpls ip
15. mpls label protocol {ldp | tdp | both}
16. bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
17. end
18. configure terminal
19. interface gigabitethernet slot/port
20. ip address ip_address subnet_mask
21. no shutdown
22. negotiation {forced | auto}
23. cdp {enable | disable}
24. end
25. configure terminal
26. controller sonet slot/bay/port
27. no ais-shut
28. framing sonet
29. clock source {line [primary | bits | independent] | internal [independent] | free-running}
30. sts-1 sts1-number
31. mode vt-15
32. vtg vtg_number t1 t1_line_number channel-group channel-number timeslots list-of-timeslots
33. end
34. configure terminal
35. interface multilink1
36. ip address ip_address subnet_mask
37. carrier-delay msec msec
38. ppp multilink
39. ppp multilink group group-number
40. ppp multilink endpoint {hostname | ip ip-address | mac lan-interface | none | phone telephone-number | string char-string}
41. ppp timeout retry seconds
42. end
43. configure terminal
44. interface serial instance
45. no ip address
46. encapsulation ppp
47. ppp multilink
48. ppp multilink group group-number
49. end
50. configure terminal
51. controller sonet slot/bay/port
52. shutdown
53. aps group group_id
54. aps [working | protect] aps-group-number [ip_address_of_working]
55. aps interchassis group icrm-group-number
56. no shutdown
57. end

DETAILED STEPS
Step 1  enable
    Example: Protect-Router>enable
    Enables the privileged EXEC mode.
    • Enter your password if prompted.
Step 2  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 3  redundancy
    Example: Protect-Router(config)#redundancy
    Enters the redundancy configuration mode.
Step 4  interchassis group group-id
    Example: Protect-Router(config-red)#interchassis group 1
    Configures an interchassis group within the redundancy configuration mode and enters the interchassis redundancy mode.
Step 5  monitor peer bfd
    Example: Protect-Router(config-r-ic)#monitor peer bfd
    Configures the BFD option to monitor the state of the peer. The default option is route-watch.
Step 6  member ip ip-address
    Example: Protect-Router(config-r-ic)#member ip 60.60.60.1
    Configures the IP address of the mLACP peer member group.
Step 7  end
    Example: Protect-Router(config-r-ic)#end
    Ends the configuration session and returns to the EXEC mode.
Step 8  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 9  interface gigabitethernet slot/subslot/port
    Example: Protect-Router(config)#interface GigabitEthernet2/1/0
    Specifies the gigabit ethernet interface to configure as the ICRM connection, where slot/subslot/port specifies the location of the interface.
Step 10  ip address ip_address subnet_mask
    Example: Protect-Router(config-if)#ip address 60.60.60.2 255.255.255.0
    Configures the IP address of the interface.
Step 11  no shutdown
    Example: Protect-Router(config-if)#no shutdown
    Reverses the shutdown of an interface.
Step 12  load-interval seconds
    Example: Protect-Router(config-if)#load-interval 30
    Sets the duration to calculate the load.
Step 13  negotiation {forced | auto}
    Example: Protect-Router(config-if)#negotiation auto
    Enables the advertisement of speed, duplex mode, and flow control on the gigabit ethernet interface.
Step 14  mpls ip
    Example: Protect-Router(config-if)#mpls ip
    Enables MPLS.
Step 15  mpls label protocol {ldp | tdp | both}
    Example: Protect-Router(config-if)#mpls label protocol both
    Specifies that both label distribution protocols are supported on the interface.
Step 16  bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
    Example: Protect-Router(config-if)#bfd interval 50 min_rx 150 multiplier 3
    Enables BFD on the interface.
Step 17  end
    Example: Protect-Router(config-if)#end
    Ends the configuration session and returns to the EXEC mode.
Step 18  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 19  interface gigabitethernet slot/subslot/port
    Example: Protect-Router(config-if)#interface GigabitEthernet2/1/1
    Specifies the gigabit ethernet interface to configure as the PGP link, where slot/subslot/port specifies the location of the interface.
Step 20  ip address ip_address subnet_mask
    Example: Protect-Router(config-if)#ip address 12.2.1.1 255.255.255.0
    Configures the IP address of the interface.
Step 21  no shutdown
    Example: Protect-Router(config-if)#no shutdown
    Reverses the shutdown of an interface.
Step 22  negotiation {forced | auto}
    Example: Protect-Router(config-if)#negotiation auto
    Enables the advertisement of speed, duplex mode, and flow control on a gigabit ethernet interface.
Step 23  end
    Example: Protect-Router(config-if)#end
    Ends the configuration session and returns to the EXEC mode.
Step 24  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 25  controller sonet slot/bay/port
    Example: Protect-Router(config)#controller SONET 3/2/0
    Selects and configures a SONET controller and enters the controller configuration mode. slot/subslot/port specifies the location of the interface.
Step 26  no ais-shut
    Example: Protect-Router(config-controller)#no ais-shut
    Disables the automatic insertion of a LAIS in the SONET signal.
Step 27  framing sonet
    Example: Protect-Router(config-controller)#framing sonet
    Configures the controller for SONET framing. SONET framing is the default option.
Step 28  clock source {line [primary | bits | independent] | internal [independent] | free-running}
    Example: Protect-Router(config-controller)#clock source line
    Sets clocking for individual T1 or E1 links. The example, clock source line, specifies that the PLL on this controller derives its clocking from the external source connected to the controller (generally the telephone company's central office).
Step 29  sts-1 sts1-number
    Example: Protect-Router(config-controller)#sts-1 1
    Specifies the STS identifier.
Step 30  mode vt-15
    Example: Protect-Router(config-ctrlr-sts1)#mode vt-15
    Specifies the STS-1 mode of operation.
Step 31  vtg vtg_number t1 t1_line_number channel-group channel-number timeslots list-of-timeslots
    Example: Protect-Router(config-ctrlr-sts1)#vtg 1 t1 1 channel-group 0 timeslots 1-24
    Creates a Circuit Emulation Services over Packet Switched Network (CESoPSN) CEM group.
Step 32  end
    Example: Protect-Router(config-ctrlr-sts1)#end
    Ends the configuration session and returns to the EXEC mode.
Step 33  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 34  interface multilink1
    Example: Protect-Router(config)#interface multilink1
    Enters multilink interface configuration mode.
Step 35  ip address ip_address subnet_mask
    Example: Protect-Router(config-if)#ip address 11.1.1.2 255.255.255.0
    Configures the IP address for the interface.
Step 36  carrier-delay msec msec
    Example: Protect-Router(config-if)#carrier-delay msec 1
    Sets the duration to propagate the link status to other modules.
Step 37  ppp multilink
    Example: Protect-Router(config-if)#ppp multilink
    Enables MLPPP.
Step 38  ppp multilink group group-number
    Example: Protect-Router(config-if)#ppp multilink group 1
    Specifies the physical link to associate to the designated multilink group interface.
Step 39  ppp multilink endpoint {hostname | ip ip-address | mac lan-interface | none | phone telephone-number | string char-string}
    Example: Protect-Router(config-if)#ppp multilink endpoint string mlp_aps_1
    Overrides or changes the default endpoint discriminator that the system uses while negotiating the use of MLP with the peer system.
    • hostname: Uses the hostname configured for the router. This is useful when multiple routers use the same username to authenticate but have different hostnames.
    • ip: Uses the supplied IP address.
    • mac: Uses the MAC address of the specified LAN interface.
    • none: Negotiates the Link Control Protocol (LCP) without requesting the endpoint discriminator option. This is useful when the router connects to a malfunctioning peer system that does not handle the endpoint discriminator option properly.
    • phone: Uses the specified telephone number. Accepts E.164-compliant, full international telephone numbers.
    • string: Uses the supplied character string.
Step 40  ppp timeout retry seconds
    Example: Protect-Router(config-if)#ppp timeout retry 0 250
    Sets the PPP timeout retry parameters.
    Note: Replace the seconds argument with the maximum time, in seconds, to wait for a response during PPP negotiation. The range is 1 to 10 seconds; the default is 3 seconds.
Step 41  end
    Example: Protect-Router(config-if)#end
    Ends the configuration session and returns to the EXEC mode.
Step 42  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 43  interface serial instance
    Example: Protect-Router(config-if)#interface Serial3/2/0.1/1/1:0
    Configures the serial interface and enters the interface configuration mode. slot/subslot/port specifies the location of the interface.
Step 44  no ip address
    Example: Protect-Router(config-if)#no ip address
    Removes the configured IP address from the interface.
Step 45  encapsulation ppp
    Example: Protect-Router(config-if)#encapsulation ppp
    Enables PPP encapsulation of traffic on the specified interface.
Step 46  ppp multilink
    Example: Protect-Router(config-if)#ppp multilink
    Enables MLPPP.
Step 47  ppp multilink group group-number
    Example: Protect-Router(config-if)#ppp multilink group 1
    Specifies the physical link to attach to the designated multilink group interface.
Step 48  end
    Example: Protect-Router(config-if)#end
    Ends the configuration session and returns to the EXEC mode.
Step 49  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 50  controller sonet slot/bay/port
    Example: Protect-Router(config)#controller sonet 3/2/0
    Selects and configures a SONET controller and enters the controller configuration mode. slot/subslot/port specifies the location of the interface.
Step 51  shutdown
    Example: Protect-Router(config-controller)#shutdown
    Shuts down the SONET controller.
Step 52  aps group group_id
    Example: Protect-Router(config-controller)#aps group 1
    Configures the APS group for a SONET controller.
Step 53  aps [working | protect] aps-group-number [ip_address_of_working]
    Example: Protect-Router(config-controller)#aps protect 1 12.2.1.2
    Configures the APS group as the protect interface. The ip_address_of_working attribute is the IP address of the PGP link interface on the working router.
Step 54  aps interchassis group icrm-group-number
    Example: Protect-Router(config-controller)#aps interchassis group 1
    Associates the APS group with an ICRM group number.
Step 55  no shutdown
    Example: Protect-Router(config-controller)#no shutdown
    Reverses the shutdown of an interface.
Step 56  end
    Example: Protect-Router(config-controller)#end
    Ends the configuration session and returns to the EXEC mode.

Example
This example displays the steps to configure MR-APS Inter-Chassis Redundancy on the Protect router.

Protect-Router>enable
Protect-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Protect-Router(config)#redundancy
Protect-Router(config-red)#interchassis group 1
Protect-Router(config-r-ic)#monitor peer bfd
Protect-Router(config-r-ic)#member ip 60.60.60.1
Protect-Router(config-r-ic)#end
Protect-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Protect-Router(config)#interface GigabitEthernet2/1/0
Protect-Router(config-if)#ip address 60.60.60.2 255.255.255.0
Protect-Router(config-if)#no shutdown
Protect-Router(config-if)#load-interval 30
Protect-Router(config-if)#negotiation auto
Protect-Router(config-if)#mpls ip
Protect-Router(config-if)#mpls label protocol both
Protect-Router(config-if)#bfd interval 50 min_rx 150 multiplier 3
Protect-Router(config-if)#end
Protect-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Protect-Router(config-if)#interface GigabitEthernet2/1/1
Protect-Router(config-if)#ip address 12.2.1.1 255.255.255.0
Protect-Router(config-if)#no shutdown
Protect-Router(config-if)#negotiation auto
Protect-Router(config-if)#end
Protect-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Protect-Router(config)#controller SONET 3/2/0
Protect-Router(config-controller)#no ais-shut
Protect-Router(config-controller)#framing sonet
Protect-Router(config-controller)#clock source line
Protect-Router(config-controller)#sts-1 1
Protect-Router(config-ctrlr-sts1)#mode vt-15
Protect-Router(config-ctrlr-sts1)#vtg 1 t1 1 channel-group 0 timeslots 1-24
Protect-Router(config-ctrlr-sts1)#end
Protect-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Protect-Router(config)#interface Multilink1
Protect-Router(config-if)#ip address 11.1.1.2 255.255.255.0
Protect-Router(config-if)#carrier-delay msec 1
Protect-Router(config-if)#ppp multilink
Protect-Router(config-if)#ppp multilink group 1
Protect-Router(config-if)#ppp multilink endpoint string mlp_aps_1
Protect-Router(config-if)#ppp timeout retry 0 250
Protect-Router(config-if)#end
Protect-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Protect-Router(config)#interface Serial3/2/0.1/1/1:0
Protect-Router(config-if)#no ip address
Protect-Router(config-if)#encapsulation ppp
Protect-Router(config-if)#ppp multilink
Protect-Router(config-if)#ppp multilink group 1
Protect-Router(config-if)#end
Protect-Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Protect-Router(config)#controller sonet 3/2/0
Protect-Router(config-controller)#shut
Protect-Router(config-controller)#aps group 1
Protect-Router(config-controller)#aps protect 1 12.2.1.2
Protect-Router(config-controller)#aps interchassis group 1
Protect-Router(config-controller)#no shutdown
Protect-Router(config-controller)#end

Removing Stateful MLPPP with MR-APS Inter-Chassis Redundancy
Complete these steps to remove the Stateful MLPPP with MR-APS Inter-Chassis Redundancy implementation from the Working and Protect routers:

Summary Steps
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. shutdown
5. no aps interchassis group icrm-group-number
6. no aps group group_id
7. no aps [working | protect] aps-group-number [ip_address_of_working]
8. no shutdown
9. configure terminal
10. redundancy
11. no interchassis group group-id
12. end

DETAILED STEPS
Step 1  enable
    Example: Protect-Router>enable
    Enables the privileged EXEC mode.
    • Enter your password if prompted.
Step 2  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 3  controller sonet slot/bay/port
    Example: Protect-Router(config)#controller SONET 1/2/0
    Configures a SONET controller and enters the controller configuration mode. slot/subslot/port specifies the location of the interface.
Step 4  shutdown
    Example: Protect-Router(config-controller)#shutdown
    Shuts down the SONET controller.
Step 5  no aps interchassis group icrm-group-number
    Example: Protect-Router(config-controller)#no aps interchassis group 1
    Removes an APS group from an ICRM group number.
Step 6  no aps group group_id
    Example: Protect-Router(config-controller)#no aps group 1
    Unconfigures the APS group for a SONET controller.
Step 7  no aps [working | protect] aps-group-number [ip_address_of_working]
    Example: Protect-Router(config-controller)#no aps working 1
    Unconfigures the APS working or protect configuration.
Step 8  no shutdown
    Example: Protect-Router(config-controller)#no shutdown
    Reverses the shutdown of an interface.
Step 9  end
    Example: Protect-Router(config-controller)#end
    Ends the configuration session and returns to the EXEC mode.
Step 10  configure terminal
    Example: Protect-Router#configure terminal
    Enters the global configuration mode.
Step 11  redundancy
    Example: Protect-Router(config)#redundancy
    Enters the redundancy configuration mode.
Step 12  no interchassis group group-id
    Example: Protect-Router(config-red)#no interchassis group 1
    Unconfigures an interchassis group within the redundancy configuration mode.
Step 13  end
    Example: Protect-Router(config-red)#end
    Ends the configuration session and returns to the EXEC mode.

Configuration Example
This example describes how to remove the MR-APS Inter-Chassis Redundancy configuration from a router.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#controller SONET 3/2/0
Router(config-controller)#shutdown
Router(config-controller)#no aps interchassis group 1
Router(config-controller)#no aps group 1
Router(config-controller)#no aps working 1
Router(config-controller)#no shutdown
Router(config-controller)#exit
Router(config)#redundancy
Router(config-red)#no interchassis group 1
Router(config-red)#end

Verification
Use these commands to verify the Stateful MLPPP with MR-APS Inter-Chassis Redundancy implementation:

Command: show aps
    Protect-Router# show aps
    SONET 3/2/0 APS Group 1: protect channel 0 (Inactive) (HA)
            Working channel 1 at 60.60.60.1 (Enabled) (HA)
            bidirectional, non-revertive
            PGP timers (extended for HA): hello time=1; hold time=10
            hello fail revert time=120
            SONET framing; SONET APS signalling by default
            Received K1K2: 0x00 0x05
            No Request (Null)
            Transmitted K1K2: 0x00 0x05
            No Request (Null)
            Remote APS configuration: (null)

    Working-Router#show aps
    SONET 1/2/0 APS Group 1: working channel 1 (Active) (HA)
            Protect at 60.60.60.2
            PGP timers (from protect): hello time=1; hold time=10
            SONET framing
            Remote APS configuration: (null)
Purpose: Displays detailed information about the APS configuration.
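The show aps and show rgf group outputs in this section are what an operator polls to confirm the pair is in the intended state. The following Python is an added example, not code from the Cisco guide: it parses constructed copies of those outputs, decodes the K1/K2 bytes using the GR-253 linear APS code points (an assumption about how IOS encodes them, consistent with the "bidirectional" line in the output), and flags RGF states that are not the Active-fast/Standby-hot steady state.

```python
import re

# Constructed sample: 'show aps' on the Protect router, copied from the
# verification section of the guide (whitespace reflowed).
SHOW_APS_PROTECT = """\
SONET 3/2/0 APS Group 1: protect channel 0 (Inactive) (HA)
  Working channel 1 at 60.60.60.1 (Enabled) (HA)
  bidirectional, non-revertive
  PGP timers (extended for HA): hello time=1; hold time=10
  SONET framing; SONET APS signalling by default
  Received K1K2: 0x00 0x05
  No Request (Null)
  Transmitted K1K2: 0x00 0x05
  No Request (Null)
  Remote APS configuration: (null)
"""

# Constructed sample: 'show rgf group' on the Working router (same source).
SHOW_RGF_WORKING = """\
Total RGF groups: 1
-----------------------------------------------------------
ACTIVE RGF GROUP
RGF Group ID : 1
ICRM Group ID : 1
APS Group ID : 1
RGF State information:
My State Present : Active-fast Previous : Standby-cold
Peer State Present: Standby-hot Previous: Standby-bulk
Communication state Up
aps_bulk: 0 aps_stby: 0 peer_stby: 0
"""

# K1 bits 1-4 carry the APS request; K2 bits 6-8 carry the mode. These are
# the GR-253 linear APS code points; assumed to be what IOS prints here.
K1_REQUEST = {0xF: "Lockout of Protection", 0xE: "Forced Switch",
              0xD: "SF High", 0xC: "SF Low", 0xB: "SD High", 0xA: "SD Low",
              0x8: "Manual Switch", 0x6: "Wait-to-Restore", 0x4: "Exercise",
              0x2: "Reverse Request", 0x1: "Do Not Revert", 0x0: "No Request"}
K2_MODE = {0b101: "bidirectional", 0b100: "unidirectional",
           0b110: "RDI-L", 0b111: "AIS-L"}

APS_HEADER = re.compile(r"SONET (?P<ctrl>\S+) APS Group (?P<group>\d+): "
                        r"(?P<role>working|protect) channel \d+ \((?P<state>\w+)\)")
APS_PEER = re.compile(r"(?:Working|Protect)(?: channel \d+)? at "
                      r"(?P<ip>\d+(?:\.\d+){3})(?: \((?P<state>\w+)\))?")
K1K2 = re.compile(r"(?P<dir>Received|Transmitted) K1K2: "
                  r"0x(?P<k1>[0-9a-fA-F]{2}) 0x(?P<k2>[0-9a-fA-F]{2})")


def decode_k1k2(k1, k2):
    """Decode request/channel from K1 and channel/architecture/mode from K2."""
    return {"request": K1_REQUEST.get(k1 >> 4, "reserved 0x%x" % (k1 >> 4)),
            "requested_channel": k1 & 0xF,
            "bridged_channel": k2 >> 4,
            "architecture": "1:n" if k2 & 0x08 else "1+1",
            "mode": K2_MODE.get(k2 & 0x07, "reserved 0x%x" % (k2 & 0x07))}


def parse_show_aps(text):
    """Return local role/state, peer address/state and decoded K1/K2 bytes."""
    head = APS_HEADER.search(text)
    if head is None:
        raise ValueError("no APS group header in 'show aps' output")
    info = {"controller": head["ctrl"], "group": int(head["group"]),
            "role": head["role"], "state": head["state"],
            "peer_ip": None, "peer_state": None}
    peer = APS_PEER.search(text)
    if peer:
        info["peer_ip"], info["peer_state"] = peer["ip"], peer["state"]
    for m in K1K2.finditer(text):  # one entry each for received/transmitted
        info[m["dir"].lower()] = decode_k1k2(int(m["k1"], 16), int(m["k2"], 16))
    return info


def parse_show_rgf(text):
    """Return the RGF fields that decide the active/standby roles."""
    fields = {}
    for key, pat in (("my_state", r"My State Present\s*:\s*(\S+)"),
                     ("peer_state", r"Peer State Present\s*:\s*(\S+)"),
                     ("comm", r"Communication state\s+(\w+)")):
        m = re.search(pat, text)
        fields[key] = m.group(1) if m else None
    return fields


def pair_health(rgf):
    """Return [] in the healthy Active-fast/Standby-hot state, else findings."""
    findings = []
    if rgf["comm"] != "Up":
        findings.append("ICRM communication state is %s" % rgf["comm"])
    states = {rgf["my_state"], rgf["peer_state"]}
    if states == {"Active-fast", "Standby-hot"}:
        return findings
    if "Active-fast" not in states:
        findings.append("no router reports Active-fast")
    elif rgf["my_state"] == rgf["peer_state"]:
        findings.append("both routers report Active-fast (split role)")
    else:
        findings.append("standby has not reached Standby-hot: %s / %s"
                        % (rgf["my_state"], rgf["peer_state"]))
    return findings
```

Run parse_show_rgf on both routers and compare: each side's My State should equal the other's Peer State, otherwise the ICRM channel (the BFD-monitored link in Step 5) is worth checking first.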
    You can use this command on both the Protect and Working routers.

Command: show rgf group
    Protect-Router#show rgf group
    Total RGF groups: 1
    ----------------------------------------------------------
    STANDBY RGF GROUP
    RGF Group ID : 1
    RGF Peer Group ID: 0
    ICRM Group ID : 1
    APS Group ID : 1
    RGF State information:
    My State Present : Standby-hot   Previous : Standby-bulk
    Peer State Present: Active-fast  Previous: Standby-cold
    Misc:
    Communication state Up
    aps_bulk: 0 aps_stby: 0 peer_stby: 0
    -> Driven Peer to [peer Standby Bulk] Progression
    -> We sent Bulk Sync start Progression to Active
    RGF GET BUF: 366 RGF RET BUF 366

    Working-Router#show rgf group
    Total RGF groups: 1
    ----------------------------------------------------------
    ACTIVE RGF GROUP
    RGF Group ID : 1
    RGF Peer Group ID: 0
    ICRM Group ID : 1
    APS Group ID : 1
    RGF State information:
    My State Present : Active-fast   Previous : Standby-cold
    Peer State Present: Standby-hot  Previous: Standby-bulk
    Misc:
    Communication state Up
    aps_bulk: 0 aps_stby: 0 peer_stby: 0
    -> Driven Peer to [Peer Standby Hot] Progression
    -> Standby sent Bulk Sync start Progression
    RGF GET BUF: 366 RGF RET BUF 366
Purpose: Displays information about the state of the router and the peer. If the value of My State Present is Standby-hot, the router is in the standby state. If the value of My State Present is Active-fast, the router is in the active state.

Troubleshooting Tips
Table 20-1 provides troubleshooting tips for Stateful MLPPP with MR-APS Inter-Chassis Redundancy.

Table 20-1 Troubleshooting Stateful MLPPP with MR-APS Inter-Chassis Redundancy
Problem: Unable to configure APS.
Solution: Use the debug aps command on both the Working and Protect routers. You can use the debug aps command to debug these issues:
    • APS-related issues
    • Configuration problems
    • Problems with APS state transitions
    • Problems with APS events

CHAPTER 21  Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide, OL-5070-30.

The Cisco 1-Port Channelized OC-48/DS3 STM-16 (1xCHOC48/DS3) is a dual-height, high-power SPA that provides a channelized SONET or SDH router interface to the corresponding network. The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA provides IP services engine technology on channelized packet over SONET (POS) or Synchronous Digital Hierarchy (SDH) interfaces. Each SPA provides up to 48 channelized POS/SDH, DS-3, or E3 interfaces.

The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA fits into the SIP-400 line card of the Cisco 7600 series routers. The SIP-400 line card has four half-height bays; the 1-Port Channelized OC-48/DS3 STM-16 occupies two bays of the SIP-400 line card.

The Cisco 1-Port Channelized OC-48/STM-16 SPA provides network scalability with low initial cost and ease of upgrades. It channelizes one OC-48 or STM-16 interface into DS-3, E3, OC-3c, STM-1c, OC-12c, or STM-4c channels and provides an extensive set of service-enabling features while providing equal line rate to all the ports.

The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA provides a minimum bandwidth of DS3 (T3 or E3). For the Optical Channel (OC), use either SONET or SDH framing. The basic unit of framing in SDH is STM-1 (Synchronous Transport Module, level 1), which operates at 155.52 Mbps.
In SONET, the basic unit of framing is STS-3c (Synchronous Transport Signal 3, concatenated) or OC-3c, depending on whether the signal is carried electrically (STS) or optically (OC). STM-1 and STS-3c/OC-3c have the same bit rate. SONET also provides an additional basic unit of transmission, the STS-1 (Synchronous Transport Signal 1) or OC-1, operating at 51.84 Mbps (one third of an STM-1/STS-3c/OC-3c carrier).

Modes and Sub-modes Supported on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA

Table 21-1 lists the modes and sub-modes supported on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA.

Table 21-1 Modes and Sub-modes Supported on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA

Framing  Mode  Sub-Mode  SPA Capability  Supported
SONET    STS   T3        Yes             Yes
SONET    POS   STS-3c    Yes             Yes
SONET    POS   STS-12c   Yes             Yes
SONET    POS   STS-48c   Yes             Yes
SDH      AU3   T3/E3     Yes             Yes
SDH      AU4   T3/E3     Yes             Yes
SDH      POS   STM-1c    Yes             Yes
SDH      POS   STM-4c    Yes             Yes
SDH      POS   STM-16c   Yes             Yes

Interface Naming

The standard interface naming convention is used for naming the SONET/SDH interfaces.

The interface names for SONET are:
• For T3/E3 mode: interface serial //.
• For POS interfaces: interface POS //: Here, NSTS-1 is the identifier of the first STS-1 on the POS interface, and the value of N ranges from 1 to 48.

The interface names for SDH are:
• For T3/E3 mode: interface serial //.
• For serial interfaces: interface serial //./
• For POS interfaces: interface serial //

LED States

The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA has three LEDs:
• CAR (Carrier/Alarm) LED
• ACT (Active Loopback) LED
• STATUS LED

Table 21-2 describes the states of the LEDs on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA.

Table 21-2 States of the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA LEDs

LED Label  Color  State  Description
CAR        Off    Off    The port is not enabled by the software.
CAR        Green  On     The port is enabled by the software and there is a valid signal without any alarms.
CAR        Amber  On     The port is enabled by the software and there is at least one alarm.
ACT        Off    Off    The port is disabled.
ACT        Green  On     The port is enabled by the software and the loopback function is off.
ACT        Amber  On     The port is enabled by the software and the loopback function is on.
STATUS     Off    Off    The SPA power is off.
STATUS     Amber  On     The SPA power is on and SPA configuration is in progress.
STATUS     Green  On     The SPA is ready and operational.

Restrictions for Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA

The following restrictions apply to the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA:
• The SPA does not support ATM or Ethernet capabilities.
• While upgrading the FPD on the SPA, do not reload the SPA. Reloading the SPA during the upgrade might render it unusable.
• The SPA does not support Generic Framing Procedure (GFP) or Virtual Concatenation (VCAT) circuits.
• Network clock recovery is not supported. However, the system clock is transmitted on the SPA with the clock source internal configuration.

Configuring Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA

You can configure SONET or SDH framing on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA:
• Configuring Interfaces Using SONET Framing
• Configuring Interfaces with SDH Framing

Configuring Interfaces Using SONET Framing

When using SONET framing, you can channelize each port on the 1-Port Channelized OC-48/DS3 STM-16 SPA to have one of the following configurations:
• 1 STS-48c POS interface
• 4 STS-12c POS interfaces
• 16 STS-3c POS interfaces
• 48 DS3 serial interfaces
• A combination of STS-12c POS interfaces, STS-3c POS interfaces, and DS3 interfaces, provided that the SONET time slot grouping rule is followed.

Configuring POS Interface (OC3/OC12/OC48) Using SONET Framing with STS-1 Mapping

SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. framing sonet | sdh
5. clock source line | internal
6. sts-1 start_sts-1_number - end_sts-1_number pos
7. end

DETAILED STEPS

Step 1  enable
        Example: Working-Router> enable
        Enables privileged EXEC mode. Enter your password when prompted.

Step 2  configure terminal
        Example: Working-Router# configure terminal
        Enters global configuration mode.

Step 3  controller sonet slot/bay/port
        Example: Working-Router(config)# controller sonet 4/0/0
        Enters SONET controller configuration sub-mode and specifies the SONET controller name and instance identifier using the slot/bay/port notation.

Step 4  framing sonet | sdh
        Example: Working-Router(config-controller)# framing sonet
        Configures the controller framing as either SDH or SONET (default).

Step 5  clock source [internal | line]
        Example: Working-Router(config-controller)# clock source line
        Configures the SONET port transmit (Tx) clock source: internal selects the internal clock, and line selects the clock recovered from the line (default). Use line whenever the clocking is derived from the network; use internal when two routers are connected back-to-back or over fiber and no network clocking is available.

Step 6  sts-1 start_sts-1_number - end_sts-1_number pos
        Example: Working-Router(config-controller)# sts-1 1 - 3 pos
        Creates a POS interface on the given STS-1 range using SONET framing (here STS-1 1 through 3, an OC3 POS interface).

Step 7  end
        Example: Working-Router(config-controller)# end
        Ends the configuration session and returns to EXEC mode.

Configuration Example

This example configures a POS interface using SONET framing with STS-1 mapping:

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sonet
Router(config-controller)#clock source line
Router(config-controller)#sts-1 1 - 3 pos
Router(config-controller)#end

Configuring Serial Interface (T3) Using SONET Framing with STS-1 Mapping

SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. framing sonet | sdh
5. clock source line | internal
6. sts-1 sts-1_number
7. mode t3
8. end

DETAILED STEPS

Step 1  enable
        Example: Working-Router> enable
        Enables privileged EXEC mode. Enter your password when prompted.

Step 2  configure terminal
        Example: Working-Router# configure terminal
        Enters global configuration mode.

Step 3  controller sonet slot/bay/port
        Example: Working-Router(config)# controller sonet 4/0/0
        Enters SONET controller configuration sub-mode and specifies the SONET controller name and instance identifier with the slot/bay/port notation.

Step 4  framing sonet | sdh
        Example: Working-Router(config-controller)# framing sonet
        Configures the controller framing as either SDH or SONET (default).

Step 5  clock source [internal | line]
        Example: Working-Router(config-controller)# clock source line
        Configures the SONET port transmit (Tx) clock source: internal selects the internal clock, and line selects the clock recovered from the line (default). Use line whenever the clocking is derived from the network; use internal when two routers are connected back-to-back or over fiber and no network clocking is available.

Step 6  sts-1 sts-1_number
        Example: Working-Router(config-controller)# sts-1 1
        Selects the STS-1 on which the serial interface is configured using SONET framing. The value of sts-1_number ranges from 1 to 48.

Step 7  mode t3
        Example: Working-Router(config-controller)# mode t3
        Configures the serial interface mode to T3.

Step 8  end
        Example: Working-Router(config-controller)# end
        Ends the configuration session and returns to EXEC mode.

Configuration Example

This example configures a serial interface using SONET framing with STS-1 mapping:

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sonet
Router(config-controller)#clock source line
Router(config-controller)#sts-1 1
Router(config-controller)#mode t3
Router(config-controller)#end

Configuring Interfaces with SDH Framing

When using SDH framing with AU-3/AU-4 mapping, you can channelize each port on the 1-Port Channelized OC-48/DS3 STM-16 SPA to have one of the following configurations:
• 1 STM-16 POS interface
• 4 STM-4 POS interfaces
• 16 STM-1 POS interfaces
• 48 DS3/E3 serial interfaces
• A combination of STM-4 POS interfaces, STM-1 POS interfaces, and DS3/E3 interfaces, provided that the SONET time slot grouping rule is followed.

Configuring POS Interface (OC3/OC12/OC48) Using SDH Framing with AU-4 Mapping

SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. framing sonet | sdh
5. clock source line | internal
6. au-4 start_au-4_number - end_au-4_number pos
7. end

DETAILED STEPS

Step 1  enable
        Example: Working-Router> enable
        Enables privileged EXEC mode. Enter your password when prompted.

Step 2  configure terminal
        Example: Working-Router# configure terminal
        Enters global configuration mode.

Step 3  controller sonet slot/bay/port
        Example: Working-Router(config)# controller sonet 4/0/0
        Enters SONET controller configuration sub-mode and specifies the SONET controller name and instance identifier with the slot/bay/port notation.

Step 4  framing sonet | sdh
        Example: Working-Router(config-controller)# framing sdh
        Configures the controller framing as either SDH or SONET (default). AU-4 mapping requires SDH framing.

Step 5  clock source [internal | line]
        Example: Working-Router(config-controller)# clock source line
        Configures the SONET port transmit (Tx) clock source: internal selects the internal clock, and line selects the clock recovered from the line (default). Use line whenever the clocking is derived from the network; use internal when two routers are connected back-to-back or over fiber and no network clocking is available.

Step 6  au-4 start_au-4_number - end_au-4_number pos
        Example: Working-Router(config-controller)# au-4 1 - 4 pos
        Creates a POS interface on the given AU-4 range using SDH framing (here AU-4 1 through 4, an OC12/STM-4 POS interface).

Step 7  end
        Example: Working-Router(config-controller)# end
        Ends the configuration session and returns to EXEC mode.

Configuration Example

This example configures a POS interface (OC3/OC12/OC48) using SDH framing with AU-4 mapping:

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sdh
Router(config-controller)#clock source line
Router(config-controller)#au-4 1 - 4 pos
Router(config-controller)#end

Configuring Serial Interface (T3/E3) Using SDH Framing with AU-4 Mapping

SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. framing sonet | sdh
5. clock source line | internal
6. au-4 au-4_number tug-3 tug-3_number
7. mode t3 | e3
8. end

DETAILED STEPS

Step 1  enable
        Example: Working-Router> enable
        Enables privileged EXEC mode. Enter your password when prompted.

Step 2  configure terminal
        Example: Working-Router# configure terminal
        Enters global configuration mode.

Step 3  controller sonet slot/bay/port
        Example: Working-Router(config)# controller sonet 4/0/0
        Enters SONET controller configuration sub-mode and specifies the SONET controller name and instance identifier with the slot/bay/port notation.

Step 4  framing sonet | sdh
        Example: Working-Router(config-controller)# framing sdh
        Configures the controller framing as either SDH or SONET (default). AU-4 mapping requires SDH framing.

Step 5  clock source [internal | line]
        Example: Working-Router(config-controller)# clock source line
        Configures the SONET port transmit (Tx) clock source: internal selects the internal clock, and line selects the clock recovered from the line (default). Use line whenever the clocking is derived from the network; use internal when two routers are connected back-to-back or over fiber and no network clocking is available.

Step 6  au-4 au-4_number tug-3 tug-3_number
        Example: Working-Router(config-controller)# au-4 1 tug-3 1
        Selects the AU-4 and TUG-3 on which the serial interface is configured using SDH framing with AU-4 mapping. The value of au-4_number ranges from 1 to 16 and the value of tug-3_number from 1 to 3.

Step 7  mode t3 | e3
        Example: Working-Router(config-controller)# mode t3
        Configures the serial interface mode to T3 or E3.

Step 8  end
        Example: Working-Router(config-controller)# end
        Ends the configuration session and returns to EXEC mode.

Configuration Example

This example configures a serial interface using SDH framing with AU-4 mapping:

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sdh
Router(config-controller)#clock source line
Router(config-controller)#au-4 1 tug-3 1
Router(config-controller)#mode t3
Router(config-controller)#end

Configuring Serial Interface (T3/E3) Using SDH Framing with AU-3 Mapping

SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. framing sonet | sdh
5. clock source line | internal
6. aug mapping [au-3 | au-4]
7. au-3 au-3_number
8. mode t3 | e3
9. end

DETAILED STEPS

Step 1  enable
        Example: Working-Router> enable
        Enables privileged EXEC mode. Enter your password when prompted.

Step 2  configure terminal
        Example: Working-Router# configure terminal
        Enters global configuration mode.

Step 3  controller sonet slot/bay/port
        Example: Working-Router(config)# controller sonet 4/0/0
        Enters SONET controller configuration sub-mode and specifies the SONET controller name and instance identifier with the slot/bay/port notation.

Step 4  framing sonet | sdh
        Example: Working-Router(config-controller)# framing sdh
        Configures the controller framing as either SDH or SONET (default). AU-3 mapping requires SDH framing.

Step 5  clock source [internal | line]
        Example: Working-Router(config-controller)# clock source line
        Configures the SONET port transmit (Tx) clock source: internal selects the internal clock, and line selects the clock recovered from the line (default). Use line whenever the clocking is derived from the network; use internal when two routers are connected back-to-back or over fiber and no network clocking is available.

Step 6  aug mapping [au-3 | au-4]
        Example: Working-Router(config-controller)# aug mapping au-3
        Specifies the AUG mapping (AU-3 or AU-4) for the controller.

Step 7  au-3 au-3_number
        Example: Working-Router(config-controller)# au-3 1
        Selects the AU-3 on which the serial interface is configured using SDH framing with AU-3 mapping. The au-3_number identifies the interface number.

Step 8  mode t3 | e3
        Example: Working-Router(config-controller)# mode t3
        Configures the serial interface mode to T3 or E3.

Step 9  end
        Example: Working-Router(config-controller)# end
        Ends the configuration session and returns to EXEC mode.

Configuration Example

This example configures a serial interface (T3/E3) using SDH framing with AU-3 mapping:

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sdh
Router(config-controller)#clock source line
Router(config-controller)#aug mapping au-3
Router(config-controller)#au-3 1
Router(config-controller)#mode t3
Router(config-controller)#end

Configuring Interface Using SDH Framing with Mixed (AU-3 and AU-4) Mapping

You can configure an interface using SDH framing to have both AU-3 and AU-4 mapping. The aug mapping ... stm4 stm4_number form of the command sets the mapping separately for each STM-4 group (1 through 4) of the STM-16, so AU-3 serial channels and AU-4 POS channels can coexist on one controller.

SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. aug mapping au-3 stm4 stm4_number
5. aug mapping au-4 stm4 stm4_number
6. aug mapping au-3 stm4 stm4_number
7. aug mapping au-4 stm4 stm4_number
8. au-3 au-3_number
9. mode t3 | e3
10. au-3 au-3_number
11. mode t3 | e3
12. au-3 au-3_number
13. mode t3 | e3
14. exit
15. au-4 au-4_number pos
16. au-4 au-4_number pos
17. au-4 au-4_number pos
18. au-4 au-4_number pos
19. au-3 au-3_number
20. mode t3 | e3
21. au-3 au-3_number
22. mode t3 | e3
23. au-3 au-3_number
24. mode t3 | e3
25. exit
26. au-4 start_au-4_number - end_au-4_number pos
27. end

DETAILED STEPS

Step 1  enable
        Example: Working-Router> enable
        Enables privileged EXEC mode. Enter your password when prompted.

Step 2  configure terminal
        Example: Working-Router# configure terminal
        Enters global configuration mode.

Step 3  controller sonet slot/bay/port
        Example: Working-Router(config)# controller sonet 4/0/0
        Enters SONET controller configuration sub-mode and specifies the SONET controller name and instance identifier with the slot/bay/port notation.

Step 4  aug mapping au-3 stm4 stm4_number
        Example: Working-Router(config-controller)# aug mapping au-3 stm4 1
        Sets the AUG mapping of STM-4 group stm4_number to AU-3.

Step 5  aug mapping au-4 stm4 stm4_number
        Example: Working-Router(config-controller)# aug mapping au-4 stm4 2
        Sets the AUG mapping of STM-4 group stm4_number to AU-4.

Step 6  aug mapping au-3 stm4 stm4_number
        Example: Working-Router(config-controller)# aug mapping au-3 stm4 3
        Sets the AUG mapping of STM-4 group stm4_number to AU-3.

Step 7  aug mapping au-4 stm4 stm4_number
        Example: Working-Router(config-controller)# aug mapping au-4 stm4 4
        Sets the AUG mapping of STM-4 group stm4_number to AU-4.

Step 8  au-3 au-3_number
        Example: Working-Router(config-controller)# au-3 1
        Selects the AU-3 on which the serial interface is configured using SDH framing with AU-3 mapping, and enters AU-3 configuration sub-mode. The au-3_number identifies the interface number.

Step 9  mode t3 | e3
        Example: Working-Router(config-ctrlr-au3)# mode t3
        Configures the serial interface mode to T3.

Step 10 au-3 au-3_number
        Example: Working-Router(config-ctrlr-au3)# au-3 2
        Selects the next AU-3 for a serial interface using SDH framing with AU-3 mapping. The au-3_number identifies the interface number.

Step 11 mode t3 | e3
        Example: Working-Router(config-ctrlr-au3)# mode t3
        Configures the serial interface mode to T3.
Step 12 au-3 au-3_number
        Example: Working-Router(config-ctrlr-au3)# au-3 12
        Selects the next AU-3 for a serial interface using SDH framing with AU-3 mapping. The au-3_number identifies the interface number.

Step 13 mode t3 | e3
        Example: Working-Router(config-ctrlr-au3)# mode t3
        Configures the serial interface mode to T3.

Step 14 exit
        Example: Working-Router(config-ctrlr-au3)# exit
        Exits AU-3 configuration sub-mode and returns to controller configuration mode.

Step 15 au-4 au-4_number pos
        Example: Working-Router(config-controller)# au-4 5 pos
        Configures an OC3 (STM-1) POS interface on the AU-4 specified by au-4_number.

Step 16 au-4 au-4_number pos
        Example: Working-Router(config-controller)# au-4 6 pos
        Configures an OC3 (STM-1) POS interface on the AU-4 specified by au-4_number.

Step 17 au-4 au-4_number pos
        Example: Working-Router(config-controller)# au-4 7 pos
        Configures an OC3 (STM-1) POS interface on the AU-4 specified by au-4_number.

Step 18 au-4 au-4_number pos
        Example: Working-Router(config-controller)# au-4 8 pos
        Configures an OC3 (STM-1) POS interface on the AU-4 specified by au-4_number.

Step 19 au-3 au-3_number
        Example: Working-Router(config-controller)# au-3 25
        Selects the AU-3 on which the serial interface is configured using SDH framing with AU-3 mapping, and enters AU-3 configuration sub-mode. The au-3_number identifies the interface number.

Step 20 mode t3 | e3
        Example: Working-Router(config-ctrlr-au3)# mode e3
        Configures the serial interface mode to E3.

Step 21 au-3 au-3_number
        Example: Working-Router(config-ctrlr-au3)# au-3 26
        Selects the next AU-3 for a serial interface using SDH framing with AU-3 mapping. The au-3_number identifies the interface number.

Step 22 mode t3 | e3
        Example: Working-Router(config-ctrlr-au3)# mode e3
        Configures the serial interface mode to E3.

Step 23 au-3 au-3_number
        Example: Working-Router(config-ctrlr-au3)# au-3 36
        Selects the next AU-3 for a serial interface using SDH framing with AU-3 mapping. The au-3_number identifies the interface number.

Step 24 mode t3 | e3
        Example: Working-Router(config-ctrlr-au3)# mode e3
        Configures the serial interface mode to E3.

Step 25 exit
        Example: Working-Router(config-ctrlr-au3)# exit
        Exits AU-3 configuration sub-mode and returns to controller configuration mode.

Step 26 au-4 start_au-4_number - end_au-4_number pos
        Example: Working-Router(config-controller)# au-4 13 - 16 pos
        Creates a POS interface on the given AU-4 range using SDH framing with AU-4 mapping (here AU-4 13 through 16, an OC12/STM-4 POS interface).

Step 27 end
        Example: Working-Router(config-controller)# end
        Ends the configuration session.

Configuration Example

This example configures an interface using SDH framing with both AU-3 and AU-4 mapping. STM-4 groups 1 and 3 are mapped to AU-3 and carry T3 and E3 serial interfaces; STM-4 groups 2 and 4 are mapped to AU-4 and carry four STM-1 POS interfaces and one STM-4 POS interface.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 3/0/0
Router(config-controller)#aug mapping au-3 stm4 1
Router(config-controller)#aug mapping au-4 stm4 2
Router(config-controller)#aug mapping au-3 stm4 3
Router(config-controller)#aug mapping au-4 stm4 4
Router(config-controller)#au-3 1
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 2
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 3
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 12
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#exit
Router(config-controller)#au-4 5 pos
Router(config-controller)#au-4 6 pos
Router(config-controller)#au-4 7 pos
Router(config-controller)#au-4 8 pos
Router(config-controller)#au-3 25
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#au-3 26
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#au-3 27
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#au-3 36
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#exit
Router(config-controller)#au-4 13 - 16 pos
Router(config-controller)#exit

Configuring BER Testing

A bit error rate test (BERT) allows you to test cables and diagnose signal problems in the field. You can configure individual DS3/E3 channels to run independent BER tests: you set one local DS3 or E3 serial port to BERT mode while the remaining local serial ports continue to transmit and receive normal traffic. The BER test checks communication between the local and the remote DS3 or E3 ports. When running a BER test, your system expects to receive the same pattern that it is transmitting.

BERT circuitry is built into the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA. There is one pseudo-random binary sequence generator for every 16 channels, so within each group of 16 channels BER testing can run on only one interface at a time.

If traffic is not being transmitted or received, create a back-to-back loopback BER test and send out the specified stream to ensure that you receive the same data that was transmitted. To determine whether the remote DS3/E3 serial port returns the same BERT pattern, you must manually enable network loopback at the remote DS3/E3 serial port while you enter a bert pattern interface configuration command for a specified time interval on the local DS3/E3 serial port.
With BER tests, you can accurately assess the number of errors on a DS3/E3 link and diagnose signal problems in the field. The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA supports these pseudorandom test patterns:
• 2^15: pseudorandom repeating pattern that is 32,767 bits long.
• 2^20: pseudorandom repeating pattern that is 1,048,575 bits long.
• 2^23: pseudorandom repeating pattern that is 8,388,607 bits long. This pattern is only available for an E3 interface.
• Unframed-2^15: pseudorandom repeating pattern that is 32,767 bits long; the DS3 framing bit in the DS3 frame is overwritten when the pattern is inserted in the DS3 frame.
• Unframed-2^20: pseudorandom repeating pattern that is 1,048,575 bits long; the DS3 framing bit in the DS3 frame is overwritten when the pattern is inserted in the DS3 frame.
• Unframed-2^23: pseudorandom repeating pattern that is 8,388,607 bits long; the DS3 framing bit in the DS3 frame is overwritten when the pattern is inserted in the DS3 frame. This pattern is only available for an E3 interface.

Table 21-3 lists the BERT patterns, the pattern length, and the command.

Table 21-3 DS3/E3-Supported BERT Patterns

BERT Pattern       Pattern Length (1)   Command
2^15               32,767 bits          bert pattern 2^15 interval minutes
2^20               1,048,575 bits       bert pattern 2^20 interval minutes
2^23 (2)           8,388,607 bits       bert pattern 2^23 interval minutes
unframed 2^15      32,767 bits          bert pattern unframed-2^15 interval minutes
unframed 2^20      1,048,575 bits       bert pattern unframed-2^20 interval minutes
unframed 2^23 (2)  8,388,607 bits       bert pattern unframed-2^23 interval minutes
1. Pseudo-random repeating pattern.
2. This pattern is only available for an E3 interface.

Both the total number of error bits transmitted and the total number of bits received are available for analysis. You can set the testing period from 1 minute to 1440 minutes (24 hours). You can also retrieve the error statistics at any time during the BER test.

Sending a BERT Pattern on a DS3/E3 Interface

To perform a BER test on a serial DS3/E3 interface, select the interface and configure the BERT pattern and test duration with the bert pattern interface configuration command:

router# configure terminal
router(config)# interface serial 5/0:2
router(config-if)# bert pattern 2^15 interval 3
router(config-if)# end

You can terminate a BER test during the specified test period with the no bert pattern interval time configuration command. (See the "Terminating a BERT" section on page 21-20.)

Inserting Errors in BERT

To insert errors while a BERT is in progress, select the interface and specify the number of errors to insert into the BER test pattern. You can then display the results while the test is in progress. (See the "Displaying a BERT" section on page 21-18.)

router# configure terminal
router(config)# interface serial 5/0:2
router(config-if)# bert errors 5
router(config-if)# end

Displaying a BERT

The following sections describe how to display BER test results using SONET or SDH with AU-3 mapping, and using SDH with AU-4 mapping.

Displaying a BER Test Using SONET or SDH with AU-3 Mapping

When the framing is SONET or SDH with AU-3 mapping, you can display the results of a BERT at any time during or after the test using the show controllers sonet command, as follows. See Table 21-4 for a description of the BER test display.

router# show controller sonet 5/0:2 bert
Interface Serial5/0:2 (DS3 channel 2)
BERT information:
State            :enabled (sync'd)
Pattern          :2^15
Interval         :3 minute
Time remaining   :00:00:30
Total errors     :5
Time this sync   :00:02:30
Errors this sync :5
Sync count       :1

Table 21-4 BERT Display Description

State: enabled (not synchronized)
  BERT is active, but the hardware is not synchronized. Errors are counted only while the hardware is synchronized.
State: enabled (synchronized)
  BERT is active and the hardware has synchronized. Any errors detected are counted.
State: disabled (synchronization failed)
  BERT is complete and the test failed, either because the hardware could not synchronize or because DS3/E3 alarms were detected on the interface.
State: disabled (synchronized completed)
  BERT is complete because the interval expired.
State: disabled (synchronized aborted)
  BERT is complete as a result of a user request.
Pattern
  One of the supported patterns.
Interval
  Value from 1 to 1440, in minutes.
Time remaining
  Test duration remaining, formatted in hours, minutes, and seconds (hh:mm:ss).
Total errors
  Total number of errors counted while the hardware was synchronized.
Time this sync
  If the hardware is currently synchronized, the time since synchronization began. If it is not currently synchronized but was synchronized earlier, the duration of the last or most recent synchronization period. Formatted as hh:mm:ss.
Errors this sync
  If the hardware is currently synchronized, the number of errors counted during the current synchronization period. If it is not currently synchronized but was synchronized earlier, the number of errors counted during the last or most recent synchronization period.
Sync count
  The number of times the hardware synchronized.

Displaying BER Test Results Using SDH with AU-4 Mapping

When the framing is SDH with AU-4 mapping, you can display the results of a BERT at any time during or after the test using the show controllers sonet command. See Table 21-4 for a description of the BER test display.

router# show controller sonet 8/1.1:1 bert
Interface Serial8/1.1:1 (E3 channel 1)
BERT information:
State            :enabled (sync'd)
Pattern          :2^20
Interval         :5 minute
Time remaining   :00:01:40
Total errors     :9
Time this sync   :00:03:20
Errors this sync :9
Sync count       :1

Terminating a BERT

You can terminate a BERT with the no bert interface configuration command:

router# configure terminal
router(config)# interface serial5/0:2
router(config-if)# no bert
router(config-if)# end

Verification

Use these commands to verify the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA configuration and the controller and interface status.

• Use the show interfaces pos command to verify the link and line protocol information of the POS interface.
    Bnet-I4#show interfaces pos4/0/0.1
    POS4/0/0:1 is up, line protocol is up
      Hardware is SPA_1xCHOC48
      Internet address is 43.1.0.1/24
      MTU 4470 bytes, BW 2488000 Kbit/sec, DLY 100 usec,
        reliability 255/255, txload 255/255, rxload 99/255
      Encapsulation HDLC, crc 16, loopback not set
      Keepalive set (10 sec)
      Scramble disabled
      Last input 00:00:01, output 00:00:03, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 970494000 bits/sec, 1234411 packets/sec
      30 second output rate 1905696000 bits/sec, 3598151 packets/sec
        317747877097 packets input, 30638397396316 bytes, 0 no buffer
        Received 59051 broadcasts (0 IP multicasts)
        0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        926944872678 packets output, 60782486122738 bytes, 0 underruns
        0 output errors, 0 collisions, 5 interface resets
        0 unknown protocol drops
        0 output buffer failures, 0 output buffers swapped out
        3 carrier transitions
        Non-inverted data

• Use the show interfaces pos controller command to verify the link and line protocol of the POS interface. This command also displays the packet counters and the alarms asserted at each path.
    Bnet-I4#show interfaces pos4/0/0.1 controller
    POS4/0/0:1 is up, line protocol is up
      Hardware is SPA_1xCHOC48
      Internet address is 43.1.0.1/24
      MTU 4470 bytes, BW 2488000 Kbit/sec, DLY 100 usec,
        reliability 255/255, txload 255/255, rxload 99/255
      Encapsulation HDLC, crc 16, loopback not set
      Keepalive set (10 sec)
      Scramble disabled
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 970652000 bits/sec, 1234611 packets/sec
      30 second output rate 1906071000 bits/sec, 3598706 packets/sec
        317760222275 packets input, 30639610620098 bytes, 0 no buffer
        Received 59052 broadcasts (0 IP multicasts)
        0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        926980856434 packets output, 60784868694988 bytes, 0 underruns
        0 output errors, 0 collisions, 5 interface resets
        0 unknown protocol drops
        0 output buffer failures, 0 output buffers swapped out
        3 carrier transitions
        Non-inverted data
    POS4/0/0:1
    PATH 1:
      AIS = 0          RDI = 1          REI = 16         BIP(B3) = 145
      LOP = 2          PSE = 7          NSE = 0          NEWPTR = 0
      LOM = 0          PLM = 0          UNEQ = 1
    Active Defects: None
    Detected Alarms: None
    Asserted/Active Alarms: None
    Alarm reporting enabled for: PLOP LOM B3-TCA
    TCA threshold: B3 = 10e-6
    Rx: C2 = CF
    Tx: C2 = CF
    PATH TRACE BUFFER : STABLE
      42 6E 65 74 2D 45 31 20 34 2F 30 2F 30 2E 31 00   Bnet-E1 4/0/0.1.
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    SONET/SDH Path Tables
      INTERVAL     CV   ES   SES  UAS
      07:10-07:24   0    0    0    0
    Scramble: no, Width: 48

• Use the show controllers sonet command to display information about the Cisco 1-Port Channelized OC-48/DS3 STM-16 (1xCHOC48/DS3) SPA, including information about all the configured channels.

    Bnet-I4# show controllers sonet 4/0/0
    SONET 4/0/0 is up.
      Hardware is SPA-1XCHOC48/DS3
    Applique type is Channelized Sonet/SDH
    Clock Source is Internal
    Medium info:
      Type: Sonet, Line Coding: NRZ,
    SECTION:
      LOS = 2          LOF = 0                         BIP(B1) = 57
    SONET/SDH Section Tables
      INTERVAL     CV   ES   SES  SEFS
      07:10-07:24   0    0    0    0
      06:55-07:10   0    0    0    0
      06:40-06:55   0    0    0    0
      06:25-06:40   0    0    0    0
      06:10-06:25   0    0    0    0
      05:55-06:10   0    0    0    0
      05:40-05:55   0    0    0    0
      05:25-05:40   0    0    0    0
      05:10-05:25   0    0    0    0
      04:55-05:10   0    0    0    0
      04:40-04:55   0    0    0    0
      04:25-04:40   0    0    0    0
      04:10-04:25   0    0    0    0
      03:55-04:10   0    0    0    0
      03:40-03:55   0    0    0    0
      03:25-03:40   0    0    0    0
      03:10-03:25   0    0    0    0
      02:55-03:10   0    0    0    0
      02:40-02:55   0    0    0    0
      02:25-02:40   0    0    0    0
      02:10-02:25   0    0    0    0
      01:55-02:10   0    0    0    0
      01:40-01:55   0    0    0    0
      01:25-01:40   0    0    0    0
      01:10-01:25   0    0    0    0
      00:55-01:10   0    0    0    0
      00:40-00:55   0    0    0    0
      00:25-00:40   0    0    0    0
      00:10-00:25   0    0    0    0
      23:55-00:10   0    0    0    0
      23:40-23:55   0    0    0    0
      23:25-23:40   0    0    0    0
      23:10-23:25   0    0    0    0
      22:55-23:10   0    0    0    0
      22:40-22:55   0    0    0    0
      22:25-22:40   0    0    0    0
      22:10-22:25   0    0    0    0
      21:55-22:10   0    0    0    0
      21:40-21:55   0    0    0    0
      21:25-21:40   0    0    0    0
      21:10-21:25   0    0    0    0
      20:55-21:10   0    0    0    0
      20:40-20:55   0    0    0    0
      20:25-20:40   0    0    0    0
      20:10-20:25   0    0    0    0
      19:55-20:10   0    0    0    0
      19:40-19:55   0    0    0    0
      19:25-19:40   0    0    0    0
      19:10-19:25   0    0    0    0
      18:55-19:10   0    0    0    0
      18:40-18:55   0    0    0    0
      18:25-18:40   0    0    0    0
      18:10-18:25   0    0    0    0
      17:55-18:10   0    0    0    0
      17:40-17:55   0    0    0    0
      17:25-17:40   0    0    0    0
      17:10-17:25   0    0    0    0
      16:55-17:10   0    0    0    0
      16:40-16:55   0    0    0    0
      16:25-16:40   0    0    0    0
      16:10-16:25   0    0    0    0
      15:55-16:10   0    0    0    0
      15:40-15:55   0    0    0    0
      15:25-15:40   0    0    0    0
      15:10-15:25   0    0    0    0
      14:55-15:10   0    0    0    0
      14:40-14:55   0    0    0    0
      14:25-14:40   0    0    0    0
      14:10-14:25   0    0    0    0
      13:55-14:10   0    0    0    0
      13:40-13:55   0    0    0    0
      13:25-13:40   0    0    0    0
      13:10-13:25   0    0    0    0
      12:55-13:10   0    0    0    0
      12:40-12:55   0    0    0    0
      12:25-12:40   1    1    0    0
      12:10-12:25   0    0    0    0
      11:55-12:10   0    0    0    0
      11:40-11:55   0    0    0    0
      11:25-11:40   0    0    0    0
      11:10-11:25   0    0    0    0
      10:55-11:10   0    0    0    0
      10:40-10:55   0    0    0    0
      10:25-10:40   0    0    0    0
      10:10-10:25   0    0    0    0
      09:55-10:10   0    0    0    0
      09:40-09:55   0    0    0    0
      09:25-09:40   0    0    0    0
      09:10-09:25   0    0    0    0
      08:55-09:10   0    0    0    0
      08:40-08:55   0    0    0    0
      08:25-08:40   0    0    0    0
      08:10-08:25   0    0    0    0
      07:55-08:10   0    0    0    0
      07:40-07:55   4    4    0    0
      07:25-07:40   0    0    0    0
      07:10-07:25   0    0    0    0
    Total of Data in Current and Previous Intervals
      07:10-07:24   5    5    0    0
    LINE:
      AIS = 0          RDI = 0          REI = 0          BIP(B2) = 55
    Active Defects: None
    Detected Alarms: None
    Asserted/Active Alarms: None
    Alarm reporting enabled for: SLOS SLOF SF B1-TCA B2-TCA
    BER thresholds:  SF = 10e-3  SD = 10e-6
    TCA thresholds:  B1 = 10e-6  B2 = 10e-6
    Rx: S1S0 = 00
        K1 = 00, K2 = 00
        J0 = 01
    Tx: S1S0 = 00
        K1 = 00, K2 = 00
        J0 = 01
    SONET/SDH Line Tables
      INTERVAL     CV   ES   SES  UAS
      07:10-07:24   0    0    0    0
      06:55-07:10   0    0    0    0
      06:40-06:55   0    0    0    0
      06:25-06:40   0    0    0    0
      06:10-06:25   0    0    0    0
      05:55-06:10   0    0    0    0
      05:40-05:55   0    0    0    0
      05:25-05:40   0    0    0    0
      05:10-05:25   0    0    0    0
      04:55-05:10   0    0    0    0
      04:40-04:55   0    0    0    0
      04:25-04:40   0    0    0    0
      04:10-04:25   0    0    0    0
      03:55-04:10   0    0    0    0
      03:40-03:55   0    0    0    0
      03:25-03:40   0    0    0    0
      03:10-03:25   0    0    0    0
      02:55-03:10   0    0    0    0
      02:40-02:55   0    0    0    0
      02:25-02:40   0    0    0    0
      02:10-02:25   0    0    0    0
      01:55-02:10   0    0    0    0
      01:40-01:55   0    0    0    0
      01:25-01:40   0    0    0    0
      01:10-01:25   0    0    0    0
      00:55-01:10   0    0    0    0
      00:40-00:55   0    0    0    0
      00:25-00:40   0    0    0    0
      00:10-00:25   0    0    0    0
      23:55-00:10   0    0    0    0
      23:40-23:55   0    0    0    0
      23:25-23:40   0    0    0    0
      23:10-23:25   0    0    0    0
      22:55-23:10   0    0    0    0
      22:40-22:55   0    0    0    0
      22:25-22:40   0    0    0    0
      22:10-22:25   0    0    0    0
      21:55-22:10   0    0    0    0
      21:40-21:55   0    0    0    0
      21:25-21:40   0    0    0    0
      21:10-21:25   0    0    0    0
      20:55-21:10   0    0    0    0
      20:40-20:55   0    0    0    0
      20:25-20:40   0    0    0    0
      20:10-20:25   0    0    0    0
      19:55-20:10   0    0    0    0
      19:40-19:55   0    0    0    0
      19:25-19:40   0    0    0    0
      19:10-19:25   0    0    0    0
      18:55-19:10   0    0    0    0
      18:40-18:55   0    0    0    0
      18:25-18:40   0    0    0    0
      18:10-18:25   0    0    0    0
      17:55-18:10   0    0    0    0
      17:40-17:55   0    0    0    0
      17:25-17:40   0    0    0    0
      17:10-17:25   0    0    0    0
      16:55-17:10   0    0    0    0
      16:40-16:55   0    0    0    0
      16:25-16:40   0    0    0    0
      16:10-16:25   0    0    0    0
      15:55-16:10   0    0    0    0
      15:40-15:55   0    0    0    0
      15:25-15:40   0    0    0    0
      15:10-15:25   0    0    0    0
      14:55-15:10   0    0    0    0
      14:40-14:55   0    0    0    0
      14:25-14:40   0    0    0    0
      14:10-14:25   0    0    0    0
      13:55-14:10   0    0    0    0
      13:40-13:55   0    0    0    0
      13:25-13:40   0    0    0    0
      13:10-13:25   0    0    0    0
      12:55-13:10   0    0    0    0
      12:40-12:55   0    0    0    0
      12:25-12:40   1    1    0    0
      12:10-12:25   0    0    0    0
      11:55-12:10   0    0    0    0
      11:40-11:55   0    0    0    0
      11:25-11:40   0    0    0    0
      11:10-11:25   0    0    0    0
      10:55-11:10   0    0    0    0
      10:40-10:55   0    0    0    0
      10:25-10:40   0    0    0    0
      10:10-10:25   0    0    0    0
      09:55-10:10   0    0    0    0
      09:40-09:55   0    0    0    0
      09:25-09:40   0    0    0    0
      09:10-09:25   0    0    0    0
      08:55-09:10   0    0    0    0
      08:40-08:55   0    0    0    0
      08:25-08:40   0    0    0    0
      08:10-08:25   0    0    0    0
      07:55-08:10   0    0    0    0
      07:40-07:55   0    0    0    0
      07:25-07:40   0    0    0    0
      07:10-07:25   0    0    0    0
    Total of Data in Current and Previous Intervals
      07:10-07:24   1    1    0    0
    High Order Path:
    PATH 1:
      AIS = 0          RDI = 1          REI = 16         BIP(B3) = 145
      LOP = 2          PSE = 7          NSE = 0          NEWPTR = 0
      LOM = 0          PLM = 0          UNEQ = 1
    Active Defects: None
    Detected Alarms: None
    Asserted/Active Alarms: None
    Alarm reporting enabled for: PLOP LOM B3-TCA
    TCA threshold: B3 = 10e-6
    Rx: C2 = CF
    Tx: C2 = CF
    PATH TRACE BUFFER : STABLE
      42 6E 65 74 2D 45 31 20 34 2F 30 2F 30 2E 31 00   Bnet-E1 4/0/0.1.
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    SONET/SDH Path Tables
      INTERVAL     CV   ES   SES  UAS
      07:10-07:24   0    0    0    0
      06:55-07:10   0    0    0    0
      06:40-06:55   0    0    0    0
      06:25-06:40   0    0    0    0
      06:10-06:25   0    0    0    0
      05:55-06:10   0    0    0    0
      05:40-05:55   0    0    0    0
      05:25-05:40   0    0    0    0
      05:10-05:25   0    0    0    0
      04:55-05:10   0    0    0    0
      04:40-04:55   0    0    0    0
      04:25-04:40   0    0    0    0
      04:10-04:25   0    0    0    0
      03:55-04:10   0    0    0    0
      03:40-03:55   0    0    0    0
      03:25-03:40   0    0    0    0
      03:10-03:25   0    0    0    0
      02:55-03:10   0    0    0    0
      02:40-02:55   0    0    0    0
      02:25-02:40   0    0    0    0
      02:10-02:25   0    0    0    0
      01:55-02:10   0    0    0    0
      01:40-01:55   0    0    0    0
      01:25-01:40   0    0    0    0
      01:10-01:25   0    0    0    0
      00:55-01:10   0    0    0    0
      00:40-00:55   0    0    0    0
      00:25-00:40   0    0    0    0
      00:10-00:25   0    0    0    0
      23:55-00:10   0    0    0    0
      23:40-23:55   0    0    0    0
      23:25-23:40   0    0    0    0
      23:10-23:25   0    0    0    0
      22:55-23:10   0    0    0    0
      22:40-22:55   0    0    0    0
      22:25-22:40   0    0    0    0
      22:10-22:25   0    0    0    0
      21:55-22:10   0    0    0    0
      21:40-21:55   0    0    0    0
      21:25-21:40   0    0    0    0
      21:10-21:25   0    0    0    0
      20:55-21:10   0    0    0    0
      20:40-20:55   0    0    0    0
      20:25-20:40   0    0    0    0
      20:10-20:25   0    0    0    0
      19:55-20:10   0    0    0    0
      19:40-19:55   0    0    0    0
      19:25-19:40   0    0    0    0
      19:10-19:25   0    0    0    0
      18:55-19:10   0    0    0    0
      18:40-18:55   0    0    0    0
      18:25-18:40   0    0    0    0
      18:10-18:25   0    0    0    0
      17:55-18:10   0    0    0    0
      17:40-17:55   0    0    0    0
      17:25-17:40   0    0    0    0
      17:10-17:25   0    0    0    0
      16:55-17:10   0    0    0    0
      16:40-16:55   0    0    0    0
      16:25-16:40   0    0    0    0
      16:10-16:25   0    0    0    0
      15:55-16:10   0    0    0    0
      15:40-15:55   0    0    0    0
      15:25-15:40   0    0    0    0
      15:10-15:25   0    0    0    0
      14:55-15:10   0    0    0    0
      14:40-14:55   0    0    0    0
      14:25-14:40   0    0    0    0
      14:10-14:25   0    0    0    0
      13:55-14:10   0    0    0    0
      13:40-13:55   0    0    0    0
      13:25-13:40   0    0    0    0
      13:10-13:25   0    0    0    0
      12:55-13:10   0    0    0    0
      12:40-12:55   0    0    0    0
      12:25-12:40   1    1    0    0
      12:10-12:25   0    0    0    0
      11:55-12:10   0    0    0    0
      11:40-11:55   0    0    0    0
      11:25-11:40   0    0    0    0
      11:10-11:25   0    0    0    0
      10:55-11:10   0    0    0    0
      10:40-10:55   0    0    0    0
      10:25-10:40   0    0    0    0
      10:10-10:25   0    0    0    0
      09:55-10:10   0    0    0    0
      09:40-09:55   0    0    0    0
      09:25-09:40   0    0    0    0
      09:10-09:25   0    0    0    0
      08:55-09:10   0    0    0    0
      08:40-08:55   0    0    0    0
      08:25-08:40   0    0    0    0
      08:10-08:25   0    0    0    0
      07:55-08:10   0    0    0    0
      07:40-07:55   0    0    0    0
      07:25-07:40   0    0    0    0
      07:10-07:25   0    0    0    0
    Total of Data in Current and Previous Intervals
      07:10-07:24   1    1    0    0
    sts-1 1 - 48 pos
    POS4/0/0:1 is up, line protocol is up
      Hardware is SPA_1xCHOC48
      Internet address is 43.1.0.1/24
      MTU 4470 bytes, BW 2488000 Kbit/sec, DLY 100 usec,
        reliability 255/255, txload 255/255, rxload 99/255
      Encapsulation HDLC, crc 16, loopback not set
      Keepalive set (10 sec)
      Scramble disabled
      Last input 00:00:00, output 00:00:01, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 970494000 bits/sec, 1234411 packets/sec
      30 second output rate 1905754000 bits/sec, 3598138 packets/sec
        317784911130 packets input, 30642036917424 bytes, 0 no buffer
        Received 59054 broadcasts (0 IP multicasts)
        0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        927052821884 packets output, 60789633235494 bytes, 0 underruns
        0 output errors, 0 collisions, 5 interface resets
        0 unknown protocol drops
        0 output buffer failures, 0 output buffers swapped out
        3 carrier transitions
        Non-inverted data
    Path 2: configured as member of a concatenated POS interface
    Path 3: configured as member of a concatenated POS interface
    Path 4: configured as member of a concatenated POS interface
    Path 5: configured as member of a concatenated POS interface
    Path 6: configured as member of a concatenated POS interface
    Path 7: configured as member of a concatenated POS interface
    Path 8: configured as member of a concatenated POS interface
    Path 9: configured as member of a concatenated POS interface
    Path 10: configured as member of a concatenated POS interface
    Path 11: configured as member of a concatenated POS interface
    Path 12: configured as member of a concatenated POS interface
    Path 13: configured as member of a concatenated POS interface
    Path 14: configured as member of a concatenated POS interface
    Path 15: configured as member of a concatenated POS interface
    Path 16: configured as member of a concatenated POS interface
    Path 17: configured as member of a concatenated POS interface
    Path 18: configured as member of a concatenated POS interface
    Path 19: configured as member of a concatenated POS interface
    Path 20: configured as member of a concatenated POS interface
    Path 21: configured as member of a concatenated POS interface
    Path 22: configured as member of a concatenated POS interface
    Path 23: configured as member of a concatenated POS interface
    Path 24: configured as member of a concatenated POS interface
    Path 25: configured as member of a concatenated POS interface
    Path 26: configured as member of a concatenated POS interface
    Path 27: configured as member of a concatenated POS interface
    Path 28: configured as member of a concatenated POS interface
    Path 29: configured as member of a concatenated POS interface
    Path 30: configured as member of a concatenated POS interface
    Path 31: configured as member of a concatenated POS interface
    Path 32: configured as member of a concatenated POS interface
    Path 33: configured as member of a concatenated POS interface
    Path 34: configured as member of a concatenated POS interface
    Path 35: configured as member of a concatenated POS interface
    Path 36: configured as member of a concatenated POS interface
    Path 37: configured as member of a concatenated POS interface
    Path 38: configured as member of a concatenated POS interface
    Path 39: configured as member of a concatenated POS interface
    Path 40: configured as member of a concatenated POS interface
    Path 41: configured as member of a concatenated POS interface
    Path 42: configured as member of a concatenated POS interface
    Path 43: configured as member of a concatenated POS interface
    Path 44: configured as member of a concatenated POS interface
    Path 45: configured as member of a concatenated POS interface
    Path 46: configured as member of a concatenated POS interface
    Path 47: configured as member of a concatenated POS interface

• Use the show interface serial command to verify the link and line protocol information of the serial interface.

    Router#show interface Serial5/1/0.1
    Serial5/1/0.1 is up, line protocol is up
      Hardware is SPA-1XCHOC48/DS3
      Internet address is 27.1.1.2/24
      MTU 4470 bytes, BW 44210 Kbit/sec, DLY 200 usec,
        reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation FRAME-RELAY, crc 16, loopback not set
      Keepalive set (10 sec)
      LMI enq sent 0, LMI stat recvd 0, LMI upd recvd 0
      LMI enq recvd 1, LMI stat sent 1, LMI upd sent 0, DCE LMI up
      LMI DLCI 1023  LMI type is CISCO  frame relay DCE
      FR SVC disabled, LAPF state down
      Fragmentation type: end-to-end, size 128, PQ interleaves 0
      Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
      Last input 00:00:01, output 00:00:01, output hang never
      Last clearing of "show interface" counters 00:00:02
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: Class-based queueing
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts (0 IP multicasts)
        0 runts, 0 giants, 0 throttles
                 0 parity
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 applique, 0 interface resets
        0 unknown protocol drops
        0 output buffer failures, 0 output buffers swapped out
        0 carrier transitions
        no alarm present
      DSU mode cisco, bandwidth 44210 Kbit, scramble 0, VC 0, non-inverted data

Chapter 22 Configuring the 4-Port Serial Interface SPA

This chapter provides information about configuring the 4-Port Serial Interface Shared Port Adapter (SPA) on the Cisco 7600 series router. It includes the following sections:
• Configuration Tasks, page 22-1
• Verifying the Interface Configuration, page 22-22
• Configuration Examples, page 22-23

For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.

Configuration Tasks

This section describes how to configure the 4-Port Serial Interface SPA for the Cisco 7600 series router and includes information about verifying the configuration.
It includes the following topics:
• Configuring the 4-Port Serial Interface SPA, page 22-1
• Specifying the Interface Address on a SPA, page 22-2
• Verifying the Configuration, page 22-3
• Optional Configurations, page 22-9
• Saving the Configuration, page 22-22

Configuring the 4-Port Serial Interface SPA

To configure the 4-Port Serial Interface SPA, complete these steps:

Step 1  Command: Router# configure terminal
        Purpose: Enters global configuration mode.
Step 2  Command: Router(config)# interface serial slot/subslot/port
        Purpose: Selects the controller to configure and enters interface configuration mode.
        • slot/subslot/port: Specifies the location of the 4-Port Serial Interface SPA port. See the “Specifying the Interface Address on a SPA” section on page 22-2.
Step 3  Command: Router(config-if)# ip address address mask
        Purpose: Sets the IP address and subnet mask.
        • address: IP address
        • mask: Subnet mask
Step 4  Command: Router(config-if)# clock rate bps
        Purpose: Configures the clock rate for the hardware to an acceptable bit rate per second (bps).

Note Each port should first be connected with the appropriate cable before attempting full configuration. Some commands are enabled only based upon the cable type connected to the port.

Note The bandwidth of each interface is 2 MB by default; setting the clock rate does not change the interface bandwidth. Cisco recommends that you configure the bandwidth value together with the clock rate command on both the DCE and the DTE side.

Note A clock rate of 2016 does not appear in the configuration because it is the default value.

Specifying the Interface Address on a SPA

SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP, SPA, and interface in the command-line interface (CLI). The interface address format is slot/subslot/port, where:
• slot: Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot: Specifies the secondary slot of the SIP where the SPA is installed.
• port: Specifies the number of the individual interface port on a SPA.

The following example shows how to specify the first interface (0) on a SPA installed in the first subslot (0) of a SIP installed in chassis slot 3:

    Router(config)# interface serial 3/0/0

For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for SIPs, SSCs, and SPAs” section on page 4-2.

Verifying the Configuration

After configuring the new interface, use the show commands to display the status of the new interface or of all interfaces, and use the ping and loopback commands to check connectivity. This section includes the following subsections:
• Show Commands, page 22-3
• Using the ping Command to Verify Network Connectivity, page 22-8
• Using loopback Commands, page 22-8

Show Commands

The table below lists the show commands you can use to verify the operation of the 4-Port Serial Interface SPA. Sample displays of the output of selected show commands appear in the section that follows. For complete command descriptions and examples, refer to the publications listed in the “Obtaining Documentation, Obtaining Support, and Security Guidelines” section on page l.

Note The outputs that appear in this document may not match the output you receive when running these commands. The outputs in this document are examples only.

Command: Router# show version or Router# show hardware
    Purpose: Displays the system hardware configuration, the number of each interface type installed, the Cisco IOS software version, the names and sources of configuration files, and the boot images.
Command: Router# show controllers
    Purpose: Displays all the current interface processors and their interfaces.
Command: Router# show controllers serial
    Purpose: Displays serial line statistics.
Command: Router# show diagbus slot
    Purpose: Displays the types of port adapters installed in your system and information about a specific port adapter slot, interface processor slot, or chassis slot.
Command: Router# show interfaces type port-adapter-slot-number/interface-port-number
    Purpose: Displays status information about a specific type of interface (for example, serial) in a Cisco 7600 series router.
Command: Router# show protocols
    Purpose: Displays the protocols configured for the entire system and for specific interfaces.
Command: Router# show running-config
    Purpose: Displays the running configuration file.
Command: Router# show startup-config
    Purpose: Displays the configuration stored in NVRAM.

Verification Examples

The following is an example of a show version command with the 4-Port Serial Interface SPA:

    Router# show version
    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_DBG-M), Version 12.2(nightly.SR070910) NIGHTLY BUILD, synced to rainier RAINIER_BASE_FOR_V122_33_SRA_THROTTLE
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 10-Sep-07 22:48 by cuotran

    ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)

    PE1 uptime is 18 hours, 23 minutes
    Uptime for this control processor is 18 hours, 23 minutes
    System returned to ROM by reload at 13:30:48 IST Thu Sep 13 2007 (SP by reload)
    System image file is "disk1:s72033-adventerprisek9_dbg-mz.autobahn76_091007"
    Last reload type: Normal Reload

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    cisco WS-C6506 (R7000) processor (revision 3.0) with 983008K/65536K bytes of memory.
    Processor board ID TBM06330552
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from power-on
    2 SIP-200 controllers (8 Serial)(2 ATM)(4 Channelized T3)(1 Channelized OC3/STM-1).
    1 SIP-400 controller (1 POS)(2 Channelized OC3/STM-1).
    2 Virtual Ethernet interfaces
    74 Gigabit Ethernet interfaces
    8 Serial interfaces
    2 ATM interfaces
    1 Packet over SONET interface
    4 Channelized T3 ports
    3 Channelized STM-1 ports
    1917K bytes of non-volatile configuration memory.
    8192K bytes of packet buffer memory.
    65536K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102

The following is an example of a show hardware command with the 4-Port Serial Interface SPA:

    Router# show hardware
    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_DBG-M), Version 12.2(nightly.SR070910) NIGHTLY BUILD, synced to rainier RAINIER_BASE_FOR_V122_33_SRA_THROTTLE
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 10-Sep-07 22:48 by cuotran

    ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)

    PE1 uptime is 18 hours, 23 minutes
    Uptime for this control processor is 18 hours, 23 minutes
    System returned to ROM by reload at 13:30:48 IST Thu Sep 13 2007 (SP by reload)
    System image file is "disk1:s72033-adventerprisek9_dbg-mz.autobahn76_091007"
    Last reload type: Normal Reload

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    cisco WS-C6506 (R7000) processor (revision 3.0) with 983008K/65536K bytes of memory.
    Processor board ID TBM06330552
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from power-on
    2 SIP-200 controllers (8 Serial)(2 ATM)(4 Channelized T3)(1 Channelized OC3/STM-1).
    1 SIP-400 controller (1 POS)(2 Channelized OC3/STM-1).
    2 Virtual Ethernet interfaces
    74 Gigabit Ethernet interfaces
    8 Serial interfaces
    2 ATM interfaces
    1 Packet over SONET interface
    4 Channelized T3 ports
    3 Channelized STM-1 ports
    1917K bytes of non-volatile configuration memory.
    8192K bytes of packet buffer memory.
    65536K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102

The following is an example of a show controllers serial command with the 4-Port Serial Interface SPA:

    Router# show controller serial 3/1/1
    Serial3/1/1 - (SPA-4XT-SERIAL) is up
    Encapsulation : Frame Relay
    Cable type: RS-232 DTE
    mtu 1500, max_buffer_size 1524, max_pak_size 1608 enc 84
    loopback: Off, crc: 16, invert_data: Off
    nrzi: Off, idle char: Flag
    tx_invert_clk: Off, ignore_dcd: Off
    rx_clockrate: 552216, rx_clock_threshold: 0
    serial_restartdelay:60000, serial_restartdelay_def:60000
    RTS up, CTS up, DTR up, DCD up, DSR up

Note The acronyms are defined as follows: RTS (Request to Send); CTS (Clear To Send); DTR (Data Transmit Ready); DCD (Data Carrier Detect); DSR (Data Set Ready).
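As an added example (not Cisco's code, and not part of this guide), the following Python script parses the show controllers serial display above, splits the interface name into the slot/subslot/port address described in the “Specifying the Interface Address on a SPA” section, and reports the conditions an operator verifying a new serial port would want to see flagged. The sample text is the output from this page; the helper names and the finding rules are the example's own assumptions.

```python
"""Parse `show controllers serial` output from a 4-Port Serial Interface SPA.

Added example, not Cisco's code. Breaks the interface name into SIP slot,
SPA subslot and port, reads the fields printed by the command, and lists
conditions worth a closer look. Finding rules are this example's own.
"""
import re

# Constructed sample: the show controllers serial 3/1/1 display from this page.
SAMPLE = """\
Serial3/1/1 - (SPA-4XT-SERIAL) is up
Encapsulation : Frame Relay
Cable type: RS-232 DTE
mtu 1500, max_buffer_size 1524, max_pak_size 1608 enc 84
loopback: Off, crc: 16, invert_data: Off
nrzi: Off, idle char: Flag
tx_invert_clk: Off, ignore_dcd: Off
rx_clockrate: 552216, rx_clock_threshold: 0
serial_restartdelay:60000, serial_restartdelay_def:60000
RTS up, CTS up, DTR up, DCD up, DSR up
"""

# Modem-control leads, in the order the command prints them.
LEADS = ("RTS", "CTS", "DTR", "DCD", "DSR")

_HEADER_RE = re.compile(r"^(?P<name>Serial\S+) - \((?P<spa>[^)]+)\) is (?P<state>.+)$")
# slot/subslot/port with or without a space after the interface type.
_ADDR_RE = re.compile(r"^[A-Za-z]+\s*(?P<slot>\d+)/(?P<subslot>\d+)/(?P<port>\d+)")
# "key: value, key: value" pairs; keys may contain a space ("idle char").
_PAIR_RE = re.compile(r"([\w ]+?)\s*:\s*([^,]+)")


def parse_address(name):
    """Split 'Serial3/1/1' (or 'serial 3/1/1') into SIP slot, SPA subslot and port."""
    m = _ADDR_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a slot/subslot/port interface name: {name!r}")
    return {k: int(v) for k, v in m.groupdict().items()}


def parse_controller(text):
    """Return the fields of one `show controllers serial` display as a dict."""
    info = {"leads": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER_RE.match(line)
        if m:
            info.update(m.groupdict())
            info["address"] = parse_address(m.group("name"))
        elif line.startswith("Encapsulation"):
            info["encapsulation"] = line.split(":", 1)[1].strip()
        elif line.startswith("Cable type:"):
            info["cable"] = line.split(":", 1)[1].strip()
        elif line.startswith("mtu "):
            info["mtu"] = int(line.split()[1].rstrip(","))
        elif line.startswith(LEADS):
            # "RTS up, CTS up, ..." -> {"RTS": "up", ...}
            for lead, state in re.findall(r"(RTS|CTS|DTR|DCD|DSR) (\w+)", line):
                info["leads"][lead] = state
        elif ":" in line:
            for key, value in _PAIR_RE.findall(line):
                info[key.strip()] = value.strip()
    return info


def findings(info):
    """List conditions worth checking; an empty list means nothing was flagged."""
    out = []
    if info.get("state") != "up":
        out.append(f"{info.get('name')} is {info.get('state')}")
    if info.get("loopback", "Off") != "Off":
        out.append("loopback is set")
    if info.get("ignore_dcd") == "On":
        out.append("ignore_dcd is On")
    for lead in LEADS:
        state = info["leads"].get(lead)
        if state is None:
            out.append(f"{lead} not reported")
        elif state != "up":
            out.append(f"{lead} is {state}")
    return out


if __name__ == "__main__":
    parsed = parse_controller(SAMPLE)
    addr = parsed["address"]
    print(f"{parsed['name']}: SIP slot {addr['slot']}, SPA subslot "
          f"{addr['subslot']}, port {addr['port']} ({parsed['spa']})")
    print("findings:", findings(parsed) or "none")
```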
The following is an example of a show diagbus command with the 4-Port Serial Interface SPA:

    Router# show diagbus 4
    Slot 4: Logical_index 8
            4-subslot SPA Interface Processor-200 controller
            Board is analyzed ipc ready
            HW rev 1.1, board revision A0
            Serial Number: JAB0929078S  Part number: 73-8272-08
            Slot database information:
            Flags: 0x2004   Insertion time: 0x2DC096C4 (07:47:58 ago)
            Controller Memory Size:
                    384 MBytes CPU Memory
                    127 MBytes Packet Memory
                    511 MBytes Total on Board SDRAM
            Cisco IOS Software, cwlc Software (sip1-DW-M), Version 12.2(nightly.SR070820) NIGHTLY BUILD, synced to rainier RAINIER_BASE_FOR
            SPA Information:
            subslot 4/0: SPA-4XT-SERIAL (0x55A), status: ok

The following is an example of a show interfaces serial command with the 4-Port Serial Interface SPA:

    Router# show interfaces serial2/0/0
    Serial 5/1/0 is up, line protocol is up
      Hardware is SPA-4T
      Internet address is 192.168.33.1/29
      MTU 4470 bytes, BW 8000 Kbit, DLY 100 usec, rely 255/255, load 1/255
      Encapsulation HDLC, loopback not set, keepalive not set
      Clock Source Internal.
      Last input 00:00:01, output 00:00:00, output hang never
      Last clearing of "show interface" counters 1h
      Output queue 0/40, 0 drops; input queue 0/75, 0 drops
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants, 0 parity
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 applique, 0 interface resets
        0 output buffer failures, 0 output buffers swapped out
        0 carrier transitions

The following are examples of the show protocol command with the 4-Port Serial Interface SPA:

    Router# show protocol
    Global values:
      Internet Protocol routing is enabled
    POS1/2/0 is up, line protocol is up
    GigabitEthernet3/1 is down, line protocol is down
    GigabitEthernet3/2 is administratively down, line protocol is down
    GigabitEthernet3/3 is down, line protocol is down
    GigabitEthernet3/4 is administratively down, line protocol is down
    GigabitEthernet3/5 is administratively down, line protocol is down
    GigabitEthernet3/6 is administratively down, line protocol is down
    GigabitEthernet3/7 is up, line protocol is up
      Internet address is 200.0.0.100/24
    GigabitEthernet3/8 is administratively down, line protocol is down
    GigabitEthernet3/9 is administratively down, line protocol is down
    GigabitEthernet3/10 is administratively down, line protocol is down
    GigabitEthernet3/11 is administratively down, line protocol is down
    GigabitEthernet3/12 is administratively down, line protocol is down
    GigabitEthernet3/13 is administratively down, line protocol is down
    GigabitEthernet3/14 is administratively down, line protocol is down
    GigabitEthernet3/15 is administratively down, line protocol is down
    GigabitEthernet3/16 is administratively down, line protocol is down
    GigabitEthernet3/17 is administratively down, line protocol is down
    GigabitEthernet3/18 is administratively down, line protocol is down
    GigabitEthernet3/19 is administratively down, line protocol is down
    GigabitEthernet3/20 is administratively down, line protocol is down
    GigabitEthernet3/21 is administratively down, line protocol is down

    Router# show protocol | i Serial4/
    Serial4/0/0 is administratively down, line protocol is down
    Serial4/0/1 is administratively down, line protocol is down
    Serial4/0/2 is administratively down, line protocol is down
    Serial4/0/3 is administratively down, line protocol is down
    Serial4/2/0 is administratively down, line protocol is down
    Serial4/2/1 is administratively down, line protocol is down
    Serial4/2/2 is administratively down, line protocol is down
    Serial4/2/3 is administratively down, line protocol is down

The following is an example of a show running-config command with the 4-Port Serial Interface SPA:

    Router# show running-config serial
    Router# show running interface ser4/0/0
    Building configuration...

    Current configuration : 54 bytes
    !
    interface Serial4/0/0
     no ip address
     shutdown
    end

The following is an example of a show running interface command with the 4-Port Serial Interface SPA:

    Router# show running interface ser4/0/1
    Building configuration...

    Current configuration : 54 bytes
    !
    interface Serial4/0/1
     no ip address
     shutdown
    end

The following is an example of a show startup-config command with the 4-Port Serial Interface SPA:

    Router# show startup-config | b Serial4/0/0
    interface Serial4/0/0
     no ip address
     shutdown
    !
    interface Serial4/0/1
     no ip address
     shutdown
    !
    interface Serial4/0/2
     no ip address
     shutdown
    !
interface Serial4/0/3
 no ip address
 shutdown
!

Using the ping Command to Verify Network Connectivity

Using the ping command, you can verify that an interface port is functioning properly. This section provides a brief description of this command. Refer to the publications listed in the "Obtaining Documentation, Obtaining Support, and Security Guidelines" section on page l for detailed command descriptions and examples.

The ping command sends ICMP echo request packets to the IP address that you specify. After sending each echo request, the system waits a specified time for the remote device to reply. Each echo reply is displayed as an exclamation point (!) on the console terminal; each request that is not answered before the timeout expires is displayed as a period (.). A series of exclamation points (!!!!!) indicates a good connection; a series of periods (.....) or the messages [timed out] or [failed] indicates a bad connection.

Following is an example of a successful ping command to a remote server with the address 10.0.0.10:

Router# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/64 ms
Router#

If the connection fails, verify that you have the correct IP address for the destination and that the device is active (powered on), and repeat the ping command. Keep in mind that a failed ping does not by itself prove that the serial link is down: the remote device, or a filter between the two ends, may simply not answer ICMP. Proceed to the next section, "Using loopback Commands," to finish checking network connectivity.

Using loopback Commands

With the loopback test, you can detect and isolate equipment malfunctions by testing the connection between the 4-Port Serial Interface SPA and a remote device such as a modem or a channel service unit/data service unit (CSU/DSU).
The loopback command places an interface in loopback mode, which enables test packets generated by the ping command to loop through a remote device or compact serial cable. If the packets complete the loop, the connection is good. If not, you can isolate the fault to the remote device or the compact serial cable in the path of the loopback test.

Note: You must configure a clock rate on the port before performing a loopback test. The one exception is a port with no cable attached that is administratively up and in loopback mode; in that case no clock rate needs to be configured before the test.

Depending on the mode of the port, issuing the loopback command checks the following path:

• When no compact serial cable is attached to the 4-Port Serial Interface SPA port, or when a data circuit-terminating equipment (DCE) cable is attached to a port that is configured as line protocol up, the loopback command tests only the path between the network processing engine and the interface port (the test does not leave the network processing engine and the SPA).

• When a data terminal equipment (DTE) cable is attached to the port, the loopback command tests the path between the network processing engine and the near (network processing engine) side of the DSU or modem, which exercises the 4-Port Serial Interface SPA and the compact serial cable. (The X.21 DTE interface cable does not support this loopback test; see the following Note.)

Note: The X.21 interface definition does not include a loopback definition, so the X.21 DTE interface on the 4-Port Serial Interface SPA does not support the loopback function. Because the 4-Port Serial Interface SPA supplies an internal clock signal, loopback does function on an X.21 DCE interface.
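The "Configuring Cyclic Redundancy Checks" section later in this chapter describes the frame check sequence (FCS) that the crc command selects for each frame. The following Python block is an added example, not code from the Cisco guide or from Cisco IOS: it implements the two FCS variants using the standard HDLC/PPP parameters (CRC-16 with polynomial 0x1021 and CRC-32 with polynomial 0x04C11DB7, both bit-reflected, initialised to all ones and complemented at the end, as in ISO/IEC 13239 and RFC 1662); that the SPA uses exactly these parameters is an assumption of the example. The sample frame is constructed. The block shows what the interface counts as a CRC error (a frame whose trailer no longer matches the recomputed value), and the caveat a security engineer should attach to this section: a CRC detects line noise, not tampering, because anyone who can modify a frame in transit can recompute its FCS. The reference values 0x906E and 0xCBF43926 for the ASCII string 123456789 are the published check values for these two CRCs.

```python
"""Added example: HDLC frame check sequence (FCS) as selected by 'crc 16' / 'crc 32'.

Standard HDLC/PPP parameters (ISO/IEC 13239, RFC 1662): reflected polynomial,
register initialised to all ones, result complemented. Not code from the Cisco
guide; that the SPA hardware uses these parameters is an assumption.
"""


def _crc_reflected(data, poly, width, init, xorout):
    """Bitwise reflected CRC (least significant bit first), generic over width."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return (crc ^ xorout) & ((1 << width) - 1)


def crc16_hdlc(data):
    """CRC-16/X-25 (the 'CRC-CCITT' of the guide): poly 0x1021, reflected 0x8408."""
    return _crc_reflected(data, 0x8408, 16, 0xFFFF, 0xFFFF)


def crc32_hdlc(data):
    """CRC-32/ISO-HDLC: poly 0x04C11DB7, reflected 0xEDB88320 (same as zlib.crc32)."""
    return _crc_reflected(data, 0xEDB88320, 32, 0xFFFFFFFF, 0xFFFFFFFF)


def _fcs(payload, bits):
    if bits == 16:
        return crc16_hdlc(payload)
    if bits == 32:
        return crc32_hdlc(payload)
    raise ValueError("crc length must be 16 or 32")


def add_fcs(payload, bits=16):
    """Sender side: append the FCS. HDLC transmits it least significant byte first."""
    return payload + _fcs(payload, bits).to_bytes(bits // 8, "little")


def check_fcs(frame, bits=16):
    """Receiver side: recompute over the payload and compare with the trailer.
    A mismatch is what 'show interfaces serial' counts as a CRC error."""
    n = bits // 8
    if len(frame) <= n:
        return False
    payload, trailer = frame[:-n], int.from_bytes(frame[-n:], "little")
    return _fcs(payload, bits) == trailer


def flip_bit(frame, bit_index):
    """Simulate line noise: invert one bit anywhere in the frame."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def forge(new_payload, bits=16):
    """What an on-path attacker does: rewrite the payload and recompute the FCS.
    The result passes check_fcs, which is why a CRC is not an integrity control."""
    return add_fcs(new_payload, bits)


# Constructed sample: Cisco HDLC header (address 0x0F, control 0x00, protocol
# 0x0800 = IP) followed by a dummy payload. Not captured traffic.
SAMPLE_PAYLOAD = bytes.fromhex("0f000800") + b"example payload"


def demo():
    """Return (clean_ok, noisy_ok, forged_ok, length_mismatch_ok) for the sample."""
    frame16 = add_fcs(SAMPLE_PAYLOAD, 16)
    clean_ok = check_fcs(frame16, 16)                      # True: untouched frame
    noisy_ok = check_fcs(flip_bit(frame16, 37), 16)        # False: single-bit error is always caught
    forged_ok = check_fcs(forge(SAMPLE_PAYLOAD.replace(b"example", b"changed")), 16)  # True: attacker recomputed
    # One end configured 'crc 32' while the other keeps the default 'crc 16':
    # the receiver checks the wrong trailer and drops the frame as a CRC error.
    length_mismatch_ok = check_fcs(add_fcs(SAMPLE_PAYLOAD, 32), 16)
    return clean_ok, noisy_ok, forged_ok, length_mismatch_ok


if __name__ == "__main__":
    print("FCS-16 of '123456789': %#06x" % crc16_hdlc(b"123456789"))
    print("FCS-32 of '123456789': %#010x" % crc32_hdlc(b"123456789"))
    print("clean, noisy, forged, length mismatch:", demo())
```

The forged case is the point to remember when someone proposes crc 32 as a "security" setting: the longer CRC lowers the chance that random corruption goes unnoticed, but it gives no protection against a peer or an intermediate device that deliberately alters frames. Confidentiality and integrity against an adversary have to come from a keyed mechanism above the link layer.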
This completes the configuration procedure for the new 4-Port Serial Interface SPA serial interfaces.

Optional Configurations

The following optional configurations may be necessary to complete the configuration of your serial SPA:

• Configuring Timing Signals, page 22-9
• Inverting the Clock Signal, page 22-10
• Configuring NRZI Format, page 22-11
• Configuring Cyclic Redundancy Checks, page 22-11
• Configuring Encapsulation, page 22-13
• Configuring Distributed Multilink PPP, page 22-14
• Configuring MLFR, page 22-17
• Configuring Multipoint Bridging, page 22-19
• Configuring Bridging Control Protocol Support, page 22-19
• Configuring BCP on MLPPP, page 22-19
• FRF.12 Guidelines, page 22-21
• LFI Guidelines, page 22-21
• FRF.12 LFI Guidelines, page 22-21

Configuring Timing Signals

All interfaces support both DTE and DCE mode, depending on the mode of the compact serial cable attached to the port. To use a port as a DTE interface, you need only connect a DTE compact serial cable to the port. When the system detects the DTE mode cable, it automatically uses the external timing signal. To use a port in DCE mode, you must connect a DCE compact serial cable and set the clock speed with the clock rate configuration command. You must also set the clock rate to perform a loopback test. This section describes how to set the clock rate on a DCE port and, if necessary, how to invert the clock to correct a phase shift between the data and clock signals.

Use the following commands when configuring timing signals:

Command / Purpose
Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port
    Selects the interface to configure and enters interface configuration mode.
Router(config-if)# clock rate bps
    Sets the clock rate on a DCE port, in bits per second. Standard rates: 1200, 2400, 4800, 9600, 14400, 19200, 28800, 32000, 38400, 48000, 56000, 57600, 64000, 72000, 115200, 128000, 230400, 252000, 504000, 1008000, 2016000, 4032000, 8064000. A nonstandard clock rate is rounded to the nearest rate that the hardware supports, and the actual clock rate is then displayed on the console; compare that displayed value with what the far end expects. The no form of this command removes a clock rate that has been set.
Router(config-if)# invert txclock
    Inverts the transmit clock signal. When the EIA/TIA-232 interface is a DTE, invert txclock inverts the TxC signal that the DTE receives from the remote DCE. When the interface is a DCE, it inverts the clock signal sent to the remote DTE port. The no form of this command returns the clock signal to its original phase.
Router(config-if)# invert data
    Inverts the data signal. The no form of this command disables inversion of the data signal.

Note: Clock rates supported for EIA/TIA-232: 1.2K, 2.4K, 4.8K, 9.6K, 14.4K, 19.2K, 28.8K, 32K, 38.4K, 56K, 64K, and 128K.

Note: Clock rates supported for EIA-530, EIA-530A, EIA-449, and V.35 (bps): 1.2K, 2.4K, 4.8K, 9.6K, 14.4K, 19.2K, 28.8K, 32K, 38.4K, 56K, 64K, 72K, 115.2K, 128K, 230.4K, 252K, 504K, 1.008M, 2.016M, 4.032M, and 8.064M. Other rates cannot be configured.

Note: Clock rates supported for X.21: 1.2K, 2.4K, 4.8K, 9.6K, 14.4K, 19.2K, 28.8K, 32K, 38.4K, 56K, 64K, 72K, 115.2K, 128K, 230.4K, 252K, 504K, 2.016M, 4.032M, and 8.064M.

Inverting the Clock Signal

Systems that use long cables, or cables that are not transmitting the TxC (clock) signal, might experience high error rates when operating at higher transmission speeds. If a SPA-4XT DCE port is reporting a high number of error packets, a phase shift between the clock and the data might be the problem; inverting the clock might correct this phase shift. Check the CRC and input error counters in show interfaces serial before and after the change to confirm that the error rate actually drops.

Use the following commands when inverting the clock signal:

Command / Purpose
Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port
    Selects the interface to configure and enters interface configuration mode.
Router(config-if)# invert txclock
    Inverts the transmit clock signal. When the EIA/TIA-232 interface is a DTE, invert txclock inverts the TxC signal that the DTE receives from the remote DCE. When the interface is a DCE, it inverts the clock signal sent to the remote DTE port. The no form of this command returns the clock signal to its original phase.
Router(config-if)# invert data
    Inverts the data signal. The no form of this command disables inversion of the data stream.

Configuring NRZI Format

All EIA/TIA-232 interfaces on the SPA-4XT support non-return-to-zero (NRZ) and non-return-to-zero inverted (NRZI) formats. Both formats use two different voltage levels for transmission. NRZ signals maintain constant voltage levels with no signal transitions (no return to a zero voltage level) during a bit interval and are decoded using absolute values: 0 and 1. NRZI uses the same constant signal levels but interprets the absence of data (a space) at the beginning of a bit interval as a signal transition and the presence of data (a mark) as no signal transition. NRZI uses relational encoding to interpret signals rather than determining absolute values. Both ends of the link must use the same format.

Use the following commands to configure NRZI format:

Command / Purpose
Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port
    Selects the interface to configure and enters interface configuration mode.
Router(config-if)# nrzi-encoding
    Enables NRZI encoding.
Router(config-if)# no nrzi-encoding
    Disables NRZI encoding and returns the interface to NRZ, the default.

Configuring Cyclic Redundancy Checks

Cyclic redundancy checking (CRC) is an error-checking technique that uses a calculated numeric value to detect errors in transmitted data. All interfaces use a 16-bit CRC (CRC-CCITT) by default but also support a 32-bit CRC. The sender of a data frame calculates the frame check sequence (FCS) and appends it to the frame before sending it. The receiver recalculates the FCS and compares its calculation to the FCS from the sender. If the two values differ, the receiver assumes that a transmission error occurred, discards the frame, and counts it as a CRC error on the interface; with HDLC, PPP, and Frame Relay encapsulation there is no link-layer retransmission, so recovery is left to higher-layer protocols. The CRC length must match on both ends of the link: if one end is configured for crc 32 while the other stays at crc 16, frames fail the check and are counted as CRC errors.

In the example that follows, the first serial port on a 4-Port Serial Interface SPA installed in subslot 1 of a SIP in slot 3 is configured for 32-bit CRC:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface serial 3/1/0
Router(config-if)# crc 32
Router(config-if)# ^Z
Router#

The preceding command example applies to all systems in which the 4-Port Serial Interface SPA is supported. Use the no crc 32 command to disable CRC-32 and return the interface to the default CRC-16 (CRC-CCITT) setting.

Command / Purpose
Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port
    Selects the interface to configure and enters interface configuration mode.
Router(config-if)# crc {16 | 32}
    Specifies the length of the CRC:
    • 16: 16-bit CRC. This is the default.
    • 32: 32-bit CRC.
    To return the CRC length to the default value, use the no form of this command.

Configuring Encapsulation

When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate the traffic. To set the encapsulation method, use the following commands:

Command / Purpose
Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port
    Selects the interface to configure and enters interface configuration mode. slot/subslot/port specifies the location of the interface; see the "Specifying the Interface Address on a SPA" section on page 22-2.
Router(config-if)# encapsulation {hdlc | ppp | frame-relay}
    Sets the encapsulation method on the interface:
    • hdlc: High-Level Data Link Control (HDLC) protocol for serial interfaces. This is the default.
    • ppp: Point-to-Point Protocol (PPP) for serial interfaces.
    • frame-relay: Frame Relay for serial interfaces.

Verifying Encapsulation

Use the show interface serial command to display the encapsulation method:

Router# show interface serial3/1/1
Serial3/1/1 is up, line protocol is down
  Hardware is SPA-4XT-SERIAL
  MTU 1500 bytes, BW 2016 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY, crc 16, loopback not set
  Keepalive set (10 sec)
  LMI enq sent 13698, LMI stat recvd 0, LMI upd recvd 0, DTE LMI down
  LMI enq recvd 0, LMI stat sent  0, LMI upd sent  0
  LMI DLCI 1023  LMI type is CISCO  frame relay DTE
  FR SVC disabled, LAPF state down
  Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
  Last input never, output 00:00:05, output hang never
  Last clearing of "show interface" counters 1d14h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     19344 packets output, 254168 bytes, 0 underruns
     0 output errors, 0 collisions, 2283 interface resets
     0 output buffer failures, 0 output buffers swapped out
     4566 carrier transitions
     RTS up, CTS up, DTR up, DCD up, DSR up

In this output the encapsulation is Frame Relay, but the line protocol is down: the router has sent 13698 LMI status enquiries and received no status reply (LMI stat recvd 0, DTE LMI down), so either the LMI type does not match the provider switch or the switch is not answering. The 2283 interface resets and 4566 carrier transitions show that the circuit has been flapping since the counters were last cleared.

Configuring Distributed Multilink PPP

The Distributed Multilink Point-to-Point Protocol (dMLPPP) feature allows you to combine serial lines into a bundle that has the combined bandwidth of the multiple lines. This is done by using a dMLPPP link. You choose the number of bundles and the number of serial lines in each bundle. This allows you to increase the bandwidth of your network links beyond that of a single serial line without having to purchase a bigger line.

This section includes the following topics:

• dMLPPP Configuration Guidelines, page 22-14
• dMLPPP Configuration Tasks, page 22-14
• Verifying dMLPPP, page 22-16

dMLPPP Configuration Guidelines

dMLPPP is supported under the following conditions:

• All links are on the same Cisco 7600 SIP-200.
• Member links in a bundle should have the same bandwidth and clock rate.
• Quality of Service (QoS) is implemented on the Cisco 7600 SIP-200 for dMLPPP.
• Bundle links are configurable across the multilink SPA.

Note: Because the bundles are done in software, performance depends on the line card CPU.
• To enable fragmentation for software-based dMLPPP, you must configure the ppp multilink interleave command.
• You must use the ppp chap hostname command when you have more than one bundle between two routers.

When configuring dMLPPP on the Cisco 7600 SIP-200, consider the following restrictions:

• Data compression is supported for RTP traffic only (dCRTP).
• Encryption is not supported on the bundle; if the traffic needs confidentiality, it must be protected above the link layer.
• The maximum differential delay is 100 ms when supported in software.

dMLPPP Configuration Tasks

The following sections describe how to configure dMLPPP:

• Creating a dMLPPP Bundle, page 22-15 (required)
• Assigning an Interface to a dMLPPP Bundle, page 22-15 (required)
• Configuring LFI over dMLPPP, page 22-16 (optional)

Creating a dMLPPP Bundle

To configure a dMLPPP bundle, use the following commands beginning in global configuration mode:

Step / Command / Purpose
Step 1  Router(config)# interface multilink group-number
    Creates a multilink interface and enters interface configuration mode. group-number specifies the group number for the multilink bundle.
Step 2  Router(config-if)# ip address ip-address mask
    Sets the IP address for the multilink group. ip-address specifies the IP address for the interface; mask specifies the mask for the associated IP subnet.
Step 3  Router(config-if)# ppp multilink interleave
    (Optional; software-based link fragmentation and interleaving [LFI]) Enables fragmentation for the interfaces assigned to the multilink bundle. Fragmentation is disabled by default in software-based LFI.
Step 4  Router(config-if)# ppp multilink fragment-delay delay
    (Optional) Sets the fragment size that satisfies the configured delay on the multilink bundle. delay specifies the delay in milliseconds.

Assigning an Interface to a dMLPPP Bundle

To configure an interface as a PPP link and associate it as a member of a multilink bundle, use the following commands beginning in global configuration mode. Repeat these steps to assign multiple links to the dMLPPP bundle.

Step / Command / Purpose
Step 1  Router(config)# interface serial slot/subslot/port
    Specifies a serial interface and enters interface configuration mode, where slot is the chassis slot number where the SIP is installed, subslot is the secondary slot number on the SIP where the SPA is installed, and port is the number of the interface port on the SPA.
    Note: If you configure a fractional interface on the SPA using a channel group and specify that fractional channel group as part of this task, software-based dMLPPP is implemented automatically by the Cisco 7600 SIP-200 when you assign the interface to the dMLPPP bundle.
Step 2  Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Step 3  Router(config-if)# ppp multilink-group group-number
    Restricts the physical link to joining only the designated multilink group interface. Enter the multilink group number.
Step 4  Router(config-if)# ppp authentication chap
    (Optional) Enables Challenge Handshake Authentication Protocol (CHAP) authentication, so that the far end must prove possession of the shared secret before the link joins the bundle.

The following example uses the ppp chap hostname command. The hostname is what distinguishes this bundle from other bundles between the same two routers; it is reported as the bundle name and endpoint discriminator in show ppp multilink.

Router(config)# interface Serial4/1/0
Router(config-if)# no ip address
Router(config-if)# encapsulation ppp
Router(config-if)# ppp chap hostname X1
Router(config-if)# ppp multilink group 1
Router(config-if)# end

The command takes a single word as the alternate CHAP hostname:

Router(config-if)# ppp chap hostname ?
  WORD  Alternate CHAP hostname

Configuring LFI over dMLPPP

LFI over dMLPPP is supported in software on the Cisco 7600 SIP-200. This support is determined by your link configuration.

Guidelines

When configuring LFI over dMLPPP, consider the following guidelines for software-based LFI:

• LFI over dMLPPP is configured in software if there is more than one link assigned to the dMLPPP bundle.
• LFI is disabled by default in software-based LFI. To enable LFI on the multilink interface, use the ppp multilink interleave command.
• Fragment size is calculated from the configured delay and the member link bandwidth.
• You must configure a policy map with a priority class under the multilink interface.
• Compressed Real-Time Protocol (CRTP) should not be configured on a multilink interface when LFI is enabled on that interface, when the multilink bundle has more than one member link, or when a QoS policy with a priority feature is enabled on the multilink interface.
• You must use the shutdown and no shutdown commands in interface configuration mode after configuring interleave on the multilink interface.

Verifying dMLPPP

To verify the dMLPPP configuration, use the show ppp multilink command, as shown in the following example:

Router# show ppp multilink
Multilink1
  Bundle name: X1
  Remote Endpoint Discriminator: [1] X1
  Local Endpoint Discriminator: [1] X1
  Bundle up for 00:00:08, total bandwidth 4032, load 1/255
  Receive buffer limit 24000 bytes, frag timeout 1000 ms
  Bundle is Distributed
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x2 received sequence, 0x2 sent sequence
  Member links: 2 active, 0 inactive (max not set, min not set)
    Se4/1/0, since 00:00:10
    Se4/1/1, since 00:00:07

Configuring MLFR

Multilink Frame Relay (MLFR) allows you to combine lines into a bundle that has the combined bandwidth of the multiple lines. You choose the number of bundles and the number of lines in each bundle. This allows you to increase the bandwidth of your network links beyond that of a single line.

MLFR Configuration Guidelines

MLFR functions in hardware if all of the following conditions are met:

• All links in the bundle are member links.
• All links are on the same SPA.

Creating a Multilink Bundle

To create a multilink bundle, use the following commands:

Command / Purpose
Router# configure terminal
    Enters global configuration mode.
Router(config)# interface mfr number
    Configures an MLFR bundle interface. number is the number for the MLFR bundle.
Router(config-if)# frame-relay multilink bid name
    (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle. name is the name for the MLFR bundle.
    Note: The bundle identification (BID) does not take effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is to use the shutdown and no shutdown commands in interface configuration mode.

Assigning an Interface to a Multilink Bundle

To assign an interface to a multilink bundle, use the following commands:

Command / Purpose
Router# configure terminal
    Enters global configuration mode.
Router(config)# interface serial slot/subslot/port:channel-group
    Selects the interface to assign. slot/subslot/port:channel-group specifies the location of the interface; see the "Specifying the Interface Address on a SPA" section on page 22-2.
Router(config-if)# encapsulation frame-relay mfr number [name]
    Creates an MLFR bundle link and associates the link with a bundle. number is the number for the MLFR bundle; name (optional) is the name for the MLFR bundle.
Router(config-if)# frame-relay multilink lid name
    (Optional) Assigns a bundle link identification name to a multilink Frame Relay bundle link. name is the name for the bundle link.
    Note: The bundle link identification (LID) does not take effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is to use the shutdown and no shutdown commands in interface configuration mode.
Router(config-if)# frame-relay multilink hello seconds
    (Optional) Configures the interval at which a bundle link sends hello messages. seconds is the number of seconds between hello messages sent over the multilink bundle. The default is 10 seconds.
Router(config-if)# frame-relay multilink ack seconds
    (Optional) Configures how long a bundle link waits for a hello message acknowledgment before resending the hello message. seconds is the wait time in seconds. The default is 4 seconds.
Router(config-if)# frame-relay multilink retry number
    (Optional) Configures the maximum number of times a bundle link resends a hello message while waiting for an acknowledgment. number is that maximum. The default is 2 tries.

Verifying Multilink Frame Relay

Use the show frame-relay multilink detailed command to verify the Frame Relay multilink bundles:

Router# show frame-relay multilink detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
  BID = MFR49
  No. of bundle links = 1, Peer's bundle-id =
  Bundle links:
    Serial6/0/0, HW state = up, link state = Add_sent, LID = test
      Cause code = none, Ack timer = 4, Hello timer = 10,
      Max retry count = 2, Current count = 0,
      Peer LID = , RTT = 0 ms
      Statistics:
        Add_link sent = 21, Add_link rcv'd = 0,
        Add_link ack sent = 0, Add_link ack rcv'd = 0,
        Add_link rej sent = 0, Add_link rej rcv'd = 0,
        Remove_link sent = 0, Remove_link rcv'd = 0,
        Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
        Hello sent = 0, Hello rcv'd = 0,
        Hello_ack sent = 0, Hello_ack rcv'd = 0,
        outgoing pak dropped = 0, incoming pak dropped = 0

In this output the bundle is down even though the member link hardware is up: the local end has sent 21 Add_link messages and received nothing back (link state Add_sent, no Peer's bundle-id, no Peer LID), which points at a peer that is not running MLFR on that circuit or is configured with a different bundle.

Configuring Multipoint Bridging

Multipoint bridging (MPB) enables the connection of multiple ATM permanent virtual circuits (PVCs), Frame Relay PVCs, Bridge Control Protocol (BCP) ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks. Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud. This also allows service providers to gradually update their core networks to the latest Gigabit Ethernet optical technologies, while still supporting their existing customer base.

For MPB configuration guidelines and restrictions and feature compatibility tables, see the "Configuring Multipoint Bridging" section on page 4-36 of Chapter 4, "Configuring the SIPs and SSC."

Configuring Bridging Control Protocol Support

The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN (VLAN), and high-speed switched LANs.
For BCP configuration guidelines and restrictions and feature compatibility tables, see the "BCP Feature Compatibility" section on page 4-56 of Chapter 4, "Configuring the SIPs and SSC."

Configuring BCP on MLPPP

BCP on MLPPP Configuration Guidelines

• Only Distributed MLPPP is supported.
• Only channelized interfaces are allowed, and member links must be from the same controller card.
• Only trunk port BCP is supported on MLPPP.
• Bridging can be configured only on the bundle interface.

Note: BCP on MLPPP operates only in trunk mode.

Configuring BCP on MLPPP Trunk Mode

To configure BCP on MLPPP in trunk mode, perform these steps:

Step / Command / Purpose
Step 1  Router(config)# interface multilink group-number
    Selects the multilink interface.
Step 2  Router(config-if)# switchport
    Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.
Step 3  Router(config-if)# switchport trunk allowed vlan 100
    By default, no VLANs are allowed. Use this command to explicitly allow VLANs (VLAN 100 in this example); valid values are from 1 to 4094.
Step 4  Router(config-if)# switchport mode trunk
    Configures the router port connected to the switch as a VLAN trunk port.
Step 5  Router(config-if)# switchport nonegotiate
    Puts the port into permanent trunking mode but prevents it from generating DTP frames, so the trunk state cannot be negotiated by the far end.
Step 6  Router(config-if)# no ip address
    Removes any IP address from the interface.
Step 7  Router(config-if)# switchport trunk allowed vlan vlan-list
    By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.
Step 8  Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 9  Router(config-if)# multilink-group group-number
    Assigns this interface to the multilink group.
Step 10  Router(config-if)# shutdown
    Shuts down the interface.
Step 11  Router(config-if)# no shutdown
    Brings the interface back up.
Step 12  Router(config-if)# interface serial slot/subslot/port
    Selects the first serial interface that will become a member link of the bundle.
Step 13  Router(config-if)# no ip address
    Removes any IP address from the interface.
Step 14  Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Step 15  Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 16  Router(config-if)# multilink-group 1
    Assigns this interface to multilink group 1.
Step 17  Router(config-if)# interface serial slot/subslot/port
    Selects the next serial interface that will become a member link of the bundle.
Step 18  Router(config-if)# no ip address
    Removes any IP address from the interface.
Step 19  Router(config-if)# encapsulation ppp
    Enables PPP encapsulation.
Step 20  Router(config-if)# ppp multilink
    Enables this interface to support MLP.
Step 21  Router(config-if)# multilink-group group-number
    Assigns this interface to the multilink group.

Verifying BCP on MLPPP Trunk Mode

To display information about Multilink PPP, use the show ppp multilink command in EXEC mode. The following is an example of the show ppp multilink command:

Router# show ppp multilink
Multilink1, bundle name is group 1
  Bundle is Distributed
  0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent
  0 discarded, 0 lost received, 1/255 load
  Member links: 4 active, 0 inactive (max no set, min not set)
    Serial1/0/1
    Serial1/0/2
    Serial1/0/3
    Serial1/0/4

FRF.12 Guidelines

For FRF.12, note the following:

• The fragmentation is configured at the main interface.
• Any fragmentation size is available.
For information on configuring FRF.12 on the Cisco SIP-200, see:
• http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/76sipspa/sipspasw/76sipssc/76cfgsip.htm#wp1135593
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fvvfax_c/vvfvofr.htm

LFI Guidelines

LFI can function in two ways: using FRF.12 or MLPPP.

FRF.12 LFI Guidelines

For LFI using FRF.12, note the following:
• The fragmentation is configured at the main interface.
• Any fragmentation size is available.

Saving the Configuration

To save your running configuration to nonvolatile random-access memory (NVRAM), use the copy running-config startup-config command in privileged EXEC mode. For more information about managing configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

Verifying the Interface Configuration

Besides using the show running-config command to display your Cisco 7600 series router configuration settings, you can use the show interfaces serial and the show controllers serial commands to get detailed information on a per-port basis for your 4-Port Serial Interface SPA.

Verifying Per-Port Interface Status

To find detailed interface information on a per-port basis for the 4-Port Serial Interface SPA, use the show interfaces serial command to display port-specific information.
The following example provides sample output for the serial interface:

Router# show interface serial4/0/0
Serial4/0/0 is down, line protocol is down
  Hardware is SPA-4T
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     RTS down, CTS down, DTR down, DCD down, DSR down

The last line shows the state of the control leads; with the interface down, all of them are down. To find detailed status and statistical information on a per-port basis for the 4-Port Serial Interface SPA, use the show controllers serial command.
Command for saving the configuration (see the "Saving the Configuration" section): Router# copy running-config startup-config. Purpose: writes the new configuration to NVRAM.

The following example provides sample controller statistics:

Router# show controller serial 2/0/0
Serial2/0/0 - (SPA-4XT-SERIAL) is down
  Encapsulation : HDLC
  Cable type: RS-232 DTE
  mtu 1500, max_buffer_size 1524, max_pak_size 1656 enc 132
  loopback: Off, crc: 16, invert_data: Off
  nrzi: Off, idle char: Flag
  tx_invert_clk: Off, ignore_dcd: Off
  rx_clockrate: 0, rx_clock_threshold: 0
  serial_restartdelay:60000, serial_restartdelay_def:60000
  RTS up, CTS down, DTR up, DCD down, DSR down
Router#

Configuration Examples

This section includes the following configuration examples:
• Inverting the Clock Signal Configuration Example, page 22-23
• NRZI Format Configuration Example, page 22-23
• Cyclic Redundancy Checks Configuration Example, page 22-24
• Encapsulation Configuration Example, page 22-24
• Distributed Multilink PPP Configuration Example, page 22-24
• MLFR Configuration Example, page 22-24
• Bridging Control Protocol Support Configuration Example, page 22-24
• BCP on MLPPP Configuration Example, page 22-25

Inverting the Clock Signal Configuration Example

Router(config)# interface serial3/0/0
Router(config-if)# invert txclock ?
Router(config-if)# invert txclock
Router(config-if)# invert ?
  data     Invert data stream
  txclock  Invert transmit clock
Router(config-if)# invert data

NRZI Format Configuration Example

Router(config-if)# nrzi-encoding ?

Cyclic Redundancy Checks Configuration Example

Router(config-if)# crc ?
  16  crc word-size
  32  crc word-size
Router(config-if)# crc 32

Encapsulation Configuration Example

Router(config-if)# interface 1
Router(config-if)# encapsulation ppp

Distributed Multilink PPP Configuration Example

Router(config)# interface multilink1
Router(config-if)# ip addr 10.0.0.1 255.255.255.0
Router(config)# interface serial3/2/0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp chap hostname X1
Router(config-if)# ppp multilink group 1
Router(config-if)#

MLFR Configuration Example

Router(config)# interface MFR1
Router(config-if)# frame-relay intf dce
Router(config-if)# frame-relay bid B1
Router(config-if)# interface MFR1.1 point-to-point
Router(config-if)# frame-relay interface-dlci 16
Router(config-if)# ip addr 10.0.0.1 255.255.255.0
Router(config-if)# interface serial3/2/0
Router(config-if)# encapsulation frame-relay MFR1
Router(config-if)# frame-relay multilink lid X1
Router(config-if)#

Bridging Control Protocol Support Configuration Example

Router(config)# interface serial3/2/0
Router(config-if)# switchport
%Serial3/2/0 - Bridge Domain configuration precludes IP routing on this interface.
%Bridging is enabled. The MTU should be at least 1524.
%Please shut/no shut Serial3/2/0 to bring up BCP
Router(config-if)# shut
Router(config-if)# no shut
Router(config-if)# switchport mode trunk ?
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 100

The three messages after switchport are expected: they state that the interface is now a Layer 2 port, that the MTU must be raised to at least 1524 to carry bridged frames, and that a shut/no shut is required to bring up BCP, which the next two commands perform.

BCP on MLPPP Configuration Example

Router(config)# interface multilink1
Router(config-if)# switchport
%Multilink1 - Bridge Domain configuration precludes IP routing on this interface.
%Bridging is enabled. The MTU should be at least 1524.
%Please shut/no shut Multilink1 to bring up BCP
Router(config-if)# shut
Router(config-if)# no shut
Router(config-if)# switchport mode trunk ?
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 100

Chapter 23 Troubleshooting the Serial SPAs

This chapter describes techniques that you can use to troubleshoot the operation of your serial SPAs. It includes the following sections:
• General Troubleshooting Information, page 23-1
• Performing Basic Interface Troubleshooting, page 23-2
• Using Bit Error Rate Tests, page 23-14
• Using loopback Commands, page 23-16
• Using the Cisco IOS Event Tracer to Troubleshoot Problems, page 23-18
• Preparing for Online Insertion and Removal of a SPA, page 23-18

The first section provides information about basic interface troubleshooting. If you are having a problem with your SPA, use the steps in the "General Troubleshooting Information" section on page 23-1 to begin your investigation of a possible interface configuration problem. To perform more advanced troubleshooting, see the other sections in this chapter. For more information about troubleshooting serial lines, see the Internetwork Troubleshooting Handbook at http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/index.htm.

General Troubleshooting Information

This section describes general information for troubleshooting SIPs and SPAs.
It includes the following sections:
• Interpreting Console Error Messages, page 23-1
• Using debug Commands, page 23-2
• Using show Commands, page 23-2

Interpreting Console Error Messages

To view the explanations and recommended actions for Cisco 7600 series router error messages, including messages related to Cisco 7600 series router SIPs and SPAs, refer to the following documents:
• Cisco 7600 Series Cisco IOS System Message Guide, 12.2SR
• System Error Messages for Cisco IOS Release 12.2S (for error messages in Release 12.2S)

System error messages are organized in the documentation according to the particular system facility that produces the messages. The SIP and SPA error messages use the following facility names:
• Cisco 7600 SIP-200: C7600_SIP200
• 2-Port and 4-Port Channelized T3 SPA: SPA_CHOC_DSX

Using debug Commands

Along with the other debug commands supported on the Cisco 7600 series router, you can obtain specific debug information for SPAs on the Cisco 7600 series router using the debug hw-module subslot privileged EXEC command. The debug hw-module subslot command is intended for use by Cisco Systems technical support personnel. For more information about the debug hw-module subslot command, refer to the Cisco IOS Software Releases 12.2SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.

Caution
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users.
Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use. For information about other debug commands supported on the Cisco 7600 series router, refer to the Cisco IOS Debug Command Reference, Release 12.2 and any related feature documents for Cisco IOS Release 12.2SX.

Using show Commands

There are several show commands that you can use to monitor and troubleshoot the SIPs and SPAs on the Cisco 7600 series router. This chapter describes using the show interfaces and show controllers commands to troubleshoot your SPA. For more information about show commands to verify and monitor SIPs and SPAs, see the following chapters of this guide:
• Chapter 17, "Configuring the 8-Port Channelized T1/E1 SPA"
• Chapter 18, "Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs"
• Chapter 19, "Configuring the 2-Port and 4-Port Channelized T3 SPAs"

Performing Basic Interface Troubleshooting

You can perform most of the basic interface troubleshooting using the show interfaces serial command and examining several areas of the output to determine how the interface is operating. The output of the show interfaces serial EXEC command displays information specific to serial interfaces.

Note
The output of the show interfaces serial command varies depending on the type of serial SPA.

This section describes how to use the show interfaces serial command to diagnose serial line connectivity problems in a wide-area network (WAN) environment.
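The checks this section walks through by hand (the status line conditions of Table 23-1 and the increasing-counter symptoms of Tables 23-2 through 23-7) can be applied mechanically to two successive copies of show interfaces serial output; two are needed because every symptom in those tables is an increasing count, which a single show cannot establish. The following Python script is an added example, not part of this guide or of Cisco IOS. The snapshots it parses are constructed for the example in the field layout shown in this chapter, the finding names are the example's own labels, and the 1 percent default threshold follows the note in the input errors section below.

```python
"""Apply this chapter's show interfaces serial checks to two snapshots.

Added example, not code from the Cisco guide or from Cisco IOS. The snapshots
are constructed here in the field layout of show interfaces serial; finding
names are this example's own labels.
"""
import re

STATUS_RE = re.compile(
    r"^(?P<iface>Serial\S+) is (?P<phys>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)(?: \((?P<qual>looped|disabled)\))?",
    re.MULTILINE,
)

# Table 23-1: (interface, line protocol, qualifier) -> where to look first.
STATUS_TABLE = {
    ("up", "up", None): "normal; no action required",
    ("up", "up", "looped"): "loop in circuit: look for loopback commands and CSU/DSU manual loopback",
    ("down", "down", None): "no carrier detect: check cabling, CSU/DSU and carrier service",
    ("up", "down", None): "keepalives not exchanged: local loopback test, then config, cabling, clocking",
    ("up", "down", "disabled"): "high error rate: serial analyzer, DTE loop, swap bad hardware",
    ("administratively down", "down", None): "shutdown configured, or a duplicate IP address",
}


def sample(status, pkts_in, crc=0, frame=0, abort=0, in_drops=0,
           out_drops=0, resets=0, carrier=0):
    """Render a constructed snapshot containing the fields the tables use."""
    return (
        f"Serial5/0/0 is {status}\n"
        "  Hardware is SPA-4T3E3\n"
        "  Encapsulation HDLC, crc 16, loopback not set\n"
        f"  Input queue: 0/75/{in_drops}/0 (size/max/drops/flushes); "
        f"Total output drops: {out_drops}\n"
        f"     {pkts_in} packets input, {pkts_in * 44} bytes, 0 no buffer\n"
        f"     {crc + frame + abort} input errors, {crc} CRC, {frame} frame, "
        f"0 overrun, 0 ignored, {abort} abort\n"
        f"     0 output errors, 0 applique, {resets} interface resets\n"
        f"     {carrier} carrier transitions\n"
    )


def _count(text, label):
    """Return the integer in front of a counter label such as 'CRC'."""
    m = re.search(r"(\d+) " + re.escape(label) + r"\b", text)
    return int(m.group(1)) if m else 0


def counters(text):
    """Pull the counters the troubleshooting tables refer to."""
    q = re.search(r"Input queue: \d+/\d+/(\d+)/\d+", text)
    o = re.search(r"Total output drops: (\d+)", text)
    return {
        "packets_in": _count(text, "packets input"),
        "crc": _count(text, "CRC"),
        "frame": _count(text, "frame"),
        "abort": _count(text, "abort"),
        "in_drops": int(q.group(1)) if q else 0,
        "out_drops": int(o.group(1)) if o else 0,
        "resets": _count(text, "interface resets"),
        "carrier": _count(text, "carrier transitions"),
    }


def analyze(before, after, error_threshold=0.01):
    """Classify the status line of `after` and flag counters that grew
    between the two snapshots, the way Tables 23-1 to 23-7 do."""
    m = STATUS_RE.search(after)
    if m is None:
        raise ValueError("no show interfaces serial status line found")
    b, a = counters(before), counters(after)
    d = {k: a[k] - b[k] for k in a}            # growth over the interval
    errors = d["crc"] + d["frame"] + d["abort"]
    findings = []
    # Tables 23-4/23-5: CRC, framing or abort errors above 1% of traffic
    if d["packets_in"] > 0 and errors / d["packets_in"] > error_threshold:
        findings.append("input_errors_over_threshold")
    if d["out_drops"] > 0:                      # Table 23-2
        findings.append("output_drops_increasing")
    if d["in_drops"] > 0:                       # Table 23-3
        findings.append("input_drops_increasing")
    if d["resets"] > 0:                         # Table 23-6
        if d["out_drops"] > 0:
            findings.append("resets_with_congestion")
        if d["carrier"] > 0 or errors > 0:
            findings.append("resets_with_line_trouble")
    if d["carrier"] > 0:                        # Table 23-7
        findings.append("carrier_transitions_increasing")
    qual = f" ({m['qual']})" if m["qual"] else ""
    return {
        "interface": m["iface"],
        "status": f"{m['phys']}, line protocol {m['proto']}{qual}",
        "diagnosis": STATUS_TABLE.get((m["phys"], m["proto"], m["qual"]),
                                      "unrecognized status line"),
        "findings": findings,
    }


if __name__ == "__main__":
    first = sample("up, line protocol is up", 1_000_000, crc=100)
    later = sample("up, line protocol is up", 1_100_000, crc=2_100,
                   out_drops=50, resets=2, carrier=3)
    print(analyze(first, later))
```

In practice the two snapshots come from the same show interfaces serial command run a few minutes apart (or from clear counters followed by one show); the script deliberately reports only deltas, so a large historical CRC count on an otherwise healthy interface does not trigger a finding.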
The following sections describe some of the important fields of the command output:
• Serial Lines: show interfaces serial Status Line Conditions, page 23-3
• Serial Lines: Increasing Output Drops on Serial Link, page 23-7
• Serial Lines: Increasing Input Drops on Serial Link, page 23-8
• Serial Lines: Increasing Input Errors in Excess of 1 Percent of Total Interface Traffic, page 23-9
• Serial Lines: Troubleshooting Serial Line Input Errors, page 23-9
• Serial Lines: Increasing Interface Resets on Serial Link, page 23-12
• Serial Lines: Increasing Carrier Transitions Count on Serial Link, page 23-13

Serial Lines: show interfaces serial Status Line Conditions

You can identify five possible problem states in the interface status line of the show interfaces serial display:
• Serial x is down, line protocol is down
• Serial x is up, line protocol is down
• Serial x is up, line protocol is up (looped)
• Serial x is up, line protocol is down (disabled)
• Serial x is administratively down, line protocol is down

The following example shows the interface statistics on the first port of a T3/E3 SPA installed in subslot 0 of the SIP located in chassis slot 5.
Router# show interfaces serial
Serial5/0/0 is up, line protocol is up
  Hardware is SPA-4T3E3
  Internet address is 110.1.1.2/24
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 234/255, rxload 234/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:05, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 40685000 bits/sec, 115624 packets/sec
  5 minute output rate 40685000 bits/sec, 115627 packets/sec
     4653081241 packets input, 204735493724 bytes, 0 no buffer
     Received 4044 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     4652915555 packets output, 204728203520 bytes, 0 underruns
     0 output errors, 0 applique, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions

Table 23-1 shows the interface status conditions, possible problems associated with the conditions, and solutions to those problems.

Table 23-1 Serial Lines: show interfaces serial Status Line Conditions

Status line condition: Serial x is up, line protocol is up
Possible problem: None. This is the proper status line condition.
Solution: No action is required.

Status line condition: Serial x is down, line protocol is down
Possible problems:
• The router is not sensing a carrier detect (CD) signal (that is, CD is not active).
• The line is down or is not connected on the far end.
• Cabling is faulty or incorrect.
• Hardware failure has occurred in the channel service unit/data service unit (CSU/DSU).
Solution:
1. Check the CD LEDs to see whether CD is active, or insert a breakout box on the line to check for the CD signal.
2.
Verify that you are using the proper cable (see your hardware installation documentation).
3. Insert a breakout box and check all control leads.
4. Contact your leased-line or other carrier service to see whether there is a problem.
5. Swap faulty parts.
6. If you suspect faulty router hardware, change the serial line to another port. If the connection comes up, the previously connected interface has a problem.

Status line condition: Serial x is up, line protocol is down
Possible problems:
• A local or remote router is misconfigured.
• Keepalives are not being sent by the remote router.
• A leased-line or other carrier service problem has occurred (noisy line, or misconfigured or failed switch).
• A timing problem has occurred on the cable.
• A local or remote CSU/DSU has failed.
• Router hardware (local or remote) has failed.
Solution:
1. Put the line in local loopback mode and use the show interfaces serial command to determine whether the line protocol comes up.
   Note: If the line protocol comes up, a failed remote device is the likely problem. This test works only with High-Level Data Link Control (HDLC) encapsulation. With Frame Relay (FR) or Point-to-Point Protocol (PPP) encapsulation a looped interface always has the line protocol down, so you may need to change the encapsulation to HDLC temporarily to debug this issue.
2. If the problem appears to be on the remote end, repeat Step 1 on the remote interface.
3. Verify all cabling. Make certain that the cable is attached to the correct interface, the correct CSU/DSU, and the correct remote termination point.
4. Enable the debug serial interface EXEC command.
   Note: First enable per-interface debugging with the debug interface serial x command, and then, depending on the encapsulation, enable the corresponding debug:
   • For HDLC: debug serial interface
   • For PPP: debug ppp negotiation
   • For FR: debug frame-relay lmi

Caution
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

5. If the line protocol does not come up in local loopback mode, and if the output of the debug serial interface EXEC command shows that the keepalive counter is not incrementing, a router hardware problem is likely. Swap router interface hardware.
6. If the line protocol comes up and the keepalive counter increments, the problem is not in the local router.
7. If you suspect faulty router hardware, change the serial line to an unused port. If the connection comes up, the previously connected interface has a problem.

Status line condition: Serial x is up, line protocol is up (looped)
Possible problem: A loop exists in the circuit. The sequence number in the keepalive packet changes to a random number when a loop is initially detected. If the same random number is returned over the link, a loop exists.
Solution:
1. Use the show running-config privileged EXEC command to look for any loopback interface configuration command entries.
2. If you find a loopback interface configuration command entry, use the no loopback interface configuration command to remove the loop.
3.
If you do not find the loopback interface configuration command, examine the CSU/DSU to determine whether it is configured in manual loopback mode. If it is, disable manual loopback.
4. Reset the CSU or DSU, and inspect the line status. If the line protocol comes up, no other action is needed.
5. If the CSU or DSU is not configured in manual loopback mode, contact the leased-line or other carrier service for line troubleshooting assistance.

Serial Lines: Increasing Output Drops on Serial Link

Output drops appear in the output of the show interfaces serial command when the system is attempting to hand off a packet to a transmit buffer but no buffers are available.

Symptom: Increasing output drops on serial link

Table 23-2 outlines the possible problem that might cause this symptom and describes solutions to that problem.

Table 23-1 Serial Lines: show interfaces serial Status Line Conditions (continued)

Status line condition: Serial x is up, line protocol is down (disabled)
Possible problems:
• A high error rate has occurred due to a remote device problem.
• A CSU or DSU hardware problem has occurred.
• Router hardware (interface) is bad.
Solution:
1. Troubleshoot the line with a serial analyzer and breakout box. Examine the output of show controller t1, show controller t3, or show controller serial x, depending on whether the SPA is a T1/E1, CT3, or T3/E3 SPA.
2. Loop the CSU/DSU (DTE loop). If the problem continues, it is likely that there is a hardware problem. If the problem does not continue, it is likely that there is a telephone company problem.
3. Swap out bad hardware, as required (CSU, DSU, switch, local or remote router).

Status line condition: Serial x is administratively down, line protocol is down
Possible problems:
• The router configuration includes the shutdown interface configuration command.
• A duplicate IP address exists.
Solution:
1.
Check the router configuration for the shutdown command.
2. Use the no shutdown interface configuration command to remove the shutdown command.
3. Verify that there are no identical IP addresses using the show running-config privileged EXEC command or the show interfaces EXEC command.
4. If there are duplicate addresses, resolve the conflict by changing one of the IP addresses.

Serial Lines: Increasing Input Drops on Serial Link

Input drops appear in the output of the show interfaces serial EXEC command when too many packets from that interface are still being processed in the system.

Symptom: Increasing number of input drops on serial link

Table 23-3 outlines the possible problem that might cause this symptom and describes solutions to that problem.

Table 23-2 Serial Lines: Increasing Output Drops on Serial Link

Possible problem: Input rate to serial interface exceeds bandwidth available on serial link.
Solution:
1. Minimize periodic broadcast traffic, such as routing and Service Advertising Protocol (SAP) updates, by using access lists or by other means. For example, to increase the delay between SAP updates, use the ipx sap-interval interface configuration command.
2. Increase the output hold queue size in small increments (for instance, 25 percent), using the hold-queue out interface configuration command.
3. Implement priority queuing on slower serial links by configuring priority lists. For information on configuring priority lists, see the Cisco IOS configuration guides and command references.

Note
Output drops are acceptable under certain conditions.
For instance, if a link is known to be overused (with no way to remedy the situation), it is often considered preferable to drop packets than to hold them. This is true for protocols that support flow control and can retransmit data (such as TCP/IP and Novell Internetwork Packet Exchange [IPX]). However, some protocols, such as DECnet and local-area transport, are sensitive to dropped packets and accommodate retransmission poorly, if at all.

Table 23-3 Serial Lines: Increasing Input Drops on Serial Link

Possible problem: Input rate exceeds the capacity of the router, or input queues exceed the size of output queues.

Note
Input drop problems are typically seen when traffic is being routed between faster interfaces (such as Ethernet, Token Ring, and Fiber Distributed Data Interface [FDDI]) and serial interfaces. When traffic is light, there is no problem. As traffic rates increase, backups start occurring. Routers drop packets during these congested periods.

Solution:
1. Increase the output queue size on common destination interfaces for the interface that is dropping packets. Use the hold-queue number out interface configuration command. Increase these queues by small increments (for instance, 25 percent) until you no longer see drops in the show interfaces command output. The default output hold queue limit is 40 packets.
2. Reduce the input queue size, using the hold-queue number in interface configuration command, to force input drops to become output drops. Output drops have less impact on the performance of the router than do input drops. The default input hold queue is 75 packets.

Serial Lines: Increasing Input Errors in Excess of 1 Percent of Total Interface Traffic

If input errors appear in the show interfaces serial command output, there are several possible sources of those errors.
The most likely sources, along with possible solutions, are summarized in Table 23-4.

Note
Any input error value for cyclic redundancy check (CRC) errors, framing errors, or aborts above 1 percent of the total interface traffic suggests some kind of link problem that should be isolated and repaired.

Symptom: Increasing number of input errors in excess of 1 percent of total interface traffic.

Serial Lines: Troubleshooting Serial Line Input Errors

Table 23-5 describes the various types of input errors displayed by the show interfaces serial command, possible problems that might be causing the errors, and solutions to those problems.

Table 23-4 Serial Lines: Increasing Input Errors in Excess of 1 Percent of Total Interface Traffic

Possible problems:
• Faulty telephone company equipment
• Noisy serial line
• Incorrect clocking configuration
• Incorrect cable or cable that is too long
• Bad cable or connection
• Bad CSU or DSU
• Bad router hardware
• Data converter or other device being used between router and DSU

Note
Cisco strongly recommends against the use of data converters when you are connecting a router to a WAN or a serial network.

Solution:
1. Use a serial analyzer to isolate the source of the input errors. If you detect errors, there likely is a hardware problem or a clock mismatch in a device that is external to the router.
2. Use the loopback and ping tests to isolate the specific problem source.
3. Look for patterns.
For example, if errors occur at a consistent interval, they could be related to a periodic function, such as the sending of routing updates.

Table 23-5 Serial Lines: Troubleshooting Serial Line Input Errors

Input error type (field name): CRC errors (CRC)
Possible problem: CRC errors occur when the CRC calculation does not pass (indicating that data is corrupted) for one of the following reasons:
• The serial line is noisy.
• The serial cable is too long, or the cable from the CSU/DSU to the router is not shielded.
• Serial clock transmit external (SCTE) mode is not enabled on the DSU.
• The CSU line clock is incorrectly configured.
• A ones density problem has occurred on the T1 link (incorrect framing or coding specification).
Solution:
1. Ensure that the line is clean enough for transmission requirements. Shield the cable, if necessary.
2. Make sure that the cable is within the recommended length (no more than 50 feet [15.24 meters], or 25 feet [7.62 meters] for a T1 link).
3. Ensure that all devices are properly configured for a common line clock. Set SCTE on the local and remote DSU. If your CSU/DSU does not support SCTE, see the "Inverting the Clock Signal Configuration Example" section in Chapter 22.
4. Make certain that the local and remote CSU/DSU are configured for the same framing and coding scheme as that used by the leased-line or other carrier service (for example, Extended Superframe Format/binary eight-zero substitution [ESF/B8ZS]).
5.
Contact your leased-line or other carrier service, and have it perform integrity tests on the line.

Input error type (field name): Framing errors (frame)
Possible problem: A framing error occurs when a packet does not end on an 8-bit byte boundary for one of the following reasons:
• The serial line is noisy.
• The cable is improperly designed, the serial cable is too long, or the cable from the CSU or DSU to the router is not shielded.
• SCTE mode is not enabled on the DSU, the CSU line clock is incorrectly configured, or one of the clocks is configured for local clocking.
• A ones density problem has occurred on the T1 link (incorrect framing or coding specification).
Solution:
1. Ensure that the line is clean enough for transmission requirements. Shield the cable, if necessary. Make certain that you are using the correct cable.
2. Make sure that the cable is within the recommended length (no more than 50 feet [15.24 meters], or 25 feet [7.62 meters] for a T1 link).
3. Ensure that all devices are properly configured to use a common line clock. Set SCTE on the local and remote DSU.
4. Make certain that the local and remote CSU/DSU are configured for the same framing and coding scheme as that used by the leased-line or other carrier service (for example, ESF/B8ZS).
5. Contact your leased-line or other carrier service, and have it perform integrity tests on the line.

Serial Lines: Increasing Interface Resets on Serial Link

Interface resets that appear in the output of the show interfaces serial EXEC command are the result of missed keepalive packets.
Symptom: Increasing interface resets on serial link

Table 23-6 outlines the possible probl
ems that might cause this symptom and describes solutions to those problems.

Table 23-5 Serial Lines: Troubleshooting Serial Line Input Errors (continued)

Input error type (field name): Aborted transmission (abort)
Possible problem: Aborts indicate an illegal sequence of 1 bits (more than seven in a row). The following are possible reasons for this to occur:
• SCTE mode is not enabled on the DSU.
• The CSU line clock is incorrectly configured.
• The serial cable is too long, or the cable from the CSU or DSU to the router is not shielded.
• A ones density problem has occurred on the T1 link (incorrect framing or coding specification).
• A packet was terminated in the middle of transmission (the typical cause is an interface reset, a framing error, or a buffer overrun).
• A hardware problem has occurred (bad circuit, bad CSU/DSU, or bad sending interface on the remote router).
Solution:
1. Ensure that all devices are properly configured to use a common line clock. Set SCTE on the local and remote DSU.
2. Shield the cable, if necessary. Make certain that the cable is within the recommended length (no more than 50 feet [15.24 meters], or 25 feet [7.62 meters] for a T1 link). Ensure that all connections are good.
3. Check the hardware at both ends of the link. Swap faulty equipment, as necessary.
4. Lower data rates and determine whether aborts decrease.
5. Use local and remote loopback tests to determine where aborts are occurring.
6. Contact your leased-line or other carrier service, and have it perform integrity tests on the line.
Serial Lines: Increasing Carrier Transitions Count on Serial Link

Carrier transitions appear in the output of the show interfaces serial EXEC command whenever there is an interruption in the carrier signal (such as an interface reset at the remote end of a link).

Symptom: Increasing carrier transitions count on serial link

Table 23-7 outlines the possible problems that might cause this symptom and describes solutions to those problems.

Table 23-6 Serial Lines: Increasing Interface Resets on Serial Link

Possible problems:
• Congestion on link (typically associated with output drops)
• Bad line causing CD transitions
• Possible hardware problem at the CSU, DSU, or switch
Solution: When interface resets are occurring, examine other fields of the show interfaces serial command output to determine the source of the problem. Assuming that an increase in interface resets is being recorded, examine the following fields:
1. If there is a high number of output drops in the show interfaces serial output, see the "Serial Lines: Increasing Output Drops on Serial Link" section on page 23-7.
2. Check the Carrier Transitions field in the show interfaces serial command display. If carrier transitions are high while interface resets are being registered, the problem is likely to be a bad link or a bad CSU or DSU. Contact your leased-line or carrier service, and swap faulty equipment, as necessary.
3. Examine the Input Errors field in the show interfaces serial command display. If input errors are high while interface resets are increasing, the problem is probably a bad link or a bad CSU/DSU.
Contact your leased-line or other carrier service, and swap faulty equipment, as necessary. Table 23-7 Serial Lines: Increasing Carrier Transitions Count on Serial Link Possible Problem Solution The following problems can result in this symptom: • Line interruptions due to an external source (such as physical separation of cabling, red or yellow T1 alarms, or lightning striking somewhere along the network) • Faulty switch, DSU, or router hardware 1. Check hardware at both ends of the link (attach a breakout box or a serial analyzer, and test to determine the source of problems). 2. If an analyzer or breakout box is incapable of identifying any external problems, check the router hardware. 3. Swap faulty equipment, as necessary.23-14 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 23 Troubleshooting the Serial SPAs Using Bit Error Rate Tests Using Bit Error Rate Tests BER test circuitry is built into most of the serial SPAs. With BER tests, you can test cables and signal problems in the field. You can configure individual T1 lines to run BER tests, but only one BER test circuit exists for all 28 T1 lines. Hence, only one BER test can be run on a single T3 port at any given time. There are two categories of test patterns that can be generated by the onboard BER test circuitry: pseudorandom and repetitive. Pseudorandom test patterns are exponential numbers and conform to the CCITT/ITU O.151 and O.153 specifications; repetitive test patterns are all zeros, all ones, or alternating zeros and ones. 
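The three checks of Table 23-6, applied to the counters of two successive show interfaces serial snapshots, as an added Python example that is not part of the guide; the snapshot text is constructed in the format shown in the "Verifying Loopback Mode" output, and the "high" threshold is an assumption because the guide gives no numeric value.

```python
"""Triage for rising 'interface resets' on a serial SPA, following Table 23-6.

Added example, not from the Cisco guide: it parses the counters of two
successive 'show interfaces serial' snapshots (constructed sample text)
and applies the three checks the table lists.  Thresholds are assumptions.
"""
import re

# Regexes for the counter lines as they appear in 'show interfaces serial'.
COUNTER_PATTERNS = {
    "output_drops": r"Total output drops: (\d+)",
    "input_errors": r"(\d+) input errors",
    "interface_resets": r"(\d+) interface resets",
    "carrier_transitions": r"(\d+) carrier transitions",
}


def parse_counters(show_output: str) -> dict:
    """Extract the four counters Table 23-6 asks you to examine."""
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        match = re.search(pattern, show_output)
        if match is None:
            raise ValueError(f"counter {name!r} not found in output")
        counters[name] = int(match.group(1))
    return counters


def triage_interface_resets(before: dict, after: dict, threshold: int = 0) -> list:
    """Return findings in the order Table 23-6 walks through them.

    'threshold' is an assumed number of new events between the two snapshots
    above which a counter is treated as 'high'; the guide gives no number.
    """
    delta = {name: after[name] - before[name] for name in before}
    if delta["interface_resets"] <= 0:
        return ["interface resets not increasing; Table 23-6 does not apply"]
    findings = []
    if delta["output_drops"] > threshold:
        findings.append("step 1: output drops rising with resets -> congestion on link; "
                        "see 'Serial Lines: Increasing Output Drops on Serial Link'")
    if delta["carrier_transitions"] > threshold:
        findings.append("step 2: carrier transitions rising with resets -> bad link or "
                        "bad CSU/DSU; contact carrier, swap faulty equipment")
    if delta["input_errors"] > threshold:
        findings.append("step 3: input errors rising with resets -> bad link or "
                        "bad CSU/DSU; contact carrier, swap faulty equipment")
    if not findings:
        findings.append("resets rising without drops, carrier transitions or input "
                        "errors; check CSU, DSU and switch hardware")
    return findings


# Constructed snapshots, modelled on the show interfaces serial counter lines.
SNAPSHOT_T0 = """\
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 612756
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 applique, 1 interface resets
     0 carrier transitions
"""
SNAPSHOT_T1 = """\
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 612756
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 applique, 4 interface resets
     7 carrier transitions
"""


def demo() -> list:
    """Run the triage over the two constructed snapshots."""
    return triage_interface_resets(parse_counters(SNAPSHOT_T0),
                                   parse_counters(SNAPSHOT_T1))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```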
A description of the test patterns follows:
• Pseudorandom test patterns:
  – 2^15 (per CCITT/ITU O.151)
  – 2^20 (per CCITT/ITU O.153)
  – 2^23 (per CCITT/ITU O.151)
  – QRSS (quasi-random signal sequence) (per CCITT/ITU O.151)
• Repetitive test patterns:
  – All zeros (0s)
  – All ones (1s)
  – Alternating zeros (0s) and ones (1s)

Additional patterns are available as of Cisco IOS Release 12.2(SRC) on the 1-Port Channelized OC3/STM-1 and 2- and 4-Port Channelized T3 SPAs:
• 1-in-8—1-in-8 test pattern
• 3-in-24—3-in-24 test pattern
• 2^15-inverted—2^15-1 (inverted) O.151 test pattern
• 2^23-inverted—2^23-1 (inverted) O.151 test pattern
• 2^9—2^9-1 test pattern
• 2^11—2^11-1 test pattern
• 2^20-O153—2^20-1 O.153 test pattern
• 2^20-QRSS—2^20-1 QRSS O.151 test pattern
• 55Octet—55 Octet pattern
• 55Daly—55 Octet Daly pattern
• DS0-1, DS0-2, DS0-3, DS0-4—DS0 1, DS0 2, DS0 3, DS0 4 test patterns

Both the total number of error bits received and the total number of bits received are available for analysis. You can set the testing period from 1 minute to 14,400 minutes (240 hours), and you can also retrieve the error statistics anytime during the BER test.

When running a BER test, your system expects to receive the same pattern that it is transmitting. To help ensure this:
• Use a loopback at a location of your choice in the link or network. To see how to configure a loopback, go to the “Using loopback Commands” section on page 23-16.
• Configure remote testing equipment to transmit the same BER test pattern at the same time.

Configuring a BER Test

To send a BER test pattern on an interface, see the bert pattern command description in the Cisco IOS Release 12.2SR command reference documents.

Viewing a BER Test

You can view the results of a BER test with the show controllers command.
You can view the results of a BER test at the following times:
• After you terminate the test using the no bert command.
• After the test runs completely.
• Anytime during the test (in real time).

Router# show controllers serial T3 1/0/0
T3 1/0/0 is up.
C2T3 H/W Version : 3, C2T3 ROM Version : 0.79, C2T3 F/W Version : 0.29.0
T3 1/0/0 T1 1
No alarms detected.
Clock Source is internal.
BERT test result (running)
Test Pattern : 2^15, Status : Sync, Sync Detected : 1
Interval : 5 minute(s), Time Remain : 5 minute(s)
Bit Errors(Since BERT Started): 6 bits, Bits Received(Since BERT start): 8113 Kbits
Bit Errors(Since last sync): 6 bits
Bits Received(Since last sync): 8113 Kbits

Interpreting BER Test Results

Table 23-8 explains the output of the preceding command.

Table 23-8 Interpreting BER Test Results

Field: BERT test result (running)
Description: Indicates the current state of the test. In this case, “running” indicates that the BER test is still in progress. After a test is completed, “done” is displayed.

Field: Test Pattern : 2^15, Status : Sync, Sync Detected : 1
Description: Indicates the test pattern you selected for the test (2^15), the current synchronization state (sync), and the number of times synchronization has been detected during this test (1).

Field: Interval : 5 minute(s), Time Remain : 5 minute(s)
Description: Indicates the time the test takes to run and the time remaining for the test to run. If you terminate a BER test, you receive a message similar to the following:
Interval : 5 minute(s), Time Remain : 2 minute(s) (unable to complete)
"Interval: 5 minutes" indicates the configured run time for the test. "Time Remain : 2 minutes" indicates the time remaining in the test prior to termination. "(Unable to complete)" signifies that you interrupted the test.

Field:
Bit Errors(Since BERT Started): 6 bits
Bits Received(Since BERT start): 8113 Kbits
Bit Errors(Since last sync): 6 bits
Bits Received(Since last sync): 8113 Kbits
Description: These four lines show the bit errors that have been detected versus the total number of test bits that have been received since the test started and since the last synchronization was detected.

Using loopback Commands

Loopback support is useful for testing the interface without connectivity to the network, or for diagnosing equipment malfunctions between the interface and a device. The 2-Port and 4-Port Clear Channel T3/E3 SPA supports both an internal and an external loopback mode. The external loopback mode requires the use of a loopback cable and implements a loopback through the transceiver on the SPA. You can also configure an internal loopback without the use of a loopback cable that implements a loopback at the PHY device internally. By default, loopback is disabled.

To configure local loopback, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command (T3/E3): Router(config)# interface serial slot/subslot/port
Command (T1/E1): Router(config)# controller slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the interface.
• slot/subslot/port—Specifies the location of the T1/E1 controller.

Command (T3/E3): Router(config-if)# loopback {local | dte | network {line | payload} | remote}
Command (T1/E1): Router(config-controller)# loopback {local [line | payload] | diag}
Purpose: Specifies the loopback mode.
• local—Loop back after going through the framer toward the terminal.
• dte—Loop back after the LIU toward the terminal.
• network—Loop back toward the network.
• remote—Send FEAC to set the remote end in loopback.
• line—Loop back toward the network before going through the framer.
• payload—Loop back toward the network after going through the framer.
• diag—Loop back after going through the HDLC controller toward the terminal.

Verifying Loopback Mode

Router# show interfaces serial 6/0/0
Serial6/0/0 is up, line protocol is up (looped)
  Hardware is SPA-4T3E3
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 225/255, rxload 221/255
  Encapsulation FRAME-RELAY, crc 16, loopback set (local)
  Keepalive set (10 sec)
  LMI enq sent 13281, LMI stat recvd 13280, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 1, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 1023 LMI type is CISCO frame relay DTE
  FR SVC disabled, LAPF state down
  Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
  Last input 00:00:07, output 00:00:00, output hang never
  Last clearing of "show interface" counters 1d12h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 612756
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 38446000 bits/sec, 109217 packets/sec
  5 minute output rate 39023000 bits/sec, 110854 packets/sec
     14601577951 packets input, 642478074437 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles 0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     14545044296 packets output, 639982568049 bytes, 0 underruns
     0 output errors, 0 applique, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
   rxLOS inactive, rxLOF inactive, rxAIS inactive
   txAIS inactive, rxRAI inactive, txRAI inactive

Using the Cisco IOS Event Tracer to Troubleshoot Problems

Note This feature is intended for use as a software diagnostic tool and should be configured only under the direction of a Cisco Technical Assistance Center (TAC) representative.
The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This feature gives Cisco service representatives additional insight into the operation of the Cisco IOS software and can be useful in helping to diagnose problems in the unlikely event of an operating system malfunction or, in the case of redundant systems, Route Processor switchover.

Event tracing works by reading informational messages from specific Cisco IOS software subsystem components that have been preprogrammed to work with event tracing, and by logging messages from those components into system memory. Trace messages stored in memory can be displayed on the screen or saved to a file for later analysis.

The SPAs currently support the “spa” component to trace SPA OIR-related events.

Preparing for Online Insertion and Removal of a SPA

The Cisco 7600 series router supports online insertion and removal (OIR) of the SIP, in addition to each of the SPAs. Therefore, you can remove a SIP with its SPAs still intact, or you can remove a SPA independently from the SIP, leaving the SIP installed in the router. This means that a SIP can remain installed in the router with one SPA remaining active, while you remove another SPA from one of the SIP subslots.

If you are not planning to immediately replace a SPA into the SIP, then be sure to install a blank filler plate in the subslot. The SIP should always be fully installed with either functional SPAs or blank filler plates.
For more information about activating and deactivating SPAs in preparation for OIR, see the “Preparing for Online Insertion and Removal of SIPs and SPAs” topic in the “Troubleshooting a SIP” chapter in this guide.

PART 8 IPSec VPN Shared Port Adapter

CHAPTER 24 Overview of the IPSec VPN SPA

This chapter provides an overview of the release history, feature support, and Management Information Base (MIB) support for the IPSec VPN SPAs. This chapter includes the following sections:
• Release History, page 24-1
• Overview of the IPSec VPN SPAs, page 24-4
• Overview of Basic IPSec and IKE Configuration Concepts, page 24-5
• Configuring VPNs with the IPSec VPN SPAs, page 24-7
• IPSec Feature Support, page 24-8
• Restrictions, page 24-23
• Supported MIBs, page 24-24
• IPSec VPN SPA Hardware Configuration Guidelines, page 24-25
• Displaying the SPA Hardware Type, page 24-25

Release History

Release: Cisco IOS Release 15.1(3)S1
Modification: Support for the WS-IPSEC-3 SPA was added on the WS-SSC-600 line card on the Cisco 7600 series router.

Release: Cisco IOS Release 12.2(33)SRA
Modification: For the IPSec VPN SPA, SPA-IPSEC-2G, the following changes were introduced:
• The following features were newly introduced:
  – Front-side VRF
  – IPSec Virtual Tunnel Interface (VTI)
  – Certificate to ISAKMP Profile Mapping
  – Call Admission Control
  – Periodic Message Option (now supported in Dead Peer Detection)
  – Reverse Route Injection (RRI)
  – IPSec Anti-replay window size
  – IPSec Preferred Peer
  – Local Certificate Storage Location
  – Persistent Self-signed Certificates
  – Easy VPN Remote RSA Signature Storage
  – IPSec and IKE MIB support for Cisco VRF-Aware IPSec
• Tunnel capacity has been increased to 16,000 tunnels.
• Support has been added for the following commands:
  – clear crypto engine accelerator counter command—To clear platform and network interface controller statistics.
  – show crypto engine accelerator statistic command—To display platform and network interface controller statistics.
  – show crypto eli command—To display how many IKE SAs and IPSec sessions are active and how many Diffie-Hellman keys are in use for each IPSec VPN SPA.
• Cisco IOS Release 12.2(33)SRA is only supported on Supervisor Engine 32 and Supervisor Engine 720.
• Unlike previous releases, support is not included for IPSec stateful failover using HSRP and SSP.
• The crypto engine subslot command has been replaced by the crypto engine slot command.
• The one large configuration chapter has been restructured into several smaller chapters, and a table has been added that describes release-dependent features.
• The “IPSec Feature Support in VRF Mode for SPA-IPSEC-2G IPSEC VPN SPA” section has been expanded to include tables that differentiate Supervisor and line card support by release.

Release: Cisco IOS Release 12.2(18)SXF6
Modification: For the SPA-IPSEC-2G IPSec VPN SPA, support was introduced for the IPSec anti-replay window size feature in the SX release train.

Release: Cisco IOS Release 12.2(18)SXF2
Modification: For the SPA-IPSEC-2G IPSec VPN SPA, support was introduced for Supervisor Engine 2, Supervisor Engine 32, and the configuration of IP multicast over a GRE tunnel.

Release: Cisco IOS Release 12.2(18)SXE5
Modification: For the SPA-IPSEC-2G IPSec VPN SPA, support was introduced for two new GRE takeover commands:
• crypto engine gre supervisor command—To configure the router to process Generic Routing Encapsulation (GRE) using the Supervisor Engine hardware or the Route Processor (RP).
• crypto engine gre vpnblade command—To configure the router to process Generic Routing Encapsulation (GRE) using the IPSec VPN SPA.
Release: Cisco IOS Release 12.2(18)SXE2
Modification: For the SPA-IPSEC-2G IPSec VPN SPA, support was introduced on the Cisco 7600 SSC-400 on the Cisco 7600 series router.

Overview of the IPSec VPN SPAs

The IPSec VPN SPAs are Gigabit Ethernet IP Security (IPSec) cryptographic SPAs that you can install in a Cisco 7600 series router to provide hardware acceleration for IPSec encryption and decryption, generic routing encapsulation (GRE), and Internet Key Exchange (IKE) key generation. The IPSec SPAs come in the following models:
• SPA-IPSEC-2G
• WS-IPSEC-3

The SPA-IPSEC-2G SPA was introduced in Cisco IOS Release 12.2(18)SXE2 and is supported on the Cisco SSC-400 line card. It is a 2 Gbps IPSec VPN SPA.

The WS-IPSEC-3 SPA is a 5 Gbps VPN Service Port Adapter (VSPA) introduced in Cisco IOS Release 15.1(3)S1 on the Cisco 7600 platform. This SPA must be installed on a WS-SSC-600 line card before it can be used on the Cisco 7600 series router.

Note Software-based IPSec features are not supported in any Cisco IOS releases that support the IPSec VPN SPA.

The traditional software-based implementation of IPSec in Cisco IOS supports the entire suite of security protocols, including Authentication Header (AH), Encapsulating Security Payload (ESP), and IKE. The resources consumed by these activities are significant and make it difficult to achieve line-rate transmission speeds over secure virtual private networks (VPNs). To address this problem, certain platforms with large VPN bandwidth requirements support bump-in-the-wire (BITW) IPSec hardware modules in conjunction with the hardware forwarding engines. These modules off-load policy enforcement, as well as bulk encryption and forwarding, from the route processor (RP) so that it is not required to look at each packet coming through the router. This frees up resources that can be used for session establishment, key management, and other features.

The IPSec VPN SPA provides a bump-in-the-wire (BITW) IPSec implementation using virtual LANs (VLANs) for a Cisco 7600 series router.

Note BITW is an IPSec implementation that starts egress packet processing after the IP stack has finished with the packet and completes ingress packet processing before the IP stack receives the packet.

The IPSec VPN SPA can use multiple Fast Ethernet or Gigabit Ethernet ports on other Cisco 7600 series router modules to connect to the Internet through WAN routers. The physical ports may be attached to the IPSec VPN SPA through a VLAN called the port VLAN (or pvlan). Packets that are received from the WAN routers pass through the IPSec VPN SPA for IPSec processing. The packets are output on a dedicated VLAN called the interface or inside VLAN (or ivlan). Depending on the configuration mode (VRF mode or crypto-connect mode), the ivlan or pvlan may be configured explicitly or may be allocated implicitly by the system.

On the LAN side, traffic between the LAN ports can be routed or bridged on multiple Fast Ethernet or Gigabit Ethernet ports. Because the LAN traffic is not encrypted or decrypted, it does not pass through the IPSec VPN SPA. The IPSec VPN SPA does not maintain routing information, route, or change the MAC header of a packet (except for the VLAN ID from one VLAN to another).

Note GRE over IPSec over MPLS (GREoIPSecoMPLS) through a loopback cable is not supported on the Cisco 7600 series router.
Overview of Basic IPSec and IKE Configuration Concepts

This subsection reviews some basic IPSec and IKE concepts that are used throughout the configuration of the IPSec VPN SPA, such as security associations (SAs), access lists (ACLs), crypto maps, transform sets, and IKE policies. The information presented here is introductory and should not be considered complete.

Note For more detailed information on IPSec and IKE concepts and procedures, refer to the Cisco IOS Security Configuration Guide.

Information About IPSec Configuration

IPSec provides secure tunnels between two peers, such as two routers. More accurately, these tunnels are sets of security associations (SAs) that are established between two IPSec peers. The SAs define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (Authentication Header (AH) or Encapsulating Security Payload (ESP)).

Multiple IPSec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of SAs. For example, some data streams might be authenticated only while other data streams must both be encrypted and authenticated.

Note The use of the term “tunnel” in this subsection does not refer to using IPSec in tunnel mode.

With IPSec, you define what traffic should be protected between two IPSec peers by configuring ACLs and applying these ACLs to interfaces by way of crypto maps. (The ACLs used for IPSec are used only to determine which traffic should be protected by IPSec, not which traffic should be blocked or permitted through the interface. Separate ACLs define blocking and permitting at the interface.)

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you must create two different crypto ACLs to define the two different types of traffic. These different ACLs are then used in different crypto map entries, which specify different IPSec policies.

Crypto ACLs associated with IPSec crypto map entries have four primary functions:
• Select outbound traffic to be protected by IPSec (permit = protect).
• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPSec security associations.
• Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.
• Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. Negotiation is performed only for ipsec-isakmp crypto map entries. In order to be accepted, if the peer initiates the IPSec negotiation, it must specify a data flow that is “permitted” by a crypto ACL associated with an ipsec-isakmp crypto map entry.

Note ACLs applied to a crypto map (also known as crypto ACLs) are different from normal extended IP access lists and do NOT provide or support logging.
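The four crypto ACL functions above, worked through as an added Python model that is not Cisco IOS code or code from this guide: ordered crypto map entries each carry a crypto ACL (permit = protect) and an IPSec policy; the entry names, policy labels and addresses are constructed, and a deny in a crypto ACL is modelled as "not protected by this entry, keep searching" (an assumption of the model).

```python
"""Model of crypto ACL evaluation against ordered crypto map entries.

Added example, not from the Cisco guide or Cisco IOS.  Entries, policy
labels and addresses are constructed.  A 'deny' in a crypto ACL is modelled
as 'this entry does not protect the flow; continue with the next entry'.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    action: str   # "permit" (protect) or "deny"
    src: str      # source prefix, CIDR
    dst: str      # destination prefix, CIDR

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


@dataclass
class CryptoMapEntry:
    seq: int       # sequence number; entries are searched in this order
    kind: str      # "ipsec-isakmp" (IKE negotiated) or "ipsec-manual"
    policy: str    # constructed label, e.g. "ah-only" or "esp-auth-encrypt"
    acl: list = field(default_factory=list)

    def lookup(self, src_ip: str, dst_ip: str):
        """First-match crypto ACL lookup: 'permit', 'deny' or None."""
        for ace in self.acl:
            if ace.matches(src_ip, dst_ip):
                return ace.action
        return None


def select_entry(crypto_map, src_ip, dst_ip):
    """Walk entries in sequence order; return the first whose ACL permits the flow."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.lookup(src_ip, dst_ip) == "permit":
            return entry
    return None


def outbound_policy(crypto_map, src_ip, dst_ip):
    """Function 1: select outbound traffic to protect (permit = protect)."""
    entry = select_entry(crypto_map, src_ip, dst_ip)
    return entry.policy if entry else "clear"


def inbound_verdict(crypto_map, src_ip, dst_ip, arrived_protected: bool):
    """Function 3: discard inbound clear-text traffic that should have been protected.

    Crypto ACLs are written from the local outbound view, so an inbound packet
    is matched with its addresses mirrored (dst as src, src as dst)."""
    entry = select_entry(crypto_map, dst_ip, src_ip)
    if entry is not None and not arrived_protected:
        return "discard"
    return "accept"


def accept_peer_proposal(crypto_map, local_src, remote_dst):
    """Function 4: accept a peer-initiated SA request only when the proposed flow
    (given in local outbound terms) is permitted by an ipsec-isakmp entry."""
    entry = select_entry(crypto_map, local_src, remote_dst)
    return entry is not None and entry.kind == "ipsec-isakmp"


# Constructed crypto map: different entries apply different protection.
CRYPTO_MAP = [
    CryptoMapEntry(10, "ipsec-isakmp", "ah-only",
                   [AclEntry("permit", "10.1.1.0/24", "10.2.2.0/24")]),
    CryptoMapEntry(20, "ipsec-isakmp", "esp-auth-encrypt",
                   [AclEntry("deny", "10.1.3.0/24", "10.2.3.5/32"),
                    AclEntry("permit", "10.1.3.0/24", "10.2.3.0/24")]),
    CryptoMapEntry(30, "ipsec-manual", "esp-auth-encrypt",
                   [AclEntry("permit", "10.1.4.0/24", "10.2.4.0/24")]),
]

if __name__ == "__main__":
    print(outbound_policy(CRYPTO_MAP, "10.1.1.5", "10.2.2.7"))            # ah-only
    print(outbound_policy(CRYPTO_MAP, "10.1.3.9", "10.2.3.5"))            # clear
    print(inbound_verdict(CRYPTO_MAP, "10.2.2.7", "10.1.1.5", False))     # discard
    print(accept_peer_proposal(CRYPTO_MAP, "10.1.4.1", "10.2.4.1"))       # False
```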
Crypto map entries created for IPSec combine the various parts used to set up IPSec SAs, including:
• Which traffic should be protected by IPSec (per a crypto ACL)
• The granularity of the flow to be protected by a set of SAs
• Where IPSec-protected traffic should be sent (the name of the remote IPSec peer)
• The local address to be used for the IPSec traffic
• What IPSec SA should be applied to this traffic (selecting from a list of one or more transform sets)
• Whether SAs are manually established or are established via IKE
• Other parameters that might be necessary to define an IPSec SA

Crypto map entries are searched in order—the router attempts to match the packet to the access list specified in that entry.

Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec-protected traffic. You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers’ IPSec SAs. (With manually established SAs, there is no negotiation with the peer, so both sides must specify the same transform set.)

Note To minimize the possibility of packet loss during rekeying, we recommend using time-based rather than volume-based IPSec SA expiration. By setting the lifetime volume to the maximum value using the set security-association lifetime kilobytes 536870912 command, you can usually force time-based SA expiration.

Information About IKE Configuration

IKE is a key management protocol standard that is used in conjunction with the IPSec standard.
IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.) In Cisco IOS Release 12.2(33)SXF and earlier releases, IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is enabled by default.

You configure IKE by creating IKE policies at each peer using the crypto isakmp policy command. An IKE policy defines a combination of security parameters to be used during the IKE negotiation and mandates how the peers are authenticated.

You can create multiple IKE policies, each with a different combination of parameter values, but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority). If you do not configure any policies, your router uses the default policy, which is always set to the lowest priority, and which contains each parameter’s default value.

There are five parameters to define in each IKE policy:
• Encryption algorithm
• Hash algorithm
• Authentication method
• Diffie-Hellman group identifier
• Security association lifetime

For more information about IKE, see the “Overview of IKE” section on page 28-2.

Configuring VPNs with the IPSec VPN SPAs

To configure a VPN using the IPSec VPN SPA, you have two basic options: crypto-connect mode or Virtual Routing and Forwarding (VRF) mode.
In either mode, you may also configure GRE tunneling to encapsulate a wide variety of protocol packet types, including multicast packets, inside the VPN tunnel.

Note Switching between crypto-connect mode and VRF mode requires a reload.

Note We recommend that you do not make changes to the VPN configuration while VPN sessions are active. To avoid system disruption, we recommend that you plan a scheduled maintenance time and clear all VPN sessions using the clear crypto sessions command before making VPN configuration changes.

Crypto-Connect Mode

Traditionally, VPNs are configured on the IPSec VPN SPA by attaching crypto maps to interface VLANs and then crypto-connecting a physical port to the interface VLAN. This method, known as crypto-connect mode, is similar to the method used to configure VPNs on routers running Cisco IOS software. When you configure VPNs on the IPSec VPN SPA using crypto-connect mode, you attach crypto maps to VLANs (using interface VLANs); when you configure VPNs on routers running Cisco IOS software, you configure individual interfaces.

Note With the IPSec VPN SPA, crypto maps are attached to individual interfaces but the set of interfaces allowed is restricted to interface VLANs.

Crypto-connect mode VPN configuration is described in Chapter 25, “Configuring VPNs in Crypto-Connect Mode.”

VRF Mode

VRF mode, also known as VRF-aware IPSec, allows you to map IPSec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address. A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.

When you configure a VPN on the IPSec VPN SPA using VRF mode, the model of interface VLANs is preserved, but the crypto connect vlan command is not used. Instead, a route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLAN.

When configuring a VPN using VRF mode, you have these additional tunneling options: tunnel protection (TP) using GRE, and Virtual Tunnel Interface (VTI). With either of these options, you can terminate tunnels in VRFs (normal VRF mode) or in the global context.

VRF mode VPN configuration is described in Chapter 26, “Configuring VPNs in VRF Mode.”

IPSec Feature Support

The tables in the following sections display supported and unsupported IPSec features of the IPSec VPN Module in each VPN mode according to the software release:
• IPSec Features Common To All VPN Modes, page 24-9
• IPSec Features in Crypto-Connect Mode, page 24-17
• IPSec Features in VRF Mode, page 24-18

Note This document describes IPSec VPN SPA features and applications that have been tested and are supported. Features and applications that do not explicitly appear in this table and in the following chapters should be considered unsupported. Contact your Cisco account team before implementing a configuration that is not described in this document.

IPSec Features Common To All VPN Modes

Table 24-1 lists the supported and unsupported IPSec features common to all VPN modes for the IPSec VPN SPA, SPA-IPSEC-2G.
Table 24-1 IPSec Feature Support By Release in All VPN Modes for SPA-IPSEC-2G Feature Name Cisco IOS Software Release 12.2 SXE SXF SRA SRB, SRC, SRD,SR E SXH 1 IPSec tunnels using software crypto N N N N N Enhanced GRE takeover (if the supervisor engine cannot process) Y Y Y Y Y Multicast over GRE N Y Y Y Y Multicast over multipoint GRE (mGRE) / DMVPN N N N N N Multicast Scalability Enhancement (single SPA mode) N Y Y Y Y Advanced Encryption Standard (AES) Y Y Y Y Y ISAKMP keyring Y Y Y Y Y SafeNet Client support Y Y Y Y Y Peer filtering (SafeNet Client support) N N N N N Certificate to ISAKMP profile mapping Y Y Y Y Y Encrypted preshared key Y Y Y Y Y IKE Aggressive Mode Initiation N N N N N Call Admission Control (CAC) for IKE N N Y Y Y Dead Peer Detection (DPD) on-demand Y Y Y Y Y DPD periodic message option N N Y Y Y IPSec prefragmentation (Look-Ahead Fragmentation, or LAF) Y Y Y Y Y Reverse Route Injection (RRI) Y Y Y Y Y Reverse route with optional parameters N N N N N Adjustable IPSec anti-replay window size N Y Y Y Y IPSec preferred peer Y Y Y Y Y Per-crypto map (and global) IPSec security association (SA) idle timers Y Y Y Y Y Distinguished name-based crypto maps Y Y Y Y Y Sequenced access control lists (ACLs) (crypto ACLs) Y Y Y Y Y Deny policy configuration enhancements (drop, jump, clear) Y Y Y Y Y24-10 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 24 Overview of the IPSec VPN SPA IPSec Feature Support Disable volume lifetime per interface N N N N N IPSec VPN SPA quality of service (QoS) queueing Y Y Y Y Y Multiple RSA key pair support N N Y Y Y Protected private key storage N N Y Y Y Trustpoint CLI N N Y Y Y Query mode per trustpoint N N N N N Local certificate storage location N N Y Y Y Direct HTTP enroll with CA servers Y Y Y Y Y Manual certificate enrollment (TFTP and cut-and-paste) N N Y Y Y Certificate autoenrollment N N Y Y Y Key rollover for Certificate Authority (CA) renewal N N N N N Public-key 
infrastructure (PKI) query multiple servers | N | N | N | N | N
Online Certificate Status Protocol (OCSP) | N | N | N | N | N
Optional OCSP nonces | N | N | N | N | N
Certificate security attribute-based access control | N | N | N | N | N
PKI AAA authorization using entire subject name | N | N | N | N | N
PKI local authentication using subject name | N | N | Y | Y | Y
Source interface selection for outgoing traffic with certificate authority | N | N | N | N | N
Persistent self-signed certificates as Cisco IOS CA server | N | N | N | N | N
Certificate chain verification | N | N | N | N | N
Multi-tier certificate support | Y | Y | Y | Y | Y
Easy VPN Server enhanced features | N | N | N | N | N
Easy VPN Server basic features | Y | Y | Y | Y | Y
Interoperate with Easy VPN Remote using preshared key | Y | Y | Y | Y | Y
Interoperate with Easy VPN Remote using RSA signature | N | N | Y | Y | Y
Stateless failover using the Hot Standby Router Protocol (HSRP) | Y | Y | Y | Y | Y
Chassis-to-chassis stateful failover using HSRP and SSP in site-to-site IPSec using preshared keys with crypto maps | Y | Y | N | N | N
Chassis-to-chassis failover (IPSec stateful failover) with DMVPN, GRE/TP, VTI, Easy VPN, or PKI | N | N | N | N | N
Blade-to-Blade stateful failover | Y | Y | Y | Y | Y
IPSec VPN Monitoring (IPSec Flow MIB) | Y | Y | Y | Y | Y
IPSec VPN Accounting (start / stop / interim records) | Y | Y | Y | Y | Y
Crypto Conditional Debug support | N | Y | Y | Y | Y
show crypto engine accelerator statistic command | N | N | Y | Y | Y
Other show crypto engine commands | N | N | N | N | N
clear crypto engine accelerator counter command | N | N | Y | Y | Y
Crypto commands applied to a loopback interface | N | N | N | N | N
Policy Based Routing (PBR) on tunnel interface or interface VLAN | N | N | N | N | N
ACL on tunnel interface | N | N | N | N | N
MQC QoS on tunnel interface (service policy) | N | N | N | N | N
mls qos command on all tunnel interfaces: IPSec, GRE, mGRE | N | N | N | N | N
QoS pre-classify CLI | N | N | N | N | N
NAT on crypto VLAN or crypto protected tunnel interface | N | N | N | N | N
16 K tunnels (IKE and IPSec tunnels) | N | N | Y | Y | Y
Switching between VRF and crypto-connect modes requires reboot | Y | Y | Y | Y | Y
GRE keepalives on tunnel protection (TP) tunnels | N | N | N | N | N
GRE keepalives on mGRE/DMVPN tunnels | N | N | N | N | N
IPSec Network Address Translation Transparency (NAT-T) (transport mode, ESP only) | Y | Y | Y | Y | Y
Dynamic Multipoint VPN Phase 2 (DMVPN) (mGRE; TP & NHRP) | Y | Y | Y | Y | Y
DMVPN Phase 3 | N | N | N | N | N
DMVPN hub router behind a NAT gateway—tunnel mode | N | N | N | N | N
DMVPN hub router behind a NAT gateway—transport mode (not spoke-to-spoke) | N | N | N | N | Y
DMVPN spoke router behind a NAT gateway—tunnel mode | N | N | N | N | N
DMVPN spoke router behind a NAT gateway—transport mode (not spoke-to-spoke) | Y | Y | Y | Y | Y
Multicast transit traffic over DMVPN tunnels | N | N | N | N | N
Non-IP traffic over TP (DMVPN, point-to-point GRE, sVTI) tunnels | N | N | N | N | N
Support for the VPNSM | Y | Y | N | N | N
All serial PPP interfaces with crypto-connect mode must have ip unnumber null 0 command | N | N | N | Y | Y
Manual key | N | Y | N | N | N
Tunnel Endpoint Discovery | Y | Y | N | N | N
Transport adjacency and nested tunnels | N | N | N | N | N
Transit IPSec packets | N | Y | N | N | Y
IPSec VPN SPA supported with virtual switching system (VSS) | N | N | N | N | N
IP header options through IPSec tunnels | N | N | N | N | N
Invalid SPI recovery | N | N | Y | Y | Y
IPSec compression | N | N | N | N | N
Multilink or dialer interfaces | N | N | N | N | N
Group Encrypted Transport VPN (GETVPN) | N | N | N | N | N
IPSec Passive Mode | N | N | N | N | N

1. The SXH software release is for the Catalyst 6500 series switch. This release does not apply to the Cisco 7600 series router.

Table 24-2 lists the supported and unsupported IPSec features common to all VPN modes for the WS-IPSEC-3 IPSEC VSPA.

Table 24-2 IPSec Feature Support in All VPN Modes for WS-IPSEC-3 SPA

Feature Name | Cisco IOS Release 15.1(3)S1
IPSec tunnels using software crypto | N
Enhanced GRE takeover (if the supervisor engine cannot process) | Y
Multicast over GRE | Y
Multicast over multipoint GRE (mGRE) / DMVPN | N
Multicast Scalability Enhancement (single SPA mode) | Y
Advanced Encryption Standard (AES) | Y
Internet Security Association and Key Management Protocol (ISAKMP) keyring | Y
SafeNet Client support | Y
Peer filtering (SafeNet Client support) | N
Certificate to ISAKMP profile mapping | Y
Encrypted preshared key | Y
IKE Aggressive Mode Initiation | N
Call Admission Control (CAC) for IKE | Y
Dead Peer Detection (DPD) on-demand | Y
DPD periodic message option | Y
IPSec prefragmentation (Look-Ahead Fragmentation, or LAF) | Y
Reverse Route Injection (RRI) | Y
Reverse route with optional parameters | N
Adjustable IPSec anti-replay window size | Y
IPSec preferred peer | Y
Per-crypto map (and global) IPSec security association (SA) idle timers | Y
Distinguished name-based crypto maps | Y
Sequenced access control lists (ACLs) or crypto ACLs | Y
Deny policy configuration enhancements (drop, jump, clear) | Y
Disable volume lifetime per interface | N
IPSec VPN SPA quality of service (QoS) queueing | Y
Multiple RSA key pair support | Y
Protected private key storage | Y
Trustpoint CLI | Y
Query mode per trustpoint | N
Local certificate storage location | Y
Direct HTTP enroll with CA servers | Y
Manual certificate enrollment (TFTP and cut-and-paste) | Y
Certificate autoenrollment | Y
Key rollover for Certificate Authority (CA) renewal | N
Public-key infrastructure (PKI) query multiple servers | N
Online Certificate Status Protocol (OCSP) | N
Optional OCSP nonces | N
Certificate security attribute-based access control | N
PKI AAA authorization using entire subject name | N
PKI local authentication using subject name | Y
Source interface selection for outgoing traffic with certificate authority | N
Persistent self-signed certificates as Cisco IOS CA server | N
Certificate chain verification | N
Multi-tier certificate support | Y
Easy VPN Server enhanced features | N
Easy VPN Server basic features | Y
Interoperate with Easy VPN Remote using preshared key | Y
Interoperate with Easy VPN Remote using RSA signature | Y
Stateless failover using the Hot Standby Router Protocol (HSRP) | Y
Chassis-to-chassis stateful failover using HSRP and SSP in site-to-site IPSec using preshared keys with crypto maps | N
Chassis-to-chassis failover (IPSec stateful failover) with DMVPN, GRE/TP, VTI, Easy VPN, or PKI | N
Blade-to-Blade stateful failover | Y
IPSec VPN Monitoring (IPSec Flow MIB) | Y
IPSec VPN Accounting (start / stop / interim records) | Y
Crypto Conditional Debug support | Y
show crypto engine accelerator statistic command | Y
clear crypto engine accelerator counter command | Y
Crypto commands applied to a loopback interface | N
Policy Based Routing (PBR) on tunnel interface or interface VLAN | N
ACL on tunnel interface | N
MQC QoS on tunnel interface (service policy) | N
mls qos command on all tunnel interfaces: IPSec, GRE, mGRE | N
QoS pre-classify CLI | N
NAT on crypto VLAN or crypto protected tunnel interface | N
16000 tunnels (IKE and IPSec tunnels) | Y
Switching between VRF and crypto-connect modes requires reboot | Y
GRE keepalives on tunnel protection (TP) tunnels | N
GRE keepalives on mGRE/DMVPN tunnels | N
IPSec Network Address Translation Transparency (NAT-T) (transport mode, ESP only) | Y
DMVPN Phase 2 (mGRE; TP & NHRP) | Y
DMVPN Phase 3 | N
DMVPN hub router behind a NAT gateway—tunnel mode | N
DMVPN hub router behind a NAT gateway—transport mode (not spoke-to-spoke) | N
DMVPN spoke router behind a NAT gateway—tunnel mode | N
DMVPN spoke router behind a NAT gateway—transport mode (not spoke-to-spoke) | Y
Multicast transit traffic over DMVPN tunnels | N
Non-IP traffic over TP (DMVPN, point-to-point GRE, sVTI) tunnels | N
Support for the VPNSM | N
All serial PPP interfaces with crypto-connect mode must have ip unnumber null 0 command | Y
Manual key | N
Tunnel Endpoint Discovery | N
Transport adjacency and nested tunnels | N
Transit IPSec packets | N
IPSec VPN SPA supported with virtual switching system (VSS) | N
IP header options through IPSec tunnels | N
Invalid Security Parameter Index (SPI) recovery | Y
IPSec compression | N
Multilink or dialer interfaces | N
Group Encrypted Transport VPN (GETVPN) | N
IPSec Passive Mode | N

IPSec Features in Crypto-Connect Mode

Table 24-3 lists the supported and unsupported IPSec features in crypto-connect mode for SPA-IPSEC-2G.

Table 24-3 IPSec Feature Support By Release in Crypto-Connect Mode for SPA-IPSEC-2G

Feature Name | 12.2SXE | 12.2SXF | 12.2SRA | 12.2SRB, SRC, SRD, SRE | 12.2SXH (1)
Point-to-point GRE with tunnel protection and VTI | N | N | N | N | N
Path MTU discovery (PMTUD) | N | N | Y | Y | Y
PMTUD with NAT-T | N | N | N | N | N
IPSec static virtual tunnel interface (sVTI) | N | N | N | N | N
The use of VRFs in conjunction with crypto features | N | N | N | N | N
IPX and Appletalk over point-to-point GRE | Y | Y | Y | Y | Y
ip tcp adjust-mss command in GRE when taken over | N | N | N | N | N

1. The SXH software release is for the Catalyst 6500 series switch. This release does not apply to the Cisco 7600 series router.

Table 24-4 lists the supported and unsupported IPSec features in crypto-connect mode for the WS-IPSEC-3 SPA.

Table 24-4 Supported and Unsupported IPSec Features in Crypto-Connect Mode for WS-IPSEC-3 SPA

Feature Name | Cisco IOS Software Release 15.1(3)S1
Point-to-point GRE with tunnel protection | N
Path MTU discovery (PMTUD) | Y
PMTUD with NAT-T | N
IPSec static virtual tunnel interface (sVTI) | N
The use of VRFs in conjunction with crypto features | N
IPX and Appletalk over point-to-point GRE | Y
ip tcp adjust-mss command in GRE when taken over | N

IPSec Features in VRF Mode

Table 24-5 lists the supported and unsupported IPSec features in VRF mode for the SPA-IPSEC-2G IPSEC VPN SPA.
Table 24-5 IPSec Feature Support in VRF Mode for SPA-IPSEC-2G IPSEC VPN SPA

Feature Name | 12.2SXE | 12.2SXF | 12.2SRA | 12.2SRB, SRC, SRD, SRE | 12.2SXH (1)
Global VRF | Y | Y | Y | Y | Y
Front-door VRF (FVRF) | N | N | Y | Y | Y
FVRF on an mGRE tunnel configured on a DMVPN hub | N | N | Y | Y | Y
FVRF on an mGRE tunnel configured on a DMVPN spoke | N | N | N | N | N
Overlapping IP address space in VRFs | Y | Y | Y | Y | Y
Secondary IP addresses on interfaces | N | N | N | N | N
MPLS over GRE/IPSec (tag switching on tunnel interfaces) | N | N | N | N | N
PE-PE encryption (IPSec only) over MPLS | N | N | N | N | N
PE-PE encryption (tunnel protection) over MPLS | N | N | N | N | N
MPLS PE-CE encryption (Tag2IP) with GRE/TP | N | N | N | Y | Y
MPLS PE-CE encryption (Tag2IP) with sVTI | N | N | N | N | N
MPLS PE-CE encryption (Tag2IP) with crypto map | N | N | N | N | N
Crypto maps in VRF-lite | Y | Y | Y | Y | Y
Per-VRF AAA with RADIUS | N | N | N | Y | Y
Per-VRF AAA with TACACS | N | N | N | Y | N
IPSec static virtual tunnel interface (sVTI) | N | N | Y | Y | Y
Multicast over sVTI | N | N | N | N | N
ip tcp adjust-mss command on sVTI or GRE | N | N | N | N | N
Ingress and egress features (ACL, QOS) on sVTI, GRE/TP, and mGRE tunnel | N | N | N | N | N
Ingress features (ACL, PBR, inbound service policy) on the outside interface | N | N | N | N | N
Outbound service policy on the outside interface | Y | Y | Y | Y | Y
TP support in the global context | N | N | Y | Y | Y
IPSec SA using crypto map created in transport mode | N | N | N | N | N
Path MTU discovery (PMTUD) | N | N | N | N | N
Non-IP version 4 traffic over TP tunnels | N | N | N | N | N
IPv6 IPSec sVTI IPv6-in-IPv6 | N | N | N | N | N

1. The SXH software release is for the Catalyst 6500 series switch. This release does not apply to the Cisco 7600 series router.

Table 24-6 lists the supported and unsupported IPSec features in VRF mode for the WS-IPSEC-3 IPSEC VSPA.

Table 24-6 Supported and Unsupported IPSec Features in VRF Mode for WS-IPSEC-3 IPSEC VSPA

Feature Name | Cisco IOS Software Release 15.1(3)S1
Global VRF | Y
Front-door VRF (FVRF) | Y
FVRF on an mGRE tunnel configured on a DMVPN hub | Y
FVRF on an mGRE tunnel configured on a DMVPN spoke | N
Overlapping IP address space in VRFs | Y
Secondary IP addresses on interfaces | N
MPLS over GRE/IPSec (tag switching on tunnel interfaces) | N
PE-PE encryption (IPSec only) over MPLS | N
PE-PE encryption (tunnel protection) over MPLS | N
MPLS PE-CE encryption (Tag2IP) with GRE/TP | Y
MPLS PE-CE encryption (Tag2IP) with sVTI | N
MPLS PE-CE encryption (Tag2IP) with crypto map | N
Crypto maps in VRF-lite | Y
Per-VRF AAA with RADIUS | Y
Per-VRF AAA with Terminal Access Controller Access-Control System (TACACS) | Y
IPSec static virtual tunnel interface (sVTI) | Y
Multicast over sVTI | N
ip tcp adjust-mss command on sVTI or GRE | N
Ingress and egress features (ACL, QOS) on sVTI, GRE/TP, and mGRE tunnel | N
Ingress features (ACL, PBR, inbound service policy) on the outside interface | N
Outbound service policy on the outside interface | Y
TP support in the global context | Y
IPSec SA using crypto map created in transport mode | N
Path MTU discovery (PMTUD) | N
Non-IP version 4 traffic over TP tunnels | N
IPv6 IPSec sVTI IPv6-in-IPv6 | N

Interoperability for SPA-IPSEC-2G IPSEC VPN SPA

Supervisor Engine support varies based on the release. Table 24-7 lists the supported Supervisor Engines for each release for the SPA-IPSEC-2G IPSec VPN SPA.

Table 24-7 Supervisor Engine Support for the SPA-IPSEC-2G IPSec VPN SPA by Release

Release | Supervisor Supported
Cisco IOS Release 12.2(33)SRE | Supervisor Engine RSP720-10GE
Cisco IOS Release 12.2(33)SRC | Supervisor Engine RSP720-1GE, Supervisor Engine 720, Supervisor Engine 32
Cisco IOS Release 12.2(33)SRA | Supervisor Engine 720, Supervisor Engine 32
Cisco IOS Release 12.2(18)SXF2 | Supervisor Engine 720, Supervisor Engine 32, Supervisor Engine 2
Cisco IOS Release 12.2(18)SXE5 | Supervisor Engine 720
Cisco IOS Release 12.2(18)SXE2 | Supervisor Engine 720

The IPSec VPN SPA supports the following interoperability features:
• You may have an IPSec VPN SPA in the same chassis with the following service modules:
  – Firewall Services Module (WS-SVC-FWM-1-K9)
  – Network Analysis Module 2 (WS-SVC-NAM-2)

Line card module support varies based on the release. Table 24-8 lists the known supported line card modules for each release. Note the following guidelines when using this table:
• An “X” in the Qualified column indicates the module was tested; an “X” in the Supported column indicates that the module is supported.
• If the module has a footnote beside the “X” in the Supported column, although the module is supported, some restrictions apply. See the footnote below the table for details of the restriction.
• If the module has an “X” in the Supported column but not in the Qualified column, although the module was not specifically tested, it is supported.
Any line card modules not specifically listed in the table are not supported by TAC/BU.

Table 24-8 Line Card Module Support for the SPA-IPSEC-2G IPSec VPN SPA by Release

Line Card Module | Cisco IOS Release 12.2(18)SX Qualified / Supported; Cisco IOS Release 12.2(33)SR Qualified / Supported
7600-SIP-200, with the following SPAs: SPA-2XOC3-ATM=, SPA-2XOC3-POS=, SPA-2XT3/E3 | X X X X
7600-SIP-400, with the following SPAs: SPA-1XOC12-ATM=, SPA-2XOC3-ATM=, SPA-2X1GE | X(1) X(2) X
7600-SIP-600, with the following SPAs: SPA-1X10GE, SPA-10X1GE | X(3) X
7600-SSC-400 | X X X X
OSM-2OC48/1DPT-SI | X X
OSM-2OC48/1DPT-SL | X X
OSM-2OC48/1DPT-SS | X X X
OSM-8OC3-POS-MM | X X X X
OSM-8OC3-POS-SI | X X
OSM-8OC3-POS-SI+ | X X
OSM-8OC3-POS-SL | X X
OSM-16OC3-POS-MM+ | X X X X
OSM-16OC3-POS-SI | X X
OSM-16OC3-POS-SI+ | X X
OSM-16OC3-POS-SL | X X
OSM-2+4GE-WAN+ | X X X
WS-6182-2PA | X X X X
WS-6582-2PA | X X X X
WS-6802-2PA, with the following PAs: PA-A3-OC3MM, PA-A3-T3, PA-MC-T3 | X X X
WS-SVC-FWM-1 | X X X
WS-SVC-IDSM2 | X X
WS-SVC-IDSUPG | X X
WS-SVC-NAM2 | X X
WS-SVC-WEBVPN-K9 | X X X
WS-X6148-GE-TX | X X X X
WS-X6408A-GBIC | X X X
WS-X6416-GBIC | X X X
WS-X6416-GE-MT | X X
WS-X6502-10GE | X X X X
WS-X6516-GBIC | X X X X
WS-X6516-GE-TX | X X X X
WS-X6516A-GBIC | X X X X
WS-X6548-GE-TX | X X X X
WS-X6548V-GE-TX | X X
WS-X6548-RJ-21 | X X
WS-X6548-RJ-45 | X X X X
WS-X6704-10GE | X X X X
WS-X6724-SFP | X X X X
WS-X6748-GE-TX | X X X X
WS-X6748-SFP | X X X X

1. Cisco IOS Release 12.2(18)SXF2: Switch port configurations are not supported when a Cisco 7600 SIP-400 is present in the chassis.
2. Cisco IOS Release 12.2(33)SRA: Switch port configurations are not supported when a Cisco 7600 SIP-400 is present in the chassis.
3. Cisco IOS Release 12.2(33)SRA: MPLS tunnel recirculation must be enabled when a Cisco 7600 SIP-600 is installed and VRF is to be enabled. That is, you must add the mls mpls tunnel-recir command before entering the crypto engine mode vrf command if a Cisco 7600 SIP-600 is present in the chassis.

Restrictions

Note For other SSC-specific features and restrictions see also Chapter 3, “Overview of the SIPs and SSC” in this guide.

The IPSec VPN SPAs are subject to the following restrictions:

Restrictions for SPA-IPSEC-2G IPSEC VPN SPA

• The SPA-IPSEC-2G IPSec VPN SPA requires Cisco IOS Release 12.2(18)SXE2 or later releases.
• The SPA-IPSEC-2G IPSec VPN SPA is supported only on the Cisco 7600 SSC-400.
• The Cisco 7600 SSC-400 is not Route Processor Redundancy Plus (RPR+) or Stateful Switchover (SSO) aware. As a result, the Cisco 7600 SSC-400 will reset if RPR+ or SSO is configured.
• As of Cisco IOS Release 12.2(33)SRA, the SPA-IPSEC-2G IPSec VPN SPA is only supported on a Cisco 7600 series router using a Supervisor Engine 720 (MSFC3 and PFC3) with a minimum of 512 MB memory or a Supervisor Engine 32. For a list of the Supervisor Engine support for each release, see Table 24-7 on page 24-20.

Note The IPSec VPN SPA MSFC DRAM requirements are as follows:
  – Up to 8,000 tunnels with 512-MB DRAM
  – Up to 16,000 tunnels with 1-GB DRAM
These numbers are chosen to leave some memory available for routing protocols and other applications. However, your particular use of the MSFC may demand more memory than the quantities that are listed above. In an extreme case, you could have one tunnel but still require 512-MB DRAM for other protocols and applications running on the MSFC.
• Only the following Cisco 7600 series routers are supported:
  – 7603 router (CISCO7603)
  – 7604 router (CISCO7604)
  – 7606 router (CISCO7606)
  – 7609 router (CISCO7609)
  – 7609 router (OSR-7609)
  – 7613 router (CISCO7613)

Note Supervisor Engine RSP720-10GE is supported only on the 7606-S chassis (CISCO7606-S) and is not supported on the CISCO7606.

• A maximum of 10 IPSec VPN SPAs per chassis are supported.
• As of Cisco IOS Release 12.2(33)SRA, a maximum of 2000 IPSec tunnels is supported when PKI is configured with the SPA-IPSEC-2G IPSec VPN SPA.
• The ip tcp adjust-mss command is not supported on VTI tunnels in Cisco IOS Release 12.2(33)SRB.
• GRE keepalives are not supported if crypto engine gre vpnblade is configured.

Note In Cisco IOS Release 12.2(18)SXF2 and later releases, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot/subslot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your start-up configuration to avoid extended maintenance time.

• Applying the crypto engine slot outside command on a Port-Channel interface is not supported.

Restrictions for WS-IPSEC-3 IPSEC VSPA

The following restrictions apply to the WS-IPSEC-3 IPSec VSPA on the Cisco 7600:
• The WS-IPSEC-3 IPSec VSPA is supported only on the Cisco 7600 SSC-600 line card.
• The WS-IPSEC-3 IPSec VSPA is available on Cisco IOS Release 15.1(3)S1 or later releases.
• The WS-IPSEC-3 IPSec VSPA is supported only on the SUP 720 3BXL and RSP 720 line cards on the Cisco 7600 platform.
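Several of the restrictions above are easy to miss in a saved configuration during an upgrade: the withdrawn crypto engine subslot command, crypto engine slot ... outside applied under a Port-channel interface, and crypto engine mode vrf entered before mls mpls tunnel-recir on a chassis that holds a SIP-600. The following Python script is an added example, not part of this guide or of Cisco IOS, that scans a startup-config for those three conditions. The sample configuration is constructed for the example; the arguments shown after crypto engine subslot are an assumption, since this chapter documents only that the command keyword was replaced, and whether a SIP-600 is installed is passed in as a flag because the inventory is not visible in the configuration text.

```python
"""Lint a Cisco 7600 IPSec VPN SPA configuration against restrictions from this chapter.

Added example; the configuration below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample startup-config. The arguments after "crypto engine subslot"
# are an assumption: the guide documents only that the command was replaced.
SAMPLE_CONFIG = """\
hostname pe1-7606
!
mls mpls tunnel-recir
crypto engine mode vrf
!
interface GigabitEthernet1/1
 switchport
 switchport access vlan 502
 crypto engine subslot 4/0 outside
!
interface Port-channel10
 crypto engine slot 4/0 outside
!
interface Vlan2
 ip address 10.1.1.1 255.255.255.0
 crypto map vpn-map
 crypto engine slot 4/0 inside
!
"""

INTERFACE = re.compile(r"^interface (\S+)")
DEPRECATED_SUBSLOT = re.compile(r"^\s*crypto engine subslot\b")
SLOT_OUTSIDE = re.compile(r"^\s*crypto engine slot \d+/\d+ outside\b")
MODE_VRF = re.compile(r"^\s*crypto engine mode vrf\b")
TUNNEL_RECIR = re.compile(r"^\s*mls mpls tunnel-recir\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str


def lint_config(config: str, sip600_present: bool = False) -> list[Finding]:
    """Return one Finding per violated restriction, in configuration order."""
    findings: list[Finding] = []
    current_if: str | None = None
    recir_seen = False
    for line_no, line in enumerate(config.splitlines(), start=1):
        if line.strip() and not line.startswith(" "):
            current_if = None  # any unindented line leaves interface configuration mode
        m = INTERFACE.match(line)
        if m:
            current_if = m.group(1)
            continue
        if DEPRECATED_SUBSLOT.match(line):
            findings.append(Finding(line_no, "deprecated-subslot", line.strip()))
        if (SLOT_OUTSIDE.match(line) and current_if
                and current_if.lower().startswith("port-channel")):
            findings.append(Finding(line_no, "outside-on-port-channel", line.strip()))
        if TUNNEL_RECIR.match(line):
            recir_seen = True
        # Footnote 3 of Table 24-8: tunnel recirculation must precede VRF mode with a SIP-600.
        if MODE_VRF.match(line) and sip600_present and not recir_seen:
            findings.append(Finding(line_no, "recir-after-mode-vrf", line.strip()))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings one per line for a pre-upgrade checklist."""
    if not findings:
        return "no restriction violations found"
    return "\n".join(f"line {f.line_no}: {f.rule}: {f.text}" for f in findings)


if __name__ == "__main__":
    print(report(lint_config(SAMPLE_CONFIG, sip600_present=True)))
```

Run against the sample, the script reports the deprecated command under GigabitEthernet1/1 and the outside binding under Port-channel10; the mls mpls tunnel-recir ordering passes because it precedes crypto engine mode vrf. Feed it the output of show startup-config from the device you are about to upgrade.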
Supported MIBs

The following MIBs are supported as of Cisco IOS Release 12.2(18)SXE2 for the Cisco 7600 SSC-400 and the SPA-IPSEC-2G IPSec VPN SPA on a Cisco 7600 series router:
• CISCO-IPSEC-FLOW-MONITOR-MIB

Note Gigabit Ethernet port SNMP statistics (for example, ifHCOutOctets and ifHCInOctets) are not provided for the internal IPSec VPN SPA trunk ports because these ports are not externally operational ports and are used only for configuration.

For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series Router MIB Specifications Guide, at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/technical_references/7600_mib_guides/MIB_Guide_ver_6/mibgde6.html

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you.
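CISCO-IPSEC-FLOW-MONITOR-MI B is the SNMP path to tunnel and session state; the same per-engine counters are printed by the show crypto eli command (see the sample output in the “Displaying the SPA Hardware Type” section below). The following Python helper is an added example, not part of this guide or of Cisco IOS: it parses show crypto eli output and raises alerts when an engine is not in the Active state, when any IKE, Diffie-Hellman or IPSec setup has failed since the counters were cleared, or when a session counter is close to its maximum. The counter values in the sample text are the ones printed in this chapter; the exact whitespace layout of the sample is an assumption.

```python
"""Parse 'show crypto eli' output from a Cisco 7600 IPSec VPN SPA and flag problems.

Added example, not part of this guide. Counter values are those printed in this
chapter; the whitespace layout of the sample is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_SHOW_CRYPTO_ELI = """\
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 2

CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
    Capability    : IPSEC: DES, 3DES, AES, RSA
    IKE-Session   :     0 active, 16383 max, 0 failed
    DH            :     0 active,  9999 max, 0 failed
    IPSec-Session :     0 active, 65534 max, 0 failed

CryptoEngine SPA-IPSEC-2G[3/1] details: state = Active
    Capability    : IPSEC: DES, 3DES, AES, RSA
    IKE-Session   :     1 active, 16383 max, 0 failed
    DH            :     0 active,  9999 max, 0 failed
    IPSec-Session :     2 active, 65534 max, 0 failed
"""

ENGINE_RE = re.compile(r"^CryptoEngine (\S+)\[(\d+)/(\d+)\] details: state = (\w+)")
COUNTER_RE = re.compile(
    r"^\s*(IKE-Session|DH|IPSec-Session)\s*:\s*(\d+) active,\s*(\d+) max,\s*(\d+) failed")


@dataclass
class Counter:
    active: int
    maximum: int
    failed: int


@dataclass
class Engine:
    model: str
    slot: int
    subslot: int
    state: str
    counters: dict[str, Counter] = field(default_factory=dict)

    @property
    def name(self) -> str:
        return f"{self.model}[{self.slot}/{self.subslot}]"


def parse_show_crypto_eli(text: str) -> list[Engine]:
    """Build one Engine per 'CryptoEngine ...' block, attaching the counter lines that follow it."""
    engines: list[Engine] = []
    for line in text.splitlines():
        m = ENGINE_RE.match(line.strip())
        if m:
            engines.append(Engine(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
            continue
        m = COUNTER_RE.match(line)
        if m and engines:
            engines[-1].counters[m.group(1)] = Counter(
                int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return engines


def check_engines(engines: list[Engine], util_threshold: float = 0.8) -> list[str]:
    """Alert on a non-Active engine, any failed setups, or a counter at or above the threshold."""
    alerts: list[str] = []
    for e in engines:
        if e.state != "Active":
            alerts.append(f"{e.name}: state is {e.state}")
        for kind, c in e.counters.items():
            if c.failed:
                alerts.append(f"{e.name}: {c.failed} failed {kind} setups")
            if c.maximum and c.active / c.maximum >= util_threshold:
                alerts.append(f"{e.name}: {kind} at {c.active}/{c.maximum}")
    return alerts


if __name__ == "__main__":
    parsed = parse_show_crypto_eli(SAMPLE_SHOW_CRYPTO_ELI)
    for e in parsed:
        print(e.name, {k: (c.active, c.maximum, c.failed) for k, c in e.counters.items()})
    print(check_engines(parsed) or "healthy")
```

A non-zero failed count on IKE-Session is the first thing to look at when peers report tunnels that will not come up, and the IKE-Session maximum of 16383 is the practical ceiling to watch against the DRAM-based tunnel limits given in the Restrictions section.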
IPSec VPN SPA Hardware Configuration Guidelines

The configuration guidelines for IPSec VPN SPA hardware are as follows:
• For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.
• Some CLI commands require you to specify the inside and outside ports of the IPsec VPN Module in the format slot/subslot/port. Although the IPsec VPN Module ports are not actual Gigabit Ethernet ports, and do not share all properties of external Gigabit Ethernet interfaces, they can be addressed for configuration as Gigabit Ethernet trunk ports, using port numbers as follows:
  – Port 1—Inside port, attached to interface VLAN
  – Port 2—Outside port, attached to port VLAN
  For example, to configure the outside port of an IPsec VPN Module in the first subslot (subslot 0) of a Cisco 7600 SSC-400 in slot 6 of a Cisco 7600 series router, enter the following command:
  Router(config)# interface GigabitEthernet6/0/2
• The show crypto engine configuration command does not show the IPSec VPN SPA subslot number when there is no crypto connection, even if the adapter is installed in the chassis.
• When you remove an IPSec VPN SPA that has some ports participating in crypto connections, the crypto configuration remains intact. When you reinsert the same type of IPSec VPN SPA into the same slot, the crypto connections will be reestablished. To move the IPSec VPN SPA to a different slot, you must first manually remove the crypto connections before removing the IPSec VPN SPA. You can enter the no crypto connect vlan command from any interface when the associated physical port is removed.
• When you reboot an IPSec VPN SPA that has crypto connections, the existing crypto configuration remains intact. The crypto connections will be reestablished after the IPSec VPN SPA reboots.
When a crypto connection exists but the associated interface VLAN is missing from the IPSec VPN SPA inside port, the crypto connection is removed after the IPSec VPN SPA reboots.
• When you remove a port VLAN or an interface VLAN with the no interface vlan command, the associated crypto connection is also removed.

Displaying the SPA Hardware Type

There are several commands on the Cisco 7600 series router that provide IPSec VPN SPA hardware information.
• To verify the SPA hardware type that is installed in your router, use the show module command.
• To display hardware information for the IPSec VPN SPA, use the show crypto eli command.
For more information about these commands, see the Cisco 7600 Series Router Command Reference, 12.2SR.

Example of the show module Command

The following example shows output from the show module command on a Cisco 7600 series router with an IPSec VPN SPA installed in subslot 0 of a Cisco 7600 SSC-400 that is installed in slot 4:

Router# show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4    0  2-subslot Services SPA Carrier-400     7600-SSC-400       JAB1104013N

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  4  001a.a1aa.95f0 to 001a.a1aa.962f   2.0    12.2(33)SXH  12.2(33)SXH  Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
 4/0 2 Gbps IPSec SPA            SPA-IPSEC-2G       JAB1048075L 1.0     Ok

Mod  Online Diag Status
---- -------------------
  4  Pass
 4/0 Pass

The following is a sample output from the show module command on a Cisco 7600 series router with a WS-IPSEC-3 IPSec VSPA installed in subslot 1 of a Cisco 7600 SSC-600 that is installed in slot 2:

Router# show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2    0  2-subslot Services SPA Carrier-600     WS-SSC-600         SAL144705A5

Mod MAC addresses                       Hw    Fw            Sw           Status
--- ---------------------------------- ----- ------------- ------------ -------
  2  e05f.b9a1.5b50 to e05f.b9a1.5b57   1.0   15.1(NTLYIND_ 15.1(NTLYIND Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
 2/1 IPSec Accelerator 3         WS-IPSEC-3         SAL150353Y7 1.1     Ok

Mod  Online Diag Status
---- -------------------
  2  Pass
 2/1 Pass

Example of the show crypto eli Command

The following example shows output from the show crypto eli command on a Cisco 7600 series router with IPSec VPN SPAs installed in subslots 0 and 1 of a Cisco 7600 SSC-400 that is installed in slot 3. The output displays how many IKE-SAs and IPSec sessions are active and how many Diffie-Hellman keys are in use for each IPSec VPN SPA.

Router# show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 2

CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
    Capability    : IPSEC: DES, 3DES, AES, RSA
    IKE-Session   :     0 active, 16383 max, 0 failed
    DH            :     0 active,  9999 max, 0 failed
    IPSec-Session :     0 active, 65534 max, 0 failed

CryptoEngine SPA-IPSEC-2G[3/1] details: state = Active
    Capability    : IPSEC: DES, 3DES, AES, RSA
    IKE-Session   :     1 active, 16383 max, 0 failed
    DH            :     0 active,  9999 max, 0 failed
    IPSec-Session :     2 active, 65534 max, 0 failed
Router#

The following is a sample output from the show crypto eli command on a Cisco 7600 series router with an IPSec VSPA installed in subslot 1 of a Cisco 7600 SSC-600 that is installed in slot 2. The output displays how many IKE-SAs and IPSec sessions are active and how many Diffie-Hellman keys are in use for the IPSec VSPA.

Router# show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1

CryptoEngine WS-IPSEC-3[2/1] details: state = Active
    Capability    : DES, 3DES, AES, RSA
    IKE-Session   :     0 active, 16383 max, 0 failed
    DH            :     0 active,  9999 max, 0 failed
    IPSec-Session :     0 active, 65534 max, 0 failed

CHAPTER 25

Configuring VPNs in Crypto-Connect Mode

This chapter provides information about configuring IPSec VPNs in crypto-connect mode, one of the two VPN configuration modes supported by the IPSec VPN SPA.
For information on the other VPN mode, Virtual Routing and Forwarding (VRF) mode, see Chapter 26, “Configuring VPNs in VRF Mode.”

This chapter includes the following topics:
• Configuring Ports in Crypto-Connect Mode, page 25-2
• Configuring GRE Tunneling in Crypto-Connect Mode, page 25-21
• Configuration Examples, page 25-28

For general information on configuring IPSec VPNs with the IPSec VPN SPA, see the “Overview of Basic IPSec and IKE Configuration Concepts” section on page 24-5.

Note The procedures in this chapter assume you have familiarity with security configuration concepts, such as VLANs, ISAKMP policies, preshared keys, transform sets, access control lists, and crypto maps. For detailed information on configuring these features, refer to the following Cisco IOS documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html

For additional information about the commands used in this chapter, refer to the Cisco IOS Software Releases 12.2SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information about accessing these publications, see the “Related Documentation” section on page xlvii.

Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.
Configuring Ports in Crypto-Connect Mode

Before beginning your crypto-connect mode port configurations, you should read the following subsections:
• Understanding Port Types in Crypto-Connect Mode, page 25-2
• Crypto-Connect Mode Configuration Guidelines and Restrictions, page 25-5

Then perform the procedures in the following subsections:
• Configuring the IPSec VPN SPA Inside Port and Outside Port, page 25-7
• Configuring an Access Port, page 25-8
• Configuring a Routed Port, page 25-11
• Configuring a Trunk Port, page 25-15
• Configuring IPSec VPN SPA Connections to WAN Interfaces, page 25-20
• Displaying the VPN Running State, page 25-21

Note The configuration procedures in this section do not provide GRE tunneling support. For information on how to configure GRE tunneling support in crypto-connect mode, see the “Configuring GRE Tunneling in Crypto-Connect Mode” section on page 25-21.

Note The procedures in this section do not provide detailed information on configuring the following Cisco IOS features: IKE policies, preshared key entries, Cisco IOS ACLs, and crypto maps.
For detailed information on configuring these features, refer to the following Cisco IOS documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html

Understanding Port Types in Crypto-Connect Mode

To configure IPSec VPNs in crypto-connect mode, you should understand the following concepts:
• Router Outside Ports and Inside Ports, page 25-3
• IPSec VPN SPA Outside Port and Inside Port, page 25-3
• Port VLAN and Interface VLAN, page 25-3
• Access Ports, Trunk Ports, and Routed Ports, page 25-4

Router Outside Ports and Inside Ports

The Fast Ethernet or Gigabit Ethernet ports on the Cisco 7600 series router that connect to the WAN routers are referred to as router outside ports. These ports connect the LAN to the Internet or to remote sites. Cryptographic policies are applied to the router outside ports.

The Fast Ethernet or Gigabit Ethernet ports on the Cisco 7600 series router that connect to the LAN are referred to as router inside ports.

The IPSec VPN SPA sends encrypted packets to the router outside ports and decrypted packets to the Policy Feature Card (PFC) for Layer 3 forwarding to the router inside ports.

IPSec VPN SPA Outside Port and Inside Port

The IPSec VPN SPA appears to the CLI as a SPA with two Gigabit Ethernet ports. The IPSec VPN SPA has no external connectors; the Gigabit Ethernet ports connect the IPSec VPN SPA to the router backplane and Switch Fabric Module (SFM) (if installed). One Gigabit Ethernet port handles all the traffic going to and coming from the router outside ports.
This port is referred to as the IPSec VPN SPA outside port. The other Gigabit Ethernet port handles all traffic going to and coming from the LAN or router inside ports. This port is referred to as the IPSec VPN SPA inside port.

Port VLAN and Interface VLAN

Your VPN configuration can have one or more router outside ports. To handle the packets from multiple router outside ports, you must direct the packets from those router outside ports to the IPSec VPN SPA outside port by placing the router outside ports in a VLAN with the outside port of the IPSec VPN SPA. This VLAN is referred to as the port VLAN. The port VLAN is a Layer 2-only VLAN. You do not configure Layer 3 addresses or features on this VLAN; the packets within the port VLAN are bridged by the PFC.

Before the router can forward the packets using the correct routing table entries, the router needs to know which interface a packet was received on. For each port VLAN, you must create another VLAN so that the packets from every router outside port are presented to the router with the corresponding VLAN ID. This VLAN contains only the IPSec VPN SPA inside port and is referred to as the interface VLAN. The interface VLAN is a Layer 3-only VLAN. You configure the Layer 3 address and Layer 3 features, such as ACLs and the crypto map, on the interface VLAN.

You associate the port VLAN and the interface VLAN together using the crypto engine slot command on the interface VLAN followed by the crypto connect vlan command on the port VLAN. Figure 25-1 shows an example of the port VLAN and interface VLAN configurations.

Figure 25-1 Port VLAN and Interface VLAN Configuration Example

Port VLAN 502 and port VLAN 503 are the port VLANs that are associated with two router outside ports.
Interface VLAN 2 and interface VLAN 3 are the interface VLANs that correspond to port VLAN 502 and port VLAN 503, respectively. You configure the IP address, ACLs, and crypto map that apply to one router outside port on interface VLAN 2. You configure the features that apply to the other router outside port on interface VLAN 3.

Packets coming from the WAN through the router outside port belonging to VLAN 502 are directed by the PFC to the IPSec VPN SPA outside port. The IPSec VPN SPA decrypts the packets, changes the VLAN to interface VLAN 2, and then presents the packet to the router through the IPSec VPN SPA inside port. The PFC then routes the packet to the proper destination.

Packets going from the LAN to the outside ports are first routed by the PFC. Based on the route, the PFC routes the packets to one of the interface VLANs and directs the packet to the IPSec VPN SPA inside port. The IPSec VPN SPA applies the cryptographic policies that are configured on the corresponding interface VLAN, encrypts the packet, changes the VLAN ID to the corresponding port VLAN, and sends the packet to the router outside port through the IPSec VPN SPA outside port.

Access Ports, Trunk Ports, and Routed Ports

When you configure VPNs on the IPSec VPN SPA using crypto-connect mode, you attach crypto maps to interface VLANs. Using the crypto connect vlan command, you then attach an interface VLAN either to a Layer 2 port VLAN associated with one or more physical ports, or directly to a physical port. The physical ports can be ATM, POS, serial, or Ethernet ports.

When you crypto-connect an interface VLAN to a port VLAN that is attached to one or more Ethernet ports configured in switchport mode, the Ethernet ports can be configured as either access ports or trunk ports:
• Access ports—Access ports are switch ports that have an external or VLAN Trunk Protocol (VTP) VLAN associated with them. You can associate more than one port to a defined VLAN.
[Figure 25-1 (image not reproduced): IPSec VPN SPA outside port in port VLAN 502 and port VLAN 503; inside port in interface VLAN 2 and interface VLAN 3; MSFC/PFC; two router outside ports]

• Trunk ports—Trunk ports are switch ports that carry many external or VTP VLANs, on which all packets are encapsulated with an 802.1Q header.

When you crypto-connect an interface VLAN to a physical Ethernet port without defining a port VLAN, a hidden port VLAN is automatically created and associated with the port. In this configuration, the Ethernet port is a routed port:
• Routed ports—By default, every Ethernet port is a routed port until it is configured as a switch port. A routed port may or may not have an IP address assigned to it, but its configuration does not include the switchport command.

Crypto-Connect Mode Configuration Guidelines and Restrictions

Follow these guidelines and restrictions to prevent IPSec VPN SPA misconfigurations when configuring VPN ports in crypto-connect mode:
• Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.
• When attaching a crypto VLAN to an outside port VLAN or to a physical interface with the crypto connect vlan command, do not apply Layer 3 configurations to that physical interface or port VLAN.

Note Layer 3 configurations (for example, IP address, PIM, et alia) are supported only on the crypto VLAN interface. For WAN PPP and MLPPP interfaces, the ip unnumbered Null0 command is added automatically to the interface configuration for internal Cisco purposes.

• Removing a line in a crypto ACL causes all crypto maps using that ACL to be removed and reattached to the IPSec VPN SPA. This action causes intermittent connectivity problems for all the security associations (SAs) derived from the crypto maps that reference that ACL.
• Do not attach a crypto map set to a loopback interface. However, you can maintain an IPSec security association database independent of physical ingress and egress interfaces with the IPSec VPN SPA by entering the crypto map local-address command. If you apply the same crypto map set to each secure interface and enter the crypto map local-address command with the interface as a loopback interface, you will have a single security association database for the set of secure interfaces. If you do not enter the crypto map local-address command, the number of IKE security associations is equal to the number of interfaces attached.
• You can attach the same crypto map to multiple interfaces only if the interfaces are all bound to the same crypto engine.
• If you configure a crypto map with an empty ACL (an ACL that is defined but has no lines) and attach the crypto map to an interface, all traffic goes out of the interface in the clear (unencrypted) state.
• Do not convert existing crypto-connected port characteristics. When the characteristics of a crypto-connected access port or a routed port change (switch port to routed port or vice versa), the associated crypto connection is deleted.
• Do not remove the interface VLAN or port VLAN from the VLAN database. All interface VLANs and port VLANs must be in the VLAN database. When you remove these VLANs from the VLAN database, the running traffic stops. When you enter the crypto connect vlan command and the interface VLAN or port VLAN is not in the VLAN database, this warning message is displayed:

VLAN id 2 not found in current VLAN database. It may not function correctly unless VLAN 2 is added to VLAN database.

• When replacing a crypto map on an interface, always enter the no crypto map command before reapplying a crypto map on the interface.
• Inbound and outbound traffic for the same tunnel must use the same outside interface. Asymmetric routing, in which encrypted traffic uses a different outside interface than decrypted traffic for the same tunnel, is not supported.
• After a supervisor engine switchover, the installed SPAs reboot and come back online. During this period, the IPSec VPN SPA’s established security associations (SAs) are temporarily lost and are reconstructed after the SPA comes back online. The reconstruction is through IKE (it is not instantaneous).
• Crypto ACLs support only the EQ operator. Other operators, such as GT, LT, and NEQ, are not supported.
• Noncontiguous subnets in a crypto ACL, as in the following example, are not supported:

deny ip 10.0.5.0 0.255.0.255 10.0.175.0 0.255.0.255
deny ip 10.0.5.0 0.255.0.255 10.0.176.0 0.255.0.255

• ACL counters are not supported for crypto ACLs.
• An egress ACL is not applied to packets generated by the route processor. An ingress ACL is not applied to packets destined for the route processor.
• Do not apply an IP ACL to the crypto-connect interface or port VLAN. Instead, you can apply IP ACLs to the interface VLAN, as in the following example:

interface GigabitEthernet1/2
! switch outside port
 switchport
 switchport access vlan 502
 switchport mode access
 ip access-group TEST_INBOUND in     <--- do not apply IP ACL here
!
interface Vlan2
! interface VLAN
 ip address 11.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
 ip access-group TEST_INBOUND in     <--- apply IP ACL here
!
interface Vlan502
! port VLAN
 no ip address
 crypto connect vlan 2
 ip access-group TEST_INBOUND in     <--- do not apply IP ACL here
!

Note An IP ACL on the interface VLAN will not block inbound encrypted traffic from reaching the VSPA, but can prevent traffic from being routed further after decryption.

• In Cisco IOS Release 12.2(33)SXF and earlier releases, IPsec can be configured with manual keying instead of IKE.
If you configure manual keying, you must configure the SPI to be greater than 4096.

Supported and Unsupported Features in Crypto-Connect Mode

A list of the supported and unsupported features in crypto-connect mode can be found in the “IPSec Feature Support” section on page 24-8.

Configuring the IPSec VPN SPA Inside Port and Outside Port

In most cases, you do not explicitly configure the IPSec VPN SPA inside and outside ports. Cisco IOS software configures these ports automatically.

IPSec VPN SPA Inside and Outside Port Configuration Guidelines and Restrictions

When configuring the IPSec VPN SPA inside and outside ports, follow these guidelines:
• Do not change the port characteristics of the IPSec VPN SPA inside or outside port unless it is necessary to set the trusted state. Cisco IOS software configures the ports automatically.

Note Although the default trust state of the inside port is trusted, certain global settings may cause the state to change. To preserve the ToS bytes for VPN traffic in both directions, configure the mls qos trust command on both the inside and outside ports to set the interface to the trusted state. For information on the mls qos trust command, see the “Configuring QoS on the SPA-IPSEC-2G IPSEC VPN SPA” section on page 29-15.
If you accidentally change the inside port characteristics, enter the following commands to return the port characteristics to the defaults:

Router(config-if)# switchport
Router(config-if)# no switchport access vlan
Router(config-if)# switchport trunk allowed vlan 1,1002-1005
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport mode trunk
Router(config-if)# mtu 9216
Router(config-if)# flow control receive on
Router(config-if)# flow control send off
Router(config-if)# span portfast trunk

• Do not configure allowed VLANs on the inside trunk port. Cisco IOS software configures the VLAN list on the inside port automatically based on the crypto engine slot command. These VLANs are visible in the port configuration using the show run command.
• Do not configure allowed VLANs on the outside trunk port. Cisco IOS software configures these VLANs automatically as hidden VLANs. These VLANs are not visible in the port configuration using the show run command.
• Do not remove a VLAN from the IPSec VPN SPA inside port. The running traffic stops when you remove an interface VLAN from the IPSec VPN SPA inside port while the crypto connection to the interface VLAN exists. The crypto connection is not removed and the crypto connect vlan command still shows up in the show running-config command display. If you enter the write memory command with this running configuration, your startup-configuration file would be misconfigured.

Note It is not possible to remove an interface VLAN from the IPSec VPN SPA inside port while the crypto connection to the interface VLAN exists. You must first remove the crypto connection.

• Do not remove a VLAN from the IPSec VPN SPA outside port.
The running traffic stops when you remove a port VLAN from the IPSec VPN SPA outside port while the crypto connection to the interface VLAN exists. The crypto connection is not removed and the crypto connect vlan command still shows up in the show running-config command display. Removing a VLAN from the IPSec VPN SPA outside port does not affect anything in the startup-configuration file because the port VLAN is automatically added to the IPSec VPN SPA outside port when the crypto connect vlan command is entered.

Configuring an Access Port

This section describes how to configure the IPSec VPN SPA with an access port connection to the WAN router (see Figure 25-2).

Figure 25-2 Access Port Configuration Example

[Figure 25-2 (image not reproduced): GigabitEthernet 1/2 WAN interface access port in port VLAN 502, crypto-connected to interface VLAN 2 (192.168.100.254) on the MSFC/PFC; IPSec VPN SPA in slot 4, subslot 0, with outside port Gi4/0/2 and inside port Gi4/0/1]

Note Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.

To configure an access port connection to the WAN router, perform the following task beginning in global configuration mode:

Step 1
Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Defines an ISAKMP policy and enters ISAKMP policy configuration mode.
• priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 2
Router(config)# crypto isakmp key keystring address peer-address
Configures a preshared authentication key.
• keystring—Preshared key.
• peer-address—IP address of the remote peer.
For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 3
Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
...
Router(config-crypto-tran)# exit
Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.
• transform-set-name—Name of the transform set.
• transform1 [transform2 [transform3]]—Defines IPSec security protocols and algorithms. For accepted transform values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 4
Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard
Defines an extended IP access list.
• access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
• {deny | permit}—Denies or permits access if the conditions are met.
• source—Address of the host from which the packet is being sent.
• source-wildcard—Wildcard bits to be applied to the source address.
• destination—Address of the host to which the packet is being sent.
• destination-wildcard—Wildcard bits to be applied to the destination address.
For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 5
Router(config)# crypto map map-name seq-number ipsec-isakmp
...
Router(config-crypto-map)# exit
Creates or modifies a crypto map entry and enters crypto map configuration mode.
• map-name—Name that identifies the crypto map set.
• seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.
• ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.
For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 6
Router(config)# vlan inside-vlan-id
Adds the VLAN ID into the VLAN database.
• inside-vlan-id—VLAN identifier.

Step 7
Router(config)# vlan outside-vlan-id
Adds the VLAN ID into the VLAN database.
• outside-vlan-id—VLAN identifier.

Step 8
Router(config)# interface vlan inside-vlan-id
Enters interface configuration mode for the specified VLAN interface.
• inside-vlan-id—VLAN identifier.

Step 9
Router(config-if)# description inside_interface_vlan_for_crypto_map
(Optional) Adds a comment to help identify the interface.

Step 10
Router(config-if)# ip address address mask
Specifies the IP address and subnet mask for the interface.
• address—IP address.
• mask—Subnet mask.

Step 11
Router(config-if)# crypto map map-name
Applies a previously defined crypto map set to the interface.
• map-name—Name that identifies the crypto map set. Enter the map-name value you created in Step 5.

Step 12
Router(config-if)# no shutdown
Enables the interface as a Layer 3 inside interface VLAN.

Step 13
Router(config-if)# crypto engine slot slot/subslot
Assigns the crypto engine to the crypto interface VLAN.
• slot/subslot—Enter the slot and subslot where the IPSec VPN SPA is located.

Step 14
Router(config)# interface vlan outside-vlan-id
Enters interface configuration mode for the specified VLAN interface.
• outside-vlan-id—VLAN identifier.

Step 15
Router(config-if)# description outside_access_vlan
(Optional) Adds a comment to help identify the interface.

Step 16
Router(config-if)# no shutdown
Enables the interface as an outside access port VLAN.

Step 17
Router(config-if)# crypto connect vlan inside-vlan-id
Connects the outside access port VLAN to the inside interface VLAN and enters crypto-connect mode.
• inside-vlan-id—VLAN identifier.

Step 18
Router(config-if)# interface gigabitethernet slot/subslot/port
Enters interface configuration mode for the secure port.

Step 19
Router(config-if)# description outside_secure_port
(Optional) Adds a comment to help identify the interface.

Step 20
Router(config-if)# switchport
Configures the interface for Layer 2 switching.

Step 21
Router(config-if)# switchport access vlan outside-vlan-id
Specifies the default VLAN for the interface.
• outside-vlan-id—VLAN identifier.

Step 22
Router(config-if)# exit
Exits interface configuration mode.

For access port configuration examples, see the “Access Port in Crypto-Connect Mode Configuration Example” section on page 25-29.

Verifying the Access Port Configuration

To verify an access port configuration, enter the show crypto vlan command.

Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 502 with crypto map set MyMap

Configuring a Routed Port

This section describes how to configure the IPSec VPN SPA with a routed port connection to the WAN router (see Figure 25-3).

Note When a routed port without an IP address is crypto-connected to an interface VLAN, a hidden port VLAN is created automatically. This port VLAN is not explicitly configured by the user and does not appear in the running configuration.

Figure 25-3 Routed Port Configuration Example

Routed Port Configuration Guidelines

When configuring a routed port using the IPSec VPN SPA, follow these configuration guidelines:
• When a routed port has a crypto connection, IP ACLs cannot be attached to the routed port. Instead, you can apply IP ACLs to the attached interface VLAN.
• Unlike an access port or trunk port, the routed port does not use the switchport command in its configuration.

[Figure 25-3 (image not reproduced): GigabitEthernet 1/2 WAN interface routed port, crypto-connected through an automatically created port VLAN to interface VLAN 2 (192.168.100.254) on the MSFC/PFC; IPSec VPN SPA in slot 4, subslot 0, with outside port Gi4/0/2 and inside port Gi4/0/1]

To configure a routed port connection to the WAN router, perform this task beginning in global configuration mode:

Step 1
Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Defines an ISAKMP policy and enters ISAKMP policy configuration mode.
• priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 2
Router(config)# crypto isakmp key keystring address peer-address
Configures a preshared authentication key.
• keystring—Preshared key.
• peer-address—IP address of the remote peer.
For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 3
Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
...
Router(config-crypto-tran)# exit
Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.
• transform-set-name—Name of the transform set.
• transform1 [transform2 [transform3]]—Defines IPSec security protocols and algorithms. For accepted transform values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.
Step 4
Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard
Defines an extended IP access list.
• access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
• {deny | permit}—Denies or permits access if the conditions are met.
• source—Address of the host from which the packet is being sent.
• source-wildcard—Wildcard bits to be applied to the source address.
• destination—Address of the host to which the packet is being sent.
• destination-wildcard—Wildcard bits to be applied to the destination address.
For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 5
Router(config)# crypto map map-name seq-number ipsec-isakmp
...
Router(config-crypto-map)# exit
Creates or modifies a crypto map entry and enters crypto map configuration mode.
• map-name—Name that identifies the crypto map set.
• seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.
• ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.
For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 6
Router(config)# vlan inside-vlan-id
Adds the VLAN ID into the VLAN database.
• inside-vlan-id—VLAN identifier.

Step 7
Router(config)# interface vlan inside-vlan-id
Enters interface configuration mode for the specified VLAN interface.
• inside-vlan-id—VLAN identifier.

Step 8
Router(config-if)# description inside_interface_vlan_for_crypto_map
(Optional) Adds a comment to help identify the interface.

Step 9
Router(config-if)# ip address address mask
Specifies the IP address and subnet mask for the interface.
• address—IP address.
• mask—Subnet mask.
Step 10
Router(config-if)# crypto map map-name
Applies a previously defined crypto map set to the interface.
• map-name—Name that identifies the crypto map set. Enter the map-name value you created in Step 5.

Step 11
Router(config-if)# no shutdown
Enables the interface as a Layer 3 crypto interface VLAN.

Step 12
Router(config-if)# crypto engine slot slot/subslot
Assigns the crypto engine to the crypto interface VLAN.
• slot/subslot—Enter the slot and subslot where the IPSec VPN SPA is located.

Step 13
Router(config-if)# interface gigabitethernet slot/subslot/port
Enters interface configuration mode for the secure port.

Step 14
Router(config-if)# description outside_secure_port
(Optional) Adds a comment to help identify the interface.

Step 15
Router(config-if)# crypto connect vlan inside-vlan-id
Connects the routed port to the crypto interface VLAN and enters crypto-connect mode.
• inside-vlan-id—VLAN identifier.

Step 16
Router(config-if)# exit
Exits interface configuration mode.

For routed port configuration examples, see the “Routed Port in Crypto-Connect Mode Configuration Example” section on page 25-31.

Verifying a Routed Port Configuration

To verify a routed port configuration, enter the show crypto vlan command. In the following example, Gi 1/2 is the crypto-connected port:

Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to Gi1/2 with crypto map set MyMap

Configuring a Trunk Port

Caution When you configure an Ethernet port as a trunk port, all the VLANs are allowed on the trunk port by default. This default configuration does not work well with the IPSec VPN SPA and causes network loops. To avoid this problem, you must explicitly specify only the desirable VLANs.
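The restrictions in this section (no IP ACL on the secure port or port VLAN, no crypto map set on a loopback, only the EQ operator in crypto ACLs) and the trunk-port Caution above can be checked mechanically against a running-config. The following Python script is an added example, not code from this guide: it parses a constructed running-config built around the access-port topology of the previous procedure, replays each trunk port's switchport trunk allowed vlan commands to compute the effective allowed list, and reports every violation it finds. All interface names, VLAN numbers, ACL numbers and addresses in the sample config are made up for illustration.

```python
"""Added example (not the guide's code): check an IOS running-config against the crypto-connect restrictions in this chapter. Numbered ACLs only."""
import re

ALL_VLANS = frozenset(range(1, 4095))

# Constructed running-config: the access-port topology from the procedure above (Gi1/2 in port
# VLAN 502, interface VLAN 2 crypto-connected to it) plus deliberate guideline violations.
CONSTRUCTED_CONFIG = """\
crypto map testtag 10 ipsec-isakmp
 match address 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 gt 1023
interface Loopback0
 crypto map testtag
interface Vlan2
 ip address 192.168.100.254 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
 ip access-group TEST_INBOUND in
interface Vlan502
 crypto connect vlan 2
 ip access-group TEST_INBOUND in
interface GigabitEthernet1/2
 switchport
 switchport access vlan 502
interface GigabitEthernet1/3
 switchport
 switchport mode trunk
 switchport trunk allowed vlan add 502
"""


def parse_config(cfg):
    """Split an IOS config into {interface: [sub-commands]} plus the remaining lines."""
    interfaces, top, current = {}, [], None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            top.append(line.strip())
    return interfaces, top


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,502,1002-1005' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def effective_trunk_vlans(iface_lines):
    """Replay the allowed-VLAN commands of one trunk; the default is every VLAN, so 'add' alone changes nothing."""
    allowed = set(ALL_VLANS)
    for line in iface_lines:
        m = re.fullmatch(r"switchport trunk allowed vlan(?: (add|remove|all))?(?: (\S+))?", line)
        if not m:
            continue
        op, spec = m.groups()
        if op == "all":
            allowed = set(ALL_VLANS)
        elif op == "add":
            allowed |= parse_vlan_list(spec)
        elif op == "remove":
            allowed -= parse_vlan_list(spec)
        elif spec:
            allowed = parse_vlan_list(spec)
    return allowed


def interface_findings(interfaces):
    findings = []
    # Interface VLANs are the Layer 3 VLANs bound to the SPA with crypto engine slot.
    interface_vlans = {int(n[4:]) for n, ls in interfaces.items()
                       if n.startswith("Vlan") and any(l.startswith("crypto engine slot") for l in ls)}
    for name, lines in interfaces.items():
        on_crypto_path = "switchport" in lines or any(l.startswith("crypto connect vlan") for l in lines)
        if name.startswith("Loopback") and any(l.startswith("crypto map") for l in lines):
            findings.append(f"{name}: crypto map set attached to a loopback interface")
        if on_crypto_path and any(l.startswith("ip access-group") for l in lines):
            findings.append(f"{name}: IP ACL on a secure port or port VLAN; apply it to the interface VLAN instead")
        if "switchport mode trunk" in lines:
            allowed = effective_trunk_vlans(lines)
            if allowed == ALL_VLANS:
                findings.append(f"{name}: trunk allows all VLANs; list only the desired VLANs explicitly")
            if allowed & interface_vlans:
                findings.append(f"{name}: trunk allowed list includes interface VLAN(s) {sorted(allowed & interface_vlans)}")
    return findings


def crypto_acl_findings(top):
    findings = []
    for acl in {l.split()[2] for l in top if l.startswith("match address ")}:
        for entry in (l for l in top if l.startswith(f"access-list {acl} ")):
            if re.search(r"\b(gt|lt|neq|range)\b", entry):
                findings.append(f"ACL {acl}: crypto ACLs support only the eq operator: {entry}")
    return findings


def lint(cfg):
    interfaces, top = parse_config(cfg)
    return interface_findings(interfaces) + crypto_acl_findings(top)
```

Running lint(CONSTRUCTED_CONFIG) reports the loopback crypto map, the ACL on port VLAN 502, the trunk on Gi1/3 (still allowing all VLANs, interface VLAN 2 included, because add was used without a prior allowed list) and the gt entry in ACL 101, while Vlan2 and the access port Gi1/2 pass.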
This section describes how to configure the IPSec VPN SPA with a trunk port connection to the WAN router (see Figure 25-4).

Figure 25-4 Trunk Port Configuration Example

[Figure 25-4 (image not reproduced): GigabitEthernet 1/2 WAN interface trunk port in port VLAN 502, crypto-connected to interface VLAN 2 (192.168.100.254) on the MSFC/PFC; IPSec VPN SPA in slot 4, subslot 0, with outside port Gi4/0/2 and inside port Gi4/0/1]

Note Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.

Trunk Port Configuration Guidelines

When configuring a trunk port using the IPSec VPN SPA, follow these configuration guidelines:
• When you configure a trunk port for cryptographic connection, do not use the “all VLANs allowed” default. You must explicitly specify all the desirable VLANs using the switchport trunk allowed vlan command.
• Due to an incorrect startup configuration or through the default trunk port configuration, an interface VLAN might be associated with a trunk port. When you try to remove the interface VLAN from the VLAN list, you might receive an error message similar to the following:

Command rejected:VLAN 2 is crypto connected to V502.

To remove the interface VLAN from the VLAN list, enter the following commands:

Router# configure terminal
Router(config)# interface gigabitethernet1/2
Router(config-if)# no switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1,502,1002-1005

Note VLANs in the VLAN list must not include any interface VLANs.
• To ensure that no interface VLANs are associated when you put an Ethernet port into the trunk mode, enter the following commands in the exact order given:

Router# configure terminal
Router(config)# interface gigabitethernet1/2
Router(config-if)# no shut
Router(config-if)# switchport
Router(config-if)# switchport trunk allowed vlan 1
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1,502,1002-1005

Note VLANs in the VLAN list must not include any interface VLANs.

• A common mistake when configuring a trunk port occurs when you use the add option as follows:

Router(config-if)# switchport trunk allowed vlan add 502

If the switchport trunk allowed vlan command has not already been used, the add option does not make VLAN 502 the only allowed VLAN on the trunk port; all VLANs are still allowed after entering the command because all the VLANs are allowed by default. After you use the switchport trunk allowed vlan command to add a VLAN, you can then use the switchport trunk allowed vlan add command to add additional VLANs.
• To remove unwanted VLANs from a trunk port, use the switchport trunk allowed vlan remove command.

Caution Do not enter the switchport trunk allowed vlan all command on a secured trunk port. In addition, do not set the IPSec VPN SPA inside and outside ports to “all VLANs allowed.”

To configure a trunk port connection to the WAN router, perform this task beginning in global configuration mode:

Step 1
Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Defines an ISAKMP policy and enters ISAKMP policy configuration mode.
• priority—Identifies the IKE policy and assigns a priority to the policy.
Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 2
Router(config)# crypto isakmp key keystring address peer-address
Configures a preshared authentication key.
• keystring—Preshared key.
• peer-address—IP address of the remote peer.
For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 3
Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
...
Router(config-crypto-tran)# exit
Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.
• transform-set-name—Name of the transform set.
• transform1 [transform2 [transform3]]—Defines IPSec security protocols and algorithms. For accepted transform values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 4
Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard
Defines an extended IP access list.
• access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
• {deny | permit}—Denies or permits access if the conditions are met.
• source—Address of the host from which the packet is being sent.
• source-wildcard—Wildcard bits to be applied to the source address.
• destination—Address of the host to which the packet is being sent.
• destination-wildcard—Wildcard bits to be applied to the destination address.
For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 5
Router(config)# crypto map map-name seq-number ipsec-isakmp
...
Router(config-crypto-map)# exit Creates or modifies a crypto map entry and enters the crypto map configuration mode. • map-name—Name that identifies the crypto map set. • seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority. • ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations. For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide. Step 6 Router(config)# vlan inside-vlan-id Adds the VLAN ID into the VLAN database. • inside-vlan-id—VLAN identifier. Step 7 Router(config)# vlan outside-vlan-id Adds the VLAN ID into the VLAN database. • outside-vlan-id—VLAN identifier. Step 8 Router(config)# interface vlan inside-vlan-id Enters interface configuration mode for the specified VLAN interface. • inside-vlan-id—VLAN identifier. Step 9 Router(config-if)# description inside_interface_vlan_for_crypto_map (Optional) Adds a comment to help identify the interface. Step 10 Router(config-if)# ip address address mask Specifies the IP address and subnet mask for the interface. • address—IP address. • mask—Subnet mask. Step 11 Router(config-if)# crypto map map-name Applies a previously defined crypto map set to the interface. • map-name—Name that identifies the crypto map set. Enter the map-name value you created in Step 5. Step 12 Router(config-if)# no shutdown Enables the interface as a Layer 3 crypto interface VLAN. Step 13 Router(config-if)# crypto engine slot slot/subslot Assigns the crypto engine to the crypto interface VLAN. • slot/subslot—Enter the slot and subslot where the IPSec VPN SPA is located. Step 14 Router(config)# interface vlan outside-vlan-id Adds the specified VLAN interface as an outside trunk port VLAN and enters interface configuration mode for the specified VLAN interface. • outside-vlan-id—VLAN identifier. Step 15 Router(config-if)# description outside_trunk_port_vlan (Optional) Adds a comment to help identify the interface. 
Step 16
  Router(config-if)# crypto connect vlan inside-vlan-id
  Connects the outside trunk port VLAN to the inside (crypto) interface VLAN and enters crypto-connect mode.
  • inside-vlan-id—VLAN identifier.

Step 17
  Router(config-if)# no shutdown
  Enables the interface as a Layer 3 crypto interface VLAN.

Step 18
  Router(config-if)# interface gigabitethernet slot/subslot/port
  Enters interface configuration mode for the secure port.

Step 19
  Router(config-if)# description outside_secure_port
  (Optional) Adds a comment to help identify the interface.

Step 20
  Router(config-if)# switchport
  Configures the interface for Layer 2 switching.

Step 21
  Router(config-if)# no switchport access vlan
  Resets the access VLAN to the appropriate default VLAN for the device.

Step 22
  Router(config-if)# switchport trunk encapsulation dot1q
  Sets the trunk encapsulation to 802.1Q.

Step 23
  Router(config-if)# switchport mode trunk
  Specifies a trunk VLAN Layer 2 interface.

Step 24
  Router(config-if)# switchport trunk allowed vlan remove vlan-list
  Removes the specified list of VLANs from those currently set to transmit from this interface.
  • vlan-list—List of VLANs that the interface transmits in tagged format when in trunking mode. Valid values are from 1 to 4094.

Step 25
  Router(config-if)# switchport trunk allowed vlan add outside-vlan-id
  Adds the specified VLAN to the list of VLANs currently set to transmit from this interface.
  • outside-vlan-id—VLAN identifier from Step 14.

Step 26
  Router(config-if)# exit
  Exits interface configuration mode.

For trunk port configuration examples, see the “Trunk Port in Crypto-Connect Mode Configuration Example” section on page 25-34.

Verifying the Trunk Port Configuration

To verify the VLANs allowed by a trunk port, enter the show interfaces trunk command. The following display shows that all VLANs are allowed:

  Router# show interfaces GigabitEthernet 1/2 trunk

  Port      Mode         Encapsulation  Status        Native vlan
  Gi1/2     on           802.1q         trunking      1

  Port      Vlans allowed on trunk
  Gi1/2     1-4094

  Port      Vlans allowed and active in management domain
  Gi1/2     1-4,7-8,513,1002-1005

  Port      Vlans in spanning tree forwarding state and not pruned
  Gi1/2     1-4,7-8,513,1002-1005

Configuring IPSec VPN SPA Connections to WAN Interfaces

The configuration of IPSec VPN SPA connections to WAN interfaces is similar to the configuration of Ethernet-routed interfaces.

IPSec VPN SPA Connections to WAN Interfaces Configuration Guidelines and Restrictions

When configuring a connection to a WAN interface using an IPSec VPN SPA, follow these guidelines and note these restrictions:

• To configure an IPSec VPN SPA connection to a WAN interface, make a crypto connection from the WAN subinterface to the interface VLAN as follows:

  Router(config)# interface Vlan101
  Router(config-if)# ip address 192.168.101.1 255.255.255.0
  Router(config-if)# no mop enabled
  Router(config-if)# crypto map cwan
  Router(config-if)# crypto engine slot 4/0
  Router(config)# interface ATM6/0/0.101 point-to-point
  Router(config-subif)# pvc 0/101
  Router(config-subif)# crypto connect vlan 101

• You must configure a crypto connection on subinterfaces for ATM and Frame Relay.
• For ATM, there is no SVC support, no RFC-1483 bridging, and no point-to-multipoint support.
• For Frame Relay, there is no SVC support, no RFC-1490 bridging, and no point-to-multipoint support.
• For Point-to-Point Protocol (PPP) and Multilink PPP (MLPPP), you must make the physical interface passive for routing protocols, as follows:

  Router(config)# router ospf 10
  Router(config-router)# passive-interface multilink1

• For PPP and MLPPP, when the crypto connect vlan command is configured on an interface, an ip unnumbered Null0 command is automatically added to the port configuration to support IPCP negotiation. If you configure a no ip address command on the WAN port in the startup configuration, the no ip address command is automatically removed from the running configuration so that it does not conflict with the automatic configuration.
• For PPP and MLPPP, there is no Bridging Control Protocol (BCP) support.
• When enabled on an inside VLAN, OSPF is configured in broadcast network mode by default, even when a point-to-point interface (such as T1, POS, serial, or ATM) is crypto-connected to the inside VLAN. In addition, if OSPF is configured in point-to-point network mode on the peer router (for example, a transit router with no crypto card), OSPF will not establish full adjacency. In this case, you can manually configure OSPF point-to-point network mode on the inside VLAN:

  Router(config)# interface vlan inside-vlan
  Router(config-if)# ip ospf network point-to-point

For IPSec VPN SPA connections to WAN interfaces configuration examples, see the “IPSec VPN SPA Connections to WAN Interfaces Configuration Examples” section on page 25-36.

Displaying the VPN Running State

Use the show crypto vlan command to display the VPN running state. The following examples show the show crypto vlan command output for a variety of IPSec VPN SPA configurations.
In the following example, the interface VLAN belongs to the IPSec VPN SPA inside port:

  Router# show crypto vlan
  Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to Fa8/3

In the following example, VLAN 2 is the interface VLAN and VLAN 2022 is the hidden VLAN:

  Router# show crypto vlan
  Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 2022 with crypto map set coral2

In the following example, the interface VLAN is missing on the IPSec VPN SPA inside port, the IPSec VPN SPA has been removed from the chassis, or the IPSec VPN SPA was moved to a different subslot:

  Router# show crypto vlan
  Interface VLAN 2 connected to VLAN 502 (no IPSec Service Module attached)

Configuring GRE Tunneling in Crypto-Connect Mode

This section contains the following GRE configuration topics:
• Understanding GRE Tunneling in Crypto-Connect Mode, page 25-21
• Configuring the GRE Takeover Criteria, page 25-23
• Configuring IP Multicast over a GRE Tunnel, page 25-26

Understanding GRE Tunneling in Crypto-Connect Mode

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP network.

Note The IPSec VPN SPA can accelerate packet processing for up to 2048 GRE tunnels per chassis. Any tunnels not taken over by the IPSec VPN SPA, or any tunnels in excess of 2048, are handled in platform hardware or by the route processor. The router supports any number of GRE tunnels, but adding more IPSec VPN SPAs does not increase the per-chassis maximum of 2048 tunnels that will be handled by IPSec VPN SPAs. If you configure more than 2048 tunnels per chassis, you could overload the route processor. Monitor the route processor CPU utilization when configuring more than 2048 tunnels per chassis.
Note Beginning with Cisco IOS Release 12.2(18)SXF, the GRE fragmentation behavior of the VPN module is changed to be consistent with the fragmentation behavior of the route processor. If GRE encapsulation is performed by the VPN module, prefragmentation of outbound packets is based on the IP MTU of the tunnel interface. After GRE encapsulation is performed by the VPN module, depending on the IPSec prefragmentation settings, further fragmentation may occur. The IPSec fragmentation behavior is unchanged in this release and is based on the IPSec MTU configuration of the egress interface.

GRE Tunneling Configuration Guidelines and Restrictions

When configuring point-to-point GRE tunneling in crypto-connect mode using the IPSec VPN SPA, follow these guidelines:

• In a Cisco 7600 series router, GRE encapsulation and decapsulation is traditionally performed by the route processor or the supervisor engine hardware. When routing indicates that encapsulated packets for a GRE tunnel will egress through an interface VLAN that is attached to an IPSec VPN SPA inside port, the IPSec VPN SPA attempts to take over the GRE tunnel interface only if the supervisor engine is unable to process the GRE tunnel interface in hardware. If the supervisor engine cannot process the GRE tunnel interface in hardware, the IPSec VPN SPA determines whether it can take over the interface. By seizing the tunnel, the IPSec VPN SPA takes the GRE encapsulation and decapsulation duty from the route processor. No explicit configuration changes are required to use this feature; configure GRE as you normally would. As long as routing sends the GRE-encapsulated packets over an interface VLAN, the IPSec VPN SPA seizes the GRE tunnel.
• If the same source address is used for more than one GRE tunnel, the supervisor engine hardware will not take over the tunnel. The IPSec VPN SPA will take over the tunnel if it meets the criteria discussed in the previous bullet item.
• Point-to-point GRE with tunnel protection is not supported in crypto-connect mode, but DMVPN is supported.
• If routing information changes and the GRE-encapsulated packets no longer egress through an interface VLAN, the IPSec VPN SPA yields the GRE tunnel. After the IPSec VPN SPA yields the tunnel, the route processor resumes encapsulation and decapsulation, which increases CPU utilization on the route processor.

  Caution Ensure that your GRE tunnel configuration does not overload the route processor.

• A delay of up to 10 seconds occurs between routing changes and the IPSec VPN SPA seizing the GRE tunnel.
• The crypto map must be applied only to the interface VLAN and not to the tunnel interface.
• The following options are supported on the tunnel interface: ACLs, service policy, TTL, and ToS.
• The following options are not supported on the tunnel interface: checksum enabled, sequence check enabled, tunnel key, IP security options, policy-based routing (PBR), traffic shaping (can be applied to the crypto engine configuration within the tunnel interface configuration), QoS preclassification, and NAT.
• In crypto-connect mode, to avoid fragmentation after encryption, set the tunnel IP MTU to be equal to or less than the egress interface MTU minus the GRE and IPSec overheads.
• When applied to the GRE tunnel interface, the ip tcp adjust-mss command is ignored. Apply the command to the ingress LAN interface instead.
To configure a GRE tunnel, perform this task beginning in global configuration mode:

Command / Purpose

Step 1
  Router(config)# interface tunnel number
  Creates the tunnel interface if it does not exist and enters interface configuration mode.
  • number—Number of the tunnel interface to be configured.

Step 2
  Router(config-if)# ip address address
  Sets the IP address of the tunnel interface.
  • address—IP address.

Step 3
  Router(config-if)# tunnel source {ip-address | type number}
  Configures the tunnel source. The source is the router where traffic is received from the customer network.
  • ip-address—IP address to use as the source address for packets in the tunnel.
  • type number—Interface type and number; for example, VLAN1.

Step 4
  Router(config-if)# tunnel destination {hostname | ip-address}
  Sets the IP address of the destination of the tunnel interface. The destination is the router that transfers packets into the receiving customer network.
  • hostname—Name of the host destination.
  • ip-address—IP address of the host destination expressed in decimal in four-part, dotted notation.

Step 5
  Router(config-if)# exit
  Exits interface configuration mode.

Verifying the GRE Tunneling Configuration

To verify that the IPSec VPN SPA has seized the GRE tunnel, enter the show crypto vlan command:

  Router# show crypto vlan
  Interface VLAN 101 on IPSec Service Module port 7/1/1 connected to AT4/0/0.101
  Tunnel101 is accelerated via IPSec SM in subslot 7/1
  Router#

For complete configuration information about GRE tunneling, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html

For GRE tunneling configuration examples, see the “GRE Tunneling in Crypto-Connect Mode Configuration Example” section on page 25-40.

Configuring the GRE Takeover Criteria

You can configure the takeover criteria for Generic Routing Encapsulation (GRE) processing by using the crypto engine gre supervisor or crypto engine gre vpnblade commands. These two commands allow you to specify whether GRE processing should be done by the supervisor engine hardware or the route processor, or by the IPSec VPN SPA.

Note The GRE takeover criteria commands are supported only in Cisco IOS Release 12.2(18)SXE5 and later. In releases prior to Cisco IOS Release 12.2SXE1, the crypto-related GRE tunnels are always taken over by the VPN SPA. In Cisco IOS Release 12.2SXE1, the GRE tunnels are taken over by the VPN SPA only if the supervisor engine hardware cannot do the processing.

To configure a router to process GRE using the supervisor engine hardware or the route processor (RP), use the crypto engine gre supervisor command. When this command is specified, GRE processing by the supervisor engine hardware takes precedence over processing by the route processor (unless the tunnels are from duplicate sources); the RP only takes over GRE processing if the supervisor engine hardware cannot do the processing. If this command is configured, duplicate-source GRE tunnels are processed by the route processor.

To configure a router to process GRE using the IPSec VPN SPA, use the crypto engine gre vpnblade command. If the IPSec VPN SPA cannot take over the GRE processing, the GRE processing is handled either by the supervisor engine hardware (which has precedence) or by the route processor.

Both of these commands can be configured globally or at an individual tunnel. Individual tunnel configuration takes precedence over the global configuration.
For example, when the crypto engine gre supervisor command is configured at the global configuration level, the command applies to all tunnels except those tunnels that have been configured individually using either a crypto engine gre supervisor command or a crypto engine gre vpnblade command.

At any time, only one of the two commands (crypto engine gre supervisor or crypto engine gre vpnblade) can be configured globally or individually at a tunnel. If either command is already configured, configuring the second command overwrites the first command, and only the configuration applied by the second command is used.

GRE Takeover Configuration Guidelines and Restrictions

When configuring GRE takeover on the IPSec VPN SPA, follow these guidelines and restrictions:

• For a GRE tunnel to be taken over by the IPSec VPN SPA, it must first satisfy the following criteria:
  – The GRE tunnel interface must be up.
  – The route to the tunnel destination must go through the IPSec VPN SPA.
  – The Address Resolution Protocol (ARP) entry for the next hop must exist.
  – The tunnel mode must be GRE.
  – The only supported options are tunnel ttl and tunnel tos. If any of the following command options are configured, the tunnel will not be taken over:
    • tunnel key
    • tunnel sequence-datagrams
    • tunnel checksum
    All other configured options are ignored.
• If GRE tunnels have the same source and destination addresses, the IPSec VPN SPA takes over at most one of them, and which specific tunnel is taken over is random.
• The IPSec VPN SPA will not take over GRE processing if any of the following features are configured on the tunnel interface:
  – DMVPN
  – NAT
• In crypto-connect mode, the IPSec VPN SPA will not take over GRE processing when the interface VLAN has no crypto map attached. The crypto map must be applied to the interface VLAN and not to the tunnel interface.
• If the IPSec VPN SPA cannot take over the GRE processing, the GRE processing is handled either by the supervisor engine hardware (which has precedence) or by the route processor.
• When neither the crypto engine gre supervisor command nor the crypto engine gre vpnblade command is specified globally or individually for a tunnel, the IPSec VPN SPA only attempts to take over GRE processing if the following conditions apply:
  – The supervisor engine hardware does not take over GRE processing.
  – Protocol Independent Multicast (PIM) is configured on the tunnel.
  – Multiple tunnels share the same tunnel source interface and more than one tunnel is up. (If only one tunnel is up, the supervisor engine hardware can still perform the GRE processing.)
• When a new configuration file is copied to the running configuration, the new configuration overwrites the old configuration for the crypto engine gre vpnblade and crypto engine gre supervisor commands. If the new configuration does not specify GRE takeover criteria globally or for an individual tunnel, the existing old configuration is used.
• GRE keepalives are not supported if crypto engine gre vpnblade is configured.
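The takeover criteria and precedence rules above, worked as an added Python audit that is not part of this guide: given a description of each tunnel, it reports whether the IPSec VPN SPA, the supervisor engine hardware, or the route processor would process GRE. The Tunnel model, the supervisor_capable input (standing in for the platform's own hardware check), and the reading of the three default-mode conditions as alternative triggers are assumptions made for this example.

```python
"""Decide which engine processes GRE for each tunnel on a Cisco 7600 in
crypto-connect mode, following this chapter's takeover criteria and the
precedence of crypto engine gre supervisor / vpnblade. Added example, not
Cisco code; the Tunnel model and all inputs are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Tunnel options and features that stop the IPSec VPN SPA from seizing a tunnel.
BLOCKING_OPTIONS = {"tunnel key", "tunnel sequence-datagrams", "tunnel checksum"}
BLOCKING_FEATURES = {"DMVPN", "NAT"}


@dataclass
class Tunnel:
    name: str
    source: str                     # tunnel source interface or address
    destination: str
    up: bool = True
    mode: str = "gre ip"
    route_via_spa: bool = True      # route to destination egresses via the SPA interface VLAN
    arp_next_hop: bool = True       # ARP entry for the next hop exists
    vlan_crypto_map: bool = True    # crypto map is applied to the interface VLAN
    pim: bool = False
    options: set = field(default_factory=set)
    features: set = field(default_factory=set)
    takeover: Optional[str] = None  # per-tunnel "supervisor" or "vpnblade", else None


def spa_eligible(t):
    """Apply the chapter's takeover criteria; return (eligible, reason)."""
    bad_opts = ", ".join(sorted(t.options & BLOCKING_OPTIONS))
    bad_feat = ", ".join(sorted(t.features & BLOCKING_FEATURES))
    checks = [
        (t.up, "tunnel interface is down"),
        (t.mode.startswith("gre"), "tunnel mode is not GRE"),
        (t.route_via_spa, "route to destination does not go through the SPA"),
        (t.arp_next_hop, "no ARP entry for the next hop"),
        (t.vlan_crypto_map, "no crypto map on the interface VLAN"),
        (not bad_opts, "unsupported option: " + bad_opts),
        (not bad_feat, "unsupported feature: " + bad_feat),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "meets takeover criteria"


def assign_gre_engine(tunnels, global_mode=None, supervisor_capable=()):
    """Return {tunnel name: (engine, reason)}, engine in {"vpnblade", "supervisor", "rp"}.
    global_mode is None, "supervisor" or "vpnblade" (the global command);
    supervisor_capable names tunnels the supervisor hardware could process."""
    capable = set(supervisor_capable)
    src_count = Counter(t.source for t in tunnels)
    claimed = set()      # (source, destination) pairs already seized by the SPA
    result = {}
    for t in tunnels:
        mode = t.takeover or global_mode      # per-tunnel setting wins over global
        shared_source = src_count[t.source] > 1
        # Supervisor hardware never takes over a tunnel whose source is shared.
        sup_ok = t.name in capable and not shared_source
        eligible, reason = spa_eligible(t)
        pair = (t.source, t.destination)
        if eligible and pair in claimed:
            eligible, reason = False, "same source/destination pair already seized (which one is random)"
        if mode == "supervisor":
            spa_try = False
        elif mode == "vpnblade":
            spa_try = True
        else:
            # Default (neither command configured): the SPA attempts takeover when the
            # supervisor does not take the tunnel, PIM is configured, or more than one
            # tunnel on a shared source is up. Treating these as alternatives is an assumption.
            shared_up = shared_source and sum(o.up for o in tunnels if o.source == t.source) > 1
            spa_try = (not sup_ok) or t.pim or shared_up
        if spa_try and eligible:
            claimed.add(pair)
            result[t.name] = ("vpnblade", reason)
        elif sup_ok:
            result[t.name] = ("supervisor", "supervisor engine hardware has precedence")
        else:
            result[t.name] = ("rp", reason if spa_try else "supervisor mode set, hardware cannot process it")
    return result


def demo():
    """Constructed scenario: a plain tunnel, a PIM tunnel, a keyed tunnel with
    crypto engine gre vpnblade, and two tunnels sharing one source and destination."""
    tunnels = [
        Tunnel("Tunnel101", "Vlan101", "10.0.0.2"),
        Tunnel("Tunnel15", "Vlan100", "10.0.0.3", pim=True),
        Tunnel("Tunnel20", "Vlan102", "10.0.0.4", options={"tunnel key"}, takeover="vpnblade"),
        Tunnel("Tunnel30", "Loopback0", "10.0.0.5"),
        Tunnel("Tunnel31", "Loopback0", "10.0.0.5"),
    ]
    return assign_gre_engine(tunnels, supervisor_capable={"Tunnel101", "Tunnel15", "Tunnel20"})


if __name__ == "__main__":
    for name, (engine, why) in demo().items():
        print(f"{name}: {engine} ({why})")
```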
Configuring the GRE Takeover Criteria Globally

To configure the GRE takeover criteria globally (so that it affects all tunnels except those tunnels that have been configured individually using either a crypto engine gre supervisor command or a crypto engine gre vpnblade command), perform this task beginning in global configuration mode:

Command / Purpose

Step 1
  Router(config)# crypto engine gre supervisor
  Configures a router to process GRE using the supervisor engine hardware or the route processor.
  or
  Router(config)# crypto engine gre vpnblade
  Configures a router to process GRE using the IPSec VPN SPA.

Configuring the GRE Takeover Criteria at an Individual Tunnel

To configure the GRE takeover criteria at an individual tunnel (so that it affects only a specific tunnel), perform this task beginning in global configuration mode:

Command / Purpose

Step 1
  Router(config)# interface tunnel number
  Creates the tunnel interface if it does not exist and enters interface configuration mode.
  • number—Number of the tunnel interface to be configured.

Step 2
  Router(config-if)# crypto engine gre supervisor
  Configures a router to process GRE using the supervisor engine hardware or the route processor.
  or
  Router(config-if)# crypto engine gre vpnblade
  Configures a router to process GRE using the IPSec VPN SPA.

For GRE takeover criteria configuration examples, see the “GRE Takeover Criteria Configuration Examples” section on page 25-42.

Configuring IP Multicast over a GRE Tunnel

IP multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to multiple recipients. GRE is a tunneling protocol developed by Cisco and commonly used with IPSec that encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP network.

In some network scenarios, you might want to configure your network to use GRE tunnels to send Protocol Independent Multicast (PIM) and multicast traffic between routers. Typically, this occurs when the multicast source and receiver are separated by an IP cloud that is not configured for IP multicast routing. In such network scenarios, configuring a tunnel across an IP cloud with PIM enabled transports multicast packets toward the receiver.

The configuration of IP multicast over a GRE tunnel using the IPSec VPN SPA involves three key steps:
• Configuring single-SPA mode (if supported) for multicast traffic
• Configuring multicast globally
• Configuring PIM at the tunnel interfaces

IP Multicast over a GRE Tunnel Configuration Guidelines and Restrictions

When configuring IP multicast over a GRE tunnel, follow these guidelines:

• When the hw-module slot subslot only command is executed, it automatically resets the Cisco 7600 SSC-400 card and displays the following prompt on the console:

  Module n will be reset? Confirm [n]:

  The prompt defaults to N (no). You must type Y (yes) to activate the reset action.
• When in single-SPA mode, if you manually plug in a second SPA, or if you attempt to reset the SPA (by entering a no hw-module subslot shutdown command, for example), a message is displayed on the router console that refers you to the customer documentation.
• If PIM is configured, and the GRE tunnel interface satisfies the rest of the tunnel takeover criteria, the GRE processing of the multicast packets is taken over by the IPSec VPN SPA.
• GRE processing of IP multicast packets is taken over by the IPSec VPN SPA if the GRE tunnel interface satisfies the following tunnel takeover criteria:
  – The tunnel is up.
  – There are no other tunnels with the same source/destination pair.
  – The tunnel is not an mGRE tunnel.
  – PIM is configured on the tunnel.
  – None of the following features are configured on the tunnel: tunnel key, tunnel sequence-datagrams, tunnel checksum, tunnel udlr address-resolution, tunnel udlr receive-only, tunnel udlr send-only, ip proxy-mobile tunnel reverse, or NAT. If any of these options are specified, the IPSec VPN SPA will not seize the GRE tunnel.
• When a tunnel is configured for multicast traffic, the crypto engine gre supervisor command should not be applied to the tunnel.

Configuring Single-SPA Mode for IP Multicast Traffic

Before you configure IP multicast on the IPSec VPN SPA, you should change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot using the hw-module slot subslot only command. If this command is not used, the total amount of buffers available is divided between the two subslots on the Cisco 7600 SSC-400 card.

To allocate full buffers to the specified subslot, use the hw-module slot subslot only command as follows:

  Router(config)# hw-module slot slot subslot subslot only

slot specifies the slot where the Cisco 7600 SSC-400 card is located.
subslot specifies the subslot where the IPSec VPN SPA is located.

Configuring IP Multicast Globally

You must enable IP multicast routing globally before you can enable PIM on the router interfaces.
To enable IP multicast routing globally, use the ip multicast-routing command.

Configuring PIM at the Tunnel Interfaces

You must enable PIM on all participating router interfaces before IP multicast will function. To enable PIM, use the ip pim command as follows:

  Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode}

dense-mode enables dense mode of operation.
sparse-mode enables sparse mode of operation.
sparse-dense-mode enables the interface in either sparse mode or dense mode of operation, depending on which mode the multicast group operates in.

For IP multicast over GRE tunnels configuration examples, see the “IP Multicast over a GRE Tunnel Configuration Example” section on page 25-43.

Verifying the IP Multicast over a GRE Tunnel Configuration

To verify the IP multicast over a GRE tunnel configuration, enter the show crypto vlan and show ip mroute commands.
To verify that the tunnel has been taken over by the IPSec VPN SPA, enter the show crypto vlan command:

  Router(config)# show crypto vlan
  Interface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map set map_t3
  Tunnel15 is accelerated via IPSec SM in subslot 7/0

To verify that the IP multicast traffic is hardware-switched, enter the show ip mroute command and look for the H flag:

  Router# show ip mroute 230.1.1.5
  IP Multicast Routing Table
  Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
         L - Local, P - Pruned, R - RP-bit set, F - Register flag,
         T - SPT-bit set, J - Join SPT, M - MSDP created entry,
         X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
         U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
         Y - Joined MDT-data group, y - Sending to MDT-data group
  Outgoing interface flags: H - Hardware switched, A - Assert winner
  Timers: Uptime/Expires
  Interface state: Interface, Next-Hop or VCD, State/Mode

  (*, 230.1.1.5), 01:23:45/00:03:16, RP 15.15.1.1, flags: SJC
    Incoming interface: Null, RPF nbr 0.0.0.0
    Outgoing interface list:
      Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16

  (120.1.0.3, 230.1.1.5), 01:23:46/00:03:25, flags: T
    Incoming interface: GigabitEthernet8/1, RPF nbr 0.0.0.0, RPF-MFD
    Outgoing interface list:
      Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16, H

For IP multicast over GRE tunnels configuration examples, see the “IP Multicast over a GRE Tunnel Configuration Example” section on page 25-43.
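The three verification displays this chapter relies on (show interfaces trunk for the allowed VLAN list, show crypto vlan for the VPN running state and tunnel takeover, and show ip mroute for the H flag) can be checked mechanically. The following is an added Python example, not Cisco code, that parses each display and flags the conditions the guidelines warn about; the sample outputs are constructed after the displays in the text and abbreviated.

```python
"""Parse the verification displays used in this chapter and flag the conditions
its guidelines warn about (all VLANs allowed on a secured trunk, an interface
VLAN in the trunk's allowed list, a detached IPSec Service Module, an outgoing
interface without the H flag). Added example, not Cisco code; the sample
outputs are constructed and abbreviated (mroute flag legend shortened)."""
import re

# Constructed sample: a trunk that allows every VLAN, which the Caution in this
# chapter says not to do on a secured trunk port.
SHOW_INTERFACES_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
Gi1/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi1/2     1-4094

Port      Vlans allowed and active in management domain
Gi1/2     1-4,7-8,513,1002-1005
"""

# Constructed sample: the show crypto vlan states shown in this chapter.
SHOW_CRYPTO_VLAN = """\
Interface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map set map_t3
Tunnel15 is accelerated via IPSec SM in subslot 7/0
Interface VLAN 2 connected to VLAN 502 (no IPSec Service Module attached)
"""

# Constructed sample: a (*,G) entry without and an (S,G) entry with the H flag.
SHOW_IP_MROUTE = """\
IP Multicast Routing Table
Outgoing interface flags: H - Hardware switched, A - Assert winner

(*, 230.1.1.5), 01:23:45/00:03:16, RP 15.15.1.1, flags: SJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16

(120.1.0.3, 230.1.1.5), 01:23:46/00:03:25, flags: T
  Incoming interface: GigabitEthernet8/1, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16, H
"""

CRYPTO_VLAN_RE = re.compile(
    r"^Interface VLAN (?P<vlan>\d+)"
    r"(?: on IPSec Service Module port (?P<port>\S+))?"
    r" connected to (?P<peer>VLAN \d+|\S+)"
    r"(?: with crypto map set (?P<map>\S+))?"
    r"(?P<detached> \(no IPSec Service Module attached\))?$")
ACCEL_RE = re.compile(r"^(?P<tunnel>Tunnel\d+) is accelerated via IPSec SM in subslot (?P<subslot>\S+)$")
ENTRY_RE = re.compile(r"^\((?P<src>[^,]+), (?P<group>[^)]+)\)")
OIF_RE = re.compile(r"^\s+(?P<oif>\S+), (?P<mode>\S+), [\d:]+/[\d:]+(?P<flags>(?:, \S+)*)$")


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-4,7-8,513' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_trunk(output, interface_vlans):
    """Flag a trunk that allows all VLANs or carries any interface (crypto) VLAN."""
    m = re.search(r"Vlans allowed on trunk\s*\n(\S+)\s+(\S+)", output)
    port, allowed = m.group(1), parse_vlan_list(m.group(2))
    return {"port": port,
            "all_vlans_allowed": allowed == set(range(1, 4095)),
            "interface_vlans_on_trunk": sorted(allowed & set(interface_vlans))}


def parse_crypto_vlan(output):
    """Return (interface VLAN records, {accelerated tunnel: subslot})."""
    vlans, tunnels = [], {}
    for line in output.splitlines():
        m = CRYPTO_VLAN_RE.match(line)
        if m:
            vlans.append({"vlan": int(m["vlan"]), "spa_port": m["port"], "peer": m["peer"],
                          "crypto_map": m["map"], "spa_attached": m["detached"] is None})
        elif (m := ACCEL_RE.match(line)):
            tunnels[m["tunnel"]] = m["subslot"]
    return vlans, tunnels


def hardware_switched_oifs(output):
    """Map each (source, group) mroute entry to {outgoing interface: H flag set}."""
    entries, current = {}, None
    for line in output.splitlines():
        if (m := ENTRY_RE.match(line)):
            current = (m["src"], m["group"])
            entries[current] = {}
        elif current and (m := OIF_RE.match(line)):
            entries[current][m["oif"]] = "H" in m["flags"].replace(",", " ").split()
    return entries
```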
Configuration Examples This section provides examples of the following configurations: • Access Port in Crypto-Connect Mode Configuration Example, page 25-29 • Routed Port in Crypto-Connect Mode Configuration Example, page 25-31 • Trunk Port in Crypto-Connect Mode Configuration Example, page 25-34 25-29 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 25 Configuring VPNs in Crypto-Connect Mode Configuration Examples • IPSec VPN SPA Connections to WAN Interfaces Configuration Examples, page 25-36 • GRE Tunneling in Crypto-Connect Mode Configuration Example, page 25-40 • GRE Takeover Criteria Configuration Examples, page 25-42 • IP Multicast over a GRE Tunnel Configuration Example, page 25-43 Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA. As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot/subslot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your start-up configuration to avoid extended maintenance time. Access Port in Crypto-Connect Mode Configuration Example This section provides an example of the access port configuration with router 1 shown in Figure 25-2 on page 25-8: Router 1 (Access Port) ! hostname router-1 ! vlan 2,502 ! crypto isakmp policy 1 encr 3des authentication pre-share crypto isakmp key 12345 address 11.0.0.1 ! ! crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac ! crypto map testtag 10 ipsec-isakmp set peer 11.0.0.1 set transform-set proposal1 match address 101 ! ! interface GigabitEthernet1/1 !switch inside port ip address 13.0.0.1 255.255.255.0 ! interface GigabitEthernet1/2 !switch outside port switchport switchport access vlan 502 switchport mode access ! 
interface GigabitEthernet4/0/1 !IPSec VPN SPA inside port switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,2,1002-1005 switchport mode trunk mtu 9216 25-30 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 25 Configuring VPNs in Crypto-Connect Mode Configuration Examples flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! interface GigabitEthernet4/0/2 !IPSec VPN SPA outside port switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,502,1002-1005 switchport mode trunk mtu 9216 flowcontrol receive on flowcontrol send off spanning-tree portfast trunk interface Vlan2 !interface vlan ip address 11.0.0.2 255.255.255.0 crypto map testtag crypto engine slot 4/0 ! interface Vlan502 !port vlan no ip address crypto connect vlan 2 ! ip classless ip route 12.0.0.0 255.0.0.0 11.0.0.1 ! access-list 101 permit ip host 13.0.0.2 host 12.0.0.2 ! end Router 2 (Access Port) ! hostname router-2 ! vlan 2,502 ! crypto isakmp policy 1 encr 3des authentication pre-share crypto isakmp key 12345 address 11.0.0.2 ! ! crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac ! crypto map testtag 10 ipsec-isakmp set peer 11.0.0.2 set transform-set proposal1 match address 101 ! ! interface GigabitEthernet1/1 !switch inside port ip address 12.0.0.1 255.255.255.0 ! interface GigabitEthernet1/2 !switch outside port switchport switchport access vlan 502 switchport mode access 25-31 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 25 Configuring VPNs in Crypto-Connect Mode Configuration Examples ! interface GigabitEthernet4/0/1 !IPSec VPN SPA inside port switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,2,1002-1005 switchport mode trunk mtu 9216 flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! 
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 !interface vlan
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 !port vlan
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end

Routed Port in Crypto-Connect Mode Configuration Example

This section provides an example of the routed port configuration with router 1 shown in Figure 25-3 on page 25-12:

Router 1 (Routed Port)
!
hostname router-1
!
vlan 2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.2
 set transform-set proposal1
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 no ip address
 crypto connect vlan 2
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 !interface vlan
 ip address 11.0.0.1 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine slot 4/0
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end

Router 2 (Routed Port)
!
hostname router-2
!
vlan 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.1
 set transform-set proposal1
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 no ip address
 crypto connect vlan 2
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 !interface vlan
 ip address 11.0.0.2 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine slot 4/0
!
ip classless
ip route 12.0.0.0 255.0.0.0 11.0.0.1
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
end

Trunk Port in Crypto-Connect Mode Configuration Example

This section provides an example of the trunk port configuration with router 1 shown in Figure 25-4 on page 25-15:

Router 1 (Trunk Port)
!
hostname router-1
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.2
 set transform-set proposal1
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 502
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 !interface vlan
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 !port vlan
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end

Router 2 (Trunk Port)
!
hostname router-2
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.1
 set transform-set proposal1
 match address 101
!
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 502
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
interface Vlan2
 !interface vlan
 ip address 11.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 !port vlan
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 12.0.0.0 255.0.0.0 11.0.0.1
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
end

IPSec VPN SPA Connections to WAN Interfaces Configuration Examples

The following are configuration examples of IPSec VPN SPA connections to WAN interfaces:
• IPSec VPN SPA Connection to an ATM Port Adapter Configuration Example, page 25-36
• IPSec VPN SPA Connection to a POS Port Adapter Configuration Example, page 25-37
• IPSec VPN SPA Connection to a Serial Port Adapter Configuration Example, page 25-38

IPSec VPN SPA Connection to an ATM Port Adapter Configuration Example

The following example shows the configuration of an IPSec VPN SPA connection to an ATM port adapter:
!
hostname router-1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
crypto map testtag_1 10 ipsec-isakmp
 set peer 11.0.0.2
 set transform-set proposal
 match address acl_1
!
interface GigabitEthernet1/1
 ip address 12.0.0.2 255.255.255.0
!
interface ATM2/0/0
 no ip address
 atm clock INTERNAL
 no atm enable-ilmi-trap
 no atm ilmi-keepalive
!
interface ATM2/0/0.1 point-to-point
 atm pvc 20 0 20 aal5snap
 no atm enable-ilmi-trap
 crypto connect vlan 2
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag_1
 crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
 permit ip host 12.0.0.1 host 13.0.0.1
!

IPSec VPN SPA Connection to a POS Port Adapter Configuration Example

The following example shows the configuration of an IPSec VPN SPA connection to a POS port adapter:
!
hostname router-1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
crypto map testtag_1 10 ipsec-isakmp
 set peer 11.0.0.2
 set transform-set proposal
 match address acl_1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.2 255.255.255.0
!
interface POS2/0/0
 no ip address
 encapsulation frame-relay
 clock source internal
!
interface POS2/0/0.1 point-to-point
 frame-relay interface-dlci 16
 crypto connect vlan 2
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag_1
 crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
 permit ip host 12.0.0.1 host 13.0.0.1

IPSec VPN SPA Connection to a Serial Port Adapter Configuration Example

The following example shows the configuration of an IPSec VPN SPA connection to a serial port adapter:
!
hostname router-1
!
controller T3 2/1/0
 t1 1 channel-group 0 timeslots 1
 t1 2 channel-group 0 timeslots 1
 t1 3 channel-group 0 timeslots 1
 t1 4 channel-group 0 timeslots 1
 t1 5 channel-group 0 timeslots 1
 t1 6 channel-group 0 timeslots 1
 t1 7 channel-group 0 timeslots 1
 t1 8 channel-group 0 timeslots 1
 t1 9 channel-group 0 timeslots 1
 t1 10 channel-group 0 timeslots 1
 t1 11 channel-group 0 timeslots 1
 t1 12 channel-group 0 timeslots 1
 t1 13 channel-group 0 timeslots 1
 t1 14 channel-group 0 timeslots 1
 t1 15 channel-group 0 timeslots 1
 t1 16 channel-group 0 timeslots 1
 t1 17 channel-group 0 timeslots 1
 t1 18 channel-group 0 timeslots 1
 t1 19 channel-group 0 timeslots 1
 t1 20 channel-group 0 timeslots 1
 t1 21 channel-group 0 timeslots 1
 t1 22 channel-group 0 timeslots 1
 t1 23 channel-group 0 timeslots 1
 t1 24 channel-group 0 timeslots 1
 t1 25 channel-group 0 timeslots 1
 t1 26 channel-group 0 timeslots 1
 t1 27 channel-group 0 timeslots 1
 t1 28 channel-group 0 timeslots 1
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
crypto map testtag_1 10 ipsec-isakmp
 set peer 11.0.0.2
 set transform-set proposal
 match address acl_1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.2 255.255.255.0
!
interface Serial2/1/0/1:0
 ip unnumbered Null0
 encapsulation ppp
 no fair-queue
 no cdp enable
 crypto connect vlan 2
!
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 crypto map testtag_1
 crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
 permit ip host 12.0.0.1 host 13.0.0.1

GRE Tunneling in Crypto-Connect Mode Configuration Example

This section provides an example of GRE tunneling configurations. Note that the transform set used on both routers, ah-md5-hmac, provides integrity protection only: the GRE-encapsulated traffic between 11.0.0.1 and 11.0.0.2 is authenticated but sent in cleartext. Use an ESP transform set if the tunneled traffic requires confidentiality.

Router 1 (GRE Tunneling)

The following example shows the configuration of GRE tunneling for router 1:
!
hostname router-1
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 ah-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.2
 set transform-set proposal1
 match address 101
!
!
!
!
interface Tunnel1
 ip address 1.0.0.1 255.255.255.0
 tunnel source Vlan2
 tunnel destination 11.0.0.2
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 502
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
!
!
ip classless
ip route 13.0.0.0 255.0.0.0 Tunnel1
!
!
access-list 101 permit gre host 11.0.0.1 host 11.0.0.2
!

Router 2 (GRE Tunneling)
!
hostname router-2
!
vlan 2,502
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 ah-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.1
 set transform-set proposal1
 match address 101
!
!
!
!
interface Tunnel1
 ip address 1.0.0.2 255.255.255.0
 tunnel source Vlan2
 tunnel destination 11.0.0.1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 502
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 11.0.0.2 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 12.0.0.0 255.0.0.0 Tunnel1
!
access-list 101 permit gre host 11.0.0.2 host 11.0.0.1
!

GRE Takeover Criteria Configuration Examples

The following examples show how to configure the GRE takeover criteria:
• GRE Takeover Criteria Global Configuration Example, page 25-43
• GRE Takeover Criteria Tunnel Configuration Example, page 25-43
• GRE Takeover Verification Example, page 25-43

GRE Takeover Criteria Global Configuration Example

The following example sets the GRE takeover criteria globally so that the supervisor engine hardware or RP always does the GRE processing:

Router(config)# crypto engine gre supervisor

GRE Takeover Criteria Tunnel Configuration Example

The following example sets the GRE takeover criteria individually for tunnel interface 3 so that the IPSec VPN SPA always does the GRE processing for this tunnel:

Router(config)# interface tunnel 3
Router(config-if)# crypto engine gre vpnblade

GRE Takeover Verification Example

The following example shows how to verify that the tunnel has been taken over by the IPSec VPN SPA. The last line of the output, stating that the tunnel is accelerated via the IPSec service module, is what indicates takeover:

Router(config)# show crypto vlan 100
Interface VLAN 100 on IPSec Service Module port GigabitEthernet4/0/1 connected to POS8/0/0 with crypto map set MAP_TO_R2
Tunnel1 is accelerated via IPSec SM in subslot 4/0

The following output, with no "accelerated" line, shows that the tunnel has not been taken over by the IPSec VPN SPA:

Router(config)# show crypto vlan 100
Interface VLAN 100 on IPSec Service Module port GigabitEthernet4/0/1 connected to POS8/0/0 with crypto map set MAP_TO_R2

IP Multicast over a GRE Tunnel Configuration Example

The following example shows how to configure IP multicast over GRE. Note that the transform set in this example, esp-3des, specifies encryption without an ESP authentication algorithm, so the tunnel payload is encrypted but not integrity-protected; a production configuration should add an esp-*-hmac transform.

hostname router-1
!
vlan 2-1001
ip multicast-routing
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des
!
!
crypto map cm_spoke1_1 10 ipsec-isakmp
 set peer 11.1.1.1
 set transform-set proposal
 match address spoke1_acl_1
!
!
interface Tunnel1
 ip address 20.1.1.1 255.255.255.0
 ip mtu 9216
 ip pim sparse-mode
 ip hold-time eigrp 1 3600
 tunnel source 1.0.1.1
 tunnel destination 11.1.1.1
 crypto engine slot 4/0
!
interface GigabitEthernet1/1
 !switch inside port
 mtu 9216
 ip address 50.1.1.1 255.0.0.0
 ip pim sparse-mode
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,252,1002-1005
 switchport mode trunk
 mtu 9216
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,252,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 mtu 9216
 ip address 1.0.1.1 255.255.255.0
 crypto map cm_spoke1_1
 crypto engine slot 4/0
!
interface Vlan252
 mtu 9216
 no ip address
 crypto connect vlan 2
!
router eigrp 1
 network 20.1.1.0 0.0.0.255
 network 50.1.1.0 0.0.0.255
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 11.1.1.0 255.255.255.0 1.0.1.2
!
ip pim bidir-enable
ip pim rp-address 50.1.1.1
!
ip access-list extended spoke1_acl_1
 permit gre host 1.0.1.1 host 11.1.1.1
!

CHAPTER 26

Configuring VPNs in VRF Mode

This chapter provides information about configuring IPSec VPNs in Virtual Routing and Forwarding (VRF) mode, one of the two VPN configuration modes supported by the IPSec VPN SPA. For information on the other VPN mode, crypto-connect mode, see Chapter 25, “Configuring VPNs in Crypto-Connect Mode.”

This chapter includes the following topics:
• Configuring VPNs in VRF Mode, page 26-1
• Configuring an IPSec Virtual Tunnel Interface, page 26-16
• Configuration Examples, page 26-21

For general information on configuring IPSec VPNs with the IPSec VPN SPA, see the “Overview of Basic IPSec and IKE Configuration Concepts” section on page 24-5.

Note The procedures in this chapter assume you have familiarity with security configuration concepts, such as VLANs, ISAKMP policies, preshared keys, transform sets, access control lists, and crypto maps. For detailed information on configuring these features, refer to the following Cisco IOS documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
For additional information about the commands used in this chapter, see the Cisco 7600 Series Router Command Reference, 12.2SR, the related Cisco IOS Release 12.2 software configuration guide and master index publications. For more information about accessing these publications, see the “Related Documentation” section on page xlvii.
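The upgrade note at the top of the crypto-connect Configuration Examples (repeated in the VRF mode guidelines later in this chapter) says to rewrite crypto engine subslot to crypto engine slot in the start-up configuration before upgrading to Cisco IOS Release 12.2(33)SRA, and the VRF mode restrictions state that crypto ACLs accept only the eq port operator and no noncontiguous wildcard masks. The following Python script is an added example, not code from this guide or from Cisco: it performs that rewrite and both ACL checks on a saved configuration, and additionally flags the placeholder crypto parameters the listings above use (3DES, MD5, and a wildcard or five-character preshared key). The line formats it parses are assumed from the listings on this page, the 16-character preshared-key threshold is an arbitrary policy choice, and SAMPLE_CONFIG is a constructed fragment.

```python
"""Pre-upgrade audit of an IOS start-up configuration for the IPSec VPN SPA.

Added example, not from the Cisco guide. Rewrites the retired 'crypto engine
subslot' form, flags crypto ACL entries that VRF mode rejects, and flags the
illustrative crypto parameters used in the guide's listings. Line formats are
assumed from those listings."""
import re

# Constructed sample start-up configuration: pre-SRA syntax, weak parameters.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
interface Vlan2
 crypto engine subslot 4/0
interface GigabitEthernet1/2
 crypto engine subslot 4/0 outside
ip access-list extended acl_1
 permit ip host 12.0.0.1 host 13.0.0.1
 deny ip 10.0.5.0 0.255.0.255 10.0.175.0 0.255.0.255
 permit tcp host 12.0.0.1 host 13.0.0.1 gt 1023
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
"""

SUBSLOT_RE = re.compile(r"^(\s*)crypto engine subslot (\d+/\d+)(.*)$")
PSK_RE = re.compile(r"^crypto isakmp key (?:[06] )?(\S+) address (\S+)(?: (\S+))?")
ACL_HEAD_RE = re.compile(r"^ip access-list (?:extended|standard) (\S+)$")
NAMED_ACE_RE = re.compile(r"^(?:\d+ )?(?:permit|deny) \S+ (.*)$")
NUMBERED_ACE_RE = re.compile(r"^access-list (\S+) (?:permit|deny) \S+ (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def migrate_crypto_engine(config):
    """Rewrite 'crypto engine subslot X/Y ...' to 'crypto engine slot X/Y ...'.
    Returns (rewritten_config, changed_line_numbers); trailing keywords such as
    'outside' are kept because the SRA syntax keeps them."""
    out, changed = [], []
    for n, line in enumerate(config.splitlines(), 1):
        m = SUBSLOT_RE.match(line)
        if m:
            line = f"{m.group(1)}crypto engine slot {m.group(2)}{m.group(3)}"
            changed.append(n)
        out.append(line)
    return "\n".join(out) + "\n", changed


def wildcard_is_contiguous(mask):
    """True when an IOS wildcard mask is 0...01...1 in binary (a plain subnet)."""
    bits = 0
    for octet in mask.split("."):
        bits = (bits << 8) | int(octet)
    return (bits + 1) & bits == 0  # 0.0.0.255 -> 255 passes; 0.255.0.255 fails


def lint_crypto_acl(config):
    """Flag ACEs the IPSec VPN SPA rejects in VRF mode as (line, acl, reason)."""
    findings, current_acl = [], None
    for n, line in enumerate(config.splitlines(), 1):
        s = line.strip()
        if line.startswith(" "):                      # entry of a named ACL
            m = NAMED_ACE_RE.match(s) if current_acl else None
            acl, rest = (current_acl, m.group(1)) if m else (None, None)
        else:                                         # top level: header or numbered ACE
            h = ACL_HEAD_RE.match(s)
            current_acl = h.group(1) if h else None
            m = NUMBERED_ACE_RE.match(s)
            acl, rest = (m.group(1), m.group(2)) if m else (None, None)
        if rest is None:
            continue
        tokens = rest.split()
        if any(t in ("gt", "lt", "neq", "range") for t in tokens):
            findings.append((n, acl, "port-operator-not-eq"))
        # A wildcard mask is a dotted quad that directly follows another dotted quad.
        for a, b in zip(tokens, tokens[1:]):
            if IPV4_RE.match(a) and IPV4_RE.match(b) and not wildcard_is_contiguous(b):
                findings.append((n, acl, "noncontiguous-wildcard"))
                break
    return findings


def lint_crypto_params(config):
    """Flag deprecated algorithms and weak pre-shared-key settings as (line, reason)."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        s = line.strip()
        if re.search(r"\b(encr 3des|esp-3des)\b", s):
            findings.append((n, "3des"))
        if re.search(r"\b(hash md5|esp-md5-hmac)\b", s):
            findings.append((n, "md5"))
        m = PSK_RE.match(s)
        if m:
            key, addr, mask = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":  # any peer may negotiate
                findings.append((n, "wildcard-psk"))
            if len(key) < 16:                            # threshold is an assumption
                findings.append((n, "short-psk"))
    return findings
```

Run it against a saved copy of the start-up configuration (for example, the output of show startup-config) and apply the rewritten text only after reviewing the changed line numbers. The ACL findings carry the ACL name or number and the line, so a noncontiguous entry can be split into contiguous subnets and a gt, lt, neq or range entry rewritten with eq before VRF mode is enabled.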
Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.

Configuring VPNs in VRF Mode

VRF mode, also known as VRF-Aware IPSec, allows you to map IPSec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address.

A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.

Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, called the front door VRF (FVRF), while the inner, protected IP packet belongs to another domain called the Inside VRF (IVRF). Stated another way, the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF, the unprotected (LAN) side.

Note Front door VRF (FVRF) is supported only in Cisco IOS Release 12.2(33)SRA and later.

One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the ISAKMP profile that is attached to a crypto map entry.

With VRF mode, packets belonging to a specific VRF are routed through the IPSec VPN SPA for IPSec processing.
Through the CLI, you associate a VRF with an interface VLAN that has been configured to point to the IPSec VPN SPA. An interface VLAN must be created for each VRF. Packets traveling from an MPLS cloud to the Internet that are received from an inside VRF are routed to an interface VLAN, and then to the IPSec VPN SPA for IPSec processing. The IPSec VPN SPA modifies the packets so that they are placed on a special Layer 3 VLAN for routing to the WAN-side port after they leave the IPSec VPN SPA.

Packets traveling in the inbound direction from a protected port on which the crypto engine slot command has been entered are redirected by a special ACL to the IPSec VPN SPA, where they are processed according to the Security Parameter Index (SPI) contained in the packet’s IPSec header. Processing on the IPSec VPN SPA ensures that the decapsulated packet is mapped to the appropriate interface VLAN corresponding to the inside VRF. This interface VLAN has been associated with a specific VRF, so packets are routed within the VRF to the correct inside interface.

Note Tunnel protection is supported in VRF mode. For information on configuring tunnel protection, see the “Configuring VPNs in VRF Mode with Tunnel Protection (GRE)” section on page 26-11 and the “VRF Mode Tunnel Protection Configuration Example” section on page 26-32.

When configuring a VPN using VRF mode, you have these additional tunneling options: tunnel protection (TP) using GRE, and Virtual Tunnel Interface (VTI). With either of these options, you can terminate tunnels in VRFs (normal VRF mode) or in the global context.
The following subsections describe how to configure a VPN in VRF mode on the IPSec VPN SPA:
• Understanding VPN Configuration in VRF Mode, page 26-3
• VRF Mode Configuration Guidelines and Restrictions, page 26-4
• Configuring VPNs in VRF Mode without Tunnel Protection, page 26-6
• Configuring VPNs in VRF Mode with Tunnel Protection (GRE), page 26-11

Understanding VPN Configuration in VRF Mode

In the traditional crypto-connect mode, a VPN is configured by attaching crypto maps to interface VLANs and then crypto-connecting a physical port to the interface VLAN. When configuring a VPN in VRF mode using the IPSec VPN SPA, the model of interface VLANs is preserved, but the crypto connect vlan CLI command is not used.

When a packet comes into an interface on a specific VRF, the packet must get to the proper interface VLAN. A route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLAN. This function can be achieved through the following configuration options:

• Configuring an IP address on the interface VLAN that is in the same subnet as the packets’ destination IP address. For example, packets are trying to reach subnet 10.1.1.x and their destination IP address is 10.1.1.1 as follows:

int vlan 100
 ip vrf forwarding coke
 ip address 10.1.1.254 255.255.255.0 <-- same subnet as 10.1.1.x that we are trying to reach.
 crypto map mymap
 crypto engine slot 4/1

• Configuring a static route as follows:

ip route vrf coke 10.1.1.0 255.255.255.0 vlan 100

• Configuring routing protocols. You configure BGP, OSPF, or other routing protocols so that remote routers broadcast their routes.

Note Do not configure routing protocols unless you are using tunnel protection.

• Configuring Reverse Route Injection (RRI).
You configure RRI so that a route gets installed when the remote end initiates an IPSec session (as in remote access situations).

With VRF mode, the router sees the interface VLAN as a point-to-point connection; the packets are placed directly onto the interface VLAN. Each VRF has its own interface VLAN. When a crypto map is attached to an interface VLAN and the ip vrf forwarding command has associated that VLAN with a particular VRF, the software creates a point-to-point connection so that all routes pointing to the interface VLAN do not attempt to run the Address Resolution Protocol (ARP). Through normal routing within the VRF, packets to be processed by the IPSec VPN SPA are sent to the interface VLAN. You may configure features on the interface VLAN. The IP address of the interface VLAN must be on the same subnet as the desired destination subnet for packets to be properly routed.

When you enter the ip vrf forwarding command on an inside interface, all packets coming in on that interface are routed correctly within that VRF. When you enable the crypto engine mode vrf command and enter the crypto engine slot outside command on an interface, a special ACL is installed that forces all incoming Encapsulating Security Payload (ESP)/Authentication Header (AH) IPSec packets addressed to a system IP address to be sent to the IPSec VPN SPA WAN-side port. NAT Traversal (NAT-T) packets are also directed to the IPSec VPN SPA by the special ACL.

Note You must enter the vrf vrf_name command from within the context of an ISAKMP profile. This command does not apply to the VRF-aware crypto infrastructure; it applies only to generic crypto processing.

When the ISAKMP profile is added to a crypto map set, the VRF becomes the default VRF for all of the crypto maps in the list.
Individual crypto maps may override this default VRF by specifying another policy profile that contains a different VRF. If no profile is applied to a crypto map tag, it inherits the VRF from the interface if you have configured the interface with the ip vrf forwarding command.

All packets destined for a protected outside interface received in this VRF context are placed on the associated interface VLAN. Similarly, all decapsulated ingress packets associated with this VRF are placed on the appropriate interface VLAN so that they may be routed in the proper VRF context.

VRF Mode Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring a VPN for the IPSec VPN SPA using VRF mode:

Note After enabling or disabling VRF mode using the [no] crypto engine mode vrf command, you must reload the supervisor engine. In addition, MPLS tunnel recirculation must be enabled for VRF mode. That is, you must add the mls mpls tunnel-recir command before entering the crypto engine mode vrf command.

• The procedure for configuring a VPN in VRF mode varies based on whether you are using tunnel protection or not.
• Unlike IPSec VPN SPA crypto-connect mode configurations, when configuring VPNs in VRF mode, you do not use the crypto connect vlan command.
• In Cisco IOS Release 12.2(33)SRA and later releases, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot/subslot {inside | outside}). The crypto engine subslot command is no longer supported. In Cisco IOS Release 12.2(33)SRA and later releases, it is not necessary to specify the slot slot/subslot information with the outside keyword.
When upgrading, ensure that the crypto engine command has been modified in your start-up configuration to avoid extended maintenance time.
• As of Cisco IOS Release 12.2(33)SRA, the ip vrf forwarding command is no longer required when configuring GRE with tunnel protection.
• Crypto ACLs support only the EQ port operator. Other operators, such as GT, LT, and NEQ, are not supported.
• Noncontiguous wildcard masks in a crypto ACL, which match discontiguous subnets as in the following example, are not supported:

deny ip 10.0.5.0 0.255.0.255 10.0.175.0 0.255.0.255
deny ip 10.0.5.0 0.255.0.255 10.0.176.0 0.255.0.255

• ACL counters are not supported for crypto ACLs.
• An egress ACL is not applied to packets generated by the route processor. An ingress ACL is not applied to packets destined for the route processor.
• When you create an ISAKMP profile, note the following guidelines regarding the use of the vrf command:
– You must use the vrf command if you are using the ISAKMP profile with a crypto map.
– You are not required to use the vrf command if you are using the ISAKMP profile with tunnel protection.
– You should not use the vrf command if you are using the ISAKMP profile with DMVPN.
• When the ip vrf forwarding command is applied to a VLAN, any previously existing IP address assigned to that VLAN is removed. To assign an IP address to the VLAN, enter the ip address command after the ip vrf forwarding command, not preceding it.
• Although more than one IPSec VPN SPA in a chassis is supported beginning with Cisco IOS Release 12.2(18)SXE, in VRF mode, there is no configuration difference between multiple IPSec VPN SPA operation and single IPSec VPN SPA operation. For multiple IPSec VPN SPA operation, the only change is to the output of the show crypto vlan command.
The following is an example: Interface Tu1 on IPSec Service Module port Gi7/1/1 connected to VRF vrf1 Interface VLAN 2 on IPSec Service Module port Gi7/1/1 connected to VRF vrf2 • Applying an ACL to the ingress interface will interfere with the packet flow. Note Do not apply an ACL during the configuration of VRF mode. • The number of outside interfaces supported by the IPSec VPN SPA is determined by your system resources. • Inbound and outbound traffic for the same tunnel must use the same outside interface. Asymmetric routing, in which encrypted traffic uses a different outside interface than decrypted traffic for the same tunnel, is not supported. • In VRF mode, crypto map interfaces that share the same local address must be bound to the same crypto engine. • When two tunnels share the same tunnel source address, they will be taken over by the IPSec VPN SPA only if one of the following two conditions are met: – Both tunnels share the same FVRF. – The crypto engine gre vpnblade command is entered. • You can configure the FVRF to be the same as the IVRF. • In VRF mode, ingress ACLs are installed on crypto engine outside interfaces. In combination with other configured ACLs, these ACLs may cause the ACL-TCAM usage to become excessive. To reduce the TCAM usage, share the TCAM resources by entering the mls acl tcam share-global command in the configuration. You can view the ACL usage using the show tcam counts command. Supported and Unsupported Features in VRF Mode A list of the supported and unsupported features in VRF mode can be found in the “IPSec Feature Support” section on page 24-8. 
Additional details are as follows:
• Remote access into a VRF (provider edge [PE]) is supported with the following:
  – Reverse Route Injection (RRI), only with crypto maps
  – Proxy AAA (one VRF is proxied to a dedicated AAA server)
• Customer edge to provider edge (CE-PE) encryption using tunnel protection is supported with the following:
  – Routing update propagation between CEs
  – IGP/eBGP routing update propagation between the PE and CEs

Configuring VPNs in VRF Mode without Tunnel Protection

To configure a VPN in VRF mode with crypto maps and without tunnel protection, perform this task beginning in global configuration mode:

Step 1  Router(config)# mls mpls tunnel-recir
    Enables tunnel-MPLS recirculation.
Step 2  Router(config)# crypto engine mode vrf
    Enables VRF mode for the IPSec VPN SPA.
    Note After enabling or disabling VRF mode using the crypto engine mode vrf command, you must reload the supervisor engine.
Step 3  Router(config)# ip vrf vrf-name
    Configures a VRF routing table and enters VRF configuration mode.
    • vrf-name—Name assigned to the VRF.
Step 4  Router(config-vrf)# rd route-distinguisher
    Creates routing and forwarding tables for the VRF.
    • route-distinguisher—An autonomous system number (ASN) and an arbitrary number (for example, 101:3), or an IP address and an arbitrary number (for example, 192.168.122.15:1).
Step 5  Router(config-vrf)# route-target export route-target-ext-community
    Creates a list of export route-target extended communities for the specified VRF.
    • route-target-ext-community—An ASN and an arbitrary number (for example, 101:3), or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 4.
Step 6  Router(config-vrf)# route-target import route-target-ext-community
    Creates a list of import route-target extended communities for the specified VRF.
    • route-target-ext-community—An ASN and an arbitrary number (for example, 101:3), or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 4.
Step 7  Router(config-vrf)# exit
    Exits VRF configuration mode.
Step 8  Router(config)# crypto keyring keyring-name [vrf fvrf-name]
    Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode.
    • keyring-name—Name of the crypto keyring.
    • fvrf-name—(Optional) Front door VRF (FVRF) to which the keyring is bound. fvrf-name must match the FVRF name that was defined during VRF configuration.
Step 9  Router(config-keyring)# pre-shared-key {address address [mask] | hostname hostname} key key
    Defines a preshared key to be used for IKE authentication.
    • address [mask]—IP address of the remote peer, or a subnet and mask.
    • hostname—Fully qualified domain name of the peer.
    • key—The secret key.
Step 10  Router(config-keyring)# exit
    Exits keyring configuration mode.
Step 11  Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
    Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.
    • transform-set-name—Name of the transform set.
    • transform1 [transform2 [transform3]]—IPSec security protocols and algorithms. Accepted values are described in the Cisco IOS Security Command Reference.
Step 12  Router(config-crypto-trans)# exit
    Exits crypto transform configuration mode.
Step 13  Router(config)# crypto isakmp policy priority
    Defines an IKE policy and enters ISAKMP policy configuration mode.
    • priority—Identifies the IKE policy and assigns it a priority. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
Step 14  Router(config-isakmp)# authentication pre-share
    Specifies the authentication method for the IKE policy.
    • pre-share—Preshared keys.
Step 15  Router(config-isakmp)# lifetime seconds
    Specifies the lifetime of an IKE SA.
    • seconds—Number of seconds each SA exists before expiring. Use an integer from 60 to 86,400. The default is 86,400 (one day).
Step 16  Router(config-isakmp)# exit
    Exits ISAKMP policy configuration mode.
Step 17  Router(config)# crypto isakmp profile profile-name
    Defines an ISAKMP profile and enters ISAKMP profile configuration mode.
    • profile-name—Name of the profile.
Step 18  Router(config-isa-prof)# vrf ivrf
    Defines the inside VRF to which the IPSec tunnel is mapped. This command is required when the ISAKMP profile is used with a crypto map.
    • ivrf—Name of the VRF to which the IPSec tunnel is mapped. Enter the value specified in Step 3.
Step 19  Router(config-isa-prof)# keyring keyring-name
    Configures a keyring within the ISAKMP profile.
    • keyring-name—Keyring name. This name must match the keyring defined in global configuration. Enter the value specified in Step 8.
Step 20  Router(config-isa-prof)# match identity address address [mask] [fvrf]
    Matches the identity of a peer in the ISAKMP profile.
    • address [mask]—IP address of the remote peer, or a subnet and mask.
    • fvrf—(Optional) Required only when configuring a front door VRF (FVRF); specifies the FVRF instance in which the peer address is matched.
Step 21  Router(config-isa-prof)# exit
    Exits ISAKMP profile configuration mode.
Step 22  Router(config)# access-list access-list-number {deny | permit} ip host source host destination
    Defines an extended IP access list (the crypto ACL).
    • access-list-number—Number of the access list, a decimal number from 100 to 199 or from 2000 to 2699.
    • {deny | permit}—Denies or permits the traffic if the conditions are met.
    • source—IP address of the host from which the packet is sent.
    • destination—IP address of the host to which the packet is sent.
Step 23  Router(config)# crypto map map-name seq-number ipsec-isakmp
    Creates or modifies a crypto map entry and enters crypto map configuration mode.
    • map-name—Name that identifies the crypto map set.
    • seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.
    • ipsec-isakmp—Indicates that IKE is used to establish the IPSec security associations.
Step 24  Router(config-crypto-map)# set peer {hostname | ip-address}
    Specifies the IPSec peer for the crypto map entry.
    • {hostname | ip-address}—IPSec peer host name or IP address. Enter the value specified in Step 20.
Step 25  Router(config-crypto-map)# set transform-set transform-set-name
    Specifies which transform sets can be used with the crypto map entry.
    • transform-set-name—Name of the transform set. Enter the value specified in Step 11.
Step 26  Router(config-crypto-map)# set isakmp-profile profile-name
    Sets the ISAKMP profile name.
    • profile-name—Name of the ISAKMP profile. Enter the value specified in Step 17.
Step 27  Router(config-crypto-map)# match address {access-list-id | name}
    Specifies the extended access list for the crypto map entry.
    • access-list-id—Identifies the extended access list by its number. Enter the value specified in Step 22.
    • name—Identifies a named encryption access list. This name must match the name argument of the named encryption access list being matched.
Step 28  Router(config-crypto-map)# exit
    Exits crypto map configuration mode.
Step 29  Router(config)# crypto map map-name local-address interface-id
    Specifies an identifying interface to be used by the crypto map for IPSec traffic.
    • map-name—Name that identifies the crypto map set. Enter the value specified in Step 23.
    • interface-id—Name of the interface that has the local address of the router.
    Note The local address must belong to the FVRF.
    Note In VRF mode, the VPN feature supports up to 1024 local addresses. This limit is across the chassis (not per VPN module).
Step 30  Router(config)# interface fastethernet slot/port
    Configures a Fast Ethernet interface and enters interface configuration mode.
Step 31  Router(config-if)# ip vrf forwarding vrf-name
    Associates a VRF with the interface or subinterface.
    • vrf-name—Name assigned to the VRF. Enter the value specified in Step 3.
Step 32  Router(config-if)# ip address address mask
    Sets a primary or secondary IP address for the interface.
    • address—IP address.
    • mask—Subnet mask.
Step 33  Router(config-if)# no shutdown
    Enables the interface.
Step 34  Router(config-if)# interface gigabitethernet slot/subslot/port
    Configures a Gigabit Ethernet interface. Match the value specified as the interface-id in Step 29.
Step 35  Router(config-if)# ip vrf forwarding vrf-name
    (Optional) Associates a VRF with the interface or subinterface. Enter the FVRF name if the outside interface is in a front door VRF.
    • vrf-name—Name assigned to the VRF.
Step 36  Router(config-if)# ip address address mask
    Sets a primary or secondary IP address for the interface.
    • address—IP address.
    • mask—Subnet mask.
Step 37  Router(config-if)# crypto engine slot slot/subslot outside
    Assigns the specified crypto engine to the interface as the outside interface.
    • slot/subslot—The slot and subslot where the IPSec VPN SPA is located.
Step 38  Router(config-if)# no shutdown
    Enables the interface.
Step 39  Router(config-if)# exit
    Exits interface configuration mode.
Step 40  Router(config)# interface vlan vlan-id
    Configures a VLAN interface and enters interface configuration mode.
    • vlan-id—VLAN identifier.
Step 41  Router(config-if)# ip vrf forwarding vrf-name
    Associates a VRF with the interface. Enter this command before the ip address command; applying it afterward removes the address.
    • vrf-name—Name assigned to the VRF. Enter the value specified in Step 3.
Step 42  Router(config-if)# ip address address mask
    Sets a primary or secondary IP address for the interface.
    • address—IP address.
    • mask—Subnet mask.
Step 43  Router(config-if)# crypto map map-name
    Applies a previously defined crypto map set to the interface.
    • map-name—Name that identifies the crypto map set. Enter the value specified in Step 23.
Step 44  Router(config-if)# crypto engine slot slot/subslot inside
    Assigns the specified crypto engine to the interface as the inside interface.
    • slot/subslot—The slot and subslot where the IPSec VPN SPA is located.
Step 45  Router(config-if)# exit
    Exits interface configuration mode.
Step 46  Router(config)# ip route vrf vrf-name prefix mask interface-number
    Establishes a static route in the VRF.
    • vrf-name—Name of the VRF for the static route. Enter the value specified in Step 3.
    • prefix—IP route prefix for the destination, in dotted-decimal format.
    • mask—Prefix mask for the destination, in dotted-decimal format.
    • interface-number—Network interface to use. Enter the VLAN interface (vlan-id) configured in Step 40.
Step 47  Router(config)# end
    Returns to privileged EXEC mode.

For complete configuration information for VRF-Aware IPSec, refer to this URL:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec_ps10591_TSD_Products_Configuration_Guide_Chapter.html

For a configuration example, see the “VRF Mode Basic Configuration Example” section on page 26-22.

Configuring VPNs in VRF Mode with Tunnel Protection (GRE)

This section describes how to configure a VPN in VRF mode with tunnel protection (TP). Tunnel protection is GRE tunneling in VRF mode.

When you configure IPSec, a crypto map is attached to an interface to enable IPSec. With tunnel protection, there is no need for a crypto map or ACL to be attached to the interface. A crypto policy is attached directly to the tunnel interface. Any traffic routed by the interface is encapsulated in GRE and then encrypted using IPSec. The tunnel protection feature can be applied to point-to-point GRE.

VRF Mode Using Tunnel Protection Configuration Guidelines and Restrictions

When configuring tunnel protection on the IPSec VPN SPA, follow these guidelines and restrictions:
• Do not configure any options (such as sequence numbers or tunnel keys) that prevent the IPSec VPN SPA from seizing the GRE tunnel.
• Do not configure the GRE tunnel keepalive feature.
• When applied to the GRE tunnel interface, the ip tcp adjust-mss command is ignored. Apply the command to the ingress LAN interface instead. (CSCsl27876)
• Do not use crypto maps to protect GRE traffic in VRF mode.
• When a crypto map interface and a tunnel protection interface (either VTI or GRE/TP) share the same outside interface, they cannot share the same local source address.
• To avoid fragmentation after encryption, set the tunnel IP MTU to be equal to or less than the egress interface MTU minus the GRE and IPSec overheads. The egress interface MTU must be the smallest MTU of all the active crypto outside interfaces.
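The following is a complete configuration that ties together Steps 1 through 47 of the crypto-map procedure (VRF mode without tunnel protection) given earlier in this chapter. It is an added example, not a configuration taken from this guide or from Cisco; the VRF names INET (front door) and CUST-A (inside), the SPA position 4/0, the interfaces GigabitEthernet1/1, FastEthernet2/1 and Vlan100, the addresses 192.0.2.0/24, 198.51.100.0/24, 10.1.100.0/24, 10.1.255.0/24 and 10.2.0.0/16, and the DH group are assumptions chosen for illustration, and the preshared key is a placeholder. Note how the ISAKMP profile carries the vrf command (required with a crypto map), how the crypto ACL uses only a plain subnet match (no GT, LT or NEQ operators and no noncontiguous wildcard masks), and how ip vrf forwarding precedes ip address on the VLAN interface.

```cisco
! Added example (not from this guide). Assumed values: FVRF INET, IVRF CUST-A,
! IPSec VPN SPA in slot 4 subslot 0, outside port GigabitEthernet1/1 with local
! address 192.0.2.10, LAN port FastEthernet2/1, crypto VLAN 100, remote peer
! 198.51.100.20, protected subnets 10.1.100.0/24 (local) and 10.2.0.0/16 (remote).
!
! Steps 1-2: recirculation first, then VRF mode. Reload the supervisor afterwards.
mls mpls tunnel-recir
crypto engine mode vrf
!
! Steps 3-7: the front door VRF (where IKE and ESP travel) and the inside VRF.
ip vrf INET
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
ip vrf CUST-A
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
! Steps 8-10: the keyring is bound to the FVRF because the peer is reached there.
! The key is a placeholder.
crypto keyring KR-INET vrf INET
 pre-shared-key address 198.51.100.20 key PLACEHOLDER-change-me
!
! Steps 11-12: the transform set.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Steps 13-16: IKE policy. Use the strongest DH group your release supports.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
 lifetime 28800
!
! Steps 17-21: with a crypto map the ISAKMP profile MUST carry the vrf command
! naming the inside VRF; match identity names the FVRF the peer lives in.
crypto isakmp profile ISA-CUSTA
 vrf CUST-A
 keyring KR-INET
 match identity address 198.51.100.20 255.255.255.255 INET
!
! Step 22: crypto ACL. A plain subnet match: no gt/lt/neq port operators
! (only eq is supported) and only contiguous wildcard masks.
access-list 101 permit ip 10.1.100.0 0.0.0.255 10.2.0.0 0.0.255.255
!
! Steps 23-29: the crypto map and its local address, which lives in the FVRF.
crypto map CM-CUSTA 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS-AES
 set isakmp-profile ISA-CUSTA
 match address 101
crypto map CM-CUSTA local-address GigabitEthernet1/1
!
! Steps 30-33: inside LAN port in the IVRF.
interface FastEthernet2/1
 ip vrf forwarding CUST-A
 ip address 10.1.100.1 255.255.255.0
 no shutdown
!
! Steps 34-39: outside interface in the FVRF, bound to the SPA as "outside".
interface GigabitEthernet1/1
 ip vrf forwarding INET
 ip address 192.0.2.10 255.255.255.0
 crypto engine slot 4/0 outside
 no shutdown
!
! Steps 40-45: crypto VLAN in the IVRF. ip vrf forwarding comes BEFORE
! ip address; the reverse order strips the address again.
interface Vlan100
 ip vrf forwarding CUST-A
 ip address 10.1.255.1 255.255.255.0
 crypto map CM-CUSTA
 crypto engine slot 4/0 inside
!
! Step 46: steer the remote subnet into the crypto VLAN inside the IVRF, and
! give the FVRF a path to the peer.
ip route vrf CUST-A 10.2.0.0 255.255.0.0 Vlan100
ip route vrf INET 198.51.100.0 255.255.255.0 192.0.2.1
```

After the reload that VRF mode requires, show crypto vlan should list Vlan100 connected to VRF CUST-A on the SPA port, and traffic from 10.1.100.0/24 to 10.2.0.0/16 should appear as an active session in show crypto session.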
To configure a VPN in VRF mode using tunnel protection, perform this task beginning in global configuration mode:

Step 1  Router(config)# mls mpls tunnel-recir
    Enables tunnel-MPLS recirculation.
Step 2  Router(config)# crypto engine mode vrf
    Enables VRF mode for the IPSec VPN SPA.
    Note After enabling or disabling VRF mode using the crypto engine mode vrf command, you must reload the supervisor engine.
Step 3  Router(config)# ip vrf vrf-name
    Configures a VRF routing table and enters VRF configuration mode.
    • vrf-name—Name assigned to the VRF.
Step 4  Router(config-vrf)# rd route-distinguisher
    Creates routing and forwarding tables for the VRF.
    • route-distinguisher—An autonomous system number (ASN) and an arbitrary number (for example, 101:3), or an IP address and an arbitrary number (for example, 192.168.122.15:1).
Step 5  Router(config-vrf)# route-target export route-target-ext-community
    Creates a list of export route-target extended communities for the specified VRF.
    • route-target-ext-community—An ASN and an arbitrary number (for example, 101:3), or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 4.
Step 6  Router(config-vrf)# route-target import route-target-ext-community
    Creates a list of import route-target extended communities for the specified VRF.
    • route-target-ext-community—An ASN and an arbitrary number (for example, 101:3), or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 4.
Step 7  Router(config-vrf)# exit
    Exits VRF configuration mode.
Step 8  Router(config)# crypto keyring keyring-name [vrf fvrf-name]
    Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode.
    • keyring-name—Name of the crypto keyring.
    • fvrf-name—(Optional) Front door VRF (FVRF) to which the keyring is bound. fvrf-name must match the FVRF name that was defined during VRF configuration.
Step 9  Router(config-keyring)# pre-shared-key {address address [mask] | hostname hostname} key key
    Defines a preshared key to be used for IKE authentication.
    • address [mask]—IP address of the remote peer, or a subnet and mask.
    • hostname—Fully qualified domain name of the peer.
    • key—The secret key.
Step 10  Router(config-keyring)# exit
    Exits keyring configuration mode.
Step 11  Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
    Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.
    • transform-set-name—Name of the transform set.
    • transform1 [transform2 [transform3]]—IPSec security protocols and algorithms. Accepted values are described in the Cisco IOS Security Command Reference.
Step 12  Router(config-crypto-trans)# exit
    Exits crypto transform configuration mode.
Step 13  Router(config)# crypto isakmp policy priority
    Defines an IKE policy and enters ISAKMP policy configuration mode.
    • priority—Identifies the IKE policy and assigns it a priority. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
Step 14  Router(config-isakmp)# authentication pre-share
    Specifies the authentication method for the IKE policy.
    • pre-share—Preshared keys.
Step 15  Router(config-isakmp)# lifetime seconds
    Specifies the lifetime of an IKE SA.
    • seconds—Number of seconds each SA exists before expiring. Use an integer from 60 to 86,400. The default is 86,400 (one day).
Step 16  Router(config-isakmp)# exit
    Exits ISAKMP policy configuration mode.
Step 17  Router(config)# crypto isakmp profile profile-name
    Defines an ISAKMP profile and enters ISAKMP profile configuration mode. With tunnel protection the vrf command is not required in the profile.
    • profile-name—Name of the profile.
Step 18  Router(config-isa-prof)# keyring keyring-name
    Configures a keyring within the ISAKMP profile.
    • keyring-name—Keyring name. This name must match the keyring defined in global configuration. Enter the value specified in Step 8.
Step 19  Router(config-isa-prof)# match identity address address [mask]
    Matches the identity of a peer in the ISAKMP profile.
    • address [mask]—IP address of the remote peer, or a subnet and mask.
Step 20  Router(config-isa-prof)# exit
    Exits ISAKMP profile configuration mode.
Step 21  Router(config)# access-list access-list-number {deny | permit} ip host source host destination
    Defines an extended IP access list.
    • access-list-number—Number of the access list, a decimal number from 100 to 199 or from 2000 to 2699.
    • {deny | permit}—Denies or permits the traffic if the conditions are met.
    • source—IP address of the host from which the packet is sent.
    • destination—IP address of the host to which the packet is sent.
Step 22  Router(config)# crypto ipsec profile profile-name
    Defines an IPSec profile and enters IPSec profile configuration mode.
    • profile-name—Name of the profile.
Step 23  Router(config-ipsec-profile)# set transform-set transform-set-name
    Specifies which transform sets can be used with the IPSec profile.
    • transform-set-name—Name of the transform set. Enter the value specified in Step 11.
Step 24  Router(config-ipsec-profile)# set isakmp-profile profile-name
    Sets the ISAKMP profile name.
    • profile-name—Name of the ISAKMP profile. Enter the value specified in Step 17.
Step 25  Router(config-ipsec-profile)# exit
    Exits IPSec profile configuration mode.
Step 26  Router(config)# interface tunnel tunnel-number
    Configures a tunnel interface and enters interface configuration mode.
    • tunnel-number—Number assigned to the tunnel interface.
Step 27  Router(config-if)# ip vrf forwarding vrf-name
    (Optional) Associates a VRF with the tunnel interface.
    • vrf-name—Name assigned to the VRF. Enter the value specified in Step 3.
Step 28  Router(config-if)# ip address address mask
    Sets a primary or secondary IP address for the interface.
    • address—IP address.
    • mask—Subnet mask.
Step 29  Router(config-if)# tunnel source ip-address
    Sets the source address of the tunnel interface.
    • ip-address—IP address to use as the source address for packets in the tunnel.
Step 30  Router(config-if)# tunnel vrf vrf-name
    (Optional) Associates a VPN routing and forwarding instance (VRF) with the tunnel destination. This step is only required when configuring a front door VRF (FVRF).
    • vrf-name—Name assigned to the FVRF.
Step 31  Router(config-if)# tunnel destination ip-address
    Sets the destination address of the tunnel interface.
    • ip-address—IP address to use as the destination address for packets in the tunnel.
Step 32  Router(config-if)# tunnel protection ipsec profile profile-name
    Associates the tunnel interface with an IPSec profile.
    • profile-name—The value specified in Step 22.
Step 33  Router(config-if)# crypto engine slot slot/subslot inside
    Assigns the specified crypto engine to the interface as the inside interface.
    • slot/subslot—The slot and subslot where the IPSec VPN SPA is located.
Step 34  Router(config-if)# interface fastethernet slot/port
    Configures a Fast Ethernet interface.
Step 35  Router(config-if)# ip vrf forwarding vrf-name
    (Optional) Associates a VRF with the interface or subinterface.
    • vrf-name—Name assigned to the VRF.
Step 36  Router(config-if)# ip address address mask
    Sets a primary or secondary IP address for the interface.
    • address—IP address.
    • mask—Subnet mask.
Step 37  Router(config-if)# no shutdown
    Enables the interface.
Step 38  Router(config-if)# interface type slot/subslot/port
    Configures the physical egress interface.
Step 39  Router(config-if)# ip vrf forwarding vrf-name
    (Optional) Associates a VRF with the interface or subinterface. Enter the FVRF name if the egress interface is in a front door VRF.
    • vrf-name—Name assigned to the VRF.
Step 40  Router(config-if)# ip address address mask
    Sets a primary or secondary IP address for the interface.
    • address—IP address. Enter the value specified in Step 29.
    • mask—Subnet mask.
Step 41  Router(config-if)# crypto engine slot slot/subslot outside
    Assigns the crypto engine to the interface as the outside interface.
    • slot/subslot—The slot and subslot where the IPSec VPN SPA is located.
Step 42  Router(config-if)# no shutdown
    Enables the interface.
Step 43  Router(config-if)# exit
    Exits interface configuration mode.

For a configuration example, see the “VRF Mode Tunnel Protection Configuration Example” section on page 26-32.

Configuring an IPSec Virtual Tunnel Interface

The IPSec Virtual Tunnel Interface (VTI) provides a routable interface type for terminating IPSec tunnels. It greatly simplifies the configuration process when you need to provide protection for remote access, and it is a simpler alternative to using GRE tunnels and crypto maps with IPSec. In addition, the IPSec VTI simplifies network management and load balancing.
Note IPSec VTI is supported in Cisco IOS Release 12.2(33)SRA and later releases, and is not supported in crypto-connect mode. Note the following details about IPSec VTI routing and traffic encryption: • You can enable routing protocols on the tunnel interface so that routing information can be propagated over the virtual tunnel. The router can establish neighbor relationships over the virtual tunnel interface. Interoperability with standard-based IPSec installations is possible through the use of the IP ANY ANY proxy. The static IPSec interface will negotiate and accept IP ANY ANY proxies. • The IPSec VTI supports native IPSec tunneling and exhibits most of the properties of a physical interface. • In the IPSec VTI, encryption occurs in the tunnel. Traffic is encrypted when it is forwarded to the tunnel interface. Traffic forwarding is handled by the IP routing table, and dynamic or static IP routing can be used to route the traffic to the virtual tunnel interface. Using IP routing to forward the traffic to encryption simplifies the IPSec VPN configuration because the use of ACLs with a crypto map in native IPSec configurations is not required. When IPSec VTIs are used, you can separate applications of NAT, ACLs, and QoS, and apply them to clear text or encrypted text, or both. When crypto maps are used, there is no easy way to specify forced encryption features. IPSec Virtual Tunnel Interface Configuration Guidelines and Restrictions When configuring IPSec VTI, follow these guidelines and restrictions: • A VTI tunnel can terminate either in a VRF (normal VRF mode) or in the global context (with no ip vrf forwarding command on the tunnel interface). • Only static VTI is supported. • Only strict IP ANY ANY proxy is supported. • The IPSec transform set must be configured only in tunnel mode. • The IKE security association (SA) is bound to the virtual tunnel interface. 
Because it is bound to the virtual tunnel interface, the same IKE SA cannot be used for a crypto map. • When the mls mpls tunnel-recir command is applied in a VTI configuration, one reserved VLAN is allocated to each tunnel. As a result, there will be a maximum limit of 1000 VTI tunnels. • In releases earlier than Cisco IOS Release 12.2(33)SRE, the following guidelines apply: – The IPSec virtual tunnel interface is limited to IP unicast, as opposed to GRE tunnels, which have a wider application for IPSec implementation. 26-17 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 26 Configuring VPNs in VRF Mode Configuring an IPSec Virtual Tunnel Interface – Multicast over VTI is not supported except for control plane traffic such as routing protocol updates. • In Cisco IOS Release 12.2(33)SRE and later releases, the following guidelines apply: – A static VTI tunnel interface supports multicast traffic. – ACLs can be applied to GRE and static VTI tunnel interfaces participating in multicast traffic. – Platform QoS features can be applied to GRE and static VTI tunnel interfaces participating in multicast traffic. Configuring an IPSec Static Tunnel To configure a static IPSec virtual tunnel interface, perform this task beginning in global configuration mode: Command Purpose Step 1 Router(config)# mls mpls tunnel-recir Enables tunnel-MPLS recirculation. Step 2 Router(config)# crypto engine mode vrf Enables VRF mode for the IPSec VPN SPA. Note After enabling or disabling VRF mode using the crypto engine mode vrf command, you must reload the supervisor engine. Step 3 Router(config)# ip vrf vrf-name Configures a VRF routing table and enters VRF configuration mode. • vrf-name—Name assigned to the VRF. Step 4 Router(config-vrf)# rd route-distinguisher Creates routing and forwarding tables for a VRF. 
• route-distinguisher—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Step 5 Router(config-vrf)# route-target export route-target-ext-community Creates lists of export route-target extended communities for the specified VRF. • route-target-ext-community—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 4. Step 6 Router(config-vrf)# route-target import route-target-ext-community Creates lists of import route-target extended communities for the specified VRF. • route-target-ext-community—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 4. 26-18 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 26 Configuring VPNs in VRF Mode Configuring an IPSec Virtual Tunnel Interface Step 7 Router(config-vrf)# exit Exits VRF configuration mode. Step 8 Router(config)# crypto keyring keyring-name [vrf fvrf-name] Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode. • keyring-name—Name of the crypto keyring. • fvrf-name—(Optional) Front door virtual routing and forwarding (FVRF) name to which the keyring will be referenced. fvrf-name must match the FVRF name that was defined during virtual routing and forwarding (VRF) configuration. Step 9 Router(config-keyring)# pre-shared-key {address address [mask] | hostname hostname} key key Defines a preshared key to be used for IKE authentication. • address [mask]—IP address of the remote peer or a subnet and mask. • hostname—Fully qualified domain name of the peer. • key—Specifies the secret key. 
Step 10 Router(config-keyring)# exit Exits keyring configuration mode. Step 11 Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]] Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode. • transform-set-name—Name of the transform set. • transform1[transform2[transform3]]—Defines IPSec security protocols and algorithms. Accepted values are described in the Cisco IOS Security Command Reference. Step 12 Router(config-crypto-trans)# exit Exits crypto transform configuration mode Step 13 Router(config)# crypto isakmp policy priority Defines an IKE policy and enters ISAKMP policy configuration mode. • priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest. Step 14 Router(config-isakmp)# authentication pre-share Specifies the authentication method with an IKE policy. • pre-share—Specifies preshared keys as the authentication method. Step 15 Router(config-isakmp)# lifetime seconds Specifies the lifetime of an IKE SA. • seconds—Number of seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds. Default is 86,400 (one day.) Command Purpose 26-19 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 26 Configuring VPNs in VRF Mode Configuring an IPSec Virtual Tunnel Interface Step 16 Router(config-isakmp)# exit Exits ISAKMP policy configuration mode. Step 17 Router(config)# crypto ipsec profile profile-name Defines an IPSec profile and enters IPSec profile configuration mode. The IPSec profile defines the IP Security (IPSec) parameters that are to be used for IPSec encryption between two IPSec routers. • profile-name—Name of the user profile. 
Step 18 Router(config-ipsec-profile)# set transform-set transform-set-name [transform-set-name2 ... transform-set-name6]
Specifies which transform sets can be used with the crypto map entry.
• transform-set-name—Name of the transform set.

Step 19 Router(config)# interface type slot/[subslot]/port
Configures an interface type.
• type—Type of interface being configured.
• slot/[subslot]/port—Number of the slot, subslot (optional), and port to be configured.

Step 20 Router(config-if)# ip vrf forwarding vrf-name
(Optional) Associates a VRF with an interface or subinterface.
• vrf-name—Name assigned to the VRF.

Step 21 Router(config-if)# ip address address mask
Sets a primary or secondary IP address for an interface.
• address—IP address.
• mask—Subnet mask.

Step 22 Router(config-if)# tunnel mode ipsec ipv4
Defines the mode for the tunnel as IPSec and the transport as IPv4.

Step 23 Router(config-if)# tunnel source ip-address
Sets the source address of a tunnel interface.
• ip-address—IP address to use as the source address for packets in the tunnel.

Step 24 Router(config-if)# tunnel destination ip-address
Sets the destination address of a tunnel interface.
• ip-address—IP address to use as the destination address for packets in the tunnel.

Step 25 Router(config-if)# tunnel vrf vrf-name
(Optional) Associates a VPN routing and forwarding instance (VRF) with a specific tunnel destination. This step is only required when configuring a front door VRF (FVRF).
• vrf-name—Name assigned to the VRF.

Step 26 Router(config-if)# tunnel protection ipsec profile name
Associates a tunnel interface with an IPSec profile.
• name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command in Step 1.

Step 27 Router(config-if)# crypto engine slot slot/subslot inside
Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN SPA is located.
Step 28 Router(config-if)# interface type slot/subslot/port
Configures the physical egress interface.

Step 29 Router(config-if)# ip vrf forwarding vrf-name
(Optional) Associates a VRF with an interface or subinterface.
• vrf-name—Name assigned to the VRF.

Step 30 Router(config-if)# ip address address mask
Sets a primary or secondary IP address for an interface.
• address—IP address. Enter the value specified in Step 23.
• mask—Subnet mask.

Step 31 Router(config-if)# crypto engine outside
Assigns the crypto engine to the interface.

Step 32 Router(config-if)# no shutdown
Enables the interface.

Step 33 Router(config-if)# exit
Exits interface configuration mode.

Verifying the IPSec Virtual Tunnel Interface Configuration

To confirm that your IPSec virtual tunnel interface configuration is working properly, enter the show interfaces tunnel, show crypto session, and show ip route commands. The show interfaces tunnel command displays tunnel interface information, the show crypto session command displays status information for active crypto sessions, and the show ip route command displays the current state of the routing table.

In this display, Tunnel 0 is up and the line protocol is up. If the line protocol is down, the session is not active.

Router1# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.51.203/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 103/255, rxload 110/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.0.149.203, destination 10.0.149.217
  Tunnel protocol/transport IPSEC/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "P1")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 13000 bits/sec, 34 packets/sec
  30 second output rate 36000 bits/sec, 34 packets/sec
     191320 packets input, 30129126 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     59968 packets output, 15369696 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Router1# show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.149.217 port 500
  IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 4, origin: crypto map

Router1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.35.0/24 is directly connected, Ethernet3/3
S       10.0.36.0/24 is directly connected, Tunnel0
C       10.0.51.0/24 is directly connected, Tunnel0
C       10.0.149.0/24 is directly connected, Ethernet3/0

For more complete information about IPSec Virtual Tunnel Interface, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

For IPSec Virtual Tunnel Interface configuration examples, see the “IPSec Virtual Tunnel Interfaces Configuration Examples” section on page 26-35.

Configuring VTI in the Global Context

With Cisco IOS Release 12.2(33)SRA and later releases, you can configure IPSec VTI without having to configure VRFs. Although VRF mode must be configured globally using the crypto engine mode vrf command, tunnels can be terminated in the global context rather than in VRFs.

The configuration steps for VTI in the global context are similar to the steps for IPSec VTI shown in the “Configuring an IPSec Static Tunnel” section on page 26-17, with the exception that the ip vrf forwarding vrf-name command and the tunnel vrf vrf-name command are not required.

For a configuration example of IPSec VTI in the global context, see the “IPSec Virtual Tunnel Interfaces Configuration Examples” section on page 26-35.

Configuration Examples

The following sections provide examples of VRF mode configurations:
• VRF Mode Basic Configuration Example, page 26-22
• VRF Mode Remote Access Using Easy VPN Configuration Example, page 26-25
• VRF Mode PE Configuration Example, page 26-27
• VRF Mode CE Configuration Example, page 26-30
• VRF Mode Tunnel Protection Configuration Example, page 26-32
• IP Multicast in VRF Mode Configuration Example, page 26-33
• IPSec Virtual Tunnel Interfaces Configuration Examples, page 26-35

Note When the ip vrf forwarding command is applied to a VLAN, any previously existing IP address assigned to that VLAN is removed. To assign an IP address to the VLAN, enter the ip address command after the ip vrf forwarding command, not preceding it.

Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA.
In Cisco IOS Release 12.2(33)SRA and later releases, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot/subslot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your start-up configuration to avoid extended maintenance time.

VRF Mode Basic Configuration Example

The following example shows a basic IPSec VPN SPA configuration using VRF mode:

Router 1 Configuration

hostname router-1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3
!
crypto keyring key0
 pre-shared-key address 11.0.0.2 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp profile prof1
 vrf ivrf
 keyring key0
 match identity address 11.0.0.2 255.255.255.255
!
!
crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.2
 set transform-set proposal1
 set isakmp-profile prof1
 match address 101
!
interface GigabitEthernet1/1
 !switch inside port
 ip vrf forwarding ivrf
 ip address 12.0.0.1 255.255.255.0
!
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip vrf forwarding ivrf
 ip address 13.0.0.252 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0 inside
!
interface Vlan3
 ip address 11.0.0.1 255.255.255.0
 crypto engine slot 4/0 outside
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2

Router 2 Configuration

hostname router-2
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3
!
crypto keyring key0
 pre-shared-key address 11.0.0.1 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp profile prof1
 vrf ivrf
 keyring key0
 match identity address 11.0.0.1 255.255.255.255
!
!
crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.1
 set transform-set proposal1
 set isakmp-profile prof1
 match address 101
!
interface GigabitEthernet1/1
 !switch inside port
 ip vrf forwarding ivrf
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip vrf forwarding ivrf
 ip address 12.0.0.252 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0 inside
!
interface Vlan3
 ip address 11.0.0.2 255.255.255.0
 crypto engine slot 4/0 outside
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2

VRF Mode Remote Access Using Easy VPN Configuration Example

The following examples show VRF mode configurations for remote access using Easy VPN, first using RADIUS authentication, then using local authentication:

Using RADIUS Authentication

aaa group server radius acs-vrf1
 server-private 192.1.1.251 auth-port 1812 acct-port 1813 key allegro
 ip vrf forwarding vrf1
!
aaa authentication login test_list group acs-vrf1
aaa authorization network test_list group acs-vrf1
aaa accounting network test_list start-stop group acs-vrf1
!
ip vrf ivrf
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group test
 key world
 pool pool1
!
crypto isakmp profile test_pro
 vrf ivrf
 match identity group test
 client authentication list test_list
 isakmp authorization list test_list
 client configuration address respond
 accounting test_list
crypto ipsec transform-set t3 esp-3des esp-sha-hmac
!
crypto dynamic-map remote 1
 set transform-set t3
 set isakmp-profile test_pro
 reverse-route
!
!
crypto map map-ra local-address GigabitEthernet2/1
crypto map map-ra 10 ipsec-isakmp dynamic remote
!
interface GigabitEthernet2/1
 mtu 9216
 ip address 120.0.0.254 255.255.255.0
 ip flow ingress
 logging event link-status
 mls qos trust ip-precedence
 crypto engine slot 1/0 outside
!
interface GigabitEthernet1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan100
 ip vrf forwarding vrf1
 ip address 120.0.0.100 255.255.255.0
 no mop enabled
 crypto map map-ra
 crypto engine slot 1/0 inside

ip local pool pool1 100.0.1.1 100.0.5.250

Using Local Authentication

username t1 password 0 cisco
aaa new-model
!
aaa authentication login test_list local
aaa authorization network test_list local
!
aaa session-id common
!
ip vrf ivrf
 rd 1:2
 route-target export 1:2
 route-target import 1:2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key world
 pool pool1
crypto isakmp profile test_pro
 vrf ivrf
 match identity group test
 client authentication list test_list
 isakmp authorization list test_list
 client configuration address respond
 accounting test_list
crypto ipsec transform-set t3 esp-3des esp-sha-hmac
!
crypto dynamic-map remote 10
 set transform-set t3
 set isakmp-profile test_pro
 reverse-route
!
!
crypto map map-ra local-address GigabitEthernet2/1
crypto map map-ra 11 ipsec-isakmp dynamic remote
!
!
!
interface GigabitEthernet2/1
 mtu 9216
 ip address 120.0.0.254 255.255.255.0
 ip flow ingress
 logging event link-status
 mls qos trust ip-precedence
 crypto engine slot 1/0 outside
!
!
interface GigabitEthernet1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan100
 ip vrf forwarding ivrf
 ip address 120.0.0.100 255.255.255.0
 ip flow ingress
 crypto map map-ra
 crypto engine slot 1/0 inside
!
!
ip local pool pool1 100.0.1.1 100.0.5.250

VRF Mode PE Configuration Example

The following example shows a VRF mode configuration for a provider edge (PE):

!
version 12.2
!
hostname EXAMPLE-PE
!
no aaa new-model
ip subnet-zero
!
ip vrf vrf1
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
  auto-sync standard
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
power redundancy-mode combined
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
crypto keyring key0
 pre-shared-key address 11.0.0.1 key mykey
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 500
crypto isakmp profile prof1
 vrf vrf1
 keyring key0
 self-identity user-fqdn a@example.com
 match identity address 11.0.0.1 255.255.255.255
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.1
 set security-association lifetime seconds 1000
 set transform-set proposal1
 set pfs group2
 set isakmp-profile prof1
 match address 101
!
interface GigabitEthernet1/1
 no ip address
 shutdown
!
interface GigabitEthernet1/2
 switchport
 switchport access vlan 3
 switchport mode access
 no ip address
!
interface GigabitEthernet1/14
 ip vrf forwarding vrf1
 ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet6/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet6/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet7/1
 no ip address
 shutdown
!
interface GigabitEthernet7/2
 ip address 17.1.5.4 255.255.0.0
 media-type rj45
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip vrf forwarding vrf1
 ip address 12.0.0.252 255.255.255.0
 crypto map testtag
 crypto engine subslot 6/0
!
interface Vlan3
 ip address 11.0.0.2 255.255.255.0
 crypto engine subslot 6/0
!
ip classless
ip route 223.255.254.0 255.255.255.0 17.1.0.1
!
no ip http server
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
control-plane
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line vty 0 4
 login
!
end

VRF Mode CE Configuration Example

The following example shows a VRF mode configuration for a customer edge (CE):

!
version 12.2
!
hostname EXAMPLE-CE
!
no aaa new-model
ip subnet-zero
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
  auto-sync standard
spanning-tree mode pvst
!
power redundancy-mode combined
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 500
crypto isakmp key mykey address 11.0.0.2
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map testtag 10 ipsec-isakmp
 set peer 11.0.0.2
 set security-association lifetime seconds 1000
 set transform-set proposal1
 set pfs group2
 match address 101
!
interface GigabitEthernet1/1
 ip address 12.0.0.1 255.255.255.0
 load-interval 30
 no keepalive
!
interface GigabitEthernet1/2
 switchport
 switchport access vlan 3
 switchport mode access
 no ip address
!
interface GigabitEthernet5/2
 ip address 17.1.5.3 255.255.0.0
 media-type rj45
!
interface GigabitEthernet6/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet6/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet6/1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet6/1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 11.0.0.1 255.255.255.0
 no mop enabled
 crypto map testtag
 crypto engine subslot 6/0
!
interface Vlan3
 no ip address
 crypto connect vlan 2
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
ip route 223.255.254.0 255.255.255.0 17.1.0.1
!
no ip http server
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
control-plane
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line vty 0 4
 login
!
end

VRF Mode Tunnel Protection Configuration Example

The following example shows a VRF mode configuration with tunnel protection:

ip vrf coke
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto keyring key1
 pre-shared-key address 100.1.1.1 key happy-eddie
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp profile prof1
 keyring key1
 match identity address 100.1.1.1 255.255.255.255
!
crypto ipsec transform-set TR esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile tp
 set transform-set TR
 set isakmp-profile prof1
!
!
crypto engine mode vrf
!
interface Tunnel1
 ip vrf forwarding coke
 ip address 10.1.1.254 255.255.255.0
 tunnel source 172.1.1.1
 tunnel destination 100.1.1.1
 tunnel protection ipsec profile tp
 crypto engine slot 4/0 inside
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 cdp enable
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 cdp enable
 spanning-tree portfast trunk
!
interface GigabitEthernet6/1
 ip address 172.1.1.1 255.255.255.0
 crypto engine slot 4/0 outside
!
interface FastEthernet7/13
 ip vrf forwarding coke
 ip address 13.1.1.2 255.255.255.0
!
ip route 100.1.1.1 255.255.255.255 Tunnel1

IP Multicast in VRF Mode Configuration Example

Note If two IPSec VPN SPAs are present in the Cisco 7600 SSC-400, one will be shut down if the hw-module slot X subslot Y only command is in the configuration. In this case, the IPSec VPN SPA in subslot Y will be active, and the IPSec VPN SPA in the other subslot will be disabled.

The following example shows how to configure IP multicast over GRE:

hostname router-1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
!
!
ip multicast-routing vrf ivrf
!
crypto engine mode vrf
!
!
hw-module slot 4 subslot 0 only
!
crypto keyring key1
 pre-shared-key address 11.0.0.0 255.0.0.0 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp profile isa_prof
 keyring key1
 match identity address 11.0.0.0 255.0.0.0
!
crypto ipsec transform-set proposal esp-3des
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set proposal
 set isakmp-profile isa_prof
!
!
!
interface Tunnel1
 ip vrf forwarding ivrf
 ip address 20.1.1.1 255.255.255.0
 ip mtu 9216
 ip hold-time eigrp 1 3600
 ip pim sparse-mode
 tunnel source 1.0.1.1
 tunnel destination 11.1.1.1
 tunnel protection ipsec profile vpnprof
 crypto engine slot 4/0 inside
!
interface Loopback1
 ip address 1.0.1.1 255.255.255.0
!
interface GigabitEthernet1/1
 mtu 9216
 ip vrf forwarding ivrf
 ip address 50.1.1.1 255.0.0.0
 ip pim sparse-mode
!
interface GigabitEthernet1/2
 mtu 9216
 ip address 9.1.1.1 255.255.255.0
 crypto engine slot 4/0 outside
!
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
router eigrp 1
 !
 address-family ipv4 vrf ivrf
  autonomous-system 1
  network 20.1.1.0 0.0.0.255
  network 50.1.1.0 0.0.0.255
  no auto-summary
  no eigrp log-neighbor-changes
 exit-address-family
!
router ospf 1
 log-adjacency-changes
 network 1.0.0.0 0.255.255.255 area 0
 network 9.0.0.0 0.255.255.255 area 0
!
ip pim vrf ivrf rp-address 50.1.1.1
!
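The VRF mode configurations above all depend on consistency rules that the procedure and notes in this chapter state: ip address entered after ip vrf forwarding, a keyring FVRF and tunnel VRFs that are actually defined, a tunnel protection profile that matches a crypto ipsec profile, a tunnel source configured on the router, an inside crypto engine paired with an outside one, and no retired crypto engine subslot form. The following Python lint, added here as an example and not part of this guide or of Cisco IOS, checks a flat IOS configuration against those rules; both sample configurations inside it are constructed for the example and the pre-shared key is a placeholder.

```python
# Consistency lint for the VRF-mode IPSec configurations above (added example,
# not Cisco's code). It parses flat IOS config text and checks rules this
# chapter states: ip address after ip vrf forwarding; keyring FVRF, interface
# VRF and tunnel vrf must be defined VRFs; the tunnel protection profile must
# exist; the tunnel source must be a configured address; a crypto engine
# 'inside' needs an 'outside' on the same SPA; 'crypto engine subslot' is retired.
import re


def parse_ios(text):
    """Split IOS config text into (top-level command, [indented sub-commands])."""
    stanzas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                   # blank, comment or separator
        if raw[0] != " ":
            stanzas.append((raw.rstrip(), []))
        elif stanzas:
            stanzas[-1][1].append(raw.strip())
    return stanzas


def lint_vrf_config(text):
    """Return one finding per violated rule; an empty list means all rules passed."""
    stanzas = parse_ios(text)
    vrfs = {s.split()[2] for s, _ in stanzas if s.startswith("ip vrf ")}
    profiles = {s.split()[3] for s, _ in stanzas if s.startswith("crypto ipsec profile ")}
    interfaces = [(s, c) for s, c in stanzas if s.startswith("interface ")]
    addresses, engines = set(), {}                     # engines: "4/0" -> {"inside", ...}
    for _, cmds in interfaces:
        for cmd in cmds:
            if m := re.match(r"ip address (\S+) \S+", cmd):
                addresses.add(m.group(1))
            if m := re.match(r"crypto engine slot (\S+) (inside|outside)$", cmd):
                engines.setdefault(m.group(1), set()).add(m.group(2))
    findings = []
    for s, _ in stanzas:                               # Step 8: keyring FVRF must exist
        m = re.match(r"crypto keyring \S+ vrf (\S+)$", s)
        if m and m.group(1) not in vrfs:
            findings.append(f"{s}: FVRF '{m.group(1)}' is not a defined VRF")
    refs = ((r"ip vrf forwarding (\S+)$", vrfs, "VRF"),
            (r"tunnel vrf (\S+)$", vrfs, "FVRF"),
            (r"tunnel protection ipsec profile (\S+)$", profiles, "IPSec profile"))
    for name, cmds in interfaces:
        vrf_at = [i for i, c in enumerate(cmds) if c.startswith("ip vrf forwarding ")]
        addr_at = [i for i, c in enumerate(cmds) if c.startswith("ip address ")]
        if vrf_at and addr_at and addr_at[0] < vrf_at[0]:   # ip vrf forwarding wipes the address
            findings.append(f"{name}: ip address precedes ip vrf forwarding (address would be removed)")
        for cmd in cmds:
            if cmd.startswith("crypto engine subslot "):
                findings.append(f"{name}: '{cmd}' is no longer supported; use crypto engine slot")
            for pattern, defined, kind in refs:
                if (m := re.match(pattern, cmd)) and m.group(1) not in defined:
                    findings.append(f"{name}: {kind} '{m.group(1)}' is not defined")
            m = re.match(r"tunnel source (\S+)$", cmd)
            if m and re.fullmatch(r"[\d.]+", m.group(1)) and m.group(1) not in addresses:
                findings.append(f"{name}: tunnel source {m.group(1)} is not configured on any interface")
    for slot, sides in sorted(engines.items()):        # Steps 27 and 31
        if "inside" in sides and "outside" not in sides:
            findings.append(f"crypto engine slot {slot}: inside assigned but no outside interface")
    return findings


# Constructed sample modelled on the FVRF VTI example; it passes every rule.
GOOD_CONFIG = """\
ip vrf fvrf
ip vrf ivrf
crypto keyring key1 vrf fvrf
 pre-shared-key address 11.1.1.1 key EX-PSK-PLACEHOLDER
crypto ipsec profile vpnprof
 set transform-set proposal
interface Tunnel1
 ip vrf forwarding ivrf
 ip address 20.1.1.1 255.255.255.0
 tunnel source 9.1.1.1
 tunnel vrf fvrf
 tunnel protection ipsec profile vpnprof
 crypto engine slot 4/0 inside
interface GigabitEthernet1/2
 ip vrf forwarding fvrf
 ip address 9.1.1.1 255.255.255.0
 crypto engine slot 4/0 outside
"""

# Constructed sample with six deliberate mistakes of the kinds this chapter warns about.
BAD_CONFIG = """\
ip vrf ivrf
crypto keyring key1 vrf fvrf
 pre-shared-key address 11.1.1.1 key EX-PSK-PLACEHOLDER
crypto ipsec profile vpnprof
 set transform-set proposal
interface Tunnel1
 ip vrf forwarding ivrf
 ip address 20.1.1.1 255.255.255.0
 tunnel source 1.0.0.1
 tunnel protection ipsec profile vpnprf
 crypto engine slot 4/0 inside
interface Vlan2
 ip address 12.0.0.252 255.255.255.0
 ip vrf forwarding ivrf
 crypto engine subslot 6/0
"""

if __name__ == "__main__":
    print("\n".join(lint_vrf_config(BAD_CONFIG)))
```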
IPSec Virtual Tunnel Interfaces Configuration Examples

The following examples show VRF mode configurations that use VTI:
• IPSec Virtual Tunnel Interface FVRF Configuration Example, page 26-35
• IPSec Virtual Tunnel Interface in the Global Context Configuration Example, page 26-36
• IPsec Virtual Tunnel Interface Multicast Configuration Example, page 26-37

IPSec Virtual Tunnel Interface FVRF Configuration Example

The following example shows an FVRF VTI configuration:

hostname router-1
!
!
ip vrf fvrf
 rd 2000:1
 route-target export 2000:1
 route-target import 2000:1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
crypto keyring key1 vrf fvrf
 pre-shared-key address 11.1.1.1 key cisco47
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp profile isa_prof
 keyring key1
 match identity address 11.1.1.1 255.255.255.255 fvrf
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
!
crypto ipsec profile vpnprof
 set transform-set proposal
 set isakmp-profile isa_prof
!
!
!
!
!
interface Tunnel1
 ip vrf forwarding ivrf
 ip address 20.1.1.1 255.255.255.0
 ip pim sparse-mode
 ip ospf network broadcast
 ip ospf priority 2
 tunnel source 1.0.0.1
 tunnel destination 11.1.1.1
 tunnel mode ipsec ipv4
 tunnel vrf fvrf
 tunnel protection ipsec profile vpnprof
 crypto engine slot 4/0 inside
!
interface Loopback1
 ip vrf forwarding fvrf
 ip address 1.0.0.1 255.255.255.0
!
interface GigabitEthernet1/1
 !switch inside port
 ip vrf forwarding ivrf
 ip address 50.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 !switch outside port
 ip vrf forwarding fvrf
 ip address 9.1.1.1 255.255.255.0
 crypto engine slot 4/0 outside
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
router ospf 1 vrf ivrf
 log-adjacency-changes
 network 20.1.1.0 0.0.0.255 area 0
 network 21.1.1.0 0.0.0.255 area 0
 network 50.0.0.0 0.0.0.255 area 0
!
ip classless
ip route vrf fvrf 11.1.1.0 255.255.255.0 9.1.1.254

IPSec Virtual Tunnel Interface in the Global Context Configuration Example

The following example shows an IPSec VTI configuration in the global context:

!
crypto engine mode vrf
!
crypto keyring key1
 pre-shared-key address 14.0.0.2 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp profile prof1
 keyring key1
 match identity address 14.0.0.2 255.255.255.255
!
crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac
!
crypto ipsec profile prof1
 set transform-set t-set1
 set isakmp-profile prof1
!
!
interface Tunnel1
 ip address 122.0.0.2 255.255.255.0
 tunnel source 15.0.0.2
 tunnel destination 14.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile prof1
 crypto engine slot 2/0 inside
!
interface Loopback2
 ip address 15.0.0.2 255.255.255.0
!
interface GigabitEthernet1/3
 ip address 172.2.1.1 255.255.255.0
 crypto engine slot 2/0 outside
!
interface GigabitEthernet2/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
!
ip route 14.0.0.0 255.0.0.0 172.2.1.2
ip route 172.0.0.0 255.0.0.0 172.2.1.2

IPsec Virtual Tunnel Interface Multicast Configuration Example

The following example shows how to configure multicast over VTI:

hostname router-1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
!
!
ip multicast-routing vrf ivrf
!
crypto engine mode vrf
!
!
!
crypto keyring key1
 pre-shared-key address 11.0.0.0 255.0.0.0 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp profile isa_prof
 keyring key1
 match identity address 11.0.0.0 255.0.0.0
!
crypto ipsec transform-set proposal esp-3des
!
crypto ipsec profile vpnprof
 set transform-set proposal
 set isakmp-profile isa_prof
!
!
!
interface Tunnel1
 ip vrf forwarding ivrf
 ip address 20.1.1.1 255.255.255.0
 ip mtu 9216
 ip hold-time eigrp 1 3600
 ip pim sparse-mode
 tunnel source 1.0.1.1
 tunnel destination 11.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpnprof
 crypto engine slot 4/0 inside
!
interface Loopback1
 ip address 1.0.1.1 255.255.255.0
!
interface GigabitEthernet1/1
 mtu 9216
 ip vrf forwarding ivrf
 ip address 50.1.1.1 255.0.0.0
 ip pim sparse-mode
!
interface GigabitEthernet1/2
 mtu 9216
 ip address 9.1.1.1 255.255.255.0
 crypto engine slot 4/0 outside
!
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
router eigrp 1
 !
 address-family ipv4 vrf ivrf
  autonomous-system 1
  network 20.1.1.0 0.0.0.255
  network 50.1.1.0 0.0.0.255
  no auto-summary
  no eigrp log-neighbor-changes
 exit-address-family
!
router ospf 1
 log-adjacency-changes
 network 1.0.0.0 0.255.255.255 area 0
 network 9.0.0.0 0.255.255.255 area 0
!
ip pim vrf ivrf rp-address 50.1.1.1
!

Chapter 27 Configuring IPSec VPN Fragmentation and MTU

This chapter provides information about configuring IPSec VPN fragmentation and the maximum transmission unit (MTU). It includes the following sections:
• Understanding IPSec VPN Fragmentation and MTU, page 27-1
• Configuring IPSec Prefragmentation, page 27-9
• Configuring MTU Settings, page 27-12

For more information about the commands used in this chapter, see the Cisco 7600 Series Cisco IOS Command Reference, 12.2 SR publication. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information about accessing these publications, see the “Related Documentation” section on page xlvii.
Understanding IPSec VPN Fragmentation and MTU

This section includes the following topics:
• Overview of Fragmentation and MTU, page 27-1
• IPSec Prefragmentation, page 27-3
• Fragmentation in Different Modes, page 27-3

Overview of Fragmentation and MTU

When a packet is nearly the size of the maximum transmission unit (MTU) of the physical egress port of the encrypting router, and it is encapsulated with IPSec headers, it probably will exceed the MTU of the egress port. This condition causes the packet to be fragmented after encryption (post-fragmentation), which requires the IPSec peer to perform reassembly before decryption, degrading its performance. To minimize post-fragmentation, you can set the MTU in the upstream data path to ensure that most fragmentation occurs before encryption (prefragmentation). Prefragmentation for IPSec VPNs avoids performance degradation by shifting the reassembly task from the receiving IPSec peer to the receiving end hosts.

Note  In this document, prefragmentation refers to fragmentation prior to any type of encapsulation, such as IPSec or GRE. IPSec prefragmentation refers to fragmentation prior to IPSec encryption.

To ensure prefragmentation in most cases, we recommend the following MTU settings:
• The crypto interface VLAN MTU associated with the IPSec VPN SPA should be set equal to or less than the egress interface MTU.
• For GRE over IPSec, the IP MTU of the GRE tunnel interface should be set below the egress interface MTU by at least the overhead of IPSec encryption and the 24-byte GRE+IP header (20-byte IP header plus 4-byte GRE header). Because options such as tunnel key (RFC 2890) are not supported, the GRE+IP header will always be 24 bytes.
Note  The crypto interface VLAN MTU, the egress interface MTU, and the IP MTU of the GRE tunnel interface are all Layer 3 parameters.

The following are additional guidelines for IPSec prefragmentation and MTU in crypto-connect mode:
• If a packet’s DF (Don’t Fragment) bit is set and the packet exceeds the MTU at any point in the data path, the packet will be dropped. To prevent a packet drop, clear the DF bit by using either policy-based routing (PBR) or the crypto df-bit clear command.
• In Cisco IOS Releases 12(33)SRA, SRB, and SRC, and earlier releases, the IPSec VPN SPA does not support path MTU discovery (PMTUD) on GRE tunnels using the tunnel path-mtu-discovery command. In Cisco IOS Release SXI and later releases, PMTUD is supported on GRE tunnels.
• If GRE encapsulation is not taken over by the IPSec VPN SPA, and if the packets exceed the IP MTU of the GRE tunnel interface, the route processor will fragment and encapsulate the packets.

Note  If the supervisor engine performs GRE encapsulation, the encapsulated packets will have the DF bit set.

The IPSec and GRE prefragmentation feature differs based on the Cisco IOS release, as described in Table 27-1.

Table 27-1  IPSec and GRE Prefragmentation based on Cisco IOS Release

Cisco IOS Release   Prefragmentation Feature
12.2(18)SXE         A single prefragmentation process occurs for both IPSec and GRE, based on the smaller of the IP MTU and the egress interface MTU. To prevent fragmentation or packet loss, configure the VLAN MTU as the largest predicted GRE packet size (IP length plus GRE overhead), and the egress interface MTU as the largest predicted GRE/IPSec packet size (IP length plus GRE overhead plus IPSec overhead).
12.2(18)SXF         GRE fragmentation and IPSec fragmentation are separate processes. If GRE encapsulation is performed by the IPSec VPN SPA, prefragmentation of outbound packets will be based on the IP MTU of the tunnel interface. After GRE encapsulation is performed by the IPSec VPN SPA, depending on the IPSec prefragmentation settings, further fragmentation may occur. The IPSec fragmentation behavior is unchanged from Cisco IOS Release 12.2(18)SXE, and is based on the IPSec MTU configuration of the egress interface.
12.2SRA             Path MTU discovery (PMTUD) is supported in crypto-connect mode.

For general information on fragmentation and MTU issues, see “Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSec” at this URL:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

IPSec Prefragmentation

In the IPSec prefragmentation process (also called Look-Ahead Fragmentation, or LAF), the encrypting router can predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). IPSec prefragmentation avoids reassembly by the receiving router before decryption and helps improve overall IPSec traffic throughput by shifting the reassembly task to the end hosts. A packet will be fragmented before encryption if it is predetermined that the encrypted packet will exceed the MTU of the output interface.

Fragmentation in Different Modes

The fragmentation process differs depending on the IPSec VPN mode and whether GRE or VTI is used, as described in the following sections:
• Fragmentation in Crypto-Connect Mode, page 27-3
• Fragmentation of IPSec (Using Crypto Maps) Packets in VRF Mode, page 27-5
• Fragmentation of GRE Packets with Tunnel Protection in VRF Mode, page 27-6
• Fragmentation in VTIs, page 27-8

In the following fragmentation descriptions, we assume that the DF (Don’t Fragment) bit is not set for packets entering the flowchart.
If a packet requires fragmentation and the DF bit is set, the packet will be dropped.

Fragmentation in Crypto-Connect Mode

The following are the relevant MTU settings for fragmentation of packets in crypto-connect mode:
• The MTU of the interface VLAN. Prefragmentation of non-GRE traffic by the RP will be based on this MTU.
• The IP MTU of the GRE tunnel. Prefragmentation of GRE traffic will be based on this MTU.
• The MTU of the physical egress interface. Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.

Fragmentation will be performed as follows:
• If any packets to be sent to the IPSec VPN SPA exceed the MTU of the interface VLAN, the RP will perform prefragmentation before sending the packets to the IPSec VPN SPA.
• If packets to be GRE encapsulated exceed the IP MTU of the GRE tunnel:
 – The RP will perform prefragmentation when the tunnel is not taken over by the IPSec VPN SPA.
 – The IPSec VPN SPA will perform prefragmentation when the tunnel is taken over by the IPSec VPN SPA.
• If packets to be encrypted will exceed the MTU of the physical egress interface:
 – If IPSec prefragmentation is enabled, the IPSec VPN SPA will perform prefragmentation of the packets. The IPSec VPN SPA will not perform post-fragmentation.
 – If IPSec prefragmentation is disabled, the IPSec VPN SPA will perform post-fragmentation of the encrypted packets. The IPSec VPN SPA will not perform prefragmentation.
• If unencrypted egress packets will exceed the MTU of the physical egress interface, the IPSec VPN SPA will perform fragmentation of the packets.

Figure 27-1 shows the fragmentation process for packets in crypto-connect mode.
Figure 27-1  Fragmentation of Packets in Crypto-Connect Mode
[Flowchart not reproduced. Legend: PS = layer 3 packet size; iv_MTU = interface VLAN MTU; t_MTU = tunnel IP MTU; e_MTU = egress physical interface MTU; * = 3B/3BXL behavior.]

Fragmentation of IPSec (Using Crypto Maps) Packets in VRF Mode

The following are the relevant MTU settings for fragmentation of IPSec traffic in VRF mode:
• The MTU of the interface VLAN. Prefragmentation by the RP will be based on this MTU.
• The MTU of the physical egress interface. Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.

Fragmentation will be performed as follows:
• If packets exceed the MTU of the interface VLAN, the RP will perform prefragmentation.
• If encrypted egress packets will exceed the lowest MTU of any physical egress interface on the FVRF:
 – If IPSec prefragmentation is enabled, the IPSec VPN SPA will perform prefragmentation of the packets. The IPSec VPN SPA will not perform post-fragmentation.
 – If IPSec prefragmentation is disabled, the IPSec VPN SPA will perform post-fragmentation of the encrypted packets. The IPSec VPN SPA will not perform prefragmentation.
The fragmentation process for IPSec packets in VRF mode is shown in Figure 27-2.

Figure 27-2  Fragmentation of IPSec Packets in VRF Mode
[Flowchart not reproduced. Legend: PS = layer 3 packet size; iv_MTU = interface VLAN MTU; e_MTU = egress physical interface MTU.]

Fragmentation of GRE Packets with Tunnel Protection in VRF Mode

The following are the relevant MTU settings for fragmentation of GRE traffic with tunnel protection in VRF mode:
• The IP MTU of the GRE tunnel. Prefragmentation will be based on this MTU.
• The lowest MTU of any physical egress interface on the FVRF. Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.

Fragmentation will be performed as follows:
• If packets to be encapsulated exceed the IP MTU of the GRE tunnel:
 – The RP will perform prefragmentation when the tunnel is not taken over by the IPSec VPN SPA.
 – The IPSec VPN SPA will perform prefragmentation when the tunnel is taken over by the IPSec VPN SPA.
• If encrypted GRE-encapsulated packets will exceed the lowest MTU of any physical egress interface on the FVRF:
 – If IPSec prefragmentation is enabled, the IPSec VPN SPA will perform prefragmentation of the GRE-encapsulated packets. The IPSec VPN SPA will not perform post-fragmentation.
 – If IPSec prefragmentation is disabled, the IPSec VPN SPA will perform post-fragmentation of the encrypted GRE-encapsulated packets. The IPSec VPN SPA will not perform prefragmentation.

The fragmentation process for GRE packets with tunnel protection in VRF mode is shown in Figure 27-3.

Figure 27-3  Fragmentation of GRE Packets with Tunnel Protection in VRF Mode
[Flowchart not reproduced. Legend: PS = layer 3 packet size; t_MTU = tunnel IP MTU; e_MTU = egress physical interface MTU; * = 3B/3BXL behavior.]

Fragmentation in VTIs

The following are the relevant MTU settings for fragmentation of VTI packets:
• The IP MTU of the VTI tunnel interface. Prefragmentation will be based on this MTU.

Note  We recommend that the IP MTU of the VTI tunnel interface be left at its default value. If you change it, be sure that it does not exceed the MTU of the physical egress interface minus the IPSec overhead.

• The MTU of the physical egress interface. Post-fragmentation by the IPSec VPN SPA will be based on this MTU.

Fragmentation will be performed as follows:
• If IPSec prefragmentation is enabled, the IPSec VPN SPA will perform prefragmentation of packets that exceed the IP MTU of the VTI tunnel interface. The IPSec VPN SPA will not perform post-fragmentation.

Note  The RP will perform post-fragmentation of packets that exceed the MTU of the egress interface. This is considered a misconfiguration.

• If IPSec prefragmentation is disabled, the IPSec VPN SPA will perform post-fragmentation of packets that exceed the MTU of the egress interface. The IPSec VPN SPA will not perform prefragmentation.
The fragmentation process for VTI packets is shown in Figure 27-4.

Figure 27-4  Fragmentation of VTI Packets
[Flowchart not reproduced. Legend: PS = layer 3 packet size; vti_MTU = VTI tunnel interface IP MTU; e_MTU = egress physical interface MTU. If prefragmentation is enabled, the VPN SPA prefragments on vti_MTU before encryption; otherwise it post-fragments on e_MTU after encryption.]

Configuring IPSec Prefragmentation

IPSec prefragmentation can be configured globally or at the interface level. By default, IPSec prefragmentation is enabled globally. Enabling or disabling IPSec prefragmentation at the interface will override the global configuration.

IPSec Prefragmentation Configuration Guidelines

When configuring IPSec prefragmentation, follow these guidelines:
• To configure IPSec prefragmentation at the interface level, apply it on the interface to which the crypto map is applied.
• If an IPSec peer is experiencing high CPU utilization with large packet flows, verify that IPSec prefragmentation is enabled (the peer may be reassembling large packets).
• IPSec prefragmentation for IPSec VPNs operates in IPSec tunnel mode. It does not apply in IPSec transport mode.
• The IPSec prefragmentation for IPSec VPNs functionality depends on the crypto ipsec df-bit configuration of the interface to which the crypto map is applied, and on the incoming packet “do not fragment” (DF) bit state.
For general information about prefragmentation, see the following URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprefrg.html

• The GRE fragmentation behavior differs according to the software release as follows:
 – In Cisco IOS Release 12.2(18)SXE, the GRE fragmentation behavior of the IPSec VPN SPA is determined by the lower of the IP MTU of the GRE interface and the Layer 2 MTU of the egress interface. In order to prevent fragmentation or packet loss, the VLAN MTU should be configured as the largest predicted GRE packet size (IP length plus GRE overhead), and the egress interface MTU should be configured as the largest predicted GRE/IPSec packet size (IP length plus GRE overhead plus IPSec overhead).
 – In Cisco IOS Releases 12.2(18)SXF and 12(33)SRA and later releases, GRE fragmentation and IPSec fragmentation are separate processes. If GRE encapsulation is performed by the IPSec VPN SPA, prefragmentation of outbound packets will be based on the IP MTU of the tunnel interface. After GRE encapsulation is performed by the IPSec VPN SPA, depending on the IPSec LAF (look-ahead fragmentation) settings, further fragmentation may occur. The IPSec fragmentation behavior is unchanged from Cisco IOS Release 12.2(18)SXE, and is based on the IPSec MTU configuration of the egress interface.
• GRE+IP encapsulation adds 24 bytes to the packet size. When configuring for prefragmentation based on anticipated GRE overhead, use this value.
• IPSec encryption adds a number of bytes to the packet size depending on the configured IPSec transform set. When configuring for prefragmentation based on anticipated IPSec overhead, use the following table of worst-case IPSec overhead bytes for various IPSec transform sets:

IPSec Transform Set                                IPSec Overhead, Maximum Bytes
esp-aes (256 or 192 or 128) esp-sha-hmac or md5    73
esp-aes (256 or 192 or 128)                        61
esp-3des, esp-des                                  45
esp-(des or 3des) esp-sha-hmac or md5              57
esp-null esp-sha-hmac or md5                       45
ah-sha-hmac or md5                                 44

Configuring IPSec Prefragmentation Globally

IPSec prefragmentation is globally enabled by default. To enable or disable prefragmentation for IPSec VPNs at the global level, perform this task beginning in global configuration mode:

        Command                                                          Purpose
Step 1  Router(config)# crypto ipsec fragmentation before-encryption    Enables prefragmentation for IPSec VPNs globally.
Step 2  Router(config)# crypto ipsec fragmentation after-encryption     Disables prefragmentation for IPSec VPNs globally.

Configuring IPSec Prefragmentation at the Interface

IPSec prefragmentation is globally enabled by default. To enable or disable prefragmentation for IPSec VPNs at the interface level, perform this task beginning in interface configuration mode for the interface to which the crypto map is attached:

        Command                                                             Purpose
Step 1  Router(config-if)# crypto ipsec fragmentation before-encryption    Enables prefragmentation for IPSec VPNs on the interface.
Step 2  Router(config-if)# crypto ipsec fragmentation after-encryption     Disables prefragmentation for IPSec VPNs on the interface.

Note  Enabling or disabling IPSec prefragmentation at the interface will override the global configuration.

Verifying the IPSec Prefragmentation Configuration

To verify that IPSec prefragmentation is enabled, consult the interface statistics on the encrypting router and the decrypting router. If fragmentation occurs on the encrypting router, and no reassembly occurs on the decrypting router, fragmentation is occurring before encryption, which means that the packets are not being reassembled before decryption and the feature is enabled.

To verify that the IPSec prefragmentation feature is enabled, enter the show running-configuration command on the encrypting router. If the feature is enabled, no fragmentation statement will appear in the command output:

Router# show running-configuration
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abcd123 address 25.0.0.7
crypto ipsec transform-set fooprime esp-3des esp-sha-hmac
!!! the postfragmentation feature appears here if IPSec prefragmentation is disabled
crypto map bar 10 ipsec-isakmp
 set peer 25.0.0.7
 set transform-set fooprime
 match address 102

If IPSec prefragmentation has been disabled, the postfragmentation statement will appear in the command output:

Router# show running-configuration
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abcd123 address 25.0.0.7
crypto ipsec transform-set fooprime esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption
crypto map bar 10 ipsec-isakmp
 set peer 25.0.0.7
 set transform-set fooprime
 match address 102

To display the configuration of the encrypting router interface VLAN, enter the show running-configuration interface command.
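The overhead table above and the crypto-connect fragmentation rules earlier in this chapter can be worked through mechanically. The following is an added example, not code from the guide or from Cisco: it sizes a GRE tunnel IP MTU from the egress MTU and the transform set, and predicts, for one cleartext packet, who fragments it and whether the peer will have to reassemble before decryption. The event tags, the dictionary key spellings and the CryptoConnectPath fields are this example's own.

```python
"""Added example (not Cisco's code): IPSec/GRE overhead arithmetic and the
crypto-connect fragmentation decision, following this chapter's MTU rules."""
from dataclasses import dataclass
from typing import List, Optional

# Worst-case IPSec overhead in bytes per transform set, from the chapter's table.
# Keys are this example's spelling; AES key sizes (128/192/256) share a row.
IPSEC_OVERHEAD = {
    "esp-aes esp-sha-hmac": 73, "esp-aes esp-md5-hmac": 73,
    "esp-aes": 61,
    "esp-3des": 45, "esp-des": 45,
    "esp-3des esp-sha-hmac": 57, "esp-3des esp-md5-hmac": 57,
    "esp-des esp-sha-hmac": 57, "esp-des esp-md5-hmac": 57,
    "esp-null esp-sha-hmac": 45, "esp-null esp-md5-hmac": 45,
    "ah-sha-hmac": 44, "ah-md5-hmac": 44,
}
GRE_IP_OVERHEAD = 24  # 20-byte outer IP header plus 4-byte GRE header (no GRE options)


def ipsec_overhead(transform_set: str) -> int:
    """Worst-case bytes added by encryption for a transform set as typed in IOS."""
    key = " ".join(t for t in transform_set.split() if t not in ("128", "192", "256"))
    return IPSEC_OVERHEAD[key]


def recommended_gre_tunnel_ip_mtu(egress_mtu: int, transform_set: str) -> int:
    """Largest tunnel IP MTU that keeps a GRE+IPSec packet within the egress MTU."""
    return egress_mtu - GRE_IP_OVERHEAD - ipsec_overhead(transform_set)


@dataclass
class CryptoConnectPath:
    iv_mtu: int                  # interface VLAN MTU (RP prefragments non-GRE traffic here)
    e_mtu: int                   # physical egress interface MTU (SPA decisions)
    transform_set: str
    t_mtu: Optional[int] = None  # GRE tunnel IP MTU; None means the traffic is not GRE
    gre_by_spa: bool = False     # True when the tunnel is taken over by the IPSec VPN SPA
    prefrag_enabled: bool = True # crypto ipsec fragmentation before-encryption in effect


def fragmentation_events(ps: int, df: bool, path: CryptoConnectPath) -> List[str]:
    """Ordered fragmentation events for a cleartext packet of Layer 3 size ps.

    Any hop where fragmentation is needed while DF is set ends in "drop-df",
    as the chapter states for crypto-connect mode.
    """
    events: List[str] = []
    size = ps
    if path.t_mtu is None:
        # Non-GRE traffic: the RP prefragments at the interface VLAN MTU.
        if size > path.iv_mtu:
            if df:
                return events + ["drop-df"]
            events.append("rp-prefrag-iv_mtu")
            size = path.iv_mtu
    else:
        # GRE traffic: prefragmented at the tunnel IP MTU by the RP, or by the
        # SPA when the SPA has taken over the tunnel; then the GRE+IP header is added.
        if size > path.t_mtu:
            if df:
                return events + ["drop-df"]
            events.append("spa-prefrag-t_mtu" if path.gre_by_spa else "rp-prefrag-t_mtu")
            size = path.t_mtu
        size += GRE_IP_OVERHEAD
    # Encryption: the SPA predicts the encrypted size from the transform set (LAF)
    # and compares it with the egress MTU. With prefragmentation enabled the
    # fragments are made before encryption and the end hosts reassemble; with it
    # disabled the encrypted packet is fragmented and the peer must reassemble first.
    if size + ipsec_overhead(path.transform_set) > path.e_mtu:
        if df:
            return events + ["drop-df"]
        events.append("spa-prefrag-ipsec" if path.prefrag_enabled else "spa-postfrag-ipsec")
    events.append("sent")
    return events
```

With a 1500-byte egress MTU and esp-3des esp-sha-hmac, a tunnel IP MTU of 1419 keeps every GRE+IPSec packet at exactly 1500 bytes, so no IPSec-level fragmentation occurs.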
If the IPSec prefragmentation feature is enabled, a prefragmentation statement will appear in the command output:

Router# show running-configuration interface vlan2
interface Vlan2
 ip address 15.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 1/0
 crypto ipsec fragmentation before-encryption

If the IPSec prefragmentation feature has been disabled at the interface VLAN, a postfragmentation statement will appear in the command output:

Router# show running-configuration interface vlan2
interface Vlan2
 ip address 15.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 1/0
 crypto ipsec fragmentation after-encryption
end

Configuring MTU Settings

The Cisco IOS software allows the configuration of the Layer 3 maximum transmission unit (MTU) of interfaces and VLANs. You should ensure that all MTU values are consistent to avoid unnecessary fragmentation of packets.

Note  When configuring MTU, note that the ip mtu command applies only to IP protocol traffic. Other Layer 3 protocol traffic will observe the MTU configured by the mtu command.

MTU Settings Configuration Guidelines and Restrictions

When configuring MTU settings for an IPSec VPN SPA, follow these guidelines and note these restrictions:
• The MTU value used by the IPSec VPN SPA for fragmentation decisions is based on the MTU value of the secure port as follows:
 – Routed ports—Use the MTU value of their associated secure port.
 – Access ports—Use the MTU value of the secure port associated with their interface VLAN.
 – Trunk ports—Use the MTU value of the secure port associated with their interface VLAN.
• If you have GRE tunneling configured, see the “IPSec Prefragmentation” section on page 27-3 for information on the recommended MTU settings.

Note  For additional information on fragmentation of packets, see the “Configuring IPSec Prefragmentation” section on page 27-9.
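Reading the show running-configuration output by eye works for one interface; across a router with many crypto-map interfaces it is easy to miss that an interface-level statement overrides the global one. The following added example (not Cisco's code) applies the override rule from this section to saved running-config text and reports the effective setting per crypto-map interface. The sample configuration is constructed, modelled on the outputs shown above.

```python
"""Added example (not Cisco's code): effective IPSec prefragmentation setting per
crypto-map interface, derived from show running-config text.

Rules applied, as stated in this chapter: prefragmentation is enabled globally
by default; a global 'crypto ipsec fragmentation after-encryption' disables it;
a statement under an interface overrides the global setting for that interface.
"""
import re
from typing import Dict, Tuple

# Constructed sample running-config, modelled on the chapter's examples.
SAMPLE_RUNNING_CONFIG = """\
crypto ipsec fragmentation after-encryption
!
crypto map testtag 10 ipsec-isakmp
 set peer 25.0.0.7
!
interface Vlan2
 ip address 15.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 1/0
 crypto ipsec fragmentation before-encryption
!
interface Vlan3
 ip address 16.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 1/0
!
interface GigabitEthernet1/1
 mtu 9216
!
"""

FRAG_RE = re.compile(r"^\s*crypto ipsec fragmentation (before-encryption|after-encryption)\s*$")
DEFAULT_GLOBAL_MODE = "before-encryption"  # enabled by default


def effective_prefragmentation(config_text: str) -> Tuple[str, Dict[str, dict]]:
    """Return (global_mode, per-interface report) for interfaces carrying a crypto map."""
    global_mode = DEFAULT_GLOBAL_MODE
    interfaces: Dict[str, dict] = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces.setdefault(current, {"crypto_map": False, "local": None})
            continue
        if not line.startswith(" "):
            # Any other unindented line ends the interface block; check for the global statement.
            current = None
            m = FRAG_RE.match(line)
            if m:
                global_mode = m.group(1)
            continue
        if current is None:
            continue
        body = line.strip()
        if body.startswith("crypto map "):
            interfaces[current]["crypto_map"] = True
        m = FRAG_RE.match(line)
        if m:
            interfaces[current]["local"] = m.group(1)

    report: Dict[str, dict] = {}
    for name, info in interfaces.items():
        if not info["crypto_map"]:
            continue  # the setting only matters where a crypto map is applied
        mode = info["local"] or global_mode
        report[name] = {
            "mode": mode,
            "prefragmentation_enabled": mode == "before-encryption",
            "source": "interface" if info["local"] else "global",
        }
    return global_mode, report
```

Interfaces reported with prefragmentation disabled are the ones whose peers may be reassembling large packets before decryption, which is the high-CPU symptom the guidelines above describe.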
Changing the Physical Egress Interface MTU

You can configure either the Layer 3 MTU or the IP MTU of the physical egress interface. To change the MTU value on a physical egress interface, perform this task beginning in global configuration mode:

        Command                                   Purpose
Step 1  Router(config)# interface type slot/port  Enters interface configuration mode for the interface. type = fastethernet, gigabitethernet, or tengigabitethernet.
Step 2  Router(config-if)# mtu bytes              Configures the maximum transmission unit (MTU) size for the interface.
                                                  • bytes—The range is 1500 to 9216; the default is 1500.

Changing the Tunnel Interface MTU

You can configure the IP MTU of the tunnel interface, but you cannot configure the Layer 3 MTU. To change the IP MTU value on a tunnel, perform this task beginning in global configuration mode:

        Command                                   Purpose
Step 1  Router(config)# interface tunnel_name     Enters interface configuration mode for the tunnel.
Step 2  Router(config-if)# ip mtu bytes           Configures the IP MTU size for the tunnel.
                                                  • bytes—The minimum is 68; the maximum and the default depend on the interface medium.

Changing the Interface VLAN MTU

You can configure the Layer 3 MTU of the interface VLAN. To change the MTU value on an interface VLAN, perform this task beginning in global configuration mode:

        Command                                   Purpose
Step 1  Router(config)# interface vlan_ID         Enters interface configuration mode for the VLAN.
Step 2  Router(config-if)# mtu bytes              Configures the MTU size for the interface VLAN.
                                                  • bytes—The range is 64 to 9216; the default is 1500.

Verifying the MTU Size

To verify the MTU size for an interface, enter the show interface command or the show ip interface command, as shown in the following examples:

To display the MTU value for a secure port, enter the show interface command:

Router# show interface g1/1
GigabitEthernet1/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 000a.8ad8.1c4a (bia 000a.8ad8.1c4a)
  MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
...

To display the MTU size for an interface VLAN, enter the show interface command:

Router# show interface vlan2
Vlan2 is up, line protocol is up
  Hardware is EtherSVI, address is 000e.39ad.e700 (bia 000e.39ad.e700)
  Internet address is 192.168.1.1/16
  MTU 1000 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
...

To display the IP MTU value for a GRE tunnel, enter the show ip interface command:

Router# show ip interface tunnel 2
Tunnel2 is up, line protocol is up
  Internet address is 11.1.0.2/16
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1450 bytes
...

Chapter 28

Configuring IKE Features Using the IPSec VPN SPA

This chapter provides information about configuring Internet Key Exchange (IKE) related features using the IPSec VPN SPA on the Cisco 7600 series router.
It includes the following sections:
• Overview of IKE, page 28-2
• Configuring Advanced Encryption Standard in an IKE Policy Map, page 28-2
• Configuring ISAKMP Keyrings, page 28-4
• Configuring Certificate to ISAKMP Profile Mapping, page 28-6
• Configuring an Encrypted Preshared Key, page 28-13
• Configuring Call Admission Control for IKE, page 28-15
• Configuring Dead Peer Detection, page 28-17
• Understanding IPSec NAT Transparency, page 28-19
• Configuration Examples, page 28-22

Note  For detailed information on Internet Key Exchange (IKE), refer to the following Cisco IOS documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html

For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications.

For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.

Tip  To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.

Overview of IKE

Internet Key Exchange (IKE) is a key management protocol standard that is used in conjunction with the IPSec standard.
IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.

Note  For more detailed information on IKE, refer to the Cisco IOS Security Configuration Guide.

IKE automatically negotiates IPSec security associations (SAs) and enables IPSec secure communications without costly manual preconfiguration. Specifically, IKE provides the following benefits:
• Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.

Note  Beginning in Cisco IOS Release 12.2SRA, manual keying is no longer supported.

• Allows you to specify a lifetime for the IPSec security association (SA).
• Allows encryption keys to change during IPSec sessions.
• Allows IPSec to provide anti-replay services.
• Permits certification authority (CA) support for a manageable, scalable IPSec implementation.
• Allows dynamic authentication of peers.

Because IKE negotiations must be protected, each IKE negotiation begins by agreement of both peers on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations and mandates how the peers are authenticated. You must create an IKE policy at each peer participating in the IKE negotiation. If you do not configure any IKE policies, your router will use the default policy, which is always set to the lowest priority and contains the default value of each parameter.

After the two peers agree upon a policy, the security parameters of the policy are identified by an SA established at each peer, and these SAs apply to all subsequent IKE traffic during the negotiation. You can configure multiple, prioritized policies on each peer, each with a different combination of parameter values. However, at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer.
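The agreement rule above has a consequence worth checking before deployment: because the default policy is always present at the lowest priority on both peers, two peers whose configured policies never match exactly do not fail to negotiate; they silently agree on the default suite. The following added example (not Cisco's code) models the rule with the four parameters the text names and flags that fallback; the IkePolicy class, the priority sentinel for the default policy, and the sample policy lists are this example's constructions, and the default parameter values are taken from the show crypto isakmp policy output later in this chapter.

```python
"""Added example (not Cisco's code): IKE policy agreement per this chapter's rule.

Encryption, hash, authentication method and Diffie-Hellman group must match
exactly; lifetime is not part of the match. Priority 1 is highest. The default
policy is always present at the lowest priority with default parameter values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str      # e.g. "des", "3des", "aes", "aes 192", "aes 256"
    hash: str            # "sha" or "md5"
    authentication: str  # "pre-share", "rsa-sig", "rsa-encr"
    dh_group: int
    lifetime: int = 86400

    def match_key(self) -> tuple:
        """The four parameters that must be identical on both peers."""
        return (self.encryption, self.hash, self.authentication, self.dh_group)


# Sentinel one step below the configurable range 1..10000: this example's way of
# modelling "always the lowest priority". Parameter values are the default
# protection suite shown by show crypto isakmp policy in this chapter.
DEFAULT_POLICY = IkePolicy(priority=10001, encryption="des", hash="sha",
                           authentication="rsa-sig", dh_group=1, lifetime=86400)


def with_default(policies: List[IkePolicy]) -> List[IkePolicy]:
    """Configured policies in priority order, followed by the implicit default."""
    return sorted(policies, key=lambda p: p.priority) + [DEFAULT_POLICY]


def agreed_policy(local: List[IkePolicy],
                  remote: List[IkePolicy]) -> Tuple[IkePolicy, IkePolicy]:
    """Highest-priority local policy with an exact counterpart on the remote peer.

    Always returns a pair, because the default policy exists on both sides.
    """
    remote_ordered = with_default(remote)
    for mine in with_default(local):
        for theirs in remote_ordered:
            if mine.match_key() == theirs.match_key():
                return mine, theirs
    raise AssertionError("unreachable: the default policy always matches itself")


def falls_back_to_default(local: List[IkePolicy], remote: List[IkePolicy]) -> bool:
    """True when no configured policy pair matches and only the default suite agrees."""
    mine, theirs = agreed_policy(local, remote)
    return mine is DEFAULT_POLICY and theirs is DEFAULT_POLICY


# Constructed sample peers.
PEER_A = [IkePolicy(1, "aes 256", "sha", "pre-share", 2, lifetime=3600),
          IkePolicy(10, "3des", "md5", "pre-share", 1)]
PEER_B = [IkePolicy(5, "3des", "md5", "pre-share", 1),
          IkePolicy(20, "aes 256", "sha", "pre-share", 2)]
PEER_C = [IkePolicy(1, "aes", "sha", "pre-share", 2)]  # 128-bit AES: no exact match with B
```

Running agreed_policy(PEER_A, PEER_B) selects A's priority-1 AES policy even though it is B's lower-priority entry, because the local priority order decides; PEER_C against PEER_B matches nothing configured and falls back to the default DES suite.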
For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority).

Configuring Advanced Encryption Standard in an IKE Policy Map

The Advanced Encryption Standard (AES) is a privacy transform for IPSec and Internet Key Exchange (IKE) that has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES. AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length. The algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key.

To configure the AES encryption algorithm within an IKE policy map, perform this task beginning in global configuration mode:

        Command                                                        Purpose
Step 1  Router(config)# crypto isakmp policy priority                  Defines an ISAKMP policy and enters ISAKMP policy configuration mode.
                                                                       • priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
Step 2  Router(config-isakmp)# encryption {aes | aes 192 | aes 256}    Specifies the encryption algorithm within an IKE policy.
                                                                       • aes—Specifies 128-bit AES as the encryption algorithm.
                                                                       • aes 192—Specifies 192-bit AES as the encryption algorithm.
                                                                       • aes 256—Specifies 256-bit AES as the encryption algorithm.
Step 3  ...                                                            Specifies any other policy values appropriate to your configuration, and then exits ISAKMP policy configuration mode.
        Router(config-isakmp)# exit                                    For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Verifying the AES IKE Policy

To verify the configuration of the AES IKE policy, enter the show crypto isakmp policy command:

Router# show crypto isakmp policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

For an AES configuration example, see the “Advanced Encryption Standard Configuration Example” section on page 28-22.

Configuring ISAKMP Keyrings

A crypto keyring is a collection of preshared and RSA public keys. You can configure a keyring and then associate it with the Internet Security Association and Key Management Protocol (ISAKMP) profile. The crypto ISAKMP profile may contain zero, one, or more than one keyring.

The ISAKMP keyrings feature (also known as the SafeNet IPSec VPN Client Support feature) allows you to use the local-address command to limit the scope of an ISAKMP profile or ISAKMP keyring configuration to a local termination address or interface. The benefit of this feature is that different customers can use the same peer identities and ISAKMP keys by using different local termination addresses.

ISAKMP Keyrings Configuration Guidelines and Restrictions

When configuring ISAKMP keyrings, follow these guidelines and restrictions:
• The local address option works only for the primary address of an interface.
• If an IP address is provided, the administrator must ensure that the connection of the peer terminates to the address that is provided.
• If the IP address does not exist on the device, or if the interface does not have an IP address, the ISAKMP profile or ISAKMP keyring will be effectively disabled. Limiting an ISAKMP Profile to a Local Termination Address or Interface To configure an ISAKMP profile and limit it to a local termination address or interface, perform this task beginning in global configuration mode: Command Purpose Step 1 Router(config)# crypto isakmp profile profile-name Defines an ISAKMP profile and enters ISAKMP profile configuration mode. • profile-name—Name of the ISAKMP profile. Step 2 Router(conf-isa-profile)# keyring keyring-name (Optional) Configures a keyring with an ISAKMP profile. • keyring-name—Name of the crypto keyring. Note A keyring is not needed inside an ISAKMP profile for local termination to work. Local termination works even if Rivest, Shamir, and Adelman (RSA) certificates are used. 28-5 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 28 Configuring IKE Features Using the IPSec VPN SPA Configuring ISAKMP Keyrings Limiting a Keyring to a Local Termination Address or Interface To configure an ISAKMP keyring and limit its scope to a local termination address or interface, perform this task beginning in global configuration mode: For complete configuration information for SafeNet IPSec VPN Client Support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_scse.html For ISAKMP keyrings configuration examples, see the “ISAKMP Keyrings Configuration Examples” section on page 28-22. Step 3 Router(conf-isa-profile)# match identity address address Matches an identity from a peer in an ISAKMP profile. • address—IP address of the remote peer. Step 4 Router(conf-isa-profile)# local-address {interface-name | ip-address [vrf-tag]} Limits the scope of an ISAKMP profile or an ISAKMP keyring configuration to a local termination address or interface. • interface-name—Name of the local interface. 
• ip-address—Local termination address. • vrf-tag—(Optional) Scope of the IP address will be limited to the VRF. Command Purpose Command Purpose Step 1 Router(config)# keyring keyring-name Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode. • keyring-name—Name of the crypto keyring. Step 2 Router(conf-keyring)# local-address {interface-name | ip-address [vrf-tag]} Limits the scope of an ISAKMP profile or an ISAKMP keyring configuration to a local termination address or interface. • interface-name—Name of the local interface. • ip-address—Local termination address. • vrf-tag—(Optional) Scope of the IP address will be limited to the VRF. Step 3 Router(conf-keyring)# pre-shared-key address address Defines a preshared key to be used for IKE authentication. • address—IP address. 28-6 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 28 Configuring IKE Features Using the IPSec VPN SPA Configuring Certificate to ISAKMP Profile Mapping Configuring Certificate to ISAKMP Profile Mapping The Certificate to ISAKMP Profile Mapping feature enables you to assign an Internet Security Association and Key Management Protocol (ISAKMP) profile to a peer on the basis of the contents of arbitrary fields in the certificate. In addition, this feature allows you to assign a group name to those peers that are assigned an ISAKMP profile. Note Certificate to ISAKMP Profile Mapping is only supported as of Cisco IOS Release 12.2(33)SRA. Certificate to ISAKMP Profile Mapping Configuration Guidelines and Restrictions Follow these guidelines and restrictions when configuring Certificate to ISAKMP Profile Mapping: • This feature will not be applicable if you use Rivest, Shamir, and Adelman (RSA)- signature or RSA-encryption authentication without certificate exchange. ISAKMP peers must be configured to do RSA-signature or RSA-encryption authentication using certificates. 
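The following Python script is an added example, not code from this guide, that applies the checks from the IKE policy and keyring sections above to a running-config excerpt. It flags ISAKMP policies that still offer DES or 3DES, MD5, or a Diffie-Hellman group below 14 (these thresholds are this example's assumptions, not limits stated by the guide), and it applies the local-address restrictions above by reporting any keyring or ISAKMP profile whose local-address is a secondary address, an undefined interface, or an interface with no IP address, since such an entry is effectively disabled. The configuration text, interface names, keyring and profile names are all constructed.

```python
"""Audit IKE policies, keyrings and ISAKMP profiles in an IOS-style running-config.

Added example, not code from the configuration guide. SAMPLE_CONFIG is constructed:
policy 1 mirrors the guide's show output (AES-256 but DH group 1), 15.0.0.3 is
deliberately a secondary address and Vlan9 is deliberately undefined.
"""
import re

SAMPLE_CONFIG = """\
interface Vlan2
 ip address 15.0.0.2 255.255.255.0
 ip address 15.0.0.3 255.255.255.0 secondary
!
crypto isakmp policy 1
 encr aes 256
 group 1
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 group 14
!
crypto keyring KR_PRIMARY
 local-address 15.0.0.2
 pre-shared-key address 14.0.0.2 key 6 OQcRF.Wi^YTVhA
!
crypto keyring KR_SECONDARY
 local-address 15.0.0.3
 pre-shared-key address 14.0.0.3 key 6 dKFcRGFOaXTVhB
!
crypto isakmp profile prof2
 keyring KR_PRIMARY
 local-address Vlan2
!
crypto isakmp profile prof3
 local-address Vlan9
!
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
MIN_DH_GROUP = 14  # assumption of this example: anything below group 14 is flagged


def parse_blocks(config):
    """Split a running-config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def audit_policies(blocks):
    """Flag policies offering DES/3DES, MD5 or a small DH group.
    Values absent from the config are the IOS 12.x defaults (DES, SHA, group 1)."""
    findings = []
    for header, body in blocks:
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if not m:
            continue
        prio = m.group(1)
        settings = {w[0]: w[1:] for w in (sub.split() for sub in body)}
        encr = settings.get("encr", settings.get("encryption", ["des"]))[0]
        hash_alg = settings.get("hash", ["sha"])[0]
        group = int(settings.get("group", ["1"])[0])
        if encr in WEAK_ENCRYPTION:
            findings.append(f"policy {prio}: weak encryption {encr}")
        if hash_alg in WEAK_HASH:
            findings.append(f"policy {prio}: weak hash {hash_alg}")
        if group < MIN_DH_GROUP:
            findings.append(f"policy {prio}: Diffie-Hellman group {group} is below group {MIN_DH_GROUP}")
    return findings


def audit_local_addresses(blocks):
    """A local-address that is not a primary interface address, or that names an
    interface with no address, effectively disables the keyring or profile."""
    ifaces = {}  # interface name -> primary IPv4 address ('' if none)
    for header, body in blocks:
        m = re.match(r"interface (\S+)$", header)
        if m:  # lines ending in 'secondary' do not match: only the primary counts
            hits = [a.group(1) for a in (re.match(r"ip address (\S+) \S+$", s) for s in body) if a]
            ifaces[m.group(1)] = hits[0] if hits else ""
    primaries = set(filter(None, ifaces.values()))
    findings = []
    for header, body in blocks:
        m = re.match(r"crypto (keyring|isakmp profile) (\S+)$", header)
        if not m:
            continue
        for sub in body:
            m2 = re.match(r"local-address (\S+)", sub)
            if not m2:
                continue
            target = m2.group(1)
            is_ip = re.match(r"\d+\.\d+\.\d+\.\d+$", target)
            if (is_ip and target not in primaries) or (not is_ip and not ifaces.get(target)):
                findings.append(f"{m.group(1)} {m.group(2)}: local-address {target} "
                                "is not an active primary address (effectively disabled)")
    return findings


def audit_config(config):
    blocks = parse_blocks(config)
    return {"policies": audit_policies(blocks),
            "local_address": audit_local_addresses(blocks)}


if __name__ == "__main__":
    for section, items in audit_config(SAMPLE_CONFIG).items():
        print(section, items)
```

To use it against a real router, paste the output of show running-config into SAMPLE_CONFIG (or read it from a file). The hash sha256 keyword and group 14 in policy 20 are shown as a stronger suite; confirm that your IOS release offers them before copying the policy.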
Mapping the Certificate to the ISAKMP Profile

To map the certificate to the ISAKMP profile, perform the following task beginning in global configuration mode:

Step 1  Router(config)# crypto isakmp profile profile-name
        Defines an ISAKMP profile and enters ISAKMP profile configuration mode.
        • profile-name—Name of the ISAKMP profile.

Step 2  Router(config-isa-prof)# match certificate certificate-map
        Selects this profile for any peer whose certificate matches the named certificate map.
        • certificate-map—Name of the certificate map (defined with the crypto pki certificate map command).

Verifying the Certificate to ISAKMP Profile Mapping Configuration

To verify that the subject name of the certificate map has been properly configured, enter the show crypto pki certificates and the debug crypto isakmp commands. The show crypto pki certificates command displays the certificates installed on the router, including the subject name that the certificate map is matched against. The debug crypto isakmp command displays messages about IKE events.

The following examples show that a certificate has been mapped to an ISAKMP profile. The examples include the configurations for the responder and initiator, the show crypto pki certificates command output verifying that the subject name of the certificate map has been configured, and the debug crypto isakmp command output showing that the certificate has gone through certificate map matching and been matched to the ISAKMP profile.

Responder Configuration

crypto pki certificate map cert_map 10
! The above line is the certificate map definition.
 subject-name co ou = green
! The above line shows that the subject name must contain "ou = green."
!
crypto isakmp profile certpro
! The above line shows that this is the ISAKMP profile that will match if the certificate of the peer matches cert_map (shown on third line below).
 ca trust-point 2315
 ca trust-point LaBcA
 match certificate cert_map

Initiator Configuration

crypto ca trustpoint LaBcA
 enrollment url http://10.76.82.20:80/cgi-bin/openscep
 subject-name ou=green,c=IN
! The above line ensures that the subject name "ou = green" is set.
 revocation-check none

Command Output for show crypto pki certificates for the Initiator

Router# show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 21
  Certificate Usage: General Purpose
  Issuer:
    cn=blue-lab CA
    o=CISCO
    c=IN
  Subject:
    Name: Router.cisco.com
    c=IN
    ou=green
! The above line is a double check that "ou = green" has been set as the subject name.
    hostname=Router.cisco.com
  Validity Date:
    start date: 14:34:30 UTC Mar 31 2004
    end   date: 14:34:30 UTC Apr 1 2009
    renew date: 00:00:00 UTC Jan 1 1970
  Associated Trustpoints: LaBcA

Command Output for debug crypto isakmp for the Responder

Router# debug crypto isakmp
*Nov 6 19:31:25.010: ISAKMP:(0): SA request profile is prof2
*Nov 6 19:31:25.010: ISAKMP: Found a peer struct for 14.0.0.2, peer port 500
*Nov 6 19:31:25.010: ISAKMP: Locking peer struct 0x13884FB8, refcount 349 for isakmp_initiator
*Nov 6 19:31:25.010: ISAKMP[I]: sa->swdb: Vlan3
*Nov 6 19:31:25.010: ISAKMP: local port 500, remote port 500
*Nov 6 19:31:25.010: ISAKMP: set new node 0 to QM_IDLE
*Nov 6 19:31:25.010: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 13C041E8
*Nov 6 19:31:25.010: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Nov 6 19:31:25.010: ISAKMP:(0):Profile has no keyring, aborting key search
*Nov 6 19:31:25.010: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 6 19:31:25.010: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Nov 6 19:31:25.010: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Nov 6 19:31:25.010: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Nov 6 19:31:25.010: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Nov 6 19:31:25.010: ISAKMP:(0): beginning Main Mode exchange
*Nov 6 19:31:25.010: ISAKMP:(0): sending packet to 14.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov 6 19:31:25.018: ISAKMP (0): received packet from 14.0.0.2 dport 500 sport 500 fvrf (N) NEW SA
*Nov 6 19:31:25.018: ISAKMP: Found a peer struct for 14.0.0.2, peer port 500
*Nov 6 19:31:25.018: ISAKMP: Locking peer struct 0x13884FB8, refcount 350 for crypto_isakmp_process_block
*Nov 6 19:31:25.018: ISAKMP[R]: sa->swdb: Vlan2
*Nov 6 19:31:25.018: ISAKMP: local port 500, remote port 500
*Nov 6 19:31:25.018: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 148C68D8
*Nov 6 19:31:25.018: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.018: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Nov 6 19:31:25.018: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 6 19:31:25.018: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 6 19:31:25.018: ISAKMP (0): vendor ID is NAT-T v7
*Nov 6 19:31:25.018: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID is NAT-T v3
*Nov 6 19:31:25.018: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID is NAT-T v2
*Nov 6 19:31:25.038: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov 6 19:31:25.038: ISAKMP:      encryption 3DES-CBC
*Nov 6 19:31:25.038: ISAKMP:      hash MD5
*Nov 6 19:31:25.038: ISAKMP:      default group 1
*Nov 6 19:31:25.038: ISAKMP:      auth RSA sig
*Nov 6 19:31:25.038: ISAKMP:      life type in seconds
*Nov 6 19:31:25.038: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 6 19:31:25.042: ISAKMP:(0):atts are acceptable. Next payload is 3
*Nov 6 19:31:25.042: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 6 19:31:25.042: ISAKMP (0): vendor ID is NAT-T v7
*Nov 6 19:31:25.042: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID is NAT-T v3
*Nov 6 19:31:25.042: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID is NAT-T v2
*Nov 6 19:31:25.042: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 6 19:31:25.042: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Nov 6 19:31:25.046: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 6 19:31:25.046: ISAKMP:(0): sending packet to 14.0.0.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Nov 6 19:31:25.046: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 6 19:31:25.046: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Nov 6 19:31:25.046: ISAKMP (0): received packet from 14.0.0.2 dport 500 sport 500 fvrf (I) MM_NO_STATE
*Nov 6 19:31:25.046: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.046: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Nov 6 19:31:25.046: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 6 19:31:25.046: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.046: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 6 19:31:25.046: ISAKMP (0): vendor ID is NAT-T v7
*Nov 6 19:31:25.046: ISAKMP : Looking for xauth in profile prof2
*Nov 6 19:31:25.046: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov 6 19:31:25.046: ISAKMP:      encryption 3DES-CBC
*Nov 6 19:31:25.046: ISAKMP:      hash MD5
*Nov 6 19:31:25.046: ISAKMP:      default group 1
*Nov 6 19:31:25.046: ISAKMP:      auth RSA sig
*Nov 6 19:31:25.050: ISAKMP:      life type in seconds
*Nov 6 19:31:25.050: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 6 19:31:25.050: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov 6 19:31:25.050: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.050: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 6 19:31:25.050: ISAKMP (0): vendor ID is NAT-T v7
*Nov 6 19:31:25.050: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 6 19:31:25.050: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Nov 6 19:31:25.050: ISAKMP (0): constructing CERT_REQ for issuer cn=mscavpn1,ou=isbu,o=cisco
*Nov 6 19:31:25.054: ISAKMP:(0): sending packet to 14.0.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Nov 6 19:31:25.054: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 6 19:31:25.054: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Nov 6 19:31:25.058: ISAKMP (0): received packet from 14.0.0.2 dport 500 sport 500 fvrf (R) MM_SA_SETUP
*Nov 6 19:31:25.062: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.062: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Nov 6 19:31:25.062: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 6 19:31:25.062: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 6 19:31:25.062: ISAKMP:(83727): processing CERT_REQ payload. message ID = 0
*Nov 6 19:31:25.062: ISAKMP:(83727): peer wants a CT_X509_SIGNATURE cert
*Nov 6 19:31:25.066: ISAKMP:(83727): peer want cert issued by cn=mscavpn1,ou=isbu,o=cisco
*Nov 6 19:31:25.066: ISAKMP:(83727): Choosing trustpoint MSCA as issuer
*Nov 6 19:31:25.066: ISAKMP:(83727): processing vendor id payload
*Nov 6 19:31:25.066: ISAKMP:(83727): vendor ID is DPD
*Nov 6 19:31:25.066: ISAKMP:(83727): processing vendor id payload
*Nov 6 19:31:25.066: ISAKMP:(83727): speaking to another IOS box!
*Nov 6 19:31:25.066: ISAKMP:(83727): processing vendor id payload
*Nov 6 19:31:25.066: ISAKMP:(83727): vendor ID seems Unity/DPD but major 230 mismatch
*Nov 6 19:31:25.066: ISAKMP:(83727): vendor ID is XAUTH
*Nov 6 19:31:25.066: ISAKMP (83727): His hash no match - this node outside NAT
*Nov 6 19:31:25.066: ISAKMP (83727): No NAT Found for self or peer
*Nov 6 19:31:25.066: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 6 19:31:25.066: ISAKMP:(83727):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Nov 6 19:31:25.066: ISAKMP (83727): constructing CERT_REQ for issuer cn=mscavpn1,ou=isbu,o=cisco
*Nov 6 19:31:25.066: ISAKMP:(83727): sending packet to 14.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Nov 6 19:31:25.070: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 6 19:31:25.070: ISAKMP:(83727):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Nov 6 19:31:25.070: ISAKMP (0): received packet from 14.0.0.2 dport 500 sport 500 fvrf (I) MM_SA_SETUP
*Nov 6 19:31:25.070: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.070: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Nov 6 19:31:25.070: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 6 19:31:25.074: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 6 19:31:25.098: ISKAMP: growing send buffer from 1024 to 3072
*Nov 6 19:31:25.118: ISAKMP (83727): received packet from 14.0.0.2 dport 500 sport 500 fvrf (R) MM_KEY_EXCH
*Nov 6 19:31:25.122: ISAKMP:(83727):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.122: ISAKMP:(83727):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Nov 6 19:31:25.122: ISAKMP:(83727): processing ID payload. message ID = 0
*Nov 6 19:31:25.122: ISAKMP (83727): ID payload
        next-payload : 6
        type         : 3
        USER FQDN    : a@vrf2.com
        protocol     : 17
        port         : 500
        length       : 18
*Nov 6 19:31:25.134: ISAKMP:(83727):: peer matches prof2 profile
*Nov 6 19:31:25.134: ISAKMP:(83727): processing CERT payload. message ID = 0
*Nov 6 19:31:25.134: ISAKMP:(83727): processing a CT_X509_SIGNATURE cert
*Nov 6 19:31:25.142: ISAKMP:(83727): peer's pubkey isn't cached
*Nov 6 19:31:25.158: %CRYPTO-6-IKMP_NO_ID_CERT_USER_FQDN_MATCH: ID of a@vrf2.com (type 3) and certificate user fqdn with empty
*Nov 6 19:31:25.158: ISAKMP (83727): adding peer's pubkey to cache
*Nov 6 19:31:25.158: ISAKMP:(83727): processing SIG payload. message ID = 0
*Nov 6 19:31:25.162: ISAKMP:(83727):SA authentication status: authenticated
*Nov 6 19:31:25.162: ISAKMP:(83727):SA has been authenticated with 14.0.0.2
*Nov 6 19:31:25.162: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 6 19:31:25.162: ISAKMP:(83727):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Nov 6 19:31:25.170: ISAKMP:(83727):SA is doing RSA signature authentication using id type ID_USER_FQDN
*Nov 6 19:31:25.170: ISAKMP (83727): ID payload
        next-payload : 6
        type         : 3
        USER FQDN    : a@vrf2.com
        protocol     : 17
        port         : 500
        length       : 18
*Nov 6 19:31:25.170: ISAKMP:(83727):Total payload length: 18
*Nov 6 19:31:25.182: ISAKMP (83727): constructing CERT payload for cn=HUB,ou=isbu,o=cisco,hostname=HUB.cisco.com,serialNumber=1234D
*Nov 6 19:31:25.182: ISKAMP: growing send buffer from 1024 to 3072
*Nov 6 19:31:25.186: ISAKMP:(83727): using the MSCA trustpoint's keypair to sign
*Nov 6 19:31:25.194: ISAKMP:(83727): sending packet to 14.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Nov 6 19:31:25.198: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 6 19:31:25.198: ISAKMP:(83727):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Nov 6 19:31:25.198: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Nov 6 19:31:25.198: ISAKMP:(83727):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Nov 6 19:31:25.238: ISAKMP (83727): received packet from 14.0.0.2 dport 500 sport 500 fvrf (R) QM_IDLE
*Nov 6 19:31:25.238: ISAKMP: set new node -134314170 to QM_IDLE
*Nov 6 19:31:25.242: ISAKMP:(83727): processing HASH payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727): processing SA payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727):Checking IPSec proposal 1
*Nov 6 19:31:25.242: ISAKMP: transform 1, ESP_3DES
*Nov 6 19:31:25.242: ISAKMP:   attributes in transform:
*Nov 6 19:31:25.242: ISAKMP:      encaps is 1 (Tunnel)
*Nov 6 19:31:25.242: ISAKMP:      SA life type in seconds
*Nov 6 19:31:25.242: ISAKMP:      SA life duration (basic) of 3600
*Nov 6 19:31:25.242: ISAKMP:      SA life type in kilobytes
*Nov 6 19:31:25.242: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Nov 6 19:31:25.242: ISAKMP:      authenticator is HMAC-SHA
*Nov 6 19:31:25.242: ISAKMP:(83727):atts are acceptable.
*Nov 6 19:31:25.242: ISAKMP:(83727): processing NONCE payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727): processing ID payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727): processing ID payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727):QM Responder gets spi
*Nov 6 19:31:25.242: ISAKMP:(83727):Node -134314170, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Nov 6 19:31:25.242: ISAKMP:(83727):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Nov 6 19:31:25.242: ISAKMP:(83727): Creating IPSec SAs
*Nov 6 19:31:25.246:         inbound SA from 14.0.0.2 to 15.0.0.2 (f/i) 1/714 (proxy 12.0.0.2 to 13.0.0.2)
*Nov 6 19:31:25.246:         has spi 0x917AD879 and conn_id 0
*Nov 6 19:31:25.246:         lifetime of 3600 seconds
*Nov 6 19:31:25.246:         lifetime of 4608000 kilobytes
*Nov 6 19:31:25.246:         outbound SA from 15.0.0.2 to 14.0.0.2 (f/i) 1/714 (proxy 13.0.0.2 to 12.0.0.2)
*Nov 6 19:31:25.246:         has spi 0xC54A5A05 and conn_id 0
*Nov 6 19:31:25.246:         lifetime of 3600 seconds
*Nov 6 19:31:25.246:         lifetime of 4608000 kilobytes
*Nov 6 19:31:25.246: ISAKMP: Failed to find peer index node to update peer_info_list
*Nov 6 19:31:25.250: ISAKMP:(83727): sending packet to 14.0.0.2 my_port 500 peer_port 500 (R) QM_IDLE
*Nov 6 19:31:25.250: ISAKMP:(83727):Node -134314170, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Nov 6 19:31:25.250: ISAKMP:(83727):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Nov 6 19:31:25.270: ISAKMP (83727): received packet from 14.0.0.2 dport 500 sport 500 fvrf (R) QM_IDLE
*Nov 6 19:31:25.274: ISAKMP:(83727):deleting node -134314170 error FALSE reason "QM done (await)"
*Nov 6 19:31:25.274: ISAKMP:(83727):Node -134314170, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Nov 6 19:31:25.274: ISAKMP:(83727):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Nov 6 19:32:15.282: ISAKMP:(83727):purging node -134314170

Command Output for show crypto isakmp sa [detail] for the Responder

Router# show crypto isakmp sa vrf vrf2
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
15.0.0.2        14.0.0.2        QM_IDLE          83727    ACTIVE prof2

IPv6 Crypto ISAKMP SA

Router# show crypto isakmp sa detail vrf vrf2
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
83727 15.0.0.2        14.0.0.2        vrf2   ACTIVE 3des md5  rsig 1  23:59:15
       Engine-id:Conn-id = :15727

IPv6 Crypto ISAKMP SA

The Encr, Hash and DH columns show what was actually negotiated, not what was configured. In this example the SA came up with 3DES, MD5 and Diffie-Hellman group 1 because that is what the priority 1 policy offered (see the "Checking ISAKMP transform 1 against priority 1 policy" lines in the debug output above). Use this output rather than the policy list to confirm that peers are really using the intended suite.

Assigning the Group Name to the Peer

To associate a group name with an ISAKMP profile that will be assigned to a peer, perform the following steps beginning in global configuration mode:

Verifying the Group Name to Peer Assignment Configuration

To verify that a group has been assigned to a peer, enter the debug crypto isakmp command. The debug crypto isakmp command displays messages about IKE events.
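The following Python parser is an added example, not code from this guide, for reading debug crypto isakmp output such as the excerpt used to verify certificate-to-profile mapping above and the group-assignment excerpt that follows in this section. It groups messages by SA identifier, records the state transitions, which ISAKMP profile was selected (by identity or by certificate map), whether Phase 1 authentication succeeded, which group was assigned, and the SPIs of the IPsec SAs that were created. The sample input is constructed from representative lines of both excerpts (the 14.0.0.2 session and the 6d23h session); the regular expressions follow the message formats shown there and may need adjusting for other releases.

```python
"""Summarize debug crypto isakmp output: per-SA state transitions, which ISAKMP
profile was selected (by identity or by certificate map), whether Phase 1
authenticated, which group was assigned, and the IPsec SAs that were created.

Added example, not code from the guide. SAMPLE_DEBUG is constructed from
representative lines of the two debug excerpts in this section; the regexes
follow the message formats shown there and may need adjusting elsewhere.
"""
import re

SAMPLE_DEBUG = """\
*Nov 6 19:31:25.010: ISAKMP:(0): SA request profile is prof2
*Nov 6 19:31:25.010: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Nov 6 19:31:25.122: ISAKMP:(83727):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Nov 6 19:31:25.134: ISAKMP:(83727):: peer matches prof2 profile
*Nov 6 19:31:25.162: ISAKMP:(83727):SA authentication status: authenticated
*Nov 6 19:31:25.198: ISAKMP:(83727):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Nov 6 19:31:25.242: ISAKMP:(83727): Creating IPSec SAs
*Nov 6 19:31:25.246:         inbound SA from 14.0.0.2 to 15.0.0.2 (f/i) 1/714 (proxy 12.0.0.2 to 13.0.0.2)
*Nov 6 19:31:25.246:         has spi 0x917AD879 and conn_id 0
*Nov 6 19:31:25.246:         outbound SA from 15.0.0.2 to 14.0.0.2 (f/i) 1/714 (proxy 13.0.0.2 to 12.0.0.2)
*Nov 6 19:31:25.246:         has spi 0xC54A5A05 and conn_id 0
*Nov 6 19:31:25.274: ISAKMP:(83727):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
6d23h: ISAKMP:(0:5:HW:2):: peer matches *none* of the profiles
6d23h: ISAKMP:(0:5:HW:2): certificate map matches certpro profile
6d23h: ISAKMP:(0:5:HW:2): CERT validity confirmed.
6d23h: ISAKMP:(0:5:HW:2): Profile certpro assigned peer the group named new_group
"""

TIMESTAMP = re.compile(r"^(?:\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?|\d+d\d+h): ")
ISAKMP_MSG = re.compile(r"^ISAKMP:? ?\(([^)]*)\):?:?\s*(.*)$")
TRANSITION = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SA_HEADER = re.compile(r"^(inbound|outbound) SA from (\S+) to (\S+)")
SA_SPI = re.compile(r"^has spi (0x[0-9A-Fa-f]+)")
FIELDS = {  # summary field -> pattern whose group(1) fills it
    "requested_profile": re.compile(r"SA request profile is (\S+)"),
    "profile": re.compile(r"peer matches (\S+) profile$"),  # '*none* of the profiles' does not match
    "cert_map_profile": re.compile(r"certificate map matches (\S+) profile"),
    "group": re.compile(r"Profile \S+ assigned peer the group named (\S+)"),
}


def new_summary():
    return {"transitions": [], "requested_profile": None, "profile": None, "cert_map_profile": None,
            "group": None, "authenticated": False, "phase1_complete": False, "phase2_complete": False}


def parse_isakmp_debug(text):
    """Return {'sas': {sa_id: summary}, 'ipsec_sas': [{'direction', 'src', 'dst', 'spi'}]}."""
    sas, ipsec_sas, pending = {}, [], None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip(), count=1).strip()
        m = SA_HEADER.match(line)  # 'inbound/outbound SA from ...' is followed by
        if m:                      # a separate 'has spi ...' line
            pending = {"direction": m.group(1), "src": m.group(2), "dst": m.group(3)}
            continue
        m = SA_SPI.match(line)
        if m and pending:
            ipsec_sas.append({**pending, "spi": m.group(1)})
            pending = None
            continue
        m = ISAKMP_MSG.match(line)
        if not m:
            continue
        sa, msg = sas.setdefault(m.group(1), new_summary()), m.group(2)
        t = TRANSITION.search(msg)
        if t:
            sa["transitions"].append((t.group(1), t.group(2)))
            sa["phase1_complete"] |= t.group(2) == "IKE_P1_COMPLETE"
            sa["phase2_complete"] |= t.group(2) == "IKE_QM_PHASE2_COMPLETE"
        if "SA authentication status: authenticated" in msg:
            sa["authenticated"] = True
        for field, pattern in FIELDS.items():
            hit = pattern.search(msg)
            if hit:
                sa[field] = hit.group(1)
    return {"sas": sas, "ipsec_sas": ipsec_sas}


def profiles_in_use(parsed):
    """sa_id -> the profile that applied: the certificate-map match when one was
    logged (it is evaluated after the identity match), otherwise the identity match."""
    return {sa_id: sa["cert_map_profile"] or sa["profile"] for sa_id, sa in parsed["sas"].items()}


if __name__ == "__main__":
    result = parse_isakmp_debug(SAMPLE_DEBUG)
    for sa_id, sa in result["sas"].items():
        print(sa_id, profiles_in_use(result)[sa_id], sa["authenticated"], sa["transitions"])
    for ipsec in result["ipsec_sas"]:
        print(ipsec)
```

The point of the summary is to check which profile a peer actually landed on: a peer that authenticates but is reported under an unexpected profile (or none) has been matched by identity or certificate map differently from what the configuration intended, which is exactly what the two debug excerpts in this section are used to confirm by hand.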
Step 1  Router(config)# crypto isakmp profile profile-name
        Defines an ISAKMP profile and enters ISAKMP profile configuration mode.
        • profile-name—Name of the ISAKMP profile.

Step 2  Router(conf-isa-prof)# client configuration group group-name
        Specifies the group that will be assigned to a peer when the peer is assigned this crypto ISAKMP profile.
        • group-name—Name of the group to be associated with the peer.

The following debug crypto isakmp output shows that the peer has been matched to the ISAKMP profile named “certpro” and that it has been assigned a group named “new_group.”

Initiator Configuration

crypto isakmp profile certpro
 ca trust-point 2315
 ca trust-point LaBcA
 match certificate cert_map
 client configuration group new_group
! The statement on the above line will assign the group "new_group" to any peer that matches the ISAKMP profile "certpro."
 initiate mode aggressive

Command Output for debug crypto isakmp for the Responder

Router# debug crypto isakmp
6d23h: ISAKMP (0:268435461): received packet from 192.0.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
6d23h: ISAKMP: Main Mode packet contents (flags 1, len 892):
6d23h:   ID payload
6d23h:     FQDN port 500 protocol 17
6d23h:   CERT payload
6d23h:   SIG payload
6d23h:   KEEPALIVE payload
6d23h:   NOTIFY payload
6d23h: ISAKMP:(0:5:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
6d23h: ISAKMP:(0:5:HW:2):Old State = IKE_R_MM4  New State = IKE_R_MM5
6d23h: ISAKMP:(0:5:HW:2): processing ID payload. message ID = 0
6d23h: ISAKMP (0:268435461): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : Router1.cisco.com
        protocol     : 17
        port         : 500
        length       : 28
6d23h: ISAKMP:(0:5:HW:2):: peer matches *none* of the profiles
6d23h: ISAKMP:(0:5:HW:2): processing CERT payload. message ID = 0
6d23h: ISAKMP:(0:5:HW:2): processing a CT_X509_SIGNATURE cert
6d23h: ISAKMP:(0:5:HW:2): peer's pubkey isn't cached
6d23h: ISAKMP:(0:5:HW:2): OU = green
6d23h: ISAKMP:(0:5:HW:2): certificate map matches certpro profile
6d23h: ISAKMP:(0:5:HW:2): Trying to re-validate CERT using new profile
6d23h: ISAKMP:(0:5:HW:2): Creating CERT validation list: 2315, LaBcA,
6d23h: ISAKMP:(0:5:HW:2): CERT validity confirmed.
6d23h: ISAKMP:(0:5:HW:2):Profile has no keyring, aborting key search
6d23h: ISAKMP:(0:5:HW:2): Profile certpro assigned peer the group named new_group

Note the order of events in this output: the peer's ID payload (an FQDN) matches none of the profiles by identity, the certificate map is then evaluated against the peer's certificate, and once the map selects certpro the certificate is re-validated against the trustpoints listed in that profile (2315 and LaBcA) before the group is assigned. A certificate map therefore does not bypass certificate validation; it changes which profile's trustpoints perform it.

For complete configuration information for certificate to ISAKMP profile mapping, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_isakp.html

For certificate to ISAKMP profile mapping configuration examples, see the “Certificate to ISAKMP Profile Mapping Configuration Examples” section on page 28-23.

Configuring an Encrypted Preshared Key

The Encrypted Preshared Key feature allows you to store preshared keys, which would otherwise appear in plain text in the configuration, in type 6 (encrypted) format in NVRAM. Type 6 passwords are encrypted with AES under a master key that is kept separately in private NVRAM and never shown in the configuration; unlike type 7 obfuscation, they cannot be recovered from the configuration text alone.

Encrypted Preshared Key Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring an encrypted preshared key:
• Old ROM monitors (ROMMONs) and boot images cannot recognize the new type 6 passwords. If you boot from an old ROMMON, you can expect errors.
• If the password (master key) is changed, or reencrypted, using the key config-key password-encrypt command, the list registry passes the old key and the new key to the application modules that are using type 6 encryption.
• If the master key that was configured using the key config-key password-encrypt command is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they are never decrypted in the Cisco IOS software. However, passwords can be reencrypted.

Caution If the password configured using the key config-key password-encrypt command is lost, it cannot be recovered. Store the password in a safe location.

• If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the master key that was configured using the key config-key password-encrypt command exists, the type 6 passwords are decrypted as and when required by the application.
• Because no one can “read” the master key (configured using the key config-key password-encrypt command), there is no way that it can be retrieved from the router. Existing management stations cannot “know” what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot simply be loaded onto a router: before or after the configuration is loaded, the master key must be added manually (using the key config-key password-encrypt command). The master key can be added to the stored configuration, but this is not recommended, because anyone who obtains that file can then decrypt all passwords in the configuration.
• If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but the following alert message is printed:
  ciphertext>[for username bar>] is incompatible with the configured master key
• If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted again; they are left as is.
• If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encrypt command. Deleting the master key causes the existing encrypted passwords to remain encrypted in the router configuration; they will not be decrypted.

Configuring an Encrypted Preshared Key

To configure an encrypted preshared key, perform the following task beginning in global configuration mode:

Step 1  Router(config)# key config-key password-encrypt
        Stores a type 6 encryption key (the master key) in private NVRAM. Note the following:
        • If you are entering the key interactively (using the Enter key) and an encrypted key already exists, you will be prompted for the following: Old key, New key, and Confirm key
        • If you are entering the key interactively but an encryption key is not present, you will be prompted for the following: New key and Confirm key
        • If you are removing a password that is already encrypted, you will see the following prompt:
          WARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion? [yes/no]:

Step 2  Router(config)# password encryption aes
        Enables type 6 (AES) encryption of preshared keys.

Verifying the Encrypted Preshared Key Configuration

To verify that a new master key has been configured and that the keys have been encrypted with the new master key, enable logging of type 6 password operations with the password logging command. The following example shows the messages logged when a master key is first configured and then changed:

Router(config)# password logging
28-15 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 28 Configuring IKE Features Using the IPSec VPN SPA Configuring Call Admission Control for IKE Router(config)# key config-key password-encrypt New key: Confirm key: Router(config)# 01:40:57: TYPE6_PASS: New Master key configured, encrypting the keys with the new master keypas Router(config)# key config-key password-encrypt Old key: New key: Confirm key: Router (config)# 01:42:11: TYPE6_PASS: Master key change heralded, re-encrypting the keys with the new master key 01:42:11: TYPE6_PASS: Mac verification successful 01:42:11: TYPE6_PASS: Mac verification successful 01:42:11: TYPE6_PASS: Mac verification successful For complete configuration information for the Encrypted Preshared Key feature, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_epsk.html For an encrypted preshared key configuration example, see the “Encrypted Preshared Key Configuration Example” section on page 28-23. Configuring Call Admission Control for IKE Call Admission Control (CAC) for IKE allows you to limit the number of simultaneous IKE security associations (SAs) that a router can establish. Note Call Admission Control is supported in Cisco IOS Release 12.2(33)SRA and later releases. There are two ways to limit the number of IKE SAs that a router can establish to or from another router: • Configure an absolute IKE SA limit by entering the crypto call admission limit command. When an IKE SA limit is defined, the router no longer accepts or initiates new IKE SA requests when this value has been reached as follows: When there is a new SA request from a peer router, IKE determines if the number of active IKE SAs plus the number of SAs being negotiated meets or exceeds the configured SA limit. If the number is greater than or equal to the limit, the new SA request is rejected and a syslog is generated. 
This log contains the source destination IP address of the SA request. • Configure a system resource limit by entering the call admission limit command. When a system resource limit is defined, the router no longer accepts or initiates new IKE SA requests when the specified level of system resources is being used as follows: Call Admission Control (CAC) polls a global resource monitor so that IKE knows when the router is running short of CPU cycles or memory buffers. You can configure a resource limit, from 1 to 100000, that represents a level of system resources. When that level of the system resources is being used, IKE no longer accepts or initiates new IKE SA requests. CAC is applied to new SAs (that is, when an SA does not already exist between the peers) and rekeying SAs. Every effort is made to preserve existing SAs. Only new SA requests will ever be denied due to a lack of system resources or because the configured IKE SA limit has been reached. 28-16 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 28 Configuring IKE Features Using the IPSec VPN SPA Configuring Call Admission Control for IKE Configuring the IKE Security Association Limit To configure an IKE Security Association limit, perform the following steps beginning in global configuration mode. When an IKE SA limit is defined, the router no longer accepts or initiates new IKE SA requests when the limit has been reached: Configuring a System Resource Limit To configure a system resource limit, perform the following steps beginning in global configuration mode. When an IKE SA limit is defined, the router no longer accepts or initiates new IKE SA requests when the specified level of system resources is being used. 
Command / Purpose
Step 1  Router(config)# crypto call admission limit {ike {sa number | in-negotiation-sa number}}
        Specifies the maximum number of IKE SAs that the router can establish before IKE no longer accepts or initiates new SA requests.
        • sa number—Number of active IKE SAs allowed on the router. The range is 0 to 99999.
        • in-negotiation-sa number—Number of in-negotiation IKE SAs allowed on the router. The range is 10 to 99999.
        Note: An ISAKMP connection needs to be built in two directions. If you have 500 spokes in your network, set this value to a minimum of 1000 (500 x 2).
Step 2  Router(config)# exit
        Returns to privileged EXEC mode.

Command / Purpose
Step 1  Router(config)# call admission limit charge
        Instructs IKE to stop initiating or accepting new SA requests (that is, calls for CAC) when the specified level of system resources is in use.
        • charge—Level of system resources that, when in use, causes IKE to stop accepting new SA requests. Valid values are 1 to 100000.
Step 2  Router(config)# exit
        Returns to privileged EXEC mode.

Clearing Call Admission Statistics

To clear the Call Admission Control counters that track the number of accepted and rejected Internet Key Exchange (IKE) requests, use the clear crypto call admission statistics command in privileged EXEC mode:

Router# clear crypto call admission statistics

Verifying the Call Admission Control for IKE Configuration

To verify that Call Admission Control has been configured, enter the show call admission statistics and show crypto call admission statistics commands. The show call admission statistics command monitors the global CAC configuration parameters and the behavior of CAC.
Router# show call admission statistics
Total Call admission charges: 0, limit 25
Total calls rejected 12, accepted 51
Load metric: charge 0, unscaled 0

The show crypto call admission statistics command monitors crypto CAC statistics.

Router# show crypto call admission statistics
-----------------------------------------------------------
           Crypto Call Admission Control Statistics
-----------------------------------------------------------
System Resource Limit:     0    Max IKE SAs    0
Total IKE SA Count:        0    active:        0    negotiating:   0
Incoming IKE Requests:     0    accepted:      0    rejected:      0
Outgoing IKE Requests:     0    accepted:      0    rejected:      0
Rejected IKE Requests:     0    rsrc low:      0    SA limit:      0

For more complete configuration information for Call Admission Control for IKE, refer to the following URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtcallik.html

For Call Admission Control for IKE configuration examples, see the “Call Admission Control for IKE Configuration Examples” section on page 28-24.

Configuring Dead Peer Detection

Dead Peer Detection (DPD), defined in RFC 3706, is a mechanism used to detect dead IPSec peers. IPSec is a peer-to-peer technology, and IP connectivity between peers can be lost because of routing problems, a peer reload, or some other event. Lost connectivity can result in black holes where traffic is silently dropped. DPD, which is based on a traffic-detection method, is one mechanism to remedy this situation.

Note: The periodic option of the crypto isakmp keepalive command is supported only as of Cisco IOS Release 12.2(33)SRA; the on-demand option is supported in all releases.

DPD supports two options: on-demand or periodic. The on-demand approach is the default. With on-demand DPD, messages are sent on the basis of traffic patterns. For example, if a router must send outbound traffic and the liveness of the peer is questionable, the router sends a DPD message to query the status of the peer.
If a router has no traffic to send, it never sends a DPD message. If a peer is dead and the router never has any traffic to send to that peer, the router will not find out until the IKE or IPSec security association (SA) has to be rekeyed (the liveness of the peer is unimportant if the router is not trying to communicate with it). On the other hand, if the router has traffic to send to the peer and the peer does not respond, the router initiates a DPD message to determine the state of the peer.

With the periodic option, you can configure your router so that DPD messages are “forced” at regular intervals. This forced approach results in earlier detection of dead peers. For example, if a router has no traffic to send, a DPD message is still sent at regular intervals, and if a peer is dead, the router does not have to wait until the IKE SA times out to find out.

DPD is configured using the crypto isakmp keepalive command.

DPD and Cisco IOS keepalives function on the basis of a timer. If the timer is set for 10 seconds, the router sends a “hello” message every 10 seconds (unless, of course, the router receives a “hello” message from the peer). The benefit of Cisco IOS keepalives and periodic DPD is earlier detection of dead peers. However, Cisco IOS keepalives and periodic DPD rely on periodic messages that have to be sent with considerable frequency, so the communicating peers must encrypt and decrypt more packets.

DPD and Cisco IOS keepalive features can be used in conjunction with multiple peers in the crypto map to allow for stateless failover. DPD allows the router to detect a dead IKE peer, and when the router detects the dead state, it deletes the IPSec and IKE SAs to that peer.
If you configure multiple peers, the router switches over to the next listed peer for a stateless failover.

DPD Configuration Guidelines and Restrictions

When configuring DPD, follow these guidelines and restrictions:

• When the crypto isakmp keepalive command is configured, the Cisco IOS software negotiates the use of Cisco IOS keepalives or DPD, depending on which protocol the peer supports.
• If you do not configure the periodic option using the crypto isakmp keepalive command, the router defaults to the on-demand approach.
• Before configuring periodic DPD, ensure that your IKE peer supports DPD. Implementations that support DPD include the Cisco VPN 3000 concentrator, Cisco PIX Firewall, Cisco VPN Client, and Cisco IOS software in all modes of operation—site-to-site, Easy VPN remote, and Easy VPN server.
• Periodic DPD potentially allows the router to detect an unresponsive IKE peer with better response time than on-demand DPD. However, periodic DPD incurs extra overhead. When communicating with large numbers of IKE peers, consider using on-demand DPD instead.
• When you configure DPD using the crypto isakmp keepalive seconds command, the seconds argument specifies the interval between DPD messages. In the case of on-demand DPD, the actual interval may be up to twice the configured value.

Configuring a Dead Peer Detection Message

To allow the router to send DPD messages to the peer, perform the following task:

Note: Because the on-demand option is the default, the on-demand keyword does not appear in configuration output.
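The difference between the two modes is easiest to see on a timeline: when does each mode notice a peer that stopped answering at second 30? The following Python simulation is an added example for this page, not Cisco code. It assumes that a live peer answers every probe immediately, that a probe is given up after five unanswered retries (a count this guide does not state), and that the outbound traffic times passed to it are constructed sample data; it does not model the note above that the real on-demand interval can stretch to twice the configured value.

```python
"""Timeline model of on-demand versus periodic DPD (added example, not Cisco code).

Assumptions not taken from the guide: the peer answers each DPD probe instantly
while alive, a probe is abandoned after `max_retries` unanswered retries, and
the traffic pattern is constructed sample data.
"""


def detect_dead_peer(mode, interval, retry, traffic_at, dead_at,
                     horizon=600, max_retries=5):
    """Return the second at which the router declares the peer dead, or None.

    mode       -- "periodic" or "on-demand" (the two keywords of crypto isakmp keepalive)
    interval   -- the seconds argument: spacing of DPD messages
    retry      -- the retries argument: seconds between retries after a missed reply
    traffic_at -- seconds at which the router has outbound traffic for the peer
    dead_at    -- second from which the peer stops answering
    horizon    -- how long to simulate; None means the peer was never detected,
                  which for on-demand DPD is the "not until rekey" case in the text
    """
    traffic_at = set(traffic_at)
    last_inbound = 0          # the peer was last heard from when the SA came up (t = 0)
    probe_started = None      # time of the first unanswered R-U-THERE, if any
    for t in range(1, horizon + 1):
        if probe_started is not None:
            # Retries go out every `retry` seconds; after max_retries misses the
            # peer is declared dead and its IKE/IPSec SAs would be deleted.
            if t == probe_started + retry * max_retries:
                return t
            continue
        if mode == "periodic":
            # Forced probe at every interval whether or not there is traffic.
            want_probe = t % interval == 0
        elif mode == "on-demand":
            # Probe only when we need to send and the peer has been quiet too long.
            want_probe = t in traffic_at and t - last_inbound >= interval
        else:
            raise ValueError("mode must be 'periodic' or 'on-demand'")
        if not want_probe:
            continue
        if t < dead_at:
            last_inbound = t      # R-U-THERE answered: liveness refreshed
        else:
            probe_started = t     # no answer: start the retry sequence
    return None


def compare(interval=10, retry=2, dead_at=30):
    """Same peer death at t=30 under the three situations the text describes."""
    return {
        "periodic, no traffic": detect_dead_peer("periodic", interval, retry, [], dead_at),
        "on-demand, traffic at 5/45/120": detect_dead_peer("on-demand", interval, retry, [5, 45, 120], dead_at),
        "on-demand, no traffic": detect_dead_peer("on-demand", interval, retry, [], dead_at),
    }


if __name__ == "__main__":
    for case, when in compare().items():
        print(f"{case:32s} -> dead peer declared at {when}")
```

With crypto isakmp keepalive 10 2 periodic the dead peer is declared at second 40 (probe at 30, five retries two seconds apart); with on-demand DPD and the same timers it is declared at 55, and only because the router happened to have traffic for the peer at second 45; with on-demand DPD and no traffic the function returns None, the case the text describes as waiting for the next rekey. That is the trade-off the guidelines state: periodic finds dead peers sooner at the cost of a probe per interval per peer.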
Command / Purpose
Router(config)# crypto isakmp keepalive seconds [retries] [periodic | on-demand]
        Allows the router to send DPD messages to the peer.
        • seconds—Specifies the number of seconds between DPD messages; the range is from 10 to 3600 seconds.
        •retries—(Optional) Specifies the number of seconds between DPD retries if the DPD message fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds.
        • periodic—(Optional) Specifies that the DPD messages are sent at regular intervals.
        • on-demand—(Optional) Specifies that DPD retries are sent on demand. This is the default behavior.

Verifying the DPD Configuration

To verify that DPD is enabled, use the show crypto isakmp sa detail command in privileged EXEC mode; the D in the Cap. column shows that DPD was negotiated for the SA:

Router# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local      Remote     I-VRF   Encr  Hash  Auth  DH  Lifetime  Cap.
273   11.0.0.2   11.0.0.1   ivrf21  3des  sha   psk   2   01:59:35  D
      Connection-id:Engine-id = 273:2(hardware)

For more complete configuration information for Cisco IOS Dead Peer Detection (DPD) support, refer to the Cisco IOS Security Command Reference, Release 12.3.

For DPD configuration examples, see the “Dead Peer Detection Configuration Examples” section on page 28-24.

Understanding IPSec NAT Transparency

The IPSec NAT transparency feature introduces support for IP Security (IPSec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPSec.
Before the introduction of this feature, a standard IPSec virtual private network (VPN) tunnel would not work if there were one or more NAT or PAT points in the delivery path of the IPSec packet. This feature allows IPSec to operate through a NAT/PAT device.

For detailed information on NAT Transparency, refer to the following URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

IPSec NAT Transparency Configuration Guidelines and Restrictions

When configuring IPSec NAT transparency, follow these guidelines and restrictions:

• For non-GRE over IPSec configurations, NAT transparency is supported in both tunnel and transport modes.
• For point-to-point GRE over IPSec configurations, NAT transparency is supported only in tunnel mode.
• For DMVPN configurations, NAT transparency is supported only in transport mode.

Configuring NAT Transparency

NAT transparency is auto-detected by the IPSec VPN SPA; there are no configuration steps. If both VPN devices are NAT transparency-capable, NAT transparency is auto-detected and auto-negotiated.

Disabling NAT Transparency

You might want to disable NAT transparency if you already know that your network uses IPSec-aware NAT (an SPI-matching scheme). To disable NAT transparency, use the following command in global configuration mode:

Router(config)# no crypto ipsec nat-transparency udp-encapsulation

Configuring NAT Keepalives

By default, the NAT keepalive feature is disabled. To configure your router to send NAT keepalive packets, enter the crypto isakmp nat keepalive command in global configuration mode:

Router(config)# crypto isakmp nat keepalive seconds

In this command, seconds specifies the number of seconds between keepalive packets; the range is 5 to 3600 seconds.
For a NAT keepalives configuration example, see the “ISAKMP NAT Keepalive Configuration Example” section on page 28-24.

Verifying the NAT Configuration

To verify the NAT configuration, enter the show crypto ipsec sa command. NAT traversal is in use when the peer address carries UDP port 4500 and the SA settings show UDP-Encaps, as in the output below:

Note: When you first enter the show crypto ipsec sa command, the packet counters may not show the correct values. Repeat the command to show the updated values.

Router# show crypto ipsec sa
interface:GigabitEthernet5/0/1
    Crypto map tag:testtag, local addr. 10.2.80.161
   local ident (addr/mask/prot/port):(10.2.80.161/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port):(100.0.0.1/255.255.255.255/0/0)
   current_peer:100.0.0.1:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps:109, #pkts encrypt:109, #pkts digest 109
    #pkts decaps:109, #pkts decrypt:109, #pkts verify 109
    #pkts compressed:0, #pkts decompressed:0
    #pkts not compressed:0, #pkts compr. failed:0, #pkts decompress failed:0
    #send errors 90, #recv errors 0
     local crypto endpt.:10.2.80.161, remote crypto endpt.:100.0.0.1:4500
     path mtu 1500, media mtu 1500
     current outbound spi:23945537
     inbound esp sas:
      spi:0xF423E273(4095992435)
        transform:esp-des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot:0, conn id:200, flow_id:1, crypto map:testtag
        sa timing:remaining key lifetime (k/sec):(4607996/2546)
        IV size:8 bytes
        replay detection support:Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi:0x23945537(596923703)
        transform:esp-des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot:0, conn id:201, flow_id:2, crypto map:testtag
        sa timing:remaining key lifetime (k/sec):(4607998/2519)
        IV size:8 bytes
        replay detection support:Y
     outbound ah sas:
     outbound pcp sas:

For complete configuration information for Cisco IOS IPSec NAT transparency support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

Configuration Examples

This section provides examples of the following configurations:

• Advanced Encryption Standard Configuration Example, page 28-22
• ISAKMP Keyrings Configuration Examples, page 28-22
• Certificate to ISAKMP Profile Mapping Configuration Examples, page 28-23
• Encrypted Preshared Key Configuration Example, page 28-23
• Call Admission Control for IKE Configuration Examples, page 28-24
• Dead Peer Detection Configuration Examples, page 28-24
• ISAKMP NAT Keepalive Configuration Example, page 28-24

Advanced Encryption Standard Configuration Example

The following example configures the Advanced Encryption Standard (AES) 256-bit key:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share

ISAKMP Keyrings Configuration Examples

The following examples show how to limit the scope of an Internet Security Association
and Key Management Protocol (ISAKMP) profile or ISAKMP keyring configuration to a local termination address or interface:

• ISAKMP Profile Bound to a Local Interface Configuration Example, page 28-22
• ISAKMP Keyring Bound to a Local Interface Configuration Example, page 28-22
• ISAKMP Keyring Bound to a Local IP Address Configuration Example, page 28-23

ISAKMP Profile Bound to a Local Interface Configuration Example

The following example configures an ISAKMP profile bound to a local interface:

crypto isakmp profile prof1
 keyring key0
 match identity address 11.0.0.2 255.255.255.255
 local-address serial2/0

ISAKMP Keyring Bound to a Local Interface Configuration Example

The following example configures an ISAKMP keyring bound only to interface serial2/0 (the key 12345 is a placeholder; use a long, random preshared key in production):

crypto keyring key0
 local-address serial2/0
 pre-shared-key address 11.0.0.2 key 12345

ISAKMP Keyring Bound to a Local IP Address Configuration Example

The following example configures an ISAKMP keyring bound only to the local IP address 11.0.0.1:

crypto keyring key0
 local-address 11.0.0.1
 pre-shared-key address 11.0.0.2 key 12345

Certificate to ISAKMP Profile Mapping Configuration Examples

The following examples show how to configure Certificate to ISAKMP Profile Mapping:

• Certificates Mapped to the ISAKMP Profile on the Basis of Arbitrary Fields Configuration Example, page 28-23
• Group Name Assigned to a Peer Associated with an ISAKMP Profile Configuration Example, page 28-23

Certificates Mapped to the ISAKMP Profile on the Basis of Arbitrary Fields Configuration Example

The following example shows that whenever a certificate contains “ou = green,” the ISAKMP profile “cert_pro” will be assigned to the peer:

crypto pki certificate map cert_map 10
 subject-name co ou = green
!
crypto isakmp identity dn
crypto isakmp profile cert_pro
 ca trust-point 2315
 ca trust-point LaBcA
 match certificate cert_map

Group Name Assigned to a Peer Associated with an ISAKMP Profile Configuration Example

The following example shows that the group “some_group” is to be associated with a peer that has been assigned an ISAKMP profile:

crypto isakmp profile id_profile
 ca trust-point 2315
 match identity host domain cisco.com
 client configuration group some_group

Encrypted Preshared Key Configuration Example

The following example shows a configuration for which a type 6 preshared key has been encrypted:

Router(config)# password encryption aes
Router(config)# key config-key password-encrypt
New key:
Confirm key:
Router(config)#
0:46:40: TYPE6_PASS: New Master key configured, encrypting the keys with the new master key
Router(config)# exit

Call Admission Control for IKE Configuration Examples

The following examples show how to configure Call Admission Control (CAC) for IKE:

• IKE Security Association Limit Configuration Example, page 28-24
• System Resource Limit Configuration Example, page 28-24

IKE Security Association Limit Configuration Example

The following example shows how to specify that there can be a maximum of 25 SAs before IKE starts rejecting new SA requests:

Router(config)# crypto call admission limit ike sa 25

System Resource Limit Configuration Example

The following example shows how to specify that IKE should drop SA requests when a given level of system resources is in use:

Router(config)# call admission limit 50000

Dead Peer Detection Configuration Examples

The following examples show how to configure Dead Peer Detection (DPD):

• On-Demand DPD Configuration Example, page 28-24
• Periodic DPD Configuration Example, page 28-24

On-Demand DPD Configuration Example

The following
example shows how to configure on-demand DPD messages. In this example, DPD messages are sent every 60 seconds, with 5 seconds between retries if the peer does not respond:

Router(config)# crypto isakmp keepalive 60 5

Periodic DPD Configuration Example

The following example shows how to configure periodic DPD messages. In this example, DPD messages are sent at intervals of 10 seconds:

Router(config)# crypto isakmp keepalive 10 periodic

ISAKMP NAT Keepalive Configuration Example

The following example shows how to enable NAT keepalives to be sent every 20 seconds:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 1234 address 56.0.0.1
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set t2 esp-des esp-sha-hmac
!
crypto map test2 10 ipsec-isakmp
 set peer 56.0.0.1
 set transform-set t2
 match address 101

Chapter 29 Configuring Enhanced IPSec Features Using the IPSec VPN SPA

This chapter provides information about configuring enhanced IPSec features using the IPSec VPN SPA on the Cisco 7600 series router.
It includes the following sections:

• Overview of Enhanced IPSec Features, page 29-2
• Configuring Advanced Encryption Standard in a Transform Set, page 29-2
• Configuring Reverse Route Injection, page 29-3
• Configuring the IPSec Anti-Replay Window Size, page 29-6
• Configuring an IPSec Preferred Peer, page 29-8
• Configuring IPSec Security Association Idle Timers, page 29-12
• Configuring Distinguished Name-Based Crypto Maps, page 29-13
• Configuring QoS on the SPA-IPSEC-2G IPSEC VPN SPA, page 29-15
• Configuring QoS on the WS-IPSEC-3 IPSEC VSPA, page 29-17
• Configuring Sequenced Crypto ACLs, page 29-33
• Configuring Deny Policy Enhancements for Crypto ACLs, page 29-33
• Configuration Examples, page 29-34

Note: For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the Cisco IOS Security Configuration Guide, Release 12.2 and Cisco IOS Security Command Reference, Release 12.2. For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications. For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.

Tip: To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.
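The configuration examples that close Chapter 28 (an ISAKMP policy with no encr line, a type 0 preshared key, a transform set using esp-des) illustrate syntax rather than a hardened baseline. The following Python checker is an added example for this page, not a Cisco tool: it reads a running-config excerpt in the syntax these chapters use and reports the settings the two chapters discuss (AES versus DES, encrypted preshared keys, DPD, call admission control, NAT keepalives, the anti-replay window). Its assumptions are its own: both configs are constructed sample data, a type 6 key is recognised by the key 6 form produced by the encrypted preshared key feature, a policy without an encr line is taken to fall back to the IOS default of DES, and the severities are the example's choice.

```python
"""Running-config checker for the IKE/IPSec settings covered in these chapters.

Added example, not a Cisco tool. Both configs below are constructed sample data.
Assumptions: an ISAKMP policy with no encr line uses the IOS default of DES;
type 6 (encrypted) preshared keys appear as "crypto isakmp key 6 <ciphertext>";
severities are this example's own.
"""
import re

WEAK_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 1234 address 56.0.0.1
crypto isakmp key 6 PLACEHOLDER_TYPE6_CIPHERTEXT address 56.0.0.2
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set t2 esp-des esp-sha-hmac
crypto ipsec transform-set t3 esp-aes 256 esp-sha-hmac
"""

HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key 6 PLACEHOLDER_TYPE6_CIPHERTEXT address 56.0.0.1
crypto isakmp keepalive 10 3 periodic
crypto isakmp nat keepalive 20
crypto call admission limit ike sa 100
crypto ipsec security-association replay window-size 128
crypto ipsec transform-set t3 esp-aes 256 esp-sha-hmac
"""

WEAK_IKE_CIPHERS = {"des": "DES", "3des": "3DES"}
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des"}

# Global commands from these chapters whose absence means the default behaviour.
EXPECTED_GLOBALS = [
    (r"^crypto isakmp keepalive \d+", "MEDIUM",
     "no 'crypto isakmp keepalive': DPD off, dead peers noticed only at rekey"),
    (r"^crypto call admission limit ike", "MEDIUM",
     "no 'crypto call admission limit ike sa': IKE SA count is unbounded"),
    (r"^crypto ipsec security-association replay window-size", "INFO",
     "anti-replay window at default 64; raise it if QoS reorders packets"),
    (r"^crypto isakmp nat keepalive", "INFO",
     "no 'crypto isakmp nat keepalive': NAT bindings can expire on idle tunnels"),
]


def isakmp_policies(lines):
    """Map policy number -> encr algorithm (None if the policy has no encr line)."""
    policies, current = {}, None
    for line in lines:
        head = re.match(r"crypto isakmp policy (\d+)$", line)
        if head:
            current = head.group(1)
            policies[current] = None
        elif current and line.startswith(" "):
            enc = re.match(r"\s+encr(?:yption)? (\S+)", line)
            if enc:
                policies[current] = enc.group(1).lower()
        else:
            current = None       # left the policy block
    return policies


def audit(config_text):
    """Return a list of (severity, finding) tuples for one running-config."""
    lines = config_text.splitlines()
    findings = []
    for num, enc in isakmp_policies(lines).items():
        algo = enc or "des"      # assumption: no encr line means the DES default
        if algo in WEAK_IKE_CIPHERS:
            note = " (implicit default)" if enc is None else ""
            findings.append(("HIGH", f"isakmp policy {num}: {WEAK_IKE_CIPHERS[algo]} "
                                     f"encryption{note}; use 'encr aes 256'"))
    for line in lines:
        key = re.match(r"crypto isakmp key (6 )?(\S+) address (\S+)", line)
        if key and not key.group(1):
            findings.append(("HIGH", f"type 0 (plaintext) preshared key for {key.group(3)}; "
                                     "enable 'password encryption aes' and "
                                     "'key config-key password-encrypt'"))
        ts = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if ts:
            for transform in ts.group(2).split():
                if transform in WEAK_ESP_TRANSFORMS:
                    findings.append(("HIGH", f"transform-set {ts.group(1)} uses {transform}; "
                                             "prefer esp-aes [192|256]"))
    for pattern, severity, message in EXPECTED_GLOBALS:
        if not any(re.match(pattern, line) for line in lines):
            findings.append((severity, message))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

Against WEAK_CONFIG the checker reports three HIGH findings (implicit DES in the IKE policy, a plaintext key, esp-des), two MEDIUM ones (no DPD, no CAC) and one INFO (default replay window); HARDENED_CONFIG produces none. Feed it the output of show running-config | section crypto from a real device to get the same report.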
Overview of Enhanced IPSec Features

IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF). It provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as Cisco routers.

This chapter describes the advanced IPSec features that can be used to improve scalability and performance of your IPSec VPN.

Configuring Advanced Encryption Standard in a Transform Set

The Advanced Encryption Standard (AES) is a privacy transform for IPSec and Internet Key Exchange (IKE) that was developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: it offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length. The algorithm can use a 128-bit key (the default), a 192-bit key, or a 256-bit key.

To configure the AES encryption algorithm within a transform set, perform this task beginning in global configuration mode:

transform-set-name specifies the name of the transform set. transform1 [transform2 [transform3]] defines the IPSec security protocols and algorithms. To configure AES, you must choose from the following AES Encapsulating Security Payload (ESP) encryption transforms:

• esp-aes specifies ESP with the 128-bit AES encryption algorithm.
• esp-aes 192 specifies ESP with the 192-bit AES encryption algorithm.
• esp-aes 256 specifies ESP with the 256-bit AES encryption algorithm.

For other accepted transform values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.
Command / Purpose
Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] ...
        Specifies a transform set and the IPSec security protocols and algorithms it uses.

Verifying the AES Transform Set

To verify the configuration of the transform set, enter the show crypto ipsec transform-set command:

Router# show crypto ipsec transform-set
Transform set transform-1:{esp-256-aes esp-md5-hmac}
   will negotiate = {Tunnel, }

For more complete configuration information about AES support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_aes.html

For an AES configuration example, see the “Advanced Encryption Standard Configuration Example” section on page 29-34.

Configuring Reverse Route Injection

Reverse Route Injection (RRI) provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.

Note: RRI is supported in Cisco IOS Release 12.2(33)SRA and later releases.

Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted. After the static route is created on the VPN router, this information is propagated to upstream devices, allowing them to determine the appropriate VPN router to which to send returning traffic in order to maintain IPSec state flows.
Being able to determine the appropriate VPN router is particularly useful if multiple VPN routers are used at a site to provide load balancing or failover, or if the remote VPN devices are not accessible via a default route. Routes are created in either the global routing table or the appropriate virtual routing and forwarding (VRF) table.

RRI is applied on a per-crypto map basis, whether this is via a static crypto map or a dynamic crypto map template. For both dynamic and static maps, routes are created only at the time of IPSec SA creation. Routes are removed when the SAs are deleted. The static keyword can be added to the reverse-route command if routes are to be created on the basis of the content of the crypto ACLs that are permanently attached to the static crypto map.

RRI Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring RRI:

Note: When RRI is enabled, do not make changes to the crypto configuration while VPN sessions are active. Enter the clear crypto session command before making changes.

• IP routing should be enabled and static routes should be redistributed if dynamic routing protocols are to be used to propagate RRI-generated static routes.
• You can specify an interface or address as the explicit next hop to the remote VPN device. This functionality allows the overriding of a default route to properly direct outgoing encrypted packets.
• You can add a route tag value to any routes that are created using RRI. This route tag allows redistribution of groups of routes using route maps, allowing you to be selective about which routes enter your global routing table.
• RRI can be configured on the same crypto map that is applied to multiple router interfaces.
• The reverse-route remote-peer [static] command creates two routes. One route is the standard remote proxy ID, and its next hop is the remote VPN client tunnel address. The second route is the actual route to that remote tunnel endpoint and is used when a recursive lookup requires that the remote endpoint be reachable by the next hop. Creation of the second route for the actual next hop is important in the VRF case, in which a default route must be overridden by a more explicit route. To reduce the number of routes created and to support some platforms that do not readily facilitate route recursion, the reverse-route remote-peer ip-address [static] form can be used to create one route only.
• For devices using an IPSec VPN SPA, reverse route specifies the next hop to be the interface, subinterface, or virtual LAN (VLAN) with the crypto map applied to it.

Configuring RRI Under a Static Crypto Map

To configure RRI under a static crypto map, perform the following steps beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# crypto map map-name seq-num ipsec-isakmp
        Creates or modifies a crypto map entry and enters crypto map configuration mode.
        • map-name—Name that identifies the map set.
        • seq-num—Sequence number assigned to the crypto map entry.
        • ipsec-isakmp—Indicates that IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.
Step 2  Router(config-crypto-map)# reverse-route [[static] | tag tag-id [static] | remote-peer [static] | remote-peer ip-address [static]]
        Creates source proxy information for a crypto map entry.
        • static—(Optional) Creates permanent routes based on static ACLs.
        • tag tag-id—(Optional) Tag value that can be used as a match value for controlling redistribution via route maps.
        • remote-peer [static]—(Optional) Two routes are created, one for the remote endpoint and one for route recursion to the remote endpoint via the interface to which the crypto map is applied. The static keyword is optional.
        • remote-peer ip-address [static]—(Optional) One route is created to a remote proxy by way of a user-defined next hop. This next hop can be used to override a default route. The ip-address argument is required. The static keyword is optional.

Configuring RRI Under a Dynamic Crypto Map

To configure RRI under a dynamic crypto map, perform the following steps beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num
        Creates a dynamic crypto map entry and enters crypto map configuration mode.
        • dynamic-map-name—Name that identifies the map set.
        • dynamic-seq-num—Sequence number assigned to the crypto map entry.
Step 2  Router(config-crypto-map)# reverse-route [tag tag-id | remote-peer | remote-peer ip-address]
        Creates source proxy information for a crypto map entry.
        • tag tag-id—(Optional) Tag value that can be used as a match value for controlling redistribution via route maps.
        • remote-peer—(Optional) Two routes are created, one for the remote endpoint and one for route recursion to the remote endpoint via the interface to which the crypto map is applied.
        • remote-peer ip-address—(Optional) One route is created to a remote proxy by way of a user-defined next hop. This next hop can be used to override a default route. The ip-address argument is required.

For more complete configuration information for RRI, refer to the following URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_rrie.html

For RRI configuration examples, see the “Reverse Route Injection Configuration Examples” section on page 29-34.

Configuring the IPSec Anti-Replay Window Size

Cisco IPSec authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association (SA) anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.) The encryptor assigns sequence numbers in increasing order, and the decryptor checks off the sequence numbers that it has seen. The decryptor remembers the value (X) of the highest sequence number that it has already seen. N is the window size of the decryptor. Any packet with a sequence number less than X minus N is discarded, as is any packet whose sequence number has already been checked off. Currently, N is set at 64.

Note: The IPSec anti-replay window size feature is supported in Cisco IOS Release 12.2(18)SXF6 and later releases.

At times, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which can hold a low-priority packet back until more than 64 newer packets have been sent, so that it falls outside the window and is discarded even though it is not a replayed packet. The IPSec anti-replay window size feature allows you to expand the window size so that sequence number information can be kept for more than 64 packets.

Note: A change in the anti-replay window size will not take effect until after the next rekeying.
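The window the text describes (highest sequence number X, window size N, a mark for every number already seen) is the sliding-window check that RFC 4303 specifies for ESP, and it fits in a few lines. The following Python is an added example for this page, not the IPSec VPN SPA's implementation. The packet order it feeds in is constructed sample data (a low-priority packet held back by a QoS scheduler, then a replayed copy of an earlier packet), the window is taken to cover X-N+1 through X as in RFC 4303, and the accepted sizes are the values the window-size command takes.

```python
"""Sliding-window anti-replay check for ESP sequence numbers (added example,
not the IPSec VPN SPA's implementation). The window covers X-N+1 .. X, with
X the highest sequence number accepted so far and N the window size."""


class ReplayWindow:
    SIZES = (64, 128, 256, 512, 1024)   # the values the window-size command accepts

    def __init__(self, size=64):
        if size not in self.SIZES:
            raise ValueError(f"window size must be one of {self.SIZES}")
        self.size = size
        self.highest = 0        # X: highest sequence number seen; ESP numbering starts at 1
        self.bitmap = 0         # bit i set  <=>  sequence number (highest - i) was accepted

    def check(self, seq):
        """Decide one received sequence number; returns (accepted, reason)."""
        if seq <= 0:
            return False, "invalid"
        if seq > self.highest:
            # New high water mark: slide the window forward and mark seq as seen.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True, "new high"
        age = self.highest - seq
        if age >= self.size:
            return False, "stale"        # older than the window: discarded as the text says
        if (self.bitmap >> age) & 1:
            return False, "replay"       # already checked off: a duplicate
        self.bitmap |= 1 << age
        return True, "in window"


def reorder_scenario(size, delay, total=200):
    """Constructed arrival order: packets 1..total leave in order, but the QoS
    scheduler holds low-priority packet 10 until `delay` later packets have gone
    out; finally someone replays packet 190. Returns the rejected (seq, reason)s."""
    order = [s for s in range(1, total + 1) if s != 10]
    order.insert(9 + delay, 10)     # packet 10 arrives after packets 11..10+delay
    order.append(190)               # replayed copy of an already-accepted packet
    window = ReplayWindow(size)
    rejected = []
    for seq in order:
        accepted, reason = window.check(seq)
        if not accepted:
            rejected.append((seq, reason))
    return rejected


if __name__ == "__main__":
    for size in (64, 128):
        print(f"window {size}: rejected {reorder_scenario(size, delay=70)}")
```

With the default window of 64, a packet delayed behind 70 newer ones is dropped as stale even though it is legitimate, which is exactly the QoS case the text describes; with window-size 128 the same packet is accepted. The replayed packet is rejected at either size, so widening the window buys tolerance for reordering without giving up the replay protection, at the cost of 2 to 16 times more state per SA.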
Expanding the IPSec Anti-Replay Window Size Globally

To expand the IPSec anti-replay window globally so that it affects all SAs that are created (except for those that are specifically overridden on a per-crypto map basis), perform this task beginning in global configuration mode:

Command: Router(config)# crypto ipsec security-association replay window-size [size]
Purpose: Expands the IPSec anti-replay window globally to the specified size.
  • size—(Optional) Size of the window. Values can be 64, 128, 256, 512, or 1024. This value becomes the default value.

Expanding the IPSec Anti-Replay Window at the Crypto Map Level

To expand the IPSec anti-replay window on a crypto map basis so that it affects those SAs that have been created using a specific crypto map or profile, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto map map-name seq-num ipsec-isakmp
Purpose: Enters crypto map configuration mode and creates a crypto profile that provides a template for configuration of dynamically created crypto maps.
  • map-name—Name that identifies the map set.
  • seq-num—Sequence number assigned to the crypto map entry.
  • ipsec-isakmp—Indicates that IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Step 2
Command: Router(config-crypto-map)# set security-association replay window-size [size]
Purpose: Controls the SAs that are created using the policy specified by a particular crypto map, dynamic crypto map, or crypto profile.
  • size—(Optional) Size of the window. Values can be 64, 128, 256, 512, or 1024. This value becomes the default value.

Verifying the IPSec Anti-Replay Window Size Configuration at the Crypto Map Level

To verify that IPSec anti-replay window size is enabled at a crypto map, enter the show crypto map command for that particular map. If anti-replay window size is enabled, the display will indicate that it is enabled and indicate the configured window size. If anti-replay window size is disabled, the results will indicate that also.

The following example indicates that IPSec anti-replay window size is enabled:

Router# show crypto map tag TESTMAP
Crypto Map "TESTMAP" 10 ipsec-isakmp
        WARNING: This crypto map is in an incomplete state!
                (missing peer or access-list definitions)
        No matching address list set.
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ }
        Antireplay window size = 128
        Interfaces using crypto map TESTMAP:

For more complete configuration information for IPSec anti-replay window size, refer to the following URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_iarwe.html

For IPSec anti-replay window size configuration examples, see the “IPSec Anti-Replay Window Size Configuration Examples” section on page 29-36.

Note Anti-replay failures detected by the IPSec VPN SPA can be caused by reordering, requeueing, or fragmentation elsewhere in the network. As a defense against man-in-the-middle attacks, the IPSec VPN SPA will drop these packets. This is the expected behavior.
Disabling the IPSec Anti-Replay Checking

To disable the IPSec anti-replay checking, enter the crypto ipsec security-association replay disable command in global configuration mode as follows:

Command: Router(config)# crypto ipsec security-association replay disable
Purpose: Disables the IPSec anti-replay checking.

To disable the IPSec anti-replay checking on a particular crypto map, enter the set security-association replay disable command in crypto map configuration mode as follows:

Step 1
Command: Router(config)# crypto map map-name seq-num ipsec-isakmp
Purpose: Enters crypto map configuration mode and creates a crypto profile that provides a template for configuration of dynamically created crypto maps.
  • map-name—Name that identifies the map set.
  • seq-num—Sequence number assigned to the crypto map entry.
  • ipsec-isakmp—Indicates that IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Step 2
Command: Router(config-crypto-map)# set security-association replay disable
Purpose: Disables IPSec anti-replay checking by a particular crypto map, dynamic crypto map, or crypto profile.

Configuring an IPSec Preferred Peer

The IP Security (IPSec) Preferred Peer feature allows you to control the circumstances under which multiple peers on a crypto map are tried in a failover scenario. If there is a default peer, the next time a connection is initiated, the connection is directed to the default peer instead of to the next peer in the peer list. If all connections to the current peer time out, the next time a connection is initiated, it is directed to the default peer.

Note The IPSec Preferred Peer feature is supported in Cisco IOS Release 12.2(33)SRA and later releases.

This feature includes the following capabilities:

• Default peer configuration

  If a connection timeout occurs, the connection to the current peer is closed. The set peer command allows you to configure the first peer as the default peer. If there is a default peer, the next time a connection is initiated, the connection is directed to the default peer instead of to the next peer in the peer list. If the default peer is unresponsive, the next peer in the peer list becomes the current peer and future connections through the crypto map try that peer.

  This capability is useful when traffic on a physical link stops due to the failure of a remote peer. DPD indicates that the remote peer is unavailable, but that peer remains the current peer. A default peer facilitates the failover to a preferred peer that was previously unavailable, but has returned to service. Users can give preference to certain peers in the event of a failover. This is useful if the original failure was due to a network connectivity problem rather than failure of the remote peer.

  To configure a default peer, see the “Configuring a Default Peer” section on page 29-10.

• IPSec idle timer with default peer configuration

  When a router running Cisco IOS software creates an IPSec security association (SA) for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers.

  IPSec SA idle timers increase the availability of resources by deleting SAs associated with idle peers. Because IPSec SA idle timers prevent the wasting of resources by idle peers, more resources are available to create new SAs when required. (If IPSec SA idle timers are not configured, only the global lifetimes for IPSec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.)

  When both an IPSec SA idle timer and a default peer are configured and all connections to the current peer time out, the next time a connection is initiated it is directed to the default peer configured in the set peer command. If a default peer is not configured and there is a connection timeout, the current peer remains the one that timed out. This enhancement helps facilitate a failover to a preferred peer that was previously unavailable but is in service now.

  To configure an IPSec idle timer, see the “Configuring the IPSec Idle Timer with a Default Peer” section on page 29-11.

IPSec Preferred Peer Configuration Guidelines and Restrictions

When configuring an IPSec preferred peer, follow these guidelines and restrictions:

• When configuring a default peer, follow these guidelines and restrictions:
  – Only one peer can be designated as the default peer in a crypto map.
  – The default peer must be the first peer in the peer list.

  Note The default peer feature must be used in conjunction with Dead Peer Detection (DPD). It is most effective on a remote site running DPD in periodic mode. DPD detects the failure of a device quickly and resets the peer list so that the default peer is tried for the next attempted connection.

• When configuring IPSec idle timer usage with a default peer, follow these guidelines and restrictions:
  – The IPSec idle timer usage with a default peer feature works only on the crypto map for which it is configured. You cannot configure the capability globally for all crypto maps.
  – If there is a global idle timer, the crypto map idle timer value must be different from the global value; otherwise, the idle timer is not added to the crypto map.

Configuring a Default Peer

To configure a default peer, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
Purpose: Enters crypto map configuration mode and creates a crypto profile that provides a template for configuration of dynamically created crypto maps.
  • map-name—Name that identifies the map set.
  • seq-num—Sequence number assigned to the crypto map entry.
  • ipsec-isakmp—(Optional) Indicates that IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.
  • dynamic dynamic-map-name—(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
  • discover—(Optional) Enables peer discovery. By default, peer discovery is not enabled.
  • profile profile-name—(Optional) Name of the crypto profile being created.

Step 2
Command: Router(config-crypto-map)# set peer {host-name [dynamic] [default] | ip-address [default]}
Purpose: Specifies an IPSec peer in a crypto map entry. Ensures that the first peer specified is defined as the default peer.
  • host-name—Specifies the IPSec peer by its host name. This is the peer’s host name concatenated with its domain name (for example, myhost.example.com).
  • dynamic—(Optional) The host name of the IPSec peer will be resolved via a domain name server (DNS) lookup right before the router establishes the IPSec tunnel.
  • default—(Optional) If there are multiple IPSec peers, designates that the first peer is the default peer.
  • ip-address—Specifies the IPSec peer by its IP address.

Step 3
Command: Router(config-crypto-map)# exit
Purpose: Exits crypto map configuration mode and returns to global configuration mode.
Configuring the IPSec Idle Timer with a Default Peer

To configure the IPSec idle timer with a default peer, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
Purpose: Enters crypto map configuration mode and creates a crypto profile that provides a template for configuration of dynamically created crypto maps.
  • map-name—Name that identifies the map set.
  • seq-num—Sequence number assigned to the crypto map entry.
  • ipsec-isakmp—(Optional) Indicates that IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.
  • dynamic dynamic-map-name—(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
  • discover—(Optional) Enables peer discovery. By default, peer discovery is not enabled.
  • profile profile-name—(Optional) Name of the crypto profile being created.

Step 2
Command: Router(config-crypto-map)# set security-association idle-time seconds [default]
Purpose: Specifies the maximum amount of time for which the current peer can be idle before the default peer is used.
  • seconds—Number of seconds for which the current peer can be idle before the default peer is used. Valid values are 600 to 86400.
  • default—(Optional) Specifies that the next connection is directed to the default peer.

Step 3
Command: Router(config-crypto-map)# exit
Purpose: Exits crypto map configuration mode and returns to global configuration mode.

For complete configuration information for IPSec preferred peer, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_ipspp.html

For IPSec preferred peer configuration examples, see the “IPSec Preferred Peer Configuration Examples” section on page 29-38.

Configuring IPSec Security Association Idle Timers

When a router running Cisco IOS software creates an IPSec SA for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers.

The IPSec security association idle timers feature introduces a configurable idle timer to monitor SAs for activity, allowing SAs for idle peers to be deleted. The idle timers can be configured either globally, on a per-crypto map basis, or through an ISAKMP profile.

The benefits of this feature include the following:
• Increased availability of resources
• Improved scalability of Cisco IOS IPSec deployments

IPSec Security Association Idle Timer Configuration Guidelines

When configuring idle timers on a per-crypto map basis, follow these guidelines:

• The IPSec VPN SPA rounds up the CLI-configured interval to the next 10-minute boundary. For example, if you configure 12 minutes for idle timeout, the IPSec VPN SPA uses a value of 20 minutes for idle timeout. If you configure 5 minutes, the IPSec VPN SPA uses a value of 10 minutes for idle timeout.
• Because of the way the IPSec VPN SPA does idle timeout detection, it can take anywhere between one and three (ten-minute) intervals for idle timeout detection. For example, if you configured 12 minutes for idle timeout, idle timeout could happen anywhere between 20 and 60 minutes.
• When the idle timer is configured globally, the idle timer configuration will be applied to all SAs.
• When the idle timer is configured for a crypto map, the idle timer configuration will be applied to all SAs under the specified crypto map.

Configuring the IPSec SA Idle Timer Globally

To configure the IPSec SA idle timer globally, enter the crypto ipsec security-association idle-time command in global configuration mode as follows:

Command: Router(config)# crypto ipsec security-association idle-time seconds
Purpose: Specifies the time, in seconds, that the idle timer will allow an inactive peer to maintain an SA. The range is from 60 to 86400 seconds.

Configuring the IPSec SA Idle Timer per Crypto Map

To configure the IPSec SA idle timer for a specified crypto map, use the set security-association idle-time command within a crypto map configuration:

Step 1
Command: Router(config)# crypto map map-name seq-number ipsec-isakmp
Purpose: Creates or modifies a crypto map entry and enters crypto map configuration mode.
  • map-name—Name that identifies the crypto map set.
  • seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.
  • ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.

Step 2
Command: Router(config-crypto-map)# set security-association idle-time seconds
Purpose: Specifies the time, in seconds, that the idle timer will allow an inactive peer to maintain an SA. The range is from 60 to 86400 seconds.

For detailed information on configuring IPSec SA idle timers, refer to the following Cisco IOS documentation: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html

For IPSec SA idle timer configuration examples, see the “IPSec Security Association Idle Timer Configuration Examples” section on page 29-38.

Configuring Distinguished Name-Based Crypto Maps

The distinguished name-based crypto maps feature allows you to configure the router to restrict access to selected encrypted interfaces to those peers with specific certificates, especially certificates with particular distinguished names (DNs). Previously, if the router accepted a certificate or a shared secret from the encrypting peer, Cisco IOS had no way of preventing the peer from communicating with any encrypted interface other than the restrictions on the IP address of the encrypting peer.

This feature allows you to configure which crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, which enables you to control which encrypted interfaces a peer with a specified DN can access. You can configure a DN-based crypto map that can be used only by peers that have been authenticated by a DN, or one that can be used only by peers that have been authenticated by a hostname.

Distinguished Name-Based Crypto Map Configuration Guidelines and Restrictions

When configuring a distinguished name-based crypto map, follow these guidelines and restrictions:

• If you restrict access to a large number of DNs, we recommend that you specify a small number of crypto maps referring to large identity sections instead of a large number of crypto maps referring to small identity sections.

To configure a DN-based crypto map that can be used only by peers that have been authenticated by a DN, or one that can be used only by peers that have been authenticated by a hostname, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto isakmp policy priority
         ...
         Router(config-isakmp)# exit
Purpose: Defines an ISAKMP policy and enters ISAKMP policy configuration mode. Creates an ISAKMP policy at each peer. For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.
  • priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

Step 2
Command: Router(config)# crypto map map-name seq-number ipsec-isakmp
Purpose: Creates or modifies a crypto map entry and enters the crypto map configuration mode.
  • map-name—Name that identifies the crypto map set.
  • seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.
  • ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.

Step 3
Command: Router(config-crypto-map)# set identity name
         ...
         Router(config-crypto-map)# exit
Purpose: Applies the identity to the crypto map. When this command is applied, only the hosts that match a configuration listed within the identity name can use the specified crypto map. Specify any other policy values appropriate to your configuration. For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.
  • name—Identity of the router, which is associated with the given list of DNs.

  Note If the set identity command does not appear within the crypto map, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.

Step 4
Command: Router(config)# crypto identity name
Purpose: Configures the identity of a router with the given list of DNs in the certificate of the router and enters crypto identity configuration mode.
  • name—The name value specified in Step 3.

Step 5
Command: Router(crypto-identity)# dn name=string [,name=string] | fqdn name
Purpose: Associates the identity of the router with either a DN or hostname (FQDN) to restrict access to peers with specific certificates. The identity of the peer must match the identity in the exchanged certificate.
  • name=string—The DN in the certificate of the router. Optionally, you can associate more than one DN.
  • fqdn name—The hostname that the peer used to authenticate itself (FQDN) or the DN in the certificate of the router.

For complete configuration information for Distinguished Name-Based Crypto Maps, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftdnacl.html

For a distinguished name-based crypto map configuration example, see the “Distinguished Name-Based Crypto Maps Configuration Example” section on page 29-39.

Configuring QoS on the SPA-IPSEC-2G IPSEC VPN SPA

The IPSec VPN SPA uses the Quality of Service (QoS) capabilities of the Cisco 7600 series router software to implement a two-level, strict-priority QoS. Before configuring QoS for the IPSec VPN SPA, refer to this URL: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008014a29f.shtml

The IPSec VPN SPA implements a two-level, strict-priority QoS. The Cisco 7600 SSC-400 and the IPSec VPN SPA together implement two queues for each direction, inbound and outbound. Packets are dequeued in a two-to-one ratio, meaning that two packets are dequeued from the high-priority low-latency queue (LLQ) before one packet is dequeued from the low-priority queue. Packets are enqueued based on your priority-queue configuration settings.
To take advantage of the IPSec VPN SPA’s QoS capability, you must use standard QoS commands to ensure that the class of service (CoS) of packets is marked on ingress. You must configure the CoS map for the inside and outside ports, and you must also enable QoS globally for the IPSec VPN SPA to acknowledge the CoS mapping.

QoS Configuration Guidelines and Restrictions

When configuring QoS settings for an IPSec VPN SPA, follow these guidelines and note these restrictions:

• In VRF mode, service policies should not be applied on GRE and VTI tunnel interfaces. In crypto-connect mode, service policies should not be applied on GRE tunnel interfaces if the tunnel will be taken over by the IPSec VPN SPA.
• Packets are enqueued based on the mls qos command and the priority-queue configuration settings as follows:
  – When the mls qos command is not configured, all data packets are enqueued into the high-priority queue.
  – When the mls qos command is configured and no explicit priority-queue configuration is present on the IPSec VPN SPA Ethernet interfaces, only packets with a CoS value of 5 are enqueued into the high-priority queue; all other packets are enqueued into the low-priority queue.
  – When the mls qos command is configured and priority-queue configuration is present on the IPSec VPN SPA Ethernet interfaces, traffic is enqueued based on the priority-queue configuration.
• A maximum of three CoS map values can be sent to the high-priority queue. Because the CoS value of 5 is preconfigured as high-priority, you can choose only two other values for high-priority queueing.

  Note Do not configure more than three CoS map values, because any additional values will overwrite previously configured values. If you overwrite the CoS value of 5, the system will restore it, overwriting one of your other configured values. To restore an overwritten CoS map value, you must first delete the new value and then reconfigure the earlier value.

• When the mls qos command is configured, you must also configure the mls qos trust command on the IPSec VPN SPA Ethernet interfaces, as in the following example:

  !
  interface GigabitEthernet4/0/1
   mls qos trust cos
   priority-queue cos-map 1 0 1 5
  !
  interface GigabitEthernet4/0/2
   mls qos trust cos
   priority-queue cos-map 1 0 1 5
  !

  In this example, the CoS values of 0, 1, and 5 are sent to the high-priority queue.

• In a blade failover group, both IPSec VPN SPAs must have matching platform QoS configurations.
• If the mls qos trust command is not configured, the QoS fields in all traffic will be cleared to the default level. If the mls qos trust command is configured, the QoS fields will be preserved.

For a QoS configuration example, see the “QoS Configuration Example” section on page 29-40.

Configuring QoS on the WS-IPSEC-3 IPSEC VSPA

Typical applications of quality of service (QoS) for VPN are the use of traffic policing to prevent a hub from overwhelming a lower-capacity spoke, and the prioritization over VPN of delay-sensitive traffic such as voice over IP (VoIP). In a system including the WS-IPSEC-3 IPSEC VSPA, QoS features for VPN traffic are provided by the WS-IPSEC-3 IPSEC VSPA module and its carrier card (SSC-600).

• Module QoS—The WS-IPSEC-3 IPSEC VSPA provides traffic shaping, queuing, and bandwidth reservation services before encryption. Policies are attached to a crypto engine within the interface configuration.
• Carrier QoS—For each crypto engine, the SSC-600 provides a dual-priority queue for module traffic. Policies are attached to a crypto engine.

To activate the QoS capabilities of the module and carrier, you must enable QoS globally by entering the mls qos command.
When QoS is disabled globally, the system behavior is as follows:
• All QoS fields are left intact in packets.
• Packets flow through only one queue in the carrier card.

When QoS is enabled globally, the default system behavior is as follows:
• The default state of all ports and VLANs is the untrusted state, causing ports to clear the QoS fields in all traffic to zero unless a QoS policy is configured on the port.
• Packets flow through two queues in the carrier card. Packets with a CoS value of 5 will use the higher priority queue, while all other packets will use the lower priority queue.

Before configuring QoS for VPN, see the additional information provided in the following URLs:

Configuring QoS on the Cisco 7600 series router: http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/qos.html

Configuring QoS Features on a SIP: http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfgsip.html#wp1162382

Configuring QoS on the FlexWAN Modules: http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexqos.html

QoS Policing on the Cisco 7600 series router: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml

QoS Output Scheduling on the Cisco 7600 series router: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bf98.shtml

QoS Troubleshooting: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008074d6b1.shtml

Using the Module QoS Features of the WS-IPSEC-3 IPSEC VSPA

In VRF mode configurations using Virtual Tunnel Interface (VTI) or GRE with tunnel protection (TP), the WS-IPSEC-3 IPSEC VSPA can provide traffic shaping, queuing, and bandwidth reservation of outbound traffic before encryption, allowing you to prioritize traffic on a per-tunnel basis as well as to configure a shape rate for each tunnel.

This section contains the following topics:
• Classifying, Marking, and Policing Traffic, page 29-18
• Setting Priority, page 29-18
• Shaping Traffic, page 29-18
• Reserving Bandwidth, page 29-19
• Setting the Queue Limit, page 29-19
• Failover, page 29-19
• Configuring Module QoS, page 29-19

Classifying, Marking, and Policing Traffic

To apply the WS-IPSEC-3 IPSEC VSPA’s QoS features, you must first ensure that the class of service (CoS) of packets is marked on ingress and that any necessary policing is performed before the packets are passed to the WS-IPSEC-3 IPSEC VSPA. The Cisco 7600 series router performs classification, marking, and policing of traffic to the WS-IPSEC-3 IPSEC VSPA. These functions are configured using the following commands:
• Use the class-map command to classify types of traffic.
• Use the set command to mark the CoS or DSCP bits for a traffic class.
• Use the police command to limit the rate of a traffic class.

Setting Priority

For each tunnel, the WS-IPSEC-3 IPSEC VSPA provides one high-priority low-latency queue (LLQ) for latency-sensitive outbound traffic, such as VoIP. The high priority queue is served ahead of other queues in that tunnel. The priority policy-map class configuration command gives priority to a class of traffic belonging to a policy map, causing that traffic to be diverted to the high-priority queue. Only one priority level per tunnel is supported. When the priority command is used in a class map, no form of the bandwidth command is allowed in the same class map.

Shaping Traffic

The shape average policy-map class configuration command specifies a maximum data rate for a class of outbound traffic. While policing enforces a maximum rate by dropping or marking down excess packets, shaping queues the excess packets for sending at a later time.
Packets exceeding the maximum rate will be delayed but will not be dropped unless excess traffic is sustained at rates higher than the configured shape rate for long periods of time, causing shape buffers to overflow. When shaping is applied to a tunnel, all traffic in the tunnel must be included in the default class. Any additional classes must be defined in a child policy. 29-19 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 29 Configuring Enhanced IPSec Features Using the IPSec VPN SPA Configuring QoS on the WS-IPSEC-3 IPSEC VSPA To configure traffic shaping in the WS-IPSEC-3 IPSEC VSPA, use the shape average rate bc be command, where the rate argument specifies the maximum average bit rate and the optional be argument is the allowed excess burst level. The optional bc argument (the committed burst size) is ignored, but if be is specified, then bc must be configured to a value of at least the number of bits transferred during 4 milliseconds of traffic at the shape rate. The shape average command can be configured only for the tunnel top-level policy. It cannot be used in a child policy. Reserving Bandwidth The bandwidth policy-map class configuration command reserves a minimum bandwidth for a class of traffic. You can configure the bandwidth command in a child policy to reserve either an absolute rate or a percentage of the tunnel shape rate. If the priority command is configured on another class map within the same policy map, only the bandwidth remaining form of the bandwidth command (which is bandwidth remaining percent) can be used, since the higher priority traffic overrules any bandwidth guarantees. When you configure bandwidth reservation for a class, your settings are checked for capacity and oversubscription relative to the maximum shape rate. If a tunnel aggregate shaper is not configured, any configuration of bandwidth reservation will be rejected. 
Setting the Queue Limit

The queue-limit policy-map class configuration command specifies the maximum number of packets the queue can hold for a class policy configured in a policy map. The WS-IPSEC-3 IPSEC VSPA supports only packet-based queue limiting, and supports queue-limit configuration only on a class map.

Failover

If you deploy two WS-IPSEC-3 IPSEC VSPAs for intrachassis stateful failover using a blade failure group (BFG), the QoS configuration on the active WS-IPSEC-3 IPSEC VSPA is automatically reflected on the standby module. During a failover, packets in the queue are lost. The standby WS-IPSEC-3 IPSEC VSPA takes over, scheduling newly received packets according to the QoS configuration. Interchassis failover is not supported.

Configuring Module QoS

Module QoS configuration in the WS-IPSEC-3 IPSEC VSPA uses the Cisco Modular QoS CLI (MQC) framework. You can define traffic classes, associate policies and actions to each traffic class, and attach these policies to interfaces by following these steps:

Step 1 Define traffic classes using match statements with the class-map command.

Step 2 Configure policies using the defined traffic classes with the policy-map command.

Step 3 Within the interface configuration, attach policies to a crypto engine with the service-policy command. For module QoS, attach the service policy to the tunnel interface in the config-crypto-engine configuration mode after entering the crypto-engine interface level command.

The WS-IPSEC-3 IPSEC VSPA supports a hierarchical policy using two service policy levels:

• A parent policy, supporting only a single default class, to apply a QoS mechanism to a traffic aggregate.
• A child policy to apply a QoS mechanism to a flow or subset of the aggregate.
Logical interfaces, such as subinterfaces and tunnel interfaces, require a hierarchical policy with the traffic-shaping feature at the parent level and queuing at lower levels. While the traffic-shaping feature regulates the output rate, queuing may introduce additional latency or cause packet drops when the ingress traffic rate surpasses the configured queuing capacity.

For each tunnel, the WS-IPSEC-3 IPSEC VSPA supports a child policy with up to 8 classes, including the default class. Only one of the 8 traffic classes can be configured as a priority class on a tunnel interface. You can configure bandwidth reservation on any class that is not configured as the priority class. You cannot configure shaping on a traffic class (a child shaper); a single aggregate shaper can be configured in the parent policy.

Module QoS Configuration Guidelines and Restrictions

When configuring QoS settings for the WS-IPSEC-3 IPSEC VSPA, follow these guidelines and note these restrictions:

• To use the QoS features of the WS-IPSEC-3 IPSEC VSPA, you must enable QoS globally by entering the mls qos command.
• Because the WS-IPSEC-3 IPSEC VSPA performs QoS functions only on tunnel interfaces associated with the WS-IPSEC-3 IPSEC VSPA, configuring module QoS on a tunnel interface will always result in the tunnel being taken over.
• When module QoS is configured on a GRE/TP tunnel, the GRE processing is taken over by the WS-IPSEC-3 IPSEC VSPA.
• The WS-IPSEC-3 IPSEC VSPA performs QoS functions only on VTI or GRE/TP interfaces in VRF mode. The QoS functions are not supported with crypto connect mode or DMVPN.
• The QoS functions operate only on IPv4 traffic.
• QoS is supported for up to 2000 VTI tunnels or 1000 GRE/TP tunnels.
• The WS-IPSEC-3 IPSEC VSPA supports a maximum of 8 traffic classes per tunnel, including the default class.
  – We recommend that you configure one class as class-default.
  – One traffic class can be configured as priority, to be processed ahead of all other classes.
    This class is typically used for voice or other latency-sensitive traffic.
  – Each class can be configured separately for bandwidth reservation and a queue limit.
  – You cannot configure priority setting and bandwidth reservation within the same class map.
• When configuring bandwidth reservation, note the following guidelines:
  – Bandwidth reservation means a minimum bandwidth guarantee when 100 percent of the configured shape rate is utilized. If less than 100 percent is used, any class may use the available bandwidth above its configured reservation.
  – If no bandwidth is reserved for the default class, then 1 percent of the shape rate will be automatically reserved for the default class.
• The WS-IPSEC-3 IPSEC VSPA supports one aggregate shaper per tunnel, to be defined at the tunnel (parent) level. All traffic within the tunnel must be included in the shaper. If a shaper is defined, only the class-default class should be defined at the tunnel level, with the shaper applied to it. All other traffic classes must be defined in child policies.
• Any tunnel that uses module QoS functions must have a shaping policy.
• Because the WS-IPSEC-3 IPSEC VSPA relies on the ToS/CoS bits to classify and queue the packets properly, you should ensure that packets arriving at the WS-IPSEC-3 IPSEC VSPA have already been properly classified and marked. Because any host can set the DSCP or CoS of the packets it sends, do the marking (or remarking) and any policing of the priority class at the ingress edge of the router rather than trusting markings received from untrusted sources; otherwise a host can place its own traffic in the tunnel’s strict-priority queue and starve the other classes.
• The dropping policy is Random Early Detection (RED), and the RED parameters are not configurable. You cannot configure fair queueing.
• Bandwidth is reserved per class for each tunnel independently. The minimum bandwidth guarantee on a class level will not propagate to the tunnel level. There is no bandwidth guarantee on a tunnel. You cannot configure an explicit minimum rate at the tunnel level.
• You should avoid any policy that causes the reordering or dropping of post-encrypted packets. A post-encrypted packet already carries its ESP sequence number, so reordering it beyond the peer’s anti-replay window causes the peer to discard it; queuing and drops must happen before encryption.
• The configuration of priority applies only within the tunnel in which it is configured, and does not affect other tunnels.
• Increasing the queue limit increases latency.

Configuring a Child and Parent Policy

To configure a child and parent policy, perform these steps:

Step 1 Router(config)# policy-map child_policy_name
Enters the policy map configuration for the specified child policy map.

Step 2 Router(config-pmap)# class {class_map_name | class-default}
Enters the policy map class configuration for the specified class map or for the default class.

Step 3 Router(config-pmap-c)# priority
(Optional) Enables strict-priority (low latency queuing) on the class.

Step 4 Router(config-pmap-c)# bandwidth {kbps | percent percentage | remaining percent percentage}
(Optional) Enables minimum bandwidth reservation on a traffic class.
• bandwidth kbps — Specifies the reserved bandwidth as an absolute value in kbps that cannot exceed the configured tunnel shape rate.
• bandwidth percent percentage — Specifies the reserved bandwidth as a percentage of the configured tunnel shape rate.
• bandwidth remaining percent percentage — Specifies the reserved bandwidth as a percentage of the remaining tunnel bandwidth up to the configured tunnel shape rate after all LLQ packets have been served.

Step 5 Router(config-pmap-c)# queue-limit number_of_packets
(Optional) Sets the maximum size (in packets) of the traffic queue for the class.

Step 6 Router(config-pmap-c)# exit
Exits the policy map class configuration.

Step 7 Router(config-pmap)# exit
Exits the policy map configuration.

Step 8 Router(config)# policy-map parent_policy_name
Enters the policy map configuration for the specified parent policy map.

Step 9 Router(config-pmap)# class class-default
Enters the policy map class configuration for the default class map.

Step 10 Router(config-pmap-c)# shape average rate [bc be]
Enables average rate traffic shaping.
• rate—Specifies the committed information rate (CIR), in bits per second (bps).
• bc—(Optional) Specifies the committed burst size, in bits. This value is ignored, but must be set to a legal value if be is specified.
• be—(Optional) Specifies the excess burst size, in bits.

Step 11 Router(config-pmap-c)# service-policy child_policy_name
(Optional) Attaches a child policy map with up to seven additional class maps. Including the class-default class map, there can be a total of up to eight class maps.

Step 12 Router(config-pmap-c)# exit
Exits the policy map class configuration.

Step 13 Router(config-pmap)# exit
Exits the policy map configuration.

When configuring these commands, note the following:

• The bandwidth and bandwidth percent commands cannot be configured in the same policy map as the priority command. The bandwidth remaining percent command can be configured in the same policy map as the priority command.
• By default, the queue limit is 1000 for all non-LLQ traffic classes; for LLQ classes, the default is the number of packets that can be transferred in 4 milliseconds at the configured shape rate.
• The shape rate can range from 128 Kbps to 1 Gbps. If a tunnel has a low shape rate, we recommend that you also configure a small excess burst size (be).
• The default excess burst size (be) is the number of bits transferred during 4 milliseconds of traffic at the shape rate. For example, for a 256000 bps shape rate, the default excess burst size will be 1024 bits.
• If you configure be, then you must configure bc (the committed burst size) to a value of at least the number of bits transferred during 4 milliseconds of traffic at the shape rate.

Note We recommend that you allow the system to determine settings for bc and be.

For QoS configuration examples, see the “QoS Configuration Examples” section on page 29-24.

Using the Carrier QoS Features of the SSC-600

The SSC-600 implements a two-level, strict-priority QoS with two queues for each direction, inbound and outbound. Packets are dequeued in a two-to-one ratio, meaning that two packets are dequeued from the high-priority low-latency queue (LLQ) before one packet is dequeued from the low-priority queue. Packets are enqueued based on your priority-queue configuration settings. To take advantage of the SSC-600’s QoS capability, you must use standard QoS commands to ensure that the class of service (CoS) of packets is marked on ingress. You must configure the CoS map for the inside and outside ports and you must also enable QoS globally for the SSC-600 to acknowledge the CoS mapping.

Carrier QoS Configuration Guidelines and Restrictions

When configuring QoS settings for an SSC-600, follow these guidelines and note these restrictions:

• Packets are enqueued based on the mls qos command and the priority-queue configuration settings as follows:
  – When the mls qos command is not configured, all data packets are enqueued into the high-priority queue.
  – When the mls qos command is configured and no explicit priority-queue configuration is present on the WS-IPSEC-3 IPSEC VSPA ethernet interfaces, only packets with a CoS value of 5 are enqueued into the high-priority queue; all other packets are enqueued into the low-priority queue.
  – When the mls qos command is configured and priority-queue configuration is present on the WS-IPSEC-3 IPSEC VSPA ethernet interfaces, traffic is enqueued based on the priority-queue configuration.
• A maximum of three CoS map values can be sent to the high-priority queue. Because the CoS value of 5 is preconfigured as high-priority, you can choose only two other values for high-priority queueing.

Note Do not configure more than three CoS map values because any additional values will overwrite previously configured values. If you overwrite the CoS value of 5, the system will restore it, overwriting one of your other configured values. To restore an overwritten CoS map value, you must first delete the new value and then reconfigure the earlier value.

• When the mls qos command is configured, you must also configure the mls qos trust command on the WS-IPSEC-3 IPSEC VSPA ethernet interfaces, as in the following example:

Interface GigabitEthernet4/0/1
 mls qos trust cos
 priority-queue cos-map 1 0 1 5
!
Interface GigabitEthernet4/0/2
 mls qos trust cos
 priority-queue cos-map 1 0 1 5

In this example, the CoS values of 0, 1, and 5 are sent to the high-priority queue.

• In a blade failover group, both WS-IPSEC-3 IPSEC VSPAs must have matching carrier QoS configurations.
• If the mls qos trust command is not configured, the QoS fields in all traffic will be cleared to the default level. If the mls qos trust command is configured, the QoS fields will be preserved.

For a configuration example of module QoS, see the “Module QoS Configuration Example” section on page 29-24.
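The module QoS restrictions in the preceding sections (a parent policy that holds only class-default with the one shaper, at most eight child classes, one priority class, no bandwidth in the priority class, only bandwidth remaining percent alongside a priority class, reservations checked against the shape rate, and the 4 ms rule for bc and be) are easy to break when policies are generated from templates. The following Python checker is an added example, not part of this guide or of any Cisco tool: it parses policy-map blocks written in running-config layout and reports which restriction a parent and child pair violates. The sample input is a constructed string holding the Tunnel0 and Tunnel5 policy maps from the module QoS configuration example on page 29-24; all function and constant names are the example’s own.

```python
"""Checker for WS-IPSEC-3 module QoS policy hierarchies (added example, not
Cisco code). Only the policy-map keywords used in the guide are read."""

MIN_SHAPE_BPS = 128_000          # shape rate range stated in the guide
MAX_SHAPE_BPS = 1_000_000_000
MAX_CLASSES = 8                  # per tunnel, including class-default

def burst_bits_4ms(rate_bps):
    """Bits sent in 4 ms at the shape rate: the default be and the minimum bc."""
    return rate_bps * 4 // 1000

def parse_policy_maps(config_text):
    """Return {policy_name: {class_name: [command tokens, ...]}} from text in
    running-config layout (sub-commands indented); other blocks are skipped."""
    maps, cur_map, cur_class = {}, None, None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "policy-map":
            cur_map, cur_class = maps.setdefault(tokens[1], {}), None
        elif raw[0] not in " \t":
            cur_map = cur_class = None              # some other top-level block
        elif tokens[0] == "class" and cur_map is not None:
            cur_class = cur_map.setdefault(tokens[1], [])
        elif cur_class is not None:
            cur_class.append(tokens)
    return maps

def validate_tunnel_policy(maps, parent_name):
    """Check one parent policy and its child against the module QoS
    restrictions; returns a list of violations (empty means compliant)."""
    bad, parent = [], maps.get(parent_name)
    if parent is None:
        return [f"{parent_name}: policy-map not found"]
    if set(parent) != {"class-default"}:
        bad.append(f"{parent_name}: parent policy may contain only class-default")
    actions = parent.get("class-default", [])
    shape = next((a for a in actions if a[:2] == ["shape", "average"]), None)
    if shape is None:
        return bad + [f"{parent_name}: tunnel needs 'shape average' at the parent level"]
    rate = int(shape[2])
    if not MIN_SHAPE_BPS <= rate <= MAX_SHAPE_BPS:
        bad.append(f"{parent_name}: shape rate {rate} bps is outside 128 kbps to 1 Gbps")
    if len(shape) >= 5 and int(shape[3]) < burst_bits_4ms(rate):   # bc given with be
        bad.append(f"{parent_name}: bc must be at least {burst_bits_4ms(rate)} bits when be is set")
    child_name = next((a[1] for a in actions if a[0] == "service-policy"), None)
    if child_name is None:
        return bad                                  # shaper-only tunnel is legal
    child = maps.get(child_name, {})
    if len(child) > MAX_CLASSES:
        bad.append(f"{child_name}: {len(child)} classes exceed {MAX_CLASSES} including class-default")
    llq = [c for c, acts in child.items() if any(a[0] == "priority" for a in acts)]
    if len(llq) > 1:
        bad.append(f"{child_name}: only one priority class per tunnel")
    reserved_bps = 0
    for cname, acts in child.items():
        for a in acts:
            if a[0] == "shape":
                bad.append(f"{child_name}/{cname}: child shapers are not supported")
            if a[0] != "bandwidth":
                continue
            if cname in llq:
                bad.append(f"{child_name}/{cname}: priority and bandwidth in the same class")
            if a[1] == "remaining":
                continue                  # share of what LLQ leaves; always allowed
            if llq:
                bad.append(f"{child_name}/{cname}: with a priority class only "
                           "'bandwidth remaining percent' is allowed")
            # absolute form is in kbps, percent form is relative to the shape rate
            reserved_bps += rate * int(a[2]) // 100 if a[1] == "percent" else int(a[1]) * 1000
    if not any(a[0] == "bandwidth" for a in child.get("class-default", [])):
        reserved_bps += rate // 100               # 1 percent auto-reserved for class-default
    if reserved_bps > rate:
        bad.append(f"{child_name}: reservations of {reserved_bps} bps oversubscribe the {rate} bps shape rate")
    return bad

def check_all(config_text):
    """Validate every parent policy, i.e. one whose class-default carries a shaper."""
    maps = parse_policy_maps(config_text)
    parents = [n for n, cls in maps.items()
               if any(a[:2] == ["shape", "average"] for a in cls.get("class-default", []))]
    return {n: validate_tunnel_policy(maps, n) for n in parents}

# Constructed sample: the Tunnel0 and Tunnel5 policy maps from the guide's
# module QoS configuration example, in running-config layout.
SAMPLE_CONFIG = """\
policy-map Tunnel0ChildPolicy
 class class567
  priority
  queue-limit 100 packets
 class class34
  bandwidth remaining percent 40
 class class12
  bandwidth remaining percent 40
 class class-default
  bandwidth remaining percent 20
!
policy-map Tunnel0ParentPolicy
 class class-default
  shape average 1544000
  service-policy Tunnel0ChildPolicy
!
policy-map Tunnel5ParentPolicy
 class class-default
  shape average 128000 512 0
!
"""

if __name__ == "__main__":
    for name, problems in check_all(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else problems)
```

Feed it the output of show running-config | section policy-map; the checker only models the restrictions this guide states, so a clean result does not replace the router’s own rejection of an invalid service-policy at attach time.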
QoS Configuration Examples

This section provides examples of the following configurations:

• Carrier QoS Configuration Example, page 29-24
• Module QoS Configuration Example, page 29-24

Carrier QoS Configuration Example

The following example shows how to configure carrier QoS:

mls qos
!
Interface GigabitEthernet4/0/1
 mls qos trust cos
 priority-queue cos-map 1 0 1 5
!
Interface GigabitEthernet4/0/2
 mls qos trust cos
 priority-queue cos-map 1 0 1 5

Module QoS Configuration Example

The following example shows how to configure module QoS. It is a complete lab running configuration; only the mls qos, class-map, policy-map, crypto, and tunnel interface sections relate to module QoS. The remaining lines are lab settings and are not recommended practice (note in particular no service password-encryption, revocation-check none, and the plaintext vty password), so copy only the QoS-related sections into a production configuration:

upgrade fpd auto
version
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
service internal
service counters max age 10
!
hostname HUB2
!
boot-start-marker
boot system disk0:
boot-end-marker
!
logging buffered 1000000
!
no aaa new-model
clock timezone PST -8
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name cisco.com
!
vtp domain same_domain
vtp mode off
mls qos
mls netflow interface
no mls flow ip
no mls flow ipv6
mls ip slb purge global
no mls acl tcam share-global
mls cef error action reset
mls mpls tunnel-recir
call admission limit 90
!
crypto pki trustpoint MSCA
 enrollment mode ra
 enrollment url http://43.0.111.111:80/certsrv/mscep/mscep.dll
 serial-number
 ip-address none
 subject-name cn=HUB2,ou=isbu,o=cisco
 revocation-check none
!
!
crypto pki certificate chain MSCA
 certificate 1C67C77C0000000004C4
 certificate ca 7C0299B7C394F789436EBEFCCEAED66D
crypto engine mode vrf
crypto engine gre vpnblade
!
!
!
!
!
fabric timer 15
!
power redundancy-mode combined
diagnostic bootup level minimal
diagnostic monitor syslog
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 2-7
!
!
!
redundancy
 main-cpu
  auto-sync running-config
 mode sso
!
vlan internal allocation policy descending
vlan access-log ratelimit 2000
!
vlan 1
 tb-vlan1 1002
 tb-vlan2 1003
!
vlan 2-1001
!
vlan 1002
 tb-vlan1 1
 tb-vlan2 1003
!
vlan 1003
 tb-vlan1 1
 tb-vlan2 1002
 parent 1005
 backupcrf enable
!
vlan 1004
 bridge 1
 stp type ibm
!
vlan 1005
 bridge 1
!
class-map match-any class7
 match dscp cs7
class-map match-any class6
 match dscp cs6
class-map match-any class5
 match dscp cs5
class-map match-any class4
 match dscp cs4
class-map match-any class3
 match dscp cs3
class-map match-any class2
 match dscp cs2
class-map match-any class1
 match dscp cs1
class-map match-any class567
 match dscp cs5 cs6 cs7
class-map match-any class34
 match dscp cs3 cs4
class-map match-any class12
 match dscp cs1 cs2
!
!
policy-map Tunnel0ChildPolicy
 class class567
  priority
  queue-limit 100 packets
 class class34
  bandwidth remaining percent 40
 class class12
  bandwidth remaining percent 40
 class class-default
  bandwidth remaining percent 20
!
policy-map Tunnel0ParentPolicy
 class class-default
  shape average 1544000
  service-policy Tunnel0ChildPolicy
!
policy-map Tunnel1ChildPolicy
 class class7
  bandwidth percent 20
  queue-limit 100 packets
 class class6
  bandwidth percent 20
  queue-limit 100 packets
 class class5
  bandwidth percent 10
  queue-limit 100 packets
 class class4
  bandwidth percent 10
 class class3
  bandwidth percent 10
 class class2
  bandwidth percent 10
 class class1
  bandwidth percent 10
 class class-default
  bandwidth percent 10
!
policy-map Tunnel1ParentPolicy
 class class-default
  shape average 34000000 136000 0
  service-policy Tunnel1ChildPolicy
!
policy-map Tunnel2ChildPolicy
 class class7
  bandwidth 20000
 class class6
  bandwidth 20000
 class class5
  bandwidth 10000
 class class4
  bandwidth 10000
 class class3
  bandwidth 10000
 class class2
  bandwidth 10000
 class class1
  bandwidth 10000
 class class-default
  bandwidth 10000
!
policy-map Tunnel2ParentPolicy
 class class-default
  shape average 100000000
  service-policy Tunnel2ChildPolicy
!
policy-map Tunnel3ChildPolicy
 class class567
  bandwidth percent 30
 class class34
  bandwidth percent 30
 class class12
  bandwidth percent 20
 class class-default
  bandwidth percent 20
!
policy-map Tunnel3ParentPolicy
 class class-default
  shape average 1000000000
  service-policy Tunnel3ChildPolicy
!
policy-map Tunnel4ChildPolicy
 class class7
  priority
 class class6
  bandwidth remaining percent 20
 class class5
  bandwidth remaining percent 20
 class class4
  bandwidth remaining percent 20
 class class3
  bandwidth remaining percent 10
 class class2
  bandwidth remaining percent 10
 class class1
  bandwidth remaining percent 10
 class class-default
  bandwidth remaining percent 10
!
policy-map Tunnel4ParentPolicy
 class class-default
  shape average 256000
  service-policy Tunnel4ChildPolicy
!
policy-map Tunnel5ParentPolicy
 class class-default
  shape average 128000 512 0
!
!
!
!
crypto isakmp policy 10
 encr aes
 group 2
 lifetime 7200
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set MyTranSet esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile MyIpsecProf
 set transform-set MyTranSet
!
!
buffers small permanent 1024
buffers small max-free 1500
buffers small min-free 500
buffers middle permanent 512
buffers middle max-free 3000
buffers middle min-free 100
buffers big permanent 1000
buffers big max-free 1000
buffers big min-free 300
!
!
interface Tunnel0
 bandwidth 10000000
 ip address 3.0.0.1 255.255.255.0
 ip hello-interval eigrp 10 60
 ip hold-time eigrp 10 180
 tunnel source Loopback0
 tunnel destination 5.0.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyIpsecProf
 crypto engine slot 4/0 inside
 crypto-engine service-policy output Tunnel0ParentPolicy
!
interface Tunnel1
 bandwidth 10000000
 ip address 3.0.1.1 255.255.255.0
 ip hello-interval eigrp 10 60
 ip hold-time eigrp 10 180
 tunnel source Loopback1
 tunnel destination 5.0.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyIpsecProf
 crypto engine slot 4/0 inside
 crypto-engine service-policy output Tunnel1ParentPolicy
!
interface Tunnel2
 bandwidth 10000000
 ip address 3.0.2.1 255.255.255.0
 ip hello-interval eigrp 10 60
 ip hold-time eigrp 10 180
 tunnel source Loopback2
 tunnel destination 5.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyIpsecProf
 crypto engine slot 4/0 inside
 crypto-engine service-policy output Tunnel2ParentPolicy
!
interface Tunnel3
 bandwidth 10000000
 ip address 3.0.3.1 255.255.255.0
 ip hello-interval eigrp 10 60
 ip hold-time eigrp 10 180
 tunnel source Loopback3
 tunnel destination 5.0.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyIpsecProf
 crypto engine slot 4/0 inside
 crypto-engine service-policy output Tunnel3ParentPolicy
!
interface Tunnel4
 bandwidth 10000000
 ip address 3.0.4.1 255.255.255.0
 ip hello-interval eigrp 10 60
 ip hold-time eigrp 10 180
 tunnel source Loopback4
 tunnel destination 5.0.4.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyIpsecProf
 crypto engine slot 4/0 inside
 crypto-engine service-policy output Tunnel4ParentPolicy
!
interface Tunnel5
 bandwidth 10000000
 ip address 3.0.5.1 255.255.255.0
 ip hello-interval eigrp 10 60
 ip hold-time eigrp 10 180
 tunnel source Loopback5
 tunnel destination 5.0.5.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyIpsecProf
 crypto engine slot 4/0 inside
 crypto-engine service-policy output Tunnel5ParentPolicy
!
interface Loopback0
 ip address 4.0.0.1 255.255.255.255
!
interface Loopback1
 ip address 4.0.1.1 255.255.255.255
!
interface Loopback2
 ip address 4.0.2.1 255.255.255.255
!
interface Loopback3
 ip address 4.0.3.1 255.255.255.255
!
interface Loopback4
 ip address 4.0.4.1 255.255.255.255
!
interface Loopback5
 ip address 4.0.5.1 255.255.255.255
!
interface TenGigabitEthernet2/1
 description EGRESS INTERFACE
 mtu 9216
 ip address 6.0.0.1 255.255.255.0
 load-interval 30
 shutdown
 mls qos trust dscp
 crypto engine slot 4/0 outside
 hold-queue 4096 in
!
interface TenGigabitEthernet2/2
 no ip address
 shutdown
!
interface TenGigabitEthernet2/3
 description INGRESS INTERFACE
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-7
 switchport mode trunk
 mtu 9216
 load-interval 30
 mls qos trust dscp
 hold-queue 4096 in
!
interface TenGigabitEthernet2/4
 description TO TESTCENTER PORT 2/2 (NOT IN USE)
 mtu 9216
 no ip address
 load-interval 30
 shutdown
!
interface TenGigabitEthernet2/5
 no ip address
 shutdown
!
interface TenGigabitEthernet2/6
 no ip address
 shutdown
!
interface TenGigabitEthernet2/7
 no ip address
 shutdown
!
interface TenGigabitEthernet2/8
 no ip address
 shutdown
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 9216
 wrr-queue cos-map 2 1 4
 priority-queue cos-map 1 5 6 7
 rcv-queue cos-map 1 3 4
 mls qos trust dscp
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast edge trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 9216
 wrr-queue cos-map 2 1 4
 priority-queue cos-map 1 5 6 7
 rcv-queue cos-map 1 3 4
 mls qos trust dscp
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast edge trunk
!
interface GigabitEthernet5/1
 no ip address
 shutdown
!
interface GigabitEthernet5/2
 description LABNET
 ip address 44.0.111.118 255.0.0.0
 media-type rj45
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 mtu 9216
 ip address 1.0.0.1 255.255.255.0
!
interface Vlan3
 mtu 9216
 ip address 1.0.1.1 255.255.255.0
!
interface Vlan4
 mtu 9216
 ip address 1.0.2.1 255.255.255.0
!
interface Vlan5
 mtu 9216
 ip address 1.0.3.1 255.255.255.0
!
interface Vlan6
 mtu 9216
 ip address 1.0.4.1 255.255.255.0
!
interface Vlan7
 mtu 9216
 ip address 1.0.5.1 255.255.255.0
!
router eigrp 10
 network 3.0.0.0
 no auto-summary
 distribute-list T0000 out Tunnel0
 distribute-list T0001 out Tunnel1
 distribute-list T0002 out Tunnel2
 distribute-list T0003 out Tunnel3
 distribute-list T0004 out Tunnel4
 distribute-list T0005 out Tunnel5
 timers active-time 10
 redistribute connected metric 900 100 255 1 1400
!
router ospf 10
 log-adjacency-changes
 summary-address 4.0.0.0 255.0.0.0
 redistribute connected metric 10 subnets
 network 6.0.0.0 0.0.0.255 area 0
 distribute-list 10 out
!
ip default-gateway 44.0.100.1
ip classless
ip route 43.0.0.0 255.0.0.0 44.0.100.1
ip route 223.255.254.53 255.255.255.255 44.0.100.1
!
!
no ip http server
no ip http secure-server
!
!
ip access-list standard T0000
 permit 1.0.0.0 0.0.0.255
ip access-list standard T0001
 permit 1.0.1.0 0.0.0.255
ip access-list standard T0002
 permit 1.0.2.0 0.0.0.255
ip access-list standard T0003
 permit 1.0.3.0 0.0.0.255
ip access-list standard T0004
 permit 1.0.4.0 0.0.0.255
ip access-list standard T0005
 permit 1.0.5.0 0.0.0.255
logging alarm informational
logging 43.0.111.111
access-list 10 permit 4.0.0.0 0.255.255.255
!
!
!
!
no cdp run
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
exception core-file
mac-address-table aging-time 0
ntp clock-period 17219357
ntp update-calendar
ntp server 223.255.254.53
!
end

Configuring Sequenced Crypto ACLs

Access control lists (ACLs) are made up of access control entries (ACEs). With sequenced ACLs, ACEs can be entered with a sequence number in front of the ACE and the ACEs are then processed by sequence number. Additionally, ACEs can be deleted one at a time by using the sequence number in front of the ACE that you want to delete. The sequence numbers do not appear in the configuration but they can be displayed using the show access-list command.

Note If an ACE is removed or modified, the ACL is reconfigured on the IPSec VPN SPA, which might result in tearing down existing sessions.

Configuring Deny Policy Enhancements for Crypto ACLs

Specifying a deny address range in an ACL results in “jump” behavior. When a denied address range is hit, it forces the search to “jump” to the beginning of the ACL associated with the next sequence in a crypto map and continue the search. If you want to pass clear traffic on these addresses, you must insert a deny address range for each sequence in a crypto map. In turn, each permit list of addresses inherits all the deny address ranges specified in the ACL. A deny address range causes the software to do a subtraction of the deny address range from a permit list, and creates multiple permit address ranges that need to be programmed in hardware. This behavior can cause repeated address ranges to be programmed in the hardware for a single deny address range, resulting in multiple permit address ranges in a single ACL.

To avoid this problem, use the crypto ipsec ipv4-deny {jump | clear | drop} command, whose keywords behave as follows:

• The jump keyword results in the standard “jump” behavior.
• The clear keyword allows a deny address range to be programmed in hardware. The deny addresses are then filtered out for encryption and decryption. If the VPN mode is crypto-connect, when a deny address is hit, the search is stopped and traffic is allowed to pass in the clear (unencrypted) state. If the VPN mode is VRF, the deny address matching traffic is dropped. Review deny ranges carefully before choosing clear in crypto-connect mode: a deny entry that is broader than intended sends the matching traffic across the untrusted network unencrypted, whereas drop fails closed.
• The drop keyword causes traffic to be dropped when a deny address is hit.

The clear and drop keywords can be used to prevent repeated address ranges from being programmed in the hardware, resulting in more efficient TCAM space utilization.

Deny Policy Enhancements for Crypto ACLs Configuration Guidelines and Restrictions

When configuring the deny policy enhancements, follow these guidelines and restrictions:

• The crypto ipsec ipv4-deny {jump | clear | drop} command is a global command that is applied to a single IPSec VPN SPA. The specified keyword (jump, clear, or drop) is propagated to the ACE software of the IPSec VPN SPA. The default behavior is jump.
• When the clear keyword is used with VRF mode, deny address traffic is dropped rather than passed in the clear state. VRF mode does not pass traffic in the clear state.
• If you apply the specified keyword (jump, clear, or drop) when crypto maps are already configured on the IPSec VPN SPA, all existing IPSec sessions are temporarily removed and restarted, which impacts traffic on your network.
• The number of deny entries that can be specified in an ACL depends on the keyword specified:
  – jump—Supports up to 8 deny entries in an ACL.

Note The limit of 8 deny jump entries in an ACL should be considered a guideline rather than a fixed limit. Depending on your configuration, the practical limit could be fewer than 8.
  – clear—Supports up to 1000 deny entries in an ACL.
  – drop—Supports up to 1000 deny entries in an ACL.

For a deny policy enhancements configuration example, see the “Deny Policy Enhancements for ACLs Configuration Example” section on page 29-40.

Configuration Examples

This section provides examples of the following configurations:

• Advanced Encryption Standard Configuration Example, page 29-34
• Reverse Route Injection Configuration Examples, page 29-34
• IPSec Anti-Replay Window Size Configuration Examples, page 29-36
• IPSec Preferred Peer Configuration Examples, page 29-38
• IPSec Security Association Idle Timer Configuration Examples, page 29-38
• Distinguished Name-Based Crypto Maps Configuration Example, page 29-39
• QoS Configuration Example, page 29-40
• Deny Policy Enhancements for ACLs Configuration Example, page 29-40

Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA. As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your start-up configuration to avoid extended maintenance time.
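The deny-range subtraction described in “Configuring Deny Policy Enhancements for Crypto ACLs” above is easier to reason about with numbers. The following Python model is an added example, not part of this guide or of Cisco software: it subtracts every deny range in an ACL from each permit range, which is what the jump policy must program in hardware, and compares the resulting entry count with the clear and drop policies, which program the deny range itself. It models one address dimension only (a crypto ACL also matches the other address and the protocol, which multiplies the count further); the sample ACL, permitting one /16 with two /24 holes, is constructed, and the function names are the example’s own.

```python
"""Deny-range expansion for crypto ACLs (added example, not Cisco code).
Models, in one address dimension, the entries each crypto ipsec ipv4-deny
policy needs: jump splits every permit around every deny, clear and drop
program the deny range as an entry of its own."""
import ipaddress

def subtract_denies(permit, denies):
    """Prefixes left of one permit range after every deny range in the same
    ACL has been subtracted from it (what the jump policy programs)."""
    remaining = [ipaddress.ip_network(permit)]
    for d in denies:
        deny, nxt = ipaddress.ip_network(d), []
        for p in remaining:
            if p.version != deny.version or not p.overlaps(deny):
                nxt.append(p)                          # no overlap: keep as is
            elif p.subnet_of(deny):
                continue                               # fully covered: drop it
            else:
                nxt.extend(p.address_exclude(deny))    # punch the hole
        remaining = nxt
    return sorted(remaining)

def hardware_entries(permits, denies, policy="jump"):
    """Entries one ACL needs in hardware under a crypto ipsec ipv4-deny policy."""
    if policy == "jump":
        return sum(len(subtract_denies(p, denies)) for p in permits)
    if policy in ("clear", "drop"):
        return len(permits) + len(denies)     # the deny ranges become entries
    raise ValueError(f"unknown deny policy {policy!r}")

def crypto_map_entries(acls, policy="jump"):
    """Total for a crypto map whose sequences each carry an ACL given as
    (permits, denies). Under jump, a deny that should bypass encryption has to
    be repeated in every sequence's ACL, and each repetition is expanded."""
    return sum(hardware_entries(p, d, policy) for p, d in acls)

# Constructed sample ACL: one permit range with two deny holes.
PERMITS = ["192.168.0.0/16"]
DENIES = ["192.168.1.0/24", "192.168.200.0/24"]

if __name__ == "__main__":
    for policy in ("jump", "clear", "drop"):
        print(f"{policy:5s} {hardware_entries(PERMITS, DENIES, policy):3d} entries")
    for n in subtract_denies(PERMITS[0], DENIES):
        print("  permit", n)
```

For the sample ACL, jump needs 14 permit entries (the /16 minus the first /24 leaves eight prefixes, and the second /24 splits one of those into seven more) while clear or drop need 3, which is the TCAM saving the guidelines above refer to. The first deny alone already yields eight prefixes, so the guideline limit of 8 deny entries per ACL under jump is reached quickly when denies fall in different parts of the permit range.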
Advanced Encryption Standard Configuration Example

The following example configures a transform set that uses the Advanced Encryption Standard (AES) with a 256-bit key:

crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
 mode transport
crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.110.1
 set transform-set aesset

Reverse Route Injection Configuration Examples

The following examples show how to configure RRI:

• RRI Under a Static Crypto Map Configuration Example, page 29-35
• RRI Under a Dynamic Crypto Map Configuration Example, page 29-35
• RRI with Existing ACLs Configuration Example, page 29-35
• RRI for Two Routes Configuration Example, page 29-35
• RRI Through a User-Defined Hop Configuration Example, page 29-35

RRI Under a Static Crypto Map Configuration Example

The following example shows how to configure RRI under a static crypto map. In this example, the RRI-created route has been tagged with a tag number.
This tag number can then be used by a routing process to redistribute the tagged route through a route map:

Router(config)# crypto map mymap 1 ipsec-isakmp
Router(config-crypto-map)# reverse-route tag 5

RRI Under a Dynamic Crypto Map Configuration Example

The following example shows how to configure RRI under a dynamic crypto map:

Router(config)# crypto dynamic-map mymap 1
Router(config-crypto-map)# reverse-route remote-peer 10.1.1.1

RRI with Existing ACLs Configuration Example

The following example shows how to configure RRI for a situation in which there are existing ACLs:

Router(config)# crypto map mymap 1 ipsec-isakmp
Router(config-crypto-map)# set peer 172.17.11.1
Router(config-crypto-map)# reverse-route static
Router(config-crypto-map)# set transform-set esp-3des-sha
Router(config-crypto-map)# match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255

RRI for Two Routes Configuration Example

The following example shows how to configure two routes, one for the remote endpoint and one for route recursion to the remote endpoint via the interface on which the crypto map is configured:

Router(config-crypto-map)# reverse-route remote-peer

RRI Through a User-Defined Hop Configuration Example

The following example shows that one route has been created to the remote proxy through a user-defined next hop. This next hop should not require a recursive route lookup unless it will recurse to a default route.
Router(config-crypto-map)# reverse-route remote-peer 10.4.4.4

IPSec Anti-Replay Window Size Configuration Examples

The following examples show how to configure the IPSec anti-replay window size:
• IPSec Anti-Replay Window Global Configuration Example, page 29-36
• IPSec Anti-Replay Window per Crypto Map Configuration Example, page 29-37

IPSec Anti-Replay Window Global Configuration Example

The following example shows that the anti-replay window size has been set globally to 1024:

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-Gateway1
!
boot-start-marker
boot-end-marker
!
clock timezone EST 0
no aaa new-model
ip subnet-zero
!
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 192.165.201.2
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.165.201.2
 set transform-set basic
 match address 101
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1/0
 ip address 192.165.200.2 255.255.255.252
 serial restart-delay 0
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.165.200.1
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!access-list 101 remark Crypto ACL
!
control-plane
!
line con 0
line aux 0
line vty 0 4
end

IPSec Anti-Replay Window per Crypto Map Configuration Example

The following example shows that anti-replay checking is disabled for IPSec connections to 172.150.150.2, but enabled (with the default window size of 64) for IPSec connections to 172.150.150.3 and 172.150.150.4:

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dr_whoovie
!
enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1
enable password ww
!
ip subnet-zero
cns event-service server
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco170 address 172.150.150.2
crypto isakmp key cisco180 address 172.150.150.3
crypto isakmp key cisco190 address 172.150.150.4
crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
crypto ipsec transform-set 180cisco esp-des esp-md5-hmac
crypto ipsec transform-set 190cisco esp-des esp-md5-hmac
crypto map ETH0 17 ipsec-isakmp
 set peer 172.150.150.2
 set security-association replay disable
 set transform-set 170cisco
 match address 170
crypto map ETH0 18 ipsec-isakmp
 set peer 172.150.150.3
 set transform-set 180cisco
 match address 180
crypto map ETH0 19 ipsec-isakmp
 set peer 172.150.150.4
 set transform-set 190cisco
 match address 190
!
interface Ethernet0
 ip address 172.150.150.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no mop enabled
 crypto map ETH0
!
interface Serial0
 ip address 172.160.160.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
!
ip classless
ip route 172.170.170.0 255.255.255.0 172.150.150.2
ip route 172.180.180.0 255.255.255.0 172.150.150.3
ip route 172.190.190.0 255.255.255.0 172.150.150.4
no ip http server
!
access-list 170 permit ip 172.160.160.0 0.0.0.255 172.170.170.0 0.0.0.255
access-list 180 permit ip 172.160.160.0 0.0.0.255 172.180.180.0 0.0.0.255
access-list 190 permit ip 172.160.160.0 0.0.0.255 172.190.190.0 0.0.0.255
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
end

IPSec Preferred Peer Configuration Examples

The following examples show how to configure an IPSec preferred peer:
• Default Peer Configuration Example, page 29-38
• IPSec Idle Timer with Default Peer Configuration Example, page 29-38

Default Peer Configuration Example

The following example shows how to configure a default peer. In this example, the first peer, at IP address 1.1.1.1, is the default peer:

Router(config)# crypto map tohub 1 ipsec-isakmp
Router(config-crypto-map)# set peer 1.1.1.1 default
Router(config-crypto-map)# set peer 2.2.2.2
Router(config-crypto-map)# exit

IPSec Idle Timer with Default Peer Configuration Example

The following example shows how to configure an IPSec idle timer with a default peer.
In the following example, if the current peer is idle for 600 seconds, the default peer 1.1.1.1 (which was specified in the set peer command) is used for the next attempted connection:

Router(config)# crypto map tohub 1 ipsec-isakmp
Router(config-crypto-map)# set peer 1.1.1.1 default
Router(config-crypto-map)# set peer 2.2.2.2
Router(config-crypto-map)# set security-association idle-time 600 default
Router(config-crypto-map)# exit

IPSec Security Association Idle Timer Configuration Examples

The following examples show how to configure the IPSec SA idle timer:
• IPSec SA Idle Timer Global Configuration Example, page 29-39
• IPSec SA Idle Timer per Crypto Map Configuration Example, page 29-39

IPSec SA Idle Timer Global Configuration Example

The following example globally configures the IPSec SA idle timer to drop SAs for inactive peers after 600 seconds:

Router(config)# crypto ipsec security-association idle-time 600

IPSec SA Idle Timer per Crypto Map Configuration Example

The following example configures the IPSec SA idle timer for the crypto map named test to drop SAs for inactive peers after 600 seconds:

Router(config)# crypto map test 1 ipsec-isakmp
Router(config-crypto-map)# set security-association idle-time 600

Distinguished Name-Based Crypto Maps Configuration Example

The following example shows how to configure distinguished name-based crypto maps that have been authenticated by DN and hostname. Comments are included inline to explain various commands.

! DN based crypto maps require you to configure an IKE policy at each peer.
crypto isakmp policy 15
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 171.69.224.33
!
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset
 match address 124
 identity to-bigbiz
!
crypto identity to-bigbiz
 dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn little.com
!

QoS Configuration Example

The following example shows how to configure the dual-priority queue for module QoS:

mls qos
!
interface GigabitEthernet4/0/1
 mls qos trust cos
 priority-queue cos-map 1 0 1 5
!
interface GigabitEthernet4/0/2
 mls qos trust cos
 priority-queue cos-map 1 0 1 5

Deny Policy Enhancements for ACLs Configuration Example

The following example shows a configuration using the deny policy clear option. In this example, when a deny address is hit, the search stops and traffic is allowed to pass in the clear (unencrypted) state:

Router(config)# crypto ipsec ipv4-deny clear

CHAPTER 30

Configuring PKI Using the IPSec VPN SPA

This chapter provides information about configuring PKI-related features using the IPSec VPN SPA on the Cisco 7600 series router.
It includes the following sections:
• Overview of PKI, page 30-2
• Configuring Multiple RSA Key Pairs, page 30-3
• Configuring Protected Private Key Storage, page 30-5
• Configuring a Trustpoint CA, page 30-8
• Configuring Query Mode Definition Per Trustpoint, page 30-11
• Configuring a Local Certificate Storage Location, page 30-14
• Configuring Direct HTTP Enroll with CA Servers (Reenroll Using Existing Certificates), page 30-16
• Configuring Manual Certificate Enrollment (TFTP and Cut-and-Paste), page 30-22
• Configuring Certificate Autoenrollment, page 30-26
• Configuring Key Rollover for Certificate Renewal, page 30-30
• Configuring PKI: Query Multiple Servers During Certificate Revocation Check, page 30-36
• Configuring the Online Certificate Status Protocol, page 30-37
• Configuring Optional OCSP Nonces, page 30-41
• Configuring Certificate Security Attribute-Based Access Control, page 30-41
• Configuring PKI AAA Authorization Using the Entire Subject Name, page 30-45
• Configuring Source Interface Selection for Outgoing Traffic with Certificate Authority, page 30-47
• Configuring Persistent Self-Signed Certificates, page 30-48
• Configuring Certificate Chain Verification, page 30-52
• Configuration Examples, page 30-53

Note
The procedures in this chapter assume you have some familiarity with PKI configuration concepts. For detailed information about PKI configuration concepts, refer to the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference. For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 15.0SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.

Tip
To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.

Overview of PKI

Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols such as IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL). A PKI is composed of the following entities:
• Peers communicating on a secure network
• At least one certificate authority (CA) that grants and maintains certificates
• Digital certificates, which contain information such as the certificate validity period, peer identity information, encryption keys that are used for secure communications, and the signature of the issuing CA
• An optional registration authority (RA) to offload the CA by processing enrollment requests
• A distribution mechanism (such as Lightweight Directory Access Protocol (LDAP) or HTTP) for certificate revocation lists (CRLs)

PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Every entity (a person or a device) participating in the secured communications is enrolled in the PKI, a process in which the entity generates a Rivest, Shamir, and Adleman (RSA) key pair (one private key and one public key) and has its identity validated by a trusted entity (also known as a CA or trustpoint).
After each entity enrolls in a PKI, every peer (also known as an end host) in a PKI is granted a digital certificate that has been issued by a CA. When peers must negotiate a secured communication session, they exchange digital certificates. Based on the information in the certificate, a peer can validate the identity of another peer and establish an encrypted session with the public keys contained in the certificate.

Configuring PKI involves the following tasks:
• Deploying Rivest, Shamir, and Adleman (RSA) keys within a public key infrastructure (PKI). An RSA key pair (a public and a private key) is required before you can obtain a certificate for your router; that is, the end host must generate a pair of RSA keys and exchange the public key with the certificate authority (CA) to obtain a certificate and enroll in a PKI.
• Configuring authorization and revocation of certificates within a PKI. After a certificate is validated as a properly signed certificate, it is authorized using methods such as certificate maps, PKI-AAA, or a certificate-based access control list (ACL). The revocation status is checked by the issuing certificate authority (CA) to ensure that the certificate has not been revoked.
• Configuring certificate enrollment, which is the process of obtaining a certificate from a certificate authority (CA). Certificate enrollment occurs between the end host requesting the certificate and the CA. Each peer that participates in the public key infrastructure (PKI) must enroll with a CA. Various methods are available for certificate enrollment.
• Storing public key infrastructure (PKI) credentials, such as Rivest, Shamir, and Adleman (RSA) keys and certificates. These credentials can be stored in the default location on the router, which is NVRAM, or in other locations.
Configuring Multiple RSA Key Pairs

The multiple RSA key pair support feature allows you to configure a Cisco 7600 series router to have multiple Rivest, Shamir, and Adleman (RSA) key pairs. The Cisco IOS software can maintain a different key pair for each identity certificate.

Before this feature, Cisco IOS public key infrastructure (PKI) configurations allowed either one general-purpose key pair or a set of special-purpose key pairs (an encryption and a signing key pair). The scenarios in which the key pairs were deployed often required the router to enroll with multiple certificate servers, because each server has an independent policy and may also have different requirements regarding general-purpose versus special-purpose certificates or key length. With this feature, a user can configure different key pairs for each certification authority (CA) with which the router enrolls and can match policy requirements for each CA without compromising the requirements specified by the other CAs, such as key length, key lifetime, and general-purpose versus special-usage keys.

Multiple RSA Key Pairs Configuration Guidelines and Restrictions

When configuring multiple RSA key pair support, follow these guidelines and restrictions:
• It is recommended that Secure Socket Layer (SSL) or other PKI clients do not attempt to enroll with the same CA multiple times.
• Internet Key Exchange (IKE) will not work for any identity that is configured to use a named key pair. If an IKE peer requests a certificate from a PKI trustpoint that is using multiple key support, the initial portion of the exchange will work, that is, the correct certificate will be sent in the certificate response; however, the named key pair will not be used and the IKE negotiation will fail.
• Whenever you regenerate a key pair, you must always reenroll the certificate identities with that key pair.
To configure an RSA key pair, perform this task beginning in global configuration mode:

Command / Purpose

Step 1
  Router(config)# crypto key generate rsa [usage-keys | general-keys] [key-pair-label]
  Generates RSA key pairs.
  • usage-keys—(Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair.
  • general-keys—(Optional) Specifies that the general-purpose key pair should be generated.
  • key-pair-label—(Optional) Specifies the name of the key pair that the router will use. (If this argument is used, you must specify either usage-keys or general-keys.)

Step 2
  Router(config)# crypto pki trustpoint name
  Declares the CA that the router should use and enters ca-trustpoint configuration mode.
  • name—Name of the CA.

Step 3
  Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
  Specifies which key pair to associate with the certificate.
  • key-label—The name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is configured.
  • key-size—(Optional) The size of the desired RSA key. If not specified, the existing key size is used. (The specified size must be the same as the encryption-key-size.)
  • encryption-key-size—(Optional) The size of the second key, which is used to request separate encryption, signature keys, and certificates. (The specified size must be the same as the key-size.)

Removing RSA Key Pair Settings

To delete a specified RSA key pair or all RSA key pairs that have been generated by your router, enter the crypto key zeroize rsa command in global configuration mode as follows:

Router(config)# crypto key zeroize rsa [key-pair-label]

key-pair-label specifies the name of the key pair to be deleted. If the key-pair-label argument is used, you will delete only the specified RSA key pair. If no argument is used, you will delete all the RSA key pairs from your router.

Verifying RSA Key Information

To verify RSA key information, use at least one of the privileged EXEC commands used in the examples.

To display your router’s RSA public keys, use the show crypto key mypubkey rsa command:

Router# show crypto key mypubkey rsa
% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Encryption Key
 Key Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

To display a list of all the RSA public keys stored on your router (including the public keys of peers that have sent your router their certificates during peer authentication for IPSec), or to display details of a particular RSA public key stored on your router, use the show crypto key pubkey-chain rsa command:

Router# show crypto key pubkey-chain rsa
Codes: M - Manually Configured, C - Extracted from certificate
Code  Usage       IP-address    Name
M     Signature   10.0.0.1      myrouter.example.com
M     Encryption  10.0.0.1      myrouter.example.com
C     Signature   172.16.0.1    routerA.example.com
C     Encryption  172.16.0.1    routerA.example.com
C     General     192.168.10.3  routerB.domain1.com

For complete configuration information for Multiple RSA Key Pair Support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftmltkey.html

For an RSA key pair configuration example, see the “Multiple RSA Key Pairs Configuration Example” section on page 30-53.
Configuring Protected Private Key Storage

The protected private key storage feature allows a user to encrypt and lock the RSA private keys that are used on a Cisco 7600 series router, thereby preventing unauthorized use of the private keys.

Protected Private Key Storage Configuration Guidelines and Restrictions

When configuring protected private key storage, follow these guidelines and restrictions:
• An encrypted key is not effective after the router boots up until you manually unlock the key (using the crypto key unlock rsa command). Depending on which key pairs are encrypted, this functionality may adversely affect applications such as IP Security (IPSec), Secure Shell (SSH) and Secure Socket Layer (SSL); that is, management of the router over a secure channel may not be possible until the necessary key pair is unlocked.
• If a passphrase is lost, you must regenerate the key, enroll with the CA server again, and obtain a new certificate. A lost passphrase cannot be recovered.
• If you want to change a passphrase, you must decrypt the key with the current passphrase using the crypto key decrypt rsa command and encrypt the key once more to specify the new passphrase.

Configuring Private Keys

To encrypt, decrypt, lock, and unlock private keys, perform this task beginning in global configuration mode:

Command / Purpose

Step 1
  Router(config)# crypto key encrypt [write] rsa [name key-name] passphrase passphrase
  Encrypts the RSA keys. After this command is entered, the router can continue to use the key; the key remains unlocked.
  • write—(Optional) Router configuration is immediately written to NVRAM. If the write keyword is not specified, the configuration must be manually written to NVRAM; otherwise, the encrypted key will be lost next time the router is reloaded.
  • name key-name—(Optional) Name of the RSA key pair that is to be encrypted. If a key name is not specified, the default key name, routername.domainname, is used.
  • passphrase passphrase—Passphrase that is used to encrypt the RSA key. To access the RSA key pair, the passphrase must be specified.

Step 2
  Router(config)# exit
  Exits global configuration mode.

Step 3
  Router# show crypto key mypubkey rsa
  (Optional) Shows that the private key is encrypted (protected) and unlocked.

Step 4
  Router# crypto key lock rsa [name key-name] passphrase passphrase
  (Optional) Locks the encrypted private key on a running router.
  • name key-name—(Optional) Name of the RSA key pair that is to be locked. If a key name is not specified, the default key name, routername.domainname, is used.
  • passphrase passphrase—Passphrase that is used to lock the RSA key. To access the RSA key pair, the passphrase must be specified.
  Note
  After the key is locked, it cannot be used to authenticate the router to a peer device. This behavior disables any IPSec or SSL connections that use the locked key. Any existing IPSec tunnels created on the basis of the locked key will be closed. If all RSA keys are locked, SSH will automatically be disabled.

Step 5
  Router# show crypto key mypubkey rsa
  (Optional) Shows that the private key is protected and locked. The output will also show failed connection attempts by applications such as IKE, SSH, and SSL.

Step 6
  Router# crypto key unlock rsa [name key-name] passphrase passphrase
  (Optional) Unlocks the private key.
  • name key-name—(Optional) Name of the RSA key pair that is to be unlocked. If a key name is not specified, the default key name, routername.domainname, is used.
  • passphrase passphrase—Passphrase that is used to unlock the RSA key.
    To access the RSA key pair, the passphrase must be specified.
  Note
  After this command is entered, you can continue to establish IKE tunnels.

Step 7
  Router# configure terminal
  Enters global configuration mode.

Step 8
  Router(config)# crypto key decrypt [write] rsa [name key-name] passphrase passphrase
  (Optional) Deletes the encrypted key and leaves only the unencrypted key.
  • write—(Optional) Unencrypted key is immediately written to NVRAM. If the write keyword is not specified, the configuration must be manually written to NVRAM; otherwise, the key will remain encrypted the next time the router is reloaded.
  • name key-name—(Optional) Name of the RSA key pair that is to be deleted. If a key name is not specified, the default key name, routername.domainname, is used.
  • passphrase passphrase—Passphrase that is used to delete the RSA key. To access the RSA key pair, the passphrase must be specified.

Verifying the Protected and Locked Private Keys

To verify that the key is protected (encrypted) and locked, enter the show crypto key mypubkey rsa command:

Router# show crypto key mypubkey rsa
% Key pair was generated at: 20:29:41 GMT Jun 20 2003
Key name: pki1-72a.cisco.com
 Usage: General Purpose Key
 *** The key is protected and LOCKED. ***
 Key is exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
  0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
  B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001

For complete configuration information for protected private key storage, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_ppkey.html

For protected private key configuration examples, see the “Protected Private Key Storage Configuration Examples” section on page 30-54.

Configuring a Trustpoint CA

The crypto pki trustpoint command allows you to declare the certificate authority (CA) that your router should use and to specify characteristics for the CA. The crypto pki trustpoint command combines and replaces the functionality of the existing crypto ca identity command and the crypto ca trusted-root command. Although both of these existing commands allow you to declare the certification authority (CA) that your router should use, only the crypto ca identity command supports enrollment (the requesting of a router certificate from a CA).

Trustpoint CA Configuration Guidelines and Restrictions

When configuring a trustpoint CA, follow these guidelines and restrictions:
• After the trustpoint CA has been configured, you can obtain the certificate of the CA by using the crypto pki authenticate command, or you can specify that certificates should not be stored locally but retrieved from a CA trustpoint by using the crypto pki certificate query command.
• Normally, certain certificates are stored locally in the router’s NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use the crypto pki certificate query command to put the router into query mode, preventing certificates from being stored locally; instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM space but could result in a slight performance impact.
To declare the CA that your router should use and specify characteristics for the trustpoint CA, perform this task beginning in global configuration mode:

Command / Purpose

Step 1
  Router(config)# crypto pki trustpoint name
  Declares the CA that your router should use. Enabling this command puts you in ca-trustpoint configuration mode.
  • name—Name for the trustpoint CA.

Step 2
  Router(ca-trustpoint)# enrollment [[mode ra] | [retry period minutes] | [retry count number] | [url url]]
  Specifies enrollment parameters for your CA.
  • mode ra—(Optional) Specifies registration authority (RA) mode if your CA system provides an RA. RA mode is turned off until you enable the mode ra keyword.
  • minutes—(Optional) Specifies the wait period between certificate request retries. The default is 1 minute between retries. (Specify from 1 to 60 minutes.)
  • number—(Optional) Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. The default is 10 retries. (Specify from 1 to 100 retries.)
  • url—Specifies the URL of the CA where your router should send certificate requests; for example, http://ca_server. url must be in the form http://CA_name, where CA_name is the CA’s host Domain Name System (DNS) name or IP address.

  Router(ca-trustpoint)# root tftp server-hostname filename
  Obtains the CA via TFTP.
  • server-hostname—Name for the server that will store the trustpoint CA.
  • filename—Name for the file that will store the trustpoint CA.
Step 3
  Router(ca-trustpoint)# enrollment http-proxy host-name port-num
  Obtains the CA via HTTP through the proxy server.
  • host-name—Name of the proxy server used to get the CA.
  • port-num—Port number used to access the CA.
  Note
  This command can be used only in conjunction with the enrollment command.

Step 4
  Router(ca-trustpoint)# primary name
  (Optional) Assigns a specified trustpoint as the primary trustpoint of the router.
  • name—Name of the primary trustpoint of the router.

Step 5
  Router(ca-trustpoint)# crl {query url | optional}
  (Optional) Queries the certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.
  • url—Lightweight Directory Access Protocol (LDAP) URL published by the certificate authority (CA) server is specified to query the CRL; for example, ldap://another_server.
  • optional—CRL verification is optional.
  Note
  If the query url option is not enabled, the router will check the certificate distribution point (CDP) that is embedded in the certificate.

Step 6
  Router(ca-trustpoint)# default command-name
  (Optional) Sets the value of a ca-trustpoint configuration mode subcommand to its default.
  • command-name—pki-trustpoint configuration subcommand. Default is off.

Step 7
  Router(ca-trustpoint)# exit
  Exits ca-trustpoint configuration mode and enters global configuration mode.

Step 8
  Router(config)# crypto pki authenticate name
  Authenticates the CA (by obtaining the certificate of the CA).
  • name—Name of the CA. Enter the name value entered in Step 1.

Step 9
  Router(config)# crypto pki trustpoint name
  Reenters ca-trustpoint configuration mode.
  • name—Name for the trustpoint CA.

Step 10
  Router(ca-trustpoint)# crypto pki certificate query
  (Optional) Turns on query mode per specified trustpoint, causing certificates not to be stored locally.

Verifying a Trustpoint CA

To verify information about your certificate, the certificate of the CA, and registration authority (RA) certificates, enter the show crypto pki certificates command:

Router# show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 34BCF8A0
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 34BCF89F
  Key Usage: Encryption

To display the trustpoints that are configured in the router, enter the show crypto pki trustpoints command:

Router# show crypto pki trustpoints
Trustpoint bo:
    Subject Name:
    CN = bomborra Certificate Manager
    O = cisco.com
    C = US
    Serial Number: 01
    Certificate configured.
    CEP URL: http://bomborra
    CRL query url: ldap://bomborra

For complete configuration information for the trustpoint CA, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/fttrust.html

For a trustpoint CA configuration example, see the “Trustpoint CA Configuration Example” section on page 30-54.

Configuring Query Mode Definition Per Trustpoint

Certificates contain public key information and are signed by a certificate authority (CA) as proof of identity. Normally, all certificates are stored locally in the router’s NVRAM, and each certificate uses a moderate amount of memory. The query mode definition per trustpoint feature allows you to define a query for a specific trustpoint so that the certificates associated with that specific trustpoint can be stored on a remote server.
This feature is especially useful in environments where multiple trustpoints are configured on a router, because it gives you more control over each trustpoint: query mode can be activated on specific trustpoints rather than on all of the trustpoints on the router.

Query Mode Definition Per Trustpoint Configuration Guidelines and Restrictions

When configuring query mode definition per trustpoint, follow these guidelines and restrictions:
• Normally, certificates are stored locally in the router’s NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use the query certificate command to prevent certificates from being stored locally; instead, they are retrieved from a remote server, such as a CA or LDAP server, during startup. This saves NVRAM space but can have a slight performance impact, and it makes the availability of the router’s certificates at boot dependent on that server being reachable.
• Certificates associated with a specified trustpoint are not written to NVRAM, and the certificate query is attempted during the next reload of the router.
• When the global crypto pki certificate query command is used, query certificate is added to all trustpoints on the router. When the no crypto pki certificate query command is used, any previous query certificate configuration is removed from all trustpoints, any query in progress is halted, and the feature is disabled.

To configure a trustpoint CA and initiate query mode for the trustpoint, perform this task beginning in global configuration mode:

Step 1  Router(config)# crypto pki trustpoint name
        Declares the CA that your router should use. Entering this command puts you in ca-trustpoint configuration mode.
        • name—Name for the trustpoint CA.

Step 2  Router(ca-trustpoint)# enrollment [[mode ra] | [retry period minutes] | [retry count number] | [url url]]
        Specifies enrollment parameters for your CA.
        • mode ra—(Optional) Specifies registration authority (RA) mode if your CA system provides an RA. RA mode is off until you enable it with the mode ra keyword.
        • minutes—(Optional) Wait period between certificate request retries. The default is 1 minute between retries (specify from 1 to 60 minutes).
        • number—(Optional) Number of times the router resends a certificate request when it receives no response to the previous request. The default is 10 retries (specify from 1 to 100 retries).
        • url—URL of the CA to which your router sends certificate requests; for example, http://ca_server. The URL must be in the form http://CA_name, where CA_name is the DNS host name or IP address of the CA.

Step 3  Router(ca-trustpoint)# enrollment http-proxy host-name port-num
        (Optional) Obtains the CA certificate via HTTP through a proxy server.
        • host-name—Name of the proxy server used to reach the CA.
        • port-num—Port number used to access the CA.
        Note  This command can be used only in conjunction with the enrollment command.

Step 4  Router(ca-trustpoint)# crl query url
        (Optional) Specifies the URL for the CA server if the CA server supports query mode through LDAP.
        • url—Lightweight Directory Access Protocol (LDAP) URL published by the certificate authority (CA) server.

Step 5  Router(ca-trustpoint)# default command-name
        (Optional) Resets a ca-trustpoint configuration subcommand to its default value.
        • command-name—pki-trustpoint configuration subcommand. The default is off.

Step 6  Router(ca-trustpoint)# query certificate
        Turns on query mode for the specified trustpoint, so that its certificates are not stored locally but are retrieved from a remote server.

Step 7  Router(ca-trustpoint)# exit
        Exits ca-trustpoint configuration mode and enters global configuration mode.

Step 8  Router(config)# crypto pki authenticate name
        Authenticates the CA by obtaining the certificate of the CA. Compare the displayed fingerprint with a value obtained out of band before accepting it.
        • name—Name of the CA. Enter the name value entered in Step 1.

Step 9  Router(config)# crypto key generate rsa
        (Optional) Generates RSA key pairs.

Step 10 Router(config)# crypto pki enroll trustpoint-name
        (Optional) Obtains the router certificate.
        • trustpoint-name—Name of the CA. Enter the name value entered in Step 1.

Verifying Query Mode Definition Per Trustpoint CA

For query mode to operate correctly during the next reload, the certificates must be associated with the trustpoint. Use the show crypto pki certificates command to verify that each of the trustpoints has the needed certificates before saving the configuration and reloading the router:

Router# show crypto pki certificates status
Trustpoint yni:
  Issuing CA certificate pending:
    Subject Name: cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
  Router certificate pending:
    Subject Name: hostname=trance.cisco.com,o=cisco.com
  Next query attempt:
    52 seconds

For complete configuration information for Query Mode Definition Per Trustpoint, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_qerym.html

For a query mode definition per trustpoint configuration example, see the “Query Mode Definition Per Trustpoint Configuration Example” section on page 30-54.
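In Step 8 of both procedures above (crypto pki authenticate), the router fetches the CA certificate over an unauthenticated channel, prints its fingerprint, and asks whether to accept it. The only defence against a spoofed CA at that moment is comparing the printed fingerprint with a value obtained out of band from the CA operator. The following Python script is an added example for this guide, not Cisco code: it computes the IOS-style fingerprint from a PEM-encoded copy of the CA certificate (so the CA operator can publish it, or you can check against a copy you already trust) and extracts the fingerprint from pasted router output for a case- and spacing-insensitive comparison. Older releases print only an MD5 fingerprint, as in the sample output above; newer releases also print a SHA1 line, and both lengths are handled. The embedded PEM block is a constructed placeholder byte string, not a real certificate, and the show text is constructed to match the format quoted in this chapter; supply the CA's real PEM file as the first argument to check a live enrollment.

```python
"""IOS-style CA certificate fingerprint check for 'crypto pki authenticate'.

Added example for this guide; not Cisco code. Run with a CA PEM file as the
only argument, or with no arguments to use the constructed sample data.
"""
import base64
import hashlib
import hmac
import re
import sys
from typing import Optional

GROUP = 8  # IOS prints fingerprints as space-separated groups of 8 hex digits

# Constructed placeholder: in real use the base64 body of the PEM block is the
# DER encoding of the CA certificate. This is an arbitrary byte string so the
# example runs offline; it is NOT a certificate.
SAMPLE_DER = b"constructed placeholder: not a real DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Constructed router output in the format quoted in this chapter.
SAMPLE_SHOW = """\
Trustpoint yni:
    Issuing CA certificate pending:
    Subject Name: cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
    Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# "Fingerprint:" (old releases, MD5 only) or "Fingerprint MD5:" / "Fingerprint SHA1:"
FINGERPRINT_RE = re.compile(
    r"Fingerprint(?:\s+(MD5|SHA1))?\s*:\s*((?:[0-9A-Fa-f]{8}\s*){4,5})")


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes wrapped by the first PEM CERTIFICATE block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def ios_fingerprint(der: bytes, algo: str = "md5") -> str:
    """Digest of the DER certificate formatted the way IOS displays it,
    e.g. 'C21514AC 12815946 09F635ED FBB6CF31' for MD5."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + GROUP] for i in range(0, len(hexdigest), GROUP))


def normalize(fp: str) -> str:
    """Keep only hex digits, upper-cased, so spacing and case do not matter."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(shown: str, expected: str) -> bool:
    """True only if both values are the same digest (same length, same hex)."""
    a, b = normalize(shown), normalize(expected)
    return bool(a) and len(a) == len(b) and hmac.compare_digest(a, b)


def fingerprint_from_show(text: str) -> Optional[str]:
    """Pull the first fingerprint out of pasted 'crypto pki authenticate' or
    'show crypto pki certificates' output; None if there is none."""
    m = FINGERPRINT_RE.search(text)
    return " ".join(m.group(2).split()) if m else None


def verify_against_show(pem: str, show_text: str) -> bool:
    """Compare the fingerprint the router displayed with one computed from a
    trusted copy of the CA certificate. MD5 (32 hex digits) and SHA1 (40) are
    told apart by length, so whichever the router printed is checked."""
    shown = fingerprint_from_show(show_text)
    if shown is None:
        return False
    der = pem_to_der(pem)
    algo = "sha1" if len(normalize(shown)) == 40 else "md5"
    return fingerprint_matches(shown, ios_fingerprint(der, algo))


if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    der = pem_to_der(pem)
    print("Fingerprint MD5: ", ios_fingerprint(der, "md5"))
    print("Fingerprint SHA1:", ios_fingerprint(der, "sha1"))
    print("matches sample show output:", verify_against_show(pem, SAMPLE_SHOW))
```

Answer "yes" to the router's prompt only when verify_against_show reports True for the fingerprint it printed; a mismatch means the certificate you fetched is not the CA you intended to trust, whatever its subject name says.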
Configuring a Local Certificate Storage Location

The Local Certificate Storage Location feature enables you to store public key infrastructure (PKI) credentials, such as Rivest, Shamir, and Adleman (RSA) keys and certificates, in a specific location. Certificate storage locations include NVRAM, which is the default, and other local storage locations supported by your platform, such as flash.

Note  The Local Certificate Storage Location feature is supported only as of Cisco IOS Release 12.2(33)SRA.

Local Certificate Storage Location Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring a local certificate storage location:
• Before you can specify the local certificate storage location, your system must meet the following requirements:
  – A PKI-enabled image from Cisco IOS Release 12.4(2)T or later (12.2(33)SRA or later on the Cisco 7600)
  – A platform that supports storing PKI credentials as separate files
  – A configuration that contains at least one certificate
  – An accessible local file system
• When storing certificates to a local storage location, the following restrictions apply:
  – Only local file systems may be used. An error message is displayed if a remote file system is selected, and the command does not take effect.
  – A subdirectory may be specified if the local file system supports it. NVRAM does not support subdirectories.
  – Certificates are stored in NVRAM by default; however, some routers do not have enough NVRAM to store certificates successfully. Cisco IOS Release 12.4(2)T introduced the ability to specify where certificates are stored on a local file system.
  – During run time, you can specify which active local storage device to use for storing certificates.
Specifying a Local Storage Location for Certificates

To specify the local storage location for certificates, perform the following steps beginning in global configuration mode:

Step 1  Router(config)# crypto pki certificate storage location-name
        Specifies the local storage location for certificates.
        • location-name—Name of the storage location.

Step 2  Router(config)# exit
        Exits global configuration mode.

Step 3  Router# copy source-url destination-url
        (Optional) Saves the running configuration to the startup configuration; for example, copy running-config startup-config.
        • source-url—The location URL (or alias) of the source file or directory to be copied. The source can be either local or remote, depending on whether the file is being downloaded or uploaded.
        • destination-url—The destination URL (or alias) of the copied file or directory. The destination can be either local or remote, depending on whether the file is being downloaded or uploaded.

Note  The setting takes effect only when the running configuration is saved to the startup configuration.

Verifying the Local Certificate Storage Location Configuration

To verify a local certificate storage location configuration, enter the show crypto pki certificates storage command, which displays the current setting for the PKI certificate storage location. The following example shows that certificates are stored in the certs subdirectory of disk0:

Router# show crypto pki certificates storage
Certificates will be stored in disk0:/certs/

For complete configuration information for local certificate storage location, refer to the Cisco IOS Security Configuration Guide or the following URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html

For local certificate storage configuration examples, see the “Local Certificate Storage Location Configuration Example” section on page 30-55.

Configuring Direct HTTP Enroll with CA Servers (Reenroll Using Existing Certificates)

The direct HTTP enroll with CA servers feature allows users to bypass the registration authority (RA) when enrolling with a certification authority (CA) by configuring an enrollment profile. HTTP enrollment requests can then be sent directly to the CA server. The reenroll using existing certificates functionality allows a router that is enrolled with a third-party vendor CA to use its existing certificate to enroll with the Cisco IOS certificate server, so that the enrollment request is granted automatically.

Direct HTTP Enroll with CA Servers Configuration Guidelines and Restrictions

When configuring direct HTTP enroll with CA servers, follow these guidelines and restrictions:
• The CA certificate and router certificates must be returned in privacy enhanced mail (PEM) format.
• If an enrollment profile is specified, an enrollment URL cannot be specified in the trustpoint configuration.
• Because there is no standard for the HTTP commands used by the various CAs, you must enter the command that is appropriate to the CA being used.
• The newly created trustpoint can be used only once (when the router is enrolled with the Cisco IOS CA). After the initial enrollment completes successfully, the credential information is deleted from the enrollment profile.
• The Cisco IOS certificate server automatically grants only the requests from clients that were already enrolled with the non-Cisco IOS CA.
All other requests must be granted manually unless the server is set to auto grant mode (using the grant auto command). Auto grant mode issues a certificate to any client that can reach the server, so enable it only on a server whose reachability is restricted to the clients you intend to enroll.
• To configure direct HTTP enroll with CA servers, you must perform the following steps:
  – Either configure a certificate enrollment profile for the client router (see the “Configuring an Enrollment Profile for a Client Router” section on page 30-17) or configure an enrollment profile for a client router that is already enrolled with a third-party vendor CA (see the “Configuring an Enrollment Profile for a Client Router Enrolled with a Third-Party Vendor CA” section on page 30-18).
  – Configure the CA certificate server to accept enrollment requests only from clients that are already enrolled with the third-party vendor CA trustpoint (see the “Configuring the CA to Accept Enrollment Requests from Clients of a Third-Party Vendor CA” section on page 30-20).

Configuring an Enrollment Profile for a Client Router

To configure a certificate enrollment profile, perform this task beginning in global configuration mode:

Step 1  Router(config)# crypto pki trustpoint name
        Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.
        • name—Name of the CA trustpoint.

Step 2  Router(ca-trustpoint)# enrollment profile label
        Specifies that an enrollment profile is used for certificate authentication and enrollment.
        • label—Name for the enrollment profile.

Step 3  Router(ca-trustpoint)# exit
        Exits ca-trustpoint configuration mode and enters global configuration mode.

Step 4  Router(config)# crypto pki profile enrollment label
        Defines an enrollment profile and enters ca-profile-enroll configuration mode.
        • label—Name for the enrollment profile; it must match the name specified in the enrollment profile command.

Step 5  Router(ca-profile-enroll)# authentication url url
        (Optional) Specifies the URL of the CA server to which certificate authentication requests are sent.
        • url—URL of the CA server to which your router sends authentication requests. If using HTTP, the URL should read “http://CA_name”, where CA_name is the DNS host name or IP address of the CA. If using TFTP, the URL should read “tftp://certserver/file_specification”. (If the URL does not include a file specification, the fully qualified domain name (FQDN) of the router is used.)

        or

        Router(ca-profile-enroll)# authentication terminal
        (Optional) Specifies manual cut-and-paste certificate authentication.

Step 6  Router(ca-profile-enroll)# authentication command
        (Optional) Sends the HTTP request to the CA for authentication. Use this command after the authentication url command has been entered.

Step 7  Router(ca-profile-enroll)# enrollment url url
        Specifies the URL of the CA server to which certificate enrollment requests are sent via HTTP or TFTP.
        • url—URL of the CA server.

        or

        Router(ca-profile-enroll)# enrollment terminal
        Specifies manual cut-and-paste certificate enrollment.

Step 8  Router(ca-profile-enroll)# enrollment command
        (Optional) Specifies the HTTP command that is sent to the CA for enrollment.

Step 9  Router(ca-profile-enroll)# parameter number {value value | prompt string}
        (Optional) Specifies parameters for an enrollment profile.
        • number—User parameter. Valid values range from 1 to 18.
        • value—Used if the parameter has a constant value.
        • string—Used if the parameter is supplied after the crypto pki authenticate command or the crypto pki enroll command has been entered.
        Note  The value of the string argument does not affect the value that is used by the router. This command can be used multiple times to specify multiple values.

Step 10 Router(ca-profile-enroll)# exit
        Exits ca-profile-enroll configuration mode and enters global configuration mode.

Step 11 Router(config)# exit
        Exits global configuration mode and enters privileged EXEC mode.

Step 12 Router# show crypto pki certificates
        (Optional) Verifies information about your certificate, the certificate of the CA, and RA certificates.

Step 13 Router# show crypto pki trustpoints
        (Optional) Displays the trustpoints that are configured in the router.

Configuring an Enrollment Profile for a Client Router Enrolled with a Third-Party Vendor CA

When a client router is already enrolled with a third-party vendor CA, but you want to reenroll that router with a Cisco IOS certificate server, perform the following procedures. Note that some prerequisite steps are required before beginning the configuration.

Prerequisites

Before configuring a certificate enrollment profile for the client router enrolled with a third-party vendor, you should already have performed the following tasks at the client router:
• Defined a trustpoint that points to the third-party vendor CA.
• Authenticated and enrolled the client router with the third-party vendor CA.
To configure a certificate enrollment profile for a client router that is already enrolled with a third-party vendor CA, so that the router can reenroll with a Cisco IOS certificate server, perform this task beginning in global configuration mode:

Step 1  Router(config)# crypto pki trustpoint name
        Declares the CA that your router should use and enters ca-trustpoint configuration mode.
        • name—Name of the Cisco IOS CA that is to be used.

Step 2  Router(ca-trustpoint)# enrollment profile label
        Specifies that an enrollment profile is to be used for certificate reenrollment.
        • label—Name for the enrollment profile.

Step 3  Router(ca-trustpoint)# exit
        Exits ca-trustpoint configuration mode and enters global configuration mode.

Step 4  Router(config)# crypto pki profile enrollment label
        Defines an enrollment profile and enters ca-profile-enroll configuration mode.
        • label—Name for the enrollment profile; it must match the name specified in the enrollment profile command in Step 2.

Step 5  Router(ca-profile-enroll)# enrollment url url
        Specifies the URL of the CA server to which certificate enrollment requests are sent via HTTP.
        • url—The enrollment URL should point to the Cisco IOS CA.

Step 6  Router(ca-profile-enroll)# enrollment credential label
        Specifies the non-Cisco IOS CA trustpoint whose certificate is presented when enrolling with the Cisco IOS CA.
        • label—Name of the CA trustpoint of the other vendor.

Step 7  Router(ca-profile-enroll)# exit
        Exits ca-profile-enroll configuration mode and enters global configuration mode.

Step 8  Router(config)# exit
        Exits global configuration mode and enters privileged EXEC mode.

Step 9  Router# show crypto pki certificates
        (Optional) Verifies information about your certificate, the certificate of the CA, and RA certificates.

Step 10 Router# show crypto pki trustpoints
        (Optional) Displays the trustpoints that are configured in the router.

Configuring the CA to Accept Enrollment Requests from Clients of a Third-Party Vendor CA

To configure the CA certificate server to accept enrollment requests only from clients that are already enrolled with the third-party vendor CA trustpoint, perform this task beginning in global configuration mode:

Step 1  Router(config)# ip http server
        Enables the HTTP server on your system.

Step 2  Router(config)# crypto pki server cs-label
        Enables the certificate server and enters certificate server configuration mode.
        • cs-label—The cs-label argument must match the name that was specified by the crypto pki trustpoint command for the client router.

Step 3  Router(cs-server)# database url root-url
        Specifies the location where all database entries for the certificate server are written.
        • root-url—Root URL.
        Note  If this command is not specified, all database entries are written to NVRAM.

Step 4  Router(cs-server)# database level {minimal | names | complete}
        Controls what type of data is stored in the certificate enrollment database.
        • minimal—Only enough information is stored to continue issuing new certificates without conflict; this is the default.
        • names—In addition to the information stored at the minimal level, the serial number and subject name of each certificate.
        • complete—In addition to the information stored at the minimal and names levels, each issued certificate is written to the database.
        Note  The complete keyword produces a large amount of information; if it is specified, you should also specify an external TFTP server in which to store the data, using the database url command.

Step 5  Router(cs-server)# issuer-name DN-string
        Sets the CA issuer name to the specified DN-string.
        • DN-string—The default value is issuer-name CN=cs-label.

Step 6  Router(cs-server)# grant auto trustpoint label
        Enables the certificate server to automatically grant only the requests from clients that are already enrolled with the specified non-Cisco IOS CA trustpoint.
        • label—Name of the CA trustpoint of the other vendor.
        Note  The label argument should match the trustpoint that was specified for the client router’s enrollment profile (using the enrollment credential command).

Step 7  Router(cs-server)# lifetime {ca-certificate | certificate} time
        (Optional) Specifies the lifetime, in days, of the CA certificate or of issued certificates.
        • time—Valid values range from 1 day to 1825 days. The default CA certificate lifetime is 3 years; the default certificate lifetime is 1 year. The maximum certificate lifetime is 1 month less than the lifetime of the CA certificate.

Step 8  Router(cs-server)# lifetime crl time
        (Optional) Defines the lifetime, in hours, of the certificate revocation list (CRL) that is used by the certificate server.
        • time—The maximum lifetime is 336 hours (2 weeks). The default is 168 hours (1 week). A shorter CRL lifetime limits how long a revoked certificate keeps being accepted by peers that cache the CRL, at the cost of more frequent CRL retrieval.

Step 9  Router(cs-server)# cdp-url url
        (Optional) Defines a CRL distribution point (CDP) to be used in the certificates that are issued by the certificate server.
        • url—The URL must be an HTTP URL.

Step 10 Router(cs-server)# no shutdown
        Enables the certificate server. Enter this command only after you have completely configured your certificate server; shutdown disables the server without removing its configuration.

Step 11 Router(cs-server)# exit
        Exits certificate server configuration mode.

Step 12 Router(config)# exit
        Exits global configuration mode.

Step 13 Router# show crypto pki server
        (Optional) Displays the current state and configuration of the certificate server.

For complete configuration information for direct HTTP enroll with CA servers, including the “reenroll using existing certificates” functionality, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gthttpca.html

For direct HTTP enroll with CA servers configuration examples, see the “Direct HTTP Enrollment with CA Servers Configuration Examples” section on page 30-55.

Configuring Manual Certificate Enrollment (TFTP and Cut-and-Paste)

The manual certificate enrollment (TFTP and cut-and-paste) feature allows users to generate a certificate request and to accept certification authority (CA) certificates as well as the router’s own certificates; these tasks are accomplished through a TFTP server or through manual cut-and-paste operations. You might want to use TFTP or manual cut-and-paste enrollment in the following situations:
• The CA does not support Simple Certificate Enrollment Protocol (SCEP), which is the most commonly used method for sending and receiving requests and certificates.
• A network connection between the router and the CA is not possible. (Normally, a router running Cisco IOS software obtains its certificate over such a connection.)
Manual Certificate Enrollment (TFTP and Cut-and-Paste) Configuration Guidelines and Restrictions

When configuring manual certificate enrollment (TFTP and cut-and-paste), follow these guidelines and restrictions:
• You can switch between TFTP and cut-and-paste; for example, you can paste the CA certificate using the enrollment terminal command, then enter no enrollment terminal and enrollment url tftp://certserver/file_specification to switch to TFTP for sending requests and receiving router certificates. However, Cisco does not recommend switching URLs if SCEP is used; that is, if the enrollment URL is http://, do not change the enrollment URL between fetching the CA certificate and enrolling the certificate.

Configuring Manual Enrollment Using TFTP

Before configuring manual enrollment using TFTP, you must meet the following prerequisites:
• You must know the correct URL to use if you are configuring certificate enrollment using TFTP.
• The router must be able to write a file to the TFTP server for the crypto pki enroll command.
• Some TFTP servers require that the file exist on the server before it can be written.
• Most TFTP servers require that the file be writable by anyone. This requirement poses a risk because any router or other device may write or overwrite the certificate request; the router is then unable to use the certificate once the CA grants it, because the request that was signed is not the one the router generated. Limit this exposure by restricting which hosts can reach the TFTP server, and have the CA operator confirm that the subject name and public key in the received request match what the router displayed when the request was generated.

To declare the trustpoint CA that your router should use and configure that trustpoint CA for manual enrollment using TFTP, perform this task beginning in global configuration mode:

Step 1  Router(config)# crypto pki trustpoint name
        Declares the CA that your router should use and enters ca-trustpoint configuration mode.
        • name—Name of the CA.
Step 2  Router(ca-trustpoint)# enrollment [mode] [retry period minutes] [retry count number] url url
        Specifies the enrollment parameters of your CA.
        • mode—Specifies registration authority (RA) mode if your CA system provides an RA.
        • minutes—Wait period between certificate request retries. The default is 1 minute between retries.
        • number—Number of times the router resends a certificate request when it receives no response to the previous request (specify from 1 to 100 retries).
        • url—URL of the CA to which your router sends certificate requests. If you are using SCEP for enrollment, the URL must be in the form http://CA_name, where CA_name is the DNS host name or IP address of the CA. If you are using TFTP for enrollment, the URL must be in the form tftp://certserver/file_specification.

Step 3  Router(ca-trustpoint)# exit
        Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 4  Router(config)# crypto pki authenticate name
        Authenticates the CA by obtaining the certificate of the CA. Compare the displayed fingerprint with a value obtained out of band before accepting it.
        • name—Name of the CA. Enter the name value entered in Step 1.

Step 5  Router(config)# crypto pki enroll name
        Obtains your router’s certificates from the CA.
        • name—Name of the CA. Enter the name value entered in Step 1.

Step 6  Router(config)# crypto pki import name certificate
        Imports a certificate using TFTP.
        • name—Name of the CA. Enter the name value entered in Step 1.
Configuring Certificate Enrollment Using Cut-and-Paste

To declare the trustpoint CA that your router should use and configure that trustpoint CA for manual enrollment using cut-and-paste, perform this task beginning in global configuration mode:

Step 1  Router(config)# crypto pki trustpoint name
        Declares the CA that your router should use and enters ca-trustpoint configuration mode.
        • name—Name of the CA.

Step 2  Router(ca-trustpoint)# enrollment terminal
        Specifies manual cut-and-paste certificate enrollment.

Step 3  Router(ca-trustpoint)# exit
        Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 4  Router(config)# crypto pki authenticate name
        Authenticates the CA by obtaining the certificate of the CA, which you paste at the terminal. Compare the displayed fingerprint with a value obtained out of band before accepting it.
        • name—Name of the CA. Enter the name value entered in Step 1.

Step 5  Router(config)# crypto pki enroll name
        Obtains your router’s certificates from the CA.
        • name—Name of the CA. Enter the name value entered in Step 1.

Step 6  Router(config)# crypto pki import name certificate
        Imports a certificate manually at the terminal.
        • name—Name of the CA. Enter the name value entered in Step 1.
        Note  You must enter the crypto pki import command twice if usage keys (separate signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time, the other certificate is pasted. It does not matter which certificate is pasted first.

Verifying the Manual Certificate Enrollment Configuration

To verify information about your certificate, the certificate of the CA, and RA certificates, enter the show crypto pki certificates command:

Router# show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 14DECE05000000000C48
  Certificate Usage: Encryption
  Issuer:
    CN = msca-root
    O = Cisco Systems
    C = US
  Subject:
    Name: Router.cisco.com
    OID.1.2.840.113549.1.9.2 = Router.cisco.com
  CRL Distribution Point:
    http://msca-root/CertEnroll/msca-root.crl
  Validity Date:
    start date: 18:16:45 PDT Jun 7 2002
    end   date: 18:26:45 PDT Jun 7 2003
    renew date: 16:00:00 PST Dec 31 1969
  Associated Trustpoints: MS

Certificate
  Status: Available
  Certificate Serial Number: 14DEC2E9000000000C47
  Certificate Usage: Signature
  Issuer:
    CN = msca-root
    O = Cisco Systems
    C = US
  Subject:
    Name: Router.cisco.com
    OID.1.2.840.113549.1.9.2 = Router.cisco.com
  CRL Distribution Point:
    http://msca-root/CertEnroll/msca-root.crl
  Validity Date:
    start date: 18:16:42 PDT Jun 7 2002
    end   date: 18:26:42 PDT Jun 7 2003
    renew date: 16:00:00 PST Dec 31 1969
  Associated Trustpoints: MS

CA Certificate
  Status: Available
  Certificate Serial Number: 3AC0A65E9547C2874AAF2468A942D5EE
  Certificate Usage: Signature
  Issuer:
    CN = msca-root
    O = Cisco Systems
    C = US
  Subject:
    CN = msca-root
    O = Cisco Systems
    C = US
  CRL Distribution Point:
    http://msca-root/CertEnroll/msca-root.crl
  Validity Date:
    start date: 16:46:01 PST Feb 13 2002
    end   date: 16:54:48 PST Feb 13 2007
  Associated Trustpoints: MS

To display the trustpoints that are configured in the router, enter the show crypto pki trustpoints command:

Router# show crypto pki trustpoints
Trustpoint bo:
  Subject Name:
    CN = bomborra Certificate Manager
    O = cisco.com
    C = US
  Serial Number: 01
  Certificate configured.
  CEP URL: http://bomborra
  CRL query url: ldap://bomborra

For complete configuration information for manual certificate enrollment (TFTP and cut-and-paste), refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftmancrt.html

For manual certificate enrollment configuration examples, see the “Manual Certificate Enrollment Configuration Examples” section on page 30-56.

Configuring Certificate Autoenrollment

The certificate autoenrollment feature allows you to configure your router to automatically request a certificate from the certification authority (CA) using the parameters in the configuration, so that no operator intervention is required at the time the enrollment request is sent to the CA server. Automatic enrollment is performed on startup for any configured trustpoint CA that does not have a valid certificate. When a certificate issued by a trustpoint CA that has been configured for autoenrollment expires, a new certificate is requested. Although this feature does not provide seamless certificate renewal, it does provide unattended recovery from expiration.

Before the certificate autoenrollment feature, certificate enrollment required complicated, interactive commands that had to be executed on every router. This feature allows you to preload all of the necessary information into the configuration and have each router obtain certificates automatically when it boots. Autoenrollment also checks for expired router certificates.

Note  Before submitting an automatic enrollment request, all necessary enrollment information must be configured.
To configure autoenrollment with a CA on startup, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the name of the CA that your router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.

Step 2
Command: Router(ca-trustpoint)# enrollment url url
Purpose: Specifies the URL of the CA to which your router should send certificate requests; for example, http://ca_server.
• url—Must be in the form of http://CA_name, where CA_name is the Domain Name System (DNS) host name or the IP address of the CA.

Step 3
Command: Router(ca-trustpoint)# subject-name [x.500-name]
Purpose: (Optional) Specifies the requested subject name that will be used in the certificate request.
• x.500-name—If the x.500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, is used.

Step 4
Command: Router(ca-trustpoint)# ip-address {interface | none}
Purpose: Includes the IP address of the specified interface in the certificate request.
• interface—IP address of the interface.
• none—Specify this keyword if no IP address should be included.
If this command is enabled, you will not be prompted for an IP address during enrollment for this trustpoint.

Step 5
Command: Router(ca-trustpoint)# serial-number [none]
Purpose: Specifies the router serial number in the certificate request, unless the none keyword is specified.
• none—Specify this keyword if no serial number should be included.

Step 6
Command: Router(ca-trustpoint)# auto-enroll [regenerate]
Purpose: Enables autoenrollment. This command allows you to automatically request a router certificate from the CA. By default, only the DNS name of the router is included in the certificate.
• regenerate—Specify this keyword to generate a new key for the certificate even if a named key already exists.

Step 7
Command: Router(ca-trustpoint)# password string
Purpose: (Optional) Specifies the revocation password for the certificate.
• string—Text of the password.
Note: If this command is enabled, you will not be prompted for a password during enrollment for this trustpoint.

Step 8
Command: Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
Purpose: Specifies which key pair to associate with the certificate.
• key-label—Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is configured.
• key-size—(Optional) Size of the desired RSA key. If not specified, the existing key size is used. (The specified size must be the same as the encryption-key-size.)
• encryption-key-size—(Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates. (The specified size must be the same as the key-size.)
If this command is not enabled, the FQDN key pair is used.

Preloading Root CAs

After enabling automatic enrollment, you must authenticate the CA to establish a chain of trust. This can be done by implementing one of the following methods:
• Obtaining the Certificate of the CA, page 30-28
• Adding the Certificate of the CA, page 30-29

Obtaining the Certificate of the CA

To obtain the certificate of the CA, enter the crypto pki authenticate command in global configuration mode:

Router(config)# crypto pki authenticate name

name specifies the name of the CA.

Adding the Certificate of the CA

To add the certificate of the CA, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki certificate chain name
Purpose: Enters certificate chain configuration mode, which allows you to add or delete specified certificates.
• name—Name of the CA.

Step 2
Command: Router(config-cert-chain)# certificate certificate-serial-number
Purpose: Manually adds or deletes certificates.
• certificate-serial-number—Serial number of the CA certificate to add.

Verifying CA Information

To display information about your certificates, the certificates of the CA, and registration authority (RA) certificates, enter the show crypto pki certificates command:

Router# show crypto pki certificates
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
  Key Usage: Signature

Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
  Key Usage: Encryption

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

To display the trustpoints configured in the router, enter the show crypto pki trustpoints command:

Router# show crypto pki trustpoints
Trustpoint bo:
  Subject Name:
    CN = bomborra Certificate Manager
    O = cisco.com
    C = US
  Serial Number:01
  Certificate configured.
  CEP URL:http://bomborra
  CRL query url:ldap://bomborra

For complete configuration information for certificate autoenrollment, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftautoen.html

For a certificate autoenrollment configuration example, see the "Certificate Autoenrollment Configuration Example" section on page 30-59.

Configuring Key Rollover for Certificate Renewal

Automatic certificate enrollment was introduced to allow the router to automatically request a certificate from the certification authority (CA) server. By default, the automatic enrollment feature requests a new certificate when the old certificate expires. Connectivity can be lost while the request is being serviced because the existing certificate and key pairs are deleted immediately after the new key is generated. The new key does not have a certificate to match it until the process is complete, and incoming Internet Key Exchange (IKE) connections cannot be established until the new certificate is issued.

The key rollover for certificate renewal feature allows the certificate renewal request to be made before the certificate expires and retains the old key and certificate until the new certificate is available.

Key rollover can also be used with a manual certificate enrollment request. Using the same method as key rollover with certificate autoenrollment, a new key pair is created with a temporary name, and the old certificate and key pair are retained until a new certificate is received from the CA. When the new certificate is received, the old certificate and key pair are discarded and the new key pair is renamed with the name of the original key pair. Do not regenerate the keys manually; key rollover will occur when you enter the crypto pki enroll command.
Key Rollover for Certificate Renewal Configuration Guidelines and Restrictions

When configuring key rollover for certificate renewal, follow these guidelines and restrictions:
• Trustpoints configured to generate a new key pair using the regenerate command or the regenerate keyword of the auto-enroll command must not share key pairs with other trustpoints. To give each trustpoint its own key pair, use the rsakeypair command in ca-trustpoint configuration mode. Sharing key pairs among regenerating trustpoints is not supported and will cause loss of service on some of the trustpoints because of key and certificate mismatch.

Configuring Automatic Certificate Enrollment with Key Rollover

To configure key rollover with automatic certificate enrollment, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the name of the CA that your router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.

Step 2
Command: Router(ca-trustpoint)# enrollment url url
Purpose: Specifies the URL of the CA to which your router should send certificate requests; for example, http://ca_server.
• url—Must be in the form of http://CA_name, where CA_name is the Domain Name System (DNS) host name or the IP address of the CA.

Step 3
Command: Router(ca-trustpoint)# subject-name [x.500-name]
Purpose: (Optional) Specifies the requested subject name that will be used in the certificate request.
• x.500-name—If the x.500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, is used.

Step 4
Command: Router(ca-trustpoint)# ip-address {interface | none}
Purpose: Includes the IP address of the specified interface in the certificate request.
• interface—IP address of the interface.
• none—Specify this keyword if no IP address should be included.
If this command is enabled, you will not be prompted for an IP address during enrollment for this trustpoint.

Step 5
Command: Router(ca-trustpoint)# serial-number [none]
Purpose: Specifies the router serial number in the certificate request, unless the none keyword is specified.
• none—Specify this keyword if no serial number should be included.

Step 6
Command: Router(ca-trustpoint)# auto-enroll [percent] [regenerate]
Purpose: Enables autoenrollment. This command allows you to automatically request a router certificate from the CA. By default, only the DNS name of the router is included in the certificate.
• percent—Use the percent argument to specify that a new certificate will be requested after the percent lifetime of the current certificate is reached.
• regenerate—Specify this keyword to generate a new key for the certificate even if a named key already exists.
Note: If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable:
! RSA key pair associated with trustpoint is exportable.

Step 7
Command: Router(ca-trustpoint)# password string
Purpose: (Optional) Specifies the revocation password for the certificate.
• string—Text of the password.
Note: If this command is enabled, you will not be prompted for a password during enrollment for this trustpoint.

Step 8
Command: Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
Purpose: Specifies which key pair to associate with the certificate.
• key-label—Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is configured.
• key-size—(Optional) Size of the desired RSA key. If not specified, the existing key size is used. (The specified size must be the same as the encryption-key-size.)
• encryption-key-size—(Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates. (The specified size must be the same as the key-size.)
Note: If this command is not enabled, the FQDN key pair is used.

Step 9
Command: Router(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 10
Command: Router(config)# crypto pki authenticate name
Purpose: Authenticates the CA (by obtaining the certificate of the CA).
• name—Name of the CA. Enter the name value entered in Step 1.
Check the certificate fingerprint if prompted.
Note: This command is optional if the CA certificate is already loaded into the configuration.

Step 11
Command: Router(config)# exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Step 12
Command: Router# copy system:running-config nvram:startup-config
Purpose: (Optional) Copies the running configuration to the NVRAM startup configuration.

Configuring Manual Certificate Enrollment with Key Rollover

Note: Do not regenerate the keys manually using the crypto key generate command; key rollover will occur when the crypto pki enroll command is entered.

To configure key rollover with manual certificate enrollment, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the name of the CA that your router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.

Step 2
Command: Router(ca-trustpoint)# enrollment url url
Purpose: Specifies the URL of the CA to which your router should send certificate requests; for example, http://ca_server.
• url—Must be in the form of http://CA_name, where CA_name is the Domain Name System (DNS) host name or the IP address of the CA.

Step 3
Command: Router(ca-trustpoint)# subject-name [x.500-name]
Purpose: (Optional) Specifies the requested subject name that will be used in the certificate request.
• x.500-name—If the x.500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, is used.

Step 4
Command: Router(ca-trustpoint)# ip-address {interface | none}
Purpose: Includes the IP address of the specified interface in the certificate request.
• interface—IP address of the interface.
• none—Specify this keyword if no IP address should be included.
If this command is enabled, you will not be prompted for an IP address during enrollment for this trustpoint.

Step 5
Command: Router(ca-trustpoint)# serial-number [none]
Purpose: Specifies the router serial number in the certificate request, unless the none keyword is specified.
• none—Specify this keyword if no serial number should be included.

Step 6
Command: Router(ca-trustpoint)# regenerate
Purpose: Enables key rollover with certificate enrollment when the crypto pki enroll command is entered.
Note: This command generates a new key for the certificate even if a named key already exists. Do not use the crypto key generate command with the key rollover feature. If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable:
! RSA key pair associated with trustpoint is exportable.

Step 7
Command: Router(ca-trustpoint)# password string
Purpose: (Optional) Specifies the revocation password for the certificate.
• string—Text of the password.
Note: If this command is enabled, you will not be prompted for a password during enrollment for this trustpoint.

Step 8
Command: Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
Purpose: Specifies which key pair to associate with the certificate.
• key-label—Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is configured.
• key-size—(Optional) Size of the desired RSA key. If not specified, the existing key size is used. (The specified size must be the same as the encryption-key-size.)
• encryption-key-size—(Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates. (The specified size must be the same as the key-size.)
Note: If this command is not enabled, the FQDN key pair is used.

Step 9
Command: Router(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode and enters global configuration mode.

Step 10
Command: Router(config)# crypto pki authenticate name
Purpose: Authenticates the CA (by obtaining the certificate of the CA).
• name—Name of the CA. Enter the name value entered in Step 1.
Check the certificate fingerprint if prompted.
Note: This command is optional if the CA certificate is already loaded into the configuration.

Step 11
Command: Router(config)# crypto pki enroll name
Purpose: Requests certificates for all of your RSA key pairs.
• name—Name of the CA.
This command causes your router to request as many certificates as there are RSA key pairs, so you need to perform this command only once, even if you have special-usage RSA key pairs. When the regenerate configuration command is configured, this command will perform key rollover.
Note: This command requires you to create a challenge password that is not saved with the configuration. This password is required if your certificate needs to be revoked, so you must remember this password.

Step 12
Command: Router(config)# exit
Purpose: Exits global configuration mode.

For complete configuration information for key rollover for certificate renewal, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtkyroll.html

For key rollover configuration examples, see the "Key Rollover for Certificate Renewal Configuration Examples" section on page 30-60.

Configuring PKI: Query Multiple Servers During Certificate Revocation Check

Before an X.509 certificate presented by a peer is validated, the certificate revocation list (CRL) is checked to make sure that the certificate has not been revoked by the issuing certification authority (CA). The certificate usually contains a certificate distribution point (CDP) in the form of a URL. Cisco IOS software uses the CDP to locate and retrieve the CRL.

Previous versions of Cisco IOS software make only one attempt to retrieve the CRL, even when the certificate contains more than one CDP. If the CDP server does not respond, the Cisco IOS software reports an error, which may result in the peer's certificate being rejected.

The PKI: Query Multiple Servers During Certificate Revocation Check feature provides the ability for Cisco IOS software to make multiple attempts to retrieve the CRL by trying all of the available CDPs in a certificate. This allows operations to continue when a particular server is not available. In addition, the ability to override the CDPs in a certificate with a manually configured CDP is also provided. Manually overriding the CDPs in a certificate can be advantageous when a particular server is unavailable for an extended period of time.
The certificate's CDPs can be replaced with a URL or directory specification without reissuing all of the certificates that contain the original CDP.

To manually override the existing CDPs for a certificate with a URL or directory specification, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the CA that your router should use and enters ca-trustpoint configuration mode.
• name—Name for the trustpoint CA.

Step 2
Command: Router(ca-trustpoint)# match certificate certificate-map-label override cdp {url | directory} string
Purpose: Manually overrides the existing CDP entries for a certificate with a URL or directory specification.
• certificate-map-label—A user-specified label that must match the label argument specified in a previously defined crypto pki certificate map command.
• url—Specifies that the certificate's CDPs will be overridden with an HTTP or LDAP URL.
• directory—Specifies that the certificate's CDPs will be overridden with an LDAP directory specification.
• string—The URL or directory specification.

Note: Some applications may time out before all CDPs have been tried and will report an error message. This will not affect the router, and the Cisco IOS software will continue attempting to retrieve a CRL until all CDPs have been tried.

For complete configuration information for the PKI: Query Multiple Servers During Certificate Revocation Check feature, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtcertrc.html

For a query multiple servers configuration example, see the "Local Certificate Storage Location Configuration Example" section on page 30-55.

Configuring the Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP) feature allows users to enable OCSP instead of certificate revocation lists (CRLs) to check certificate status. Unlike CRLs, which provide only periodic certificate status, OCSP can provide timely information regarding the status of a certificate.

OCSP Configuration Guidelines and Restrictions

When configuring OCSP, follow these guidelines and restrictions:
• OCSP transports messages over HTTP, so there may be a time delay when you access the OCSP server. If the OCSP server is unavailable, certificate verification will fail.
• The increased certificate size may cause a problem for low-end routers when certificates are stored on NVRAM. Before you add the Authority Info Access (AIA) extension to a certificate, make sure that the increased size will not cause deployment problems.
• An OCSP server usually operates in either push or poll mode. You can configure a CA server to push revocation information to an OCSP server or configure an OCSP server to periodically download (poll) a CRL from the CA server. To ensure that timely certificate revocation status is obtained, you should carefully consider the push and poll interval.
• When configuring an OCSP server to return the revocation status for a CA server, the OCSP server must be configured with an OCSP response signing certificate that is issued by that CA server. Ensure that the signing certificate is in the correct format, or the router will not accept the OCSP response. Refer to your OCSP manual for additional information.
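The retrieval behaviour described above (every CDP in the certificate is tried before the CRL method gives up, and a manually configured CDP replaces the certificate's own CDPs), together with the revocation-check method ordering that the OCSP task below configures (crl, ocsp, none; the next method is consulted only when the previous one returns an error), as an added Python model. This is not Cisco IOS code; the server tables, host names and serial number are constructed placeholders, and the trustpoint is represented as a plain dictionary.

```python
"""Model of CRL/OCSP revocation checking as this chapter describes it.

Added example, not Cisco IOS code. Behaviours modelled from the text:
every CDP is tried before the CRL method gives up, a trustpoint CDP override
replaces the certificate's CDPs, an ocsp url on the trustpoint takes
precedence over the certificate's AIA extension, and the next
revocation-check method is used only when the previous one returns an error.
All server contents are constructed in-memory tables; nothing is fetched.
"""

GOOD, REVOKED, ERROR = "good", "revoked", "error"


class ServerDown(Exception):
    """Raised when a CDP or OCSP responder does not answer."""


def fetch_crl(url, crl_servers):
    """Return the set of revoked serials published at url, or raise ServerDown."""
    if url not in crl_servers:
        raise ServerDown(url)
    return crl_servers[url]


def check_crl(cert, trustpoint, crl_servers, log):
    """CRL method: try each CDP in turn; ERROR only when every CDP fails."""
    override = trustpoint.get("cdp_override")  # 'match certificate ... override cdp'
    cdps = [override] if override else cert["cdps"]
    for url in cdps:
        try:
            revoked = fetch_crl(url, crl_servers)
        except ServerDown:
            log.append(f"CRL fetch failed: {url}")
            continue  # the next CDP may still be reachable
        return REVOKED if cert["serial"] in revoked else GOOD
    return ERROR


def check_ocsp(cert, trustpoint, ocsp_servers, log):
    """OCSP method: the trustpoint's 'ocsp url' wins over the certificate's AIA URL."""
    url = trustpoint.get("ocsp_url") or cert.get("aia_ocsp")
    if url is None or url not in ocsp_servers:
        log.append(f"OCSP responder unavailable: {url}")
        return ERROR
    return REVOKED if cert["serial"] in ocsp_servers[url] else GOOD


def revocation_check(cert, trustpoint, crl_servers, ocsp_servers, log=None):
    """Walk the trustpoint's revocation-check list, e.g. ['crl', 'ocsp'].

    A definite GOOD or REVOKED answer ends the walk; only ERROR falls through
    to the next method. 'none' always yields GOOD, so listing it last turns a
    CRL/OCSP outage into silent acceptance of the peer certificate.
    """
    log = [] if log is None else log
    for method in trustpoint["revocation_check"]:
        if method == "none":
            result = GOOD
        elif method == "crl":
            result = check_crl(cert, trustpoint, crl_servers, log)
        elif method == "ocsp":
            result = check_ocsp(cert, trustpoint, ocsp_servers, log)
        else:
            raise ValueError(f"unknown revocation-check method {method!r}")
        if result != ERROR:
            return result
    return ERROR  # every method errored: the peer certificate is rejected


# Constructed sample data (placeholder hosts and serial, not from any deployment).
PEER_CERT = {
    "serial": "0C48",
    "cdps": ["http://crl-primary.example.net/ca.crl",
             "ldap://crl-backup.example.net/cn=ca"],
    "aia_ocsp": "http://ocsp.example.net",
}
CRL_PRIMARY_DOWN = {"ldap://crl-backup.example.net/cn=ca": {"0C48"}}
CRL_ALL_DOWN = {}
CRL_MIRROR_ONLY = {"http://crl-mirror.example.net/ca.crl": set()}
OCSP_SERVERS = {"http://ocsp.example.net": set()}  # responder reports nothing revoked


def scenarios():
    """Run the cases from the text and return {name: (status, log)}."""
    cases = {
        # Primary CDP down, backup lists the serial: revoked; OCSP is not consulted.
        "backup_cdp_revoked": ({"revocation_check": ["crl", "ocsp"]}, CRL_PRIMARY_DOWN),
        # Every CDP down: the CRL method errors and OCSP answers instead.
        "crl_down_ocsp_fallback": ({"revocation_check": ["crl", "ocsp"]}, CRL_ALL_DOWN),
        # Manual CDP override: the certificate's own CDPs are never tried.
        "cdp_override": ({"revocation_check": ["crl"],
                          "cdp_override": "http://crl-mirror.example.net/ca.crl"},
                         CRL_MIRROR_ONLY),
        # 'none' as the last method accepts the certificate during an outage.
        "crl_none_fail_open": ({"revocation_check": ["crl", "none"]}, CRL_ALL_DOWN),
        # CRL only and all CDPs down: validation fails.
        "crl_only_down": ({"revocation_check": ["crl"]}, CRL_ALL_DOWN),
    }
    results = {}
    for name, (trustpoint, crl_servers) in cases.items():
        log = []
        status = revocation_check(PEER_CERT, trustpoint, crl_servers, OCSP_SERVERS, log)
        results[name] = (status, log)
    return results


if __name__ == "__main__":
    for name, (status, log) in scenarios().items():
        print(f"{name:24s} -> {status:8s} {log}")
```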
To configure your router for OCSP to check certificate status, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the CA that your router should use and puts you in ca-trustpoint configuration mode.
• name—Name for the trustpoint CA.

Step 2
Command: Router(ca-trustpoint)# ocsp url url
Purpose: (Optional) Specifies the URL of an OCSP server so that the trustpoint can check the certificate status. This URL will override the URL of the OCSP server (if one exists) in the Authority Info Access (AIA) extension of the certificate.
• url—Specifies the HTTP URL to be used.

Step 3
Command: Router(ca-trustpoint)# revocation-check method1 [method2 [method3]]
Purpose: Checks the revocation status of a certificate.
• method1 [method2 [method3]]—Specifies the method used by the router to check the revocation status of the certificate. Available methods are as follows:
  – crl—Certificate checking is performed by a CRL. This is the default option.
  – none—Certificate checking is ignored.
  – ocsp—Certificate checking is performed by an OCSP server.
If a second and third method are specified, each method will be used only if the previous method returns an error, such as a server being down.

Verifying the OCSP Configuration

To display information about your certificate and the CA certificate, enter the show crypto pki certificates command:

Router# show crypto pki certificates
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number: 18C1EE03000000004CBD
  Certificate Usage: General Purpose
  Issuer:
    cn=msca-root
    ou=pki msca-root
    o=cisco
    l=santa cruz2
    st=CA
    c=US
    ea=user@example.com
  Subject:
    Name: myrouter.example.com
    hostname=myrouter.example.com
  CRL Distribution Points:
    http://msca-root/CertEnroll/msca-root.crl
  Validity Date:
    start date: 19:50:40 GMT Oct 5 2004
    end date: 20:00:40 GMT Oct 12 2004
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (360 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 2B5F53E6 E3E892E6 3A9D3706 01261F10
  Fingerprint SHA1: 315D127C 3AD34010 40CE7F3A 988BBDA5 CD528824
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: D156E92F 46739CBA DFE66D2D 3559483E B41ECCF4
    X509v3 Authority Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
    Authority Info Access:
  Associated Trustpoints: msca-root
  Key Label: myrouter.example.com

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
  Certificate Usage: Signature
  Issuer:
    cn=msca-root
    ou=pki msca-root
    o=cisco
    l=santa cruz2
    st=CA
    c=US
    ea=user@example.com
  Subject:
    cn=msca-root
    ou=pki msca-root
    o=cisco
    l=santa cruz2
    st=CA
    c=US
    ea=user@example.com
  CRL Distribution Points:
    http://msca-root.example.com/CertEnroll/msca-root.crl
  Validity Date:
    start date: 22:19:29 GMT Oct 31 2002
    end date: 22:27:27 GMT Oct 31 2017
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 84E470A2 38176CB1 AA0476B9 C0B4F478
  Fingerprint SHA1: 0F57170C 654A5D7D 10973553 EFB0F94F 2FAF9837
  X509v3 extensions:
    X509v3 Key Usage: C6000000
      Digital Signature
      Non Repudiation
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
    X509v3 Basic Constraints:
      CA: TRUE
    Authority Info Access:
  Associated Trustpoints: msca-root

To display the trustpoints and configured trustpoint subcommands that are configured in the router, enter the show crypto pki trustpoints command:

Router# show crypto pki trustpoints
Trustpoint bo:
  Subject Name:
    CN = bomborra Certificate Manager
    O = cisco.com
    C = US
  Serial Number:01
  Certificate configured.
  CEP URL:http://bomborra
  CRL query url:ldap://bomborra

For complete configuration information for OCSP, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ocsp.html

For OCSP configuration examples, see the "Online Certificate Status Protocol Configuration Examples" section on page 30-61.

Configuring Optional OCSP Nonces

The Optional OCSP Nonces feature provides users with the ability to disable the sending of a nonce, or unique identifier for an Online Certificate Status Protocol (OCSP) request, during OCSP communications.

Note: The Optional OCSP Nonces feature is only supported as of Cisco IOS Release 12.2(33)SRA.

When using OCSP as your revocation method, unique identifiers, or nonces, are sent by default during peer communications with the OCSP server. The use of unique identifiers during OCSP server communications enables more secure and reliable communications. However, not all OCSP servers support the use of unique identifiers. (Refer to your OCSP manual for more information.)
To disable the use of unique identifiers during OCSP communications, use the ocsp disable-nonce subcommand in the crypto pki trustpoint command.

Disabling OCSP Nonces

By default, OCSP nonces are used. To disable the use of these nonces and specify that your router should not send unique identifiers, or nonces, during OCSP communication, use the ocsp disable-nonce subcommand in the crypto pki trustpoint command as follows, beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the certificate authority (CA) that your router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.

Step 2
Command: Router(ca-trustpoint)# ocsp disable-nonce
Purpose: Specifies that your router will not send unique identifiers, or nonces, during OCSP communications.

Step 3
Command: Router(ca-trustpoint)# end
Purpose: (Optional) Exits ca-trustpoint configuration mode.

For complete configuration information for optional OCSP nonces, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/s_pkinon.html

For an optional OCSP nonces configuration example, see the "Optional OCSP Nonces Configuration Example" section on page 30-62.

Configuring Certificate Security Attribute-Based Access Control

Under the IPSec protocol, certificate authority (CA) interoperability permits Cisco IOS devices and a CA to communicate so that the Cisco IOS device can obtain and use digital certificates from the CA. Certificates contain several fields that are used to determine whether a device or user is authorized to perform a specified action. The certificate security attribute-based access control feature adds fields to the certificate to create a certificate-based ACL.

Certificate Security Attribute-Based Access Control Configuration Guidelines and Restrictions

When configuring certificate security attribute-based access control, follow these guidelines and restrictions:
• The certificate-based ACL specifies one or more fields within the certificate and an acceptable value for each specified field. You can specify which fields within a certificate should be checked and which values those fields may or may not have. There are six logical tests for comparing the field with the value: equal, not equal, contains, does not contain, less than, and greater than or equal.
• If more than one field is specified within a single certificate-based ACL, the tests of all of the fields within the ACL must succeed to match the ACL.
• The same field can be specified multiple times within the same ACL.
• More than one ACL can be specified. Each ACL will be processed in turn until a match is found or all of the ACLs have been processed.
• Memory is required to hold the ACLs as they are created and as they are loaded from the configuration file. The amount of memory depends on which fields within the certificate are being checked and how many ACLs have been defined. Certificate-based ACL support requires one or more compare operations when the fields in a certificate are being checked. Only the fields specified by the ACL are checked. The compare operations are a small part of certificate validation and will not have a noticeable effect on router performance when validating certificates.
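The matching rules just listed (six operators, every field test of one ACL must succeed, ACLs with the same label processed in turn until one matches), as an added Python model that is not Cisco IOS code; it parses the crypto pki certificate map syntax used in the task that follows. The Rule and CertMap classes, the parser, the case-insensitive name comparison, and all sample maps and certificates are constructed for this example.

```python
"""Certificate-based ACL matching, modelled on the crypto pki certificate
map rules this section describes.

Added example, not Cisco IOS code. Assumed/constructed here: the Rule and
CertMap classes, parse_certificate_maps(), case-insensitive comparison of
name values, and all sample maps and certificates.
"""
from dataclasses import dataclass
from datetime import datetime
import shlex

NAME_FIELDS = {"subject-name", "issuer-name", "unstructured-subject-name",
               "alt-subject-name", "name"}
DATE_FIELDS = {"valid-start", "expires-on"}
NAME_OPS = {"eq", "ne", "co", "nc"}  # operators valid for name fields
DATE_OPS = {"eq", "ne", "lt", "ge"}  # operators valid for date fields
# The two date layouts the guide documents: dd mm yyyy hh:mm:ss, mmm dd yyyy hh:mm:ss
DATE_FORMATS = ("%d %m %Y %H:%M:%S", "%b %d %Y %H:%M:%S")


def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognized date: {text!r}")


@dataclass(frozen=True)
class Rule:
    """One 'field-name match-criteria match-value' line of a certificate map."""
    field_name: str
    op: str
    value: str

    def __post_init__(self):
        f = self.field_name.lower()
        if f in NAME_FIELDS:
            if self.op not in NAME_OPS:
                raise ValueError(f"{self.op} is not valid for name field {f}")
        elif f in DATE_FIELDS:
            if self.op not in DATE_OPS:
                raise ValueError(f"{self.op} is not valid for date field {f}")
            parse_date(self.value)  # reject an unparsable date at config time
        else:
            raise ValueError(f"unknown certificate field {f}")

    def matches(self, cert):
        f = self.field_name.lower()
        if f in NAME_FIELDS:  # assumption: name values compare case-insensitively
            actual, want = cert.get(f, "").lower(), self.value.lower()
            return {"eq": actual == want, "ne": actual != want,
                    "co": want in actual, "nc": want not in actual}[self.op]
        actual, want = parse_date(cert[f]), parse_date(self.value)
        return {"eq": actual == want, "ne": actual != want,
                "lt": actual < want, "ge": actual >= want}[self.op]


@dataclass
class CertMap:
    label: str
    sequence: int
    rules: list

    def matches(self, cert):
        # Every field test in one map must succeed for the map to match.
        return all(r.matches(cert) for r in self.rules)


def rule_is_valid(field_name, op, value):
    """True if the field/operator/value combination is accepted by the rules above."""
    try:
        Rule(field_name, op, value)
        return True
    except ValueError:
        return False


def parse_certificate_maps(config_text):
    """Parse 'crypto pki certificate map LABEL SEQ' blocks and their rule lines."""
    maps, current = [], None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[:4] == ["crypto", "pki", "certificate", "map"]:
            current = CertMap(tokens[4], int(tokens[5]), [])
            maps.append(current)
        elif current is not None and len(tokens) >= 3:
            current.rules.append(Rule(tokens[0], tokens[1], " ".join(tokens[2:])))
    return maps


def evaluate(maps, label, cert):
    """Sequence number of the first map with this label that matches, else None."""
    for m in sorted((m for m in maps if m.label == label), key=lambda m: m.sequence):
        if m.matches(cert):
            return m.sequence
    return None


# Constructed sample configuration and peer certificate fields.
SAMPLE_CONFIG = """\
crypto pki certificate map VPN-PEERS 10
 subject-name co cisco.com
 issuer-name eq cn=msca-root
crypto pki certificate map VPN-PEERS 20
 expires-on ge Jan 01 2012 00:00:00
"""
SAMPLE_CERTS = {
    "router": {"subject-name": "CN=Router.cisco.com", "issuer-name": "CN=msca-root",
               "expires-on": "Jun 07 2003 18:26:45"},
    "partner": {"subject-name": "CN=peer.example.com", "issuer-name": "CN=msca-root",
                "expires-on": "Oct 31 2017 22:27:27"},
    "stale": {"subject-name": "CN=peer.example.com", "issuer-name": "CN=msca-root",
              "expires-on": "Jun 07 2003 18:26:45"},
}
```

Calling evaluate(parse_certificate_maps(SAMPLE_CONFIG), "VPN-PEERS", cert) returns 10 for the router certificate, 20 for the partner certificate, and None for the stale one.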
To configure Certificate Security Attribute-Based Access Control, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki certificate map label sequence-number
Purpose: Starts ca-certificate-map mode and defines certificate-based ACLs by assigning a label for the ACL that will also be referenced within the crypto pki trustpoint command.
• label—An arbitrary string that identifies the ACL.
• sequence-number—A sequence number that orders ACLs with the same label.

Step 2
Command: Router(ca-certificate-map)# field-name match-criteria match-value
Purpose: In ca-certificate-map mode, you specify one or more certificate fields together with their matching criteria and the value to match.
• field-name—Specifies one of the following case-insensitive name strings or a date:
  – subject-name
  – issuer-name
  – unstructured-subject-name
  – alt-subject-name
  – name
  – valid-start
  – expires-on
  Note: Date field format is dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.
• match-criteria—Specifies one of the following logical operators:
  – eq—Equal (valid for name and date fields)
  – ne—Not equal (valid for name and date fields)
  – co—Contains (valid only for name fields)
  – nc—Does not contain (valid only for name fields)
  – lt—Less than (valid only for date fields)
  – ge—Greater than or equal (valid only for date fields)
• match-value—Specifies the name or date to test with the logical operator assigned by match-criteria.
For example:
Router(ca-certificate-map)# subject-name co Cisco

Step 3
Command: Router(ca-certificate-map)# exit
Purpose: Exits ca-certificate-map mode.

Step 4
Command: Router(config)# crypto pki trustpoint name
Purpose: Starts ca-trustpoint configuration mode and creates a name for the CA.
• name—Specifies a name for the CA.

Step 5
Command: Router(ca-trustpoint)# match certificate certificate-map-label
Purpose: Associates the certificate-based ACL defined with the crypto pki certificate map command to the trustpoint.
• certificate-map-label—Specifies the label argument specified in the previously defined crypto pki certificate map command in Step 1.

Step 6
Command: Router(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode.

Verifying Certificate-Based ACLs

To verify the certificate-based ACL configuration, enter the show crypto pki certificates command. The following example shows the components of the certificates (CA and router certificate) installed on the router when the router has both authenticated and enrolled with a trustpoint:

Router# show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
  Certificate Usage: Signature
  Issuer:
    CN = new-user
    OU = pki new-user
    O = cisco
    L = santa cruz2
    ST = CA
    C = US
    EA = user@cysco.net
  Subject:
    CN = new-user
    OU = pki new-user
    O = cisco
    L = santa cruz2
    ST = CA
    C = US
    EA = user@cysco.net
  CRL Distribution Point:
    http://new-user.cysco.net/CertEnroll/new-user.crl
  Validity Date:
    start date: 14:19:29 PST Oct 31 2002
    end date: 14:27:27 PST Oct 31 2017
  Associated Trustpoints: MS

Certificate
  Status: Available
  Certificate Serial Number: 193E28D20000000009F7
  Certificate Usage: Signature
  Issuer:
    CN = new-user
    OU = pki new-user
    O = cisco
    L = santa cruz2
    ST = CA
    C = US
    EA = user@cysco.net
  Subject:
    Name: User1.Cysco.Net
    OID.1.2.840.113549.1.9.2 = User1.Cysco.Net
  CRL Distribution Point:
    http://new-user.cysco.net/CertEnroll/new-user.crl
  Validity Date:
    start date: 12:40:14 PST Feb 26 2003
    end date: 12:50:14 PST Mar 5 2003
    renew date: 16:00:00 PST Dec 31 1969
  Associated Trustpoints: MS

For complete configuration information for Certificate Security Attribute-Based Access Control, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftcrtacl.html

For a certificate-based ACL example, see the “Certificate Security Attribute-Based Access Control Configuration Example” section on page 30-62.

Configuring PKI AAA Authorization Using the Entire Subject Name

When using public key infrastructure (PKI) and authentication, authorization, and accounting (AAA) functionality, users sometimes have attribute-value (AV) pairs that are different from those of every other user. As a result, a unique username is required for each user. The PKI AAA authorization using the entire subject name feature provides users with the ability to query the AAA server using the entire subject name from the certificate as a unique AAA username.

PKI AAA Authorization Using the Entire Subject Name Configuration Guidelines and Restrictions

When configuring PKI AAA authorization using the entire subject name, follow these guidelines and restrictions:

• Some AAA servers limit the length of the username (for example, to 64 characters). As a result, the entire certificate subject name cannot be longer than the limitation of the server.
• Some AAA servers limit the available character set that may be used for the username (for example, a space [ ] and an equal sign [=] may not be acceptable). This feature will not work with an AAA server that has such a character-set limitation.
• The subject-name command in the trustpoint configuration might not always be the final AAA subject name. If the fully qualified domain name (FQDN), serial number, or IP address of the router are included in a certificate request, the subject name field of the issued certificate will also have these components. To turn off the components, use the fqdn, serial-number, and ip-address commands with the none keyword.
• Certificate authority (CA) servers sometimes change the requested subject name field when they issue a certificate. For example, CA servers of some vendors switch the relative distinguished names (RDNs) in the requested subject names to the following order: CN, OU, O, L, ST, and C. However, another CA server might append the configured Lightweight Directory Access Protocol (LDAP) directory root (for example, O=cisco.com) to the end of the requested subject name.
• Depending on the tools you choose for displaying a certificate, the printed order of the RDNs in the subject name could be different. Cisco IOS software always displays the least significant RDN first, but other software, such as Open Source Secure Socket Layer (OpenSSL), does the opposite. Therefore, if you are configuring the AAA server with a full DN (subject name) as the corresponding username, ensure that the Cisco IOS software style (that is, with the least-significant RDN first) is used.
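The RDN-ordering and server-limit guidelines above are illustrated by the following added example, which is not Cisco IOS code. It assumes the input subject is a comma-separated RDN string in OpenSSL order (most significant RDN, such as C, first, with no escaped commas), that the Cisco IOS order is simply the reverse, that RDNs are joined with ',' when the username is rendered, and that the 64-character limit and the forbidden space and '=' are the example limits quoted in the guidelines.

```python
"""Derive the AAA username that 'authorization username subjectname all' would
send for a certificate subject, and check it against AAA-server limits.

Added example, not Cisco IOS code. Assumptions: input DN is in OpenSSL order
(most significant RDN first, comma-separated, no escaped commas); Cisco IOS
order is the reverse; RDNs are joined with ','; the limits below are the
example limits from the guidelines.
"""
import re

MAX_USERNAME_LEN = 64               # example limit quoted in the guidelines
FORBIDDEN_CHARS = frozenset(" =")   # example character-set limit from the guidelines


def split_rdns(dn):
    """'C=US, ST=CA, CN=router1' -> [('C', 'US'), ('ST', 'CA'), ('CN', 'router1')]."""
    rdns = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def to_ios_order(rdns):
    """Reverse OpenSSL order into Cisco IOS display order (least significant RDN first)."""
    return list(reversed(rdns))


def render_dn(rdns, separator=","):
    """Join RDNs back into one string; the separator is an assumption of this example."""
    return separator.join(f"{attr}={value}" for attr, value in rdns)


def aaa_username(openssl_dn):
    """The full subject DN in Cisco IOS order, as the AAA server must store it."""
    return render_dn(to_ios_order(split_rdns(openssl_dn)))


def check_server_limits(username, max_len=MAX_USERNAME_LEN, forbidden=FORBIDDEN_CHARS):
    """Return the limits this username violates on a server with the given
    restrictions; an empty list means the feature can work with that server."""
    problems = []
    if len(username) > max_len:
        problems.append(f"length {len(username)} exceeds {max_len}")
    present = sorted(ch for ch in forbidden if ch in username)
    if present:
        problems.append("contains " + ", ".join(repr(ch) for ch in present))
    return problems


# Constructed subject (OpenSSL order) matching the CA in this chapter's show output.
OPENSSL_DN = "C=US, ST=CA, L=santa cruz2, O=cisco, OU=pki new-user, CN=new-user"
# Constructed longer subject that exceeds a 64-character username limit.
LONG_DN = OPENSSL_DN + ", emailAddress=user@cysco.net, unstructuredName=router1.cysco.net"

if __name__ == "__main__":
    for dn in (OPENSSL_DN, LONG_DN):
        user = aaa_username(dn)
        print(user)
        print("  length-limited server only:", check_server_limits(user, forbidden=frozenset()) or "ok")
        print("  server that also forbids ' ' and '=':", check_server_limits(user) or "ok")
```

A server that forbids '=' can never accept a full DN username, which is the page's point that the feature does not work with such a server.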
To configure the entire certificate subject name for PKI authentication, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# aaa new-model
Purpose: Enables the AAA access control model.

Step 2
Command: Router(config)# aaa authorization network listname [method]
Purpose: Sets the parameters that restrict user access to a network.
• listname—Character string used to name the list of authorization methods.
• method—Specifies an authorization method to be used for authorization. The method argument can be group radius, group tacacs+, or group group-name.

Step 3
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the CA that your router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.

Step 4
Command: Router(ca-trustpoint)# enrollment url url
Purpose: Specifies the enrollment parameters of your CA.
• url—The url argument is the URL of the CA to which your router should send certificate requests.

Step 5
Command: Router(ca-trustpoint)# revocation-check method
Purpose: (Optional) Checks the revocation status of a certificate.
• method—Method used by the router to check the revocation status. Available methods are ocsp, none, and crl.

Step 6
Command: Router(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode and enters global configuration mode.

Step 7
Command: Router(config)# authorization list {listname}
Purpose: Specifies the AAA authorization list.
• listname—Name of the list.

Step 8
Command: Router(config)# authorization username subjectname all
Purpose: Sets parameters for the different certificate fields that are used to build the AAA username. The all parameter specifies that the entire subject name of the certificate will be used as the authorization username.

Step 9
Command: Router(config)# tacacs-server host hostname [key string]
  or
  Router(config)# radius-server host hostname [key string]
Purpose: Specifies a TACACS+ host, or specifies a RADIUS host.
• hostname—Name of the host.
• string—(Optional) Character string specifying the authentication and encryption key.

For complete configuration information for the PKI AAA authorization using the entire subject name feature, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_dnall.html

For a PKI AAA authorization using the entire subject name configuration example, see the “PKI AAA Authorization Using the Entire Subject Name Configuration Example” section on page 30-63.

Configuring Source Interface Selection for Outgoing Traffic with Certificate Authority

The source interface selection for outgoing traffic with certificate authority feature allows you to specify that the address of an interface be used as the source address for all outgoing TCP connections associated with that trustpoint when a designated trustpoint has been configured.

To configure the interface that you want to use as the source address for all outgoing TCP connections associated with a trustpoint, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the CA that your router should use and enters ca-trustpoint configuration mode.
• name—Name for the trustpoint CA.

Step 2
Command: Router(ca-trustpoint)# enrollment url url
Purpose: Specifies the enrollment parameters of your CA.
• url—Specifies the URL of the CA where your router should send certificate requests; for example, http://ca_server. url must be in the form http://CA_name, where CA_name is the CA’s host Domain Name System (DNS) name or IP address.

Step 3
Command: Router(ca-trustpoint)# source interface interface-address
Purpose: Specifies the interface to be used as the source address for all outgoing TCP connections associated with that trustpoint.
• interface-address—Interface address.
Step 4
Command: Router(config)# interface type slot/[subslot]/port
Purpose: Configures an interface type and enters interface configuration mode.
• type—Type of interface being configured.
• slot/[subslot]/port—Number of the slot, subslot (optional), and port to be configured.

Step 5
Command: Router(config-if)# description string
Purpose: Adds a description to an interface configuration.
• string—Descriptive string.

Step 6
Command: Router(config-if)# ip address ip-address mask
Purpose: Sets a primary or secondary IP address for an interface.
• ip-address—IP address.
• mask—Subnet mask.

Step 7
Command: Router(config-if)# interface type slot/[subslot]/port
Purpose: Configures an interface type.
• type—Type of interface being configured.
• slot/[subslot]/port—Number of the slot, subslot (optional), and port to be configured.

Step 8
Command: Router(config-if)# description string
Purpose: Adds a description to an interface configuration.
• string—Descriptive string.

Step 9
Command: Router(config-if)# ip address ip-address mask [secondary]
Purpose: Sets a primary or secondary IP address for an interface.
• ip-address—IP address.
• mask—Subnet mask.
• secondary—(Optional) Makes this a secondary address.

Step 10
Command: Router(config-if)# crypto map map-name
Purpose: Applies a previously defined crypto map set to the interface.
• map-name—Name that identifies the crypto map set.

For complete configuration information for source interface selection for outgoing traffic with certificate authority, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_asish.html

For a source interface selection configuration example, see the “Source Interface Selection for Outgoing Traffic with Certificate Authority Configuration Example” section on page 30-63.

Configuring Persistent Self-Signed Certificates

The persistent self-signed certificates feature saves a certificate generated by a Secure HTTP (HTTPS) server for the Secure Sockets Layer (SSL) handshake in a router’s startup configuration.

Note: The persistent self-signed certificates feature is only supported as of Cisco IOS Release 12.2(33)SXH.

Cisco IOS software has an HTTPS server that allows access to web-based management pages using a secure SSL connection. SSL requires the server to have an X.509 certificate that is sent to the client (web browser) during the SSL handshake to establish a secure connection between the server and the client. The client expects the SSL server’s certificate to be verifiable using a certificate the client already possesses.

If Cisco IOS software does not have a certificate that the HTTPS server can use, the server generates a self-signed certificate by calling a public key infrastructure (PKI) application programming interface (API). When the client receives this self-signed certificate and is unable to verify it, intervention is needed. The client asks you if the certificate should be accepted and saved for future use. If you accept the certificate, the SSL handshake continues. Future SSL handshakes between the same client and the server use the same certificate.

However, if the router is reloaded, the self-signed certificate is lost. The HTTPS server must then create a new self-signed certificate. This new self-signed certificate does not match the previous certificate, so you are once again asked to accept it. Requesting acceptance of the router’s certificate each time that the router reloads can be annoying and may present an opportunity for an attacker to substitute an unauthorized certificate during the time that you are being asked to accept the certificate.
The persistent self-signed certificates feature overcomes all these limitations by saving a certificate in the router’s startup configuration, resulting in the following benefits:

• Having a persistent self-signed certificate stored in the router’s startup configuration (NVRAM) lessens the opportunity for an attacker to substitute an unauthorized certificate, because the browser is able to compare the certificate offered by the router with the previously saved certificate and warn you if the certificate has changed.
• Having a persistent self-signed certificate stored in the router’s startup configuration eliminates the user intervention that is necessary to accept the certificate every time that the router reloads.
• Because user intervention is no longer necessary to accept the certificate, the secure connection process is faster.

Persistent Self-Signed Certificates Configuration Guidelines and Restrictions

When configuring persistent self-signed certificates, follow these guidelines and restrictions:

• You must load an image that supports SSL.
• You can configure only one trustpoint for a persistent self-signed certificate.

Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters

Note: This section is optional, because if you enable the Secure HTTP (HTTPS) server, it generates a self-signed certificate automatically using default values. To specify parameters, you must create a trustpoint and configure it. To use default values, delete any existing self-signed trustpoints. Deleting all self-signed trustpoints causes the HTTPS server to generate a persistent self-signed certificate using default values as soon as it is enabled.
To configure a trustpoint and specify self-signed certificate parameters, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the certificate authority (CA) that your router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.

Step 2
Command: Router(ca-trustpoint)# enrollment selfsigned
Purpose: Specifies self-signed enrollment.

Step 3
Command: Router(ca-trustpoint)# subject-name [x.500-name]
Purpose: (Optional) Specifies the requested subject name to be used in the certificate request.
• x.500-name—If the x.500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, is used.

Step 4
Command: Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
Purpose: (Optional) Specifies which key pair to associate with the certificate.
• key-label—Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is configured.
• key-size—(Optional) Size of the desired RSA key. If not specified, the existing key size is used. (The specified size must be the same as the encryption-key-size.)
• encryption-key-size—(Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates. (The specified size must be the same as the key-size.)
Note: If this command is not enabled, the FQDN key pair is used.

Step 5
Command: Router(ca-trustpoint)# crypto pki enroll trustpoint-name
Purpose: Tells the router to generate the persistent self-signed certificate.
• trustpoint-name—Name of the CA.

Step 6
Command: Router(ca-trustpoint)# end
Purpose: (Optional) Exits ca-trustpoint configuration mode.
Enabling the HTTPS Server

To enable the HTTPS server, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# ip http secure-server
Purpose: Enables the secure HTTP web server.
Note: A key pair (modulus 1024) and a certificate are generated.

Step 2
Command: Router(config)# end
Purpose: Exits global configuration mode.

Note: You must enter a write memory command to save the configuration. This command also saves the self-signed certificate and the HTTPS server in enabled mode.

Verifying the Persistent Self-Signed Certificate Configuration

To verify that a self-signed certificate and a trustpoint have been created, use the show crypto pki certificates, show crypto mypubkey rsa, and show crypto pki trustpoints commands.

The show crypto pki certificates command displays information about your certificate, the CA certificate, and any registration authority certificates:

Router# show crypto pki certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-3326000105
  Subject:
    Name: IOS-Self-Signed-Certificate-3326000105
    cn=IOS-Self-Signed-Certificate-3326000105
  Validity Date:
    start date: 19:14:14 GMT Dec 21 2004
    end date: 00:00:00 GMT Jan 1 2020
  Associated Trustpoints: TP-self-signed-3326000105

Note: The number 3326000105 above is the router’s serial number and varies depending on the router’s actual serial number.

The show crypto mypubkey rsa command displays information about the key pair corresponding to the self-signed certificate:

Router# show crypto mypubkey rsa
% Key pair was generated at: 19:14:10 GMT Dec 21 2004
Key name: TP-self-signed-3326000105
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
 [hexadecimal public key data omitted]
% Key pair was generated at: 19:14:13 GMT Dec 21 2004
Key name: TP-self-signed-3326000105.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
 [hexadecimal public key data omitted]

Note: The second key pair with the name TP-self-signed-3326000105.server is the SSH key pair and is generated once any key pair is created on the router and SSH starts up.

The show crypto pki trustpoints command displays the trustpoints that are configured in the router:

Router# show crypto pki trustpoints
Trustpoint local:
    Subject Name:
    serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
           Serial Number: 01
    Persistent self-signed certificate trust point

For complete configuration information for persistent self-signed certificates, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtpsscer.html

For persistent self-signed certificates configuration examples, see the “Persistent Self-Signed Certificates Configuration Examples” section on page 30-64.
Configuring Certificate Chain Verification

To determine whether a trustpoint has been successfully authenticated, a certificate has been requested and granted, and the certificate is currently valid, enter the crypto pki cert validate command.

Note: The crypto pki cert validate command is only supported as of Cisco IOS Release 12.2(33)SRA.

Certificate Chain Verification Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring certificate chain verification:

• The crypto pki cert validate command validates the router’s own certificate for a given trustpoint. Use this command after enrollment to verify that the trustpoint is properly authenticated, a certificate has been requested and granted for the trustpoint, and that the certificate is currently valid. A certificate is valid if it is signed by the trustpoint certificate authority (CA), not expired, and so on.

To validate the router’s certificate for a trustpoint, enter the crypto pki cert validate command in global configuration mode as follows:

Router(config)# crypto pki cert validate trustpoint

In this command, trustpoint specifies the trustpoint to be validated.

For complete configuration information for certificate chain verification, refer to the Cisco IOS Security Command Reference.

For certificate chain verification configuration examples, see the “Certificate Chain Verification Configuration Examples” section on page 30-65.
Configuration Examples

This section provides examples of the following configurations:

• Multiple RSA Key Pairs Configuration Example, page 30-53
• Protected Private Key Storage Configuration Examples, page 30-54
• Trustpoint CA Configuration Example, page 30-54
• Query Mode Definition Per Trustpoint Configuration Example, page 30-54
• Local Certificate Storage Location Configuration Example, page 30-55
• Direct HTTP Enrollment with CA Servers Configuration Examples, page 30-55
• Manual Certificate Enrollment Configuration Examples, page 30-56
• Certificate Autoenrollment Configuration Example, page 30-59
• Key Rollover for Certificate Renewal Configuration Examples, page 30-60
• PKI: Query Multiple Servers During Certificate Revocation Check (CDP Override) Configuration Example, page 30-61
• Online Certificate Status Protocol Configuration Examples, page 30-61
• Optional OCSP Nonces Configuration Example, page 30-62
• Certificate Security Attribute-Based Access Control Configuration Example, page 30-62
• PKI AAA Authorization Using the Entire Subject Name Configuration Example, page 30-63
• Source Interface Selection for Outgoing Traffic with Certificate Authority Configuration Example, page 30-63
• Persistent Self-Signed Certificates Configuration Examples, page 30-64
• Certificate Chain Verification Configuration Examples, page 30-65

Multiple RSA Key Pairs Configuration Example

The following example is a sample trustpoint configuration that specifies the RSA key pair “exampleCAkeys”:

Router(config)# crypto key generate rsa general-purpose exampleCAkeys
Router(config)# crypto pki trustpoint exampleCAkeys
Router(config)# enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll
Router(config)# rsakeypair exampleCAkeys 1024 1024

Protected Private Key Storage Configuration Examples

This section contains the following configuration examples:

• Encrypted Key Configuration Example, page 30-54
• Locked Key Configuration Example, page 30-54

Encrypted Key Configuration Example

The following example shows how to encrypt the pki1-72a.cisco.com RSA key:

Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router(config)# exit

Locked Key Configuration Example

The following example shows how to lock the pki1-72a.cisco.com key:

Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234

Trustpoint CA Configuration Example

The following example shows how to declare the CA named kahului and specify characteristics for the trustpoint CA:

Router(config)# crypto pki trustpoint kahului
Router(ca-trustpoint)# enrollment url http://kahului
Router(ca-trustpoint)# crl query ldap://kahului

Query Mode Definition Per Trustpoint Configuration Example

The following configuration example shows a trustpoint CA that uses query mode:

Router(config)# crypto pki trustpoint trustpoint1
Router(ca-trustpoint)# enrollment url http://ca-server1
Router(ca-trustpoint)# crl query http://ca-server1
Router(ca-trustpoint)# default query certificate
Router(ca-trustpoint)# query certificate
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate trustpoint1
Router(config)# crypto key generate rsa
Router(config)# crypto pki enroll trustpoint1

Local Certificate Storage Location Configuration Example

The following example shows how to store certificates to the certs subdirectory. Note that the certs subdirectory does not exist and is automatically created.
Router(config)# crypto pki certificate storage disk0:/certs Requested directory does not exist -- created Certificates will be stored in disk0:/certs/ Router(config)# end Router# write *May 27 02:09:00:%SYS-5-CONFIG_I:Configured from console by consolemem Building configuration... [OK] Router# directory disk0:/certs Directory of disk0:/certs/ 14 -rw- 707 May 27 2005 02:09:02 +00:00 ioscaroot#7401CA.cer 15 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#826E.cer 16 -rw- 759 May 27 2005 02:09:02 +00:00 msca-root#1BA8CA.cer 17 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#75B8.cer 18 -rw- 1149 May 27 2005 02:09:02 +00:00 storagename#6500CA.cer 19 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#83EE.cer 47894528 bytes total (20934656 bytes free) ! The certificate files are now on disk0/certs: Direct HTTP Enrollment with CA Servers Configuration Examples This section provides the following configuration examples: • Enrollment Profile for a Client Router Configuration Example, page 30-55 • Enrollment Profile for a Client Router Already Enrolled with a Third-Party Vendor CA Example, page 30-55 • Certificate Server Automatically Accepting Enrollment Requests Only from the Client Router Configuration Example, page 30-56 Enrollment Profile for a Client Router Configuration Example The following example show how to configure an enrollment profile for direct HTTP enrollment with a CA server: Router(config)# crypto pki trustpoint Entrust Router(ca-trustpoint)# enrollment profile E Router(ca-trustpoint)# exit Router(config)# crypto pki profile enrollment E Router(ca-profile-enroll)# authentication url http://entrust:81 Router(ca-profile-enroll)# authentication command GET /certs/cacert.der Router(ca-profile-enroll)# enrollment url http://entrust:81/cda-cgi/clientcgi.exe Router(ca-profile-enroll)# enrollment command POST reference_number=$P2&authcode=$P1 &retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ Router(ca-profile-enroll)# parameter 1 value aaaa-bbbb-cccc 
Router(ca-profile-enroll)# parameter 2 value 5001 Enrollment Profile for a Client Router Already Enrolled with a Third-Party Vendor CA Example The following example shows how to configure the following tasks on the client router: 30-56 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 30 Configuring PKI Using the IPSec VPN SPA Configuration Examples • Define the msca-root trustpoint that points to the third-party vendor CA and enroll and authenticate the client with the third-party vendor CA. • Define cs trustpoint for the Cisco IOS CA. • Define enrollment profile “cs1,” which points to Cisco IOS CA and mention (via the enrollment credential command) that msca-root is being initially enrolled with the Cisco IOS CA. ! Define trustpoint "msca-root" for non-Cisco IOS CA. Router(config)# crypto pki trustpoint msca-root Router(ca-trustpoint)# enrollment mode ra Router(ca-trustpoint)# enrollment url http://msca-root:80/certsrv/mscep/mscep.dll Router(ca-trustpoint)# ip-address FastEthernet2/0 Router(ca-trustpoint)# revocation-check crl ! Configure trustpoint "cs" for Cisco IOS CA. Router(config)# crypto pki trustpoint cs Router(ca-trustpoint)# enrollment profile cs1 Router(ca-trustpoint)# revocation-check crl ! Define enrollment profile "cs1." 
Router(config)# crypto pki profile enrollment cs1
Router(ca-profile-enroll)# enrollment url http://cs:80
Router(ca-profile-enroll)# enrollment credential msca-root

Certificate Server Automatically Accepting Enrollment Requests Only from the Client Router Configuration Example

The following example shows how to configure the certificate server and enter the grant auto trustpoint command, which instructs the certificate server to accept enrollment requests only from clients that are already enrolled with the msca-root trustpoint:

Router(config)# crypto pki server cs
Router(cs-server)# database level minimum
Router(cs-server)# database url nvram:
Router(cs-server)# issuer-name CN=cs
Router(cs-server)# grant auto trustpoint msca-root
Router(config)# crypto pki trustpoint cs
Router(ca-trustpoint)# revocation-check crl
Router(ca-trustpoint)# rsakeypair cs
Router(config)# crypto pki trustpoint msca-root
Router(ca-trustpoint)# enrollment mode ra
Router(ca-trustpoint)# enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
Router(ca-trustpoint)# revocation-check crl

Manual Certificate Enrollment Configuration Examples

This section provides the following manual certificate enrollment configuration examples:
• Manual Certificate Enrollment Using TFTP Configuration Example, page 30-56
• Manual Certificate Enrollment Using Cut-and-Paste Configuration Example, page 30-57

Manual Certificate Enrollment Using TFTP Configuration Example

The following example shows the configuration of manual certificate enrollment using TFTP:

Router(config)# crypto pki trustpoint MS
Router(ca-trustpoint)# enrollment url tftp://CA-Server/TFTPfiles/router1
Router(ca-trustpoint)# crypto pki authenticate MS
Router(ca-trustpoint)# exit
Router(config)# crypto pki enroll MS
Router(config)# crypto pki import MS certificate

Manual Certificate Enrollment Using Cut-and-Paste Configuration Example

The following example shows how to configure manual cut-and-paste certificate enrollment. In this example, the name of the trustpoint CA is MS, and the crypto pki import command is entered twice because usage keys (separate signature and encryption keys) are used, so the router receives two certificates.

Router(config)# crypto pki trustpoint MS
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# crypto pki authenticate MS
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIICNDCCAd6gAwIBAgIQOsCmXpVHwodKryRoqULV7jANBgkqhkiG9w0BAQUFADA5
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJ
bXNjYS1yb290MB4XDTAyMDIxNDAwNDYwMVoXDTA3MDIxNDAwNTQ0OFowOTELMAkG
A1UEBhMCVVMxFjAUBgNVBAoTDUNpc2NvIFN5c3RlbXMxEjAQBgNVBAMTCW1zY2Et
cm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCix8nIGFg+wvy3BjFbVi25wYoG
K2N0HWWHpqxFuFhqyBnIC0OshIn9CtrdN3JvUNHr0NIKocEwNKUGYmPwWGTfAgMB
AAGjgcEwgb4wCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
FKIacsl6dKAfuNDVQymlSp7esf8jMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9t
c2NhLXJvb3QvQ2VydEVucm9sbC9tc2NhLXJvb3QuY3JsMDGgL6AthitmaWxlOi8v
XFxtc2NhLXJvb3RcQ2VydEVucm9sbFxtc2NhLXJvb3QuY3JsMBAGCSsGAQQBgjcV
AQQDAgEAMA0GCSqGSIb3DQEBBQUAA0EAeuZkZMX9qkoLHfETYTpVWjZPQbBmwNRA
oJDSdYdtL3BcI/uLL5q7EmODyGfLyMGxuhQYx5r/40aSQgLCqBq+yg==
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint:D6C12961 CD78808A 4E02193C 0790082A
% Do you accept this certificate? [yes/no]:y
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)#
Router(config)# crypto pki enroll MS
% Start certificate enrollment..
% The subject name in the certificate will be:Router.cisco.com
% Include the router serial number in the subject name? [yes/no]:n
% Include an IP address in the subject name? [no]:n
Display Certificate Request to terminal? [yes/no]:y
Signature key certificate request -
Certificate Request follows:
MIIBhTCB7wIBADAlMSMwIQYJKoZIhvcNAQkCFhRTYW5kQmFnZ2VyLmNpc2NvLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxdhXFDiWAn/hIZs9zfOtssKA
daoWYu0ms9Fe/Pew01dh14vXdxgacstOs2Pr5wk6jLOPxpvxOJPWyQM6ipLmyVxv
ojhyLTrVohrh6Dnqcvk+G/5ohss9o9RxvONwx042pQchFnx9EkMuZC7evwRxJEqR
mBHXBZ8GmP3jYQsjS8MCAwEAAaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/
BAQDAgeAMA0GCSqGSIb3DQEBBAUAA4GBAMT6WtyFw95POY7UtF+YIYHiVRUf4SCq
hRIAGrljUePLo9iTqyPU1Pnt8JnIZ5P5BHU3MfgP8sqodaWub6mubkzaohJ1qD06
O87fnLCNid5Tov5jKogFHIki2EGGZxBosUw9lJlenQdNdDPbJc5LIWdfDvciA6jO
Nl8rOtKnt8Q+
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]:
Encryption key certificate request -
Certificate Request follows:
MIIBhTCB7wIBADAlMSMwIQYJKoZIhvcNAQkCFhRTYW5kQmFnZ2VyLmNpc2NvLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwG60QojpDbzbKnyj8FyTiOcv
THkDP7XD4vLT1XaJ409z0gSIoGnIcdFtXhVlBWtpq3/O9zYFXr1tH+BMCRQi3Lts
0IpxYa3D9iFPqev7SPXpsAIsY8a6FMq7TiwLObqiQjLKL4cbuV0Frjl0Yuv5A/Z+
kqMOm7c+pWNWFdLe9lsCAwEAAaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/
BAQDAgUgMA0GCSqGSIb3DQEBBAUAA4GBACF7feURj/fJMojPBlR6fa9BrlMJx+2F
H91YM/CIiz2n4mHTeWTWKhLoT8wUfa9NGOk7yi+nF/F7035twLfq6n2bSCTW4aem
8jLMMaeFxwkrV/ceQKrucmNC1uVx+fBy9rhnKx8j60XE25tnp1U08r6om/pBQABU
eNPFhozcaQ/2
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: n
Router(config)# crypto pki import MS certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
MIIDajCCAxSgAwIBAgIKFN7C6QAAAAAMRzANBgkqhkiG9w0BAQUFADA5MQswCQYD
VQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJbXNjYS1y
b290MB4XDTAyMDYwODAxMTY0MloXDTAzMDYwODAxMjY0MlowJTEjMCEGCSqGSIb3
DQEJAhMUU2FuZEJhZ2dlci5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAMXYVxQ4lgJ/4SGbPc3zrbLCgHWqFmLtJrPRXvz3sNNXYdeL13cYGnLL
TrNj6+cJOoyzj8ab8TiT1skDOoqS5slcb6I4ci061aIa4eg56nL5Phv+aIbLPaPU
cbzjcMdONqUHIRZ8fRJDLmQu3r8EcSRKkZgR1wWfBpj942ELI0vDAgMBAAGjggHM
MIIByDALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFL8Quz8dyz4EGIeKx9A8UMNHLE4s
MHAGA1UdIwRpMGeAFKIacsl6dKAfuNDVQymlSp7esf8joT2kOzA5MQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJbXNjYS1yb290
ghA6wKZelUfCh0qvJGipQtXuMCIGA1UdEQEB/wQYMBaCFFNhbmRCYWdnZXIuY2lz
Y28uY29tMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9tc2NhLXJvb3QvQ2VydEVu
cm9sbC9tc2NhLXJvb3QuY3JsMDGgL6AthitmaWxlOi8vXFxtc2NhLXJvb3RcQ2Vy
dEVucm9sbFxtc2NhLXJvb3QuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDA/BggrBgEF
BQcwAoYzaHR0cDovL21zY2Etcm9vdC9DZXJ0RW5yb2xsL21zY2Etcm9vdF9tc2Nh
LXJvb3QuY3J0MEEGCCsGAQUFBzAChjVmaWxlOi8vXFxtc2NhLXJvb3RcQ2VydEVu
cm9sbFxtc2NhLXJvb3RfbXNjYS1yb290LmNydDANBgkqhkiG9w0BAQUFAANBAJo2
r6sHPGBdTQX2EDoJpR/A2UHXxRYqVSHkFKZw0z31r5JzUM0oPNUETV7mnZlYNVRZ
CSEX/G8boi3WOjz9wZo=
% Router Certificate successfully imported
Router(config)#
Router(config)# crypto pki import MS certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
MIIDajCCAxSgAwIBAgIKFN7OBQAAAAAMSDANBgkqhkiG9w0BAQUFADA5MQswCQYD
VQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJbXNjYS1y
b290MB4XDTAyMDYwODAxMTY0NVoXDTAzMDYwODAxMjY0NVowJTEjMCEGCSqGSIb3
DQEJAhMUU2FuZEJhZ2dlci5jaXNjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAMButEKI6Q282yp8o/Bck4jnL0x5Az+1w+Ly09V2ieNPc9IEiKBpyHHR
bV4VZQVraat/zvc2BV69bR/gTAkUIty7bNCKcWGtw/YhT6nr+0j16bACLGPGuhTK
u04sCzm6okIyyi+HG7ldBa45dGLr+QP2fpKjDpu3PqVjVhXS3vZbAgMBAAGjggHM
MIIByDALBgNVHQ8EBAMCBSAwHQYDVR0OBBYEFPDO29oRdlEUSgBMg6jZR+YFRWlj
MHAGA1UdIwRpMGeAFKIacsl6dKAfuNDVQymlSp7esf8joT2kOzA5MQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJbXNjYS1yb290
ghA6wKZelUfCh0qvJGipQtXuMCIGA1UdEQEB/wQYMBaCFFNhbmRCYWdnZXIuY2lz
Y28uY29tMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9tc2NhLXJvb3QvQ2VydEVu
cm9sbC9tc2NhLXJvb3QuY3JsMDGgL6AthitmaWxlOi8vXFxtc2NhLXJvb3RcQ2Vy
dEVucm9sbFxtc2NhLXJvb3QuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDA/BggrBgEF
BQcwAoYzaHR0cDovL21zY2Etcm9vdC9DZXJ0RW5yb2xsL21zY2Etcm9vdF9tc2Nh
LXJvb3QuY3J0MEEGCCsGAQUFBzAChjVmaWxlOi8vXFxtc2NhLXJvb3RcQ2VydEVu
cm9sbFxtc2NhLXJvb3RfbXNjYS1yb290LmNydDANBgkqhkiG9w0BAQUFAANBAHaU
hyCwLirUghNxCmLzXRG7C3W1j0kSX7a4fX9OxKR/Z2SoMjdMNPPyApuh8SoT2zBP
ZKjZU2WjcZG/nZF4W5k=
% Router Certificate successfully imported

Certificate Autoenrollment Configuration Example

The following example shows how to configure the router to autoenroll with a CA on start-up:

Router(config)# crypto pki trustpoint frog
Router(ca-trustpoint)# enrollment url http://frog.phoobin.com/
Router(ca-trustpoint)# subject-name OU=Spiral Dept., O=tiedye.com
Router(ca-trustpoint)# ip-address ethernet-0
Router(ca-trustpoint)# auto-enroll regenerate
Router(ca-trustpoint)# password revokeme
Router(ca-trustpoint)# rsakeypair frog 2048
!
Router(config)# crypto pki certificate chain frog
Router(config-cert-chain)# certificate ca 0B
30820293 3082023D A0030201 0202010B 300D0609 2A864886 F70D0101 04050030
79310B30 09060355 04061302 5553310B 30090603 55040813 02434131 15301306
0355040A 130C4369 73636F20 53797374 656D3120 301E0603 55040B13 17737562
6F726420 746F206B 6168756C 75692049 50495355 31243022 06035504 03131B79
6E692D75 31302043 65727469 66696361 7465204D 616E6167 6572301E 170D3030
30373134 32303536 32355A17 0D303130 37313430 31323834 335A3032 310E300C
06035504 0A130543 6973636F 3120301E 06092A86 4886F70D 01090216 11706B69
2D343562 2E636973 636F2E63 6F6D305C 300D0609 2A864886 F70D0101 01050003
4B003048 024100B3 0512A201 3B4243E1 378A9703 8AC5E3CE F77AF987 B5A422C4
15E947F6 70997393 70CF34D6 63A86B9C 4347A81A 0551FC02 ABA62360 01EF7DD2
6C136AEB 3C6C3902 03010001 A381F630 81F3300B 0603551D 0F040403 02052030
1C060355 1D110415 30138211 706B692D 3435622E 63697363 6F2E636F 6D301D06
03551D0E 04160414 247D9558 169B9A21 23D289CC 2DDA2A9A 4F77C616 301F0603
551D2304 18301680 14BD742C E892E819 1D551D91 683F6DB2 D8847A6C 73308185
0603551D 1F047E30 7C307AA0 3CA03AA4 38303631 0E300C06 0355040A 13054369
73636F31 24302206 03550403 131B796E 692D7531 30204365 72746966 69636174
65204D61 6E616765 72A23AA4 38303631 0E300C06 0355040A 13054369 73636F31
24302206 03550403 131B796E 692D7531 30204365 72746966 69636174 65204D61
6E616765 72300D06 092A8648 86F70D01 01040500 03410015 BC7CECF9 696697DF
E887007F 7A8DA24F 1ED5A785 C5C60452 47860061 0C18093D 08958A77 5737246B
0A25550A 25910E27 8B8B428E 32F8D948 3DD1784F 954C70
quit

Key Rollover for Certificate Renewal Configuration Examples

This section contains the following examples:
• Certificate Autoenrollment with Key Rollover Configuration Example, page 30-60
• Manual Certificate Enrollment with Key Rollover Configuration Example, page 30-60

Certificate Autoenrollment with Key Rollover Configuration Example

The following example shows how to configure the router to autoenroll with the CA named trustme1 on startup. In this example, the regenerate keyword is specified, so a new key will be generated for the certificate. The renewal percentage is configured as 90, so if the certificate has a lifetime of one year, a new certificate is requested 36.5 days before the old certificate expires. The changes made to the running configuration are saved to the NVRAM startup configuration because autoenrollment will not update NVRAM if the running configuration has been modified but not written to NVRAM.

Router(config)# crypto pki trustpoint trustme1
Router(ca-trustpoint)# enrollment url http://trustme1.company.com/
Router(ca-trustpoint)# subject-name OU=Spiral Dept., O=tiedye.com
Router(ca-trustpoint)# ip-address ethernet0
Router(ca-trustpoint)# serial-number none
Router(ca-trustpoint)# auto-enroll 90 regenerate
Router(ca-trustpoint)# password revokeme
Router(ca-trustpoint)# rsakeypair trustme1 2048
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate trustme1
Router(config)# copy system:running-config nvram:startup-config

Manual Certificate Enrollment with Key Rollover Configuration Example

The following example shows how to configure key rollover to regenerate new keys with a manual certificate enrollment from the CA named trustme2.
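The cut-and-paste enrollment earlier in this section pauses at "Do you accept this certificate?" with only a fingerprint to go on, and the autoenrollment examples turn on the certificate's validity window. The following Python is an added example, not code from this guide or from Cisco IOS: it decodes the msca-root CA certificate pasted in the cut-and-paste example (reproduced here as sample data), extracts the issuer and subject CN and the validity period with a small DER reader, prints MD5 and SHA-1 fingerprints in the grouping IOS uses so they can be compared with the value the CA operator publishes out of band, and computes when an auto-enroll renewal percentage would trigger re-enrollment (the guide's 90 percent of a one-year lifetime leaves 36.5 days). The function names and the renewal formula are this example's own.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed copy of the msca-root CA certificate pasted in the cut-and-paste
# enrollment example above (the guide's own sample data, reproduced verbatim).
CA_CERT_PEM = """\
-----BEGIN CERTIFICATE-----
MIICNDCCAd6gAwIBAgIQOsCmXpVHwodKryRoqULV7jANBgkqhkiG9w0BAQUFADA5
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEAxMJ
bXNjYS1yb290MB4XDTAyMDIxNDAwNDYwMVoXDTA3MDIxNDAwNTQ0OFowOTELMAkG
A1UEBhMCVVMxFjAUBgNVBAoTDUNpc2NvIFN5c3RlbXMxEjAQBgNVBAMTCW1zY2Et
cm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCix8nIGFg+wvy3BjFbVi25wYoG
K2N0HWWHpqxFuFhqyBnIC0OshIn9CtrdN3JvUNHr0NIKocEwNKUGYmPwWGTfAgMB
AAGjgcEwgb4wCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
FKIacsl6dKAfuNDVQymlSp7esf8jMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9t
c2NhLXJvb3QvQ2VydEVucm9sbC9tc2NhLXJvb3QuY3JsMDGgL6AthitmaWxlOi8v
XFxtc2NhLXJvb3RcQ2VydEVucm9sbFxtc2NhLXJvb3QuY3JsMBAGCSsGAQQBgjcV
AQQDAgEAMA0GCSqGSIb3DQEBBQUAA0EAeuZkZMX9qkoLHfETYTpVWjZPQbBmwNRA
oJDSdYdtL3BcI/uLL5q7EmODyGfLyMGxuhQYx5r/40aSQgLCqBq+yg==
-----END CERTIFICATE-----
"""

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER certificate."""
    body = [l.strip() for l in pem.splitlines()
            if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def common_name(name):
    """Pull CN out of an X.501 Name: SEQUENCE of SET of SEQUENCE {OID, value}."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode("ascii")
    return None


def utc_time(value):
    """UTCTime 'YYMMDDhhmmssZ' as an aware datetime (strptime maps '02' to 2002)."""
    text = value.decode("ascii")
    return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ios_fingerprint(hexdigest):
    """Group a hex digest the way IOS prints 'Fingerprint:D6C12961 CD78808A ...'."""
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8)).upper()


def summarize(der):
    """Fields an operator checks before answering 'yes' to 'Do you accept this certificate?'."""
    _, cert, _ = read_tlv(der)
    tbs = children(cert)[0][1]          # tbsCertificate is the first element
    fields = children(tbs)
    if fields[0][0] == 0xA0:            # explicit [0] version field present
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = children(validity[1])
    return {
        "serial": serial[1].hex(),
        "issuer_cn": common_name(issuer[1]),
        "subject_cn": common_name(subject[1]),
        "not_before": utc_time(not_before[1]),
        "not_after": utc_time(not_after[1]),
        "md5": ios_fingerprint(hashlib.md5(der).hexdigest()),
        "sha1": ios_fingerprint(hashlib.sha1(der).hexdigest()),
    }


def renewal_time(not_before, not_after, percent):
    """Point at which 'auto-enroll <percent> regenerate' asks for a new certificate."""
    return not_before + (not_after - not_before) * (percent / 100)


if __name__ == "__main__":
    info = summarize(pem_to_der(CA_CERT_PEM))
    for key, value in info.items():
        print(f"{key:>10}: {value}")
    print("renew at 90%:", renewal_time(info["not_before"], info["not_after"], 90))
```

Comparing the computed MD5 line with the Fingerprint line the router printed, and both with the value obtained from the CA operator over a separate channel, is the check that makes the cut-and-paste "yes" safe; a self-signed root shows the same CN as issuer and subject, as this one does.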
Router(config)# crypto pki trustpoint trustme2
Router(ca-trustpoint)# enrollment url http://trustme2.company.com/
Router(ca-trustpoint)# subject-name OU=Spiral Dept., O=tiedye.com
Router(ca-trustpoint)# ip-address ethernet0
Router(ca-trustpoint)# serial-number none
Router(ca-trustpoint)# regenerate
Router(ca-trustpoint)# password revokeme
Router(ca-trustpoint)# rsakeypair trustme2 2048
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate trustme2
Router(config)# crypto pki enroll trustme2
Router(config)# exit

PKI: Query Multiple Servers During Certificate Revocation Check (CDP Override) Configuration Example

The following example uses the match certificate override cdp command to override the CDPs for the certificate map named Group1, which is defined with the crypto pki certificate map command:

Router(config)# crypto pki certificate map Group1 10
Router(ca-certificate-map)# subject-name co ou=WAN
Router(ca-certificate-map)# subject-name co o=Cisco
Router(config)# crypto pki trustpoint pki
Router(ca-trustpoint)# match certificate Group1 override cdp url http://server.cisco.com

Online Certificate Status Protocol Configuration Examples

This section provides the following configuration examples:
• OCSP Server Configuration Example, page 30-61
• CRL Then OCSP Server Configuration Example, page 30-61
• Specific OCSP Server Configuration Example, page 30-61

OCSP Server Configuration Example

The following example shows how to configure the router to use the OCSP server that is specified in the AIA extension of the certificate:

Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check ocsp

CRL Then OCSP Server Configuration Example

The following example shows how to configure the router to download the CRL from the certificate distribution point (CDP); if the CRL is unavailable, the OCSP server that is specified in the AIA extension of the certificate is used instead. If both options fail, certificate verification also fails.

Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check crl ocsp

Specific OCSP Server Configuration Example

The following example shows how to configure your router to use the OCSP server at the HTTP URL http://myocspserver:81. If the server is down, the none keyword causes the revocation check to be skipped and validation to continue.

Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# ocsp url http://myocspserver:81
Router(ca-trustpoint)# revocation-check ocsp none

Optional OCSP Nonces Configuration Example

The following example shows the unique identifier (nonce) being disabled for OCSP communications for a previously created trustpoint named ts:

Router(config)# crypto pki trustpoint ts
Router(ca-trustpoint)# ocsp disable-nonce
Router(ca-trustpoint)# end

Certificate Security Attribute-Based Access Control Configuration Example

The following example shows how to configure a certificate-based ACL:

Router(config)# crypto pki certificate map Group 10
Router(ca-certificate-map)# subject-name co Cisco
Router(ca-certificate-map)# exit
Router(config)# crypto pki trustpoint Access
Router(ca-trustpoint)# match certificate Group
Router(ca-trustpoint)# exit

PKI AAA Authorization Using the Entire Subject Name Configuration Example

The following example shows that the entire subject name of the certificate is to be used for PKI AAA authorization:

Router(config)# aaa new-model
Router(config)# aaa authorization network tac-o group tacacs+
Router(config)# crypto pki trustpoint test
Router(ca-trustpoint)# enrollment url http://caserver:80
Router(ca-trustpoint)# revocation-check crl
Router(ca-trustpoint)# authorization list tac-o
Router(ca-trustpoint)# authorization username subjectname all
Router(ca-trustpoint)# exit
Router(config)# tacacs-server host 20.2.2.2 key a_secret_ke

Source Interface Selection for Outgoing Traffic with Certificate Authority Configuration Example

In the following example, the router is located in a branch office. The router uses IP Security (IPSec) to communicate with the main office. Ethernet 1 is the outside interface that connects to the Internet Service Provider (ISP). Ethernet 0 is the interface connected to the LAN of the branch office. To access the CA server located in the main office, the router must send its IP datagrams out interface Ethernet 1 (address 10.2.2.205) using the IPSec tunnel. Address 10.2.2.205 is assigned by the ISP and is not part of the branch office or main office address space. The CA cannot reach any address outside the company because of a firewall, so when it sees a message coming from 10.2.2.205 it cannot respond (the CA does not know that the router is located in a branch office at address 10.1.1.1, which it is able to reach). Adding the source interface command tells the router to use address 10.1.1.1 as the source address of the IP datagrams that it sends to the CA, and the CA is then able to respond to 10.1.1.1. This example is configured using the source interface command and the interface addresses described above.
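The OCSP, certificate-ACL and PKI AAA examples above each decide whether a peer certificate is accepted and what identity is handed on. The following Python is an added example, not IOS code: it models a trustpoint's revocation-check method list (an unavailable CRL or OCSP responder falls through to the next method, none means skip, and every method failing means rejection, exactly as the crl ocsp and ocsp none examples describe), certificate map matching (entries tried in sequence order, all rules within an entry required, co/nc/eq/ne compared case-insensitively) and the username passed to AAA under authorization username subjectname. The certificate fields and trustpoint dictionaries are constructed for the example; the commonname keyword is another value that command accepts.

```python
# Added model of trustpoint validation policy; not IOS code.
# Constructed peer certificate, reduced to the fields the examples above match on.
SAMPLE_CERT = {
    "subject-name": "CN=wan-router-1, OU=WAN, O=Cisco",
    "issuer-name": "CN=msca-root, O=Cisco Systems",
}

# crypto pki certificate map Group1 10 / subject-name co ou=WAN / subject-name co o=Cisco
GROUP1 = {10: [("subject-name", "co", "ou=WAN"), ("subject-name", "co", "o=Cisco")]}

# Trustpoints as the examples above configure them (constructed dictionaries).
TRUSTPOINT_STRICT = {"match certificate": GROUP1, "revocation-check": ["crl", "ocsp"]}
TRUSTPOINT_LAX = {"match certificate": None, "revocation-check": ["ocsp", "none"]}


def check_revocation(methods, crl_status, ocsp_status):
    """Walk the 'revocation-check' methods in order. Each status is 'good',
    'revoked' or 'unavailable'; an unavailable source falls through to the next."""
    for method in methods:
        if method == "none":
            return "accepted", "revocation check skipped ('none' reached)"
        status = crl_status if method == "crl" else ocsp_status
        if status == "revoked":
            return "rejected", f"{method} reports the certificate revoked"
        if status == "good":
            return "accepted", f"{method} reports the certificate good"
    return "rejected", "every revocation-check method failed"


def rule_matches(value, operator, pattern):
    """Certificate map operators: eq, ne, co (contains), nc; case-insensitive."""
    value, pattern = value.lower(), pattern.lower()
    return {"eq": value == pattern, "ne": value != pattern,
            "co": pattern in value, "nc": pattern not in value}[operator]


def match_certificate_map(cert, cert_map):
    """Entries are tried in sequence order (OR); all rules of an entry must hold (AND).
    Returns the matching sequence number, or None."""
    for seq in sorted(cert_map):
        if all(rule_matches(cert.get(field, ""), op, pat) for field, op, pat in cert_map[seq]):
            return seq
    return None


def aaa_username(cert, subjectname_mode):
    """Name sent to the AAA server under 'authorization username subjectname ...'."""
    subject = cert["subject-name"]
    if subjectname_mode == "all":
        return subject
    if subjectname_mode == "commonname":
        for part in subject.split(","):
            attr, _, val = part.strip().partition("=")
            if attr.lower() == "cn":
                return val
    raise ValueError(f"unsupported subjectname mode {subjectname_mode!r}")


def validate(cert, trustpoint, crl_status, ocsp_status):
    """Apply the trustpoint's certificate map (if any), then its revocation policy."""
    cert_map = trustpoint.get("match certificate")
    if cert_map is not None and match_certificate_map(cert, cert_map) is None:
        return "rejected", "certificate matches no entry of the certificate map"
    return check_revocation(trustpoint["revocation-check"], crl_status, ocsp_status)


if __name__ == "__main__":
    for name, tp in (("strict", TRUSTPOINT_STRICT), ("lax", TRUSTPOINT_LAX)):
        for crl, ocsp in (("unavailable", "unavailable"), ("unavailable", "revoked")):
            print(name, crl, ocsp, "->", validate(SAMPLE_CERT, tp, crl, ocsp))
    print("AAA username:", aaa_username(SAMPLE_CERT, "all"))
```

The two trustpoints make the trade-off visible: with crl ocsp an outage of both sources rejects the peer (fail closed), while ocsp none accepts a peer whose status could not be checked at all (fail open), which is why the none keyword belongs at the end of the list and only where that outcome is acceptable.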
Router(config)# crypto pki trustpoint ms-ca
Router(ca-trustpoint)# enrollment url http://ms-ca:80/certsrv/mscep/mscep.dll
Router(ca-trustpoint)# source interface ethernet0
Router(config)# interface ethernet 0
Router(config-if)# description inside interface
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config)# interface ethernet 1
Router(config-if)# description outside interface
Router(config-if)# ip address 10.2.2.205 255.255.255.0
Router(config-if)# crypto map main-office

Persistent Self-Signed Certificates Configuration Examples

The following examples show how to configure a persistent self-signed certificate:
• Trustpoint and Self-Signed Certificate Configuration Example, page 30-64
• Enabling the HTTPS Server Configuration Example, page 30-64

Trustpoint and Self-Signed Certificate Configuration Example

The following example shows how to configure a trustpoint and a self-signed certificate. In this example, a trustpoint named local is declared, its enrollment is requested, and a self-signed certificate with an IP address is generated.

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint local
Router(ca-trustpoint)# enrollment selfsigned
Router(ca-trustpoint)# end
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki enroll local
Nov 29 20:51:13.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
Nov 29 20:51:13.267: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: ethernet 0
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created

Note A router can have only one self-signed certificate. If you attempt to enroll a trustpoint configured for a self-signed certificate and one already exists, you receive a notification and are asked if you want to replace it. If so, a new self-signed certificate is generated to replace the existing one.

Enabling the HTTPS Server Configuration Example

In the following example, the HTTPS server is enabled and a default trustpoint is generated because one was not previously configured:

Router(config)# ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
*Dec 21 19:14:15.421:%PKI-4-NOAUTOSAVE:Configuration was modified. Issue "write memory" to save new certificate
Router(config)#

Note You must save the configuration to NVRAM if you want to keep the self-signed certificate and have the HTTPS server enabled following router reloads.

The following message also appears:

*Dec 21 19:14:10.441:%SSH-5-ENABLED:SSH 1.99 has been enabled
Router(config)#

Note Creation of the key pair used with the self-signed certificate causes the Secure Shell (SSH) server to start. This behavior cannot be suppressed. You may want to modify your access control lists (ACLs) to permit or deny SSH access to the router.

Certificate Chain Verification Configuration Examples

The following examples show the possible output from the crypto pki cert validate command:

Router(config)# crypto pki cert validate ka
Validation Failed: trustpoint not found for ka

Router(config)# crypto pki cert validate ka
Validation Failed: can't get local certificate chain

Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Certificate chain for ka is valid

Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Validation Error: no certs on chain

Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Validation Error: unspecified error

Chapter 31 Configuring Advanced VPNs Using the IPSec VPN SPA

This chapter provides information about configuring advanced IPSec VPNs on the IPSec VPN SPA on the Cisco 7600 series router. It includes the following sections:
• Overview of Advanced VPNs, page 31-2
• Configuring DMVPN, page 31-2
• Configuring the Easy VPN Server, page 31-15
• Configuring the Easy VPN Remote, page 31-16
• Configuring Easy VPN Remote RSA Signature Storage, page 31-16
• Configuration Examples, page 31-17

Note The procedures in this chapter assume you have familiarity with security configuration concepts, such as VLANs, ISAKMP policies, preshared keys, transform sets, access control lists, and crypto maps. For more information about these and other security configuration concepts, refer to the following Cisco IOS documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications. For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 12.2SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.

Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.

Overview of Advanced VPNs

Configuring IP Security (IPSec) Virtual Private Networks (VPNs) in large, complicated networks can be quite complex. This chapter introduces Dynamic Multipoint VPN (DMVPN) and Easy VPN, two features that ease IPSec configuration in advanced environments.

Configuring DMVPN

The DMVPN feature allows users to better scale large and small IPSec VPNs by combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP). Figure 31-1 shows an example of a DMVPN configuration with a hub and two spokes.

Figure 31-1 DMVPN Configuration Example
[Figure: HUB with fvrf and ivrf, Tunnel0 30.0.0.1, tunnel source VLAN 10 (10.0.0.1), LAN 70.0.0.0/24; Spoke1 with ivrf, Tunnel0 30.1.0.1, tunnel source Loopback 0 (11.0.0.1), LAN 80.0.0.0/24; Spoke2 with ivrf, Tunnel0 30.2.0.1, tunnel source 21.0.0.1, LAN 90.0.0.0/24; links on G3/1 and G3/13.]

DMVPN Configuration Guidelines and Restrictions

When configuring DMVPN, follow these guidelines and restrictions:
• A tunnel key should not be configured. If a tunnel key is configured, neither the PFC3 nor the IPSec VPN SPA will take over the tunnel, and the tunnel will be switched in software.
• GRE tunnels in different Virtual Routing and Forwarding (VRF) instances cannot share the same tunnel source.
• In non-VRF mode, multipoint GRE tunnels should not share the same tunnel source.
• Multicast streaming is not supported across DMVPN on a Cisco 7600 series router. Only multicast packets from a control plane such as routing protocols are supported.
• In a VRF-Aware DMVPN configuration, the mls mpls tunnel-recir command must be configured globally on the PE/hub if the CE/DMVPN spokes need to talk to other CEs across the MPLS cloud.
• For the NAT-transparency aware enhancement to work with DMVPN, you must use IPSec transport mode on the transform set. Also, even though NAT-transparency (IKE and IPSec) can support two peers being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them, known as Peer Address Translation), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated; they can have the same IP address before they are NAT translated.
• If you use this feature's dynamic creation of spoke-to-spoke tunnels, you must use IKE certificates or wildcard preshared keys for Internet Security Association and Key Management Protocol (ISAKMP) authentication.

Note We recommend that you do not use wildcard preshared keys because access to the entire VPN is compromised if one spoke router is compromised.

• GRE tunnel keepalive (that is, the keepalive command under the GRE interface) is not supported on multipoint GRE tunnels.
• FVRF is not supported on a multipoint GRE (mGRE) tunnel configured on a DMVPN spoke. FVRF is supported on an mGRE tunnel configured on a DMVPN hub.

To enable mGRE and IPSec tunneling for hub and spoke routers, configure your mGRE tunnel for IPSec encryption using the following procedures:
• DMVPN Prerequisites, page 31-3
• Configuring an IPSec Profile, page 31-4
• Configuring the Hub for DMVPN in VRF Mode, page 31-5
• Configuring the Hub for DMVPN in Crypto-Connect Mode, page 31-7
• Configuring the Spoke for DMVPN in VRF Mode, page 31-8
• Configuring the Spoke for DMVPN in Crypto-Connect Mode, page 31-10
• Verifying the DMVPN Configuration, page 31-12
• DMVPN Configuration Examples, page 31-18

For complete configuration information for DMVPN support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html

DMVPN Prerequisites

Before configuring an IPSec profile, you must define a transform set by using the crypto ipsec transform-set command.

Configuring an IPSec Profile

The IPSec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPSec profile. Only commands that pertain to an IPSec policy can be issued under an IPSec profile; you cannot specify the IPSec peer address or the access control list (ACL) to match the packets that are to be encrypted.

To configure an IPSec profile, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto ipsec profile name
Purpose: Defines the IPSec parameters that are to be used for IPSec encryption between “spoke and hub” and “spoke and spoke” routers. This command enters crypto map configuration mode.
• name—Name of the IPSec profile.

Step 2
Command: Router(config-crypto-map)# set transform-set transform-set-name
Purpose: Specifies which transform sets can be used with the IPSec profile.
• transform-set-name—Name of the transform set.

Step 3
Command: Router(config-crypto-map)# set identity
Purpose: (Optional) Specifies identity restrictions to be used with the IPSec profile.

Step 4
Command: Router(config-crypto-map)# set security association lifetime {seconds seconds | kilobytes kilobytes}
Purpose: (Optional) Overrides the global lifetime value for the IPSec profile.
• seconds—Number of seconds a security association will live before expiring.
• kilobytes—Volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires.

Step 5
Command: Router(config-crypto-map)# set pfs [group1 | group14 | group2 | group5]
Purpose: (Optional) Specifies that IP Security should ask for perfect forward secrecy (PFS) when requesting new security associations for this IPSec profile. If this command is not specified, the default (group1) will be enabled.
• group1—(Optional) Specifies that IPsec should use the 768-bit Diffie-Hellman (DH) prime modulus group when performing the new DH exchange.
• group14—(Optional) Specifies the 2048-bit DH prime modulus group.
• group2—(Optional) Specifies the 1024-bit DH prime modulus group.
• group5—(Optional) Specifies the 1536-bit DH prime modulus group.
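The guidelines and restrictions listed at the start of this DMVPN section, together with the note that peer addresses and ACLs are not valid in an IPSec profile, are easy to check mechanically against a running configuration before the hub and spoke procedures that follow are applied. The following Python is an added example, not part of this guide or of IOS: it splits a constructed configuration fragment into blocks and reports the violations it contains (a tunnel key, keepalive on an mGRE tunnel, tunnel vrf on a spoke mGRE tunnel, two non-VRF mGRE tunnels sharing a tunnel source, an undefined profile referenced by tunnel protection, set peer inside a profile, and no set pfs so the group1 default applies). Treating a tunnel that carries ip nhrp nhs as a spoke is this example's own assumption.

```python
from collections import defaultdict

# Constructed IOS configuration fragment with several deliberate guideline violations.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set TS
 set peer 192.0.2.1
!
interface Tunnel0
 ip address 30.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Vlan10
 tunnel mode gre multipoint
 tunnel key 100
 keepalive 10 3
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 ip address 30.1.0.1 255.255.255.0
 ip nhrp nhs 30.0.0.1
 ip nhrp network-id 2
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf FVRF
 tunnel protection ipsec profile MISSING
!
interface Tunnel2
 ip address 30.2.0.1 255.255.255.0
 ip nhrp network-id 3
 tunnel source Vlan10
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
"""


def parse_sections(text):
    """Group an IOS config into (top-level command, [indented sub-commands]) blocks."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections


def audit_dmvpn(text):
    """Return (where, finding) pairs for the DMVPN guidelines listed above."""
    findings = []
    sections = parse_sections(text)
    profiles = {h.split()[-1]: body for h, body in sections
                if h.startswith("crypto ipsec profile ")}
    for name, body in profiles.items():
        where = f"crypto ipsec profile {name}"
        for cmd in body:
            if cmd.startswith(("set peer", "match address")):
                findings.append((where, f"'{cmd}' is not valid in an IPSec profile"))
        if not any(cmd.startswith("set pfs") for cmd in body):
            findings.append((where, "no 'set pfs': default DH group1 (768-bit) is used"))
    mgre_sources = defaultdict(list)   # tunnel source -> non-VRF mGRE tunnels using it
    for header, body in sections:
        if not header.startswith("interface Tunnel"):
            continue
        is_mgre = "tunnel mode gre multipoint" in body
        # Assumption: a tunnel that names a next-hop server (ip nhrp nhs) is a spoke.
        is_spoke = any(c.startswith("ip nhrp nhs") for c in body)
        vrf_mode = any(c.startswith(("ip vrf forwarding", "tunnel vrf")) for c in body)
        if any(c.startswith("tunnel key") for c in body):
            findings.append((header, "tunnel key configured: neither PFC3 nor the IPSec VPN "
                                     "SPA takes the tunnel, so it is switched in software"))
        if is_mgre and any(c.startswith("keepalive") for c in body):
            findings.append((header, "GRE keepalive is not supported on mGRE tunnels"))
        if is_mgre and is_spoke and any(c.startswith("tunnel vrf") for c in body):
            findings.append((header, "FVRF (tunnel vrf) is not supported on a spoke mGRE tunnel"))
        for c in body:
            if c.startswith("tunnel protection ipsec profile") and c.split()[-1] not in profiles:
                findings.append((header, f"references undefined IPSec profile '{c.split()[-1]}'"))
        if is_mgre and not vrf_mode:
            src = next((c.split(None, 2)[2] for c in body if c.startswith("tunnel source")), None)
            if src:
                mgre_sources[src].append(header)
    for src, tunnels in mgre_sources.items():
        if len(tunnels) > 1:
            findings.append((", ".join(tunnels), f"non-VRF mGRE tunnels share tunnel source {src}"))
    return findings


if __name__ == "__main__":
    for where, what in audit_dmvpn(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```

Run against the sample it reports seven findings; a clean tunnel (mGRE, unique source, defined profile, no key or keepalive) produces none. The shared-source check deliberately ignores tunnels in VRF mode, because the guideline above is stated for non-VRF mode only.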
31-5 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 31 Configuring Advanced VPNs Using the IPSec VPN SPA Configuring DMVPN

Configuring the Hub for DMVPN in VRF Mode

In VPN routing and forwarding instance (VRF) mode, to configure the hub router for mGRE and IPSec integration (that is, to associate the tunnel with the IPSec profile configured in the previous procedure), perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# interface tunnel tunnel-number
Purpose: Configures a tunnel interface and enters interface configuration mode.
• tunnel-number—Number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.

Step 2
Command: Router(config-if)# ip vrf forwarding inside-vrf-name
Purpose: (Optional) Associates a VRF with an interface or subinterface. This step is required only when configuring an inside VRF.
• inside-vrf-name—Name assigned to the VRF.

Step 3
Command: Router(config-if)# ip address ip-address mask [secondary]
Purpose: Sets a primary or secondary IP address for the tunnel interface.
• ip-address—IP address.
• mask—Subnet mask.
• secondary—(Optional) Secondary IP address.

Step 4
Command: Router(config-if)# ip mtu bytes
Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
• bytes—MTU size in bytes.

Step 5
Command: Router(config-if)# ip nhrp authentication string
Purpose: (Optional) Configures the authentication string for an interface using the Next Hop Resolution Protocol (NHRP).
• string—Text of the authentication string. This string must be identical for all tunnels belonging to the same DMVPN.

Step 6
Command: Router(config-if)# ip nhrp map multicast dynamic
Purpose: Allows NHRP to automatically add spoke routers to the multicast NHRP mappings.

Step 7
Command: Router(config-if)# ip nhrp network-id number
Purpose: Enables NHRP on an interface.
• number—A 32-bit network identifier, unique within this chassis, from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.

Step 8
Command: Router(config-if)# tunnel source {ip-address | type number}
Purpose: Sets the source address for a tunnel interface.
• ip-address—IP address to use as the source address for packets in the tunnel.
• type number—Interface type and number (for example, VLAN 2).

Step 9
Command: Router(config-if)# tunnel mode gre multipoint
Purpose: Sets the encapsulation mode to mGRE for the tunnel interface.

Step 10
Command: Router(config-if)# tunnel vrf front-door-vrf-name
Purpose: (Optional) Associates a VRF instance with a specific tunnel destination, interface, or subinterface. This step is required only when configuring a front door VRF (FVRF).
• front-door-vrf-name—Name assigned to the VRF. This may or may not be the same as the inside-vrf-name.

Step 11
Command: Router(config-if)# tunnel protection ipsec profile name
Purpose: Associates a tunnel interface with an IPSec profile.
• name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command.

Step 12
Command: Router(config-if)# crypto engine slot slot/subslot inside
Purpose: Assigns the specified crypto engine to the inside interface.
• slot/subslot—The slot where the IPSec VPN SPA is located.

Step 13
Command: Router(config-if)# interface type slot/subslot/port
Purpose: Configures the DMVPN physical egress interface.

Step 14
Command: Router(config-if)# ip vrf forwarding front-door-vrf-name
Purpose: (Optional) Associates a VRF with an interface or subinterface. This step is required only when configuring a front door VRF (FVRF).
• front-door-vrf-name—Name assigned to the VRF. This is the same name used in Step 10.

Step 15
Command: Router(config-if)# ip address address mask
Purpose: Sets a primary or secondary IP address for an interface.
• address—IP address.
• mask—Subnet mask.

Step 16
Command: Router(config-if)# crypto engine slot slot/subslot outside
Purpose: Enables the crypto engine on the interface.
• slot/subslot—The slot where the IPSec VPN SPA is located.

Configuring the Hub for DMVPN in Crypto-Connect Mode

In crypto-connect mode, to configure the hub router for mGRE and IPSec integration (that is, to associate the tunnel with the IPSec profile configured in the previous procedure), perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# interface tunnel tunnel-number
Purpose: Configures a tunnel interface and enters interface configuration mode.
• tunnel-number—Number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.

Step 2
Command: Router(config-if)# ip address ip-address mask [secondary]
Purpose: Sets a primary or secondary IP address for the tunnel interface.
• ip-address—IP address.
• mask—Subnet mask.
• secondary—(Optional) Secondary IP address.

Step 3
Command: Router(config-if)# ip mtu bytes
Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
• bytes—MTU size in bytes.

Step 4
Command: Router(config-if)# ip nhrp authentication string
Purpose: (Optional) Configures the authentication string for an interface using the Next Hop Resolution Protocol (NHRP).
• string—Text of the authentication string. This string must be identical for all tunnels belonging to the same DMVPN.

Step 5
Command: Router(config-if)# ip nhrp map multicast dynamic
Purpose: Allows NHRP to automatically add spoke routers to the multicast NHRP mappings.

Step 6
Command: Router(config-if)# ip nhrp network-id number
Purpose: Enables NHRP on an interface.
• number—A 32-bit network identifier, unique within this chassis, from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.

Step 7
Command: Router(config-if)# tunnel source {ip-address | type number}
Purpose: Sets the source address for a tunnel interface.
• ip-address—IP address to use as the source address for packets in the tunnel.
• type number—Interface type and number (for example, VLAN 2).

Step 8
Command: Router(config-if)# tunnel mode gre multipoint
Purpose: Sets the encapsulation mode to mGRE for the tunnel interface.

Step 9
Command: Router(config-if)# tunnel protection ipsec profile name
Purpose: Associates a tunnel interface with an IPSec profile.
• name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command.

Step 10
Command: Router(config-if)# crypto engine slot slot/subslot
Purpose: Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN SPA is located.

Step 11
Command: Router(config)# interface vlan ifvlan
Purpose: Configures the DMVPN inside VLAN.

Step 12
Command: Router(config-if)# ip address address mask
Purpose: Sets a primary or secondary IP address for an interface.
• address—IP address. Enter the value specified in Step 7.
• mask—Subnet mask.

Step 13
Command: Router(config-if)# crypto engine slot slot/subslot
Purpose: Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN SPA is located.

Step 14
Command: Router(config-if)# interface type slot/subslot/port
Purpose: Configures the DMVPN physical egress interface.

Step 15
Command: Router(config-if)# no ip address
Purpose: Assigns no IP address to the interface.

Step 16
Command: Router(config-if)# crypto connect vlan ifvlan
Purpose: Connects the outside access port VLAN to the inside (crypto) interface VLAN and enters crypto-connect mode.
• ifvlan—DMVPN inside VLAN identifier.

Configuring the Spoke for DMVPN in VRF Mode

In VRF mode, to configure spoke routers for mGRE and IPSec integration, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# interface tunnel tunnel-number
Purpose: Configures a tunnel interface and enters interface configuration mode.
• tunnel-number—Number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.

Step 2
Command: Router(config-if)# ip vrf forwarding inside-vrf-name
Purpose: (Optional) Associates a VRF with an interface or subinterface. This step is required only when configuring an inside VRF.
• inside-vrf-name—Name assigned to the VRF.

Step 3
Command: Router(config-if)# ip address ip-address mask [secondary]
Purpose: Sets a primary or secondary IP address for the tunnel interface.
• ip-address—IP address.
• mask—Subnet mask.
• secondary—(Optional) Secondary IP address.

Step 4
Command: Router(config-if)# ip mtu bytes
Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
• bytes—MTU size in bytes.

Step 5
Command: Router(config-if)# ip nhrp authentication string
Purpose: Configures the authentication string for an interface using NHRP.
• string—Text of the authentication string. This string must be identical for all tunnels belonging to the same DMVPN.

Step 6
Command: Router(config-if)# ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
Purpose: Statically configures the IP-to-NonBroadcast MultiAccess (NBMA) address mapping of IP destinations connected to an NBMA network.
• hub-tunnel-ip-address—Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
• hub-physical-ip-address—Defines the static public IP address of the hub.

Step 7
Command: Router(config-if)# ip nhrp map multicast hub-physical-ip-address
Purpose: Enables the use of a dynamic routing protocol between the spoke and hub, and sends multicast packets to the hub router.
• hub-physical-ip-address—Defines the static public IP address of the hub.

Step 8
Command: Router(config-if)# ip nhrp nhs hub-tunnel-ip-address
Purpose: Configures the hub router as the NHRP next-hop server.
• hub-tunnel-ip-address—Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.

Step 9
Command: Router(config-if)# ip nhrp network-id number
Purpose: Enables NHRP on an interface.
• number—A 32-bit network identifier, unique within this chassis, from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.

Step 10
Command: Router(config-if)# tunnel source {ip-address | type number}
Purpose: Sets the source address for a tunnel interface.
• ip-address—IP address to use as the source address for packets in the tunnel.
• type number—Interface type and number; for example, VLAN 2.

Step 11
Command: Router(config-if)# tunnel mode gre multipoint
Purpose: Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke traffic.

Step 12
Command: Router(config-if)# tunnel protection ipsec profile name
Purpose: Associates a tunnel interface with an IPSec profile.
• name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command.

Step 13
Command: Router(config-if)# crypto engine slot slot/subslot inside
Purpose: Assigns the specified crypto engine to the inside interface.
• slot/subslot—The slot where the VSPA is located.

Step 14
Command: Router(config-if)# interface type slot/subslot/port
Purpose: Configures the DMVPN physical egress interface.

Step 15
Command: Router(config-if)# ip address address mask
Purpose: Sets a primary or secondary IP address for an interface.
• address—IP address.
• mask—Subnet mask.

Step 16
Command: Router(config-if)# crypto engine slot slot/subslot outside
Purpose: Enables the crypto engine on the interface.
• slot/subslot—The slot where the IPSec VPN SPA is located.

Configuring the Spoke for DMVPN in Crypto-Connect Mode

In crypto-connect mode, to configure spoke routers for mGRE and IPSec integration, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# interface tunnel tunnel-number
Purpose: Configures a tunnel interface and enters interface configuration mode.
• tunnel-number—Number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.

Step 2
Command: Router(config-if)# ip address ip-address mask [secondary]
Purpose: Sets a primary or secondary IP address for the tunnel interface.
• ip-address—IP address.
• mask—Subnet mask.
• secondary—(Optional) Secondary IP address.

Step 3
Command: Router(config-if)# ip mtu bytes
Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
• bytes—MTU size in bytes.

Step 4
Command: Router(config-if)# ip nhrp authentication string
Purpose: Configures the authentication string for an interface using NHRP.
• string—Text of the authentication string. This string must be identical for all tunnels belonging to the same DMVPN.

Step 5
Command: Router(config-if)# ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
Purpose: Statically configures the IP-to-NonBroadcast MultiAccess (NBMA) address mapping of IP destinations connected to an NBMA network.
• hub-tunnel-ip-address—Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
• hub-physical-ip-address—Defines the static public IP address of the hub.

Step 6
Command: Router(config-if)# ip nhrp map multicast hub-physical-ip-address
Purpose: Enables the use of a dynamic routing protocol between the spoke and hub, and sends multicast packets to the hub router.
• hub-physical-ip-address—Defines the static public IP address of the hub.

Step 7
Command: Router(config-if)# ip nhrp nhs hub-tunnel-ip-address
Purpose: Configures the hub router as the NHRP next-hop server.
• hub-tunnel-ip-address—Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.

Step 8
Command: Router(config-if)# ip nhrp network-id number
Purpose: Enables NHRP on an interface.
• number—A 32-bit network identifier, unique within this chassis, from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.

Step 9
Command: Router(config-if)# tunnel source {ip-address | type number}
Purpose: Sets the source address for a tunnel interface.
• ip-address—IP address to use as the source address for packets in the tunnel.
• type number—Interface type and number; for example, VLAN 2.

Step 10
Command: Router(config-if)# tunnel mode gre multipoint
Purpose: Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke traffic.

Step 11
Command: Router(config-if)# tunnel protection ipsec profile name
Purpose: Associates a tunnel interface with an IPSec profile.
• name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command.

Step 12
Command: Router(config-if)# crypto engine slot slot/subslot
Purpose: Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN SPA is located.

Step 13
Command: Router(config)# interface vlan ifvlan
Purpose: Configures the DMVPN inside VLAN.

Step 14
Command: Router(config-if)# ip address address mask
Purpose: Sets a primary or secondary IP address for an interface.
• address—IP address. Enter the value specified in Step 7.
• mask—Subnet mask.

Step 15
Command: Router(config-if)# crypto engine slot slot/subslot
Purpose: Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN SPA is located.

Step 16
Command: Router(config-if)# interface type slot/subslot/port
Purpose: Configures the DMVPN physical egress interface.

Step 17
Command: Router(config-if)# no ip address
Purpose: Assigns no IP address to the interface.

Step 18
Command: Router(config-if)# crypto connect vlan ifvlan
Purpose: Connects the outside access port VLAN to the inside interface VLAN and enters crypto-connect mode.
• ifvlan—DMVPN inside VLAN identifier.

Verifying the DMVPN Configuration

To verify that your DMVPN configuration is working, use the show crypto isakmp sa, show crypto map, and show ip nhrp commands.

The show crypto isakmp sa command displays all current IKE security associations (SAs) at a peer. The following sample output is displayed after IKE negotiations have successfully completed between a hub and two spokes and between the two spokes, as shown in Figure 31-1 on page 31-2:

HUB# show crypto isakmp sa
dst             src             state          conn-id slot status
10.0.0.1        11.0.0.1        QM_IDLE          68001      ACTIVE
10.0.0.1        21.0.0.1        QM_IDLE          68002      ACTIVE

SPOKE1# show crypto isakmp sa
dst             src             state          conn-id slot status
11.0.0.1        21.0.0.1        QM_IDLE          68002      ACTIVE
21.0.0.1        11.0.0.1        QM_IDLE          68003      ACTIVE
10.0.0.1        11.0.0.1        QM_IDLE          68001      ACTIVE

SPOKE2# show crypto isakmp sa
dst             src             state          conn-id slot status
10.0.0.1        21.0.0.1        QM_IDLE          68001      ACTIVE
11.0.0.1        21.0.0.1        QM_IDLE          68003      ACTIVE
21.0.0.1        11.0.0.1        QM_IDLE          68002      ACTIVE

The show crypto map command displays the crypto map configuration. The following sample output is displayed after a crypto map has been configured:

HUB# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        Profile name: VPN-PROF
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 11.0.0.1
        Extended IP access list
            access-list permit gre host 10.0.0.1 host 11.0.0.1
        Current peer: 11.0.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 21.0.0.1
        Extended IP access list
            access-list permit gre host 10.0.0.1 host 21.0.0.1
        Current peer: 21.0.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
        Interfaces using crypto map Tunnel0-head-0:
                Tunnel0
        using crypto engine SPA-IPSEC-2G[4/0]

SPOKE1# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        Profile name: VPN-PROF
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 10.0.0.1
        Extended IP access list
            access-list permit gre host 11.0.0.1 host 10.0.0.1
        Current peer: 10.0.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 21.0.0.1
        Extended IP access list
            access-list permit gre host 11.0.0.1 host 21.0.0.1
        Current peer: 21.0.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
        Interfaces using crypto map Tunnel0-head-0:
                Tunnel0
        using crypto engine SPA-IPSEC-2G[4/0]

SPOKE2# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        Profile name: VPN-PROF
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 10.0.0.1
        Extended IP access list
            access-list permit gre host 21.0.0.1 host 10.0.0.1
        Current peer: 10.0.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 11.0.0.1
        Extended IP access list
            access-list permit gre host 21.0.0.1 host 11.0.0.1
        Current peer: 11.0.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ts,
        }
        Interfaces using crypto map Tunnel0-head-0:
                Tunnel0
        using crypto engine SPA-IPSEC-2G[4/0]

The show ip nhrp command displays the NHRP cache. The following sample output shows that NHRP registration occurred.
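Reading these tables by eye is fine for a hub with two spokes and impractical for a large DMVPN. The following is an added example and not part of the Cisco guide: a stand-alone Python 3 script that parses show crypto isakmp sa and show ip nhrp output in the format shown in this section and compares it with the expected topology of Figure 31-1 (hub NBMA address 10.0.0.1, spokes 11.0.0.1 and 21.0.0.1 with tunnel addresses 30.1.0.1 and 30.2.0.1). The sample output embedded in the script is constructed for the example; it adds an assumed third spoke (tunnel 30.3.0.1, NBMA 31.0.0.1) whose IKE negotiation never completed and an IKE SA from an address that is not a configured spoke, so that the checks have something to report. The function names, the EXPECTED_SPOKES table and the state names used as "healthy" (QM_IDLE, ACTIVE) are the example's own choices.

```python
"""Machine-check DMVPN state from 'show crypto isakmp sa' and 'show ip nhrp' output.
Added example, not Cisco code: parses the two outputs in the format shown in this
section and compares them with the expected hub-and-spoke topology."""
from __future__ import annotations

import re
from typing import NamedTuple

# Expected topology from Figure 31-1: spoke tunnel address -> NBMA (public) address.
# The third spoke (30.3.0.1 / 31.0.0.1) is an assumption added for the example.
HUB_NBMA = "10.0.0.1"
HUB_TUNNEL_IP = "30.0.0.1"
EXPECTED_SPOKES = {"30.1.0.1": "11.0.0.1", "30.2.0.1": "21.0.0.1", "30.3.0.1": "31.0.0.1"}

# Constructed hub-side output in the format of the show commands: spoke 31.0.0.1 is
# stuck in IKE main mode, and 99.0.0.9 completed IKE but is not a configured spoke.
HUB_ISAKMP = """\
dst             src             state          conn-id slot status
10.0.0.1        11.0.0.1        QM_IDLE          68001      ACTIVE
10.0.0.1        21.0.0.1        QM_IDLE          68002      ACTIVE
10.0.0.1        31.0.0.1        MM_NO_STATE      68003      ACTIVE (deleted)
10.0.0.1        99.0.0.9        QM_IDLE          68004      ACTIVE
"""
HUB_NHRP = """\
30.1.0.1/32 via 30.1.0.1, Tunnel0 created 00:18:13, expire 01:41:46
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 11.0.0.1
30.2.0.1/32 via 30.2.0.1, Tunnel0 created 00:11:55, expire 01:48:04
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 21.0.0.1
"""
# Constructed spoke-side cache: the static hub entry that ip nhrp map creates.
SPOKE1_NHRP = """\
30.0.0.1/32 via 30.0.0.1, Tunnel0 created 00:23:39, never expire
  Type: static, Flags: authoritative used
  NBMA address: 10.0.0.1
"""

IsakmpSa = NamedTuple("IsakmpSa", [("dst", str), ("src", str), ("state", str), ("conn_id", int), ("status", str)])
NhrpEntry = NamedTuple("NhrpEntry", [("prefix", str), ("entry_type", str), ("flags", set), ("nbma", str)])

# ISAKMP rows: dst src state conn-id [slot] status. The slot column may be blank and
# the status may carry a trailing "(deleted)"; the header row has no numeric conn-id.
ISAKMP_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(?:\d+\s+)?(\S.*?)\s*$")
# NHRP cache records are three lines: prefix/next hop, Type/Flags, NBMA address.
NHRP_RE = re.compile(
    r"^(?P<prefix>\S+/\d+) via \S+, \S+ created \S+, (?:expire \S+|never expire)\s*\n"
    r"\s*Type: (?P<type>\w+), Flags:(?P<flags>[^\n]*)\n"
    r"\s*NBMA address: (?P<nbma>\S+)",
    re.MULTILINE,
)


def parse_isakmp(text: str) -> list[IsakmpSa]:
    rows = [ISAKMP_RE.match(line.strip()) for line in text.splitlines()]
    return [IsakmpSa(*m.groups()[:3], int(m.group(4)), m.group(5)) for m in rows if m]


def parse_nhrp(text: str) -> list[NhrpEntry]:
    return [NhrpEntry(m["prefix"], m["type"], set(m["flags"].split()), m["nbma"])
            for m in NHRP_RE.finditer(text)]


def check_hub(isakmp_text: str, nhrp_text: str, hub_nbma: str, spokes: dict[str, str]) -> list[str]:
    """Findings for the hub; empty means every expected spoke has an established IKE SA
    and a registered NHRP entry, and no IKE SA exists with an unconfigured address."""
    findings = []
    # Key each SA by the far end: the hub may appear as dst or as src.
    sa_by_peer = {(sa.src if sa.dst == hub_nbma else sa.dst): sa for sa in parse_isakmp(isakmp_text)}
    nhrp_by_prefix = {e.prefix: e for e in parse_nhrp(nhrp_text)}
    for tunnel_ip, nbma in spokes.items():
        sa = sa_by_peer.get(nbma)
        if sa is None:
            findings.append(f"{nbma}: no IKE SA")
        elif sa.state != "QM_IDLE" or sa.status != "ACTIVE":
            findings.append(f"{nbma}: IKE SA not established ({sa.state}, {sa.status})")
        entry = nhrp_by_prefix.get(f"{tunnel_ip}/32")
        if entry is None:
            findings.append(f"{tunnel_ip}: no NHRP registration")
        elif entry.entry_type != "dynamic" or "registered" not in entry.flags:
            findings.append(f"{tunnel_ip}: NHRP entry is not a spoke registration")
        elif entry.nbma != nbma:
            findings.append(f"{tunnel_ip}: registered from {entry.nbma}, expected {nbma}")
    findings += [f"{p}: IKE SA with a peer that is not a configured spoke"
                 for p in sa_by_peer if p not in spokes.values()]
    return findings


def check_spoke(nhrp_text: str, hub_tunnel_ip: str, hub_nbma: str) -> list[str]:
    """A spoke must hold a static mapping for the hub (from ip nhrp map / ip nhrp nhs)."""
    for e in parse_nhrp(nhrp_text):
        if e.prefix == f"{hub_tunnel_ip}/32":
            if e.entry_type != "static":
                return [f"{hub_tunnel_ip}: hub mapping is {e.entry_type}, expected static"]
            if e.nbma != hub_nbma:
                return [f"{hub_tunnel_ip}: hub NBMA address is {e.nbma}, expected {hub_nbma}"]
            return []
    return [f"{hub_tunnel_ip}: no NHRP mapping for the hub"]


if __name__ == "__main__":
    print("HUB:", check_hub(HUB_ISAKMP, HUB_NHRP, HUB_NBMA, EXPECTED_SPOKES) or "all spokes up")
    print("SPOKE1:", check_spoke(SPOKE1_NHRP, HUB_TUNNEL_IP, HUB_NBMA) or "hub mapping present")
```

An empty list from check_hub means every configured spoke has an established IKE SA and a dynamic, registered NHRP entry whose NBMA address matches the expected one; check_spoke confirms the static hub mapping that Steps 6 through 8 of the spoke procedures create, which is the static-versus-dynamic distinction visible in the show ip nhrp output. The unexpected-peer check is worth keeping whenever the ISAKMP key is defined for address 0.0.0.0 0.0.0.0, as in the configuration examples later in this chapter: any peer that completes IKE with that key appears in the table, whether or not it is a spoke you configured.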
Note that NHRP between the hub and a spoke is static, while NHRP between spokes is dynamic:

HUB# show ip nhrp
30.1.0.1/32 via 30.1.0.1, Tunnel0 created 00:18:13, expire 01:41:46
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 11.0.0.1
30.2.0.1/32 via 30.2.0.1, Tunnel0 created 00:11:55, expire 01:48:04
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 21.0.0.1

SPOKE1# show ip nhrp
30.0.0.1/32 via 30.0.0.1, Tunnel0 created 00:23:39, never expire
  Type: static, Flags: authoritative used
  NBMA address: 10.0.0.1
30.2.0.1/32 via 30.2.0.1, Tunnel0 created 00:04:27, expire 01:47:59
  Type: dynamic, Flags: router
  NBMA address: 21.0.0.1

SPOKE2# show ip nhrp
30.0.0.1/32 via 30.0.0.1, Tunnel0 created 00:12:02, never expire
  Type: static, Flags: authoritative used
  NBMA address: 10.0.0.1
30.1.0.1/32 via 30.1.0.1, Tunnel0 created 00:04:29, expire 01:41:40
  Type: dynamic, Flags: router
  NBMA address: 11.0.0.1

For DMVPN configuration examples, see the “DMVPN Configuration Examples” section on page 31-18.

Configuring the Easy VPN Server

The Easy VPN server provides server support for the Cisco VPN Client Release 4.x and later software clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec policies are pushed to the client by the server, minimizing configuration by the end user.
Easy VPN Server features include:
• Mode configuration and Xauth support
• User-based policy control
• Session monitoring for VPN group access
• RADIUS server support
• backup-gateway command
• pfs command
• Virtual IPSec interface support
• Banner, auto-update, and browser proxy
• Configuration management enhancements (pushing a configuration URL through a mode-configuration exchange)
• Per-user AAA policy download with PKI
• Syslog message enhancements
• Network admission control support

Easy VPN Server Configuration Guidelines and Restrictions

When configuring the Easy VPN server, follow these guidelines and restrictions:
• The following IPSec protocol options and attributes currently are not supported by Cisco VPN clients, so these options and attributes should not be configured on the router for these clients:
– Authentication with public key encryption
– Digital Signature Standard (DSS)
– Diffie-Hellman (DH) group 1
– IPSec Protocol Identifier (IPSEC_AH)
– IPSec Protocol Mode (Transport mode)
– Manual keys
– Perfect Forward Secrecy (PFS)
• Enhanced Easy VPN, which uses Dynamic Virtual Tunnel Interfaces (DVTI) instead of dynamic crypto maps, is not supported.

For complete configuration information about the Easy VPN Server feature and the enhancements, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html

Configuring the Easy VPN Remote

The Easy VPN remote feature allows Cisco routers and security appliances to establish a site-to-site VPN connection to a Cisco Easy VPN Server without complex remote-side configuration. Centrally managed IPSec policies are pushed to the client by the server, minimizing configuration by the end user.
Easy VPN Remote features include the following:
• Virtual IPSec interface support
• Banner, auto-update, and browser proxy
• Dual tunnel support
• Configuration management enhancements (pushing a configuration URL through a mode-configuration exchange)
• Reactivate primary peer

Easy VPN Remote Configuration Guidelines

Follow these guidelines when configuring Easy VPN for the IPSec VPN SPA:

Caution: You must clear all other crypto configurations from your running configuration on the Cisco IOS-based Easy VPN client that you are using to connect to the IPSec VPN SPA. If an ISAKMP policy is configured, it takes precedence over the preinstalled Easy VPN ISAKMP policies and the connection will fail. Other clients such as the VPN3000 and PIX systems running Easy VPN will prevent you from configuring Easy VPN unless all crypto configurations are removed.

For complete configuration information for Easy VPN client support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftezvpnr.html

For an Easy VPN server configuration example, see the “Easy VPN Server (Router Side) Configuration Example” section on page 31-22.

Configuring Easy VPN Remote RSA Signature Storage

The Easy VPN remote RSA signature support feature provides support for Rivest, Shamir, and Adleman (RSA) signatures on Easy VPN remote devices. The support is provided through RSA certificates that can be stored on or off the remote device.

Note: The Easy VPN remote RSA signature support feature is supported in Cisco IOS Release 12.2(33)SRA and later releases.
Easy VPN Remote RSA Signature Support Configuration Guidelines and Restrictions

When configuring Easy VPN remote RSA signature support, follow these guidelines and restrictions:
• You must have a Cisco Virtual Private Network (VPN) remote device and be familiar with configuring the device.
• You must have a certificate authority (CA) available to your network before you configure this interoperability feature. The CA must support the public key infrastructure (PKI) protocol of Cisco Systems, which is the Simple Certificate Enrollment Protocol (SCEP) (formerly called Certificate Enrollment Protocol [CEP]).
• This feature should be configured only when you also configure both IPSec and Internet Key Exchange (IKE) in your network.
• The Cisco IOS software does not support CA server public keys greater than 2048 bits.

Configuring Easy VPN Remote RSA Signature Support

The RSA signatures for an Easy VPN remote device are configured the same way that you would configure RSA signatures for any other Cisco device. For information about configuring RSA signatures, refer to the Cisco IOS Security Configuration Guide.

To enable the RSA signatures, when you are configuring the Easy VPN remote and assigning the configuration to the outgoing interface, you must omit the group command. The content of the first Organizational Unit (OU) field will be used as the group.

For information about configuring Cisco Easy VPN remote devices, refer to the feature document, Easy VPN Remote RSA Signature Support, at the following location:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtevcrsa.html

Configuration Examples

This section provides examples of the following configurations:
• DMVPN Configuration Examples, page 31-18
• Easy VPN Server (Router Side) Configuration Example, page 31-22

Note: The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA.
As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your start-up configuration to avoid extended maintenance time.

DMVPN Configuration Examples

The following sections provide examples of DMVPN configuration:
• DMVPN Hub with VRF Mode Configuration Example, page 31-18
• DMVPN Spoke with VRF Mode Configuration Example, page 31-19
• DMVPN Spoke with Crypto-Connect Mode Configuration Example, page 31-21

The DMVPN examples are based on the implementation shown in Figure 31-1 on page 31-2, using the following configuration parameters:
• The hub router (HUB) is configured in VRF mode with inside VRF (IVRF) and front-door VRF (FVRF).
• One spoke router (SPOKE1) is configured in VRF mode with IVRF but no FVRF.
• One spoke router (SPOKE2) is configured in crypto-connect mode.
• EIGRP is configured to distribute routes over the tunnels.
• In all routers, interface gi3/1 is the interface to the provider network.
• In all routers, interface gi3/13 is the interface to the private LAN.

Note: The tunnel source can be the same as the physical egress port. If the tunnel source is not the physical egress port, make sure that traffic to and from the tunnel source passes through the physical egress port.

DMVPN Hub with VRF Mode Configuration Example

The following is a configuration example of the IPSec VPN SPA serving as a DMVPN hub using VRF mode with inside VRF and front-door VRF (FVRF):

hostname HUB
!
ip vrf fvrf
 rd 1000:1
!
ip vrf ivrf
 rd 1:1
!
crypto engine mode vrf
!
crypto keyring RING1 vrf fvrf
 pre-shared-key address 0.0.0.0 0.0.0.0 key abcdef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
!
crypto ipsec transform-set ts esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile VPN-PROF
 set transform-set ts
!
!
interface Tunnel0
! EIGRP uses the configured bandwidth to allocate bandwidth for its routing update mechanism
 bandwidth 1000000
 ip vrf forwarding ivrf
 ip address 30.0.0.1 255.0.0.0
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
! For a large number of tunnels, the following two commands are recommended
! EIGRP timers are adjusted to match the default timers for a WAN interface
 ip hello-interval eigrp 200 60
 ip hold-time eigrp 200 180
! The following two EIGRP commands are necessary to allow spoke-to-spoke communication
 no ip next-hop-self eigrp 200
 no ip split-horizon eigrp 200
 tunnel source Vlan10
 tunnel mode gre multipoint
 tunnel vrf fvrf
 tunnel protection ipsec profile VPN-PROF
 crypto engine slot 4/0 inside
!
interface Vlan10
 ip vrf forwarding fvrf
 ip address 10.0.0.1 255.255.255.0
 crypto engine outside
!
interface GigabitEthernet3/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
interface GigabitEthernet3/13
 description Local LAN interface
 ip vrf forwarding ivrf
 ip address 70.0.0.1 255.255.255.0
router eigrp 10
 no auto-summary
 !
 address-family ipv4 vrf ivrf
 redistribute connected
 network 30.0.0.0
 network 70.0.0.0
 no auto-summary
 autonomous-system 200
 exit-address-family
!
! In this example, tunnel destination reachability is provided by static routes
!
! A routing protocol could also be used
ip route vrf fvrf 11.0.0.0 255.0.0.0 10.0.0.2
ip route vrf fvrf 21.0.0.0 255.0.0.0 10.0.0.2
end

DMVPN Spoke with VRF Mode Configuration Example

The following is a configuration example of the IPSec VPN SPA serving as a DMVPN spoke using VRF mode with inside VRF but no front-door VRF:

hostname SPOKE1
!
ip vrf ivrf
 rd 1:1
!
crypto engine mode vrf
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key abcdef address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set ts esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile VPN-PROF
 set transform-set ts
!
interface Tunnel0
 bandwidth 100000
 ip vrf forwarding ivrf
 ip address 30.1.0.1 255.0.0.0
 ip nhrp authentication cisco123
 ip nhrp map 30.0.0.1 10.0.0.1
 ip nhrp map multicast 10.0.0.1
 ip nhrp network-id 1000
 ip nhrp nhs 30.0.0.1
 ip hello-interval eigrp 200 60
 ip hold-time eigrp 200 180
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile VPN-PROF
 crypto engine slot 4/0 inside
!
interface Loopback0
 ip address 11.0.0.1 255.255.255.0
!
interface GigabitEthernet3/1
 ip address 11.255.255.1 255.255.255.0
 crypto engine outside
!
interface GigabitEthernet3/13
 ip vrf forwarding ivrf
 ip address 80.0.0.1 255.255.255.0
router eigrp 10
 no auto-summary
 !
 address-family ipv4 vrf ivrf
 autonomous-system 200
 network 30.0.0.0
 network 70.0.0.0
 no auto-summary
 redistribute connected
 exit-address-family
ip route 10.0.0.0 255.0.0.0 11.255.255.2
ip route 21.0.0.0 255.0.0.0 11.255.255.2
end

DMVPN Spoke with Crypto-Connect Mode Configuration Example

The following is a configuration example of the IPSec VPN SPA serving as a DMVPN spoke using crypto-connect mode:

hostname SPOKE2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key abcdef address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set ts esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile VPN-PROF
 set transform-set ts
!
interface Tunnel0
 bandwidth 1000000
 ip address 30.2.0.1 255.0.0.0
 ip nhrp authentication cisco123
 ip nhrp map 30.0.0.1 10.0.0.1
 ip nhrp map multicast 10.0.0.1
 ip nhrp network-id 1000
 ip nhrp nhs 30.0.0.1
 ip hello-interval eigrp 200 60
 ip hold-time eigrp 200 180
 tunnel source Vlan10
 tunnel mode gre multipoint
 tunnel protection ipsec profile VPN-PROF
 crypto engine slot 4/0 inside
!
interface Vlan10
 ip address 21.0.0.1 255.255.255.0
 no mop enabled
 crypto engine slot 4/0 inside
!
interface GigabitEthernet3/1
 no ip address
 crypto connect vlan 10
!
interface GigabitEthernet3/13
 ip address 90.0.0.1 255.255.255.0
!
router eigrp 200
 redistribute connected
 network 30.0.0.0
 network 90.0.0.0
 no auto-summary
ip route 10.0.0.0 255.0.0.0 21.0.0.2
ip route 11.0.0.0 255.0.0.0 21.0.0.2
end

Easy VPN Server (Router Side) Configuration Example

The following is an example of an Easy VPN server router-side configuration:

!
version 12.2
!
hostname sanjose
!
logging snmp-authfail
logging buffered 1000000 debugging
aaa new-model
aaa authentication login authen local
aaa authorization network author local
!
username unity password 0 uc
ip subnet-zero
no ip source-route
!
mpls ldp logging neighbor-changes
mls flow ip destination
mls flow ipx destination
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 2
!
crypto isakmp client configuration group group1
 key 12345
 domain cisco.com
 pool pool1
!
crypto isakmp client configuration group default
 key 12345
 domain cisco.com
 pool pool2
!
crypto ipsec transform-set myset3 esp-3des esp-md5-hmac
!
crypto dynamic-map test_dyn 1
 set transform-set myset3
 reverse-route
!
! Static client mapping
crypto map testtag client authentication list authen
crypto map testtag isakmp authorization list author
crypto map testtag client configuration address respond
crypto map testtag 10 ipsec-isakmp
 set peer 10.5.1.4
 set security-association lifetime seconds 900
 set transform-set myset3
 match address 109
!
! Dynamic client mapping
crypto map test_dyn client authentication list authen
crypto map test_dyn isakmp authorization list author
crypto map test_dyn client configuration address respond
crypto map test_dyn 1 ipsec-isakmp dynamic test_dyn
!
!
no spanning-tree vlan 513
!
redundancy
 main-cpu
  auto-sync running-config
  auto-sync standard
!
interface GigabitEthernet2/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,513,1002-1005
 switchport mode trunk
!
interface GigabitEthernet2/2
 no ip address
 shutdown
!
interface GigabitEthernet6/1/1
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,513,1002-1005
 switchport mode trunk
 cdp enable
!
interface GigabitEthernet6/1/2
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 no ip address
 crypto connect vlan 513
!
interface Vlan513
 ip address 10.5.1.1 255.255.0.0
 crypto map test_dyn
 crypto engine slot 6/1 inside
!
ip local pool pool1 22.0.0.2
ip local pool pool2 23.0.0.3
ip classless
ip pim bidir-enable
!
access-list 109 permit ip host 10.5.1.1 host 22.0.0.2
arp 127.0.0.12 0000.2100.0000 ARPA
!
snmp-server enable traps tty
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
!
line con 0
line vty 0 4
 password lab
 transport input lat pad mop telnet rlogin udptn nasi
!
end

Note  The line vty settings in this example (a clear-text line password and Telnet, rlogin, and other unencrypted transports) come from a lab system. For production management access, restrict transport input to SSH and authenticate through the AAA lists already defined above.

Chapter 32
Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA

This chapter provides information about configuring duplicate hardware and IPSec failover using the IPSec VPN SPA on the Cisco 7600 series router.
It includes the following sections:
• Overview of Duplicate Hardware Configurations and IPSec Failover, page 32-2
• Configuring IPSec Failover, page 32-4
• Verifying HSRP Configurations, page 32-18
• Configuring Intrachassis IPSec Stateful Failover Using a Blade Failure Group, page 32-22
• Configuration Examples, page 32-24

For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.

For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the Cisco IOS Security Configuration Guide, Release 12.2 and Cisco IOS Security Command Reference, Release 12.2.

For more information about the commands used in this chapter, see the Cisco 7600 Series Router Command Reference, 12.2SR publication. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information about accessing these publications, see the “Related Documentation” section on page xlvii.

Tip  To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.

Overview of Duplicate Hardware Configurations and IPSec Failover

For critical VPN communications, you can deploy redundant VPN hardware and configure your system for failover in case of hardware failure.
The following topics provide information about configuring for IPSec failover using the IPSec VPN SPA:
• Configuring Multiple IPSec VPN SPAs in a Chassis, page 32-2
• Understanding Stateless Failover Using HSRP, page 32-3
• Understanding Stateful Failover Using HSRP and SSP, page 32-3

Configuring Multiple IPSec VPN SPAs in a Chassis

You can deploy up to ten IPSec VPN SPAs in a single chassis, with the restriction that no more than one IPSec VPN SPA can be used to perform IPSec services for any given interface VLAN.

Multiple IPSec VPN SPAs in a Chassis Configuration Guidelines

When configuring multiple IPSec VPN SPAs in a chassis, follow these guidelines:
• If you enter the no switchport command followed by the switchport command, all VLANs are re-added to the trunk port (this happens when you first change a port to a routed port and then back to a switch port). For detailed information on configuring trunk ports, see the “Configuring a Trunk Port” section on page 25-15.
• As with single IPSec VPN SPA deployments, you must properly configure each IPSec VPN SPA’s inside and outside port. You can add an interface VLAN only to the inside port of one IPSec VPN SPA. Do not add the same interface VLAN to the inside port of more than one IPSec VPN SPA. Assigning interface VLANs to the inside ports of the IPSec VPN SPAs determines which IPSec VPN SPA provides IPSec services for a particular interface VLAN.

Note  You do not need to explicitly add interface VLANs to the inside trunk ports of the IPSec VPN SPAs. Entering the crypto engine slot command achieves the same result.

Note  There is no support for using more than one IPSec VPN SPA to do IPSec processing for a single interface VLAN.

• SA-based load balancing is not supported.
• If you assign the same crypto map to multiple interfaces, you must use the crypto map local-address command, and all of those interfaces must be assigned to the same crypto engine.
For a configuration example of multiple IPSec VPN SPAs in a chassis, see the “Multiple IPSec VPN SPAs in a Chassis Configuration Example” section on page 32-24.

Understanding Stateless Failover Using HSRP

The IPSec failover (VPN high availability) feature allows you to employ a secondary (standby) router that automatically takes over the primary (active) router’s tasks in the event of an active router failure. IPSec failover, stateless or stateful, is designed to work in conjunction with the Hot Standby Router Protocol (HSRP) and Reverse Route Injection (RRI).

HSRP is used between the active and standby router in either stateless or stateful mode, tracking the state of router interfaces and providing a failover mechanism between primary and secondary devices. An HSRP group shares a single virtual IP address as its crypto peer address so that the remote crypto peer requires no reconfiguration after a failover. The configured HSRP timers determine the time that it takes for the standby router to take over.

RRI uses information derived from the negotiated IPSec SAs to create static routes to the networks identified in those SAs. During an HSRP and IPSec failover, RRI allows dynamic routing information updates.

In an IPSec stateless failover, the HSRP group’s virtual IP address transfers over to the standby router, but no IPSec or ISAKMP SA state information is transferred to the standby router. The remote crypto peer detects the failure using Dead Peer Detection (DPD) or a keepalive mechanism, then communicates with the standby router at the HSRP group address to renegotiate the dropped ISAKMP SAs and IPSec SAs before traffic transmission can resume. Until DPD or the keepalive declares the old SAs dead, encrypted traffic arriving at the virtual IP address is dropped, so the remote peer’s DPD timers, not only the HSRP timers, bound the outage.
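The following Python script is an added example; it is not part of this guide and not Cisco code. It parses the crypto-connect-mode statements this chapter uses from two constructed configurations (the hostnames, addresses, VLAN numbers, slot numbers, and group names are invented) and reports violations of the rules stated above and in the stateful failover guidelines later in this chapter: one IPSec VPN SPA per interface VLAN, and crypto map local-address plus a single crypto engine when one crypto map serves several interfaces; a crypto map redundancy name that matches a standby name on the interface; a hello timer of about a third of the hold timer; standby preempt with no priority or delay options; standby delay minimum of 30 seconds or more with a larger reload value; no standby use-bia; and, across the two chassis, the same slot for the same interface VLAN and the same virtual IP address and group name.

```python
"""Added example (not from the Cisco guide): check an HSRP/IPSec failover pair
against the rules in this chapter. Both configurations below are constructed."""
import re
from collections import defaultdict

ACTIVE_CFG = """\
hostname vpn-a
interface Vlan100
 standby delay minimum 30 reload 60
 standby 1 ip 10.1.1.1
 standby 1 timers 1 3
 standby 1 preempt
 standby 1 name VPNHA
 crypto map VPNMAP redundancy VPNHA
 crypto engine slot 2/0 inside
"""
STANDBY_CFG = """\
hostname vpn-b
interface Vlan100
 standby 1 ip 10.1.1.1
 standby 1 timers 1 10
 standby 1 preempt delay minimum 30
 standby 1 use-bia
 standby 1 name VPNHA
 crypto map VPNMAP redundancy VPNHA
 crypto engine slot 3/0 inside
interface Vlan101
 standby delay minimum 30 reload 60
 standby 2 ip 10.1.2.1
 standby 2 timers msec 500 msec 1500
 standby 2 preempt
 standby 2 name VPNHA2
 crypto map VPNMAP redundancy OTHER
 crypto engine slot 2/0 inside
"""
STANDBY_RE = re.compile(r"^standby (\d+) (\S+)(?: (.*))?$")

def parse_config(text):
    """Parse only the IOS lines the checks need into a plain dict."""
    cfg, cur = {"hostname": None, "local_address": set(), "interfaces": {}}, None
    for raw in text.splitlines():
        p = raw.split()
        if not p or raw[0] != " ":                        # a global command ends any block
            cur = None
            if p[:1] == ["hostname"]:
                cfg["hostname"] = p[1]
            elif p[:1] == ["interface"]:
                cur = cfg["interfaces"].setdefault(p[1], {"engine": None, "crypto_map": None,
                      "redundancy": None, "groups": defaultdict(dict), "delay": None})
            elif p[:2] == ["crypto", "map"] and "local-address" in p:
                cfg["local_address"].add(p[2])
        elif cur is None:                                 # sub-command of a block not modelled
            continue
        elif p[:3] == ["crypto", "engine", "slot"]:
            cur["engine"] = p[3]
        elif p[:2] == ["crypto", "map"]:
            cur["crypto_map"] = p[2]
            cur["redundancy"] = p[p.index("redundancy") + 1] if "redundancy" in p else None
        elif p[:2] == ["standby", "delay"]:
            cur["delay"] = {k: int(p[p.index(k) + 1]) if k in p else 0 for k in ("minimum", "reload")}
        elif (m := STANDBY_RE.match(raw.strip())):
            g, kw, rest = cur["groups"][m.group(1)], m.group(2), m.group(3) or ""
            if kw == "timers":                            # [msec] hello [msec] hold -> seconds
                t = rest.split()
                g["timers"] = tuple(float(v) / (1000 if i and t[i - 1] == "msec" else 1)
                                    for i, v in enumerate(t) if v != "msec")
            elif kw == "preempt":
                g["preempt"] = rest                       # "" when bare, as the guide requires
            elif kw == "use-bia":
                g["use_bia"] = True
            elif kw in ("ip", "name", "priority"):
                g[kw] = rest
    return cfg

def check_chassis(cfg):
    """Single-chassis rules from this chapter; returns one string per violation."""
    host, out, users = cfg["hostname"], [], defaultdict(list)
    for ifname, itf in cfg["interfaces"].items():
        where = f"{host} {ifname}"
        if itf["crypto_map"]:
            users[itf["crypto_map"]].append(ifname)
            if itf["redundancy"] not in {g.get("name") for g in itf["groups"].values()}:
                out.append(f"{where}: redundancy name {itf['redundancy']} matches no standby name")
        for gid, g in itf["groups"].items():
            gw, (hello, hold) = f"{where} standby {gid}", g.get("timers", (3.0, 10.0))
            if hold <= hello:
                out.append(f"{gw}: hold {hold:g}s must exceed hello {hello:g}s")
            elif not 2.5 <= hold / hello <= 3.5:
                out.append(f"{gw}: hello {hello:g}s is not about a third of hold {hold:g}s")
            if "preempt" not in g:
                out.append(f"{gw}: standby preempt is required")
            elif g["preempt"] or "priority" in g:
                out.append(f"{gw}: preempt must carry no priority or delay options")
            if g.get("use_bia"):
                out.append(f"{gw}: standby use-bia is unsupported; keep the virtual HSRP MAC")
        d = itf["delay"]
        if itf["groups"] and (d is None or d["minimum"] < 30 or d["reload"] <= d["minimum"]):
            out.append(f"{where}: set standby delay minimum >= 30 and reload > minimum")
    for name, ifs in users.items():                       # one crypto map on several interfaces
        if len(ifs) > 1 and name not in cfg["local_address"]:
            out.append(f"{host}: crypto map {name} on {ifs} needs crypto map local-address")
        if len({cfg["interfaces"][i]["engine"] for i in ifs}) > 1:
            out.append(f"{host}: crypto map {name} spans more than one crypto engine")
    return out

def check_pair(a, b):
    """Cross-chassis rules: same slot per VLAN, same virtual IP and group name."""
    out = []
    for ifname in sorted(set(a["interfaces"]) | set(b["interfaces"])):
        ia, ib = a["interfaces"].get(ifname), b["interfaces"].get(ifname)
        if ia is None or ib is None:
            out.append(f"{ifname}: configured on only one chassis")
            continue
        if ia["engine"] != ib["engine"]:
            out.append(f"{ifname}: crypto engine slot differs ({ia['engine']} vs {ib['engine']})")
        for gid in sorted(set(ia["groups"]) | set(ib["groups"])):
            ga, gb = ia["groups"].get(gid, {}), ib["groups"].get(gid, {})
            for k in ("ip", "name"):
                if ga.get(k) != gb.get(k):
                    out.append(f"{ifname} standby {gid}: {k} differs ({ga.get(k)} vs {gb.get(k)})")
    return out

if __name__ == "__main__":
    a, b = parse_config(ACTIVE_CFG), parse_config(STANDBY_CFG)
    print("\n".join(check_chassis(a) + check_chassis(b) + check_pair(a, b)) or "no findings")
```

Run it against the running configurations of both chassis before cutting over: the active configuration above passes, while the standby one reports the mismatched slot, the lagging hold timer, the preempt delay, use-bia, the missing standby delay, the redundancy name that matches no standby name, and the crypto map that spans two engines without a local-address.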
When used together, HSRP and RRI provide a reliable network design for VPNs and reduce configuration complexity on remote peers.

Understanding Stateful Failover Using HSRP and SSP

Note  Support for IPSec stateful failover using HSRP and SSP is removed in Cisco IOS Release 12.2(33)SRA and later releases. The feature is supported in Release 12.2SXF.

IPSec stateful failover enables a router to continue processing and forwarding IPSec packets after a planned or unplanned outage. The failover process is transparent to users and to remote IPSec peers. As with IPSec stateless failover, IPSec stateful failover is designed to work with HSRP and RRI, but IPSec stateful failover also uses the State Synchronization Protocol (SSP). During an HSRP and IPSec failover, SSP transfers IPSec and ISAKMP SA state information between the active and standby routers, allowing existing VPN connections to be maintained after a router failover.

IPSec Stateful Failover Configuration Guidelines and Restrictions

When configuring IPSec stateful failover, follow these guidelines and restrictions:
• When configuring IPSec stateful failover with the IPSec VPN SPA, all IPSec VPN SPA configuration rules apply. You must apply crypto maps to interface VLANs.
• When configuring IPSec stateful failover with an IPSec VPN SPA in two chassis, the hardware configurations of both chassis must be exactly the same. For example, if in one chassis the IPSec VPN SPA in slot 2 protects interface VLAN 100 and the IPSec VPN SPA in slot 3 protects interface VLAN 101, the second chassis must have exactly the same slot-to-VLAN assignment. An example of a misconfiguration would be using the IPSec VPN SPA in slot 3 of the second chassis to protect interface VLAN 100.
• Do not add nonexistent or inadequately configured HSRP standby groups to the State Synchronization Protocol (SSP) configuration, because doing so disables high-availability features until the configuration is corrected.
• The recommended HSRP timer values are one second for hello timers and three seconds for hold timers. These values should prevent an undesirable failover caused by temporary network congestion or transient high CPU loads. You can adjust these timer values upward if you are running high loads or have a large number of HSRP groups; raising them as needed improves tolerance of temporary failures and load-related instability. The hello timer value should be approximately a third of the hold timer value.
• Use the HSRP delay timers to allow a device to finish booting, initializing, and synchronizing before participating as a high-availability pair. Set the minimum delay at 30 seconds or more to help prevent active/standby flapping, and set the reload delay to a value greater than the minimum. Choose the delay timers to reflect the complexity and size of a particular configuration on the hardware in use; suitable values vary from platform to platform.
• Sequence number updates from active to standby have a 20-second minimum interval per SA.
• The standby preempt command is required, and should be configured with no priority or delay options.
• To allow dynamic routing information updates during the HSRP and IPSec failover, enable the Reverse Route Injection (RRI) feature using the reverse-route command.
• To verify that all processes are running properly after enabling both HSRP and IPSec stateful failover, use the show ssp, show standby, show crypto ipsec sa, and show crypto isakmp sa commands.
• The following features are not supported with IPSec stateful failover:
  – The standby use-bia command—Always use a virtual HSRP MAC address for the router’s MAC address.
  – Easy VPN clients or IKE keepalives—IPSec stateful failover can be used with peers when DPD is used.
  – DMVPN or tunnel protection.
  – Secured WAN ports (for example, IPSec over FlexWAN or SIP module port adapters)—This restriction is due to limitations of HSRP.

Configuring IPSec Failover

The following sections describe how to configure IPSec stateless and stateful failover in crypto-connect and VRF modes:
• Configuring IPSec Stateless Failover Using HSRP with Crypto-Connect Mode, page 32-5
• Configuring IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode, page 32-11
• Configuring IPSec Stateless and Stateful Failover with VRF Mode, page 32-18

Configuring IPSec Stateless Failover Using HSRP with Crypto-Connect Mode

To configure IPSec stateless failover using HSRP in crypto-connect mode, perform this task beginning in global configuration mode:

Step 1
  Command: Router(config)# crypto isakmp policy priority
           ...
           Router(config-isakmp)# exit
  Purpose: Defines an ISAKMP policy and enters ISAKMP policy configuration mode.
    • priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
    For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 2
  Command: Router(config)# crypto isakmp key keystring address peer-address
  Purpose: Configures a preshared authentication key.
    • keystring—Preshared key.
    • peer-address—IP address of the remote peer.
    For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.
Step 3
  Command: Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
           ...
           Router(config-crypto-tran)# exit
  Purpose: Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.
    • transform-set-name—Name of the transform set.
    • transform1 [transform2 [transform3]]—Defines the IPSec security protocols and algorithms.
    For accepted transform values and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 4
  Command: Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard
  Purpose: Defines an extended IP access list.
    • access-list-number—Number of the access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
    • {deny | permit}—Denies or permits access if the conditions are met.
    • source—Address of the host from which the packet is being sent.
    • source-wildcard—Wildcard bits to be applied to the source address.
    • destination—Address of the host to which the packet is being sent.
    • destination-wildcard—Wildcard bits to be applied to the destination address.
    For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 5
  Command: Router(config)# crypto dynamic-map dynamic-map-name seq-number
           ...
           Router(config-crypto-map)# exit
  Purpose: Creates or modifies a dynamic crypto map template and enters crypto map configuration mode. A dynamic crypto map always uses IKE to establish its IPSec security associations; the ipsec-isakmp keyword belongs to the crypto map entry in Step 6, as the configuration examples in this guide show.
    • dynamic-map-name—Name that identifies the dynamic crypto map template.
    • seq-number—Sequence number you assign to the dynamic crypto map entry. Lower values have higher priority.
    For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 6
  Command: Router(config)# crypto map map-name seq-number ipsec-isakmp dynamic dynamic-map-name
  Purpose: Creates a crypto map entry and binds it to the dynamic crypto map template.
    • map-name—Name that identifies the crypto map set.
    • seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.
    • ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.
    • dynamic-map-name—Name that identifies the dynamic crypto map template.

Step 7
  Command: Router(config)# interface gigabitethernet slot/subslot/port
  Purpose: Enters interface configuration mode for the LAN-side Gigabit Ethernet interface.

Step 8
  Command: Router(config-if)# ip address address mask
  Purpose: Specifies the IP address and subnet mask for the interface.
    • address—IP address.
    • mask—Subnet mask.

Step 9
  Command: Router(config-if)# standby [group-number] ip ip-address
  Purpose: Enables HSRP on the interface.
    • group-number—(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.
    • ip-address—(Optional) Virtual IP address of the HSRP standby group.

Step 10
  Command: Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime
  Purpose: Configures the time between hello packets and the hold time before other routers declare the active router to be down.
    • group-number—(Optional) Group number to which the timers apply.
    • msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.
    • hellotime—Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hellotime is in milliseconds. This is an integer from 15 to 999.
    • holdtime—Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255, where the lower bound x depends on the configured hello time (the hold time must be greater than the hello time). The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000, where y likewise depends on the hello time.

Step 11
  Command: Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] seconds]
  Purpose: Sets the standby priority used in choosing the active router, and specifies that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router.
    • group-number—(Optional) Group number to which the priority applies.
    • priority—(Optional) The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority.
    • delay—(Optional) Specifies a preemption delay, after which the Hot Standby router preempts and becomes the active router.
    • minimum—(Optional) Specifies the minimum delay period in seconds.
    • sync—(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds.
    • seconds—(Optional) Causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

Step 12
  Command: Router(config-if)# standby [group-number] track type number [interface-priority]
  Purpose: Configures the interface to track other interfaces, so that if one of the tracked interfaces goes down, the device’s Hot Standby priority is lowered.
    • group-number—(Optional) Group number on the interface for which HSRP is being activated.
    • type—Interface type (combined with interface number) that will be tracked.
    • number—Interface number (combined with interface type) that will be tracked.
    • interface-priority—(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). Range is from 0 to 255. Default is 10.

Step 13
  Command: Router(config-if)# standby [group-number] name name
  Purpose: Configures the standby group name for the interface.
    • group-number—(Optional) Group number to which the name is being applied.
    • name—Name of the HSRP standby group.

Step 14
  Command: Router(config-if)# interface vlan vlan_ID
  Purpose: Enters interface configuration mode for the specified crypto interface VLAN.

Step 15
  Command: Router(config-if)# ip address address mask
  Purpose: Specifies the IP address and subnet mask for the interface.
    • address—IP address.
    • mask—Subnet mask.

Step 16
  Command: Router(config-if)# standby [group-number] ip ip-address
  Purpose: Enables HSRP on the interface VLAN.
    • group-number—(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.
    • ip-address—(Optional) Virtual IP address of the HSRP standby group.

Step 17
  Command: Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime
  Purpose: Configures the time between hello packets and the hold time before other routers declare the active router to be down.
    • group-number—(Optional) Group number to which the timers apply.
    • msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.
    • hellotime—Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hellotime is in milliseconds. This is an integer from 15 to 999.
    • holdtime—Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255, where the lower bound x depends on the configured hello time (the hold time must be greater than the hello time). The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000, where y likewise depends on the hello time.

Step 18
  Command: Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] seconds]
  Purpose: Sets the standby priority used in choosing the active router, and specifies that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router.
    • group-number—(Optional) Group number to which the priority applies.
    • priority—(Optional) The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority.
    • delay—(Optional) Specifies a preemption delay, after which the hot standby router preempts and becomes the active router.
    • minimum—(Optional) Specifies the minimum delay period in seconds.
    • sync—(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds.
    • seconds—(Optional) Causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

Step 19
  Command: Router(config-if)# standby [group-number] track type number [interface-priority]
  Purpose: Configures the interface to track other interfaces, so that if one of the tracked interfaces goes down, the device’s hot standby priority is lowered.
    • group-number—(Optional) Group number on the interface for which HSRP is being activated.
    • type—Interface type (combined with interface number) that will be tracked.
    • number—Interface number (combined with interface type) that will be tracked.
    • interface-priority—(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). Range is from 0 to 255. Default is 10.

Step 20
  Command: Router(config-if)# standby [group-number] name name
  Purpose: Configures the standby group name for the interface.
    • group-number—(Optional) Group number to which the name is being applied.
    • name—Name of the HSRP standby group.

Step 21
  Command: Router(config-if)# crypto map map-name redundancy name
  Purpose: Defines a backup IPSec peer. Both routers in the standby group are identified by the redundancy standby name and share the same virtual IP address, which the remote peer uses as its crypto peer address.
    • map-name—Name of the crypto map set.
    • name—Name of the HSRP standby group configured with the standby name command in Step 20.

Step 22
  Command: Router(config-if)# crypto engine slot slot/subslot inside
  Purpose: Assigns the crypto engine to the inside interface VLAN.
    • slot/subslot—The slot and subslot where the IPSec VPN SPA is located.

Step 23
  Command: Router(config-if)# interface gigabitethernet slot/subslot/port
  Purpose: Enters interface configuration mode for the outside Gigabit Ethernet interface.

Step 24
  Command: Router(config-if)# crypto connect vlan vlan_ID
  Purpose: Connects the outside access port to the inside interface VLAN and enters crypto-connect mode.
    • vlan_ID—Interface VLAN identifier.

For examples of IPSec stateless failover configurations using HSRP, see the “IPSec Stateless Failover Using HSRP with Crypto-Connect Mode Configuration Examples” section on page 32-27.

Configuring IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode

The configuration of IPSec stateful failover using HSRP is very similar to the configuration of IPSec stateless failover using HSRP, with the addition of the SSP-related commands.

To configure IPSec stateful failover using HSRP and SSP, perform this task beginning in global configuration mode:

Step 1
  Command: Router(config)# ssp group group
  Purpose: Specifies the channel used to communicate high availability (HA) information and enters SSP configuration mode.
    • group—Integer between 1 and 100.

Step 2
  Command: Router(config-ssp)# redundancy name
  Purpose: Identifies the HSRP group.
    • name—Valid IP redundancy (HSRP standby group) name.

Step 3
  Command: Router(config-ssp)# remote ipaddr
  Purpose: Identifies the peer that will receive the high availability transmissions.
    • ipaddr—IP address of the other router in the HA pair.

Step 4
  Command: Router(config)# crypto isakmp policy priority
           ...
           Router(config-isakmp)# exit
  Purpose: Defines an ISAKMP policy and enters ISAKMP policy configuration mode.
    • priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
    For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 5
  Command: Router(config)# crypto isakmp key keystring address peer-address
  Purpose: Configures a preshared authentication key.
    • keystring—Preshared key.
    • peer-address—IP address of the remote peer.
    For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 6
  Command: Router(config)# crypto isakmp ssp id
  Purpose: Enables ISAKMP state to be transferred over the SSP channel identified by id. If this feature is disabled, all dormant SA entries bound to that ID on the standby router are removed and no new state entries are added.
    • id—Channel used to transfer SA entries.

Step 7
  Command: Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
           ...
           Router(config-crypto-tran)# exit
  Purpose: Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.
    • transform-set-name—Name of the transform set.
    • transform1 [transform2 [transform3]]—Defines the IPSec security protocols and algorithms.
    For accepted transform values and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 8
  Command: Router(config)# crypto map name ha replay-interval inbound inbound-interval outbound outbound-interval
  Purpose: (Optional) Specifies the intervals at which the active router updates the standby router with anti-replay sequence numbers.
    • name—Tag name of the crypto map described in the configuration.
    • inbound-interval—The interval at which the active router sends packet sequence updates for incoming packets. The range is 0 to 10000 (packets); the default is 1000.
    • outbound-interval—The interval at which the active router sends packet sequence updates for outgoing packets. The range is 1 to 10 (in millions of packets); the default is 1.

Step 9
  Command: Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard
  Purpose: Defines an extended IP access list.
    • access-list-number—Number of the access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
    • {deny | permit}—Denies or permits access if the conditions are met.
    • source—Address of the host from which the packet is being sent.
    • source-wildcard—Wildcard bits to be applied to the source address.
    • destination—Address of the host to which the packet is being sent.
    • destination-wildcard—Wildcard bits to be applied to the destination address.
    For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 10
  Command: Router(config)# crypto dynamic-map dynamic-map-name seq-number
           ...
           Router(config-crypto-map)# exit
  Purpose: Creates or modifies a dynamic crypto map template and enters crypto map configuration mode. A dynamic crypto map always uses IKE to establish its IPSec security associations; the ipsec-isakmp keyword belongs to the crypto map entry in Step 11, as the configuration examples in this guide show.
    • dynamic-map-name—Name that identifies the dynamic crypto map template.
    • seq-number—Sequence number you assign to the dynamic crypto map entry. Lower values have higher priority.
    For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 11
  Command: Router(config)# crypto map map-name seq-number ipsec-isakmp dynamic dynamic-map-name
  Purpose: Creates a crypto map entry and binds it to the dynamic crypto map template.
    • map-name—Name that identifies the crypto map set.
    • seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.
    • ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.
    • dynamic-map-name—Name that identifies the dynamic crypto map template.

Step 12
  Command: Router(config)# interface gigabitethernet slot/subslot/port
  Purpose: Enters interface configuration mode for the LAN-side Gigabit Ethernet interface.

Step 13
  Command: Router(config-if)# ip address address mask
  Purpose: Specifies the IP address and subnet mask for the interface.
    • address—IP address.
    • mask—Subnet mask.

Step 14
  Command: Router(config-if)# standby [group-number] ip ip-address
  Purpose: Enables HSRP on the interface.
    • group-number—(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.
    • ip-address—(Optional) Virtual IP address of the HSRP standby group.

Step 15
  Command: Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime
  Purpose: Configures the time between hello packets and the hold time before other routers declare the active router to be down.
    • group-number—(Optional) Group number to which the timers apply.
    • msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.
    • hellotime—Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hellotime is in milliseconds. This is an integer from 15 to 999.
    • holdtime—Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255, where the lower bound x depends on the configured hello time (the hold time must be greater than the hello time). The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000, where y likewise depends on the hello time.

Step 16
  Command: Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] seconds]
  Purpose: Sets the standby priority used in choosing the active router, and specifies that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router.
    • group-number—(Optional) Group number to which the priority applies.
    • priority—(Optional) The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority.
    • delay—(Optional) Specifies a preemption delay, after which the Hot Standby router preempts and becomes the active router.
    • minimum—(Optional) Specifies the minimum delay period in seconds.
    • sync—(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds.
• seconds—(Optional) Causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay). Step 17 Router(config-if)# standby [group-number] track type number [interface-priority] Configures the interface to track other interfaces, so that if one of the other interfaces goes down, the device’s Hot Standby priority is lowered. • group-number—(Optional) Group number on the interface for which HSRP is being activated. • type—Interface type (combined with interface number) that will be tracked. • number—Interface number (combined with interface type) that will be tracked. • interface-priority—(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). Range is from 0 to 255. Default is 10. Step 18 Router(config-if)# standby [group-number] name Configures the standby group name for the interface. • group-number—(Optional) Group number to which the name is being applied. • name—Name of the HSRP standby group. Step 19 Router(config-if)# interface vlan vlan_ID Enters interface configuration mode for the specified crypto interface VLAN. Command Purpose 32-16 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 32 Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA Configuring IPSec Failover Step 20 Router(config-if)# ip address address mask Specifies the IP address and subnet mask for the interface. • address—IP address. • mask—Subnet mask. Step 21 Router(config-if)# standby [group-number] ip ip-address Enables the HSRP. • group-number—(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2. 
• ip-address—(Optional) Virtual IP address of the HSRP standby group. Step 22 Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime Configures the time between hello packets and the hold time before other routers declare the active router to be down. • group-number—(Optional) Group number to which the timers apply. • msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover. • hellotime—Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hellotime is in milliseconds. This is an integer from 15 to 999. • holdtime—Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255. The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000. Command Purpose 32-17 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 32 Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA Configuring IPSec Failover Step 23 Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] seconds] Sets the standby priority used in choosing the active router. • group-number—(Optional) Group number to which the priority applies. • priority—(Optional) The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority. Specify that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router. • delay—(Optional) Specifies a preemption delay, after which the hot standby router preempts and becomes the active router. • minimum—(Optional) Specifies the minimum delay period in seconds. • sync—(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds. 
• seconds—(Optional) Causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

Step 24
Router(config-if)# standby [group-number] track type number [interface-priority]
Configures the interface to track other interfaces, so that if one of the other interfaces goes down, the device's hot standby priority is lowered.
• group-number—(Optional) Group number on the interface for which HSRP is being activated.
• type—Interface type (combined with interface number) that will be tracked.
• number—Interface number (combined with interface type) that will be tracked.
• interface-priority—(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). Range is from 0 to 255. Default is 10.

Step 25
Router(config-if)# standby [group-number] name
Configures the standby group name for the interface.
• group-number—(Optional) Group number to which the name is being applied.
• name—Name of the HSRP standby group.

Step 26
Router(config-if)# crypto map map-name ssp id
Enables IPSec state information to be transferred by the SSP channel described by the ID. If this feature is disabled, all standby entries bound to that interface will be removed.

Step 27
Router(config-if)# crypto engine slot slot
Assigns the crypto engine to the inside interface VLAN.
• slot—The slot where the IPSec VPN SPA is located.

Step 28
Router(config-if)# interface gigabitethernet slot/subslot/port
Enters interface configuration mode for the outside Gigabit Ethernet interface.

Step 29
Router(config-if)# crypto connect vlan vlan_ID
Connects the outside access port to the inside interface VLAN and enters crypto-connect mode.
• vlan_ID—Interface VLAN identifier.

For an example of IPSec stateful failover configuration using HSRP and SSP, see the "IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode Configuration Example" section on page 32-29.

Configuring IPSec Stateless and Stateful Failover with VRF Mode

Note: Support for IPSec stateful failover is removed in Cisco IOS Release 12.2(33)SRA. The feature is supported in Release 12.2SXF.

Chassis-to-chassis failover with VRF mode is configured differently than in non-VRF (crypto-connect) mode. In VRF mode, the HSRP configuration goes on the physical interface, but the crypto map is added to the interface VLAN. In non-VRF mode, both the HSRP configuration and the crypto map are on the same interface. RRI dynamically inserts and removes routes from the active and standby router VRF routing tables.

For a configuration example of VRF mode with stateless failover, see the "IPSec Stateless Failover Using HSRP with VRF Mode Configuration Example" section on page 32-33. For a configuration example of VRF mode with stateful failover, see the "IPSec Stateful Failover Using HSRP with VRF Mode Configuration Example" section on page 32-34.

Verifying HSRP Configurations

To verify the IPSec stateful failover HSRP configuration, use the show crypto isakmp ha standby, show crypto ipsec ha, show crypto ipsec sa, and show crypto ipsec sa standby commands.

To view your ISAKMP standby or active SAs, enter the show crypto isakmp ha standby command:

Router# show crypto isakmp ha standby
dst             src             state     I-Cookie           R-Cookie
172.16.31.100   20.3.113.1      QM_IDLE   796885F3 62C3295E  FFAFBACD EED41AFF
172.16.31.100   20.2.148.1      QM_IDLE   5B78D70F 3D80ED01  FFA03C6D 09FC50BE
172.16.31.100   20.4.124.1      QM_IDLE   B077D0A1 0C8EB3A0  FF5B152C D233A1E0
172.16.31.100   20.3.88.1       QM_IDLE   55A9F85E 48CC14DE  FF20F9AE DE37B913
172.16.31.100   20.1.95.1       QM_IDLE   3881DE75 3CF384AE  FF192CAB 795019AB

To view your IPSec HA Manager state, enter the show crypto ipsec ha command:

Router# show crypto ipsec ha
Interface              VIP             SAs    IPSec HA State
GigabitEthernet5/0/1   172.16.31.100   1800   Active since 13:00:16 EDT Tue Oct 1 2002

To view the HA status of the IPSec SA (standby or active), enter the show crypto ipsec sa command:

Router# show crypto ipsec sa
interface: GigabitEthernet5/0/1
    Crypto map tag: mymap, local addr. 172.168.3.100
   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0)
   current_peer: 172.168.3.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1
     path mtu 1500, media mtu 1500
     current outbound spi: 132ED6AB
     inbound esp sas:
      spi: 0xD8C8635F(3637011295)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        IV size: 8 bytes
        replay detection support: Y
        HA Status: STANDBY
     inbound ah sas:
      spi: 0xAAF10A60(2867923552)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        replay detection support: Y
        HA Status: STANDBY
     inbound pcp sas:
     outbound esp sas:
      spi: 0x132ED6AB(321836715)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        IV size: 8 bytes
        replay detection support: Y
        HA Status: STANDBY
     outbound ah sas:
      spi: 0x1951D78(26549624)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        replay detection support: Y
        HA Status: STANDBY
     outbound pcp sas:

Enter the show crypto ipsec sa standby command to view your standby SAs:

Router# show crypto ipsec sa standby
interface: GigabitEthernet5/0/1
    Crypto map tag: mymap, local addr. 172.168.3.100
   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0)
   current_peer: 172.168.3.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1
     path mtu 1500, media mtu 1500
     current outbound spi: 132ED6AB
     inbound esp sas:
      spi: 0xD8C8635F(3637011295)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        IV size: 8 bytes
        replay detection support: Y
        HA Status: STANDBY
     inbound ah sas:
      spi: 0xAAF10A60(2867923552)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        replay detection support: Y
        HA Status: STANDBY
     inbound pcp sas:
     outbound esp sas:
      spi: 0x132ED6AB(321836715)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        IV size: 8 bytes
        replay detection support: Y
        HA Status: STANDBY
     outbound ah sas:
      spi: 0x1951D78(26549624)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        replay detection support: Y
        HA Status: STANDBY
     outbound pcp sas:

Displaying SSP Information

To verify the IPSec stateful failover SSP configuration, use the show ssp client, show ssp packet, show ssp peers, and show ssp redundancy commands.

To view SSP client information, enter the show ssp client command:

Router# show ssp client
SSP Client Information
DOI   Client Name         Version   Running Ver
1     IPSec HA Manager    1.0       1.0
2     IKE HA Manager      1.0       1.0

To view SSP packet information, enter the show ssp packet command:

Router# show ssp packet
SSP packet Information
Socket creation time: 01:01:06
Local port: 3249   Server port: 3249
Packets Sent = 38559, Bytes Sent = 2285020
Packets Received = 910, Bytes Received = 61472

To view SSP peer information, enter the show ssp peers command:

Router# show ssp peers
SSP Peer Information
IP Address    Connection State    Local Interface
40.0.0.1      Connected           FastEthernet0/1

To view redundancy information, enter the show ssp redundancy command:

Router# show ssp redundancy
SSP Redundancy Information
Device has been ACTIVE for 02:55:34
Virtual IP       Redundancy Name    Interface
172.16.31.100    KNIGHTSOFNI        GigabitEthernet5/0/1GigabitEthernet0/0

For complete configuration information for Cisco IOS IPSec stateful failover support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_2/12_2y/12_2yx11/feature/guide/ft_vpnha.html

For IPSec stateful failover configuration examples, see the "IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode Configuration Example" section on page 32-29.

Configuring Intrachassis IPSec Stateful Failover Using a Blade Failure Group

This section describes how to configure IPSec stateful failover within a chassis using a blade failure group (BFG). When one or more pairs of IPSec VPN SPAs are installed in a chassis, each pair can be configured as a blade failure group (BFG). The two modules do not need to reside within the same SSC.
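The show crypto ipsec sa and show crypto ipsec sa standby output in the Verifying HSRP Configurations section above carries a per-SA HA Status line, and in practice that output is what an operator scrapes to confirm that every SA on the standby chassis really is in STANDBY state before trusting a failover. The following Python parser and audit is an added example; it is not part of this guide or of Cisco IOS. Its sample output is constructed from the guide's own listing, trimmed, with the outbound AH SA altered (ACTIVE, replay detection off, 120 seconds of lifetime left) so that the audit has something to flag. The weak-transform list (single DES and MD5 HMAC) and the 600-second lifetime threshold are the example's own assumptions.

```python
"""Audit per-SA HA state in 'show crypto ipsec sa [standby]' output.
Added example written against the output layout shown in this guide."""
import re
from dataclasses import dataclass

# Constructed sample: the guide's listing, trimmed, with the outbound AH SA
# altered (ACTIVE, replay detection off, 120 s left) so the audit flags it.
SAMPLE = """\
interface: GigabitEthernet5/0/1
    Crypto map tag: mymap, local addr. 172.168.3.100
     current outbound spi: 132ED6AB
     inbound esp sas:
      spi: 0xD8C8635F(3637011295)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        replay detection support: Y
        HA Status: STANDBY
     inbound pcp sas:
     outbound esp sas:
      spi: 0x132ED6AB(321836715)
        transform: esp-des esp-md5-hmac ,
        slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/59957)
        replay detection support: Y
        HA Status: STANDBY
     outbound ah sas:
      spi: 0x1951D78(26549624)
        transform: ah-sha-hmac ,
        slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4499/120)
        replay detection support: N
        HA Status: ACTIVE
"""

SA_HEADER = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
SPI_LINE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)\(\d+\)$")
CONN_ID = re.compile(r"conn id: (\d+)")
LIFETIME = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}  # assumption: flag these


@dataclass
class SaRecord:
    direction: str          # "inbound" or "outbound"
    proto: str              # "esp", "ah" or "pcp"
    spi: str
    transform: str = ""
    conn_id: int = -1
    kbytes_left: int = -1
    secs_left: int = -1
    replay: str = ""        # "Y" or "N"
    ha_status: str = ""     # "ACTIVE" or "STANDBY"


def parse_ipsec_sa(text):
    """Return one SaRecord per SPI, in display order."""
    records, direction, proto, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEADER.match(line)
        if m:                                   # new "<dir> <proto> sas:" group
            direction, proto = m.groups()
            cur = None
            continue
        m = SPI_LINE.match(line)
        if m and direction:                     # an spi: line opens a new SA
            cur = SaRecord(direction, proto, m.group(1))
            records.append(cur)
            continue
        if cur is None:                         # header area or an empty pcp group
            continue
        if line.startswith("transform:"):
            cur.transform = line[len("transform:"):].strip(" ,")
        elif (m := CONN_ID.search(line)):
            cur.conn_id = int(m.group(1))
        elif (m := LIFETIME.search(line)):
            cur.kbytes_left, cur.secs_left = int(m.group(1)), int(m.group(2))
        elif line.startswith("replay detection support:"):
            cur.replay = line.split(":", 1)[1].strip()
        elif line.startswith("HA Status:"):
            cur.ha_status = line.split(":", 1)[1].strip()
    return records


def audit_sas(records, expected_ha, min_secs=600):
    """Findings for SAs whose HA state, replay protection, remaining lifetime
    or transform differ from what a healthy chassis in that role should show."""
    findings = []
    for r in records:
        label = f"{r.direction} {r.proto} spi {r.spi}"
        if r.ha_status != expected_ha:
            findings.append(f"{label}: HA Status {r.ha_status or 'missing'}, expected {expected_ha}")
        if r.replay != "Y":
            findings.append(f"{label}: replay detection not enabled")
        if 0 <= r.secs_left < min_secs:
            findings.append(f"{label}: only {r.secs_left}s of key lifetime left")
        for weak in sorted(WEAK_TRANSFORMS & set(r.transform.split())):
            findings.append(f"{label}: weak transform {weak}")
    return findings


if __name__ == "__main__":
    print(*audit_sas(parse_ipsec_sa(SAMPLE), "STANDBY"), sep="\n")
```

Run against the standby chassis with expected_ha="STANDBY" and against the active chassis with "ACTIVE"; an SA reported in the wrong state on either side is the first thing to chase before a planned failover, since the SSP channel should have left both sides with matching SA sets.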
Within the BFG, each IPSec VPN SPA serves as a backup for the other IPSec VPN SPA. A BFG may be in either an active/active or an active/standby configuration. Each IPSec tunnel is associated with only one active IPSec VPN SPA. In a BFG, the other IPSec VPN SPA will act as a backup for that IPSec tunnel. For each IKE SA or IPSec tunnel, there is an active IPSec VPN SPA and its backup.

For example, in a system that supports 1000 tunnels with two IPSec VPN SPAs, 500 of the tunnels may be active on one SPA and the remaining 500 may be active on the second SPA. Both SPAs then replicate data to each other so that either one can take over in the event of a failure.

IPSec Stateful Failover Using a BFG Configuration Guidelines and Restrictions

When configuring IPSec stateful failover using a BFG, follow these guidelines and restrictions:
• You can install or remove one of the IPSec VPN SPAs comprising a BFG without disrupting any of the tunnels on the other IPSec VPN SPA.
• We recommend deploying a BFG in an active/standby configuration to avoid oversubscription in the case of a failover.
• When deploying a BFG in an active/active configuration, we recommend that you limit each IPSec VPN SPA to no more than 50% utilization to avoid oversubscription in the case of a failover.
• In Cisco IOS Release 12.2(33)SXH and earlier releases, the IPsec statistics may experience a slight disruption during a stateful BFG failover, but will resume from approximately the values before the failover.
• In Cisco IOS Release 12.2(33)SXI and later releases, the IPsec statistics are reset during a stateful BFG failover, and will resume from zero.
Configuring a BFG for IPSec Stateful Failover

To configure IPSec stateful failover using a BFG, perform this task beginning in global configuration mode:

Command Purpose

Step 1
Router(config)# redundancy
Enters redundancy configuration mode.

Step 2
Router(config-red)# linecard-group group-number feature-card
Identifies the line card group ID for a Blade Failure Group and enters redundancy line card configuration mode.
• group-number—Specifies a group ID for the BFG.

Step 3
Router(config-r-lc)# subslot slot/subslot
Adds the first SPA to the group.
• slot—Specifies the chassis slot number where the SSC is installed.
• subslot—Specifies the secondary slot number on an SSC where a SPA is installed.

Step 4
Router(config-r-lc)# subslot slot/subslot
Adds the second SPA to the group.

For an IPSec stateful failover using a BFG configuration example, see the "IPSec Stateful Failover Using a Blade Failure Group Configuration Example" section on page 32-38.

Verifying the IPSec Stateful Failover Using a BFG Configuration

To verify the IPSec stateful failover using a BFG configuration, use the show redundancy linecard-group and show crypto ace redundancy commands.

To display the components of a Blade Failure Group, enter the show redundancy linecard-group command:

Router# show redundancy linecard-group 1
Line Card Redundancy Group:1 Mode:feature-card Class:load-sharing
Cards:
  Slot:3 Sublot:0
  Slot:5 Sublot:0

To display information about a Blade Failure Group, enter the show crypto ace redundancy command:

Router# show crypto ace redundancy
--------------------------------------
LC Redundancy Group ID             :1
Pending Configuration Transactions :0
Current State                      :OPERATIONAL
Number of blades in the group      :2
Slots
--------------------------------------
Slot:3 subslot:0
  Slot state:0x36
  Booted
  Received partner config
  Completed Bulk Synchronization
  Crypto Engine in Service
  Rebooted 22 times
  Initialization Timer not running
Slot:5 subslot:0
  Slot state:0x36
  Booted
  Received partner config
  Completed Bulk Synchronization
  Crypto Engine in Service
  Rebooted 24 times
  Initialization Timer not running

Configuration Examples

This section provides examples of the following configurations:
• Multiple IPSec VPN SPAs in a Chassis Configuration Example, page 32-24
• IPSec Stateless Failover Using HSRP with Crypto-Connect Mode Configuration Examples, page 32-27
• IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode Configuration Example, page 32-29
• IPSec Stateless Failover Using HSRP with VRF Mode Configuration Example, page 32-33
• IPSec Stateful Failover Using HSRP with VRF Mode Configuration Example, page 32-34
• IPSec Stateful Failover Using a Blade Failure Group Configuration Example, page 32-38

Note: The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA. As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your startup configuration to avoid extended maintenance time.

Multiple IPSec VPN SPAs in a Chassis Configuration Example

This section provides an example of a configuration using multiple IPSec VPN SPAs in a chassis as shown in Figure 32-1. Note the following in these examples:
• An IPSec VPN SPA is in slot 2, subslot 0 and slot 3, subslot 0 of router 1.
• In the configuration example, three exclamation points (!!!) precede descriptive comments.

Figure 32-1 Multiple IPSec VPN SPAs in a Chassis Configuration Example
(Figure: Router 1 with Host 1 (10.9.1.3/24) on FE 6/1 (10.9.1.2/24) and Host 2 (10.9.2.1/24) on FE 6/2 (10.9.2.2/24); GE 5/3 and GE 5/4 connect Router 1 to Router 2; Host 3 (10.6.1.4) and Host 4 (10.6.2.1) sit behind Router 2.)

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mykey address 10.8.1.1
crypto isakmp key mykey address 10.13.1.1
!
crypto ipsec transform-set xform1 ah-md5-hmac esp-des esp-sha-hmac
crypto ipsec transform-set xform2 esp-3des esp-sha-hmac
!
!!! crypto map applied to VLAN 12, which is
!!! assigned to "inside" port of IPSec VPN SPA in slot 3
crypto map cmap2 10 ipsec-isakmp
 set peer 10.8.1.1
 set transform-set xform1
 match address 102
!
!!! crypto map applied to VLAN 20, which is
!!! assigned to "inside" port of IPSec VPN SPA in slot 2/0
crypto map cmap3 10 ipsec-isakmp
 set peer 10.13.1.1
 set transform-set xform2
 match address 103
!
!!! "port" VLAN, crypto connected to VLAN 12 by IPSec VPN SPA on slot 3/0
interface Vlan11
 no ip address
 crypto connect vlan 12
!
!!! "interface" VLAN, assigned to IPSec VPN SPA on slot 3/0
interface Vlan12
 ip address 10.8.1.2 255.255.0.0
 crypto map cmap2
 crypto engine slot 3/0
!
!!! "port" VLAN, crypto connected to VLAN 20 by IPSec VPN SPA on slot 2/0
interface Vlan19
 no ip address
 crypto connect vlan 20
!
!!! "interface" VLAN, assigned to IPSec VPN SPA on slot 2/0
interface Vlan20
 ip address 10.13.1.2 255.255.0.0
 crypto map cmap3
 crypto engine slot 2/0
!
!!! connected to Host 1
interface FastEthernet6/1
 ip address 10.9.1.2 255.255.255.0
!
!!! connected to Host 2
interface FastEthernet6/2
 ip address 10.9.2.2 255.255.255.0
!
!!! connected to Router 2
interface GigabitEthernet5/3
 switchport
 switchport mode access
 switchport access vlan 11
!
!!! connected to Router 2
interface GigabitEthernet5/4
 switchport
 switchport mode access
 switchport access vlan 19
!
interface GigabitEthernet2/0/1
 no ip address
 flowcontrol receive on
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 12,1002-1005
 switchport mode trunk
 cdp enable
!
interface GigabitEthernet2/0/2
 no ip address
 flowcontrol receive on
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,1002-1005
 switchport mode trunk
 cdp enable
!
interface GigabitEthernet3/0/1
 no ip address
 flowcontrol receive on
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,1002-1005
 switchport mode trunk
 cdp enable
!
interface GigabitEthernet3/0/2
 no ip address
 flowcontrol receive on
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 19,1002-1005
 switchport mode trunk
 cdp enable
!
ip classless
!
!!! packets from Host 1 to Host 3 are routed from FastEthernet6/1
!!! to VLAN 12, encrypted with crypto map cmap2
!!! using IPSec VPN SPA in slot 3/0, and forwarded to peer 10.8.1.1
!!! through GigabitEthernet5/3
ip route 10.6.1.4 255.255.255.255 10.8.1.1
!
!!! packets from Host 2 to Host 4 are routed from FastEthernet6/2
!!! to VLAN 20, encrypted with crypto map cmap3
!!! using IPSec VPN SPA in slot 2/0, and forwarded to peer 10.13.1.1
!!! through GigabitEthernet5/4
ip route 10.6.2.1 255.255.255.255 10.13.1.1
!
!!! ACL matching traffic between Host 1 and Host 3
access-list 102 permit ip host 10.9.1.3 host 10.6.1.4
!
!!! ACL matching traffic between Host 2 and Host 4
access-list 103 permit ip host 10.9.2.1 host 10.6.2.1

IPSec Stateless Failover Using HSRP with Crypto-Connect Mode Configuration Examples

This section provides the following configuration examples of IPSec stateless failover using HSRP:
• IPSec Stateless Failover for the Active Chassis Configuration Example, page 32-27
• IPSec Stateless Failover for the Remote Router Configuration Example, page 32-28

IPSec Stateless Failover for the Active Chassis Configuration Example

The following example shows the configuration for an active chassis that is configured for IPSec stateless failover using HSRP:

hostname router-1
!
vlan 2-1001
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set PYTHON esp-3des
!
crypto dynamic-map dynamap_1 20
 set transform-set PYTHON
 reverse-route
!
!
crypto map MONTY 1 ipsec-isakmp dynamic dynamap_1
!
interface GigabitEthernet1/3
 switchport
 switchport access vlan 502
 switchport mode access
!
interface GigabitEthernet1/4
 ip address 50.0.0.3 255.0.0.0
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 502
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 172.1.1.3 255.255.255.0
 standby ip 172.1.1.100
 standby preempt
 standby name KNIGHTSOFNI
 standby track GigabitEthernet1/3
 standby track GigabitEthernet1/4
 no mop enabled
 crypto map MONTY redundancy KNIGHTSOFNI
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
!
ip route 10.0.0.0 255.0.0.0 172.1.1.4
ip route 20.0.0.0 255.0.0.0 172.1.1.4
ip route 50.0.0.0 255.0.0.0 50.0.0.13
ip route 50.0.1.1 255.255.255.255 50.0.0.13
ip route 50.0.2.1 255.255.255.255 50.0.0.13
ip route 50.0.3.1 255.255.255.255 50.0.0.13
ip route 50.0.4.1 255.255.255.255 50.0.0.13
ip route 50.0.5.1 255.255.255.255 50.0.0.13

IPSec Stateless Failover for the Remote Router Configuration Example

The following example shows the configuration for a remote router that is configured for IPSec stateless failover using HSRP:

hostname router-remote
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 12345 address 172.1.1.100
!
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto map test_1 local-address Vlan2
crypto map test_1 10 ipsec-isakmp
 set peer 172.1.1.100
 set security-association lifetime seconds 86400
 set transform-set ha_transform
 set pfs group2
 match address test_1
!
interface GigabitEthernet1/1
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 20.0.1.1 255.255.255.0
 crypto map test_1
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
!
ip route 10.0.0.0 255.0.0.0 10.0.0.13
ip route 50.0.1.0 255.255.255.0 20.0.1.2
ip route 172.1.1.0 255.255.255.0 20.0.1.2
!
ip access-list extended test_1
 permit ip host 10.0.1.1 host 50.0.1.1

IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode Configuration Example

Note: Support for IPSec stateful failover using HSRP and SSP is removed in Cisco IOS Release 12.2(33)SRA and later releases. The feature is supported in Release 12.2SXF.

Note: This configuration example does not protect the SSP traffic. To protect the SSP traffic, you will need to define a new crypto map and attach it to the SSP interface without the ssp tag. The ACL for this crypto map can be derived from the remote IP address and the TCP port that are defined in the SSP group.

The following example shows the configuration for an IPSec stateful failover using HSRP and SSP:

hostname router-1
!
ssp group 100
 remote 50.0.0.6
 redundancy PUBLIC
 redundancy PRIVATE
!
vlan 502
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address 0.0.0.0 0.0.0.0
crypto isakmp ssp 100
!
!
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto dynamic-map ha_dynamic 10
 set security-association lifetime seconds 86400
 set transform-set ha_transform
 set pfs group2
!
!
crypto map ha_dynamic 10 ipsec-isakmp dynamic ha_dynamic
!
!
!
interface GigabitEthernet1/1
 no ip address
 crypto connect vlan 502
!
interface GigabitEthernet1/2
 ip address 50.0.0.5 255.255.255.0
 load-interval 30
 no keepalive
 standby delay minimum 30 reload 60
 standby 2 ip 50.0.0.100
 standby 2 preempt
 standby 2 name PRIVATE
 standby 2 track GigabitEthernet1/1
 standby 2 track Vlan502
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan502 ip address 172.1.1.5 255.255.255.0 no mop enabled standby delay minimum 30 reload 60 standby 1 ip 172.1.1.100 standby 1 preempt standby 1 name PUBLIC standby 1 track GigabitEthernet1/1 standby 1 track GigabitEthernet1/2 crypto map ha_dynamic ssp 100 crypto engine slot 4/0 ! ip route 10.0.0.0 255.0.0.0 172.1.1.4 ip route 20.0.0.0 255.0.0.0 172.1.1.4 ip route 50.0.0.0 255.0.0.0 50.0.0.13 The following example shows the configuration for a remote peer router that is configured for IPSec stateful failover using HSRP and SSP: hostname router-remote ! crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key 12345 address 172.1.1.100 ! ! crypto ipsec transform-set ha_transform esp-3des ! crypto map test_1 local-address Vlan2 crypto map test_1 10 ipsec-isakmp set peer 172.1.1.100 set security-association lifetime seconds 86400 set transform-set ha_transform set pfs group2 match address test_1 ! crypto map test_2 local-address Vlan3 crypto map test_2 10 ipsec-isakmp set peer 172.1.1.100 set security-association lifetime seconds 86400 set transform-set ha_transform set pfs group2 match address test_2 ! interface GigabitEthernet1/1 32-32 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 32 Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA Configuration Examples ip address 10.0.0.2 255.255.255.0 ! interface GigabitEthernet1/2 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,502,503,1002-1005 switchport mode trunk no ip address ! interface GigabitEthernet4/0/1 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1-3,1002-1005 switchport mode trunk mtu 9216 no ip address flowcontrol receive on flowcontrol send off spanning-tree portfast trunk ! 
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,503,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 20.0.1.1 255.255.255.0
 crypto map test_1
 crypto engine slot 4/0
!
interface Vlan3
 ip address 20.0.2.1 255.255.255.0
 crypto map test_2
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
!
interface Vlan503
 no ip address
 crypto connect vlan 3
!
ip route 10.0.0.0 255.0.0.0 10.0.0.13
ip route 50.0.1.0 255.255.255.0 20.0.1.2
ip route 50.0.2.0 255.255.255.0 20.0.2.2
ip route 172.1.1.0 255.255.255.0 20.0.1.2
!
ip access-list extended test_1
 permit ip host 10.0.1.1 host 50.0.1.1
ip access-list extended test_2
 permit ip host 10.0.2.1 host 50.0.2.1

IPSec Stateless Failover Using HSRP with VRF Mode Configuration Example

The following example shows a VRF mode configuration with HSRP chassis-to-chassis stateless failover with crypto maps:

!
hostname router-1
!
ip vrf ivrf
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3
!
crypto keyring key1
 pre-shared-key address 14.0.1.1 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp keepalive 10
crypto isakmp profile ivrf
 vrf ivrf
 keyring key1
 match identity address 14.0.1.1 255.255.255.255
!
crypto ipsec transform-set ts esp-3des esp-sha-hmac
!
crypto map map_vrf_1 local-address Vlan3
crypto map map_vrf_1 10 ipsec-isakmp
 set peer 14.0.1.1
 set transform-set ts
 set isakmp-profile ivrf
 match address acl_1
!
interface GigabitEthernet1/1
 !switch inside port
 ip address 13.254.254.1 255.255.255.0
!
interface GigabitEthernet1/1.1
 encapsulation dot1Q 2000
 ip vrf forwarding ivrf
 ip address 13.254.254.1 255.0.0.0
!
interface GigabitEthernet1/2
 !switch outside port
 switchport
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet4/0/1
 !IPSec VPN SPA inside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 !IPSec VPN SPA outside port
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan3
 ip address 15.0.0.2 255.255.255.0
 standby delay minimum 0 reload 0
 standby 1 ip 15.0.0.100
 standby 1 timers msec 100 1
 standby 1 priority 105
 standby 1 preempt
 standby 1 name std-hsrp
 standby 1 track GigabitEthernet1/2
 crypto engine slot 4/0 outside
!
interface Vlan2
 ip vrf forwarding ivrf
 ip address 15.0.0.252 255.255.255.0
 crypto map map_vrf_1 redundancy std-hsrp
 crypto engine slot 4/0 inside
!
ip classless
ip route 12.0.0.0 255.0.0.0 15.0.0.1
ip route 13.0.0.0 255.0.0.0 13.254.254.2
ip route 14.0.0.0 255.0.0.0 15.0.0.1
ip route 223.255.254.0 255.255.255.0 17.1.0.1
ip route vrf ivrf 12.0.0.1 255.255.255.255 15.0.0.1
!
ip access-list extended acl_1
 permit ip host 13.0.0.1 host 12.0.0.1
!
arp vrf ivrf 13.0.0.1 0000.0000.2222 ARPA

IPSec Stateful Failover Using HSRP with VRF Mode Configuration Example

Note: Support for IPSec stateful failover with HSRP is removed in Cisco IOS Release 12.2(33)SRA and later releases. The feature is supported in Release 12.2SXF.
The following example shows a VRF mode configuration with HSRP chassis-to-chassis stateful failover with crypto maps:

hostname router-1
!
ip vrf vrf1
 rd 2000:1
 route-target export 2000:1
 route-target import 2000:1
!
ssp group 100
 remote 172.1.1.60
 redundancy PUBLIC
 redundancy PRIVATE
!
crypto engine mode vrf
!
vlan 2-1001
!
crypto keyring key1
 pre-shared-key address 0.0.0.0 0.0.0.0 key 12345
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp ssp 100
!
crypto isakmp profile prof1
 vrf vrf1
 keyring key1
 match identity address 0.0.0.0
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto dynamic-map ha_dynamic 10
 set security-association lifetime seconds 86400
 set transform-set ha_transform
 set isakmp-profile prof1
 reverse-route
!
crypto map ha_dynamic local-address GigabitEthernet1/3
crypto map ha_dynamic 10 ipsec-isakmp dynamic ha_dynamic
!
interface GigabitEthernet1/2
 no ip address
!
interface GigabitEthernet1/2.1
 encapsulation dot1Q 2500
 ip vrf forwarding vrf1
 ip address 50.0.0.5 255.0.0.0
 standby delay minimum 30 reload 90
 standby 2 ip 50.0.0.100
 standby 2 preempt
 standby 2 name PRIVATE
 standby 2 track GigabitEthernet1/3
 standby 2 track Vlan100
!
interface GigabitEthernet1/3
 ip address 172.1.1.50 255.255.255.0
 standby delay minimum 30 reload 90
 standby 1 ip 172.1.1.100
 standby 1 preempt
 standby 1 name PUBLIC
 standby 1 track GigabitEthernet1/2
 standby 1 track Vlan100
 crypto engine slot 2/0
!
interface GigabitEthernet2/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan100
 ip vrf forwarding vrf1
 ip address 172.1.1.6 255.255.255.0
 crypto map ha_dynamic ssp 100
 crypto engine slot 2/0
!
ip route 10.0.0.0 255.0.0.0 172.1.1.4
ip route 20.0.0.0 255.0.0.0 172.1.1.4
ip route vrf vrf1 50.0.1.1 255.255.255.255 50.0.0.13
!

The following example shows the configuration for a remote peer router that is configured for IPSec stateful failover in VRF mode:

hostname router-remote
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 12345 address 172.1.1.100
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto map test_1 local-address Vlan2
crypto map test_1 10 ipsec-isakmp
 set peer 172.1.1.100
 set security-association lifetime seconds 86400
 set transform-set ha_transform
 match address test_1
!
crypto map test_2 local-address Vlan3
crypto map test_2 10 ipsec-isakmp
 set peer 172.1.1.100
 set security-association lifetime seconds 86400
 set transform-set ha_transform
 match address test_2
!
interface GigabitEthernet1/1
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,503,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-3,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502,503,1002-1005
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface Vlan2
 ip address 20.0.1.1 255.255.255.0
 crypto map test_1
 crypto engine slot 4/0
!
interface Vlan3
 ip address 20.0.2.1 255.255.255.0
 crypto map test_2
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
!
interface Vlan503
 no ip address
 crypto connect vlan 3
!
ip route 10.0.0.0 255.0.0.0 10.0.0.13
ip route 50.0.1.0 255.255.255.0 20.0.1.2
ip route 50.0.2.0 255.255.255.0 20.0.2.2
ip route 172.1.1.0 255.255.255.0 20.0.1.2
!
ip access-list extended test_1
 permit ip host 10.0.1.1 host 50.0.1.1
ip access-list extended test_2
 permit ip host 10.0.2.1 host 50.0.2.1

IPSec Stateful Failover Using a Blade Failure Group Configuration Example

The following example shows how to configure IPSec stateful failover using a blade failure group (BFG):

Router(config)# redundancy
Router(config-red)# line-card-group 1 feature-card
Router(config-r-lc)# subslot 3/1
Router(config-r-lc)# subslot 5/1

CHAPTER 33

Configuring Monitoring and Accounting for the IPSec VPN SPA

This chapter provides information about configuring monitoring and accounting using the IPSec VPN SPA on the Cisco 7600 series router.
It includes the following sections:
• Overview of Monitoring and Accounting for the IPSec VPN SPA, page 33-2
• Monitoring and Managing IPSec VPN Sessions, page 33-2
• Configuring IPSec VPN Accounting, page 33-5
• Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec, page 33-9
• Configuration Examples, page 33-10

Note: For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference. For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications. For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the "Related Documentation" section on page xlvii.

Tip: To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.

Overview of Monitoring and Accounting for the IPSec VPN SPA

This chapter describes some IPSec features that can be used to monitor and manage the IPSec VPN. These features include:
• The IPSec VPN monitoring feature, which provides VPN session monitoring enhancements that allow you to troubleshoot the VPN and monitor the end-user interface.
• The IPSec VPN accounting feature, which enables session accounting records to be generated by indicating when the session starts and when it stops.
• The IPSec and IKE MIB support for Cisco VRF-aware IPSec feature, which provides manageability of VPN routing and forwarding (VRF)-aware IPSec using MIBs.

Monitoring and Managing IPSec VPN Sessions

The IPSec VPN monitoring feature provides VPN session monitoring enhancements that allow you to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface.

A crypto session is a set of IPSec connections (flows) between two crypto endpoints. If the two crypto endpoints use IKE as the keying protocol, they are IKE peers to each other. Typically, a crypto session consists of one IKE security association (for control traffic) and at least two IPSec security associations (for data traffic, one per direction). There may be duplicated IKE security associations (SAs) and IPSec SAs, or duplicated IKE SAs or IPSec SAs, for the same session during rekeying or because of simultaneous setup requests from both sides.

Session monitoring enhancements include the following:
• Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file
• Summary listing of crypto session status
• Syslog notification for crypto session up or down status
• Ability to clear both IKE and IP Security (IPSec) security associations (SAs) using one command-line interface (CLI) command

Adding the Description of an IKE Peer

To add the description of an IKE peer to an IPSec VPN session, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# crypto isakmp peer {ip-address ip-address}
Purpose: Enables an IPSec peer for IKE querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode and enters ISAKMP peer configuration mode.
• ip-address—IP address of the peer.

Step 2
Command: Router(config-isakmp-peer)# description description
Purpose: Adds a description for an IKE peer.
• description—Description identifying the peer.
Verifying Peer Descriptions

To verify peer descriptions, enter the show crypto isakmp peer command:

Router# show crypto isakmp peer
Peer: 10.2.2.9 Port: 500
Description: connection from site A
flags: PEER_POLICY

When the peer at address 10.2.2.9 connects and the session comes up, the syslog status will be shown as follows:

%CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn

Getting a Summary Listing of Crypto Session Status

You can get a list of all the active VPN sessions by entering the show crypto session command. The listing will include the following:
• Interface
• IKE peer description, if available
• IKE SAs that are associated with the peer by which the IPSec SAs are created
• IPSec SAs serving the flows of a session

Multiple IKE or IPSec SAs may be established for the same peer, in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session.

You can also use the show crypto session detail variant of this command to obtain more detailed information about the sessions.
The following is sample output for the show crypto session command without the detail keyword:

Router# show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.0.0.2/500
  IKE SA: local 172.0.0.1/500 remote 172.0.0.2/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.30.30.0/255.255.255.0
        Active SAs: 2, origin: crypto map

The following is sample output using the show crypto session command with the detail keyword:

Router# show crypto session detail
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
      Desc: this is my peer at 10.1.1.3:500 Green
      Phase1_id: 10.1.1.3
  IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
          Capabilities:(none) connid:3 lifetime:22:03:24
  IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949

Syslog Notification for Crypto Session Up or Down Status

The syslog notification for crypto session up or down status function provides a syslog notification every time the crypto session comes up or goes down. To enable syslog logging of the session status, enter the crypto logging session and crypto logging ezvpn commands in configuration mode.

The following is a sample syslog notification showing that a crypto session is up:

%CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2

The following is a sample syslog notification showing that a crypto session is down:

%CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2

Clearing a Crypto Session

In previous Cisco IOS software releases, there was no single command to clear both IKE and IPSec security associations (SAs). Instead, you entered the clear crypto isakmp command to clear IKE and the clear crypto ipsec command to clear IPSec. The clear crypto session command allows you to clear both IKE and IPSec with a single command.

To clear a specific crypto session or a subset of all the sessions (for example, a single tunnel to one remote site), you must provide session-specific parameters, such as a local or remote IP address, a local or remote port, a front-door VPN routing and forwarding (FVRF) name, or an inside VRF (IVRF) name. Typically, the remote IP address will be used to specify a single tunnel to be deleted.

If a local IP address is provided as a parameter when you enter the clear crypto session command, all the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be cleared. If you do not provide a parameter when you enter the clear crypto session command, all IPSec SAs and IKE SAs in the router will be deleted.

To clear a crypto session, enter the clear crypto session command in privileged EXEC mode from the router command line. No configuration statements are required in the configuration file to use this command:

Router# clear crypto session

For complete configuration information for IPSec VPN Monitoring, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ipsvm.html

For IPSec VPN monitoring configuration examples, see the "IPSec VPN Monitoring Configuration Example" section on page 33-11.
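The two text sources described above, the %CRYPTO-5-SESSION_STATUS syslog message and the show crypto session output, are what an operations team usually feeds into monitoring. The following added example (not code from the Cisco guide) parses both formats into structured records, flags peers whose session is bouncing, and flags flows with no active SAs or with dropped packets. The syslog lines and the show output it runs on are constructed to match the formats printed in the guide; the timestamps, the SYS-5-CONFIG_I line and the flap threshold are assumptions of this example.

```python
"""Parse IPsec VPN session telemetry from Cisco IOS text output.
Added example; not code from the Cisco guide. It covers the
%CRYPTO-5-SESSION_STATUS syslog message and 'show crypto session [detail]'.
All sample input below is constructed to match the formats the guide prints.
"""
import re
from collections import Counter

# Both wordings the guide shows ("Crypto session is UP", "Crypto tunnel is UP");
# the fvrf/ivrf pair, Description and Id are optional trailing fields.
SYSLOG_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto (?:session|tunnel) is (?P<state>UP|DOWN)\. "
    r"Peer (?P<peer>[\d.]+):(?P<port>\d+)"
    r"(?: fvrf=(?P<fvrf>\S+) ivrf=(?P<ivrf>\S+))?"
    r"(?: Description: (?P<desc>.*?))?"
    r"(?: Id: (?P<id>\S+))?\s*$"
)

def parse_session_events(lines):
    """Return one dict per SESSION_STATUS message; unrelated syslog lines are skipped."""
    return [m.groupdict() for m in map(SYSLOG_RE.search, lines) if m]

def flapping_peers(events, max_down=2):
    """Peers that went DOWN more than max_down times in this slice of the log."""
    downs = Counter(e["peer"] for e in events if e["state"] == "DOWN")
    return sorted(peer for peer, n in downs.items() if n > max_down)

# 'Peer: 172.0.0.2/500' (summary form) and 'Peer: 10.1.1.3 port 500 ...' (detail form)
PEER_RE = re.compile(r"Peer: (?P<peer>\S+?)(?:/| port )(?P<port>\d+)")

def parse_show_crypto_session(text):
    """Parse 'show crypto session [detail]' into session dicts, each with its IPSEC flows."""
    sessions, sess, flow = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            sess = {"interface": line.split(":", 1)[1].strip(), "status": None, "peer": None, "flows": []}
            sessions.append(sess)
        elif sess is None:
            continue
        elif line.startswith("Session status:"):
            sess["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            m = PEER_RE.search(line)
            sess["peer"] = m.group("peer") if m else line
        elif line.startswith("IPSEC FLOW:"):
            flow = {"flow": line.split(":", 1)[1].strip(), "active_sas": 0, "drops": 0}
            sess["flows"].append(flow)
        elif flow is not None and line.startswith("Active SAs:"):
            flow["active_sas"] = int(re.search(r"Active SAs: (\d+)", line).group(1))
        elif flow is not None and line.startswith(("Inbound:", "Outbound:")):
            flow["drops"] += int(re.search(r"drop (\d+)", line).group(1))
    return sessions

def session_problems(sessions):
    """Flag sessions not UP-ACTIVE, flows with no SAs, and flows that are dropping packets."""
    problems = []
    for s in sessions:
        if s["status"] != "UP-ACTIVE":
            problems.append(f"{s['peer']}: status {s['status']}")
        for f in s["flows"]:
            if f["active_sas"] == 0:
                problems.append(f"{s['peer']}: no active SAs for '{f['flow']}'")
            if f["drops"]:
                problems.append(f"{s['peer']}: {f['drops']} dropped packet(s) on '{f['flow']}'")
    return problems

# Constructed sample log: one peer bounces three times, a second peer comes up once.
SAMPLE_SYSLOG = [
    "Mar  1 00:10:01: %CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Mar  1 00:11:07: %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Mar  1 00:11:30: %CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Mar  1 00:12:02: %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Mar  1 00:12:40: %CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Mar  1 00:13:15: %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Mar  1 00:14:00: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn",
    "Mar  1 00:15:00: %SYS-5-CONFIG_I: Configured from console by vty0",
]

# Constructed 'show crypto session detail' output, modeled on the guide's sample.
SAMPLE_SHOW = """\
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
      Desc: this is my peer at 10.1.1.3:500 Green
      Phase1_id: 10.1.1.3
  IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
          Capabilities:(none) connid:3 lifetime:22:03:24
  IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949
"""

if __name__ == "__main__":
    print("flapping peers:", flapping_peers(parse_session_events(SAMPLE_SYSLOG)))
    for problem in session_problems(parse_show_crypto_session(SAMPLE_SHOW)):
        print("problem:", problem)
```

A peer that is repeatedly logged DOWN within a short window is the signature of a failing IKE rekey or an unstable path, which a single "session is UP" line would hide; the detail parser complements it by showing which flow of an otherwise healthy session has no SAs or is dropping packets. Thresholds are deliberately parameters, because what counts as flapping depends on the SA lifetimes configured on the peers.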
Configuring IPSec VPN Accounting

The IPSec VPN accounting feature enables session accounting records to be generated by indicating when the session starts and when it stops. A VPN session is defined as an Internet Key Exchange (IKE) security association (SA) and the one or more SA pairs that are created by the IKE SA. The session starts when the first IP Security (IPSec) pair is created and stops when all IPSec SAs are deleted.

If IPSec accounting is configured, after IKE phases are complete, an accounting start record is generated for the session. New accounting records are not generated during a rekeying. Session-identifying information and session-usage information is passed to the Remote Authentication Dial-In User Service (RADIUS) server by standard RADIUS attributes and vendor-specific attributes (VSAs).

To enable IPSec VPN accounting, perform this task beginning in global configuration mode:

Step 1
Command: Router(config)# aaa new-model
Purpose: Enables periodic interim accounting records to be sent to the accounting server.

Step 2
Command: Router(config)# aaa authentication login list-name group radius
Purpose: Sets authentication, authorization, and accounting (AAA) authentication at login using RADIUS servers.
• list-name—Character string used to name the list of authentication methods activated when a user logs in.
• group radius—Uses the list of all RADIUS servers for authentication.

Step 3
Command: Router(config)# aaa authorization network list-name group radius
Purpose: Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).
• list-name—Character string used to name the list of authorization methods activated when a user logs in.
• group radius—Uses the list of all RADIUS servers for authentication.

Step 4
Command: Router(config)# aaa accounting network list-name start-stop [broadcast] group radius
Purpose: Enables AAA accounting of network-related requested services for billing or security purposes when you use RADIUS.
• list-name—Character string used to name the list of the accounting methods.
• start-stop—Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.
• broadcast—(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
• group radius—Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

Step 5
Command: Router(config)# aaa accounting update periodic minutes
Purpose: (Optional) Sends accounting updates to the accounting server while a session is up.
• minutes—Specifies the interval (in number of minutes) at which accounting records are to be sent to the accounting server.

Step 6
Command: Router(config)# aaa session-id common
Purpose: Specifies whether the same session ID will be used for each AAA accounting service type within a call or whether a different session ID will be assigned to each accounting service type.
• common—Ensures that all session identification (ID) information that is sent out for a given call will be made identical. The default behavior is common.
Step 7
Command: Router(config)# crypto isakmp profile profile-name
Purpose: Audits IP security (IPSec) user sessions and enters isakmp-profile configuration mode.
• profile-name—Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified.

Step 8
Command: Router(conf-isa-prof)# vrf ivrf
Purpose: Associates the on-demand address pool with a Virtual Private Network (VPN) routing and forwarding (VRF) instance name.
• ivrf—VRF to which the IPSec tunnel will be mapped.

Step 9
Command: Router(conf-isa-prof)# match identity group group-name
Purpose: Matches an identity from a peer in an ISAKMP profile.
• group-name—A unity group that matches identification (ID) type ID_KEY_ID. If unity and main mode Rivest, Shamir, and Adelman (RSA) signatures are used, the group-name argument matches the Organizational Unit (OU) field of the Distinguished Name (DN).

Step 10
Command: Router(conf-isa-prof)# client authentication list list-name
Purpose: Configures Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile.
• list-name—Character string used to name the list of authentication methods activated when a user logs in. The list name must match the list name that was defined during the authentication, authorization, and accounting (AAA) configuration.

Step 11
Command: Router(conf-isa-prof)# isakmp authorization list list-name
Purpose: Configures an IKE shared secret and other parameters using the AAA server in an ISAKMP profile. The shared secret and other parameters are generally pushed to the remote peer via mode configuration (MODECFG).
• list-name—AAA authorization list used for configuration mode attributes or preshared keys for aggressive mode.
Step 12
Command: Router(conf-isa-prof)# client configuration address [initiate | respond]
Purpose: Configures IKE mode configuration (MODECFG) in the ISAKMP profile.
• initiate—(Optional) Router will attempt to set IP addresses for each peer.
• respond—(Optional) Router will accept requests for IP addresses from any requesting peer.

Step 13
Command: Router(conf-isa-prof)# accounting list-name
Purpose: Enables AAA accounting services for all peers that connect via this ISAKMP profile.
• list-name—Name of a client accounting list.

Step 14
Command: Router(conf-isa-prof)# exit
Purpose: Exits isakmp profile configuration mode and returns to global configuration mode.

Step 15
Command: Router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num
Purpose: Creates a dynamic crypto map template and enters the crypto map configuration command mode.
• dynamic-map-name—Name of the dynamic crypto map set that should be used as the policy template.
• dynamic-seq-num—Sequence number you assign to the dynamic crypto map entry.

Step 16
Command: Router(config-crypto-map)# set transform-set transform-set-name
Purpose: Specifies which transform sets can be used with the crypto map template. A transform set defines IPSec security protocols and algorithms. Transform sets and their accepted values are described in the Cisco IOS Security Command Reference.
• transform-set-name—Name of the transform set.

Step 17
Command: Router(config-crypto-map)# set isakmp-profile profile-name
Purpose: Sets the ISAKMP profile name.
• profile-name—Name of the ISAKMP profile.

Step 18
Command: Router(config-crypto-map)# reverse-route [remote-peer]
Purpose: Allows routes (IP addresses) to be injected for destinations behind the VPN remote tunnel endpoint and may include a route to the tunnel endpoint itself (using the remote-peer keyword for the crypto map).
• remote-peer—(Optional) Routes of public IP addresses and IP security (IPSec) tunnel destination addresses are inserted into the routing table.

Step 19
Command: Router(config-crypto-map)# exit
Purpose: Exits crypto map configuration mode and returns to global configuration mode.

Step 20
Command: Router(config)# crypto map map-name ipsec-isakmp dynamic dynamic-map-name
Purpose: Creates a crypto profile that provides a template for configuration of dynamically created crypto maps.
• map-name—Name that identifies the crypto map set.
• dynamic-map-name—Name of the dynamic crypto map set that should be used as the policy template.

Step 21
Command: Router(config)# radius-server host ip-address [auth-port auth-port-number] [acct-port acct-port-number]
Purpose: Specifies a RADIUS server host.
• ip-address—IP address of the RADIUS server host.
• auth-port-number—(Optional) UDP destination port number for authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1645.
• acct-port-number—(Optional) UDP destination port number for accounting requests; the host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.

Step 22
Command: Router(config)# radius-server key string
Purpose: Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
• string—The unencrypted (cleartext) shared key.

Step 23
Command: Router(config)# interface type slot/[subslot]/port
Purpose: Configures an interface type and enters interface configuration mode.
• slot/[subslot]/port—Number of the slot, subslot (optional), and port to be configured.

Step 24
Command: Router(config-if)# crypto map map-name
Purpose: Applies a previously defined crypto map set to an interface.
• map-name—Name that identifies the crypto map set.

For complete configuration information for IPSec VPN Accounting, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_evpna.html

For IPSec VPN accounting configuration examples, see the "IPSec VPN Accounting Configuration Example" section on page 33-10.

Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec

The IPSec and IKE MIB Support for Cisco VRF-Aware IPSec feature provides manageability of Virtual Private Network routing and forwarding (VRF)-aware IP security (IPSec) using MIBs. The benefit of this feature is that VRF-aware IPSec MIBs provide the granular details of IPSec statistics and performance metrics on a VRF basis.

Note: The IPSec and IKE MIB Support for the Cisco VRF-Aware IPSec feature is only supported as of Cisco IOS Release 12.2(33)SRA and later releases.

MIBs Supported by the IPSec and IKE MIB Support for Cisco VRF-Aware IPSec Feature

The following MIBs are supported by the IPSec and IKE MIB Support for the Cisco VRF-Aware IPSec feature:
• CISCO-IPSEC-FLOW-MONITOR-MIB
• CISCO-IPSEC-MIB
• The CISCO-IPSEC-POLICY-MAP-MIB continues to be supported. However, because this MIB applies to the entire router rather than to a specific VPN VRF instance, it is not VRF-aware; therefore, polling of the object identifiers (OIDs) that belong to this MIB is accomplished with respect to the global VRF context.

Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec

No special configuration is needed for this feature. The SNMP framework can be used to manage VRF-aware IPSec using MIBs.
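The accounting procedure above (Steps 1 through 24) only produces start and stop records when its cross-references line up: the list names given on the profile's client authentication list, isakmp authorization list and accounting lines must match lists defined by the aaa commands, and the profile must be reached through a dynamic crypto map. The following added example (not Cisco code) reads running-config text and reports any of those links that are missing. The sample configuration is constructed and modeled on this chapter's IPSec VPN accounting example; the one-space indentation of sub-mode commands is assumed to be present, as it is in show running-config output.

```python
"""Cross-check the AAA references in an IOS IPsec VPN accounting configuration.
Added example; not Cisco code. It verifies that every AAA list name used inside
a crypto isakmp profile is defined by the matching aaa command, that the profile
carries an 'accounting' line, and that a dynamic crypto map references it.
"""
import re

# Sub-mode commands are recognised by the single-space indentation that
# 'show running-config' uses (an assumption of this parser).
PROFILE_REFS = (
    ("authentication", r"client authentication list (\S+)"),
    ("authorization", r"isakmp authorization list (\S+)"),
    ("accounting", r"accounting (\S+)"),
)
AAA_DEFS = {
    "authentication": r"^aaa authentication login (\S+) ",
    "authorization": r"^aaa authorization network (\S+) ",
    "accounting": r"^aaa accounting network (\S+) ",
}

def parse_isakmp_profiles(config):
    """Return {profile name: {reference kind: AAA list name}} for every crypto isakmp profile."""
    profiles, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # any top-level command ends the sub-mode
            m = re.match(r"crypto isakmp profile (\S+)\s*$", line)
            current = profiles.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            for kind, pattern in PROFILE_REFS:
                m = re.match(pattern, line.strip())
                if m:
                    current[kind] = m.group(1)
    return profiles

def check_accounting_config(config):
    """Return a list of findings; an empty list means the cross-references line up."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model is missing, so the AAA lists are not in effect")
    defined = {kind: set(re.findall(pat, config, re.M)) for kind, pat in AAA_DEFS.items()}
    referenced = set(re.findall(r"^ set isakmp-profile (\S+)", config, re.M))
    for name, refs in parse_isakmp_profiles(config).items():
        if "accounting" not in refs:
            findings.append(f"profile {name}: no 'accounting <list>' line, so no start/stop records")
        for kind, list_name in refs.items():
            if list_name not in defined[kind]:
                findings.append(f"profile {name}: {kind} list '{list_name}' is not defined by an aaa {kind} command")
        if name not in referenced:
            findings.append(f"profile {name}: not referenced by any 'set isakmp-profile'")
    return findings

# Constructed configuration, modeled on the guide's accounting example.
SAMPLE_OK = """\
aaa new-model
aaa group server radius r1
 server-private 10.30.1.52 auth-port 1812 acct-port 1813 key allegro
aaa authentication login test_list group r1
aaa authorization network test_list group r1
aaa accounting update periodic 10
aaa accounting network test_list start-stop group r1
!
crypto isakmp profile test_pro
 vrf ivrf1
 match identity group test
 client authentication list test_list
 isakmp authorization list test_list
 client configuration address respond
 accounting test_list
!
crypto ipsec transform-set t3 esp-3des esp-sha-hmac
!
crypto dynamic-map dyn-ra 10
 set transform-set t3
 set isakmp-profile test_pro
 reverse-route
!
crypto map map-ra 1 ipsec-isakmp dynamic dyn-ra
"""

# The same configuration with the list name misspelled on the profile's accounting line.
SAMPLE_BAD = SAMPLE_OK.replace(" accounting test_list", " accounting acct_list")

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_accounting_config(cfg) or "no findings")
```

The misspelled list name in SAMPLE_BAD is accepted by the IOS parser, so the router does not complain; the session simply never produces an accounting record, which is why this class of mistake is worth catching from the configuration text before the device goes into service.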
For complete information for IPSec and IKE MIB Support for Cisco VRF-Aware IPSec, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_iimib.html

Configuration Examples

This section provides examples of the following configurations:
• IPSec VPN Accounting Configuration Example, page 33-10
• IPSec VPN Monitoring Configuration Example, page 33-11

Note: The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA. As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your start-up configuration to avoid extended maintenance time.

IPSec VPN Accounting Configuration Example

The following example shows how to enable the IPSec VPN accounting feature:

aaa new-model
!
aaa group server radius r1
 server-private 10.30.1.52 auth-port 1812 acct-port 1813 key allegro
!
aaa authentication login test_list group r1
aaa authorization network test_list group r1
aaa accounting update periodic 10 jitter maximum 0
aaa accounting network test_list start-stop group r1
!
ip vrf ivrf1
 rd 1:2
!
crypto engine mode vrf
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
!
crypto isakmp client configuration group test
 key world
 pool pool1
!
crypto isakmp profile test_pro
 vrf ivrf1
 match identity group test
 client authentication list test_list
 isakmp authorization list test_list
 client configuration address respond
 accounting test_list
!
crypto ipsec transform-set t3 esp-3des esp-sha-hmac
!
crypto dynamic-map dyn-ra 10
 set transform-set t3
 set isakmp-profile test_pro
 reverse-route
!
crypto map map-ra local-address GigabitEthernet3/15
crypto map map-ra 1 ipsec-isakmp dynamic dyn-ra
!
interface GigabitEthernet1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast edge trunk
!
interface GigabitEthernet1/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast edge trunk
!
interface GigabitEthernet3/15
 mtu 9216
 ip address 120.0.0.254 255.255.255.0
 crypto engine outside
!
interface Vlan100
 ip vrf forwarding ivrf1
 ip address 120.0.0.100 255.255.255.0
 ip flow ingress
 crypto map map-ra
 crypto engine slot 1/0 inside
!
ip local pool pool1 100.0.1.1 100.0.5.250

IPSec VPN Monitoring Configuration Example

The following example shows how to configure an IKE peer for IPSec VPN monitoring:

!
upgrade fpd auto
version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
service counters max age 5
!
hostname Ez-DCM-CC
!
boot-start-marker
boot system disk1:s72033-adventerprisek9_wan-mz.122-33.SXH
boot-end-marker
!
logging buffered 1000000 debugging
enable secret 5 $1$i5FZ$47ybx5dEaUKc3eRaDIZ/z.
!
username cisco password 0 cisco
username t1 password 0 t1
username t2 password 0 t2
username t3 password 0 t3
username t4 password 0 t4
username t5 password 0 t5
username t6 password 0 t6
username t7 password 0 t7
username t8 password 0 t8
username user1 password 0 letmein
aaa new-model
aaa authentication login myuserlist local
aaa authorization network myuserlist local
!
aaa session-id common
clock timezone PST -7
call-home
 alert-group configuration
 alert-group diagnostic
 alert-group environment
 alert-group inventory
 alert-group syslog
 profile "CiscoTAC-1"
  no active
  no destination transport-method http
  destination transport-method email
  destination address email callhome@cisco.com
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  subscribe-to-alert-group diagnostic severity minor
  subscribe-to-alert-group environment severity minor
  subscribe-to-alert-group syslog severity major pattern ".*"
  subscribe-to-alert-group configuration periodic monthly 10 15:08
  subscribe-to-alert-group inventory periodic monthly 10 14:53
ip subnet-zero
!
no ip domain-lookup
ip domain-name cisco.com
ipv6 mfib hardware-switching replication-mode ingress
vtp mode transparent
no mls acl tcam share-global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action freeze
!
redundancy
 keepalive-enable
 mode sso
 linecard-group 0 feature-card
  class load-sharing
  subslot 4/0
 main-cpu
  auto-sync running-config
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
diagnostic monitor syslog
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
power redundancy-mode combined
port-channel per-module load-balance
!
vlan internal allocation policy descending
vlan access-log ratelimit 2000
!
vlan 2-3,16-17
!
crypto logging session
crypto logging ezvpn
!
crypto logging ezvpn group mygroup
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key WorldCup2006 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group mygroup
 key mykey
 pool mypool
!
crypto isakmp peer address 16.0.0.3
 description first-ezvpn-client
!
crypto isakmp peer address 16.0.0.4
 description second-ezvpn-client
!
crypto ipsec security-association lifetime seconds 21600
!
crypto ipsec transform-set MyTranSet esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto call admission limit ike in-negotiation-sa 10
!
crypto dynamic-map DynMap1 10
 set transform-set MyTranSet
 reverse-route
!
crypto map MyMap1 client authentication list myuserlist
crypto map MyMap1 isakmp authorization list myuserlist
crypto map MyMap1 client configuration address respond
crypto map MyMap1 500 ipsec-isakmp dynamic DynMap1
!
interface GigabitEthernet1/25
 no ip address
 crypto connect vlan 16
!
interface GigabitEthernet1/27
 no ip address
 crypto connect vlan 17
!
interface GigabitEthernet1/29
 ip address 26.0.0.2 255.255.255.0
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,17,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos vlan-based
 mls qos trust cos
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust cos
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet5/2
 ip address 44.0.111.114 255.0.0.0
 media-type rj45
!
interface Vlan1
 no ip address
 ip flow ingress
 ip igmp snooping querier
 shutdown
!
interface Vlan16
 ip address 16.0.0.2 255.255.224.0
 no mop enabled
 crypto map MyMap1
 crypto engine slot 4/0
!
interface Vlan17
 ip address 16.0.32.2 255.255.224.0
 no mop enabled
 crypto map MyMap1
 crypto engine slot 4/0
!
ip local pool mypool 36.0.0.1 36.0.15.254
ip local pool mypool 36.0.16.1 36.0.31.254
ip local pool mypool 36.0.32.1 36.0.47.254
ip local pool mypool 36.0.48.1 36.0.63.254
ip default-gateway 44.0.100.1
ip classless
ip route 43.0.0.0 255.0.0.0 44.0.100.1
ip route 45.0.0.0 255.0.0.0 44.0.100.1
ip route 223.255.254.53 255.255.255.255 44.0.100.1
ip route 223.255.254.54 255.255.255.255 44.0.100.1
!
no ip http server
no ip http secure-server
!
radius-server source-ports 1645-1646
!
control-plane
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
line vty 5 15
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
!
monitor event-trace platform cmfi lc agg-label
monitor event-trace platform cmfi lc error
ntp clock-period 17280219
ntp update-calendar
ntp server 223.255.254.254
ntp server 223.255.254.53
mac-address-table aging-time 0
!
end

CHAPTER 34

Troubleshooting the IPSec VPN SPA

This chapter describes techniques that you can use to troubleshoot the operation of your IPSec VPN SPAs in a Cisco 7600 series router. It includes the following sections:
• General Troubleshooting Information, page 34-1
• Monitoring the IPSec VPN SPA, page 34-3
• Troubleshooting Specific Problems on the IPSec VPN SPA, page 34-24
• Using Crypto Conditional Debug, page 34-27
• Preparing for Online Insertion and Removal of a SPA, page 34-30

Note
For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference. For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases 12.2SR Command References and to the Cisco IOS Software Releases 12.2SX Command References. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information, see the “Related Documentation” section on page xlvii.

General Troubleshooting Information

This section describes general information for troubleshooting the IPSec VPN SPA and the Cisco 7600 SSC-400 SIP.
It includes the following sections:
• Interpreting Console Error Messages, page 34-2
• Using debug Commands, page 34-2
• Using show Commands, page 34-2
• Monitoring the IPSec VPN SPA, page 34-3

Interpreting Console Error Messages

The Cisco 7600 series router can generate error messages and other system messages to inform the operator of events that might require attention. These messages can be displayed on the console, or sent to a logging host using the System Logging (Syslog) protocol or Simple Network Management Protocol (SNMP).

System error messages are organized in the documentation according to the particular system facility that produces the messages. The IPSec VPN SPA and Cisco 7600 SSC-400 SIP use the following facility names in error messages:
• IPSec VPN SPA—SPA_IPSEC_2G (also VPNSPA)
• Cisco 7600 SSC-400—CAT6000_SSC (also C7600_SSC400)

To view the explanations and recommended actions for Cisco 7600 series router error messages, including messages related to service modules, refer to the following documents:
• System Messages for 12.2S (for error messages in Release 12.2S) at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_system_message_guides_list.html

Using debug Commands

For information about debug commands specific to the Cisco IOS software release 12.2SX, see the Cisco IOS Master Command List, Release 12.2SX at this URL: http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html

Caution
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support personnel. We recommend that you use debug commands during periods of lower network traffic and fewer users.
Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

For information about available crypto conditional debugging commands, see the “Using Crypto Conditional Debug” section on page 34-27.

For more information about other debug commands that can be used on a Cisco 7600 router, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/122debug.html

Using show Commands

You can use several show commands to monitor and troubleshoot the IPSec VPN SPA on the Cisco 7600 series router.

For more information about show commands to verify and monitor the IPSec VPN SPA, see the “Displaying IPSec VPN SPA Configuration Information” section on page 34-6 and the Cisco 7600 Series Cisco IOS Command Reference, 12.2 SR. For more information about security-related show commands, see the Cisco IOS Security Command Reference.

Monitoring the IPSec VPN SPA

This section describes commands that can be used to display information about the IPSec VPN SPA hardware and configuration. It consists of the following subsections:
• Displaying IPSec VPN SPA Hardware and System Information, page 34-3
• Displaying IPSec VPN SPA Configuration Information, page 34-6

Displaying IPSec VPN SPA Hardware and System Information

To display hardware and system information, use the following commands:
• show diagbus, show module, show crypto eli—See the “Displaying Information About IPSec VPN SPA Ports” section on page 34-3.
• show crypto engine accelerator statistic slot—See the “Displaying Platform and Network Interface Controller Statistics for the IPsec VPN SPA” section on page 34-4.
• show hw-module slot fpd—See the “Displaying Information About Hardware Revision Levels” section on page 34-6.
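The show crypto engine accelerator statistic slot output (reproduced in the “Displaying Platform and Network Interface Controller Statistics for the IPsec VPN SPA” section below) is a list of counter lines, and the counters that matter for troubleshooting are the drop and error totals, which only tell you something once you know whether they are still climbing. The following Python script is an added example and is not part of this guide: it parses those counter lines into sections, reports the error and drop counters that are non-zero, and compares two snapshots so that a counter still increasing between polls stands out from an old, static total. The two snapshots are constructed from the counter names and values shown in that section (the second snapshot's values are invented), and the choice of which counters count as errors is this script's own.

```python
"""Parse and compare 'show crypto engine accelerator statistic slot' output.

Added example; not from the Cisco guide.  Counter names follow the guide's
sample output; both snapshots are constructed, and the set of counters
treated as errors is this script's own choice (assumption).
"""
import re

# Constructed, abbreviated snapshot modelled on the guide's sample output.
SNAPSHOT_1 = """\
VPN module in slot 1/0
Decryption Side Data Path Statistics
====================================
Packets RX...............: 454260
Packets Drop.............: 193
Decryption Errors........: 0
Replay Check Failed......: 0
Invalid SA...............: 191
Encryption Side Data Path Statistics
====================================
Packets RX...............: 756344
Packets Drop.............: 123
IKE/TED Drop.............: 27
Invalid SA...............: 191
"""

# Constructed later snapshot: traffic has grown, decryption-side drops have
# grown with it, and replay-check failures have started to appear.
SNAPSHOT_2 = """\
VPN module in slot 1/0
Decryption Side Data Path Statistics
====================================
Packets RX...............: 500000
Packets Drop.............: 250
Decryption Errors........: 0
Replay Check Failed......: 40
Invalid SA...............: 191
Encryption Side Data Path Statistics
====================================
Packets RX...............: 800000
Packets Drop.............: 123
IKE/TED Drop.............: 27
Invalid SA...............: 191
"""

SECTION_RE = re.compile(r"^(.+? Statistics)\s*$")
# "Name....: value": the name may contain spaces, digits, '/' and '-', never dots.
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 /\-]*?)\.*\s*:\s*(\d+)\s*$")

# Counters whose growth means traffic was rejected or lost (this selection is
# the script's own, taken from the counter names in the guide's output).
ERROR_COUNTERS = {
    "Packets Drop", "Authentication Errors", "Decryption Errors",
    "Encryption Errors", "Replay Check Failed", "Policy Check Failed",
    "Illegal CLear Packet", "SPD Errors", "Invalid SA", "SPI No Match",
    "IKE/TED Drop", "Hard Life Drop", "RX Frames Drop",
}


def parse_stats(text):
    """Return {section: {counter: int}} from one command output."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.rstrip())
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = COUNTER_RE.match(line.rstrip())
        if m and current is not None:
            sections[current][m.group(1).strip()] = int(m.group(2))
    return sections


def flag_errors(stats):
    """Non-zero error counters per section; sections with none are omitted."""
    flagged = {}
    for section, counters in stats.items():
        hits = {k: v for k, v in counters.items() if k in ERROR_COUNTERS and v > 0}
        if hits:
            flagged[section] = hits
    return flagged


def growing_errors(old, new):
    """Error counters that increased between two snapshots, per section.

    A large but static total (for example an Invalid SA count left over from
    an old renegotiation) is ignored; only counters still climbing are returned.
    """
    growing = {}
    for section, counters in new.items():
        prev = old.get(section, {})
        deltas = {k: v - prev[k] for k, v in counters.items()
                  if k in ERROR_COUNTERS and k in prev and v - prev[k] > 0}
        if deltas:
            growing[section] = deltas
    return growing


if __name__ == "__main__":
    first, second = parse_stats(SNAPSHOT_1), parse_stats(SNAPSHOT_2)
    for section, hits in flag_errors(second).items():
        print(section, hits)
    print("still growing:", growing_errors(first, second))
```

Run against two captures taken a few minutes apart, the script separates the static Invalid SA total from the decryption-side drops and replay-check failures that are still rising, which is the distinction a troubleshooting session needs before deciding whether a peer, an SA lifetime, or traffic on the wire is the cause.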
Displaying Information About IPSec VPN SPA Ports

To display information about the type of SPAs that are installed in the router, use the show diagbus command. The following example shows output from the show diagbus command on a Cisco 7600 series router with an IPSec VPN SPA installed in subslot 1 of a Cisco 7600 SSC-400 that is installed in slot 5:

Router# show diagbus
Slot 5: Logical_index 10
        2-subslot Services SPA Carrier-400 controller
        Board is analyzed ipc ready
        HW rev 0.3, board revision A01
        Serial Number: abc  Part number: 73-6348-01
        Slot database information:
        Flags: 0x2004  Insertion time: 0x3DB5F4BC (4d20h ago)
        Controller Memory Size:
                248 MBytes CPU Memory
                8 MBytes Packet Memory
                256 MBytes Total on Board SDRAM
        IOS (tm) cwlc Software (smsc-DWDBG-M), Experimental Version 12.2(20050623:231413)
        SPA Information:
                subslot 5/1: SPA-IPSEC-2G (0x3D7), status: ok

For information about the show module and show crypto eli commands, see the “Displaying the SPA Hardware Type” section on page 6-20.

Displaying Platform and Network Interface Controller Statistics for the IPsec VPN SPA

To display platform statistics and optionally display network interface controller statistics, use the show crypto engine accelerator statistic slot command.

Note
The show crypto engine accelerator statistic command is supported in Cisco IOS Release 12.2(33)SRA and later releases.

The following example shows output from the show crypto engine accelerator statistic command on a Cisco 7600 series router with an IPSec VPN SPA in subslot 0 of a Cisco 7600 SSC-400 that is installed in slot 1. The output displays platform statistics for the IPSec VPN SPA and also displays the network interface controller statistics.
Router# show crypto engine accelerator statistic slot 1/0 detail
VPN module in slot 1/0

Decryption Side Data Path Statistics
====================================
Packets RX...............: 454260
Packets TX...............: 452480
IPSec Transport Mode.....: 0
IPSec Tunnel Mode........: 452470
AH Packets...............: 0
ESP Packets..............: 452470
GRE Decapsulations.......: 0
NAT-T Decapsulations.....: 0
Clear....................: 8
ICMP.....................: 0
Packets Drop.............: 193
Authentication Errors....: 0
Decryption Errors........: 0
Replay Check Failed......: 0
Policy Check Failed......: 0
Illegal CLear Packet.....: 0
GRE Errors...............: 0
SPD Errors...............: 0
HA Standby Drop..........: 0
Hard Life Drop...........: 0
Invalid SA...............: 191
SPI No Match.............: 0
Destination No Match.....: 0
Protocol No Match........: 0
Reassembly Frag RX.......: 0
IPSec Fragments..........: 0
IPSec Reasm Done.........: 0
Clear Fragments..........: 0
Clear Reasm Done.........: 0
Datagrams Drop...........: 0
Fragments Drop...........: 0

Decryption Side Controller Statistics
=====================================
Frames RX................: 756088
Bytes RX.................: 63535848
Mcast/Bcast Frames RX....: 2341
RX Less 128Bytes.........: 756025
RX Less 512Bytes.........: 58
RX Less 1KBytes..........: 2
RX Less 9KBytes..........: 3
RX Frames Drop...........: 0
Frames TX................: 452365
Bytes TX.................: 38001544
Mcast/Bcast Frames TX....: 9
TX Less 128Bytes.........: 452343
TX Less 512Bytes.........: 22
TX Less 1KBytes..........: 0
TX Less 9KBytes..........: 0

Encryption Side Data Path Statistics
====================================
Packets RX...............: 756344
Packets TX...............: 753880
IPSec Transport Mode.....: 0
IPSec Tunnel Mode........: 753869
GRE Encapsulations.......: 0
NAT-T Encapsulations.....: 0
LAF prefragmented........: 0
Fragmented...............: 0
Clear....................: 753904
ICMP.....................: 0
Packets Drop.............: 123
IKE/TED Drop.............: 27
Authentication Errors....: 0
Encryption Errors........: 0
HA Standby Drop..........: 0
Hard Life Drop...........: 0
Invalid SA...............: 191
Reassembly Frag RX.......: 0
Clear Fragments..........: 0
Clear Reasm Done.........: 0
Datagrams Drop...........: 0
Fragments Drop...........: 0

Encryption Side Controller Statistics
=====================================
Frames RX................: 454065
Bytes RX.................: 6168274/
Mcast/Bcast Frames RX....: 1586
RX Less 128Bytes.........: 1562
RX Less 512Bytes.........: 452503
RX Less 1KBytes..........: 0
RX Less 9KBytes..........: 0
RX Frames Drop...........: 0
Frames TX................: 753558
Bytes TX.................: 100977246
Mcast/Bcast Frames TX....: 2
TX Less 128Bytes.........: 3
TX Less 512Bytes.........: 753555
TX Less 1KBytes..........: 0
TX Less 9KBytes..........: 0
Router#

Displaying Information About Hardware Revision Levels

To display information about the hardware revision of the Cisco 7600 SSC-400 and the IPSec VPN SPA as well as the version of the field-programmable devices (FPDs) that are on the carrier card and the SPA, use the show hw-module slot fpd command. Cisco technical engineers might need this information to debug or troubleshoot problems with a SPA installation.
The following example shows output from the show hw-module slot command on a Cisco 7600 series router with an IPSec VPN SPA installed in subslot 0 of a Cisco 7600 SSC-400 that is installed in slot 6:

Router# show hw-module slot 2 fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable   Current     Min. Required
Slot Card Type               Ver.  Device: "ID-Name"    Version     Version
==== ====================== ====== ================== =========== ==============
2    7600-SSC-400           0.5    1-I/O FPGA         1.0         1.0
---- ---------------------- ------ ------------------ ----------- --------------
2/0  SPA-IPSEC-2G           0.3    1-PROM             1.1         1.1
==== ====================== ====== =============================================

Displaying IPSec VPN SPA Configuration Information

To display information about the IPSec VPN SPA configuration, use the following commands:
• show crypto vlan—See the “Displaying Information About Access and Routed Ports That Are Connected” section on page 34-7, “Displaying the VPN Running State” section on page 34-8, and “Displaying Information About IP Multicast Over a GRE Tunnel” section on page 34-23.
• show interfaces trunk—See the “Displaying Information About the VLANs Allowed by a Trunk Port” section on page 34-7.
• show crypto isakmp policy—See the “Displaying Information About IKE Policies” section on page 34-8.
• show crypto ipsec transform-set—See the “Displaying Information About IPsec Transform Sets” section on page 34-9.
• show crypto map—See the “Displaying Information About Crypto Maps” section on page 34-9.
• show crypto isakmp sa—See the “Displaying Information About SAs at a Peer” section on page 34-11.
• show crypto isakmp ha standby—See the “Displaying HSRP Information” section on page 34-11.
• show crypto ipsec ha—See the “Displaying HSRP Information” section on page 34-11.
• show crypto ipsec sa—See the “Displaying Information About IPsec Security Associations” section on page 34-9 and the “Displaying HSRP Information” section on page 34-11.
• show crypto ipsec sa standby—See the “Displaying HSRP Information” section on page 34-11.
• show ssp client—See the “Displaying SSP Information” section on page 34-14.
• show ssp packet—See the “Displaying SSP Information” section on page 34-14.
• show ssp peers—See the “Displaying SSP Information” section on page 34-14.
• show ssp redundancy—See the “Displaying SSP Information” section on page 34-14.
• show redundancy linecard-group—See the “Displaying Information About a BFG Configuration” section on page 34-15.
• show crypto ace redundancy—See the “Displaying Information About a BFG Configuration” section on page 34-15.
• show crypto key mypubkey rsa—See the “Displaying Information About RSA Public Keys” section on page 34-15.
• show crypto key pubkey-chain rsa—See the “Displaying Information About RSA Public Keys” section on page 34-15.
• show crypto pki certificates—See the “Displaying Information About Certificates” section on page 34-16.
• show crypto pki trustpoints—See the “Displaying Information About Trustpoints” section on page 34-17.
• show ip nhrp—See the “Displaying Information About the NHRP Cache” section on page 34-18.
• show crypto session—See the “Displaying Information About Crypto Sessions” section on page 34-18.
• show interfaces tunnel—See the “Displaying Tunnel Interface Information” section on page 34-19.

For a detailed description of the information displayed by the show commands, refer to the “IP Security and Encryption” chapter of the Cisco IOS Security Command Reference.
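Besides the show commands listed above, the saved configuration itself can be checked offline, which is what the note in the chapter 33 configuration examples asks for before an upgrade. The following Python script is an added example and is not part of this guide: it reads a configuration laid out like the chapter 33 examples (interface sub-commands indented by one space), lists any remaining crypto engine subslot lines, which that note says were replaced by crypto engine slot as of Cisco IOS Release 12.2(33)SRA, and reports interfaces that apply a crypto map without a crypto engine slot line or with a crypto map name the configuration never defines. The sample configuration is constructed from the accounting example in chapter 33, with interfaces Vlan200 and Vlan300 added to trigger the findings; the crypto-connect attachment style (crypto connect vlan) used by the monitoring example is not covered.

```python
"""Offline checks of a saved IOS configuration that attaches crypto maps to
an IPSec VPN SPA.  Added example; not from the Cisco guide.

Reports (1) the crypto engine subslot form that the guide says was replaced
by crypto engine slot in Cisco IOS Release 12.2(33)SRA, (2) interfaces that
apply a crypto map without a crypto engine slot line, (3) crypto maps an
interface references but the configuration never defines, and (4) the
interfaces marked crypto engine outside.  Assumes the usual IOS layout in
which interface sub-commands are indented by one space.
"""
import re

# Constructed sample based on the guide's accounting example; Vlan200 and
# Vlan300 are added here to trigger each finding.
SAMPLE_CONFIG = """\
crypto engine mode vrf
!
crypto map map-ra local-address GigabitEthernet3/15
crypto map map-ra 1 ipsec-isakmp dynamic dyn-ra
!
interface GigabitEthernet3/15
 ip address 120.0.0.254 255.255.255.0
 crypto engine outside
!
interface Vlan100
 ip vrf forwarding ivrf1
 ip address 120.0.0.100 255.255.255.0
 crypto map map-ra
 crypto engine slot 1/0 inside
!
interface Vlan200
 crypto map map-old
 crypto engine subslot 1/0 inside
!
interface Vlan300
 crypto map map-ra
!
end
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
MAP_DEF_RE = re.compile(r"^crypto map (\S+)\b")        # any global crypto map line
MAP_USE_RE = re.compile(r"^crypto map (\S+)$")         # attachment on an interface
ENGINE_SLOT_RE = re.compile(r"^crypto engine slot (\S+)(?: (inside|outside))?$")


def parse_config(text):
    """Return (defined crypto map names, {interface: attributes})."""
    defined, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # global configuration mode
            current = None
            m = INTERFACE_RE.match(line)
            if m:
                current = m.group(1)
                interfaces[current] = {"crypto_map": None, "engine_slot": None,
                                       "deprecated": [], "outside": False}
            elif MAP_DEF_RE.match(line):
                defined.add(MAP_DEF_RE.match(line).group(1))
            continue
        if current is None:
            continue
        cmd = line.strip()                      # interface sub-command
        info = interfaces[current]
        if MAP_USE_RE.match(cmd):
            info["crypto_map"] = MAP_USE_RE.match(cmd).group(1)
        elif ENGINE_SLOT_RE.match(cmd):
            info["engine_slot"] = ENGINE_SLOT_RE.match(cmd).group(1)
        elif cmd.startswith("crypto engine subslot"):
            info["deprecated"].append(cmd)
        elif cmd == "crypto engine outside":
            info["outside"] = True
    return defined, interfaces


def check_config(text):
    """Run the checks and return the findings as lists keyed by check name."""
    defined, interfaces = parse_config(text)
    findings = {"deprecated_subslot": [], "map_without_engine": [],
                "undefined_map": [], "outside_ports": []}
    for name, info in interfaces.items():
        for cmd in info["deprecated"]:
            findings["deprecated_subslot"].append((name, cmd))
        if info["outside"]:
            findings["outside_ports"].append(name)
        if info["crypto_map"] is None:
            continue
        if info["crypto_map"] not in defined:
            findings["undefined_map"].append((name, info["crypto_map"]))
        # An interface still on the subslot form is already reported above and
        # is not double-counted as missing an engine.
        if info["engine_slot"] is None and not info["deprecated"]:
            findings["map_without_engine"].append(name)
    return findings


if __name__ == "__main__":
    for check, hits in check_config(SAMPLE_CONFIG).items():
        print(f"{check}: {hits}")
```

Feed it the output of show running-config or the saved start-up configuration; an empty deprecated_subslot list is the pre-upgrade condition the chapter 33 note describes, and the engine and outside-port findings give the same picture as show crypto vlan without needing the SPA to be online.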
Displaying Information About Access and Routed Ports That Are Connected

To verify that an access or routed port is connected, use the show crypto vlan command. The following is sample output from the command:

Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port GigabitEthernet2/0/1 connected to VLAN 502 with crypto map set mymap1

Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port GigabitEthernet2/0/1 connected to Gi2/8 with crypto map set mymap2

Displaying Information About the VLANs Allowed by a Trunk Port

To display information about the VLANs allowed by a trunk port, use the show interfaces trunk command. The following is sample output from the command:

Router# show interfaces trunk
Port       Mode      Encapsulation   Status       Native vlan
Gi2/0/1    on        802.1q          trunking     1
Gi2/0/2    on        802.1q          trunking     1

Port       Vlans allowed on trunk
Gi2/0/1    2
Gi2/0/2    502

Port       Vlans allowed and active in management domain
Gi2/0/1    2
Gi2/0/2    502

Port       Vlans in spanning tree forwarding state and not pruned
Gi2/0/1    2
Gi2/0/2    502

Displaying the VPN Running State

To display the VPN running state, use the show crypto vlan command.
The following is sample output from the command.

In the following example, the interface VLAN belongs to the IPSec VPN SPA inside port:

Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port GigabitEthernet2/0/1 connected to Fa8/3

In the following example, VLAN 2 is the interface VLAN and VLAN 2022 is the hidden VLAN:

Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port GigabitEthernet2/0/1 connected to VLAN 2022 with crypto map set mymap2

In the following example, either the interface VLAN is missing on the IPSec VPN SPA inside port, the IPSec VPN SPA is removed from the chassis, or the IPSec VPN SPA was moved to a different subslot:

Router# show crypto vlan
Interface VLAN 2 connected to VLAN 3 (no IPSec Service Module attached)

Displaying Information About IKE Policies

To display information about IKE policies, use the show crypto isakmp policy command. The following is sample output from the command:

Router# show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Note
If a user enters an IKE encryption method that the hardware does not support, a warning message will be displayed in the show crypto isakmp policy command output:
WARNING:encryption hardware does not support the configured encryption method for ISAKMP policy value

Displaying Information About IPsec Transform Sets

To display information about transform set configurations, use the show crypto ipsec transform-set command. The following is sample output from the command:

Router# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
   will negotiate = {Transport,},

Note
If a user enters an IPsec transform that the hardware (the IPsec peer) does not support, a warning message will be displayed in the show crypto ipsec transform-set command output:
WARNING:encryption hardware does not support transform.

Displaying Information About Crypto Maps

To display information about crypto map configurations, use the show crypto map command.
The following is sample output from the command:

Router# show crypto map
Crypto Map "test" 10 ipsec-isakmp
        Peer = 11.1.0.1
        Extended IP access list 101
            access-list 101 permit ip host 1.0.0.1 host 2.0.0.1
        Current peer: 11.1.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ tset: { esp-3des } , }
        Interfaces using crypto map test:
                Vlan2 using crypto engine SPA-IPSEC-2G[2/0]

Displaying Information About IPsec Security Associations

To display information about IPsec security associations, use the show crypto ipsec sa command.

Note
When you first enter the show crypto ipsec sa command, the packet counters will not show the correct values. Subsequent instances of the command will display the correct values.

The following is sample output from the command:

Router# show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.123
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: Tunnel0
    Crypto map tag: router-alice, local addr. 172.21.114.123
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 26, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac,
        in use settings ={Tunnel,}
        slot: 0, conn id: 27, crypto map: router-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

Displaying Information About SAs at a Peer

To display information about all current IKE SAs at a peer, use the show crypto isakmp sa command. The following is sample output from the command:

Router# show crypto isakmp sa
dst             src             state          conn-id   slot   status
11.0.0.1        21.0.0.1        QM_IDLE        68002            ACTIVE
21.0.0.1        11.0.0.1        QM_IDLE        68003            ACTIVE
10.0.0.1        11.0.0.1        QM_IDLE        68001            ACTIVE

Displaying HSRP Information

To display information about HSRP configurations, use the show crypto isakmp ha standby, show crypto ipsec ha, show crypto ipsec sa, and show crypto ipsec sa standby commands.

Enter the show crypto isakmp ha standby command to view your ISAKMP standby or active SAs.
The following is sample output from the command: Router# show crypto isakmp ha standby dst src state I-Cookie R-Cookie 172.16.31.100 20.3.113.1 QM_IDLE 796885F3 62C3295E FFAFBACD EED41AFF 172.16.31.100 20.2.148.1 QM_IDLE 5B78D70F 3D80ED01 FFA03C6D 09FC50BE 172.16.31.100 20.4.124.1 QM_IDLE B077D0A1 0C8EB3A0 FF5B152C D233A1E0 172.16.31.100 20.3.88.1 QM_IDLE 55A9F85E 48CC14DE FF20F9AE DE37B913 172.16.31.100 20.1.95.1 QM_IDLE 3881DE75 3CF384AE FF192CAB Enter the show crypto ipsec ha command to view your IPsec high availability (HA) manager state. The following is sample output from the command: 34-12 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 34 Troubleshooting the IPSec VPN SPA Monitoring the IPSec VPN SPA Router# show crypto ipsec ha Interface VIP SAs IPSec HA State FastEthernet0/0 172.16.31.100 1800 Active since 13:00:16 EDT Tue Oct 1 2002 Enter the show crypto ipsec sa command to view HA status of the IPsec SA (standby or active). The following is sample output from the command: Router# show crypto ipsec sa interface: FastEthernet0/0 Crypto map tag: mymap, local addr. 172.168.3.100 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0) current_peer: 172.168.3.1 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1 path mtu 1500, media mtu 1500 current outbound spi: 132ED6AB inbound esp sas: spi: 0xD8C8635F(3637011295) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4499/59957) IV size: 8 bytes replay detection support: Y HA Status: STANDBY inbound ah sas: spi: 0xAAF10A60(2867923552) transform: ah-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4499/59957) replay detection support: Y HA Status: STANDBY inbound pcp sas: outbound esp sas: spi: 0x132ED6AB(321836715) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4499/59957) IV size: 8 bytes replay detection support: Y HA Status: STANDBY outbound ah sas: spi: 0x1951D78(26549624) transform: ah-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap 34-13 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 34 Troubleshooting the IPSec VPN SPA Monitoring the IPSec VPN SPA sa timing: remaining key lifetime (k/sec): (4499/59957) replay detection support: Y HA Status: STANDBY outbound pcp sas: Enter the show crypto ipsec sa standby command to view your standby SAs. The following is sample output from the command: Router# show crypto ipsec sa standby interface: FastEthernet0/0 Crypto map tag: mymap, local addr. 
172.168.3.100 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0) current_peer: 172.168.3.1 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1 path mtu 1500, media mtu 1500 current outbound spi: 132ED6AB inbound esp sas: spi: 0xD8C8635F(3637011295) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4499/59957) IV size: 8 bytes replay detection support: Y HA Status: STANDBY inbound ah sas: spi: 0xAAF10A60(2867923552) transform: ah-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4499/59957) replay detection support: Y HA Status: STANDBY inbound pcp sas: outbound esp sas: spi: 0x132ED6AB(321836715) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4499/59957) IV size: 8 bytes replay detection support: Y HA Status: STANDBY outbound ah sas: spi: 0x1951D78(26549624) transform: ah-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4499/59957) 34-14 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 34 Troubleshooting the IPSec VPN SPA Monitoring the IPSec VPN SPA replay detection support: Y HA Status: STANDBY outbound pcp sas: Displaying SSP Information To display information about an SSP configuration, use the show ssp client, show ssp packet, show ssp peers, and show ssp redundancy 
commands.

Enter the show ssp client command to display the domain of interpretation (DOI), name, running version, and available version of each client that is registered with SSP. The following is sample output from the command:

Router# show ssp client
SSP Client Information
DOI  Client Name        Version  Running Ver
1    IPSec HA Manager   1.0      1.0
2    IKE HA Manager     1.0      1.0

Enter the show ssp packet command to display the byte count and packet count for the current socket, the creation time of the socket, the server port number, and the port number used for SSP communication. The following is sample output from the command:

Router# show ssp packet
SSP packet Information
Socket creation time: 01:01:06
Local port: 3249
Server port: 3249
Packets Sent = 38559, Bytes Sent = 2285020
Packets Received = 910, Bytes Received = 61472

Enter the show ssp peers command to display the IP address of the remote peer, the interface used, and the connection state. The following is sample output from the command:

Router# show ssp peers
SSP Peer Information
IP Address   Connection State   Local Interface
40.0.0.1     Connected          FastEthernet0/1

Enter the show ssp redundancy command to display the current SSP state, the HSRP group name, interface used, and the elapsed time since last state change. The following is sample output from the command:

Router# show ssp redundancy
SSP Redundancy Information
Device has been ACTIVE for 02:55:34
Virtual IP      Redundancy Name   Interface
172.16.31.100   KNIGHTSOFNI       FastEthernet0/0

Displaying Information About a BFG Configuration

To display information about a BFG configuration, use the show redundancy linecard-group and show crypto ace redundancy commands.
The following is sample output from the commands:

Router# show redundancy linecard-group 1
Line Card Redundancy Group:1  Mode:feature-card  Class:load-sharing
Cards:
  Slot:3  Subslot:0
  Slot:5  Subslot:0

Router# show crypto ace redundancy
--------------------------------------
LC Redundancy Group ID             :1
Pending Configuration Transactions :0
Current State                      :OPERATIONAL
Number of blades in the group      :2
Slots
--------------------------------------
Slot:3 Subslot:0
Slot state:0x36
  Booted
  Received partner config
  Completed Bulk Synchronization
  Crypto Engine in Service
  Rebooted 22 times
  Initialization Timer not running
Slot:5 Subslot:0
Slot state:0x36
  Booted
  Received partner config
  Completed Bulk Synchronization
  Crypto Engine in Service
  Rebooted 24 times
  Initialization Timer not running

Displaying Information About RSA Public Keys

To display information about the RSA public keys configured for your router, use the show crypto key mypubkey rsa command. The following is sample output from the command:

Router# show crypto key mypubkey rsa
% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Encryption Key
 Key Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

To display a list of all the RSA public keys stored on your router (including the public keys of peers that have sent your router their certificates during peer authentication for IPsec), or to display details of a particular RSA public key stored on your router, use the show crypto key pubkey-chain rsa command.
The following is sample output from the command:

Router# show crypto key pubkey-chain rsa
Codes: M - Manually Configured, C - Extracted from certificate

Code  Usage       IP-address     Name
M     Signature   10.0.0.1       myrouter.example.com
M     Encryption  10.0.0.1       myrouter.example.com
C     Signature   172.16.0.1     routerA.example.com
C     Encryption  172.16.0.1     routerA.example.com
C     General     192.168.10.3   routerB.domain1.com

Displaying Information About Certificates

To display information about your certificate, the certificate of the CA, and any RA certificates, use the show crypto pki certificates command. The following is sample output from the command:

Router# show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
  Certificate Usage: Signature
  Issuer:
    CN = new-user
    OU = pki new-user
    O = cisco
    L = santa cruz2
    ST = CA
    C = US
    EA = user@example.com
  Subject:
    CN = new-user
    OU = pki new-user
    O = cisco
    L = santa cruz2
    ST = CA
    C = US
    EA = user@example.com
  CRL Distribution Point:
    http://new-user.example.com/CertEnroll/new-user.crl
  Validity Date:
    start date: 14:19:29 PST Oct 31 2002
    end   date: 14:27:27 PST Oct 31 2017
  Associated Trustpoints: MS

Certificate
  Status: Available
  Certificate Serial Number: 193E28D20000000009F7
  Certificate Usage: Signature
  Issuer:
    CN = new-user
    OU = pki new-user
    O = cisco
    L = santa cruz2
    ST = CA
    C = US
    EA = user@example.com
  Subject:
    Name: User1.Example.Com
  CRL Distribution Point:
    http://new-user.example.com/CertEnroll/new-user.crl
  Validity Date:
    start date: 12:40:14 PST Feb 26 2003
    end   date: 12:50:14 PST Mar 5 2003
    renew date: 16:00:00 PST Dec 31 1969
  Associated Trustpoints: MS

Displaying Information About Trustpoints

To display the trustpoints that are configured in the router, use the show crypto pki trustpoints command.
The following is sample output from the command:

Router# show crypto pki trustpoints
Trustpoint bo:
    Subject Name:
    CN = ACSWireless Certificate Manager
    O = cisco.com
    C = US
          Serial Number:01
    Certificate configured.
    CEP URL:http://ACSWireless
    CRL query url:ldap://ACSWireless

Displaying Information About the NHRP Cache

To display information about the Next Hop Resolution Protocol (NHRP) cache, use the show ip nhrp and the show crypto sockets commands. The following is sample output from the commands:

Router# show ip nhrp
10.10.1.75/32 via 10.10.1.75, Tunnel5 created 00:32:11, expire 00:01:46
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 172.16.175.75
10.10.1.76/32 via 10.10.1.76, Tunnel5 created 00:26:41, expire 00:01:37
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 172.16.175.76
10.10.1.77/32 via 10.10.1.77, Tunnel5 created 00:31:26, expire 00:01:33
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 172.17.63.20

Router# show crypto sockets
Number of Crypto Socket connections 1
   Tu0 Peers (local/remote): 9.1.1.1/11.1.1.1
       Local Ident  (addr/mask/port/prot): (9.1.1.1/255.255.255.255/0/47)
       Remote Ident (addr/mask/port/prot): (11.1.1.1/255.255.255.255/0/47)
       IPSec Profile: "MyIpsecProf"
       Socket State: Open
       Client: "TUNNEL SEC" (Client State: Active)
Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "MyIpsecProf" Map-name: "Tunnel0-head-0"
Router#

Displaying Information About Crypto Sessions

To display status information for active crypto sessions, use the show crypto session command.
The output will include the following:

• Interface
• IKE peer description, if available
• IKE SAs that are associated with the peer by which the IPsec SAs are created
• IPsec SAs serving the flows of a session

The following is sample output from the command:

Router# show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Ethernet1/0
Session status: UP-NO-IKE
Peer: 10.2.80.179/500 fvrf: (none) ivrf: (none)
      Desc: My-manual-keyed-peer
      Phase1_id: 10.2.80.179
  IPSEC FLOW: permit ip host 10.2.80.190 host 10.2.80.179
        Active SAs: 4, origin: manual-keyed crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Ethernet1/2
Session status: DOWN
Peer: 10.1.1.1/500 fvrf: (none) ivrf: (none)
      Desc: SJC24-2-VPN-Gateway
      Phase1_id: 10.1.1.1
  IPSEC FLOW: permit ip host 10.2.2.3 host 10.2.2.2
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  IPSEC FLOW: permit ip 10.2.0.0/255.255.0.0 10.4.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Serial2/0.17
Session status: UP-ACTIVE
Peer: 10.1.1.5/500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: 10.1.1.5
  IKE SA: local 10.1.1.5/500 remote 10.1.1.5/500 Active
          Capabilities:(none) connid:1 lifetime:00:59:51
  IPSEC FLOW: permit ip host 10.1.1.5 host 10.1.2.5
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 20085/171
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 20086/171

Displaying Tunnel Interface Information

To display tunnel interface information, use the
show interfaces tunnel command. The following is sample output from the command:

Router# show interfaces tunnel 1
Tunnel4 is up, line protocol is down
  Hardware is Routing Tunnel
  Internet address is 10.1.1.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, rely 255/255, load 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec)
  Tunnel source 9.2.2.1, destination 6.6.6.2
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Tunnel TOS 0xF, Tunnel TTL 128
  Checksumming of packets disabled, fast tunneling enabled
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy, fifo
  Output queue 0/0, 1 drops; input queue 0/75, 0 drops
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets, 0 restarts

Table 34-1 describes significant fields shown in the display.

Table 34-1  show interfaces tunnel Field Descriptions

Field / Description

Tunnel is {up | down}
    Interface is currently active and inserted into ring (up) or inactive and not inserted (down).

line protocol is {up | down | administratively down}
    Shows line protocol up if a valid route is available to the tunnel destination. Shows line protocol down if no route is available, or if the route would be recursive.

Hardware
    Specifies the hardware type.

MTU
    Maximum transmission unit of the interface.

BW
    Bandwidth of the interface in kilobits per second.

DLY
    Delay of the interface in microseconds.
rely
    Reliability of the interface as a fraction of 255 (255/255 is 100 percent reliability), calculated as an exponential average over 5 minutes.

load
    Load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 minutes.

Encapsulation
    Encapsulation method is always TUNNEL for tunnels.

loopback
    Indicates whether loopback is set or not.

Keepalive
    Indicates whether keepalives are set or not.

Tunnel source
    IP address used as the source address for the tunnel packets.

destination
    IP address of the tunnel destination.

Tunnel protocol
    Tunnel transport protocol (the protocol the tunnel is using). This is based on the tunnel mode command, which defaults to GRE.

key
    (Optional) ID key for the tunnel interface.

sequencing
    (Optional) Indicates whether the tunnel interface drops datagrams that arrive out of order.

Last input
    Number of hours, minutes, and seconds (or never) since the last packet was successfully received by an interface and processed locally on the router. Useful for knowing when a dead interface failed. This field is not updated by fast-switched traffic.

output
    Number of hours, minutes, and seconds (or never) since the last packet was successfully transmitted by an interface.

output hang
    Number of hours, minutes, and seconds (or never) since the interface was last reset because of a transmission that took too long. When the number of hours in any of the “last” fields exceeds 24 hours, the number of days and hours is displayed. If that field overflows, asterisks are displayed.

Last clearing
    Time at which the counters that measure cumulative statistics (such as number of bytes transmitted and received) shown in this report were last reset to zero.
    Note that variables that might affect routing (for example, load and reliability) are not cleared when the counters are cleared. Three asterisks (***) indicate the elapsed time is too large to be displayed. 0:00:00 indicates the counters were cleared more than 2^31 ms (and less than 2^32 ms) ago.

Output queue, drops / Input queue, drops
    Number of packets in output and input queues. Each number is followed by a slash, the maximum size of the queue, and the number of packets dropped because of a full queue.

30 second input rate, 30 second output rate
    Average number of bits and packets transmitted per second in the last 30 seconds. The 30-second input and output rates should be used only as an approximation of traffic per second during a given 30-second period. These rates are exponentially weighted averages with a time constant of 30 seconds. A period of four time constants must pass before the average will be within two percent of the instantaneous rate of a uniform stream of traffic over that period.

packets input
    Total number of error-free packets received by the system.

bytes
    Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system.

no buffer
    Number of received packets discarded because there was no buffer space in the main system. Compare with ignored count. Broadcast storms on Ethernet networks and bursts of noise on serial lines are often responsible for no input buffer events.

broadcasts
    Total number of broadcast or multicast packets received by the interface.

runts
    Number of packets that are discarded because they are smaller than the minimum packet size of the medium.
giants
    Number of packets that are discarded because they exceed the maximum packet size of the medium.

CRC
    Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of a station transmitting bad data.

frame
    Number of packets received incorrectly having a CRC error and a noninteger number of octets.

overrun
    Number of times the serial receiver hardware was unable to hand received data to a hardware buffer because the input rate exceeded the receiver’s ability to handle the data.

ignored
    Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to be increased.

abort
    Illegal sequence of one bits on a serial interface. This usually indicates a clocking problem between the serial interface and the data link equipment.

packets output
    Total number of messages transmitted by the system.

bytes
    Total number of bytes, including data and MAC encapsulation, transmitted by the system.

underruns
    Number of times that the far-end transmitter has been running faster than the near-end router’s receiver can handle. This may never be reported on some interfaces.

output errors
    Sum of all errors that prevented the final transmission of datagrams out of the interface being examined. Note that this may not balance with the sum of the enumerated output errors, as some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories.
collisions
    Number of messages retransmitted because of an Ethernet collision. This usually is the result of an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). Some collisions are normal. However, if your collision rate climbs to around 4 or 5 percent, you should consider verifying that there is no faulty equipment on the segment and moving some existing stations to a new segment. A packet that collides is counted only once in output packets.

interface resets
    Number of times an interface has been reset. The interface may be reset by the administrator or automatically when an internal error occurs.

restarts
    Number of times that the controller was restarted because of errors.

Displaying Information About IP Multicast Over a GRE Tunnel

To display information about an IP multicast over a GRE tunnel configuration, enter the show crypto vlan and show ip mroute commands.

Enter the show crypto vlan command to check that the tunnel has been taken over by the IPSec VPN SPA. The following is sample output from the command:

Router# show crypto vlan
Interface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map set map_t3
Tunnel15 is accelerated via IPSec SM in subslot 7/0

Enter the show ip mroute command and look for the H flag to check that the IP multicast traffic is hardware-switched. The following is sample output from the command:

Router# show ip mroute 230.1.1.5
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 230.1.1.5), 01:23:45/00:03:16, RP 15.15.1.1, flags: SJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16

(120.1.0.3, 230.1.1.5), 01:23:46/00:03:25, flags: T
  Incoming interface: GigabitEthernet8/1, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16, H

Troubleshooting Specific Problems on the IPSec VPN SPA

This section provides additional information about troubleshooting specific problems related to the IPSec VPN SPA. It includes the following subsections:

• Clearing IPsec Security Associations, page 34-24
• Troubleshooting Trunk Port Configurations, page 34-24
• Troubleshooting IPsec Stateful Failover (VPN High Availability), page 34-25
• Troubleshooting a Blade Failure Group, page 34-27
• Troubleshooting IKE Policy and Transform Sets, page 34-27

Clearing IPsec Security Associations

You can clear (and reinitialize) IPsec security associations by using the clear crypto sa command. Using the clear crypto sa command without parameters will clear out the full SA database, which will clear out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database. For more information, refer to the clear crypto sa command in the Cisco IOS Security Command Reference, Release 12.2.
If you want to also remove the IKE (phase 1) SAs, follow the clear crypto sa command with the clear crypto isa command. Alternatively, you can use the clear crypto session command to achieve the same result as the clear crypto sa and the clear crypto isa commands. The clear crypto session command supports many of the same parameters as the clear crypto sa command.

Troubleshooting Trunk Port Configurations

Caution  When you configure an Ethernet port as a trunk port, all the VLANs are allowed on the trunk port by default. This default configuration does not work well with the IPSec VPN SPA and causes network loops. To avoid this problem, you must explicitly specify only the desirable VLANs. For more information on trunk configuration guidelines, review the “Configuring a Trunk Port” section on page 25-15.

To verify which ports are assigned to the VLAN, enter the show vlan id number command, using the interface VLAN identifier. Following is an example of a trunk port configuration and the output of the show vlan id command:

Router# show run interface gi 1/3
Building configuration...

Current configuration : 175 bytes
!
interface GigabitEthernet1/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502-504,1002-1005
 switchport mode trunk
 no ip address
end

Router# show crypto vlan

Interface VLAN 2 on IPSec Service Module port Gi7/0/1 connected to VLAN 502 with crypto map set testtag_1
Interface VLAN 3 on IPSec Service Module port Gi7/0/1 connected to VLAN 503 with crypto map set testtag_2
Interface VLAN 4 on IPSec Service Module port Gi7/0/1 connected to VLAN 504 with crypto map set testtag_3

Router# show vlan id 2

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
2    VLAN0002                         active    Gi7/0/1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2    enet  100002     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Router# show vlan id 502

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
502  VLAN0502                         active    Gi1/3, Gi7/0/2

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
502  enet  100502     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Router#

Troubleshooting IPsec Stateful Failover (VPN High Availability)

If you find that either the active or standby IPsec stateful failover (VPN high availability) processes do not function as expected, you can perform the following checks:

• Use the show ssp command to verify the SSP process is running.
• Make sure that both routers share identical IPsec configurations. This is critical. If routers are configured differently, IPsec stateful failover (VPN high availability) will not work.

Note  Support for IPsec stateful failover is removed in Cisco IOS Release 12.2SRA. The feature is supported in Cisco IOS Release 12.2SXF.

• Verify that an IPsec connection can be formed with existing maps, transforms, and access lists.
• Configure HSRP on the inside and outside interfaces and make the HSRP groups track one another. Verify that this works properly by performing a shut command on either of the interfaces, then observe that the HSRP standby router takes active control from the active router.
• Verify that SSP peers can see each other by performing a show ssp peer command on both the active and standby routers.
• Bind IKE and IPsec to SSP and send traffic over the tunnels. You can view high availability (HA) messages on the standby router as both the active and standby routers synchronize.
• HSRP settings may require adjustments depending on the interface employed, such as Fast Ethernet or Gigabit Ethernet.

Checking HSRP Settings

To check HSRP settings, perform this task:

Step 1  Router# show standby brief
        Ensures that the interfaces are synchronized.
Step 2  Router# no standby delay timer
        Leaves the delay timers at their default settings.
Step 3  Router# show standby brief
        When the other router comes online, enter the show standby brief command once again. If the output shows an interface on standby, you must set the standby router’s delay timer.

Clearing Dormant SAs on Standby Routers

To clear associated SA entries, perform this task:

Step 1  Router# clear crypto isakmp ha [standby][resync]
        Clears all dormant (standby) entries from the device. If the resync keyword is used, all standby IKE SAs will be removed, and a resynchronization of state will occur.
Step 2  Router# clear crypto sa ha standby [peer ip address | resync]
        Clears all standby SAs for the device if peer is specified.

Enabling Debugging for HA

To enable debugging for HA, perform this task:

Step 1  Router# debug crypto isakmp ha [detail | fsm | update]
        Enables basic debug messages related to the IKE HA Manager.
Step 2  Router# debug crypto ipsec ha [detail | fsm | update]
        Enables IPsec HA debugging.
Step 3  Router# debug ssp [fsm | socket | packet | peers | redundancy | config]
        Enables SSP debugging.

Troubleshooting a Blade Failure Group

To enable IPSec VPN SPA debugging for a blade failure group, enter the debug crypto ace b2b command:

Router# debug crypto ace b2b
ACE B2B Failover debugging is on

Troubleshooting IKE Policy and Transform Sets

Any IPsec transforms or IKE encryption methods that the current hardware does not support should be disabled; they are ignored whenever an attempt to negotiate with the peer is made. If a user enters an IPsec transform or an IKE encryption method that the hardware does not support, a warning message will be generated. These warning messages are also generated at boot time. When an encrypted card is inserted, the current configuration is scanned. If any IPsec transforms or IKE encryption methods are found that are not supported by the hardware, a warning message will be generated.

Using Crypto Conditional Debug

The crypto conditional debug feature provides three command-line interface (CLI) commands that allow you to debug an IP Security (IPsec) tunnel on the basis of predefined crypto conditions such as the peer IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debug messages to specific IPsec operations and reducing the amount of debug output, you can better troubleshoot a router with a large number of tunnels.

The crypto conditional debug commands (debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition) allow you to specify conditions (filter values) in which to generate and display debug messages related only to the specified conditions. Table 34-2 lists the supported condition types.

Note  If connid, flowid, or spi is used as a debug condition, the debug messages for a related IPsec flow are generated. An IPsec flow has two connection-IDs, flow-IDs, and SPI values—one inbound and one outbound. Either one of the two connection-IDs, flow-IDs, and SPI values can be used as the debug condition that triggers debug messages for the IPsec flow.

Table 34-2  Supported Condition Types for Crypto Conditional Debug Commands

Condition Type (Keyword) / Description

connid
    An integer between 1 and 32766. Relevant debug messages will be shown if the current IPsec operation uses this value as the connection-ID to interface with the crypto engine.

flowid
    An integer between 1 and 32766. Relevant debug messages will be shown if the current IPsec operation uses this value as the flow-ID to interface with the crypto engine.

fvrf
    The name string of a virtual private network (VPN) routing and forwarding (VRF) instance. Relevant debug messages will be shown if the current IPsec operation uses this VRF instance as its front-door VRF (FVRF).

ivrf
    The name string of a VRF instance.
    Relevant debug messages will be shown if the current IPsec operation uses this VRF instance as its inside VRF (IVRF).

peer group
    A Unity group name string. Relevant debug messages will be shown if the peer is using this group name as its identity.

peer hostname
    A fully qualified domain name (FQDN) string. Relevant debug messages will be shown if the peer is using this string as its identity.

peer ipv4
    A single IP address. Relevant debug messages will be shown if the current IPsec operation is related to the IP address of this peer.

peer subnet
    A subnet and a subnet mask that specify a range of peer IP addresses. Relevant debug messages will be shown if the IP address of the current IPsec peer falls into the specified subnet range.

peer username
    A username string. Relevant debug messages will be shown if the peer is using this username as its identity.

spi
    A 32-bit unsigned integer. Relevant debug messages will be shown if the current IPsec operation uses this value as the SPI.

Crypto Conditional Debug Configuration Guidelines and Restrictions

When configuring crypto conditional debug, follow these guidelines and restrictions:

• This feature does not support debug message filtering for hardware crypto engines.
• Although conditional debugging is useful for troubleshooting peer-specific or functionality-related Internet Key Exchange (IKE) and IPsec problems, conditional debugging may not be able to define and check large numbers of debug conditions.
• Because extra space is needed to store the debug condition values, additional processing overhead is added to the CPU and memory usage is increased. Thus, enabling crypto conditional debugging on a router with heavy traffic should be used with caution.
• Your router will perform conditional debugging only after at least one of the global crypto debug commands (debug crypto isakmp, debug crypto ipsec, or debug crypto engine) has been enabled. This requirement helps to ensure that the performance of the router will not be impacted when conditional debugging is not being used.

Enabling Crypto Conditional Debug Filtering

To enable crypto conditional debug filtering, perform the following tasks:

Step 1  Router# enable
        Enables privileged EXEC mode.
Step 2  Router# debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [fvrf string] [ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer] [reset]
        Defines conditional debug filters. See Table 34-2 for descriptions of values.
Step 3  Router# show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]}
        Displays crypto debug conditions that have already been enabled in the router.
Step 4  Router# debug crypto isakmp
        Enables global IKE debugging.
Step 5  Router# debug crypto ipsec
        Enables global IPsec debugging.
Step 6  Router# debug crypto engine
        Enables global crypto engine debugging.
Step 7  Router# debug crypto condition unmatched [isakmp | ipsec | engine]
        (Optional) Displays debug conditional crypto messages when no context information is available to check against debug conditions. If none of the optional keywords are specified, all crypto-related information will be shown.

Disabling Crypto Conditional Debugging

Before you disable crypto conditional debugging, you must first disable any crypto global debug CLIs that you have issued. You can then disable crypto conditional debugging. To disable crypto conditional debugging, enter the following command:

Router# debug crypto condition reset
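The connid, flowid and spi filter values that debug crypto condition accepts are the ones printed per SA by show crypto ipsec sa (shown earlier in this chapter). The following is an added example, not code from this guide or from Cisco, that pulls those values out of such output, validates them against the Table 34-2 ranges, and builds the filter commands for one peer; all names are hypothetical and the sample text is constructed from the guide's own sample values.

```python
"""Scope crypto conditional debugging to one peer using 'show crypto ipsec sa' fields.

Added example, not code from the Cisco guide: parses the per-SA fields shown in the
guide's sample output, checks them against the Table 34-2 value ranges, and emits the
'debug crypto condition' commands that limit debug output to one peer's flows.
"""
import re
from dataclasses import dataclass
from typing import List

CONNID_MAX = 32766    # Table 34-2: connid and flowid are integers between 1 and 32766
SPI_MAX = 0xFFFFFFFF  # Table 34-2: spi is a 32-bit unsigned integer

# Constructed sample, trimmed from the guide's 'show crypto ipsec sa standby' output.
SAMPLE = """\
   current_peer: 172.168.3.1
     inbound esp sas:
      spi: 0xD8C8635F(3637011295)
        transform: esp-des esp-md5-hmac ,
        slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
        HA Status: STANDBY
     inbound ah sas:
      spi: 0xAAF10A60(2867923552)
        transform: ah-sha-hmac ,
        slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
        HA Status: STANDBY
     outbound esp sas:
      spi: 0x132ED6AB(321836715)
        transform: esp-des esp-md5-hmac ,
        slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
        HA Status: STANDBY
     outbound ah sas:
      spi: 0x1951D78(26549624)
        transform: ah-sha-hmac ,
        slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
        HA Status: STANDBY
"""

@dataclass
class IpsecSa:
    peer: str
    direction: str   # "inbound" or "outbound"
    proto: str       # "esp", "ah" or "pcp"
    spi: int
    transform: str = ""
    conn_id: int = 0
    flow_id: int = 0
    ha_status: str = ""

_PEER = re.compile(r"^\s*current_peer:?\s+(\S+)")
_SAS_HDR = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
_SPI = re.compile(r"^\s*spi: 0x([0-9A-Fa-f]+)")
_IDS = re.compile(r"conn id: (\d+), flow_id: (\d+)")

def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """One IpsecSa per 'spi:' entry; a peer line or a 'sas:' header resets the context."""
    sas: List[IpsecSa] = []
    peer = direction = proto = ""
    cur = None
    for line in text.splitlines():
        if m := _PEER.match(line):
            peer, cur = m.group(1), None
        elif m := _SAS_HDR.match(line):
            direction, proto, cur = m.group(1), m.group(2), None
        elif m := _SPI.match(line):
            cur = IpsecSa(peer, direction, proto, int(m.group(1), 16))
            sas.append(cur)
        elif cur is not None:
            s = line.strip()
            if s.startswith("transform:"):
                cur.transform = s[len("transform:"):].strip(" ,")
            elif m := _IDS.search(s):
                cur.conn_id, cur.flow_id = int(m.group(1)), int(m.group(2))
            elif s.startswith("HA Status:"):
                cur.ha_status = s.split(":", 1)[1].strip()
    return sas

def check_ranges(sa: IpsecSa) -> List[str]:
    """Return the Table 34-2 range violations that would make a value unusable as a filter."""
    problems = []
    if not 1 <= sa.conn_id <= CONNID_MAX:
        problems.append(f"conn id {sa.conn_id} outside 1..{CONNID_MAX}")
    if not 1 <= sa.flow_id <= CONNID_MAX:
        problems.append(f"flow_id {sa.flow_id} outside 1..{CONNID_MAX}")
    if not 0 <= sa.spi <= SPI_MAX:
        problems.append(f"spi {sa.spi:#x} does not fit in 32 bits")
    return problems

def debug_conditions(sas: List[IpsecSa], peer: str, active_only: bool = True) -> List[str]:
    """Build one 'debug crypto condition' command per filter for the given peer.

    Only inbound SAs are used: per the guide's note, either the inbound or the outbound
    SPI of a flow triggers messages for the whole flow. STANDBY SAs (the HA copies seen
    on the standby router) carry no traffic and are skipped unless active_only is False.
    """
    cmds = [f"debug crypto condition peer ipv4 {peer}"]
    for sa in sas:
        if sa.peer != peer or sa.direction != "inbound":
            continue
        if active_only and sa.ha_status == "STANDBY":
            continue
        if check_ranges(sa):  # the CLI would reject an out-of-range value anyway
            continue
        cmds.append(f"debug crypto condition spi {sa.spi}")
    return cmds
```

Run debug_conditions(parse_ipsec_sa(SAMPLE), "172.168.3.1", active_only=False) to see the peer filter followed by one spi filter per inbound SA; with the default active_only=True the STANDBY sample yields only the peer filter.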
Enabling Crypto Error Debug Messages

Enabling the debug crypto error command displays only error-related debug messages, which allows you to easily determine why a crypto operation, such as an IKE negotiation, has failed within your system. To enable crypto error debug messages, enter the following command from privileged EXEC mode:

Router# debug crypto {isakmp | ipsec | engine} error

Note  When enabling this command, ensure that global crypto debug commands are not enabled; otherwise, the global commands will override any possible error-related debug messages.

For complete configuration information for crypto conditional debug support, refer to this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_dbcry.html

Preparing for Online Insertion and Removal of a SPA

The Cisco 7600 series router supports online insertion and removal (OIR) of the SSC, in addition to each of the SPAs. You can remove an SSC with its SPAs still intact, or you can remove a SPA independently from the SSC, leaving the SSC installed in the router. An SSC can remain installed in the router with one SPA remaining active while you remove another SPA from one of the SSC subslots. If you are not planning to immediately replace a SPA into the SSC, then be sure to install a blank filler plate in the subslot. The SSC should always be fully installed with either functional SPAs or blank filler plates.

For more information about activating and deactivating SPAs in preparation for OIR, see the "Preparing for Online Insertion and Removal of SIPs and SPAs" topic in the "Troubleshooting the SIPs and SSC" chapter in this guide.
PART 9  Field-Programmable Devices

CHAPTER 35  Upgrading Field-Programmable Devices

In general terms, field-programmable devices (FPDs) are hardware devices implemented on router cards that support separate upgrades. The term "FPD" has been introduced to collectively and generically describe any type of programmable hardware device on SIPs and SPAs. FPDs were introduced on the Cisco 7600 series router to support SPAs and SIPs. This chapter describes the information that you need to know to verify image versions and to perform SIP and SPA FPD upgrades.

This chapter includes the following sections:
• Release History, page 35-1
• FPD Quick Upgrade, page 35-2
• Overview of FPD Images and Packages, page 35-3
• Upgrading FPD Images, page 35-3
• Optional FPD Procedures, page 35-6
• FPD Image Upgrade Examples, page 35-13
• Troubleshooting Problems with FPD Image Upgrades, page 35-16

Release History

Table 35-1 provides the release and modification history for all FPD-related features on the Cisco 7600 series router.

Table 35-1  FPD Release History

Release                        Modification
Cisco IOS Release 12.2(33)SRB  The upgrade hw-module slot fpd file command was introduced. This command replaces the upgrade hw-module slot command.
                               The upgrade hw-module subslot fpd file command was introduced. This command replaces the upgrade hw-module subslot command.
Cisco IOS Release 12.2(18)SXE  SIPs and SPAs were released on the Cisco 7600 series router and Catalyst 6500 series switch for the first time. FPD images were introduced to support these SPAs.
                               The Fast Software Upgrade (FSU) procedure supported by Route Processor Redundancy (RPR) for supervisor engines was added to the documentation.

FPD Quick Upgrade

This section provides information if you simply want to upgrade FPDs for SIPs and SPAs as quickly as possible. These instructions are not always feasible for operating network environments and are not the only methods available for upgrading FPDs. If these methods of upgrade are not suitable for your situation, see the various other sections of this document for other methods of upgrading FPDs.

This section addresses the following topics:
• FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended), page 35-2
• FPD Quick Upgrade After Upgrading your Cisco IOS Release, page 35-2

FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended)

Step 1  When getting your Cisco IOS image, download the FPD image package for the Cisco IOS release that you are upgrading to onto any Flash disk on your router before booting the new version of Cisco IOS. The FPD image package can be retrieved from the same site where you obtained your Cisco IOS image. Do not change the name of the FPD image package.

Step 2  Boot using the new version of Cisco IOS. When the new Cisco IOS boots, by default it searches for the FPD image package in the router Flash file systems, and the FPD images will be updated automatically as part of the IOS boot process.

FPD Quick Upgrade After Upgrading your Cisco IOS Release

Step 1  An FPD upgrade is not always necessary after Cisco IOS is reloaded. If you have already reloaded your Cisco IOS, enter the show hw-module all fpd command to see if all system FPDs are compatible. If the FPDs are compatible, no further action is necessary. If at least one FPD needs an upgrade, proceed to Step 2.
Step 2  Go to the cisco.com site where you downloaded your specific Cisco IOS software and locate the FPD image package, if you haven't already.

Step 3  Download this FPD image package to a Flash disk on your router. Do not change the name of the FPD image package. Do not change any FPD-related settings on your system (if upgrade fpd auto or upgrade fpd path has been changed, change the settings back to the default settings using the no form of the command). Reboot your Cisco IOS release software. When the new Cisco IOS boots, by default it searches for the FPD image package in the Flash file systems, and the FPD images will be updated automatically as part of the IOS boot process.

Overview of FPD Images and Packages

An FPD image package is used to upgrade FPD images. Whenever a Cisco IOS image is released that supports carrier cards and SPAs, a companion FPD image package is also released for that Cisco IOS software release. The FPD image package is available from Cisco.com and is accessible from the Cisco Software Center page where you also go to download your Cisco IOS software image. FPD packages are suffixed with a .pkg extension and are typically used to upgrade firmware images of the line card and supervisor programmable components.

If you are running SIPs and SPAs on your router and are upgrading your Cisco IOS image, you should download the FPD image package file before booting the router using the new Cisco IOS release. If the SIP or SPA requires an FPD upgrade and the Cisco IOS image is unable to locate an FPD image package, the system messages will indicate that the FPD image is incompatible and you will need to go to the Cisco Software Center on Cisco.com to download the FPD image package for your Cisco IOS software release.
An FPD incompatibility on a SPA disables all interfaces on that SPA until the incompatibility is addressed; an FPD incompatibility on a SIP disables all interfaces for all SPAs in the SIP until the incompatibility is addressed.

Note  The FPD automatic upgrade feature only searches for the FPD image package file that is the same version number as the Cisco IOS release being used by the system. For example, if you are using Cisco IOS Release 12.2(18)SXE, then the system will search for the FPD image package file (c7600-fpd-pkg.122-18.SXE.pkg) that supports this particular IOS release. Therefore, ensure that the FPD image package file on your system is compatible with your Cisco IOS release. It is important not to change the name of the FPD package file.

Upgrading FPD Images

This section documents some of the common scenarios where FPD image updates are necessary. It discusses the following scenarios:
• Migrating to a Newer Cisco IOS Release, page 35-3
• Upgrading FPD Images in a Production System, page 35-5

Migrating to a Newer Cisco IOS Release

This section discusses the following topics:
• Upgrading FPD Images Before Upgrading Cisco IOS Release (Recommended), page 35-3
• Upgrading FPD Images in a Production System, page 35-5
• Upgrading FPD Images Using Fast Software Upgrade, page 35-6

Upgrading FPD Images Before Upgrading Cisco IOS Release (Recommended)

If you are still running your old Cisco IOS Release but are preparing to load a newer version of Cisco IOS, you can upgrade FPD for the new Cisco IOS Release using the following method:
• Placing FPD Image Package on Flash Disk Before Upgrading IOS (Recommended), page 35-4

Placing FPD Image Package on Flash Disk Before Upgrading IOS (Recommended)

Placing the FPD image package for the IOS release that you are upgrading to onto a Flash disk before upgrading IOS is the recommended method for upgrading FPD because it is simple in addition to being fast. To perform this type of FPD upgrade, follow these steps:

Step 1  While still running the Cisco IOS release that will be upgraded, place the FPD image package for the new version of Cisco IOS onto one of your router's Flash file systems. For instance, if you are running Cisco IOS Release 12.2(18)SXE and are upgrading to Cisco IOS Release 12.2(19)SXE, place the FPD image package for Cisco IOS Release 12.2(19)SXE onto a Flash file system while still running Cisco IOS Release 12.2(18)SXE. You can locate the FPD image package for a specific IOS release on cisco.com in the same area where you download that Cisco IOS software image. Your router and SPAs should continue to operate normally, since this action has no impact on the current FPDs.

Caution  Do not change the filename of the FPD image package file. Cisco IOS searches for the FPD image package file by filename, so the FPD image package file cannot be found if it has been renamed.

Step 2  Reboot your router using the new upgraded Cisco IOS image. As part of the bootup process, the router will search for the FPD image package. Because the default settings for the FPD image package search are to check a Flash file system for the FPD image package for the specific Cisco IOS Release, the FPD image package will be located during the bootup procedure and all FPDs that require upgrades will be upgraded.

Step 3  When the router has booted, verify the upgrade was successful by entering the show hw-module all fpd command.

Upgrade FPD Images after Upgrading the New Cisco IOS Release

The following steps explain how to upgrade FPD images if you have already upgraded your Cisco IOS release but still need to upgrade your FPD images.
To perform an FPD upgrade after the new Cisco IOS release has been booted, follow these steps:

Step 1  If you are unsure whether the FPD images for your SIPs and SPAs are compatible, enter the show hw-module all fpd command to verify compatibility of all SIPs and SPAs. If all of your SIPs and SPAs are compatible, there is no reason to perform this upgrade.

Step 2  If an FPD upgrade is necessary, place the FPD image package for the new version of Cisco IOS onto the router's Flash disk or on an accessible FTP or TFTP server. You can locate the FPD image package on cisco.com in the same area where you downloaded your Cisco IOS software image.

Step 3  Enter the upgrade hw-module [slot slot-number | subslot slot-number/subslot-number] file file-url [force] command. The file-url argument should point to the location of the FPD image package. For instance, if you had placed the FPD image package for Release 12.2(18)SXE on the TFTP server abrick/muck/myfolder, you would enter upgrade hw-module [slot slot-number | subslot slot-number/subslot-number] file tftp://abrick/muck/myfolder/c7600-fpd-pkg.122-18.SXE.pkg to complete this step. If multiple SIPs or SPAs require upgrades, the different pieces of hardware will have to be updated individually.

Note  The force option is used in this command. This option will force an FPD upgrade even if no FPD mismatch is detected. In instances where the upgrade hw-module command is entered, this option is almost never necessary and should only be entered if requested by a technical support representative.

Step 4  Verify the upgrade was successful by entering the show hw-module all fpd command.
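Steps 1 and 4 above, and the verification steps of every other procedure in this chapter, rest on reading show hw-module all fpd output by eye. The following is an added example, not code from the Cisco guide, that parses that output in the layout documented later in this chapter and reports each FPD whose current version is below the minimum required one, together with the package file the NOTES block names. The sample output embedded in it is constructed for the example; the regular expressions, class names and the audit function are assumptions of the example, not part of Cisco IOS.

```python
"""Audit `show hw-module all fpd` output for FPD images that still need an upgrade.

Added example; it is not code from the Cisco guide. It parses the tabular
output format this chapter documents (a card row carrying slot, card type and
H/W version, followed by one row per FPD as "<id>-<name> <current> <required>",
with '*' marking a mismatch) and reports every FPD whose current version is
below the minimum required one. The sample output below is constructed for the
example in the same layout as the guide's own examples.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FpdEntry:
    fpd_id: int
    name: str
    current: str
    required: str
    flagged: bool          # '*' in the "Min. Required Version" column


@dataclass
class Card:
    slot: str              # "1" for a SIP, "4/2" for a SPA in a SIP subslot
    card_type: str
    hw_ver: str
    fpds: list = field(default_factory=list)


def version_key(version):
    """FPD versions are dotted integers, so 1.211 is newer than 1.3.
    Compare component-wise; float or string comparison gets this wrong."""
    return tuple(int(part) for part in version.split("."))


def needs_upgrade(entry):
    """Trust the router's '*' marker, but also catch a lower version without it."""
    return entry.flagged or version_key(entry.current) < version_key(entry.required)


# The first FPD of a card shares its row with the slot/card-type/H/W columns ...
_CARD_ROW = re.compile(
    r"^\s*(\d+(?:/\d+)?)\s+(\S+)\s+(\d+\.\d+)\s+(\d+)-(.+?)\s+(\d+\.\d+)\s+(\d+\.\d+)\s*(\*?)\s*$"
)
# ... the remaining FPDs of that card are continuation rows with only the FPD columns.
_CONT_ROW = re.compile(r"^\s+(\d+)-(.+?)\s+(\d+\.\d+)\s+(\d+\.\d+)\s*(\*?)\s*$")
# The NOTES block names the package file that resolves the mismatch.
_PKG_NOTE = re.compile(r'"(c7600-fpd-pkg\.[^"]+\.pkg)"')


def parse_show_fpd(text):
    """Return ([Card, ...], package_filename_or_None) from the command output."""
    cards, package = [], None
    for line in text.splitlines():
        m = _CARD_ROW.match(line)
        if m:
            slot, card_type, hw_ver, fpd_id, name, cur, req, star = m.groups()
            cards.append(Card(slot, card_type, hw_ver,
                              [FpdEntry(int(fpd_id), name, cur, req, star == "*")]))
            continue
        m = _CONT_ROW.match(line)
        if m and cards:
            fpd_id, name, cur, req, star = m.groups()
            cards[-1].fpds.append(FpdEntry(int(fpd_id), name, cur, req, star == "*"))
            continue
        m = _PKG_NOTE.search(line)
        if m:
            package = m.group(1)
    return cards, package


def audit(text):
    """Return ([(slot, card_type, fpd_name, current, required), ...], package)."""
    cards, package = parse_show_fpd(text)
    findings = [(c.slot, c.card_type, e.name, e.current, e.required)
                for c in cards for e in c.fpds if needs_upgrade(e)]
    return findings, package


# Constructed sample in the guide's output format: the slot 4 ROMMON is below the minimum.
SAMPLE = """\
Router# show hw-module all fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable Current     Min. Required
Slot Card Type               Ver.  Device:"ID-Name"   Version     Version
==== ====================== ====== ================== =========== ==============
   1 7600-SIP-200           0.550  1-I/O FPGA         1.1         1.1
                                   2-EOS FPGA         1.211       1.211
                                   5-ROMMON           1.2         1.2
---- ---------------------- ------ ------------------ ----------- --------------
 1/1 SPA-2XOC3-ATM          0.225  1-I/O FPGA         1.24        1.24
---- ---------------------- ------ ------------------ ----------- --------------
   4 7600-SIP-200           0.550  1-I/O FPGA         1.1         1.1
                                   2-EOS FPGA         1.211       1.211
                                   5-ROMMON           1.1         1.2 *
---- ---------------------- ------ ------------------ ----------- --------------
 4/2 SPA-8XCHT1/E1          0.117  1-ROMMON           2.12        2.12
                                   2-I/O FPGA         1.2         1.2
==== ====================== ====== =============================================
NOTES:
  - FPD images that are required to be upgraded are indicated with a '*'
    character in the "Minimal Required Version" field.
  - The following FPD image package file is required for the upgrade:
    "c7600-fpd-pkg.122-18.SXE.pkg"
"""

if __name__ == "__main__":
    findings, package = audit(SAMPLE)
    for slot, card_type, name, cur, req in findings:
        print(f"slot {slot} ({card_type}): {name} {cur} < required {req}")
    if findings:
        print(f"stage {package} on a Flash file system before the reload")
```

The version comparison is the part worth copying: a card whose EOS FPGA reports 1.211 against a minimum of 1.3 is compliant, which a numeric or string comparison would misreport as a mismatch and trigger an unnecessary card reload.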
Upgrading FPD Images in a Production System

Adding a SIP or SPA to a production system presents the possibility that the SIP or SPA may contain versions of FPD images that are incompatible with the Cisco IOS release currently running on the router. In addition, the FPD upgrade operation can be very CPU-intensive, and therefore the upgrade may take more time when it is performed on a production system. The performance impact will vary depending on various factors, including network traffic load, the type of processing engine used, the type of SPA, and the type of service configured. For these reasons, we recommend that one of the following alternatives be used to perform the FPD upgrade on a production system if possible:
• Using a Non-Production System to Upgrade the SIP or SPA FPD Image, page 35-5
• Verifying System Compatibility First, page 35-6

Using a Non-Production System to Upgrade the SIP or SPA FPD Image

Before beginning the upgrade, ensure:
• The spare system is running the same version of the Cisco IOS software release that the target production system is running.
• The automatic upgrade feature is enabled on the spare system (the automatic upgrade feature is enabled by default; it can also be enabled using the upgrade fpd auto command).

Use the following procedure to perform an upgrade on a spare system:

Step 1  Download the FPD image package file to the router's Flash file system or to a TFTP or FTP server accessible by the spare system. In most cases, it is preferable to place the file in a Flash file system, since the router by default searches for the FPD image package in the Flash file systems. If the Flash file systems are full, use the upgrade fpd path command to direct the router to search for the FPD image package in the proper location.

Step 2  Insert the SIP or SPA into the spare system.
If an upgrade is required, the system will perform the necessary FPD image updates so that when this SIP or SPA is inserted into the target production system it will not trigger an FPD upgrade operation there.

Step 3  Verify the upgrade was successful by entering the show hw-module all fpd command.

Step 4  Remove the SIP or SPA from the spare system after the upgrade.

Step 5  Insert the SIP or SPA into the target production system.

Verifying System Compatibility First

If a spare system is not available to perform an upgrade, you can check for system compatibility by disabling the automatic upgrade feature before inserting the SIP or SPA (the automatic upgrade feature is enabled by default; it can be disabled using the no upgrade fpd auto command).
• If the FPD images on the SIP or SPA are compatible with the system, you will only need to re-enable the automatic upgrade feature (using the upgrade fpd auto command).
• If the FPD images on the SIP or SPA are not compatible with the system, the SIP or SPA is disabled but will not impact system performance by attempting to perform an automatic upgrade.

Use the following procedure to check the FPD images on the SIP or SPA for system compatibility:

Step 1  Disable the automatic upgrade feature using the no upgrade fpd auto global configuration command.

Step 2  Insert the SIP or SPA into the system. If the FPD images are compatible, the SIP or SPA will operate successfully after bootup. If the FPD images are not compatible, the SIP or SPA is disabled. At this point we recommend that you wait for a scheduled maintenance window when the system is offline to manually perform the FPD upgrade using one of the procedures outlined in the "Upgrading FPD Images" section on page 35-3.
Step 3  Re-enable the automatic upgrade feature using the upgrade fpd auto global configuration command.

Upgrading FPD Images Using Fast Software Upgrade

The fast software upgrade (FSU) procedure supported by Route Processor Redundancy (RPR) allows you to upgrade the Cisco IOS image on supervisor engines without reloading the system. When using FSU to upgrade the Cisco IOS image, remember that Cisco IOS software is configured, by default, to automatically load the new FPD images from a Flash file system on the router. Therefore, if the FPD image package for the new Cisco IOS has not been downloaded to the router Flash file system, the FPD image that needs to be upgraded will not get upgraded when the new supervisor engine with the upgraded Cisco IOS becomes the primary supervisor engine.

To ensure FPD is upgraded at the time of the FSU, place the FPD image package for the new version of Cisco IOS onto the Flash file system before upgrading Cisco IOS and follow the instructions in the "Upgrading FPD Images Before Upgrading Cisco IOS Release (Recommended)" section on page 35-3.

If a SIP or SPA is disabled after FSU is used to upgrade Cisco IOS and the supervisor engine with the upgraded Cisco IOS has become the primary supervisor engine, follow the instructions in the "Upgrade FPD Images after Upgrading the New Cisco IOS Release" section on page 35-4 to verify and, if necessary, upgrade FPD.

Optional FPD Procedures

This section provides information for optional FPD-related functions. None of the topics discussed in this section are necessary for completing FPD upgrades, but they may be useful in some FPD-related scenarios.
It covers the following topics:
• Manually Upgrading SIP and SPA FPD Images, page 35-7
• Upgrading FPD from an FTP or TFTP Server, page 35-7
• Modifying the Default Path for the FPD Image Package File Location, page 35-9
• Upgrading Multiple FPD Images, page 35-10
• Displaying Current and Minimum Required FPD Image Versions, page 35-10
• Displaying Information About the Default FPD Image Package, page 35-12
• Verifying the FPD Image Upgrade Progress, page 35-12

Manually Upgrading SIP and SPA FPD Images

To manually upgrade the current FPD version on a SIP or SPA, use the following command:

Router# upgrade hw-module [slot slot-number | subslot slot-number/subslot-number] file file-url [force]

In this example, slot-number is the slot where the SIP is installed, subslot-number is the subslot number where the SPA is located, file-url is the location and name of the FPD image package file, and force is an option that forces the SPA to perform an FPD upgrade even if FPD is compatible (the force option is almost never necessary and should only be entered if requested by a technical support representative). Note that slot slot-number is entered to specify a SIP FPD upgrade, while subslot slot-number/subslot-number is used to specify a SPA FPD upgrade. The SIP or SPA will automatically be reloaded to complete the FPD upgrade.

Caution  An image upgrade can require a long period of time to complete, depending on the SIP or SPA.

Upgrading FPD from an FTP or TFTP Server

The generally recommended method to perform an FPD image upgrade is to download the FPD image package to a Flash file system and use the FPD automatic upgrade. By default, the system searches the Flash file system for the FPD image package file when an FPD incompatibility is detected.
This default behavior of loading an FPD image from Flash can be changed using the upgrade fpd path global configuration command, which sets the path to search for the FPD image package file to a location other than the router's Flash file systems. For large deployments where all the systems are being upgraded to a specific Cisco IOS software release, we recommend that the FPD image package file be placed on an FTP or TFTP server that is accessible to all the affected systems, and that the upgrade fpd path global configuration command then be used to configure the routers to look for the FPD image package file on the FTP or TFTP server prior to reloading the system with the new Cisco IOS release.

Note  This approach can also be used if there is not enough disk space on the system Flash card to hold the FPD image package file.

To upgrade FPD using an FPD image package file on an FTP or TFTP server, use the following procedure:

Step 1  Copy the FPD image package file to the FTP or TFTP server.

Step 2  Access the router from a connection that does not use the SPA interface for access, if possible. We recommend not using the SPA interface as your connection to the router because an FPD incompatibility disables all interfaces on the SPA, making a manual FPD upgrade impossible through a SPA interface.

If access through one of the SPA ports is the only access to the router you have, do not use the TFTP or FTP upgrade method. Instead, copy the FPD image package to your router's default Flash card before upgrading your Cisco IOS Release. This will allow the router to find the FPD image package during the first IOS bootup and upgrade FPD automatically.

Step 3  From global configuration mode, use the upgrade fpd path command to instruct the router to locate the FPD image package file from the FTP or TFTP server location.
For example, enter one of the following global configuration commands from the target system's console:

Router(config)# upgrade fpd path tftp://my_tftpserver/fpd_pkg_dir/

or

Router(config)# upgrade fpd path ftp://login:password@my_ftpserver/fpd_pkg_dir/

Note  The final "/" at the end of each of the above examples is required. If the path is specified without the trailing "/" character, the command will not work properly.

In these examples, my_tftpserver or my_ftpserver is the server name, fpd_pkg_dir is the directory on the server where the FPD image package is located, and login:password is your FTP login name and password.

Step 4  Make sure that the FPD automatic upgrade feature is enabled by examining the output of the show running-config command. (Look for the upgrade fpd auto configuration line in the output. If there are no upgrade commands in the output, then upgrade fpd auto is enabled because it is the default setting.) If automatic upgrades are disabled, use the upgrade fpd auto global configuration command to enable automatic FPD upgrades.

Step 5  Enter the show upgrade fpd file command to ensure your router is connecting properly to the default FPD image package. If you are able to generate output related to the FPD image package using this command, the upgrade should work properly. In the following example, the router is able to generate FPD image package information for the FPD image package on the TFTP server.

Router# show upgrade fpd file tftp://mytftpserver/myname/myfpdpkg/c7600-fpd-pkg.122-18.SXE.pkg
Loading myname/myfpdpkg/c7600-fpd-pkg.122-18.SXE.pkg from 124.0.0.0 (via FastEthernet0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK]
Cisco Field Programmable Device Image Package for IOS
C7600 Family FPD Image Package (c7600-fpd-pkg.122-18.SXE.pkg), Version 12.2(SXE)
Copyright (c) 2004-2005 by cisco Systems, Inc.
Built Fri 25-Mar-2005 09:12 by integ

===============================  ================================================
                                 Bundled FPD Image Version Matrix
                                 ================================================
                                                                Min. Req.
Supported Card Types             ID  Image Name                 Version    H/W Ver.
===============================  ==  =========================  =========  =========
2-port T3/E3 Serial SPA          1   T3E3 SPA ROMMON            2.12       0.0
                                 2   T3E3 SPA I/O FPGA          0.24       0.0
                                 3   T3E3 SPA E3 FPGA           0.6        0.0
                                 4   T3E3 SPA T3 FPGA           0.14       0.0
-------------------------------  --  -------------------------  ---------  ---------
4-port T3/E3 Serial SPA          1   T3E3 SPA ROMMON            2.12       0.0
                                 2   T3E3 SPA I/O FPGA          0.24       0.0
                                 3   T3E3 SPA E3 FPGA           0.6        0.0
                                 4   T3E3 SPA T3 FPGA           0.14       0.0
-------------------------------  --  -------------------------  ---------  ---------
...

Step 6  Save the configuration and reload the system with the new Cisco IOS release. During the system startup after the reload, the necessary FPD image version check for all the SIPs and SPAs will be performed, and any upgrade operation will occur automatically if an upgrade is required. In each upgrade operation, the system extracts the necessary FPD images to the SIP or SPA from the FPD image package file located on the FTP or TFTP server.

Modifying the Default Path for the FPD Image Package File Location

By default, the Cisco IOS software looks for the FPD image package file on a Flash file system when performing an automatic FPD image upgrade.

Note  Be sure there is enough space on one of your Flash file systems to accommodate the FPD image package file. Alternatively, you can store an FPD image package file elsewhere.
However, because the system looks on the Flash file systems by default, you need to change the FPD image package file location so that the system is directed to search an alternate location (such as an FTP or TFTP server) that is accessible by the Cisco IOS software. Enter the upgrade fpd path fpd-pkg-dir-url global configuration command, where fpd-pkg-dir-url is the alternate location, to instruct the router to search for the FPD image package elsewhere.

When specifying the fpd-pkg-dir-url, be aware of the following:
• The fpd-pkg-dir-url is the path to the FPD image package, but the FPD image package filename should not be specified as part of the fpd-pkg-dir-url. For instance, if the c7600-fpd-pkg.122-18.SXE.pkg file can be found on the TFTP server using the path mytftpserver/myname/myfpdpkg/c7600-fpd-pkg.122-18.SXE.pkg and you want the router to use this FPD image package for FPD upgrades, enter the upgrade fpd path tftp://mytftpserver/myname/myfpdpkg/ command so the router knows where to find the file. The actual filename should not be specified.
• The final "/" character in the fpd-pkg-dir-url is required. In the preceding example, note that the fpd-pkg-dir-url is tftp://mytftpserver/myname/myfpdpkg/. Entering tftp://mytftpserver/myname/myfpdpkg (note: the final "/" character is missing) as the fpd-pkg-dir-url in that scenario would not work.

If the upgrade fpd path global configuration command has not been entered to direct the router to locate an FPD image package file in an alternate location, the system searches the Flash file systems on the Cisco 7600 series router for the FPD image package file. Failure to locate an FPD image package file when an upgrade is required will disable the SIP or SPA. Because SIPs and SPAs will not come online until FPD is compatible, the SIP or SPA will also be disabled if it requires an FPD upgrade and the automatic upgrade feature is disabled.
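The two rules above (trailing "/" required, filename excluded) and the Note earlier in this chapter that the router only looks for the package whose name matches the running release are easy to get wrong in a fleet rollout, and the failure mode is a disabled SIP or SPA after the reload. The following is an added example, not code from the Cisco guide, that checks an fpd-pkg-dir-url against those rules before it is configured and derives the package filename the automatic upgrade will request. The release-to-filename mapping (12.2(18)SXE to c7600-fpd-pkg.122-18.SXE.pkg) is inferred from the guide's single example and is an assumption for other release trains, as is the c7600 prefix; the function names are the example's own. It also flags an FTP login:password embedded in the URL, because upgrade fpd path is a global configuration line and the credentials therefore land in show running-config and in every configuration backup.

```python
"""Validate an `upgrade fpd path` argument and derive the package it must serve.

Added example; it is not code from the Cisco guide. It encodes the rules this
section states for the fpd-pkg-dir-url (directory URL, trailing "/" required,
package filename not included) and builds the filename the automatic upgrade
will look for. The release-to-filename mapping (12.2(18)SXE ->
c7600-fpd-pkg.122-18.SXE.pkg) is inferred from the guide's one example and is
an assumption for other release trains, as is the "c7600" platform prefix.
"""
import re
from urllib.parse import urlsplit

_RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z0-9]+)$")


def expected_package_name(ios_release, platform="c7600"):
    """'12.2(18)SXE' -> 'c7600-fpd-pkg.122-18.SXE.pkg' (pattern assumed from the guide)."""
    m = _RELEASE.match(ios_release.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release string: {ios_release!r}")
    major, minor, maint, train = m.groups()
    return f"{platform}-fpd-pkg.{major}{minor}-{maint}.{train}.pkg"


def check_fpd_path(url):
    """Return the problems with an fpd-pkg-dir-url; an empty list means it is usable."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("tftp", "ftp"):
        problems.append(f"scheme {parts.scheme!r} is not tftp or ftp")
    if not parts.hostname:
        problems.append("server name is missing")
    if not parts.path.endswith("/"):
        problems.append("path must end with '/' (the router treats it as a directory)")
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if last.endswith(".pkg"):
        problems.append("package filename must not be part of the path")
    if parts.password is not None:
        # upgrade fpd path is a global configuration line, so login:password
        # is written to the running configuration and every backup of it.
        problems.append("FTP password is embedded in the URL and will be stored "
                        "in the running configuration")
    return problems


def resolve_package_url(fpd_pkg_dir_url, ios_release):
    """Full URL the router will request, or ValueError if the path breaks a rule."""
    problems = check_fpd_path(fpd_pkg_dir_url)
    if problems:
        raise ValueError("; ".join(problems))
    return fpd_pkg_dir_url + expected_package_name(ios_release)


if __name__ == "__main__":
    # The guide's own examples, good and bad, plus the embedded-credential form.
    for url in ("tftp://my_tftpserver/fpd_pkg_dir/",
                "tftp://mytftpserver/myname/myfpdpkg",
                "tftp://mytftpserver/myname/myfpdpkg/c7600-fpd-pkg.122-18.SXE.pkg",
                "ftp://login:password@my_ftpserver/fpd_pkg_dir/"):
        print(url, "->", check_fpd_path(url) or "ok")
    print(resolve_package_url("tftp://mytftpserver/myname/myfpdpkg/", "12.2(18)SXE"))
```

Run it against the fpd-pkg-dir-url you intend to configure and the target release; the resolved URL is exactly the argument to give show upgrade fpd file in Step 5 of the previous procedure, so the two checks confirm each other before the reload.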
Upgrading Multiple FPD Images

A single piece of hardware can contain multiple FPD images. The Cisco 7600 series router can upgrade up to 4 FPD images simultaneously. However, only one FPD upgrade per router slot can occur at a time, so all FPD images on all SIPs and SPAs in a single slot will have to wait for any FPD upgrade already in progress in that slot to finish. Note that some FPD images require the SIP or SPA to reload to complete. The FPD upgrade process will perform this step automatically, so users do not have to intervene. However, the other FPDs in the hardware of the specified slot will have to wait for this reload to complete before their upgrade process begins.

During an automatic upgrade, the Cisco 7600 series router will upgrade as many FPDs as possible at a time. No user intervention is possible or necessary. The upgrade process will not stop until all FPD images have been updated.

During manual upgrades, note that users can only specify upgrades for a single piece of hardware each time the upgrade hw-module [slot slot-number | subslot slot-number/subslot-number] command is entered. The limit of up to 4 simultaneous upgrades applies to manual upgrades as well; if you individually specify multiple manual FPD upgrades, only 4 FPDs can be upgraded simultaneously, and that can only occur when the hardware is in different router slots. The FPD upgrade process will stop when all FPDs for the specified hardware have been upgraded.

Displaying Current and Minimum Required FPD Image Versions

To display the current version of FPD images on the SIPs and SPAs installed on your router, use the show hw-module [slot slot-number | subslot slot-number/subslot-number | all] fpd command, where slot-number is the slot number where the SIP is installed, and subslot-number is the number of the SIP subslot where a target SPA is located.
Entering the all keyword shows information for hardware in all router slots. The following examples show the output when using this show command.

The output display in this example shows that FPD versions on the SIPs and SPAs in the system meet the minimum requirements:

Router# show hw-module all fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable Current     Min. Required
Slot Card Type               Ver.  Device:"ID-Name"   Version     Version
==== ====================== ====== ================== =========== ==============
   1 7600-SIP-200           0.550  1-I/O FPGA         1.1         1.1
                                   2-EOS FPGA         1.211       1.211
                                   3-PEGASUS TX FPGA  1.129       1.129
                                   4-PEGASUS RX FPGA  1.3         1.3
                                   5-ROMMON           1.2         1.2
---- ---------------------- ------ ------------------ ----------- --------------
 1/1 SPA-2XOC3-ATM          0.225  1-I/O FPGA         1.24        1.24
---- ---------------------- ------ ------------------ ----------- --------------
   4 7600-SIP-200           0.550  1-I/O FPGA         1.1         1.1
                                   2-EOS FPGA         1.211       1.211
                                   3-PEGASUS TX FPGA  1.129       1.129
                                   4-PEGASUS RX FPGA  1.3         1.3
                                   5-ROMMON           1.2         1.2
---- ---------------------- ------ ------------------ ----------- --------------
 4/0 SPA-2XT3/E3            1.0    1-ROMMON           2.12        2.12
                                   2-I/O FPGA         0.24        0.24
                                   3-E3 FPGA          0.6         0.6
                                   4-T3 FPGA          0.14        0.14
---- ---------------------- ------ ------------------ ----------- --------------
 4/1 SPA-4XOC3-POS          0.209  1-I/O FPGA         3.4         3.4
---- ---------------------- ------ ------------------ ----------- --------------
 4/2 SPA-8XCHT1/E1          0.117  1-ROMMON           2.12        2.12
                                   2-I/O FPGA         1.2         1.2
==== ====================== ====== =============================================

This example shows the output when verifying all the FPDs for the carrier card and all the SPAs in a specific slot:

Router# show hw-module slot 4 fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable Current     Min. Required
Slot Card Type               Ver.  Device:"ID-Name"   Version     Version
==== ====================== ====== ================== =========== ==============
   4 7600-SIP-200           0.550  1-I/O FPGA         1.1         1.1
                                   2-EOS FPGA         1.211       1.211
                                   3-PEGASUS TX FPGA  1.129       1.129
                                   4-PEGASUS RX FPGA  1.3         1.3
                                   5-ROMMON           1.2         1.2
---- ---------------------- ------ ------------------ ----------- --------------
 4/0 SPA-2XT3/E3            1.0    1-ROMMON           2.12        2.12
                                   2-I/O FPGA         0.24        0.24
                                   3-E3 FPGA          0.6         0.6
                                   4-T3 FPGA          0.14        0.14
---- ---------------------- ------ ------------------ ----------- --------------
 4/1 SPA-4XOC3-POS          0.209  1-I/O FPGA         3.4         3.4
---- ---------------------- ------ ------------------ ----------- --------------
 4/2 SPA-8XCHT1/E1          0.117  1-ROMMON           2.12        2.12
                                   2-I/O FPGA         1.2         1.2
==== ====================== ====== =============================================

This example shows the output when using the slot-number/subslot-number argument to identify a particular SPA:

Router# show hw-module subslot 4/2 fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable Current     Min. Required
Slot Card Type               Ver.  Device:"ID-Name"   Version     Version
==== ====================== ====== ================== =========== ==============
 4/2 SPA-8XCHT1/E1          0.117  1-ROMMON           2.12        2.12
                                   2-I/O FPGA         1.2         1.2
==== ====================== ====== =============================================

The output display in this example shows that the SIP in slot 4 is disabled because one of the programmable devices does not meet the minimum version requirements. The output also contains a "NOTES" section that provides the name of the FPD image package file needed to upgrade the disabled SIP's FPD image.

Router# show hw-module all fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable Current     Min. Required
Slot Card Type               Ver.  Device:"ID-Name"   Version     Version
==== ====================== ====== ================== =========== ==============
   1 7600-SIP-200           0.550  1-I/O FPGA         1.1         1.1
                                   2-EOS FPGA         1.211       1.211
                                   3-PEGASUS TX FPGA  1.129       1.129
                                   4-PEGASUS RX FPGA  1.3         1.3
                                   5-ROMMON           1.2         1.2
---- ---------------------- ------ ------------------ ----------- --------------
 1/1 SPA-2XOC3-ATM          0.225  1-I/O FPGA         1.24        1.24
---- ---------------------- ------ ------------------ ----------- --------------
   4 7600-SIP...            0.550  1-I/O FPGA         1.1         1.1
                                   2-EOS FPGA         1.211       1.211
                                   3-PEGASUS TX FPGA  1.129       1.129
                                   4-PEGASUS RX FPGA  1.3         1.3
                                   5-ROMMON           1.1         1.2 *
==== ====================== ====== =============================================
NOTES:
  - FPD images that are required to be upgraded are indicated with a '*'
    character in the "Minimal Required Version" field.
  - The following FPD image package file is required for the upgrade:
    "c7600-fpd-pkg.122-18.SXE.pkg"

Displaying Information About the Default FPD Image Package

You can use the show upgrade fpd package default command to find out which SIPs and SPAs are supported with your current Cisco IOS release and which FPD image package you need for an upgrade.

Router# show upgrade fpd package default
*************************************************************************
This IOS release requires the following default FPD Image Package for
the automatic upgrade of FPD images:
*************************************************************************

Version:12.2(SXE)
Package Filename:c7600-fpd-pkg.122-18.SXE.pkg

List of card type supported in this package:
                                              Minimal
No.  Card Type                                HW Ver.
---- ------------------ ------- 1) 2 port adapter Enh 1.0 2) 2xCT3 SPA 0.100 3) 2xCT3 SPA 0.200 4) 4xCT3 SPA 0.100 5) 4xCT3 SPA 0.200 Verifying the FPD Image Upgrade Progress You can use the show upgrade fpd progress command to view a “snapshot” of the upgrade progress while an FPD image upgrade is taking place. The following example shows the type of information this command displays: Router#show upgrade fpd progress FPD Image Upgrade Progress Table: ==== =================== ==================================================== Approx.35-13 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 Chapter 35 Upgrading Field-Programmable Devices FPD Image Upgrade Examples Field Programmable Time Elapsed Slot Card Type Device : "ID-Name" Needed Time State ==== =================== ================== ========== ===================== 1/1 SPA-2XOC3-ATM 1-I/O FPGA 00:06:30 00:01:25 Updating... ---- ------------------- ------------------ ----------- -------------------- 4/0 SPA-2XT3/E3 1-ROMMON 00:00:30 00:00:02 Completed 2-I/O FPGA 00:01:00 00:00:01 Updating... 3-E3 FPGA 00:00:30 --:--:-- Waiting... 4-T3 FPGA 00:00:30 --:--:-- Waiting... ---- ------------------- ------------------ ----------- -------------------- 4/2 SPA-8XCHT1/E1 1-ROMMON --:--:-- --:--:-- Waiting... 2-I/O FPGA --:--:-- --:--:-- Waiting... ==== ======================================================================= FPD Image Upgrade Examples This section provides examples of automatic and manual FPD image upgrades. 
It includes the following examples: • System Cannot Locate FPD Image Package File for an Automatic FPD Image Upgrade Example, page 35-13 • Automatic FPD Image Upgrade Example, page 35-13 • Manual FPD Image Upgrade Example, page 35-14 • Pending FPD Upgrade Example, page 35-15 System Cannot Locate FPD Image Package File for an Automatic FPD Image Upgrade Example The following example displays the output when a SIP-200 requires an FPD upgrade and the upgrade fpd auto command is enabled, but the system cannot find the FPD image package file. Mar 25 16:14:13:%FPD_MGMT-3-INCOMP_IMG_VER:Incompatible ROMMON (FPD ID=5) image version detected for 7600-SIP-200 card in slot 1. Detected version = 1.1, minimum required version = 1.2. Current HW version = 0.550. Mar 25 16:14:13:%FPD_MGMT-5-UPGRADE_ATTEMPT:Attempting to automatically upgrade the FPD image(s) for 7600-SIP-200 card in slot 1. Use 'show upgrade fpd progress' command to view the upgrade progress ... Mar 25 16:14:14:%FPD_MGMT-3-PKG_FILE_SEARCH_FAILED:FPD image package (c7600-fpd-pkg.122-18.SXE.pkg) cannot be found in system's flash card or disk to do FPD upgrade. Mar 25 16:14:14:%OIR-6-REMCARD:Card removed from slot 1, interfaces disabled Mar 25 16:14:14:%FPD_MGMT-5-CARD_DISABLED:7600-SIP-200 card in slot 1 is being disabled because of an incompatible FPD image version. Note that the c7600-fpd-pkg.122-18.SXE.pkg package will be required if you want to perform the upgrade operation. Mar 25 16:14:14:%C6KPWR-SP-4-DISABLED:power to module in slot 1 set off (FPD Upgrade Failed) Automatic FPD Image Upgrade Example The following example shows the output displayed when a SIP-200 requires an FPD image upgrade and the upgrade fpd auto command is enabled. In this example, the router has been configured to locate the FPD image package from a TFTP server, but most of the output would be similar regardless of the location of the FPD image package. The required FPD image is automatically upgraded. 
Mar 25 16:22:48:%FPD_MGMT-3-INCOMP_IMG_VER:Incompatible ROMMON (FPD ID=5) image version detected for 7600-SIP-200 card in slot 1. Detected version = 1.1, minimum required version = 1.2. Current HW version = 0.550.
Mar 25 16:22:48:%FPD_MGMT-5-UPGRADE_ATTEMPT:Attempting to automatically upgrade the FPD image(s) for 7600-SIP-200 card in slot 1. Use 'show upgrade fpd progress' command to view the upgrade progress ...
Mar 25 16:22:48:%FPD_MGMT-6-BUNDLE_DOWNLOAD:Downloading FPD image bundle for 7600-SIP-200 card in slot 1 ...
Loading muck/luislu/c7600-fpd-pkg.122-18.SXE.pkg from 223.255.254.254 (via GigabitEthernet5/1):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Mar 25 16:23:17:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image upgrade time for 7600-SIP-200 card in slot 1 = 00:02:00.
Mar 25 16:23:17:%FPD_MGMT-6-UPGRADE_START:ROMMON (FPD ID=5) image upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version 1.2. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) ...
Mar 25 16:23:25:%FPD_MGMT-6-UPGRADE_PASSED:ROMMON (FPD ID=5) image in the 7600-SIP-200 card in slot 1 has been successfully updated from version 1.1 to version 1.2. Upgrading time = 00:00:08.452
Mar 25 16:23:25:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to upgrade the required FPD images have been completed for 7600-SIP-200 card in slot 1. Number of successful/failure upgrade(s):1/0.
Mar 25 16:23:26:%FPD_MGMT-5-CARD_POWER_CYCLE:7600-SIP-200 card in slot 1 is being power cycled for the FPD image upgrade to take effect.
Mar 25 16:23:26:%OIR-6-REMCARD:Card removed from slot 1, interfaces disabled
Mar 25 16:23:26:%C6KPWR-SP-4-DISABLED:power to module in slot 1 set off (Reset)
Mar 25 16:24:16:%CWAN_RP-6-CARDRELOAD:Module reloaded on slot 1/0
Mar 25 16:24:18:%DIAG-SP-6-RUN_COMPLETE:Module 1:Running Complete Diagnostics...
Mar 25 16:24:18:%DIAG-SP-6-DIAG_OK:Module 1:Passed Online Diagnostics
Mar 25 16:24:19:%OIR-SP-6-INSCARD:Card inserted in slot 1, interfaces are now online

Manual FPD Image Upgrade Example

In the following example, the FPD for the T1/E1 SPA in subslot 4/2 is upgraded manually from the FPD image package file that was placed on disk0:

Router# upgrade hw-module subslot 4/2 file disk0:c7600-fpd-pkg.122-18.SXE.pkg
% The following FPD(s) will be upgraded for SPA-8XCHT1/E1 (H/W ver = 0.117) in subslot 4/2:
================== =========== =========== ============
Field Programmable Current     Upgrade     Estimated
Device:"ID-Name"   Version     Version     Upgrade Time
================== =========== =========== ============
1-ROMMON           2.11        2.12        00:00:20
2-I/O FPGA         1.1         1.2         00:01:00
================== =========== =========== ============
% Are you sure that you want to perform this operation? [no]:y
% Restarting the target card in subslot 4/2 for FPD image upgrade. Please wait ...
Router#
Mar 25 17:01:01:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image upgrade time for SPA-8XCHT1/E1 card in subslot 4/2 = 00:01:20.
Mar 25 17:01:01:%FPD_MGMT-6-UPGRADE_START:ROMMON (FPD ID=1) image upgrade in progress for SPA-8XCHT1/E1 card in subslot 4/2. Updating to version 2.12. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:00:20) ...
Router#
Mar 25 17:01:04:%FPD_MGMT-6-UPGRADE_PASSED:ROMMON (FPD ID=1) image in the SPA-8XCHT1/E1 card in subslot 4/2 has been successfully updated from version 2.11 to version 2.12. Upgrading time = 00:00:03.092
Mar 25 17:01:04:%FPD_MGMT-6-UPGRADE_START:I/O FPGA (FPD ID=2) image upgrade in progress for SPA-8XCHT1/E1 card in subslot 4/2. Updating to version 1.2. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:01:00) ...
Router#
Mar 25 17:01:26:%FPD_MGMT-6-UPGRADE_PASSED:I/O FPGA (FPD ID=2) image in the SPA-8XCHT1/E1 card in subslot 4/2 has been successfully updated from version 1.1 to version 1.2. Upgrading time = 00:00:22.580
Mar 25 17:01:26:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to upgrade the required FPD images have been completed for SPA-8XCHT1/E1 card in subslot 4/2. Number of successful/failure upgrade(s):2/0.
Router#
Mar 25 17:01:26:%FPD_MGMT-5-CARD_POWER_CYCLE:SPA-8XCHT1/E1 card in subslot 4/2 is being power cycled for the FPD image upgrade to take effect.

Pending FPD Upgrade Example

In the following example, some FPD images are waiting for upgrades because the FPD upgrade process is upgrading another FPD on the same card (up to four FPD upgrades can occur at once, but the upgrades have to occur on hardware in different line card slots). In this particular example, the FPD upgrade process is happening on a SIP-200.

Mar 25 17:04:59:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image upgrade time for 7600-SIP-200 card in slot 1 = 00:10:00.
Mar 25 17:04:59:%FPD_MGMT-6-UPGRADE_START:ROMMON (FPD ID=5) image upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version 1.2. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) ...
Mar 25 17:05:08:%FPD_MGMT-6-UPGRADE_PASSED:ROMMON (FPD ID=5) image in the 7600-SIP-200 card in slot 1 has been successfully updated from version 1.1 to version 1.2. Upgrading time = 00:00:08.884
Mar 25 17:05:08:%FPD_MGMT-6-PENDING_UPGRADE:4 more FPD image upgrade operation will be required on 7600-SIP-200 in slot 1 after additional power-cycle operation on the target card.
Mar 25 17:05:08:%FPD_MGMT-5-CARD_POWER_CYCLE:7600-SIP-200 card in slot 1 is being power cycled for the FPD image upgrade to take effect.
Mar 25 17:05:08:%OIR-6-REMCARD:Card removed from slot 1, interfaces disabled
Mar 25 17:05:08:%C6KPWR-SP-4-DISABLED:power to module in slot 1 set off (Reset)
Mar 25 17:05:59:%CWAN_RP-6-CARDRELOAD:Module reloaded on slot 1/0
Mar 25 17:06:02:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image upgrade time for 7600-SIP-200 card in slot 1 = 00:10:00.
Mar 25 17:06:02:%FPD_MGMT-6-UPGRADE_START:I/O FPGA (FPD ID=1) image upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version 1.1. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) ...
Mar 25 17:06:21:%FPD_MGMT-6-UPGRADE_PASSED:I/O FPGA (FPD ID=1) image in the 7600-SIP-200 card in slot 1 has been successfully updated from version 1.0 to version 1.1. Upgrading time = 00:00:18.592
Mar 25 17:06:21:%FPD_MGMT-6-UPGRADE_START:EOS FPGA (FPD ID=2) image upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version 1.211. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) ...
Mar 25 17:07:18:%FPD_MGMT-6-UPGRADE_PASSED:EOS FPGA (FPD ID=2) image in the 7600-SIP-200 card in slot 1 has been successfully updated from version 1.210 to version 1.211. Upgrading time = 00:00:56.812
Mar 25 17:07:18:%FPD_MGMT-6-UPGRADE_START:PEGASUS TX FPGA (FPD ID=3) image upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version 1.129. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) ...
Mar 25 17:08:17:%FPD_MGMT-6-UPGRADE_PASSED:PEGASUS TX FPGA (FPD ID=3) image in the 7600-SIP-200 card in slot 1 has been successfully updated from version 1.120 to version 1.129. Upgrading time = 00:00:59.188
Mar 25 17:08:17:%FPD_MGMT-6-UPGRADE_START:PEGASUS RX FPGA (FPD ID=4) image upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version 1.3. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) ...
Mar 25 17:09:03:%FPD_MGMT-6-UPGRADE_PASSED:PEGASUS RX FPGA (FPD ID=4) image in the 7600-SIP-200 card in slot 1 has been successfully updated from version 1.2 to version 1.3. Upgrading time = 00:00:45.396
Mar 25 17:09:03:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to upgrade the required FPD images have been completed for 7600-SIP-200 card in slot 1. Number of successful/failure upgrade(s):5/0.
Mar 25 17:09:03:%FPD_MGMT-5-CARD_POWER_CYCLE:7600-SIP-200 card in slot 1 is being power cycled for the FPD image upgrade to take effect.

Troubleshooting Problems with FPD Image Upgrades

This section contains information to help troubleshoot problems that can occur during the upgrade process.
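To audit the show hw-module fpd tables shown earlier in this chapter without reading every row by hand, here is an added Python example (not Cisco's code) that parses the table, flags rows marked '*' in the Min. Required column, flags the '?.?' rows a card with an unreadable FPD shows (the form that appears in the troubleshooting section below), and pulls the required package filename from the NOTES block. The embedded sample output is constructed from this chapter's tables.

```python
"""Audit a Cisco 7600 'show hw-module ... fpd' table.

Added example, not Cisco's code.  Rows flagged '*' need an upgrade; rows
showing '?.?' belong to a card whose FPD could not be read, which is what an
upgrade interrupted by power loss or card removal leaves behind.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modeled on the disabled-SIP and corrupted-SPA tables in
# this chapter (the 7600-SIP... card name is left as the router prints it).
SAMPLE_OUTPUT = """\
Router# show hw-module all fpd
==== ====================== ====== =============================================
                            H/W    Field Programmable   Current   Min. Required
Slot Card Type              Ver.   Device:"ID-Name"     Version   Version
==== ====================== ====== ================== =========== ==============
1    7600-SIP-200           0.550  1-I/O FPGA            1.1        1.1
                                   2-EOS FPGA            1.211      1.211
                                   5-ROMMON              1.2        1.2
---- ---------------------- ------ ------------------ ----------- --------------
1/1  SPA-2XOC3-ATM          0.225  1-I/O FPGA            1.24       1.24
---- ---------------------- ------ ------------------ ----------- --------------
4    7600-SIP...            0.550  1-I/O FPGA            1.1        1.1
                                   5-ROMMON              1.1        1.2   *
---- ---------------------- ------ ------------------ ----------- --------------
4/1  SPA-4XOC3              ?.?    ????????????          ?.?        ?.?
==== ====================== ====== =============================================
NOTES:
  - FPD images that are required to be upgraded are indicated with a '*'
    character in the "Minimal Required Version" field.
  - The following FPD image package file is required for the upgrade:
    "c7600-fpd-pkg.122-18.SXE.pkg"
"""


@dataclass
class FpdRecord:
    slot: str        # "4" for a SIP, "4/1" for the SPA in subslot 1 of slot 4
    card: str
    hw_ver: str
    device: str      # e.g. "5-ROMMON"
    current: str
    minimum: str
    flagged: bool    # '*' in the Min. Required column

    @property
    def corrupted(self) -> bool:
        return "?" in self.current or "?" in self.minimum


# A row that names a card: slot, card type, H/W ver, then its first device row.
_SLOT_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# A device row: device name (may contain spaces), current, minimum, optional '*'.
_DEVICE = re.compile(r"^(\S.*?)\s+(\S+)\s+(\S+)(\s+\*)?\s*$")


def parse_fpd_table(text: str) -> List[FpdRecord]:
    records: List[FpdRecord] = []
    rules = 0                      # '====' rules: 1 opens, 2 ends header, 3 closes
    slot = card = hw_ver = None
    for line in text.splitlines():
        if line.startswith("NOTES"):
            break
        if line.startswith("===="):
            rules += 1
            if rules == 3:
                break
            continue
        if rules < 2 or line.startswith("----") or not line.strip():
            continue
        if line[0].isspace():
            rest = line.strip()             # continuation row of the same card
        else:
            m = _SLOT_ROW.match(line)
            if not m:
                raise ValueError(f"unparseable slot row: {line!r}")
            slot, card, hw_ver, rest = m.groups()
        d = _DEVICE.match(rest)
        if d is None or slot is None:
            raise ValueError(f"unparseable device row: {line!r}")
        device, current, minimum, star = d.groups()
        records.append(FpdRecord(slot, card, hw_ver, device, current, minimum,
                                 star is not None))
    return records


def required_package(text: str) -> Optional[str]:
    """Package filename quoted in the NOTES block, if the router printed one."""
    m = re.search(r'"([^"\s]+\.pkg)"', text)
    return m.group(1) if m else None


def audit(text: str) -> dict:
    recs = parse_fpd_table(text)
    needs_upgrade = [r for r in recs if r.flagged]
    corrupted = [r for r in recs if r.corrupted]
    # Only one FPD upgrade runs per chassis slot at a time, so report by slot.
    slots = sorted({r.slot.split("/")[0] for r in needs_upgrade + corrupted})
    return {
        "needs_upgrade": [(r.slot, r.device, r.current, r.minimum) for r in needs_upgrade],
        "corrupted": [(r.slot, r.card) for r in corrupted],
        "chassis_slots_affected": slots,
        "package": required_package(text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```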
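The FPD_MGMT and SPA_OIR messages in the examples above are the only record of whether an upgrade completed, left a card disabled, or left it needing a recovery upgrade; this added Python example (not Cisco's code) tracks that outcome per card from constructed log lines modeled on the message formats in this chapter. Attributing a message that names no slot or subslot (such as PKG_FILE_SEARCH_FAILED) to the card most recently named is an assumption of the example.

```python
"""Track FPD upgrade outcomes per card from Cisco IOS syslog messages.

Added example, not Cisco's code.  States are derived from the FPD_MGMT and
SPA_OIR mnemonics shown in this chapter's upgrade and troubleshooting examples.
Messages that carry no slot or subslot (e.g. PKG_FILE_SEARCH_FAILED) are
attributed to the card most recently named, an assumption of this example.
"""
import re
from collections import OrderedDict
from typing import Dict, Optional

_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d):%"
    r"(?P<fac>[A-Z0-9_-]+?)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):(?P<text>.*)$")
_LOCATION = re.compile(r"\b(subslot \d+/\d+|slot \d+)\b")
_OVERALL = re.compile(r"upgrade\(s\):(\d+)/(\d+)")
_PACKAGE = re.compile(r"\((\S+\.pkg)\)")

# Constructed sample modeled on the messages in this chapter: the SIP in slot 1
# is disabled because its package cannot be found, the SPA in subslot 4/2
# upgrades cleanly, and the SPA in subslot 4/1 is powered off after an
# interrupted upgrade and needs a recovery upgrade.
SAMPLE_LOG = """\
Mar 25 16:14:13:%FPD_MGMT-3-INCOMP_IMG_VER:Incompatible ROMMON (FPD ID=5) image version detected for 7600-SIP-200 card in slot 1. Detected version = 1.1, minimum required version = 1.2. Current HW version = 0.550.
Mar 25 16:14:13:%FPD_MGMT-5-UPGRADE_ATTEMPT:Attempting to automatically upgrade the FPD image(s) for 7600-SIP-200 card in slot 1. Use 'show upgrade fpd progress' command to view the upgrade progress ...
Mar 25 16:14:14:%FPD_MGMT-3-PKG_FILE_SEARCH_FAILED:FPD image package (c7600-fpd-pkg.122-18.SXE.pkg) cannot be found in system's flash card or disk to do FPD upgrade.
Mar 25 16:14:14:%FPD_MGMT-5-CARD_DISABLED:7600-SIP-200 card in slot 1 is being disabled because of an incompatible FPD image version. Note that the c7600-fpd-pkg.122-18.SXE.pkg package will be required if you want to perform the upgrade operation.
Mar 25 17:01:01:%FPD_MGMT-6-UPGRADE_START:ROMMON (FPD ID=1) image upgrade in progress for SPA-8XCHT1/E1 card in subslot 4/2. Updating to version 2.12. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:00:20) ...
Mar 25 17:01:04:%FPD_MGMT-6-UPGRADE_PASSED:ROMMON (FPD ID=1) image in the SPA-8XCHT1/E1 card in subslot 4/2 has been successfully updated from version 2.11 to version 2.12. Upgrading time = 00:00:03.092
Mar 25 17:01:26:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to upgrade the required FPD images have been completed for SPA-8XCHT1/E1 card in subslot 4/2. Number of successful/failure upgrade(s):2/0.
Mar 25 17:01:26:%FPD_MGMT-5-CARD_POWER_CYCLE:SPA-8XCHT1/E1 card in subslot 4/2 is being power cycled for the FPD image upgrade to take effect.
Mar 29 11:30:36:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting recovery by reloading SPA
Mar 29 11:30:51:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:31:31:%SPA_OIR-3-SPA_POWERED_OFF:subslot 4/1:SPA 4xOC3 POS SPA powered off after 5 failures within 600 seconds
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one IOS syslog line into timestamp, facility, severity, mnemonic, text."""
    m = _SYSLOG.match(line.strip())
    return m.groupdict() if m else None


def track_upgrades(log_text: str) -> Dict[str, dict]:
    """Return {"slot 1": {...}, "subslot 4/2": {...}, ...} with each card's last state."""
    cards = OrderedDict()
    last_loc = None
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is None:
            continue
        found = _LOCATION.search(msg["text"])
        loc = found.group(1) if found else last_loc   # assumption: see docstring
        if loc is None:
            continue
        last_loc = loc
        card = cards.setdefault(loc, {"state": "unknown", "package": None,
                                      "ok": 0, "failed": 0, "power_cycled": False})
        mnem = msg["mnem"]
        if mnem == "INCOMP_IMG_VER":
            card["state"] = "incompatible"        # card stays disabled until upgraded
        elif mnem in ("UPGRADE_ATTEMPT", "UPGRADE_START"):
            card["state"] = "upgrading"
        elif mnem == "PKG_FILE_SEARCH_FAILED":
            card["state"] = "package_missing"
            pkg = _PACKAGE.search(msg["text"])
            card["package"] = pkg.group(1) if pkg else None
        elif mnem == "CARD_DISABLED":
            card["state"] = "disabled"            # system has powered the card off
        elif mnem == "UPGRADE_PASSED":
            card["ok"] += 1
        elif mnem == "PENDING_UPGRADE":
            card["state"] = "more_upgrades_pending"
        elif mnem == "OVERALL_UPGRADE":
            ok, failed = map(int, _OVERALL.search(msg["text"]).groups())
            card["ok"], card["failed"] = ok, failed
            card["state"] = "completed" if failed == 0 else "partial_failure"
        elif mnem == "CARD_POWER_CYCLE":
            card["power_cycled"] = True           # the new image takes effect after this
        elif mnem in ("RECOVERY_RELOAD", "HW_INIT_TIMEOUT"):
            card["state"] = "init_failing"
        elif mnem == "SPA_POWERED_OFF":
            card["state"] = "recovery_required"   # now eligible for a recovery upgrade
    return cards


if __name__ == "__main__":
    for loc, info in track_upgrades(SAMPLE_LOG).items():
        print(f"{loc}: {info}")
```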
Power Failure or Removal of a SIP or SPA During an FPD Image Upgrade

These instructions should only be used if a previous upgrade attempt has failed due to an external factor such as a power failure or a jacket card or SPA removal.

If the FPD upgrade operation is interrupted by a power failure or the removal of the SIP or SPA, it could corrupt the FPD image. This corruption of the FPD image file makes the SIP or SPA unusable by the router, and the system displays the following messages when it tries to power up the SIP or SPA:

Note: To find more information about FPD-related messages, check the system error messages guide for your Cisco IOS software release.

Mar 29 11:30:36:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting recovery by reloading SPA
Mar 29 11:30:51:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:30:56:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting recovery by reloading SPA
Mar 29 11:31:11:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:31:16:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting recovery by reloading SPA
Mar 29 11:31:31:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:31:31:%SPA_OIR-3-SPA_POWERED_OFF:subslot 4/1:SPA 4xOC3 POS SPA powered off after 5 failures within 600 seconds

The show hw-module all fpd command can be used to verify that the SIP or SPA is using a corrupted FPD image. In this example, the SPA in slot 4/1 is corrupted.

Router# show hw-module all fpd
==== ====================== ====== =============================================
                            H/W    Field Programmable   Current   Min. Required
Slot Card Type              Ver.   Device:"ID-Name"     Version   Version
==== ====================== ====== ================== =========== ==============
4    7600-SIP-200           0.550  1-I/O FPGA            1.1        1.1
                                   2-EOS FPGA            1.211      1.211
                                   3-PEGASUS TX FPGA     1.129      1.129
                                   4-PEGASUS RX FPGA     1.3        1.3
                                   5-ROMMON              1.2        1.2
---- ---------------------- ------ ------------------ ----------- --------------
4/1  SPA-4XOC3              ?.?    ????????????          ?.?        ?.?
==== ====================== ====== =============================================

Performing an FPD Recovery Upgrade

The recovery upgrade procedure can only be performed on a SIP or SPA that has been powered off by the system after it has failed all of the retries attempted to initialize the SIP or SPA. The following example displays the output of an attempt to perform a recovery upgrade before all the initialization retries have been attempted for the SPA in subslot 4/1.

Note: Other factors can cause the system to ask "Do you want to perform the recovery upgrade operation?" Only answer y to this question if you have attempted an FPD upgrade that has failed due to a power failure or a SIP or SPA removal. If you are prompted with this question without having previously had a failed upgrade attempt for one of the aforementioned reasons, contact Cisco Technical Support.

Mar 29 11:29:55:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting recovery by reloading SPA
Mar 29 11:30:10:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:30:15:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting recovery by reloading SPA
Mar 29 11:30:31:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Router# upgrade hw-module subslot 4/1 file disk0:c7600-fpd-pkg.122-18.SXE.pkg
% Cannot get FPD version information for version checking. If a previous upgrade attempt has failed for the target card, then a recovery upgrade would be required to fix the failure.
% The following FPD(s) will be upgraded for SPA-4XOC3-POS (H/W ver = 0.209) in subslot 4/1:
================== =========== =========== ============
Field Programmable Current     Upgrade     Estimated
Device:"ID-Name"   Version     Version     Upgrade Time
================== =========== =========== ============
1-I/O FPGA         ?.?         3.4         00:02:00
================== =========== =========== ============
% Do you want to perform the recovery upgrade operation? [no]:y
% Cannot perform recovery upgrade operation because the target card is not in a failed state. Please try again later.

Once the following error message is displayed, you can perform the recovery upgrade:

Note: You must wait to see this error message before you attempt the upgrade.

Mar 29 11:31:31:%SPA_OIR-3-SPA_POWERED_OFF:subslot 4/1:SPA 4xOC3 POS SPA powered off after 5 failures within 600 seconds

Perform the manual FPD image upgrade method using the upgrade hw-module subslot slot-number/subslot-number file file-url command to recover from a corrupted image after the SIP or SPA has been powered off by the system. In this command, slot-number is the slot where the SIP is installed, subslot-number is the subslot of the SIP where the SPA is located, and file-url is the location of the FPD image package file.

Note: Before proceeding with this operation, make sure that the correct version of the FPD image package file has been obtained for the corresponding Cisco IOS release that the system is using.

The following example displays the console output of a recovery upgrade operation:

Router# upgrade hw-module subslot 4/1 file disk0:c7600-fpd-pkg.122-18.SXE.pkg
% Cannot get FPD version information for version checking. If a previous upgrade attempt has failed for the target card, then a recovery upgrade would be required to fix the failure.
% The following FPD(s) will be upgraded for SPA-4XOC3-POS (H/W ver = 0.209) in subslot 4/1:
================== =========== =========== ============
Field Programmable Current     Upgrade     Estimated
Device:"ID-Name"   Version     Version     Upgrade Time
================== =========== =========== ============
1-I/O FPGA         ?.?         3.4         00:02:00
================== =========== =========== ============
% Do you want to perform the recovery upgrade operation? [no]:y
% Proceeding with recovery upgrade operation ...
Router#
Mar 29 11:37:51:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image upgrade time for SPA-4XOC3-POS card in subslot 4/1 = 00:02:00.
Mar 29 11:37:51:%FPD_MGMT-6-UPGRADE_START:Unknown FPD (FPD ID=1) image upgrade in progress for SPA-4XOC3-POS card in subslot 4/1. Updating to version 3.4. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) ...
Router#
Mar 29 11:39:11:%FPD_MGMT-6-UPGRADE_PASSED:Unknown FPD (FPD ID=1) image in the SPA-4XOC3-POS card in subslot 4/1 has been successfully updated from version ?.? to version 3.4. Upgrading time = 00:01:19.528
Mar 29 11:39:11:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to upgrade the required FPD images have been completed for SPA-4XOC3-POS card in subslot 4/1. Number of successful/failure upgrade(s):1/0.
Mar 29 11:39:11:%FPD_MGMT-5-CARD_POWER_CYCLE:SPA-4XOC3-POS card in subslot 4/1 is being power cycled for the FPD image upgrade to take effect.

Verifying a Successful Upgrade

After the upgrade process is complete, you can use the show hw-module all fpd command to verify that the FPD image has been successfully upgraded:

Router# show hw-module all fpd
==== ====================== ====== =============================================
                            H/W    Field Programmable   Current   Min. Required
Slot Card Type              Ver.   Device:"ID-Name"     Version   Version
==== ====================== ====== ================== =========== ==============
4    7600-SIP-200           0.550  1-I/O FPGA            1.1        1.1
                                   2-EOS FPGA            1.211      1.211
                                   3-PEGASUS TX FPGA     1.129      1.129
                                   4-PEGASUS RX FPGA     1.3        1.3
                                   5-ROMMON              1.2        1.2
---- ---------------------- ------ ------------------ ----------- --------------
4/1  SPA-4XOC3-POS          0.209  1-I/O FPGA            3.4        3.4
==== ====================== ====== =============================================

PART 10  Glossary

GLOSSARY

B

blank filler plate
    An empty panel used to fill vacant subslots on a SIP. For proper operation, a SIP should be fully installed with either functional SPAs or blank filler plates.

D

double height
    Describes the dimension of a SPA that occupies two vertically aligned SIP subslots.

F

FPD
    Field-programmable device. General term for any hardware component implemented on router cards that supports separate software upgrades. SIPs and SPAs must have the right FPD version to function properly; an FPD incompatibility will disable all interfaces on the SPA or all SPAs within the SIP.

FPD image package
    An FPD image package is used to upgrade FPD images. Whenever a Cisco IOS image is released that supports SPAs, a companion SPA FPD image package is also released for that Cisco IOS software release.

O

OIR
    Online insertion and removal. Feature supported by SIPs and SPAs allowing removal of the cards while the router and the cards are activated, without affecting the operation of other cards or the router. Although this removal can be done while the SIP or SPA is activated, it is generally recommended that you gracefully deactivate the hardware using the appropriate commands for your platform prior to removal of the hardware.
S

SFP
    Small form-factor pluggable optical transceiver. A type of fiber optic receptacle device that mounts flush with the front panel to provide network connectivity.

single height
    Describes the dimension of a SPA that occupies a single SIP subslot, or half of the SIP.

SIP
    SPA interface processor. A SIP is a platform-specific carrier card that inserts into a router slot like a line card. A SIP can hold one or more SPAs in its subslots, depending on the SIP type. The SPA provides the network interface. The SIP provides the connection between the route processor (RP) and the SPA.

SPA
    Shared port adapter. A SPA is a modular, platform-independent port adapter that inserts into a subslot of a compatible SIP carrier card to provide network connectivity and increased interface port density. The SPA provides the interface between the network and the SIP.

subslot
    Secondary slot on a SIP where a SPA is installed. The primary slot is the chassis slot on the router.
giant packets 7-4 global configuration mode, summary of 1-7 GRE tunneling configuration (example) 25-40 configuring 25-21 interfaces and subinterfaces, configuring 12-18 takeover criteria 25-23 H hardware platforms See platforms, supported HCSE 8-16 help command 1-8 Hierarchical VPLS (H-VPLS) 12-46 Hot Standby Router Protocol (HSRP) verifying configuration 12-6 http //www.cisco.com/en/US/docs/general/whatsnew/what snew.html iii-l //www.cisco.com/en/US/docs/switches/lan/catalyst65 00/ios/12.2SXF/native/release/notes/OL_4164.html 3-12, 3-20, 3-23, 3-24 //www.cisco.com/en/US/support/tsd_cisco_worldwid e_contacts.html 10-61 hw-module reset command 4-170 hw-module slot subslot only command 26-33 hw-module subslot command 12-103 hw-module subslot shutdown command 5-6, 5-7, 5-8 I IC-SSO 20-27 Index IN-6 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 IEEE 802.1Q encapsulation 12-11 configuration (example) 12-108 configuring 12-13 IF-MIB 3-25 IKE policy troubleshooting 34-27 inside port, configuring 25-7 inside VRF (IVRF), defined 26-2 Inter Chassis Redundancy Manager 20-28 Inter Chassis-Stateful Switchover 20-27 interface basic configuration (example) 12-105 enabling 12-4 restarting 12-103 shutting down 12-103 verifying configuration 12-104 interface address, specifying 12-4 interface atm command 4-39, 4-40 interface configuration mode, summary of 1-7 interface fastethernet command 12-3, 12-14 interface gigabitethernet command 12-3, 12-14, 12-95 interface mfr command 4-10 interface multilink command 4-17, 22-15 interface port-channel (command) 4-166, 4-167, 4-168, 4-169 interface pos command 4-45, 4-46, 4-47, 4-61, 4-65 interface serial command 4-12, 4-19, 4-45, 4-46, 4-47, 4-50, 4-61, 4-65, 22-15 interface status line states, show interfaces serial command 23-3 interface tengigabitethernet command 12-3, 12-14 ip address command 4-16, 4-17, 12-3, 12-14, 22-15 ip cef distributed command 4-16 IP multicast over a GRE tunnel configuration 
(example) 25-43, 26-33 configuring 25-26 IP multicast over a VTI tunnel configuration (example) 26-37 ip pim smarse-mode command 12-18 IPSec and IKE MIB support for Cisco VRF-Aware IPSec configuring 33-9 IPSec anti-replay window size configuration (examples) 29-36 configuring 29-6 IPsec manual keying 25-6 IPSec NAT transparency, configuring 28-19 IPsec preferred peer configuration (examples) 29-38 IPSec preferred peer, configuring 29-8 IPSec security association (SA) idle timer configuration (examples) 29-38 IPsec security association (SA) idle timer configuring 29-12 IPsec stateful failover troubleshooting 34-25 IPSec stateful failover using a blade failure group (BFG) configuration (example) 32-38 configuring 32-22 IPSec stateful failover using HSRP and SSP active chassis configuration (example) 32-30 IPSec stateless failover using HSRP active chassis configuration (example) 32-27 configuring 32-3 remote router configuration (example) 32-31, 32-36 IPsec stateless failover using HSRP remote router configuration (example) 32-28 IPSec stateless failover using HSRP and RRI, configuring 32-3 IPSec VPN accounting configuration (examples) 33-10 configuring 33-5 IPSec VPN monitoring configuration (example) 33-11 configuring 33-2 IPSec VPN SPA IPSec stateful failover using HSRP RRI and SSP, configuring 32-3 IPSec stateless failover using HSRP RRI, configuring 32-3 VPN running state, displaying 25-21 Index IN-7 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 ISAKMP keyrings and peer filtering configuration (example) 28-22 configuring 28-4 IVRF, defined 26-2 K keyboard shortcuts 1-6 key rollover for certificate renewal configuration (examples) 30-60 configuring 30-30 L LACP over EVC Port Channel configuration commands, configuration steps 12-52 LAF 27-3 LFI (Link Fragmentation and Interleaving) configuring on SIPs 4-21 over MLPPP, configuring 4-20, 22-16 to ?? 
lines interface status states, show interfaces serial command 23-3 serial show interfaces serial command 23-4 local certificate storage location configuration (example) 30-55 local certificate storage location, configuring 30-14 LOF 8-16 Look-Ahead Fragmentation. See LAF. loopback external 13-8 internal 13-8 loopback command 8-17, 13-8 loopback diagnostic command 8-17, 8-20 loopback driver command 13-8 loopback external command 13-8 loopback internal command 13-8 loopback line command 8-22 loopback mac command 13-8 loss of frame, see LOF M MAC address configuration (example) 12-105 modifying 12-5 verifying 12-5 MAC address accounting configuration (example) 12-106 Management Information Base (MIB) downloading 11-20 supported on SPAs 11-20 manual certificate enrollment (TFTP and cut-and-paste) configuration (examples) 30-56 configuring 30-22 manual keying 25-6 match as command 3-21 match bgp-community command 3-21 match class-map command 3-21 match cos inner command 3-21 match discard-class command 3-21 match dscp command 3-18 match fr-dlci command 3-21 match input interface command 6-16 match input-interface command 3-21 match input vlan command 3-18, 3-21 match ip precedence command 3-18 match ip rtp command 3-21 match mac command 3-21 match mpls experimental command 3-18 match packet length command 3-21 match protocol command 3-21 match qos-group command 3-18, 3-21 match vlan command 3-18, 3-21 match vlan inner command 3-21 MBS 6-5 Index IN-8 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 mGRE enabling 31-3 MIB (Management Information Base) on Cisco 7600 SIP-200 3-24 on Cisco 7600 SIP-400 3-24 minimum burst size, see MBS MLFR (Multilink Frame Relay) configuration guidelines hardware-based 4-9 software-based 4-9 configuration tasks 4-10 overview 4-8 MLPPP (Multilink PPP) configuration guidelines hardware based 4-15 software based 4-15 configuration tasks 4-15, 22-14 LFI configuring 4-20, 22-16 guidelines, software based 4-20 
verifying 4-20, 22-16 modes See command modes MPB (Multipoint Bridging) configuring 4-36 on Cisco 7600 SIP-200 ATM SPAs 3-5 on Cisco 7600 SIP-200 serial SPAs 3-6 on Cisco 7600 SIP-400 3-22 MPLS labels, and interface MTU size 12-10 mpls mtu command 12-10, 15-2 MPLSoGRE and mVPNoGRE 12-17 configuration (example) 12-110 MR-APS 20-27 MTU (maximum transmission unit) configuration (example) 12-108 configuring 27-12 default size 12-9 interface MTU additional overhead 12-10 and MPLS labels 12-10 configuration guidelines 12-10 configuring 12-10 description 12-9 verifying 12-11 IP MTU description 12-9 maximum size 12-9 MPLS MTU description 12-9 tag MTU description 12-9 types 12-9 mtu command 12-4, 12-10 Multicast over a GRE tunnel configuration (example) 25-43, 26-33 configuring 25-26 Multicast over a VTI tunnel configuration (example) 26-37 multicast routes 12-19 multicast Virtual Private Network over generic routing encapsulation (mVPNoGRE) 12-17 multilink-group command 4-19, 22-16 Multilink PPP (MLPPP) LFI guidelines, hardware based 4-20 multiple RSA key pairs configuration (example) 30-53 configuring 30-3 multiple SPAs in a chassis configuration (example) 32-24 configuring 32-2 Multipoint Bridging (MPB) 12-15 multiPoint bridging over Ethernet 12-93 multipoint GRE See mGRE 31-3 Multi Router-Automatic Protection Switching 20-27 mVPNoGRE 12-110 Index IN-9 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 N NAT keepalives configuration (example) 28-24 negotiation auto command 12-12, 12-13 no hw-module subslot shutdown command 5-7, 5-9 no negotiation auto command 12-12 no power enable module command 5-4, 5-8 no shut command 12-4 no shutdown command 4-62, 4-66 notes, usage in text iii-l no upgrade fpd auto command 35-6 NVRAM (nonvolatile random-access memory) 12-103 O OCSP (Online Certificate Status Protocol) configuration (example) 30-61 configuring 30-37 OIR (online insertion and removal) and shutting down or restarting interfaces 12-103 
event tracing for SPAs 5-3, 8-27, 13-9, 23-18 for SIPs 2-1, 5-4 for SPAs 2-3, 5-6, 8-27, 13-10, 23-18, 34-30 for SSCs 2-2 troubleshooting 5-3, 8-27, 13-9, 23-18 OLD-CISCO-CHASSIS-MIB 3-24, 3-25 optics modules qualified for SPAs (table) 2-6 optional OCSP nonces configuration (example) 30-62 optional OCSP nonces, configuring 30-41 OSMs, OC-12 ATM overview 6-4 OUI in MAC address 6-12 outside port, configuring 25-7 oversubscription Cisco 7600 SIP-400 3-22, 5-3 P packet flow, on Fast Ethernet or Gigabit Ethernet SPA 11-21 PCR 6-5 peak cell rate, see PCR persistent self-signed certificates configuration (examples) 30-64 configuring 30-48 Per VLAN Spanning Tree (PVST) 6-12 PIM 25-26 ping command 8-16 PKI AAA authorization using the entire subject name configuration (example) 30-63 configuring 30-45 PKI query multiple servers during certificate revocation check configuration (example) 30-61 configuring 30-36 platforms, supported release notes, identify using 1-13 power enable module command 5-5, 5-8 PPP (Point-to-Point Protocol) with IPSec VPN SPA 25-20 ppp authentication chap command 4-19, 22-16 ppp chap hostname command 4-19 ppp multilink command 4-19 ppp multilink fragment-delay command 4-18, 22-15 ppp multilink interleave command 4-16, 4-17, 4-20, 22-15, 22-16 priority command 6-16 Private Hosts over Virtual Private LAN Service 4-54 privileged EXEC mode, summary of 1-7 prompts, system 1-7 protected private key storage configuration (example) 30-54 configuring 30-5 Provider Edge to Provider Edge (PE-to-PE) tunneling 12-18 PVST+ 6-12 Index IN-10 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 PVST and PVST+ interoperability 6-12 802.1D 6-12 common part convergence sublayer 6-13 L2PT topologies 7-17 line cards supported 6-13 problem summarized 6-13 Q QoS carrier, configuration (example) 29-24 configuring 29-17 module, configuration (example) 29-24, 29-40 QoS (Quality of Service) configuring on SIPs ?? 
to 4-129 QoS, configuring 29-15 quality of service. See QoS. query mode definition per trustpoint configuration (example) 30-54 configuring 30-11 query multiple servers during certificate revocation check configuration (example) 30-61 configuring 30-36 question mark (?) command 1-8 R RAI 8-16 release history Fast Ethernet SPAs 11-1 Gigabit Ethernet SPAs 11-1 release notes See platforms, supported remote alarm indication, see RAI Reverse Route Injection (RRI), configuring 29-3 rewrite ingress tag command 12-95 RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Bridged and Routed 3-10, 3-15 RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Multipoint Bridging 3-5, 3-10, 3-22 RFC 1490, Multiprotocol Interconnect over Frame Relay, Multipoint Bridging 3-6, 3-10 RFC 1663, PPP Reliable Transmission 3-19 RFC 1889, RTP A Transport Protocol for Real-Time Applications 4-5 RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP) 3-10, 3-15, 4-56 ROM monitor mode, summary of 1-7 routed port configuration (example) 25-31 configuring 25-11 RRI, configuring 29-3 RSA signature storage, configuring 31-16 running configuration, saving to NVRAM 12-103 Rx cell HCS error, see HCSE S Safenet IPSec client support configuration (example) 28-22 configuring 28-4 SCR 6-5 security associations clearing 34-24 sequenced ACLs, configuring 29-33 serial lines troubleshooting show interfaces serial command 23-4 service instance command 12-95 set identity command 29-15 set mpls experimental command 4-82 SFP (small form-factor pluggable) optics Cisco Systems qualification check 2-6 qualified for SPAs (table) 2-6 shape adaptive command 6-16 shape average command 6-16 shape command 6-16 Index IN-11 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 shape fecn-adapt command 6-16 shape peak command 6-16 show aps command 8-13 show aps group command 8-15 show atm class-link command 8-13 show atm ilmi-status 8-10 show atm 
ilmi-status command 8-11 show atm interface atm command 7-6, 8-6 show atm map command 8-11 show atm pvc command 7-10, 8-9 show atm pvc interface atm command 8-9 show atm svc interface atm command 8-10 show atm traffic command 8-12 show atm traffic shaping slot command 8-12 show atm vc command 8-8, 8-9, 8-10 show atm vc interface atm command 7-10 show atm vlan command 8-12 show atm vp command 8-8 show command 13-2 show commands for IPSec VPN SPA 34-6 show controllers atm command 6-17, 8-4, 8-5 example 6-21 show controllers command 6-20 show crypto ace redundancy 34-15 show crypto ace redundancy command 34-15 show crypto ca certificates 34-16 show crypto ca trustpoints command 34-17 show crypto engine accelerator statistic command 34-4 show crypto ipsec ha command 34-11 show crypto ipsec sa command 28-21, 34-9, 34-12 show crypto ipsec sa standby command 34-13 show crypto ipsec transform-set command 34-9 show crypto isakmp policy command 34-8 show crypto isakmp sa addr command 34-11 show crypto isakmp sa command 34-11 show crypto key mypublickey rsa command 34-15 show crypto key pubkey-chain rsa command 34-16 show crypto map command 34-9 show crypto redundancy linecard-group command 34-15 show crypto session 34-18 show crypto sockets command 34-18 show crypto vlan command 34-7, 34-8, 34-23 show cwan mplsogre command 12-20 show diagbus command 3-26, 4-4, 34-3 show diag command 6-20, 8-5, 9-17 example 6-21 show ethernet oam discovery command 12-74 show ethernet oam statistics command 12-74 show ethernet oam status command 12-75 show ethernet oam summary command 12-75 show frame-relay multilink command 4-13 show history command 1-6 show hw-module slot command 4-4 show hw-module slot fpd command 34-6 show hw-module subslot command 4-5, 35-10 show hw-module subslot fpd command 8-3, 35-16 show hw-module subslot oir command 5-7 show idprom command 3-26 show idprom module command 4-4, 4-5, 8-4 show interface atm command 8-5 show interface command 7-5, 7-7 show interfaces atm 
command 7-4 example 6-20, 9-17 show interfaces command 6-20, 9-17, 11-22, 13-2 show interfaces fastethernet 13-2 show interfaces fastethernet command 11-22 show interfaces gigabit ethernet command 12-11 show interfaces gigabitethernet command 11-23, 12-5, 12-22, 13-2 show interfaces serial command troubleshooting serial lines 23-4 show interfaces tengigabitethernet command 11-23, 13-2 show interfaces trunk command 4-63, 34-7 show interfaces tunnel 34-19 show ip interface command 5-7, 7-5, 7-7, 8-7 show ip mroute command 12-19, 34-23 show ip nhrp command 34-18 Index IN-12 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 show ip route command 12-18 show module command 3-26, 4-4, 5-5 show mpls interface command 7-5, 7-7 show ppp multilink command 4-20, 6-17, 22-16 show redundancy linecard-group command 34-15 show running-config command 35-8 show sip-disk command 4-4 show ssp client command 34-14 show ssp packet command 34-14 show ssp peers command 34-14 show ssp redundancy command 34-14 show standby command 12-6 show upgrade package default command 35-12 show upgrade progress command 35-12 show version command 8-3 show vlan id command 8-13 show vlans command 12-15 shutdown command 4-61, 4-66, 12-104 Simple Symmetric Transmission Protocol (SSTP) 6-12 single-SPA mode configuring 25-27 SIP (SPA interface processor) activation (example) 5-8 blank filler plates 2-1 chassis slot installation (figure) 4-4 deactivating 5-4 deactivation (example) 5-8 definition 2-1 features supported 3-5 general characteristics 2-1 hardware type, displaying 3-26 to 3-27 reactivating 5-4 release history 3-1 resetting 4-170 SPA compatiblity (table) 2-4, 2-5 subslots description 2-1 numbering 4-5 specifying location in CLI 4-5 supervisor engine support 4-3 SNAP (Subnetwork Access Protocol) encapsulation 12-9, 12-11 SONET MIB 3-25 source interface selection for outgoing traffic with certificate authority configuration (example) 30-63 configuring 30-47 SPA 
automatic recovery 13-7 SPA (shared port adapter) activation (example) 5-8 chassis slot orientation (figure) 2-3 deactivating 5-6 deactivation (example) 5-8 definition 2-2 double-height description 2-2 FPD image packages overview 35-3 heights supported (figure) 2-2 description 2-2 interfaces 2-3 optics compatibility (table) 2-6 reactivating 5-7 single-height description 2-2 SIP compatibility (table) 2-4, 2-5 subslot numbering (figure) 4-4 SPA architecture description 11-21 POS SPA description 14-7 to 14-10 SPA hardware type, displaying 11-22 Spanning-Tree Protocol (STP) 6-12 SSC (SPA services card) blank filler plates 2-2 definition 2-2 general characteristics 2-2 states interface status line, show interfaces serial command 23-3 Index IN-13 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 subinterfaces, configuring 12-13 to 12-14 subslots description 2-1 numbering 4-5 specifying location in CLI 4-5 supervisor engines supported by SIPs 4-3 sustained cell rate, see SCR switchport command 4-40, 4-47, 4-61, 4-65 switchport trunk allowed vlan command 4-62 system error messages Cisco 7600 SSC-400 34-2 IPSec VPN SPA 34-2 T Tab key, command completion 1-8 TFTP server, downloading FPD images to 35-7 to 35-9 tips, usage in text iii-l transform sets troubleshooting 34-27 troubleshooting Fast Ethernet SPA 13-1 Gigabit Ethernet SPA 13-1 trunk port configuration (example) 25-34 configuring 25-15 trustpoint CA configuration (example) 30-54 configuring 30-8 tunnel-to-interface mappings 12-20 U UBR 6-5 unicast routes 12-18 unspecified bit rate, see UBR upgrade fpd auto command 35-6, 35-8, 35-13 upgrade fpd path command 35-7, 35-9 upgrade hw-module subslot command 35-7 user EXEC mode, summary of 1-7 V variable bit rate-non-real-time, see VBR-nrt variable bit rate-real-time, see VBR-rt VBR 6-5 VBR-nrt 6-5 Virtual Private LAN Service (VPLS) 12-46 Virtual Tunnel Interface. See VTI. 
vlan command 4-65 VLANs (virtual LANs) configuration (example) 12-108 configuring on a subinterface 12-13 verifying configuration 12-15 VPN Routing and Forwarding (VRF) number 12-18 VPN sessions, monitoring and managing 33-2 VRF-aware IPSec. See VRF mode. VRF instance, defined 26-2 VRF-lite 24-18, 24-19 VRF mode configuration (examples) 26-21 configuring VTI 26-16 defined 26-1 front door VRF (FVRF) 26-2 guidelines and restrictions 26-4 inside VRF (IVRF) 26-2 VRF instance 26-2 with chassis-to-chassis stateless failover configuring 32-18 without tunnel protection 26-6 with tunnel protection 26-12 VTI configuring in VRF mode 26-16 defined 26-16 Index IN-14 Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide OL-5070-30 W WAN interfaces ATM configuration (example) 25-36 configuring 25-20 POS configuration (example) 25-37 serial port configuration (example) 25-38 X xconnect command 3-21