
Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 12      Configuring Traffic Filtering

Time-Based ACLs

Monitoring and Maintaining Time-Based ACLs

To monitor and maintain time-based ACLs, enter any of the following commands in privileged EXEC 
mode:

Configuration Examples for Time-Based ACLs

The following example permits Telnet connections from the 10.1.1.0 network to the 172.16.1.0 network 
on Monday, Wednesday, and Friday during business hours.

time-range EVERYOTHERDAY
 periodic Monday Wednesday Friday 8:00 to 17:00
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in

The following example permits SMTP traffic from all networks to all networks indefinitely, 
beginning at 12:00 p.m. on January 1, 2001.

time-range forever
 absolute start 12:00 1 January 2001
!
ip access-list extended allusers
 permit tcp any any eq 25 time-range forever

The following example permits UDP traffic until noon on December 31, 2000. The ACL entry will no 
longer allow UDP traffic after that date and time.

time-range stop-udp
 absolute end 12:00 31 December 2000
!
ip access-list extended usa
 permit udp any any time-range stop-udp

The following configuration example permits Telnet traffic on Monday, Tuesday, and Friday from 
9:00 a.m. to 5:00 p.m.:

time-range telnet
 periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended camden
 permit tcp any any eq telnet time-range telnet
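The following Python script is an added example, not part of the Cisco guide: it parses the four configurations above and reports, for a given router-clock time, whether each ACL entry's time range is active, inactive, or expired, which makes entries such as stop-udp that can never match again easy to spot in a review. The function names are hypothetical, only the same-day periodic form used on this page is parsed, and treating the end minute as inclusive is an assumption.

```python
"""Offline audit of IOS time-range definitions (added example, not Cisco code)."""
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": DAYS, "weekdays": DAYS[:5], "weekend": DAYS[5:]}

# The four configurations from this page, concatenated (interface lines omitted).
CONFIG = """\
time-range EVERYOTHERDAY
 periodic Monday Wednesday Friday 8:00 to 17:00
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY
!
time-range forever
 absolute start 12:00 1 January 2001
!
ip access-list extended allusers
 permit tcp any any eq 25 time-range forever
!
time-range stop-udp
 absolute end 12:00 31 December 2000
!
ip access-list extended usa
 permit udp any any time-range stop-udp
!
time-range telnet
 periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended camden
 permit tcp any any eq telnet time-range telnet
"""


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse(config):
    """Return (ranges, aces): ranges maps name -> definition, aces is [(acl, range_name)]."""
    ranges, aces, current, acl = {}, [], None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "time-range":
            current = ranges.setdefault(tok[1], {"periodic": [], "start": None, "end": None})
        elif tok[0] == "periodic" and current is not None:
            # Same-day form only: periodic <days...> HH:MM to HH:MM
            to = tok.index("to")
            days = set()
            for word in tok[1:to - 1]:
                days.update(DAY_GROUPS.get(word.lower(), [word.lower()]))
            current["periodic"].append((days, _minutes(tok[to - 1]), _minutes(tok[to + 1])))
        elif tok[0] == "absolute" and current is not None:
            for key in ("start", "end"):
                if key in tok:
                    i = tok.index(key)  # followed by HH:MM day month year
                    current[key] = datetime.strptime(" ".join(tok[i + 1:i + 5]), "%H:%M %d %B %Y")
        elif tok[:2] == ["ip", "access-list"]:
            acl = tok[-1]  # named ACL; the entries that follow belong to it
        elif "time-range" in tok[1:]:
            owner = tok[1] if tok[0] == "access-list" else acl
            aces.append((owner, tok[tok.index("time-range") + 1]))
    return ranges, aces


def state(tr, when):
    """Classify one parsed time range at `when` (router local time)."""
    now = when.replace(second=0, microsecond=0)
    if tr["end"] and now > tr["end"]:
        return "expired"  # absolute end has passed: the entry can never match again
    if tr["start"] and now < tr["start"]:
        return "inactive"
    if not tr["periodic"]:
        return "active"
    day, minute = DAYS[now.weekday()], now.hour * 60 + now.minute
    # Assumption: the end minute is inclusive.
    hit = any(day in days and lo <= minute <= hi for days, lo, hi in tr["periodic"])
    return "active" if hit else "inactive"


def audit(config, when):
    """Return [(acl, time_range, verdict)] for every ACL entry that names a time range."""
    ranges, aces = parse(config)
    return [(acl, name, state(ranges[name], when) if name in ranges else "undefined")
            for acl, name in aces]


if __name__ == "__main__":
    # Constructed sample time: Wednesday, 6 March 2024, 10:30 local.
    for acl, name, verdict in audit(CONFIG, datetime(2024, 3, 6, 10, 30)):
        print(f"{acl:10} {name:15} {verdict}")
```

An "undefined" verdict means an entry names a time range that the supplied configuration never defines.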

Commands for monitoring and maintaining time-based ACLs (privileged EXEC mode):

Command                                                            Purpose
Router# show access-lists [access-list-number | access-list-name]  Displays the contents of current access lists or the access list you specify.
Router# show interface type number                                 Displays information about the interface you specify and indicates if an access list is configured on the interface.
Router# show time-range                                            Displays the configured time ranges.

Summary of Contents for 10000-2P2-2DC

Page 1: ...co Systems Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. http://www.cisco.com Tel: 408 526-4000, 800 553-NETS (6387). Fax: 408 527-0883. Cisco 10000 Series Router Software Configuration Guide, June 2010. Text Part Number: OL-2226-23 ...

Page 2: ...NTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR ...

Page 3: ...tching Virtual Private Network Architecture 1 4 L2TP Architectures 1 5 L2TP to Virtual Routing and Forwarding Architecture 1 5 L2TP over MPLS to Virtual Routing and Forwarding Instance 1 6 L2TP Access Concentrator Architecture 1 7 Routed Bridge Encapsulation Architectures 1 7 RBE to Virtual Routing and Forwarding Architecture 1 8 RBE to Multiprotocol Label Switching Virtual Private Network Archite...

Page 4: ...ew Features in Cisco IOS Release 12 3 7 XI2 1 26 New Features in Cisco IOS Release 12 3 7 XI1 1 26 C H A P T E R 2 Scalability and Performance 2 1 Line Card VC Limitations 2 1 Limitations and Restrictions 2 3 Scaling Enhancements in Cisco IOS Release 12 2 33 XNE 2 4 Scaling Enhancements in Cisco IOS Release 12 2 33 SB 2 5 Layer 4 Redirect Scaling 2 5 Scaling Enhancements in Cisco IOS Release 12 3 ...

Page 5: ...cess Interfaces 2 20 Preventing Full Virtual Access Interfaces 2 21 C H A P T E R 3 Configuring Remote Access to MPLS VPN 3 1 MPLS VPN Architecture 3 2 Access Technologies 3 3 PPP over ATM to MPLS VPN 3 4 PPP over Ethernet to MPLS VPN 3 5 RBE over ATM to MPLS VPN 3 7 MPLS VPN ID 3 7 DHCP Relay Agent Information Option Option 82 3 9 DHCP Relay Support for MPLS VPN Suboptions 3 9 Feature History for...

Page 6: ...et 3 43 Monitoring and Maintaining the MPLS VPN 3 43 Verifying VRF Configurations 3 44 Verifying the Routing Table 3 44 Verifying the PE to PE Routing Protocols 3 45 Verifying the PE to CE Routing Protocol 3 46 Verifying the MPLS VPN Labels 3 46 Testing the VRF 3 46 Monitoring and Maintaining PPPoX to MPLS VPN 3 47 Monitoring and Maintaining RBE to MPLS VPN 3 48 C H A P T E R 4 Configuring Multipr...

Page 7: ...ers to VPDN Groups 4 16 VPDN Template Configuration 4 17 Feature History for Session Limit Per VRF 4 17 Restrictions for Session Limit Per VRF 4 17 Prerequisites for Session Limit Per VRF 4 17 Configuring Session Limit Per VRF 4 18 Verifying a Session Limit Per VRF Configuration 4 19 Configuration Examples for Session Limit Per VRF 4 19 Monitoring and Maintaining Session Limit Per VRF 4 21 Half Du...

Page 8: ...nel 5 8 Enabling the LAC to Conduct Tunnel Service Authorization 5 8 Configuring Sessions Per Tunnel Limiting on the LAC 5 12 RADIUS Server Optional Configuration Tasks for LAC 5 13 Enabling Tunnel Sharing for RADIUS Services 5 13 Enabling the RADIUS Server to Conduct Tunnel Service Authorization 5 14 Configuring Sessions Per Tunnel Limiting in the RADIUS Service Profile 5 16 Configuration Example...

Page 9: ...over Ethernet 6 1 Feature History for PPPoE over Ethernet 6 2 Restrictions for PPPoE over Ethernet 6 2 Configuration Tasks for PPPoE over Ethernet 6 2 Configuring a Virtual Template Interface 6 2 Creating an Ethernet Interface and Enabling PPPoE 6 3 Configuring PPPoE in a VPDN Group 6 3 Configuring PPPoE in a BBA Group 6 3 Configuration Example for PPPoE over Ethernet 6 5 Static MAC Address for PP...

Page 10: ...VLANs 7 3 Configuring IP Unnumbered for an Ethernet VLAN Subinterface 7 3 Configuring IP Unnumbered for a Range of Ethernet VLAN Subinterfaces 7 4 Configuration Examples for IP Unnumbered on VLANs 7 4 Monitoring and Maintaining IP Unnumbered Ethernet VLAN Subinterfaces 7 5 C H A P T E R 8 Configuring ATM Permanent Virtual Circuit Autoprovisioning 8 1 ATM PVC Autoprovisioning 8 1 Local Template Bas...

Page 11: ...ion Tasks for Multihop 9 5 Specifying VPDN Tunnel Authorization Searches by Ingress Tunnel Name 9 5 Preserving the Type of Service Field of Encapsulated IP Packets 9 5 Configuring an Accept Dialin VPDN Group to Preserve IP TOS 9 6 Configuring a Request Dialout VPDN Group to Preserve IP TOS 9 7 Configuration Examples for Multihop 9 8 Monitoring and Maintaining Multihop Configurations 9 9 C H A P T ...

Page 12: ...PCP Negotiation 10 15 Monitoring and Maintaining an On Demand Address Pool 10 15 Overlapping IP Address Pools 10 16 Feature History for Overlapping IP Address Pools 10 17 Restrictions for Overlapping IP Address Pools 10 17 Configuration Tasks for Overlapping IP Address Pools 10 17 Configuring a Local Pool Group for IP Overlapping Address Pools 10 17 Verifying Local Pool Groups for IP Overlapping A...

Page 13: ...User Database Domain to VRF 11 12 C H A P T E R 12 Configuring Traffic Filtering 12 1 IP Receive ACLs 12 1 Feature History for IP Receive ACLs 12 2 Restrictions for IP Receive ACLs 12 2 Configuration Tasks for IP Receive ACLs 12 2 Configuring Receive ACLs 12 3 Verifying Receive ACLs 12 3 Configuration Example for IP Receive ACLs 12 3 Time Based ACLs 12 4 Feature History for Time Based ACLs 12 4 Re...

Page 14: ...tes on Unchannelized Line Cards 14 23 Configuring MR APS with Static Routes on Channelized Line Cards 14 25 Monitoring and Maintaining the MR APS Configuration 14 27 Single router Automatic Protection Switching 14 27 Feature History for SR APS 14 29 Configuring SR APS 14 29 Disabling SR APS 14 29 Monitoring and Maintaining the SR APS Configuration 14 30 Threshold Commands 14 31 Specifying SR APS S...

Page 15: ...nded NAS Port Type and NAS Port Support 16 44 Feature History for Extended NAS Port Type and NAS Port Support 16 45 NAS Port Type RADIUS Attribute 61 16 45 NAS Port RADIUS Attribute 5 16 46 NAS Port ID RADIUS Attribute 87 16 46 Prerequisites for Extended NAS Port Type and NAS Port Attributes Support 16 46 Configuring Extended NAS Port Type and NAS Port Attributes Support 16 47 Verifying Extended N...

Page 16: ...estrictions for Cisco 10000 Series Router PXF Stall Monitor 17 63 Configuring Cisco 10000 Series Router PXF Stall Monitor 17 64 Configuration Example of Cisco 10000 Series Router PXF Stall Monitor 17 65 C H A P T E R 18 SSO BFD 18 69 Feature History of SSO BFD 18 69 Information about SSO BFD 18 69 Enhanced Timers 18 70 BFD HA Process 18 70 Early Packet Send 18 70 Restrictions of SSO BFD 18 71 Moni...

Page 17: ...Environment 20 7 Stateful Switchover 20 7 Nonstop Forwarding for Routing Protocols 20 8 Restrictions for NSF SSO L2VPN 20 8 Configuring NSF SSO L2VPN 20 8 Configuration Examples of NSF SSO Layer 2 VPN 20 9 L2VPN Local Switching HDLC PPP 20 10 Prerequisites of L2VPN Local Switching HDLC PPP 20 10 Restrictions of L2VPN Local Switching HDLC PPP 20 10 PPP Like to Like Local Switching 20 10 HDLC Like t...

Page 18: ...lay over MPLS with Port to Port Connections 20 29 Enabling Other PE Devices to Transport Frame Relay Packets 20 30 Configuring Frame Relay to Frame Relay Local Switching 20 31 Configuring Frame Relay for Local Switching 20 32 Configuring Frame Relay Same Port Switching 20 33 Verifying Layer 2 Local Switching for Frame Relay 20 34 Configuring QoS Features 20 34 Configuring HDLC and PPP over MPLS 20...

Page 19: ...ridged Interworking 21 10 ATM to Ethernet Routed Interworking 21 11 Configuration Tasks and Examples 21 12 Local Switching 21 12 AToM 21 14 Ethernet VLAN to Frame Relay Interworking 21 17 Prerequisites of Ethernet VLAN to Frame Relay Interworking 21 17 Restrictions for Ethernet VLAN to Frame Relay Interworking 21 17 FR DLCI to Ethernet Local Switching Bridged Interworking 21 19 FR DLCI to VLAN 802...

Page 20: ...roup Command 22 12 MLP over Serial Interfaces 22 13 Performance and Scalability for MLP over Serial Interfaces 22 14 Restrictions and Limitations for MLP over Serial Interfaces 22 14 Single VC MLP over ATM Virtual Circuits 22 15 Performance and Scalability for Single VC MLP over ATM 22 15 Restrictions and Limitations for Single VC MLP over ATM 22 15 Multi VC MLP over ATM Virtual Circuits 22 16 Per...

Page 21: ...nging the Endpoint Discriminator 22 37 Configuration Examples for Configuring MLP 22 38 Configuration Example for Configuring MLP over Serial Interfaces 22 38 Configuration Example for Configuring Single VC MLP over ATM 22 38 Configuration Example for Configuring Multi VC MLP over ATM 22 39 Configuration Example for MLP on LNS 22 39 Configuration Example for MLPoE LAC Switching 22 41 Configuration...

Page 22: ...onfiguring MVPN Support on GEC Bundle 23 9 Configuration Tasks and Examples 23 9 Configuring PPPoX Support on a GEC Bundle 23 9 Restrictions for Configuring PPPoX Support for GEC Bundle 23 9 Configuration Tasks 23 10 Configuration Examples 23 10 Configuring High Availability Support on GEC Bundle 23 11 Configuring 8 Member Links per GEC Bundle 23 11 Configuration Tasks 23 11 Configuring VLAN Based...

Page 23: ...ess list template Command 25 6 Examples 25 6 show access list template Command 25 6 show access list template Command Modes 25 7 show access list template Command History 25 7 Examples 25 7 C H A P T E R 26 Protecting the Router from DoS Attacks 26 1 IP Options Selective Drop 26 1 Feature History for IP Options Selective Drop 26 2 Restrictions for IP Options Selective Drop 26 2 How to Configure IP...

Page 24: ...stination VRF Membership 27 3 Configuring Tunnel VRF 27 3 Configuring VRF Aware VPDN Tunnels 27 4 Configuration Examples 27 4 Configuration Example for Tunnel VRF 27 4 Configuration Examples for VRF Aware VPDN Tunnels 27 5 A P P E N D I X A RADIUS Attributes A 1 RADIUS IETF Attributes A 1 Vendor Proprietary RADIUS Attributes A 4 Vendor Specific RADIUS IETF Attributes A 8 G L O S S A R Y I N D E X ...

Page 25: ...uter are described in the general Cisco IOS documentation This introduction provides information about the following topics Guide Revision History page xxv Audience page xxx Document Organization page xxx Document Conventions page xxxii Related Documentation page xxxiii Obtaining Documentation Obtaining Support and Security Guidelines page xxxiv Guide Revision History Added the features listed in ...

Page 26: ...el IP Source and Destination VRF Membership feature in Chapter 27 IP Tunneling Added the New Features in Cisco IOS Release 12 2 31 SB5 section on page 1 19 Description Added the features listed in the New Features in Cisco IOS Release 12 2 31 SB3 section on page 1 19 Cisco IOS Release Part Number Publication Date Release 12 2 33 SB3 OL 2226 21 December 2008 Cisco IOS Release Part Number Publicatio...

Page 27: ... Tag Termination and added a pointer to the PPPoE QinQ Support feature guide located at the following URL This document includes support for IPoQ in Q http www cisco com en US products sw iosswrel ps5207 products_feature_guide09186a00801f0f4a html Relocated the remaining QoS features to the Cisco 10000 Series Router Quality of Service Configuration Guide located at the following URL http www cisco...

Page 28: ...P over Ethernet to MPLS VPN page 3 5 Added a description of PRE support on Cisco 10000 series routers in Hardware Requirements page 1 1 Description Added the features listed in the New Features in Cisco IOS Release 12 3 7 XI3 section on page 1 26 Corrected scaling limits for active VCs on ATM line cards CSCeg37235 in VC Scaling page 2 8 Configuring atm pxf queuing page 2 16 Restrictions for Hierar...

Page 29: ...ket Queue Congestion VC Weighting See Oversubscribing Physical and Virtual Links Dynamic ATM VP and VC Configuration Modification See Oversubscribing Physical and Virtual Links Interface Oversubscription See Oversubscribing Physical and Virtual Links 3 Level Hierarchical QoS Policies See Defining QoS for Multiple Policy Levels Description Added the features listed in the New Features in Cisco IOS ...

Page 30: ...PLS VPN Describes the Remote Access RA to MPLS VPN feature that allows the service provider to offer a scalable end to end VPN service to remote users Chapter 4 Configuring Multiprotocol Label Switching Describes MPLS related features such as BGP Multipath load sharing Session Limit per VRF and Half duplex VRF Chapter 5 Configuring Layer 2 Tunnel Protocol Access Concentrator and Network Server Des...

Page 31: ...nd protects the router from remote intrusions Chapter 13 Unicast Reverse Path Forwarding Describes the Unicast Reverse Path Forwarding feature that verifies if the path of an incoming packet is consistent with the local packet forwarding information The validity of this path determines whether uRPF passes or drops the packet Chapter 14 Configuring Automatic Protection Switching Describes the Multi...

Page 32: ... not covered in the guide Timesaver Means the described action saves time You can save time by performing the action described in the paragraph Caution Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Warning Means danger You are in a situation that could cause bodily injury Before you work on any equipment you must be aware of ...

Page 33: ...eries router documentation roadmap located at the following URL http www cisco com en US products hw routers ps133 products_documentation_roadmap09186a008 04ba4f3 html For information about Cisco IOS Release 12 2 including command reference and system error messages go to the Cisco IOS Release 12 2 documentation web page located at the following URL http www cisco com en US products sw iosswrel ps...

Page 34: ...FC 1483 Multiprotocol Encapsulation over ATM RFC 1490 Multiprotocol Interconnect over Frame Relay RFC 1661 The Point to Point Protocol PPP RFC 1990 The PPP Multilink Protocol MP RFC 2373 IP Version 6 Addressing Architecture RFC 2516 A Method for Transmitting PPP Over Ethernet PPPoE RFC 2529 Transmission of IPv6 over IPv4 Domains without Explicit Tunnels RFC 2661 Layer Two Tunneling Protocol L2TP R...

Page 35: ...dware Requirements page 1 1 Broadband Architecture Models page 1 2 Leased Line Architecture Models page 1 10 Load Balancing Architecture Models page 1 13 New Features Enhancements and Changes page 1 15 Hardware Requirements The performance routing engine PRE performs all Layer 2 and Layer 3 packet manipulation related to routing and forwarding operations Table 1 1 shows PRE support on Cisco 10000 ...

Page 36: ...pport CompNav Index pl You must be a registered user on Cisco com to access this tool Broadband Architecture Models This section shows broadband models for the following architectures PPP termination and aggregation PTA for PPPoA or PPPoE PTA to virtual routing and forwarding VRF PTA to Multiprotocol Label Switching MPLS Virtual Private Network VPN L2TP network server LNS L2TP to VRF L2TP over MPL...

Page 37: ... encapsulated in PPPoX The Cisco 10000 series router terminates the PPP sessions and routes the client data packets toward their final destination typically onto the ISP or corporate network Note PPPoX refers to either PPPoA or PPPoE PTA to Virtual Routing and Forwarding Architecture Figure 1 2 shows a PPP termination and aggregation PTA to virtual routing and forwarding VRF model for PPPoA or PPP...

Page 38: ...de and separates traffic at Layer 2 The PTA to MPLS VPN Architectural Model in Figure 1 3 uses MPLS and a tag interface and separates traffic at Layer 3 PTA to Multiprotocol Label Switching Virtual Private Network Architecture Figure 1 3 shows a MPLS VPN model for PPPoA or PPPoE sessions Figure 1 3 PTA to MPLS VPN Architectural Model CPE Cisco 10000 ESR Wholesale provider PPPoX sessions Retail pro...

Page 39: ...M circuits However the protocols used between the clients and the LAC do not affect LNS requirements The LAC creates L2TP tunnels to all of the LNSs at which its clients want to terminate Multiple tunnels might exist between each LAC and each LNS For each client PPP session the LAC signals the LNS to add another session to a tunnel The LAC forwards all traffic to the LNS including the PPP control ...

Page 40: ... traffic transported over an MPLS tag interface to the wholesale LNS provider Figure 1 6 L2TP over MPLS to VRF Architectural Model The LNS encapsulates the PPP in L2TP sessions in IP packets and forwards them to the retail LNS providers placing the sessions for each provider in separate VRFs NSP DSL IP network LNS home gateway NSP NSP NSP Cisco 10000 LNS VRF 1 VRF 2 AAA server AAA DHCP servers PPP...

Page 41: ...P sessions to the retail provider PPP in L2TP sessions are encapsulated in IP packets and forwarded over any IP transport network Routed Bridge Encapsulation Architectures Figure 1 8 shows a routed bridge encapsulation RBE model CPE PPP in L2TP sessions encapsulated in IP Retail providers LNS provider 1 76266 Wholesale provider LAC Access network ATM or Ethernet IP transport network Subscribers LN...

Page 42: ...Cs can use this single VC IP traffic of the client is encapsulated in RBE The Cisco 10000 series router processes ARP or DHCP requests and routes the client data packets toward their final destination typically onto the ISP or corporate network RBE to Virtual Routing and Forwarding Architecture Figure 1 9 shows an RBE to VRF model Cisco 10000 ESR RBE sessions Typically OC 3 OC 12 ATM 100K routed s...

Page 43: ... model Figure 1 10 RBE to MPLS VPN Topology In the figure the wholesale provider uses VPNs to separate the subscribers of different retail providers On the access side the subscribers are uniquely placed in VRFs A tag interface separates traffic for the different retail providers on the network side The MPLS VPN technology is used to assign tags in a VPN aware manner CPE RFC 2684 bridged format PD...

Page 44: ... low speed customer connections T1 E1 and aggregation into higher order optical interfaces in the central POP Numerous IP services are supported over channelized interfaces including IP QoS ACLs IP multicast and security services Frame Relay Aggregation Many service providers offer IP Internet access and VPN products over existing Frame Relay access networks Frame Relay packet switched networks al...

Page 45: ...1 13 ATM Architecture When used as an ATM aggregator the Cisco 10000 series router is usually placed in a central POP and connected to a local ATM switching node through optical interfaces ATM virtual circuits are terminated on the device and customer IP traffic destined for the Internet or VPN is routed onto the core network The Cisco 10000 series router supports ATM classes of service CoSs inclu...

Page 46: ...ge Applications MPLS technology has allowed providers to target small to medium sized businesses for outsourced VPN services The build once sell many approach of the network design provides scalability and flexibility with respect to VPN products and services MPLS provider edge functions and associated features and services are offered on the Cisco 10000 series router spanning all interfaces and e...

Page 47: ...ned Broadband and Leased Line Architecture Load Balancing Architecture Models This section describes how the Cisco 10000 series router load balances traffic in various network topologies The scenarios apply to a Cisco 10000 series router with a PRE2 IP and MPLS Applications Figure 1 17 shows a simple network topology that uses IP or basic MPLS forwarding It does not include MPLS VPN routes There a...

Page 48: ...ination CE that requires unique Label Switched Path LSP selection of the outgoing IGP path is in round robin fashion When there are multiple IGP paths from the ingress PE to egress PE the outgoing IGP path is chosen statically upon processing by the PXF For different destination prefixes path selection is round robin and each destination prefix has only one path All destination IP addresses mappin...

Page 49: ...th without basing the choice on the packet content Multiple Ingress and Multiple Egress Provider Edge Applications Figure 1 20 shows multiple IGP paths from PE to PE for iBGP paths into the PE2 router The theoretical load balance is eight IGP paths multiplied by eight iBGP paths for a total of 64 possible unique paths The Cisco 10000 series router supports eight unique paths The Single Ingress and...

Page 50: ...was added on the Cisco 10000 series router for the following feature AAA Supress System Accounting on Switchover For more information on the command used to enable or disable this feature after a PRE swtichover see the section Suppressing System Accounting Records over Switchover in the Configuring Accounting feature guide at the following link http www cisco com en US docs ios ios_xe sec_user_ser...

Page 51: ... Connecting to a Service Provider Using External BGP http www cisco com en US docs ios iproute_bgp configuration guide irg_external_sp html BGP per Neighbor SoO Configuration http www cisco com en US docs ios iproute_bgp configuration guide irg_neighbor_soo html Cisco BGP Overview http www cisco com en US docs ios iproute_bgp configuration guide irg_overview html OSPFv3 Graceful Restart For more i...

Page 52: ...e following features Unicast Reverse Path Forwarding uRPF For more information see Chapter 13 Unicast Reverse Path Forwarding Any Transport over MPLS AToM Tunnel Selection For more information see the Any Transport over MPLS Tunnel Selection section on page 20 47 L2VPN Interworking Ethernet VLAN to ATM AAL5 For more information see the Ethernet VLAN to ATM AAL5 Interworking section on page 21 5 L2...

Page 53: ...unnel IP Source and Destination VRF Membership section on page 27 1 Per Session Queuing and Shaping for PPPoE Over VLAN Using RADIUS For more information see the Shaping PPPoE Over VLAN Sessions Using RADIUS section in the Configuring Dynamic Subscriber Services chapter of the Cisco 10000 Series Router Quality of Service Configuration Guide located at the following URL http www cisco com en US pro...

Page 54: ...n see the following URL http www cisco com en US products sw iosswrel ps5207 products_feature_guide09186a00801f0 f4a html IP Options Selective Drop For more information see the Protecting the Router from DoS Attacks section on page 26 1 IPv6 Services Extended Access Control Lists For more information see the IPv6 Extended ACLs section on page 24 4 L2TP Domain Screening For more information see the...

Page 55: ...s122s 122snwft release 122s20 fssso 20s htm VRF Aware VPDN Tunnels For more information see the following URL http www cisco com univercd cc td doc product software ios122sb newft 122sb28 sbvpdnmh ht m New Features in Cisco IOS Release 12 2 28 SB1 IEEE 802 1Q in Q VLAN Tag Termination in the PPPoE QinQ Support feature guide located at the following URL http www cisco com en US products sw iosswrel...

Page 56: ...nds for Active Policies feature guide located at the following URL http www cisco com en US products ps6566 products_feature_guide09186a0080610cc8 htm l Define Interface Policy Map AV Pairs AAA in the Define Interface Policy Map AV Pairs AAA feature guide located at the following URL http www cisco com en US products sw iosswrel ps5413 products_feature_guide09186a0080335 ed5 html Frame Relay PVC I...

Page 57: ...rvice Configuration Guide located at the following URL http www cisco com en US products hw routers ps133 products_configuration_guide_book0918 6a00805b9497 html MPLS Carrier Supporting Carrier also known as MPLS VPN Carrier Supporting Carrier in the following feature guides These guides are located at the following URL http www cisco com en US products ps6566 products_feature_guides_list html LDP...

Page 58: ...sco com en US products ps6566 products_feature_guides_list html Load Splitting IP Multicast Traffic For more information about configuring native multicast load splitting see the configuration document located at the following URL http www cisco com en US products ps6350 products_configuration_guide_chapter09186a0080 5a595a html Note You should not configure native multicast load splitting for PE ...

Page 59: ...oducts_upgrade_guides09186a008059a dee html New Features in Cisco IOS Release 12 3 7 XI7 The following features are new on the Cisco 10000 series router in Cisco IOS Release 12 3 7 XI7 Dynamic Subscriber Bandwidth Selection in the Cisco 10000 Series Router Quality of Service Configuration Guide located at the following URL http www cisco com en US products hw routers ps133 products_configuration_g...

Page 60: ...xf queuing page 2 16 scaling enhancements Dynamic ATM VP and VC Configuration Modification in the Cisco 10000 Series Router Quality of Service Configuration Guide located at the following URL http www cisco com en US products hw routers ps133 products_configuration_guide_book0918 6a00805b9497 html Local Template Based ATM PVC Provisioning page 8 2 MQC Policy Map Support on Configured VC Range in t...

Page 61: ...9186a00801f0 f4a html Interface Oversubscription in the Cisco 10000 Series Router Quality of Service Configuration Guide located at the following URL http www cisco com en US products hw routers ps133 products_configuration_guide_book0918 6a00805b9497 html IP Receive ACLs page 12 1 Configuring IP Unnumbered on IEEE 802 1Q VLANs page 7 1 Configuring Local AAA Server User Database Domain to VRF page...

Page 62: ...t feature guide located at the following URL http www cisco com en US products sw iosswrel ps5207 products_feature_guide09186a00801f0 f4a html RADIUS Packet of Disconnect page 16 55 Scaling Enhancements in Cisco IOS Release 12 3 7 XI1 page 2 6 Time Based ACLs page 12 4 Variable Bit Rate Non Real Time Oversubscription page 8 14 VC Weighting in the Cisco 10000 Series Router Quality of Service Config...

Page 63: ... 7 XI1 page 2 6 Scaling Enhancements in Cisco IOS Release 12 3 7 XI2 page 2 7 Scaling Enhancements in Cisco IOS Release 12 2 28 SB page 2 8 Configuring the Cisco 10000 Series Router for High Scalability page 2 8 Using the RADIUS Attribute cisco avpair lcp interface config page 2 20 Using Full Virtual Access Interfaces page 2 20 Preventing Full Virtual Access Interfaces page 2 21 Line Card VC Limit...

Page 64: ...2 scheduler stops forwarding traffic on only the VC that is stuck in the SAR the other VCs still carry traffic On the PRE3 the PRE3 scheduler stops forwarding traffic on all the VCs configured on that ATM line card For example suppose a 1 port OC 12 line card at full line rate is configured for four levels of priority and a 4 port OC 3 line card at half line rate is configured for two levels of pr...

Page 65: ... translations are done in the RP When the destination IP address in the access control entries of the PBHK ACL does not match the redirect server IP address then L4R translations are done in the PXF and the packets that match the PBHK ACL are translated in the RP For configuration examples see the Layer 4 Redirect Scaling section on page 2 5 Certain restrictions apply on L4R translations for IP su...

Page 66: ... US products sw iosswrel ps5187 products_command_reference_book09 186a008017d0a2 html The Cisco 10000 series router high speed interfaces work efficiently to spread traffic flows equally over the queues However using single traffic streams in a laboratory environment might result in less than expected performance To ensure accurate test results test the throughput of the Gigabit Ethernet OC 48 POS...

Page 67: ... used with PBHK See also the Limitations and Restrictions section on page 2 3 In Example 2 1 when the destination IP used in the PBHK ACL 162 matches the redirected server IP address L4R translations are done in the RP Example 2 1 L4R Translations in the Route Processor class map type traffic match any class l4r match access group input 152 policy map type service ser l4r class type traffic class ...

Page 68: ...ing feature implements the following changes Up to 1 million routes in the global FIB table are supported without MPLS VPN configuration Total number of virtual routing and forwarding instances VRFs supported is 4095 Up to 100 routes per VRF with 4095 VRFs configured Up to 70 routes per VRF with 4095 VRFs configured plus 200 000 global BGP routes Up to 600 routes per VRF with 1000 or fewer VRFs co...

Page 69: ...The class default queue size on low speed interfaces has changed from 32 to 8 If the traffic is too bursty and packets drop you can use the queue limit command to increase the class default queue size If you change the queue size for 131 072 queues while traffic is running the queue size for a few queues might not be changed if packets were in the queues An out of resource message can also appear ...

Page 70: ...ed Because of a limit on the number of VPDN groups supported it is not possible to configure 16 384 tunnel definitions using the CLI Configure the remaining tunnel definitions using RADIUS Configuring the Cisco 10000 Series Router for High Scalability To ensure high scalability on the Cisco 10000 series router perform the following configuration tasks Configuring Parameters for RADIUS Authenticati...

Page 71: ...RADIUS server retransmit and timeout rates by using the radius server command Table 2 5 lists the recommended settings and see Example 2 4 Example 2 4 Configuring RADIUS Server Parameters Router config radius server retransmit 5 Router config radius server timeout 15 Configuring L2TP Tunnel Settings Configure an L2TP tunnel password using Cisco IOS Release 12 2 4 BZ1 or later We recommend that you...

Page 72: ...imiting Before the introduction of the VPDN Group Session Limiting feature introduced in Cisco IOS software release 12 2 1 DX you could only globally limit the number of VPDN sessions on a router with limits applied equally to all VPDN groups Using the VPDN Group Session Limiting feature you can limit the number of VPDN sessions allowed per VPDN group For more information see the VPDN Group Sessio...

Page 73: ...s that prevent the Cisco 10000 series router from attaining the highest possible PPP session scaling Table 2 7 Interface Specific Commands That Prevent PPP Scaling Command Function access expression Builds a bridge Boolean access expression asp Asynchronous Port ASP subcommands autodetect Autodetects encapsulations on serial interfaces bridge group Transparent bridging interface parameters bsc Bin...

Page 74: ...reserved bandwidth Specifies the maximum reservable bandwidth on an interface mpoa Multiprotocol over ATM MPOA interface configuration commands multilink Configures multilink parameters multilink group Puts the interface in a multilink bundle netbios Defines Network Basic Input Output System NetBIOS access list or enables name caching ntp Configures the Network Time Protocol NTP priority group Ass...

Page 75: ...binterfaces Router config no virtual template snmp SNMP Process and High CPU Utilization Network management applications retrieve information from devices by using SNMP If a user application polls the SNMP MIBs while the router is updating its routing table the SNMP engine process can cause CPU HOG messages to appear and sessions and tunnels to go down until the process releases the CPU For inform...

Page 76: ...ndamentals and Network Management Command Reference Release 12 3 located at the following URL http www cisco com en US products sw iosswrel ps5187 products_command_reference_book09186a 008017d0a2 html Command Purpose Step 1 Router config snmp server view view name oid tree included Creates or updates a view entry The view name argument is a label for the view record that you are updating or creati...

Page 77: ...for PPPoE because you can have 32 000 sessions on a single VC The Cisco 10000 series router supports three ATM traffic classes when you configure no atm pxf queuing unshaped UBR no PCR is specified shaped UBR PCR is specified and VBR nrt To configure an unspecified bit rate UBR quality of service QoS and specify the output peak cell rate PCR use the ubr command in the appropriate configuration mod...

Page 78: ...s across the ports in any fashion provided that you do not exceed the per port maximum Although the maximum number of VBR CBR and shaped UBR VCs per E3 DS3 and OC 3 ATM line card is 28 672 VCs the router supports a maximum of 22 204 VBR CBR and shaped UBR VCs per line card that you can place within virtual path VP tunnels If you attempt to bring up more than 22 204 VCs in a configuration that incl...

Page 79: ...upported on virtual access subinterfaces To accommodate the requirements of the lcp interface config VSA the per user authorization process forces the Cisco 10000 series router to create full virtual access interfaces which consume more memory and are less scalable In Cisco IOS Release 12 2 16 BX1 and later releases the ip vrf id attribute is used to map sessions to VRFs Any profile that uses the ...

Page 80: ...rofile Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template You can specify one VSA value in the user profile on RADIUS and another value locally in the virtual template interface The Cisco 10000 series router clones the template and then applies the values configured in the profiles it receives from RADIUS resulting in the removal of any IP configurations when the...

Page 81: ...ures passive mode for the PPPoA sessions on an ATM multipoint subinterface Router config interface atm 1 0 1 multipoint Router config subif atm pppatm passive Router config subif range range pppoa 1 pvc 100 199 Router config subif atm range encapsulation aal5mux ppp virtual template 1 Scaling L2TP Tunnel Configurations To prevent head of the line blocking of the IP input process and save system re...

Page 82: ...es the call rate To enhance the scalability of per user configurations in many cases different Cisco AV pairs are available to place the subscriber interface in a virtual routing and forwarding VRF instance or to apply a policy map to the session For example use the ip vrf id and ip ip unnumbered VSAs to reconfigure the user s VRF For more information see the Enhancing Scalability of Per User Conf...

Page 83: ...cy interface config allow subinterface command the router does not allow you to reconfigure the router using any commands that interact with the interface s hardware interface descriptor block HWIDB for example the compression command When you use the lcp interface config attribute sessions are not established if the sessions receive the attribute and the attribute reconfigures the HWIDB for the v...

Page 85: ...ies By integrating access VPNs with MPLS VPNs a service provider can Enable remote users and offices to seamlessly access their corporate networks Offer equal access to a set of different ISPs or retail service providers Integrate their broadband access networks with the MPLS enabled backbone Provide an end to end VPN service to enterprise customers with remote access users and offices Separate ne...

Page 86: ...s The router such as the Cisco 10000 series router located at the edge of the service provider s MPLS core network The PE router connects to one or more CE routers and has full knowledge of the routes to the VPNs associated with those CE routers The PE router does not have knowledge of the routes to VPNs whose associated CE routers are not connected to it Provider P routers The service provider ro...

Page 87: ...HAP Per session accounting Per session quality of service Note The Cisco 10000 series router can terminate up to 32 000 ATM RBE sessions Figure 3 2 shows the topology of an integrated PPPoX PPPoE or PPPoA access to a multiprotocol label switching virtual private network MPLS VPN solution Figure 3 2 PPPoX Access to MPLS VPN Topology In the figure the service provider operates an MPLS VPN that inter...

Page 88: ...cur when the remote user attempts to access the corporate network or ISP 1 A PPPoA session is initiated over the broadband access network 2 The VHG PE router accepts and terminates the PPPoA session 3 The VHG PE router obtains virtual access interface VAI configuration information a The VHG PE obtains virtual template interface configuration information which typically includes virtual routing and...

Page 89: ...ecommend that you do not use this configuration Upgrading to Cisco IOS Release 12 2 16 BX1 or later eliminates this restriction PPP over Ethernet to MPLS VPN The Cisco 10000 series router supports a PPP over Ethernet PPPoE connection to an MPLS VPN architecture In this model when a remote user attempts to establish a connection with a corporate network a PPPoE session is initiated and is terminate...

Page 90: ... 12 2 16 BX1 and later releases when you map sessions to VRFs by using the RADIUS server use the syntax ip vrf id or ip ip unnumbered These vendor specific attributes VSAs enhance the scalability of per user configurations because a new full virtual access interface is not required For more information see the Enhancing Scalability of Per User Configurations section on page 2 17 Note For releases ...

Page 91: ... which is statically configured with a specific VRF Remote user authentication or authorization is available with Option 82 for DSL RBE remote access RBE treats the VHG PE subinterface as if it is connected to an Ethernet LAN but avoids the disadvantages of pure bridging such as broadcast storms IP hijacking and ARP spoofing issues Address management options include static and VRF aware DHCP serve...

Page 92: ...r 4 The DHCP server uses the VPN ID and IP address information to process the request 5 The DHCP server sends a response back to the PE router allowing the VPN DHCP client access to the VPN The RADIUS server uses the VPN ID to assign dialin users to the proper VPN Typically a user login consists of the following packets Access Request packet A query from the network access server NAS that contains...

Page 93: ...e to DHCP clients on those different VPNs needs to know the VPN where each client resides The relay agent typically knows about the VPN association of the DHCP client and includes this information in the relay agent information option The DHCP relay support for MPLS VPN suboptions feature allows the Cisco 10000 series router acting as the DHCP relay agent to forward VPN related information to the ...

Page 94: ...ates customer routes the received packets that match the aggregate route require an additional feedback in the PXF forwarding engine which reduces performance RBE to MPLS VPN does not support MAC layer access lists only IP access lists are supported Before configuring DHCP relay support for MPLS VPN suboptions you must configure standard MPLS VPNs For more information see the Configuring Virtual P...

Page 95: ... router and it cannot be turned off If you attempt to enable IP CEF an error appears For PPPoX to MPLS VPN networks the Cisco 10000 series router must be running Cisco IOS Release 12 2 4 BZ1 or later releases and the performance routing engine must be installed in the router s chassis For ATM RBE to MPLS VPN networks the Cisco 10000 series router must be running Cisco IOS Release 12 2 15 BX or lat...

Page 96: ...itching of IP Packets on Interfaces Enable label switching of IP packets on each PE router interface on the MPLS side of the network The Cisco 10000 series router MPLS network side interface is a tagged interface The packets passing through the interface are tagged packets Note Multiple interfaces require a Label Switch Router LSR To enable label switching of IP packets on interfaces enter the fol...

Page 97: ...rface The virtual template interface is used to create and configure a virtual access interface VAI For information about configuring a virtual template interface see the Configuring a Virtual Template Interface section on page 3 17 To associate a VRF enter the following commands on the PE router beginning in interface configuration mode Command Purpose Step 1 Router config ip vrf vrf name Enters ...

Page 98: ...s beginning in global configuration mode Step 4 Router config interface virtual template number Creates a virtual template interface and enters interface configuration mode Step 5 Router config if ip vrf forwarding vrf name Associates a VRF with a virtual template interface Command Purpose Command Purpose Step 1 Router config router bgp autonomous system Configures the internal BGP iBGP routing pr...

Page 99: ... 7 Router config router af redistribute protocol Redistributes routes from one routing domain into another routing domain The protocol argument is the source protocol from which routes are being redistributed It can be one of the following keywords bgp connected egp igrp isis ospf static ip or rip The connected keyword refers to routes that are established automatically by virtue of having enabled...

Page 100: ...figuration for an interface but it is not tied to the physical interface The VAI uses the attributes of the virtual template to create the session which results in a VAI that is uniquely configured for a specific user After you configure a virtual template configure the virtual connection that will use the template and then apply the template to the connection The order in which you create virtual...

Page 101: ...isplay and clear the VAI by using the following commands in privileged EXEC mode Example 3 5 Displaying the Active VAI Configuration Router show interfaces virtual access 1 1 configuration interface virtual access1 1 ip vrf forwarding vrf 1 ip unnumbered Loopback1 no ip proxy arp Command Purpose Step 1 Router config interface virtual template number Creates a virtual template interface and enters ...

Page 102: ... or multipoint subinterfaces Using point to multipoint PVCs significantly increases the maximum number of PPPoA sessions that you can run on the Cisco 10000 series router To configure a PVC range with encapsulated PPPoA enter the following commands beginning in global configuration mode Configuring PPPoE over ATM Virtual Connections and Applying Virtual Templates To configure PPPoE over ATM perfor...

Page 103: ...router Step 2 Router config vpdn group name Associates a VPDN group with a customer or VPDN profile Step 3 Router config vpdn accept dialin Creates an accept dial in VPDN group Step 4 Router config vpdn acc in protocol pppoe Specifies the VPDN group to be used to establish PPPoE sessions Step 5 Router config vpdn acc in virtual template template number Specifies the virtual template interface to u...

Page 104: ...rnet Virtual Connections and Applying Virtual Templates To configure PPPoE over Ethernet perform the following configuration tasks Configuring a Virtual Template Interface page 3 17 Configuring PPPoE over Ethernet in a BBA Group page 3 21 Command Purpose Step 1 Router config vpdn group pppoe term Specifies the VPDN group to be used to establish PPPoE sessions on a PVC Step 2 Router config vpdn acc...

Page 105: ...er MAC address for each PPPoE port that uses the group Step 4 Router config bba pppoe limit max sessions number Optional Specifies the maximum number of PPPoE sessions that can be terminated on this router from all interfaces Step 5 Router config bba pppoe limit per vc per vc limit Optional Specifies the maximum number of PPPoE sessions for each VC that uses the group Step 6 Router config bba exit...

Page 106: ...Relay Support for MPLS VPN Suboptions page 3 26 Specifying a VPN ID page 3 27 Configuring the PE Router To configure the PE router perform the following required configuration tasks Defining Loopbacks page 3 22 Defining PVCs page 3 23 Configuring Label Switching page 3 23 Configuring the VRF for Each VPN page 3 23 Configuring a Dedicated PVC page 3 24 Configuring BGP to Advertise Networks page 3 2...

Page 107: ...p 4 Router config subif pvc vpi vci number Configures the PVC on the subinterface Enters PVC configuration mode Step 5 Router config subif pvc encapsulation aal5snap Configures the ATM adaptation layer AAL and encapsulation type on the ATM PVC Step 6 Router config subif pvc no protocol ip inarp Disables Inverse ARP on the ATM PVC Command Purpose Step 1 Router config interface atm slot port subinte...

Page 108: ... layer AAL and encapsulation type on the ATM PVC Command Purpose Step 1 Router config router bgp autonomous system Configures the internal BGP iBGP routing process with the autonomous system number passed along to other iBGP routers Step 2 Router config router no bgp default ipv4 unicast Disables IPv4 BGP routing Step 3 Router config router neighbor ip address peer group name remote as as number C...

Page 109: ...outer config router address family vpnv4 unicast Enters address family configuration mode for configuring BGP routing sessions that use standard Virtual Private Network VPN Version 4 address prefixes Optional The unicast keyword specifies VPN Version 4 unicast address prefixes Step 10 Router config router af neighbor ip address peer group name activate Activates route exchanges with the global BGP...

Page 110: ... point ip unnumbered Loopback0 ip helper address 172 16 1 2 atm route bridged ip pvc 88 800 encapsulation aal5snap interface Ethernet 5 1 ip address 172 16 1 1 255 255 0 0 router eigrp 100 network 10 0 0 0 network 172 16 0 0 rbe nasip Loopback0 Configuring DHCP Relay Support for MPLS VPN Suboptions To configure DHCP relay support for MPLS VPN suboptions enter the following commands beginning in gl...

Page 111: ... interface If the DHCP server resides in a VPN or global space that is different from the VPN the vrf name or global options allow you to specify the name of the VRF or global space where the DHCP server resides The vrf name argument is the virtual routing and forwarding VRF instance for the VPN The global argument is the global routing table The address argument is the destination broadcast or ho...

Page 112: ...ter in the Cisco IOS Dial Technologies Configuration Guide Release 12 2 This chapter describes the procedures used to configure verify monitor and troubleshoot VPNs and also provides configuration examples Associating VPNs with a Virtual Template Interface After you configure the VPNs associate each one with a virtual template interface To do this association perform the following tasks Creating a...

Page 113: ...Loopback1 Note For more information about configuring a virtual template interface see the Configuring a Virtual Template Interface section on page 3 17 For more information about creating and associating VRFs see the Configuring Virtual Routing and Forwarding Instances section on page 3 13 and the Associating VRFs section on page 3 13 Step 3 Router config vrf vpn id route distinguisher Associates...

Page 114: ... the following commands in privileged EXEC mode Configuration Examples for RA to MPLS VPN This section provides configuration examples for the following configurations PPPoA to MPLS VPN Configuration Example page 3 31 PPPoE to MPLS VPN Configuration Example page 3 34 RBE to MPLS VPN Configuration Example page 3 38 Command Purpose Router show ip vrf Displays the defined VRFs and interfaces Router s...

Page 115: ...icy map for the default class policy map mypolicy class class default police 200000 400000 800000 conform action transmit exceed action drop no virtual template snmp Sets the size of the small and middle buffers buffers small permanent 20000 buffers middle permanent 7000 Defines the general loopback interface used for reachability to the router and as a source IP address for sessions IBGP TDP and ...

Page 116: ...ddress no atm pxf queuing no atm ilmi keepalive interface atm6 0 1 no ip address no atm ilmi keepalive interface ATM6 0 2 no ip address no atm ilmi keepalive interface ATM6 0 3 no ip address no atm ilmi keepalive Enables label switching of IP packets on the interface interface POS7 0 0 ip address 172 16 1 1 255 255 0 0 keepalive 30 tag switching ip crc32 interface POS8 0 0 ip address 172 16 2 1 25...

Page 117: ...10 1 1 4 activate Enters address family configuration mode to configure the VRF routing table on BGP address family ipv4 vrf vpn1 redistribute connected no auto summary no synchronization exit address family Configures MP IBGP address family vpnv4 neighbor 10 1 1 4 activate neighbor 10 1 1 4 send community both exit address family Specifies the IP local pool to use for the vpn1 VRF address assignm...

Page 118: ...isions slots in the Cisco 10000 series router for line cards card 1 0 1gigethernet 1 card 2 0 1gigethernet 1 card 3 0 1oc12pos 1 card 4 0 1oc12pos 1 card 5 0 1oc12atm 1 card 6 0 1oc12atm 1 card 7 0 4oc3atm 1 card 8 0 4oc3atm 1 Creates the common VRF ip vrf common rd 100 1000 route target export 100 1000 route target import 100 1000 Specifies the VPDN group to be used to establish PPPoE sessions an...

Page 119: ... Enables label switching of IP packets on the interface interface GigabitEthernet1 0 0 ip address 10 1 10 1 255 255 0 0 no ip redirects load interval 30 negotiation auto tag switching ip interface GigabitEthernet2 0 0 ip address 10 2 10 1 255 255 0 0 no ip redirects load interval 30 negotiation auto tag switching ip interface POS3 0 0 ip address 10 3 10 1 255 255 0 0 no ip redirects ip ospf cost 2...

Page 120: ...alive interface ATM7 0 1 no ip address no atm ilmi keepalive interface ATM7 0 2 no ip address no atm ilmi keepalive interface ATM7 0 3 no ip address no atm ilmi keepalive interface ATM8 0 0 no ip address no atm ilmi keepalive interface ATM8 0 1 no ip address no atm ilmi keepalive interface ATM8 0 2 no ip address no atm ilmi keepalive interface ATM8 0 3 no ip address no atm ilmi keepalive interface...

Page 121: ...ress family Configures BGP to advertise the networks for the VPN router bgp 100 no synchronization no bgp default ipv4 unicast bgp log neighbor changes neighbor 172 16 1 4 remote as 100 neighbor 172 16 1 4 activate Enters address family configuration mode to configure the common VRF for PE to CE routing sessions address family ipv4 vrf common no auto summary no synchronization aggregate address 2 ...

Page 122: ...3 14 Configuring RBE to MPLS VPN ip vrf CustomerA rd 100 100 route target export 100 100 route target import 100 100 ip vrf CustomerB rd 101 101 route target export 101 101 route target import 101 101 interface int g1 0 0 ip address 192 168 1 1 255 255 255 0 tag switching ip interface loopback0 BGP update source ip address 10 100 10 1 255 255 255 255 router ospf 1 network 192 168 1 0 0 0 0 255 are...

Page 123: ...static no auto summary no synchronization exit address family address family ipv4 vrf CustomerB redistribute connected redistribute static no auto summary no synchronization exit address family address family vpnv4 neighbor 192 168 1 2 activate neighbor 192 168 1 2 send community extended no auto summary exit address family Monitoring and Maintaining an MPLS Configuration To monitor and maintain a...

Page 124: ...3036 Tunnel field Indicates the capacity of traffic engineering on the interface Operational field Indicates the status of the LDP In the above example the Operational field indicates down on Serial 0 1 2 because the interface is down Verifying Connections Between Neighbors An unlabeled connection must exist between each pair of neighboring routers The routing protocol and the label distribution p...

Page 125: ...10 10 6 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 10 10 10 6 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 56 56 60 ms Example 3 17 ping vrf Router ping vrf vrf 1 192 168 1 1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 192 168 1 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 1 2 4 ms Verifying Labe...

Page 126: ...ribution protocol cannot run Example 3 19 show tag switching tdp discovery Command Router show tag switching tdp discovery Local TDP Identifier 10 10 10 3 0 Discovery Sources Interfaces Serial0 1 1 tdp xmit recv TDP Id 10 10 10 1 0 Serial0 1 2 tdp xmit recv TDP Id 10 10 10 2 0 Serial0 1 3 tdp xmit recv TDP Id 10 10 10 6 0 Note The neighbor relationship is not established when the router ID for the...

Page 127: ...ce to abort Tracing the route to 10 10 10 4 1 10 1 1 21 MPLS Label 25 Exp 0 296 msec 256 msec 244 msec 2 10 1 1 5 MPLS Label 22 Exp 0 212 msec 392 msec 352 msec 3 10 1 1 14 436 msec 268 msec Monitoring and Maintaining the MPLS VPN To monitor and maintain an MPLS VPN configuration perform the following verification tasks Verifying VRF Configurations page 3 44 Verifying the Routing Table page 3 44 V...

Page 128: ...VRFs enter any of the following commands in privileged EXEC mode Command Purpose Router show ip vrf Displays a summary of all VRFs present on the current router and their associated route distinguishers and interfaces Use this command to verify the names and configuration of each VRF and the route distinguisher configuration at each PE router Router show ip vrf interfaces Displays the VRFs present...

Page 129: ...2 168 5 1 32172 16 1 11800202i Route Distinguisher 200 1 default for vrf vrf 2 i172 16 2 100 30192 168 1 101000 172 16 2 116 300 0 0 0032768 Example 3 25 show ip bgp vpnv4 vrf vrf name ip address Command Router show ip bgp vpnv4 vrf vrf 1 172 16 2 116 BGP routing table entry for 200 1 172 16 2 116 30 version 7 Paths 1 available best 1 table vrf 1 Advertised to non peer group peers 192 168 1 1 Loca...

Page 130: ...S aware traceroute and only if the backbone ATM switch routers are configured to propagate and generate IP Time to Live TTL information Example 3 26 traceroute vrf Command Router traceroute vrf vrf 1 192 168 1 1 Type escape sequence to abort Tracing the route to 192 168 1 1 1 10 0 1 17 4 msec 0 msec 4 msec 2 10 0 1 101 0 msec 0 msec 0 msec 3 10 0 1 102 4 msec 0 msec Testing the VRF To test the VRF...

Page 131: ...al access interface Displays status traffic data and configuration information about a specified virtual access interface Router show ip route vrf vrf name Displays the IP routing table associated with a VRF Router show ip local pool Displays statistics for any defined IP address pools Router show vpdn session all Displays information about active L2TP tunnel and message identifiers in a virtual p...

Page 132: ...Displays information associated with the Remote Authentication Dial In User RADIUS server Router debug vpdn pppoe events Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed Router debug vtemplate Displays cloning information for a virtual access interface from the time it is cloned from a virtual template to the time...

Page 133: ...riods decreases the likelihood that increased debug command processing overhead will affect system use Note For more information see the Troubleshooting DSL Access to MPLS VPN Integration chapter in the Troubleshooting Cisco Remote Access to MPLS VPN Integration Release 2 0 Router debug ip packet Displays general IP debugging information and IP security option IPSO security transactions Note This ...

Page 135: ...eBGP and iBGP in an MPLS VPN Load sharing is a concept that allows the Cisco 10000 series router to take advantage of multiple best paths to a given destination The paths are derived either statically or with dynamic protocols such as RIP BGP OSPF and IGRP The best path algorithm decides which is the best path to install in the IP routing table and to use for forwarding traffic The BGP Multipath L...

Page 136: ...or eBGP and iBGP in an MPLS VPN feature is described in the following topics Feature History for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN page 4 2 Restrictions for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN page 4 3 Prerequisites for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN page 4 3 IGP Convergence Acceleration page 4 3 Configuring BGP Multipa...

Page 137: ... will be selected for which prefix The path selected depends on the order in which the prefixes are configured in the routing table The bandwidths of the IGP paths are not considered in the path selection When the routing table contains multiple iBGP paths a route reflector advertises only one of the paths one next hop If a router is behind a route reflector all routers that are connected to multi...

Page 138: ...er Configuring IGP Convergence Acceleration To configure the IGP Convergence Acceleration feature for unequal cost paths enter the following commands beginning in global configuration mode Configuring BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN To configure the BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN feature perform the following configuration tasks Configu...

Page 139: ...d Sharing for eBGP and iBGP in an MPLS VPN This section provides the following configuration examples eBGP and iBGP Multipath Load Sharing Configuration Example page 4 6 Verifying eBGP and iBGP Multipath Load Sharing page 4 6 Command Purpose Step 1 Router config router bgp as number Configures the router to run a BGP process and enters router configuration mode Step 2 Router config router address ...

Page 140: ... bgp vpnv4 all 10 22 22 0 BGP routing table entry for 10 1 22 22 22 0 24 version 19 Paths 5 available best 5 Multipath eiBGP Advertised to non peer group peers 10 0 0 2 10 0 0 3 10 0 0 4 10 0 0 5 22 10 0 0 0 metric 20 from 10 0 0 4 10 0 0 4 Origin IGP metric 0 localpref 100 valid internal multipath Extended Community 0x0 0 0 RT 100 1 0x0 0 0 Originator 10 0 0 2 Cluster list 10 0 0 4 22 10 0 0 2 me...

Page 141: ...utes and filtering imported ones For scalability route reflectors can be used to concentrate routing paths and avoid a full PE mesh Similar to IPv4 BGP features in IPv6 such as route refresh automatic route filtering and outbound route filtering help reduce the number of routes held in each PE Figure 4 1 illustrates the important aspects of the IPv6 VPN architecture Command Purpose Router show ip ...

Page 142: ...r MPLS The following Cisco IOS services must be running on the network before you configure IPv6 VPN operation MPLS in provider backbone routers MPLS with VPN code in provider routers with VPN PE routers BGP in all routers providing a VPN service Cisco Express Forwarding switching in every MPLS enabled router The ipv6 unicast routing command enabled on VPN PE routers 270303 Host 1 IPv6 ND Site 1 2...

Page 143: ...r in the Cisco IOS IPv6 Configuration Library at http www cisco com en US docs ios 12_2t ipv6 v6addres html The IPv6VPN over MPLS 6VPE includes the configuration tasks in the following list For more information about these tasks see the Implementing IPv6 VPN over MPLS 6VPE chapter in the Cisco IOS IPv6 Configuration Guide Release 12 2SR at http www cisco com en US docs ios ipv6 configuration guide...

Page 144: ...s the Allow AS in BGP feature via the use of the allowas in keyword in the same way as the feature is currently supported by IPv4 VPNs BGP Prefix List Filtering The 6VPE feature supports the ability to filter MP BGP IPv6 advertisements based on configured IPv6 prefixes For information on configuring this feature see the Configuring BGP Filtering Using Prefix Lists section in the Configuring BGP ch...

Page 145: ... Note The 6VPE feature does not support per packet load sharing For information on configuring this feature see the How to Configure BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN section in the BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN guide at http www cisco com en US docs ios iproute configuration guide irp_bgp_ebgp_ibgp html wp10 54087 VRF aware BGP Dam...

Page 146: ...ng the VRF include the Internet routes This model involves redistributing the Internet routes into the VRF VRF Aware Router Applications The following features are supported on Cisco 10000 series routers by the IPv6VPN over MPLS 6VPE feature VRF aware Ping The VRF aware Ping ping vrf VRF name IPv6 address command is supported VRF aware Traceroute The VRF aware Traceroute traceroute vrf VRF name IP...

Page 147: ... 043021 Note When an IPv6 packet arrives on an input interface configured for IPv6 either the packet has a Differentiated Services Code Point DSCP value set or an IPv6 QoS setup is done on the router to mark the DSCP value This packet sent over a MPLS output interface receives the DSCP value that is mapped to the MPLS Experimental EXP bits The mapping propagates the IPv6 QoS value to its MPLS equi...

Page 148: ...n red rd 100 1 address family ipv6 route target export 100 1 route target import 100 1 exit address family ipv6 cef mpls ldp logging neighbor changes mpls ldp router id Loopback0 interface Loopback0 ip address 200 11 11 1 255 255 255 255 ipv6 address BEEF 11 1 64 ipv6 nd prefix default 0 0 off link no autoconfig no ipv6 mfib fast interface Ethernet0 0 vrf forwarding red ip address 50 1 1 2 255 255...

Page 149: ...mily address family ipv6 vrf blue neighbor 8008 72a activate no synchronization redistribute connected exit address family ip classless no ip http server end Monitoring and Maintaining IPv6 VPN over MPLS For information on monitoring and maintaining IPv6 VPN over MPLS see the Verifying and Troubleshooting IPv6 VPN section in the Implementing IPv6 VPN over MPLS 6VPE chapter of the Cisco IOS IPv6 Co...

Page 150: ...DN group with a named VPDN template that you have not configured the VPDN group uses the system defaults The session limit global configuration command takes precedence over the group session limit VPDN template configuration command The session limit command limits the number of VPDN sessions and the group session limit command specifies the maximum concurrent sessions allowed across all VPDN gro...

Page 151: ...you associate a VPDN group with a named VPDN template and then with a second VPDN template the VPDN group is detached from the first VPDN template and associated with the second template If you attempt to associate a VPDN group with a named VPDN template that you have not configured the VPDN group uses the system defaults The session limit global configuration command takes precedence over the gro...

Page 152: ...fies the maximum concurrent sessions allowed across all VPDN groups associated with the VPDN template you specified in step 3 The number option is a value from 1 to 32 767 Step 5 Repeat steps 2 and 3 to configure additional named VPDN templates Step 6 Router config vpdn exit Exits VPDN group configuration mode Step 7 Router config vpdn group tag Associates a VPDN group to a customer or VPDN profil...

Page 153: ...DN group1 and group2 cannot exceed 10 sessions If group1 has 5 sessions group2 can only have 5 sessions If group1 does not have any active sessions group2 can have a maximum of 10 sessions even though group2 is configured with the session limit 20 command In Example 4 5 VPDN group3 does not have a session limit configured Using the no source vpdn template command detaches group3 from the default V...

Page 154: ...e session limits set for the individual VPDN groups VPDN groupA and groupB are attached to VPDN templateA and each group has an individual session limit of 30 sessions Because groupA and groupB are attached to VPDN templateA they use the hostname host1 as their local name In Example 4 6 the source vpdn template command is not used to associate VPDN groupC with a specific VPDN template Therefore by...

Page 155: ... upstream Internet service provider ISP In releases earlier than Cisco IOS Release 12 2 16 BX2 when spokes connect to the same PE router it was necessary to configure each spoke in a separate VRF to ensure that the traffic between the spokes always traverses the central link between the wholesale service provider and the ISP However this solution is manageable only if the number of spokes is relat...

Page 156: ...pstream and Downstream VRFs HDVRF uses two unidirectional VRFs called upstream VRF and downstream VRF to forward IP traffic between the spokes and the hub PE router The upstream VRF is used to forward the IP traffic from the spokes toward the MPLS VPN backbone This VRF typically contains only a default route but depending on the configuration it might also contain such information as summary route...

Page 157: ...am VRF Feature History for Half Duplex VRF Restrictions for Half Duplex VRF The Half Duplex VRF feature has the following restrictions In both the upstream and downstream VRFs routing protocols are not supported on interfaces configured for half duplex VRFs Half duplex VRFs apply only to virtual access interfaces VAIs and virtual template interfaces Only IP unnumbered interfaces are supported It i...

Page 158: ...subscribers Router config vrf rd 1 8 Router config vrf route target export 1 100 Example 4 8 shows how to configure an upstream VRF named U Example 4 8 Configuring the Upstream VRF Router config ip vrf U Router config vrf description Upstream VRF to hub PE Router config vrf rd 1 0 Router config vrf route target import 1 0 Command Purpose Step 1 Router config ip vrf vrf name Enters VRF configuratio...

Page 159: ...unting vpn1 Command Purpose Step 1 Router config if ip vrf forwarding vrf name Associates an interface with the VRF you specify vrf name is the name of the VRF associated with the interface Step 2 Router config if ip unnumbered type number Enables IP processing on an interface without assigning an explicit IP address to the interface The type and number arguments are the type and number of another...

Page 160: ...ute when supported in Cisco IOS software Unlike the lcp interface config attribute which causes full virtual interfaces to be used the ip vrf id attribute causes virtual subinterfaces to be used which significantly improves scalability Example 4 10 shows how to configure a downstream VRF named D on an AAA server Example 4 10 Configuring the Downstream VRF on RADIUS cisco avpair ip vrf id U downstre...

Page 161: ... port 1812 acct port 1813 aaa authentication ppp default group radius aaa authorization network default group radius ip vrf D description Downstream VRF to spokes rd 1 8 route target export 1 100 ip vrf U description Upstream VRF to hub rd 1 0 route target import 1 0 vpdn enable vpdn group U accept dialin protocol pppoe virtual template 1 interface Loopback0 ip address 100 0 0 8 255 255 255 255 in...

Page 162: ...static routes The functionality of the HDVRF feature does not require that you define static routes per spoke This configuration was tested on FreeRADIUS 0 8 1 Example 4 12 Configuring RADIUS for Half Duplex VRFs DEFAULT Service Type Framed User Framed Protocol PPP cisco avpair ip vrf id U downstream D cisco avpair ip ip unnumbered Loopback 2 cisco avpair ip addr pool U pool Fall Through Yes labe ...

Page 163: ...downstream VRF associated with the VAI Router show ip interface virtual interface number Displays information about the VAI you specify including the downstream VRF associated with the VAI Router show ip route vrf vrf name Displays the IP routing table for the VRF you specify Use this command to display information about the per user static routes installed in the downstream VRF Router show ip vrf...

Page 164: ... IS IS level 2 ia IS IS inter area candidate default U per user static route o ODR P periodic downloaded static route Gateway of last resort is not set 2 0 0 0 8 is variably subnetted 5 subnets 2 masks U 2 0 0 2 32 1 0 via 2 8 1 1 S 2 0 0 0 8 is directly connected Null0 U 2 0 0 5 32 1 0 via 2 8 1 2 C 2 8 1 2 32 is directly connected Virtual Access4 C 2 8 1 1 32 is directly connected Virtual Access...

Page 167: ...2 L2TP Network Server page 5 22 IP Reassembly The Cisco 10000 series router supports the IP Reassembly feature on the fastpath This feature reassembles fragments of IP and L2TP encapsulated packets The IP Reassembly feature on the fastpath reassembles IP packets that have two IPv4 non overlapping no option fragments and drops two fragment overlapping fragments The Route Processor RP handles packet...

Page 168: ...ndpoint and is a peer to the LNS on the other side of the tunnel The LAC forwards packets to and from the LNS and a remote system Acting as the LNS you can configure the Cisco 10000 series router to terminate the PPP sessions and route the client IP packets onto the ISP or corporate network toward their final destination Figure 5 1 You can also configure the LNS to place the sessions in VRFs befor...

Page 169: ...from the LAC in VRFs Cisco 10000 ESR PPPoX sessions PPPoE sessions OC 3 OC 12 ATM Routed subscribers GigEthernet or OC 12 POS IP routed traffic AAA servers ISP corporate network Client Client Client Client ATM network EMS NMS 76099 CPE PPP in L2TP sessions Retail LNS provider Provider 1 Provider 2 Provider n 69867 L2TP sessions are terminated and placed in a VRF Wholesale LNS provider Cisco 10000 ...

Page 170: ... can choose and to charge a fee for each destination allowed The LAC can conduct static or dynamic tunnel service authorization A static domain name on an ATM PVC port overrides the domain name that the client session supplies Static tunnel service authorization does not support switched virtual circuits SVCs If a static domain is not configured the LAC conducts dynamic tunnel service authorizatio...

Page 171: ...onfiguration mode configures the per user tunnel selection feature Note When tunneling from a LAC to an LNS using L2TP when you use the authen before forward command to configure the LAC to authenticate the user to RADIUS before negotiating a tunnel with the LNS the user is authenticated and the LAC uses RADIUS information to determine if it should terminate a PPPoX session as PPP terminated aggre...

Page 172: ...vices The true load on the LNS devices is an aggregation of all LAC devices using the LNS devices Session Load Failover The session load failover feature works with the session load balancing feature to enable the LAC to direct sessions across multiple LNS devices If the primary set of LNS devices fails the session load failover feature enables the LAC to direct sessions to a set of failover LNS d...

Page 173: ...eries router as a LAC perform any of the following optional tasks Enabling Sessions with Different Domains to Share the Same Tunnel page 5 8 Enabling the LAC to Conduct Tunnel Service Authorization page 5 8 Configuring Sessions Per Tunnel Limiting on the LAC page 5 12 Command Purpose Step 1 Router enable Enters privileged EXEC mode Step 1 Router config terminal Enters global configuration mode Ste...

Page 174: ...privileged EXEC mode Step 2 Router config terminal Enters global configuration mode Step 3 Router config vpdn group group name Defines a local group name for which you can assign other VPDN variables Enters VPDN group configuration mode Step 4 Router config vpdn request dialin Enables the LAC to request L2TP tunnels to the Cisco 10000 series router and enters VPDN request dialin group mode Step 5 ...

Page 175: ... 2 Router config terminal Enters global configuration mode Step 3 Router config interface atm 0 0 0 subinterface number multipoint point to point tag switching Specifies the ATM interface and optional subinterface Step 4 Router config subif atm pppatm passive Places the sessions on the subinterface in passive listening mode Step 5 Router config subif no ip directed broadcast Disables forwarding of...

Page 176: ...pose Step 1 Router enable Enters privileged EXEC mode Step 2 Router config terminal Enters global configuration mode Step 3 Router config vc class atm vc class name Creates and names a map class Step 4 Router config vc class encapsulation aal5mux ppp Virtual Template number Configures the ATM adaptation layer AAL and encapsulation type for an ATM PVC SVC VC class or VC bundle mux ppp is for a MUX ...

Page 177: ... the RADIUS server for tunnel service authorization enter the following commands Command Purpose Step 1 Router enable Enters privileged EXEC mode Step 2 Router config terminal Enters global configuration mode Step 3 Router config vpdn authorize domain Enables domain preauthorization Command Purpose Router show running config Verifies that you successfully configured the maximum number of sessions ...

Page 178: ... 16 Step 5 Router config radius server attribute 44 include in access req vrf vrf name Sends RADIUS attribute 44 Accounting Session ID in access request packets before user authentication including requests for preauthentication Step 6 Router config radius server domain stripping vrf vrf name Optional Enables VRF aware domain stripping The vrf vrf name argument specifies the per VRF configuration ...

Page 179: ... RADIUS Services page 5 13 Enabling the RADIUS Server to Conduct Tunnel Service Authorization page 5 14 Configuring Sessions Per Tunnel Limiting in the RADIUS Service Profile page 5 16 Enabling Tunnel Sharing for RADIUS Services To configure tunnel sharing in the RADIUS service profile enter the following Cisco AV pair attributes in the profile vpdn group tunnel share Step 6 Router config vpdn req...

Page 180: ...documentation for your RADIUS server Enabling the RADIUS Server to Conduct Tunnel Service Authorization To enable the RADIUS server to conduct dynamic tunnel service authorization perform the following tasks Configuring the RADIUS User Profile for Domain Preauthorization page 5 14 Configuring the RADIUS Service Profile for Tunnel Service Authorization page 5 15 Configuring the RADIUS User Profile ...

Page 181: ...5 9 Configuring the RADIUS Service Profile for Tunnel Service Authorization user net1 com profile_id 45 profile_cycle 18 member me radius Cisco check_items 2 cisco reply_attributes 9 1 vpdn tunnel id LAC 1 9 1 vpdn l2tp tunnel_password MySecret 9 1 vpdn tunnel type l2tp 9 1 vpdn ip addresses 10 16 10 10 6 5 Verifying the RADIUS Service Profile for Tunnel Service Authorization To verify the RADIUS ...

Page 182: ...elect load sharing among IP addresses The delimiter slash argument groups IP addresses on the left side in higher priority than the right side Example 5 10 VPDN IP Addresses RADIUS Freeware Format In the following example the LAC sends the First PPP session through a tunnel to 10 16 1 1 Second PPP session to 10 16 2 2 Third PPP session to 10 16 3 3 Fourth PPP session to 10 16 1 1 If the LAC fails ...

Page 183: ...d encryption hostname c10k_mc_10005_1 no logging console aaa new model aaa session id common enable password lab username LAC1 1 nopassword username LNS1 1 nopassword no spd enable facility alarm intake temperature major 49 facility alarm intake temperature minor 40 facility alarm core temperature major 53 facility alarm core temperature minor 45 card 1 0 1gigethernet 1 card 2 0 1oc12atm 1 card 3 ...

Page 184: ... 0 101 encapsulation dot1Q 101 ip address 103 1 1 1 255 255 255 0 interface ATM2 0 0 no ip address no ip mroute cache atm clock INTERNAL atm sonet stm 4 no atm auto configuration no atm ilmi keepalive no atm address registration no atm ilmi enable interface ATM3 0 0 atm pppatm passive no ip address no ip mroute cache atm clock INTERNAL atm sonet stm 4 no atm auto configuration no atm ilmi keepaliv...

Page 185: ...int to point pvc 41 107 encapsulation aal5snap protocol pppoe interface ATM3 0 0 41108 point to point pvc 41 108 encapsulation aal5snap protocol pppoe interface ATM3 0 0 41109 point to point pvc 41 109 encapsulation aal5snap protocol pppoe interface ATM3 0 0 41110 point to point pvc 41 110 encapsulation aal5snap protocol pppoe interface ATM3 0 0 41111 point to point pvc 41 111 encapsulation aal5sn...

Page 186: ...p protocol pppoe interface ATM3 0 0 41118 point to point pvc 41 118 encapsulation aal5snap protocol pppoe interface ATM3 0 0 41119 point to point pvc 41 119 encapsulation aal5snap protocol pppoe interface ATM3 0 0 41120 point to point pvc 41 120 encapsulation aal5snap protocol pppoe interface ATM3 0 0 41121 point to point pvc 41 121 encapsulation aal5snap protocol pppoe interface ATM3 0 0 41122 po...

Page 187: ...thentication pap ip default gateway 23 3 0 4 ip classless ip route 1 0 0 253 255 255 255 255 23 3 0 4 no ip http server ip pim bidir enable no cdp run radius server retransmit 3 radius server authorization permit missing Service Type line con 0 exec timeout 0 0 line aux 0 line vty 0 4 end Monitoring and Maintaining LAC To monitor and maintain the LAC enter the following commands in privileged EXEC...

Page 188: ...RFs before routing the packets as shown in Figure 5 3 Figure 5 3 Managed LNS Topology All of a service provider s subscribers do not share the same L2TP trunk interface Typically the Cisco 10000 router uses virtual local area networks VLANs to separate a service provider s subscriber traffic The Cisco 10000 series router can also use permanent virtual circuits PVCs or a separate physical interface...

Page 189: ...fined configuration template is used to configure a VAI The VAI is created and configured dynamically using the virtual template interface Using AAA RADIUS attributes can further define the VAI configuration The VAI uses the attributes of the virtual template to create the session which results in a VAI that is uniquely configured for a specific user When the user is done the VAI goes down and the...

Page 190: ...default values are used You configure all server operational parameters per host per server group or globally Per host configurations have precedence over per server group configurations Per server group configurations have precedence over global configurations RADIUS Attribute Screening The RADIUS Attribute Screening feature allows you to configure a list of accept or reject RADIUS attributes on ...

Page 191: ...an be done automatically as a service of the Internet service provider ISP This service is used to provide remote intranet access to the employees of a corporation ISPs collect usage information about the service which they then can use for billing purposes and for managing the network Tunnel accounting allows dial up usage information to be collected and stored at a central location When you enab...

Page 192: ...ne If authorization is done locally the LNS searches the VPDN groups If RADIUS authorization is to be done the RADIUS server makes a RADIUS request to the LNS This request includes the LAC host name and a hardwired password 4 The LNS checks RADIUS attributes 90 Tunnel Client Auth ID and 69 Tunnel Password If the value in attribute 90 is inconsistent with the LAC host name or the value in attribute...

Page 193: ...ion or accounting method listed in the method list This process continues until successful communication with a listed authentication or accounting method occurs or all methods defined in the method list are exhausted The Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method If authentication fails at any point...

Page 194: ...S To function as an LNS the Cisco 10000 series router has the following requirements Before you configure RADIUS tunnel accounting or authentication you must first Enable AAA on the LNS and the LAC by using the aaa new model global configuration command For more information see the AAA Overview chapter in the Cisco IOS Security Configuration Guide Release 12 2 Configure the LNS and LAC to communic...

Page 195: ...Router config terminal Enters global configuration mode Step 3 Router config interface virtual template number Creates a virtual template interface and enters interface configuration mode Step 4 Router config if ip vrf forwarding name Maps the virtual template interface to a VRF routing table Step 5 Router config if ip unnumbered loopback number Enables IP without assigning a specific IP address o...

Page 196: ...nal Configuration Tasks for LNS To configure the Cisco 10000 series router as an LNS perform as many of the following configuration tasks as desired All of these configuration tasks are optional Configuring per VRF AAA Services page 5 31 Configuring a VRF on the LNS page 5 36 Configuring Sessions per Tunnel Limiting on the LNS page 5 36 Configuring RADIUS Attribute Accept or Reject Lists page 5 37...

Page 197: ...nfigure private server operational parameters enter the following commands Command Purpose Step 1 Router enable Enters privileged EXEC mode Step 2 Router config terminal Enters global configuration mode Step 3 Router config aaa new model Enables AAA Command Purpose Step 1 Router enable Enters privileged EXEC mode Step 2 Router config terminal Enters global configuration mode Step 3 Router config a...

Page 198: ...s the VRF reference of the AAA RADIUS server group The vrf name argument is the name assigned to a VRF instance Command Purpose Command Purpose Step 1 Router enable Enters privileged EXEC mode Step 2 Router config terminal Enters global configuration mode Step 3 Router config aaa authentication ppp list name method1 method2 Specifies one or more AAA authentication methods for use on serial interfa...

Page 199: ...ervices for billing or security purposes when you use RADIUS The system default keyword performs accounting for all system level events not associated with users such as reloads The vrf vrf name keyword and argument specify a VRF configuration The network keyword runs accounting for all network related service requests The default keyword specifies the default accounting list none No accounting st...

Page 200: ...erial interface ms chap Enables Microsoft s version of CHAP MS CHAP on a serial interface pap Enables PAP on a serial interface The list name argument optional specifies the name of a list of methods of authentication to use This is the same name you specified in step 4 of the Configuring AAA for the VRF section on page 5 32 If no list name is specified the system uses the default Create the list ...

Page 201: ... of lower network traffic and fewer users Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use Step 10 Router config radius server attribute 44 include in access req vrf vrf name Sends RADIUS attribute 44 in access request packets before user authentication and enables the specification on a per VRF basis The vrf vrf name k...

Page 202: ...ute distinguisher Creates routing and forwarding tables Command Purpose Step 1 Router enable Enters privileged EXEC mode Step 2 Router config terminal Enters global configuration mode Step 3 Router config vpdn group group name Defines a local group name for which you can assign other VPDN variables Enters VPDN group configuration mode Step 4 Router config vpdn accept dialin Configures the LNS to a...

Page 203: ...rization network default group group name Sets parameters that restrict network access to the user Step 5 Router config aaa group server radius group name Groups different RADIUS server hosts into distinct lists and distinct methods and enters server group configuration mode Step 6 Router config sg radius server private ip address timeout seconds retransmit retries key string Configures the IP add...

Page 204: ...ng these periods decreases the likelihood that increased debug command processing overhead will affect system use Step 8 Router config sg radius exit Exits server group configuration mode Step 9 Router config radius server attribute list listname Defines the list name given to the set of attributes defined using the attribute command Define the listname argument to be the same as you defined it in...

Page 205: ...ou must configure the following attributes on the RADIUS server Acct Tunnel Connection Specifies the identifier assigned to the tunnel session This attribute and the Tunnel Client Endpoint and Tunnel Server Endpoint attributes provide a way to uniquely identify a tunnel session for auditing purposes Acct Tunnel Packets Lost Specifies the number of packets lost on a given link Command Purpose Step ...

Page 206: ...Tunnel Stop accounting record sent by the LNS to the RADIUS server Example 5 14 Tunnel Stop Accounting Record User Name LNS1 LAC1 NAS IP Address 23 1 2 10 Service Type Framed Framed Protocol PPP Ascend Multilink ID 2877 Ascend PreSession Time 0 Tunnel Type_tag0 L2TP Tunnel Medium Type_tag0 IPv4 Tunnel Client Endpoint_tag0 10 2 2 1 Tunnel Server Endpoint_tag0 10 2 2 2 Ascend Pre Input Packets 0 Asc...

Page 207: ...ation about RADIUS accounting attributes supported on the Cisco 10000 series router see Appendix A RADIUS Attributes For information about RADIUS attributes see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide Release 12 2 For more information on configuring RADIUS see your RADIUS user documentation Configuring Optional RADIUS Tunnel Accounting Features To configure RAD...

Page 208: ...nd Purpose Step 1 Router config aaa authorization network list name method1 method2 Sets parameters that restrict user access to a network The list name argument is a character string used to name the list of authentication methods tried when a user logs in The method1 method2 argument is at least one of the following keywords group radius Uses the list of all RADIUS servers for authentication gro...

Page 209: ...figuring AAA Scalability for PPP Requests Configuring ARAP Authentication Using AAA Configuring NASI Authentication Using AAA Specifying the Amount of Time for Login Input Enabling Password Protection at the Privileged Level Changing the Text Displayed at the Password Prompt Configuring Message Banners for AAA Authentication Configuring AAA Packet of Disconnect Enabling Double Authentication Enabl...

Page 210: ...lso configure an Outbound Service Type Service Type Outbound Note For information about RADIUS attributes supported on the Cisco 10000 series router see Appendix A RADIUS Attributes or see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide Release 12 2 For more information about configuring RADIUS see your RADIUS user documentation Example 5 15 is a RADIUS configuration t...

Page 211: ... server radius vpn1 server private 192 168 1 128 auth port 1645 acct port 1646 key cisco server private 192 168 2 128 auth port 1645 acct port 1646 timeout 10 retransmit 3 key Configures RADIUS attribute screening cisco1 authorization reject vpn1 autho list accounting reject vpn1 account list ip vrf forwarding vpn1 Configures private server parameters aaa group server radius vpn2 server private 19...

Page 212: ...nel retransmit timeout min 2 Associates the VRF with the interface interface Loopback1 ip vrf forwarding vpn1 ip address 10 1 1 1 255 255 255 255 interface Loopback2 ip vrf forwarding vpn2 ip address 10 1 2 1 255 255 255 255 interface FastEthernet0 0 0 no ip address shutdown Configures the interface used to connect to the LAC interface GigabitEthernet6 0 0 ip address 10 1 1 45 255 255 255 0 negoti...

Page 213: ...DIUS to use the IP address of a specified interface for all outgoing RADIUS packets ip radius source interface GigabitEthernet7 0 0 1 vrf vpn1 ip radius source interface GigabitEthernet7 0 0 2 vrf vpn2 no cdp run radius server retransmit is on by default and cannot be removed radius server retransmit 3 Configures optional features such as domain name stripping and RADIUS attribute filter radius se...

Page 214: ...spe 1 0 1 7 firmware location system ucode mica_port_firmware spe 2 0 2 9 firmware location system ucode mica_port_firmware resource pool disable clock timezone est 2 ip subnet zero no ip domain lookup ip host CALLGEN SECURITY V2 10 24 80 28 10 47 0 0 ip host dirt 172 16 1 129 vpdn enable vpdn tunnel accounting network m1 vpdn session accounting network m1 vpdn group 1 accept dialin protocol l2tp ...

Page 215: ...rver ip pim bidir enable dialer list 1 protocol ip permit no cdp run radius server host 172 16 192 80 auth port 1645 acct port 1646 key rad123 radius server retransmit 3 call rsvp sync RADIUS Tunnel Accounting Records Example 5 19 and Example 5 20 show RADIUS tunnel accounting record types Example 5 19 RADIUS Tunnel Accounting Record User Name gomer1 hello101 NAS IP Address 23 1 2 10 NAS Port 550 ...

Page 216: ...d 00000B42 Acct Authentic RADIUS Acct Session Time 45 Acct Input Packets 11 Acct Output Packets 12 Acct Terminate Cause User Request Acct Multi Session Id 00000B3D Acct Link Count 250 Tunnel Client Auth ID_tag0 LAC1 Tunnel Server Auth ID_tag0 LNS1 Ascend Connect Progress LAN Session Up NAS Port Type Virtual Acct Tunnel Connection 1088401809 Ascend Disconnect Cause PPP Rcv Terminate Req Ascend Num ...

Page 217: ...l Client Auth ID 0 myLACname Tunnel Password 0 mytunnelpassword Cisco Cisco Avpair vpdn vpdn vtemplate 10 Note For additional authentication examples see the Configuring Authentication chapter in the Cisco IOS Security Configuration Guide Release 12 2 Monitoring and Maintaining LNS To monitor and maintain the features configured on the LNS enter the following commands in privileged EXEC mode Command P...

Page 218: ...counting Displays information on accountable events as they occur Router debug aaa authorization Displays information on AAA authorization Router debug ppp chap Displays authentication protocol messages for Challenge Authentication Protocol CHAP packet exchanges This command is useful when a CHAP authentication failure occurs due to a configuration mismatch between devices Verifying and correcting...

Page 219: ...owing features PPPoE over Ethernet page 6 1 Static MAC Address for PPPoE page 6 5 PPPoE over IEEE 802 1Q VLANs page 6 7 TCP MSS Adjust page 6 12 VLAN Range page 6 15 For more information see the Configuring Broadband Access PPP and Routed Bridge Encapsulation chapter in the Cisco IOS Wide Area Networking Configuration Guide and the VLAN Range Release 12 2 13 T feature guide PPPoE over Ethernet The...

Page 220: ...onfigure the PPPoE over Ethernet feature perform the following configuration tasks Configuring a Virtual Template Interface page 6 2 Creating an Ethernet Interface and Enabling PPPoE page 6 3 Configuring PPPoE in a VPDN Group page 6 3 Configuring PPPoE in a BBA Group page 6 3 Configuring a Virtual Template Interface Configure a virtual template before you configure PPPoE on an Ethernet interface T...

Page 221: ...Release 12 2 15 BX does not support the configuration of BBA groups using RADIUS You must configure BBA groups manually Command Purpose Step 1 Router config interface GigabitEthernet number Creates an Ethernet interface and enters interface configuration mode Step 2 Router config if pppoe enable Enables PPPoE and allows PPPoE sessions to be created through that interface Command Purpose Step 1 Rou...

Page 222: ...TM connections when a BBA group name is not specified Step 2 Router config bba group virtual template template number Specifies the virtual template interface to use to clone virtual access interfaces VAIs Step 3 Router config bba group sessions per mac limit per MAC session limit Optional Specifies the maximum number of sessions per MAC address for each PPPoE port that uses the group Step 4 Route...

Page 223: ...enable Configures the virtual template interface interface Virtual Template1 ip unnumbered loop 0 mtu 1492 peer default ip address pool pool1 ppp authentication chap Specifies the IP local pool to use for address assignment ip local pool pool1 192 168 0 1 192 168 0 100 Example 6 2 creates a BBA group named vpn 1 and links it to virtual template 1 The vpn 1 BBA group is associated with VLAN 20 Exam...

Page 224: ...f five sessions from each MAC address If more than five sessions are attempted from this MAC address any sessions using that particular MAC address are throttled for 30 seconds Example 6 3 Throttling PPP Sessions Using the MAC Address bba group pppoe PPPoE virtual template 1 sessions per vc limit 32000 sessions per mac limit 32000 sessions per mac throttle 5 1 30 To get a list of the throttled MAC...

Page 225: ...and IEEE 802 1Q VLAN page 6 11 Clearing PPPoE Sessions page 6 12 Feature History for PPPoE over IEEE 802 1Q VLANs Restrictions for PPPoE over IEEE 802 1Q VLANs The PPPoE over IEEE 802 1Q VLANs feature has the following restrictions The Cisco 10000 series router currently supports the PPPoE over IEEE 802 1Q VLANs feature on Gigabit Ethernet line cards and Fast Ethernet 8 port half height line cards...

Page 226: ...To create an Ethernet 802 1Q encapsulated subinterface and enable PPPoE on it enter the following commands beginning in global configuration mode Configuring PPPoE in a VPDN Group To configure a VPDN group for PPPoE and link it to the appropriate virtual template interface enter the following commands beginning in global configuration mode Command Purpose Step 1 Router config interface GigabitEthe...

Page 227: ...ual access interfaces VAIs Step 6 Router config vpdn pppoe limit per vlan number Optional Specifies the maximum number of PPPoE sessions under each VLAN Step 7 Router config vpdn pppoe limit per mac per mac limit Optional Specifies the maximum number of sessions per MAC address for each PPPoE port that uses the group Step 8 Router config vpdn pppoe limit max sessions number Optional Specifies the ...

Page 228: ...E 802 1Q VLANs Enables a virtual private dial up network configuration on the router vpdn enable Creates a VPDN session group and links it to a virtual template vpdn group 1 accept dialin protocol pppoe virtual template 1 pppoe limit per mac 10 pppoe limit per vlan 100 pppoe limit max sessions 32000 interface Loopback0 ip address 172 16 0 1 255 255 255 255 interface GigabitEthernet1 0 0 no ip addr...

Page 229: ...r vc limit 5 sessions per mac limit 10 sessions per vlan limit 5 interface GigabitEthernet1 0 0 1 encapsulation dot1q 20 protocol pppoe group VPN_1 interface GigabitEthernet 2 0 0 2 encapsulation dot1q 30 protocol pppoe group VPN_2 Verifying PPPoE over Ethernet and IEEE 802 1Q VLAN To verify PPPoE over Ethernet and IEEE 802 1Q VLAN enter the following commands in privileged EXEC mode Command Purpo...

Page 230: ... across the path is enabled on the host sessions may be dropped because system administrators sometimes disable the ICMP error messages that must be relayed from the host in order for path MTU to work In most cases the optimum value for the max segment size argument is 1452 bytes This value plus the 20 byte IP header the 20 byte TCP header and the 8 byte PPPoE header add up to a 1500 byte packet t...

Page 231: ... the Cisco 10000 Series router specifically TCP segments in the SYN bit and to configure the MTU size of IP packets SUMMARY STEPS 1 enable 2 configure terminal 3 ip pxf adjust mss max segment size 4 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal...

Page 232: ...0 0 1 1 38437 peer MSS 500 MSS is 500 Sep 5 18 42 46 247 TCP sending SYN seq 580539401 ack 6015751 Sep 5 18 42 46 247 TCP0 Connection to 10 0 1 1 38437 advertising MSS 500 Sep 5 18 42 46 251 TCP0 state was SYNRCVD ESTAB 23 10 0 1 1 38437 The MSS gets adjusted to 500 on Router_B as configured The following example shows the configuration of a PPPoE client with the MSS value set to 1452 vpdn enable ...

Page 233: ...The commands you enter for a group of VLAN subinterfaces apply to each subinterface within the group and are applied to all existing VLANs By using the VLAN range feature you can also configure overlapping ranges of subinterfaces and an individual subinterface within a range of subinterfaces The VLAN Range feature is described in the following topics Feature History for VLAN Range page 6 15 Restri...

Page 234: ...face range global configuration command Cisco IOS software does not support the no interface range command To delete a range of subinterfaces you must delete the individual subinterfaces Configuration Task for VLAN Range To configure the VLAN range feature perform the following required configuration task Configuring a Range of VLAN Subinterfaces page 6 16 Configuring a Range of VLAN Subinterfaces...

Page 235: ...ation dot1q 301 Router config if range no shutdown Step 2 Router config int range encapsulation dot1q vlan id native Enables IEEE 802 1Q encapsulation of traffic and applies a unique VLAN ID to each subinterface within the range The vlan id argument is the virtual LAN identifier You must enter a value from 1 to 4095 Note VLAN ID 0 is a valid ID but is not a valid designation of a VLAN VLAN ID 0 is...

Page 236: ... show running config Displays the current configuration including information about the interfaces and subinterfaces configured on the router and the type of encapsulation configured for each interface Router show interface Displays information about all interfaces and subinterfaces configured on the router including the type of encapsulation configured for each interface Router show interface int...

Page 237: ...sco 10000 series router builds on the RBE on an unnumbered interface service model to enable you to configure IP unnumbered on IEEE 802 1Q VLANs Instead of using a VPI VCI pair to identify a subscriber route the Cisco 10000 series router maps a VLAN identifier to the subscriber on an Ethernet interface The Cisco 10000 series router supports the IP Unnumbered on IEEE 802 1Q VLANs feature Prior to C...

Page 238: ...Feature History for IP Unnumbered on VLANs Benefits for IP Unnumbered on VLANs The IP Unnumbered on VLANs feature benefits service providers in the following ways DSL providers can easily migrate their ATM networks to IP networks and migrate their DSLAMs from an ATM uplink to a Gigabit Ethernet uplink for connection to the router Using one router and the same service model providers can aggregate ...

Page 239: ...7 3 Configuring IP Unnumbered for a Range of Ethernet VLAN Subinterfaces page 7 4 Configuring IP Unnumbered for an Ethernet VLAN Subinterface To configure IP unnumbered for an Ethernet VLAN subinterface enter the following commands beginning in global configuration mode Command Purpose Step 1 Router config interface type number slot module port subinterface Configures a subinterface and enters sub...

Page 240: ...xample enables IP unnumbered on the Fast Ethernet 0 0 1 VLAN subinterface interface fastethernet0 0 1 encapsulation dot1q 101 ip unnumbered ethernet 0 Command Purpose Step 1 Router config interface range type number slot module port subinterface type number slot module port subinterface Configures a range of subinterfaces and enters subinterface range configuration mode Step 2 Router config subif ...

Page 241: ...toring and Maintaining IP Unnumbered Ethernet VLAN Subinterfaces To monitor and maintain IP unnumbered Ethernet VLAN subinterfaces enter any of the following commands in privileged EXEC mode Command Purpose Router show interfaces type number slot module port subinterface Displays information about the interface you specify Router show running config Displays the contents of the currently running c...

Page 243: ...e 8 14 ATM PVC Autoprovisioning The Cisco 10000 series router supports the ATM PVC Autoprovisioning feature By using this feature DSL wholesale service providers can use a local configuration to dynamically provision ATM service for subscribers Incoming traffic on the VPI VCI pair triggers virtual circuit VC creation The Cisco 10000 series router does not create the on demand VC until incoming tra...

Page 244: ...l result in cell headers from the SAR until the VC is opened Autoprovisioned ATM PVCs are not created until there is activity on the virtual path identifier VPI virtual channel identifier VCI pair When the interface is disabled and re enabled using the shutdown and no shutdown commands autoprovisioned PVCs that are part of a PVC range or infinite range are removed upon shutdown and are not reestab...

Page 245: ...5 command Idle timeout idle timeout command Integrated Local Management Interface ILMI management ilmi manage command Inverse ARP broadcasts protocol command Inverse ARP time period inarp command OAM management on a PVC oam pvc command OAM management parameters for re establishing and removing a PVC connection oam retry command PVC autoprovisioning create on demand command Queue depth queue depth ...

Page 246: ...lowing values supported by the router s ATM interfaces Maximum number of active VCs Maximum number of VPI combinations that can be configured Maximum number of VCI combinations that can be configured To allow the SAR to support the same VPI VCI values per interface and thus discriminate among the VCs the SAR translates the external VPI VCI values into an internal 32 bit logical header that include...

Page 247: ...story for ATM PVC Autoprovisioning Restrictions for ATM PVC Autoprovisioning The ATM PVC autoprovisioning feature has the following restriction The Segmentation and Reassembly SAR chip on the OC 3 and OC 12 ATM line cards is responsible for all physical ports on the line card Restrictions on how VCs are assigned might reduce the VC counts The ATM line cards use a pair of unidirectional SAR chips t...

Page 248: ...eating an On Demand PVC With Infinite Range page 8 11 Creating an On Demand PVC Using a VC Class To create an on demand PVC using a VC class perform the following tasks Creating a VC Class with PVC Autoprovisioning Enabled page 8 6 Applying the VC Class page 8 7 Creating a VC Class with PVC Autoprovisioning Enabled To create a VC class with the ATM PVC autoprovisioning feature enabled enter the fo...

Page 249: ...PVC enter the following commands beginning in global configuration mode Example 8 2 applies the VC class myclass to PVC 100 100 Example 8 2 Applying a VC Class to an Individual PVC Router config interface atm 3 0 0 1 multipoint Router config subif atm pppatm passive Router config subif pvc 100 100 Router config subif atm vc class vc myclass Applying a VC Class to a Range of PVCs To apply a VC clas...

Page 250: ... vc myclass Creating an On Demand PVC Directly To configure an on demand PVC directly on an individual PVC a PVC range or a specific PVC within PVC range perform the following tasks Enabling ATM PVC Autoprovisioning on an Individual PVC page 8 9 Enabling ATM PVC Autoprovisioning on a Range of PVCs page 8 9 Enabling ATM PVC Autoprovisioning on a Specific PVC Within a PVC Range page 8 10 Step 2 Rout...

Page 251: ...rface atm slot 0 subinterface number multipoint point to point Specifies the ATM interface and enters interface or subinterface configuration mode Step 2 Router config if pvc name vpi vci Specifies the ATM PVC and enters atm vc configuration mode Step 3 Router config if atm vc create on demand Enables PVC autoprovisioning on the individual PVC Step 4 Router config if atm vc idle timeout time out i...

Page 252: ...idle timeout The Cisco 10000 series router waits until the traffic on a particular VC is processed before tearing down the VC even if you specify the minimum traffic in kbps option or if the VC is idle during the idle timeout period Command Purpose Command Purpose Step 1 Router config interface atm slot 0 subinterface number multipoint point to point Specifies the ATM interface and enters interfac...

Page 253: ...lass Router config vc class create on demand Router config vc class idle timeout 300 Router config int atm 3 0 0 Router config if class int myclass Command Purpose Step 1 Router config vc class atm name Creates a VC class and enters vc class configuration mode Step 2 Router config vc class create on demand Enables PVC autoprovisioning Note Configure additional VC parameters as appropriate For more...

Page 254: ... Example 8 9 show atm pvc Command Router show atm pvc VCD Peak Avg Min Burst Interface Name VPI VCI Type Encaps SC Kbps Kbps Cells Sts 5 0 111 7 0 50 PVC A SNAP UBR 149760 UP 5 0 111 8 0 51 PVC A SNAP UBR 149760 UP 5 0 111 9 0 52 PVC A SNAP UBR 149760 UP Command Purpose Router show atm pvc Displays information about ATM PVCs such as the interface VPI VCI type and encapsulation PVC A PVC Automatic ...

Page 255: ...nPktDrops 0 OutPktDrops 0 CrcErrors 0 SarTimeOuts 0 OverSizedSDUs 0 LengthViolation 0 CPIErrors 0 Out CLP 1 Pkts 0 OAM cells received 0 F5 InEndloop 0 F5 InSegloop 0 F5 InAIS 0 F5 InRDI 0 F4 InEndloop 0 F4 InSegloop 0 F4 InAIS 0 F4 InRDI 0 OALM cells sent 0 F5 OutEndloop 0 F5 OutSegloop 0 F5 OutRDI 0 F4 OutEndloop 0 F4 OutSegloop 0 F4 OutRDI 0 OAM cell drops 0 Status UP PPP Virtual Access3 from Vi...

Page 256: ...es a fraction of the physical capacity unless a large number of VCs remain busy the overall network utilization remains low In Cisco IOS Release 12 3 7 XI1 or later the VBR nrt Oversubscription feature enables you to specify the amount of oversubscription oversubscription factor you want to allow The CAC check is based on the oversubscription factor you specify and evaluated sepa...

Page 257: ...45 40 and 15 percent The distribution of bandwidth for each VC might be less than expected based on the speed of the VC Typically low speed VCs are allocated the expected bandwidth while high speed VCs share the remaining bandwidth equally The amount of bandwidth allocated for the PQ or latency might be less than expected Oversubscription Feature Oversubscription of the ATM interfaces is off by de...

Page 258: ...OS Release 12 3 7 XI2 or later releases is shown in Table 8 2 You can configure the maximum number of VCs across the ports in any fashion provided that you do not exceed the per port maximum Although the maximum number of VBR CBR and shaped UBR VCs per E3 DS3 and OC 3 ATM line card is 28 672 VCs the router supports a maximum of 22 204 VBR CBR and shaped UBR VCs per line card that you can place wit...

Page 259: ...le 8 11 oversubscribes an ATM interface by five times the physical transmission capacity Example 8 11 Oversubscribing an ATM VC Router config interface atm 4 0 0 Router config if atm over subscription factor 5 Verifying ATM PVC Oversubscription To verify the configuration of ATM PVC oversubscription enter any of the following commands in privileged EXEC mode Command Purpose Router config if atm ov...

Page 260: ...M Permanent Virtual Circuit Autoprovisioning Variable Bit Rate Non Real Time Oversubscription Configuration Example for ATM PVC Oversubscription The following example oversubscribes an ATM interface by 10 times the physical transmission capacity interface atm 4 0 0 atm over subscription factor 10 ...

Page 261: ...e IP type of service TOS field for tunneled IP packets Each L2TP data packet and IP packet has a TOS field When the router creates an L2TP data packet the TOS field sets to zero normal service ignoring the TOS field of the encapsulated IP packet being tunneled To preserve quality of service for tunneled packets the Cisco 10000 router supports the configuration of accept dialin and request dialout ...

Page 262: ...onfiguration Examples for Multihop page 9 8 Monitoring and Maintaining Multihop Configurations page 9 9 Feature History for Multihop Subscribers ISP Corporate network ISP Corporate network ATM network Service provider ISP core routers Edge router LAC LNS LNS LNS ISP core routers LNS LNS LNS Cisco 10000 ESR 87061 LAC LAC LAC Edge router Cisco IOS Release Description Required PRE 12 2 15 BX This fea...

Page 263: ...example you cannot apply an ACL or a service policy to the sessions To preserve the IP TOS field of tunneled IP packets the following restrictions apply The Cisco 10000 router supports only the L2TP tunneling protocol The tunneled link must carry IP to preserve the TOS field The Cisco 10000 router does not support proxy PPP dialin Required Configuration Tasks for Multihop To configure the Multihop...

Page 264: ...virtual template number Specifies the virtual template interface to use to clone the new virtual access interface Step 7 Router config vpdn acc in exit Returns to VPDN group mode Step 8 Router config vpdn terminate from hostname remote hostname Specifies the host name of the remote LAC that is required when accepting a VPDN tunnel The remote hostname must match the remote hostname configured in St...

Page 265: ...tion tasks Configuring an Accept Dialin VPDN Group to Preserve IP TOS page 9 6 Configuring a Request Dialout VPDN Group to Preserve IP TOS page 9 7 Step 6 Router config vpdn req in multihop hostname ingress tunnel name Initiates a tunnel based on the LAC s hostname or ingress tunnel ID Step 7 Router config vpdn req in exit Returns to VPDN group mode Step 8 Router config vpdn initiate to ip ip addr...

Page 266: ...DN configuration mode Step 2 Router config vpdn accept dialin Accepts tunneled PPP connections from the LAC and creates an accept dialin virtual private dialup network VPDN subgroup Step 3 Router config acc in protocol l2tp Specifies the Layer 2 Tunnel Protocol L2TP that the VPDN subgroup will use Note L2TP is the only protocol that supports dialout and IP TOS preservation Step 4 Router config vpd...

Page 267: ...col L2TP that the VPDN subgroup will use Note L2TP is the only protocol that supports dialout and IP TOS preservation Step 4 Router config vpdn req out pool member pool number OR Router config vpdn req out rotary group group number Specifies the dialer profile pool or dialer rotary group to use to dial out Note You can only configure one dialer profile pool or one dialer rotary group Attempting to...

Page 268: ...on creates a vpdn group named multihop0 which identifies the L2TP tunnel terminating from the LAC The multihop0 tunnel only accepts dialin connections from the LAC and identifies itself by using the local name Home Gateway 1 HGW1 7 On the LNS side the MH configuration creates a vpdn group named multihop1 which initiates an L2TP tunnel to the LNS at IP address 31 1 1 2 The multihop1 vpdn group requ...

Page 269: ...hop1 request dialin protocol l2tp multihop hostname LAC1 initiate to ip 31 1 1 2 priority 1 local name HGW1 l2tp tunnel password 7 0507070D LNS Configuration vpdn enable vpdn group tunnel1 accept dialin protocol l2tp virtual template 1 terminate from hostname HGW1 local name LNS1 l2tp tunnel password 7 04570A04 l2tp tunnel receive window 100 l2tp tunnel retransmit timeout min 2 interface Virtual T...

Page 270: ...access number Displays information about the virtual access interface LCP protocol states and interface statistics The following information indicates a normal working status for the virtual access interface indicates the number of the VAI Virtual Access is up line protocol is up Router clear vpdn tunnel l2tp remote name local name Shuts down a specific tunnel and all the sessions within the tunne...

Page 271: ...N Group 1206019602tunnel5est45 1 5 5170111tunnel5 LocIDRemIDTunIDIntfUsernameStateLast Chg 3 312060SSSCircuitu n5est2d19h 2 212060SSSCircuitu n5est2d19h 4 412060SSSCircuitu n5est2d19h 5 512060SSSCircuitu n5est2d19h 6 612060SSSCircuitu n5est2d19h 7 712060SSSCircuitu n5est2d19h 8 812060SSSCircuitu n5est2d19h 9 912060SSSCircuitu n5est2d19h 10 1012060SSSCircuitu n5est2d19h 11 1112060SSSCircuitu n5est2...

Page 272: ...pulsed for 5 seconds on reset LCP Open multilink Open Open IPCP Last input 00 02 30 output never output hang never Last clearing of show interface counters 1d19h Queueing strategy fifo Output queue 0 40 0 drops input queue 21 75 0 drops 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 55930 packets input 3347967 bytes 0 no buffer Received 0 broadcasts 0 ru...

Page 273: ...an address mechanism that provides for route summarization To enhance IP address space management the Cisco 10000 series router supports the following address pool features On Demand Address Pool Manager page 10 4 Provides an address assignment mechanism that dynamically resizes address pools and permits efficient route summarization Overlapping IP Address Pools page 10 16 Enables you to use multi...

Page 274: ... summarization avoids lengthy VRF and default routing tables Summarized routes correspond to all subnets present in the address pool The summarized routes are configured in the VRF associated with the address pool Limitations of a Local Address Pool A drawback to local address pools is that because they are statically configured the pool might be poorly utilized or it might run out of addresses Th...

Page 275: ...h router Remote users have limited connectivity during the time it takes for BGP to propagate a newly configured route to all PE routers DHCP Based Address Assignment Dynamic Host Configuration Protocol DHCP servers allocate IP addresses to remote users eliminating the need to configure users individually DHCP also provides all the parameters that user systems require to operate and exchange infor...

Page 276: ...PE router in the provider network When an ODAP is configured the pool manager for the PE router initiates a request to the central server for an initial subnet for a specific ODAP The pool manager then monitors the utilization of the ODAP If the utilization of the pool exceeds a high utilization threshold high utilization mark the pool manager requests an additional subnet from the central server ...

Page 277: ...cated subnet The pool manager takes no action if it does not find a releasable subnet If the high utilization mark is reached by releasing the subnet the pool manager does not release the subnet Regardless of the instantaneous utilization level the pool manager never releases the first leased subnet until it disables the ODAP On Demand Address Pools for MPLS VPNs The on demand address pool manager...

Page 278: ...initial subnet from the address pool server upon configuration of the on demand address pool ODAP Prerequisites for On Demand Address Pool Manager The on demand address pool manager feature has the following requirements You can choose to specify a VRF for an ODAP If you do you must configure the VRF first and then configure the VRF in the ODAP If you do not configure a VRF in the pool the pool is...

Page 279: ...bal configuration mode Example 10 2 configures two on demand DHCP address pools green_pool and red_pool The green_pool address pool is associated with the Green VRF and the red_pool address pool is associated with the Red VRF Both pools obtain their subnet addresses from an external DHCP server Command Purpose Router config ip address pool dhcp pool Enables on demand address pooling as the global ...

Page 280: ...ubnets from the RADIUS server enter the following commands in global configuration mode These commands configure the AAA client on the Cisco 10000 router Command Purpose Step 1 Router config aaa new model Enables AAA access control Step 2 Router config aaa authorization configuration default group radius Downloads static route configuration information from the AAA server using RADIUS Step 3 Route...

Page 281: ... 300 1 route target export 300 1 route target import 300 1 interface Ethernet1 1 ip address 172 16 1 12 255 255 255 0 duplex half Command Purpose Step 1 Router config ip radius source interface subinterface name Forces the Cisco 10000 router to use the IP address of the specified interface for all outgoing RADIUS packets Step 2 Router config radius server host ip address auth port port number acct...

Page 282: ... of the following optional configuration tasks Defining ODAPs on an Interface page 10 10 Configuring ODAPs to Obtain Subnets Through IPCP Negotiation page 10 11 Disabling ODAPs page 10 11 Defining ODAPs on an Interface To configure the on demand address pool manager feature on an interface enter the following commands beginning in global configuration mode Note When you configure the on demand add...

Page 283: ...isable an ODAP all leased subnets are released If active PPP sessions are using addresses from the released subnets those sessions are reset DHCP clients leasing addresses from the released subnets are not able to renew their leases Command Purpose Step 1 Router config ip dhcp pool name Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode Step 2 Router ...

Page 284: ...l The subnet request was scheduled because the Leased addresses count exceeds the high utilization mark of the pool Current index Indicates the subnet address to be allocated next to the pool In Example 10 5 three subnets are currently added The Current index for the first two subnets is 0 0 0 0 indicating that each of these subnets has used all its available addresses Note The Green pool and the ...

Page 285: ...es 6 Leased addresses 0 Pending event none 1 subnet is currently in the pool Current indexIP address rangeLeased addresses 172 16 0 1172 16 0 1 172 16 0 60 Example 10 6 uses the show ip dhcp binding command to display the bindings from the Green pool The example indicates the following Type On demand Indicates that the address binding is created for a PPP session Lease expiration Infinite Indicate...

Page 286: ...674 312d 7465 7374 InfiniteOn demand 2d39 3732 36 172 16 0 105674 312d 7465 7374 InfiniteOn demand 2d31 3637 172 16 0 115674 312d 7465 7374 InfiniteOn demand 2d39 3137 36 172 16 0 125674 312d 7465 7374 InfiniteOn demand 2d37 3838 30 172 16 0 135674 312d 7465 7374 InfiniteOn demand 2d32 3339 37 172 16 0 145674 312d 7465 7374 InfiniteOn demand 2d31 3038 31 172 16 0 175674 312d 7465 7374 InfiniteOn d...

Page 287: ...p address pool my_pool ip verify unicast reverse path shutdown hold queue 32 in Monitoring and Maintaining an On Demand Address Pool To monitor and maintain an ODAP enter the following commands in privileged EXEC mode Command Purpose Router clear ip dhcp pool name binding address Deletes an automatic address binding or objects for a specific pool from the DHCP server database Router clear ip dhcp ...

Page 288: ...eature enables you to use multiple IP address spaces and reuse IP addresses among different VPNs supported on the Cisco 10000 router Duplicate IP addresses cannot reside in the same IP address space To uniquely place IP addresses within a given IP address space multiple address spaces are assigned to IP address groups This also allows for the verification of nonoverlapping IP address pools within ...

Page 289: ...le duplicate addresses You should only use this feature in environments such as MPLS VPN where multiple IP address spaces are supported Configuration Tasks for Overlapping IP Address Pools To configure the IP overlapping address pools feature configure a local pool group as described in Configuring a Local Pool Group for IP Overlapping Address Pools Configuring a Local Pool Group for IP Overlappin...

Page 290: ...tem group No overlapping addresses occur within any group including the unnamed base system group which consists of pools lp1 and lp2 ip local pool p1_g1 10 1 1 1 10 1 1 50 group grp1 ip local pool p2_g1 10 1 1 100 10 1 1 110 group grp1 ip local pool p1_g2 10 1 1 1 10 1 1 40 group grp2 ip local pool lp1 10 1 1 1 10 1 1 10 ip local pool p3_g1 10 1 2 1 10 1 2 30 group grp1 ip local pool p2_g2 10 1 1...

Page 291: ...e name of the group In this example Pool group vpn1 consists of pools p1_vpn1 p2_vpn1 and p3_vpn1 Pool group vpn2 consists of pools p1_vpn2 p2_vpn2 Pools lp1 and lp2 are members of the base system The IP address 10 1 1 1 overlaps vpn1 vpn2 and the base system group No overlapping addresses occur within any group including the unnamed base system group which consists of pools lp1 and lp2 ip local p...

Page 293: ...hat this feature provides is a mapping of user domain names to local AAA profiles This allows AAA attributes to be applied to the PPP session as part of the PPP session establishment These local AAA attributes are RADIUS attributes that would normally be defined on a Radius Server but now are defined locally on the router Subscriber profiles are used to match user domain names and on a match to us...

Page 294: ...Cisco IOS Security Configuration Guide Cisco IOS Release 12 2 Establishing a PPP Connection The following example describes the sequence of events involved in setting up AAA authentication authorization and accounting when a PPP connection is established and a local AAA server is used AAA Authentication Figure 11 1 shows the AAA authentication set up when establishing a PPP connection Figure 11 1 ...

Page 295: ...PP client AAA Authorization Figure 11 2 shows the AAA authorization set up when establishing a PPP connection Figure 11 2 AAA Authorization In the figure the PPP client requests an IP address using PPP IPCP to the BRAS The BRAS does a match of the domain to a local profile This local profile contains the VRF to assign to this PPP session The BRAS replies back to the PPP client with an IP address f...

Page 296: ...isco IOS AAA format of the attribute You must convert the attributes from RADIUS format to Cisco IOS AAA format Converting from RADIUS Format to Cisco IOS AAA Format Use the show aaa attribute protocol radius command to get the Cisco IOS AAA format of the IETF RADIUS Attribute This provides a complete list of all the aaa attributes supported The following is an example where you need to convert th...

Page 297: ...ile domain name service local aaa attribute list aaa attribute list name Command Purpose Router config aaa attribute list aaa attribute list name Defines an AAA attribute list locally on the router This attribute list is applied to the PPP session aaa attribute name is the name of the local AAA attribute list Router config aaa attribute type name value service ppp protocol ip atm vpdn tag Defines ...

Page 298: ...p method list name group radius aaa authorization network method list name local if authenticated aaa accounting network method list name start stop group radius aaa attribute list domain name attribute type ppp authen list method list name attribute type ppp author list method list name attribute type ppp acct list method list name Configuration Tasks for Local AAA Server User Database Domain to ...

Page 299: ...ault local Required to allow the definition of the AAA authorization list in the AAA attribute list Command Purpose Command Purpose Step 1 Router config radius server host ip address auth port 1645 acct port 1646 key password Defines the Radius server that AAA authentication authorization and accounting requests are sent to Step 2 Router config radius server attribute nas port format d Defines NAS...

Page 300: ...dress Command Purpose Step 1 Router config ip local pool start address end address Defines an IP pool from which the PPP sessions are assigned IP addresses Command Purpose Step 1 Router config subscriber authorization enable Enables subscriber authorization Step 2 Router config subscriber profile domain name Specifies the user name domain to match Step 3 Router config service local Specifies to perform loc...

Page 301: ... name cisco2 com uses the parameters defined in the subscriber profile cisco2 com The name of the subscriber profile must be identical to the domain part of the full username username domain An attribute list cisco2 com defined in the service profile is used to reference aaa attributes for the PPP subscribers Subscriber cisco2 com is applied with AAA attributes from AAA attribute list cisco2 com A...

Page 302: ...bute type ip unnumbered loopback2 service ppp protocol ip attribute type vrf id vrf2 service ppp protocol ip attribute type ppp authen list test2 attribute type ppp author list test2 attribute type ppp acct list test2 ip dhcp pool dhcp pool vrf vrf1 network 101 1 0 0 255 255 0 0 default router 100 1 1 1 lease 0 2 30 ip vrf vrf1 rd 1 1 route target export 1 1 route target import 1 1 ip vrf vrf2 rd ...

Page 303: ...5 255 0 duplex auto interface FastEthernet6 0 1 ip vrf forwarding vrf2 ip address 192 168 2 202 255 255 255 0 duplex auto interface Virtual Template1 no ip address no logging event link status no snmp trap link status ppp mtu adaptive ppp authentication chap callin ip local pool pppoe2 12 1 1 1 12 1 250 1 ip radius source interface FastEthernet6 0 0 1 vrf vrf1 ip radius source interface FastEthern...

Page 304: ...authorization being used and the results of these methods debug aaa per user displays information about per user QoS parameters debug ppp negotiation shows PPP negotiation debug messages debug ppp authen indicates if a client is passing authentication debug ppp error displays protocol errors and error statistics associated with PPP connection negotiation and operation debug ppp forward displays wh...

Page 305: ...Filtering and Firewalls in the Cisco IOS Security Configuration Guide Release 12 2 This chapter describes the following features IP Receive ACLs page 12 1 Time Based ACLs page 12 4 IP Receive ACLs The IP Receive ACLs feature provides basic filtering capability for traffic that is destined for the router and protects the router from remote intrusions To restrict access to the router you apply a num...

Page 306: ...red ACL You cannot use a named ACL as the receive ACL The rules for numbered ACLs also apply to the access control entries ACEs of receive ACLs Time based and reflexive ACLs are not supported as receive ACLs Only traffic processed by the RP is filtered Traffic that is processed exclusively by the Forwarding Processor FP is not filtered For example GRE tunneled packets L2TP tunneled packets and som...

Page 307: ...es receive ACLs and begins filtering packets destined for the router Step 2 Router config access list access list number deny permit source source wildcard log or Router config access list access list number dynamic dynamic name timeout minutes deny permit protocol source source wildcard destination destination wildcard precedence precedence tos tos log log input time range time range name Defines...

Page 308: ...define when the permit and deny statements in the ACL are in effect Both named and numbered access lists can reference a time range When you create a time range you can specify both absolute and periodic time entries The periodic command in time range configuration mode allows you to specify the days of the week and the time of day that the access control entry ACE is active The absolute command i...

Page 309: ...days of the week hh mm Optional Defines the periodic times that the time range is active Valid values for days of the week are Monday Tuesday Wednesday Thursday Friday Saturday and Sunday You can also specify daily for Monday through Sunday weekdays for Monday through Friday and weekend for Saturday and Sunday The hh mm argument specifies hours minutes in a 24 hour format For example 8 00 is 8 00 ...

Page 310: ...nded access control list ACL enter the following commands beginning in global configuration mode Example 12 4 permits SMTP traffic to access the mail host 128 88 1 2 on Monday through Sunday between the hours of 5 00 a m and 11 59 p m if the traffic belongs to an already established connection The example creates the time range named smtp and applies it to the ACE of the extended access list n...

Page 311: ...amed ACL Router config time range no ftp Router config time range periodic daily 9 00 to 15 00 Router config ip access list extended strict Router config ext nacl deny tcp any any eq 21 time range no ftp Router config ext nacl exit Router config interface ethernet 0 Router config if ip access group strict in Command Purpose Step 1 Router config ip access list standard extended access list name Def...

Page 312: ... p m on January 1 2001 time range forever absolute start 12 00 1 January 2001 ip access list extended allusers permit tcp any any eq 25 time range forever The following example permits UDP traffic until noon on December 31 2000 The ACL entry will no longer allow UDP traffic after that date and time time range stop udp absolute end 12 00 31 December 2000 ip access list extended usa permit udp any a...

Page 313: ...ACLs The following configuration example permits UDP traffic on Saturday and Sunday from 8 00 a m on January 1 1999 to 6 00 p m on December 31 2001 time range udp absolute start 8 00 1 January 1999 end 18 00 31 December 2001 periodic weekends 00 00 to 23 59 ip access list extended boothbay permit udp any any time range udp ...

Page 315: ...et The specific uRPF path validation criteria that is used to determine path consistency is dependent upon the particular uRPF mode enabled on an interface Table 13 1 shows two uRPF modes which are supported by Cisco 10000 series routers If the path is Valid the packet will be passed Invalid the packet is silently discarded uRPF uses the Cisco Express Forwarding CEF Forwarding Information Base FIB...

Page 316: ... same router because multihoming defeats the purpose of building a redundant service for the client Customers must ensure that the packets flowing up the link out to the Internet match the route advertised out the link Otherwise Unicast RPF filters those packets as malformed packets Unicast RPF is available only for platform images that support CEF Unicast RPF is supported in Cisco IOS Releases 11...

Page 317: ...ic interface by using the no ip route cache cef interface command that enables all but that specific interface to use express forwarding If you have disabled CEF operation on an interface and want to reenable it you can use the ip route cache cef command in interface configuration mode Step 2 Router config if interface type Selects the input interface on which you want to apply Unicast RPF This is...

Page 318: ...f packets getting dropped by the router using the following commands Caution Because debugging output is assigned high priority in the CPU process it can render the system unusable For this reason use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco Systems technical support personnel Moreover it is best to use debug commands during periods of low...

Page 319: ...a NULL 0 because the address is then considered as spoof Example 13 2 shows the total of dropped or suppressed packets at a specific interface using the show ip interface command Example 13 2 show ip interface Command Router show ip interface gigabitEthernet 8 1 0 GigabitEthernet8 1 0 is up line protocol is up Internet address is 80 1 1 1 24 Broadcast address is 255 255 255 255 Address determined ...

Page 320: ...rop interface Command router sh pxf cpu statistics drop g8 1 0 FP drop statistics for GigabitEthernet8 1 0 packets bytes vcci undefined 0 0 bad vlan id 0 0 vcci 9E6 in l2 max mtu 0 0 in l2 min mtu 0 0 encap not supported 0 0 mlfr fragament 0 0 mpls not enabled 0 0 ip version 0 0 ip header length 0 0 ip length max 0 0 ip length min 0 0 ip checksum 0 0 fib rpf fail 0 0 acl denied 0 0 ttl 0 0 unreach...

Page 321: ...ss allow self ping Allow router to ping itself opens vulnerability in verification cr Router config if ip verify unicast source reachable via any Router config if end Example 13 5 shows how you can use the show router interface command for verifying that Loose Mode uRPF has been configured on a router Example 13 5 Verifying Loose Mode uRPF on 8 1 0 interface Router sh ru interface gig8 1 0 interfa...

Page 322: ...ure Loose Mode uRPF with the allow default option Example 13 7 Loose Mode uRPF with the allow default option Router conf t Enter configuration commands one per line End with CNTL Z Router config int g8 1 0 Router config if ip verify unicast source reachable via any allow default Router config if end Router sh ru int gig8 1 0 interface GigabitEthernet8 1 0 ip address 80 1 1 1 255 255 255 0 ip verif...

Page 323: ... of channel signal or manual intervention In a multirouter environment the Multirouter APS MR APS feature allows the protect SONET interface to reside in a different router from the working SONET interface The protection mechanism used for this feature has a linear 1 1 architecture as described in the Bellcore publication TR TSY 000253 SONET Transport Systems Common Generic Criteria Section 5 3 Th...

Page 324: ...idth connection In a router configured for multirouter APS the configuration for the protect interface includes the IP address of the router normally its loopback address that has the working interface This chapter describes the MR APS feature in the following topics Feature History for MR APS page 14 20 Restrictions for MR APS page 14 21 Configuration Tasks for MR APS page 14 21 Monitoring and Ma...

Page 325: ...al configuration mode Command Purpose Step 1 Router config redundancy Enters redundancy configuration mode which allows you to associate two line cards as a redundant pair Step 2 Router config r associate slot slot one mr aps Logically associates slots for APS processor redundancy To allow MR APS to operate you must associate a slot on the working interface of one router with a corresponding p...

Page 326: ...e router with a corresponding protect interface on a second router Step 3 Router config r exit Exits redundancy configuration mode and returns to global configuration mode Step 4 Router config controller SONET slot subslot port Specifies the interface type and number Enters controller configuration mode Step 5 Router config controller aps group group number Permits more than one APS protect an...

Page 327: ... 3 0 0 aps group 1 aps protect 1 10 7 7 7 Configuring MR APS with Static Routes To configure MR APS with static routes perform the following procedures Configuring MR APS with Static Routes on Unchannelized Line Cards page 14 23 Configuring MR APS with Static Routes on Channelized Line Cards page 14 25 Configuring MR APS with Static Routes on Unchannelized Line Cards To optionally configure MR APS...

Page 328: ...mand allows you to filter link outages and to not report them as a link down event if they occur before the carrier delay timer expires In MR APS system performance can be enhanced if link down event messages are kept to a minimum Step 8 Router config if aps group group number Permits more than one APS protect and working interface to be supported on a router Step 9 Router config if aps working ci...

Page 329: ...troller configuration mode Step 6 Router config controller ip route static update immediate Optional Specifies that static routes will be added to the routing table immediately after the interface becomes active Step 7 Router config controller carrier delay seconds msec seconds Sets the carrier delay timer value in seconds or milliseconds This command allows you to filter link outages and to not r...

Page 330: ...multirouter APS working interface Example 14 2 Configuring MR APS with Static Routes Router A working interface configure terminal interface atm 1 0 0 ip address 10 7 7 7 255 255 255 0 ip route static update immediate carrier delay msec 8 redundancy associate slot 2 mr aps interface atm 2 0 0 aps group 1 aps working 1 ip route static update immediate carrier delay msec 8 ip route 172 16 1 0 255 25...

Page 331: ...hen the active line card fails the redundant line card takes over SR APS 1 1 support for line cards with multiple ports such as the OC 3 POS is port to port The PRE transmits data to both the active and the redundant line card When a port fails on the active line card the corresponding port on the redundant line card takes over In addition to port failovers multiple port line cards support line ca...

Page 333: ...l SR APS configuration information 2 The software creates two configurations one for the primary card and one for the protect card Table 14 1 shows examples of configuration files with redundancy enabled and disabled Cisco IOS Release Description Required PRE 12 0 21 ST This feature was introduced on the Cisco 10000 series router PRE1 12 2 13 BZ This feature was integrated into Cisco IOS Release 1...

Page 334: ... 1 interface POS5 0 0 ip address 5 5 5 5 255 255 255 0 no ip directed broadcast ip mtu 1500 loopback internal no keepalive crc 32 clock source internal pos scramble atm pos threshold sd ber 5 pos flag c2 0 pos flag j0 0 interface POS6 0 0 ip address 6 6 6 6 255 255 255 0 no ip directed broadcast ip mtu 1500 no ip route cache cef no keepalive Command Purpose Router show aps Displays the status of t...

Page 335: ...ame SLOF critical alarms and Line Alarm Indicate Signal LAIS major alarms Specifying SR APS Signal Degrade BER Threshold Use the aps signal degrade BER threshold command to modify the bit error rate threshold that if exceeded triggers an APS cutover aps signal degrade BER threshold value no aps signal degrade Where value can be in the range of 10 5 to 10 9 Enter this value as a single digit betwee...

Page 336: ...Specifying SR APS Signal Fail BER Threshold Use the aps signal fail BER threshold command to modify the bit error rate threshold that if exceeded causes an APS cutover aps signal fail BER threshold value no aps signal degrade Where value can be in the range of 10 3 to 10 5 Enter this value as a single digit between 3 and 5 The default signal fail BER threshold value is 10 3 Use the no form of the ...

Page 337: ...ols to implement IP multicast routing Internet Group Management Protocol IGMP Used between hosts on a LAN and the router s on that LAN to track the multicast groups of which hosts are members Protocol Independent Multicast PIM Used between routers so that they can track which multicast packets to forward to each other to their directly connected LANs Distance Vector Multicast Routing Protocol DVMR...

Page 338: ...tation of multicast traffic The Cisco 10000 series router does not support fragmentation on Multicast Distribution Tree MDT To avoid fragmentation we recommend that the value of MDT Maximum Transmission Unit MTU is set to a maximum of 64000 Configuration Tasks for IP Multicast Routing To configure basic IP multicast routing perform the following tasks Enabling IP Multicast Routing page 15 35 Enabl...

Page 339: ...ains the current IP multicast service mode of receiver initiated membership Enabling PIM on an interface also enables IGMP operation on that interface Configure an interface in one of the following modes Dense mode Sparse mode Sparse dense mode The mode determines how the Cisco 10000 router populates its multicast routing table and how it forwards multicast packets it receives from its directly co...

Page 340: ...d splitting see the configuration document located at the following URL http www cisco com en US docs ios ipmulti configuration guide imc_load_splt_ecmp_ps6350_TSD_ Products_Configuration_Guide_Chapter html Note A caveat exists for Cisco 10000 series routers you should not configure native multicast load splitting for PE devices running EIBGP as this can result in a loss of traffic Configuring the...

Page 341: ...Service policy input COPP Class map copp PIM match any 3261 packets 224098 bytes 5 minute offered rate 0 bps drop rate 0 bps Match access group name acl copp PIM 3261 packets 224098 bytes 5 minute rate 0 bps Police 64000 bps 8000 limit 16000 extended limit conformed 17 packets 1254 bytes action transmit exceeded 0 packets 0 bytes action transmit violated 0 packets 0 bytes action transmit Command P...

Page 342: ...15 38 Cisco 10000 Series Router Software Configuration Guide OL 2226 23 Chapter 15 Configuring IP Multicast Configuration Tasks for IP Multicast Routing ...

Page 343: ...000 series router Accepts and processes all standard RADIUS attributes Rejects all standard RADIUS attributes Before you configure a RADIUS accept or reject list enable AAA using the aaa new model command in global configuration mode For more information see the Cisco IOS Command Summary Volume 2 of 3 Release 12 2 The Cisco 10000 series router supports the RADIUS Attribute Screening feature in the...

Page 344: ...ever you can specify attribute 26 Vendor Specific in an accept or reject list which will accept or reject all VSAs Required Attributes Required attributes in a reject list are allowed to pass through Do not reject the following required attributes Authorization 6 Service Type and 7 Framed Protocol Accounting 4 NAS IP Address 40 Acct Status Type 41 Acct Delay Time and 44 Acct Session ID Note When yo...

Page 345: ... an accept list for attribute 6 Service Type and attribute 7 Framed Protocol All other attributes including VSAs are rejected for RADIUS authorization aaa new model aaa authentication ppp default group radius sg aaa authorization network default group radius sg aaa group server radius radius sg server 10 1 1 1 authorization accept min author radius server host 10 1 1 1 key mykey1 radius server att...

Page 346: ...o the reject list Router debug aaa authorization AAA ACCT 6 Accounting method radius sg radius RADIUS attribute 44 cannot be rejected RADIUS attribute 61 rejected RADIUS attribute 31 rejected RADIUS attribute 40 cannot be rejected RADIUS attribute 41 cannot be rejected Caution Because debugging output is assigned high priority in the CPU process it can render the system unusable For this reason us...

Page 347: ...s Configuring RADIUS Transmit Retries To configure RADIUS transmit retries enter the following command in global configuration mode Note For more information about available options for the radius server command see the Cisco IOS Command Reference documentation for Cisco IOS Release 12 2 Configuration Example for RADIUS Transmit Retries Example 16 1 configures the router to retransmit up to 5 time...

Page 348: ...d NAS Port ID RADIUS attribute 87 were changed in the Extended NAS Port Type Attribute Support feature The Extended NAS Port Type Attribute Support feature is described in the following topics Feature History for Extended NAS Port Type and NAS Port Support page 16 45 NAS Port Type RADIUS Attribute 61 page 16 45 NAS Port RADIUS Attribute 5 page 16 46 NAS Port ID RADIUS Attribute 87 page 16 46 P...

Page 349: ...to track users on given ports differently Service providers may especially want to track customers using shared resources such as Ethernet or ATM interfaces that have VLANs or Q in Q and VCs connected to certain customers The configuration command radius server attribute 61 extended enables identifying the following new non RFC compliant broadband service port types that are indicated by the follo...

Page 350: ...g routine will depend on the value of the NAS Port Type for the session Therefore if you use the extended NAS Port Type values values 30 34 you should also configure format e to use them If you do not use the extended NAS Port Type support then you should use the old values specifically value 5 for Virtual and value 15 for Ethernet service port types Configuring back to these port types can also a...

Page 351: ...outer config radius server attribute nas port format e SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUU First configure a default NAS Port format e string that will be used as the default format by a session that has a NAS Port Type which is not customized for a specific service port type value Specify a format string in configurable format e Format e requires you to explicitly define the usage of the 32 bits of ...

Page 352: ...to specify different format strings to represent different physical types of ports on the Cisco 10000 for any of the extended NAS Port Type values For example you can specify the string SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC for type 30 all PPPoA ports yet you can also specify string SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV for type 33 all PPPoAoVLAN ports In this case the service provider can track VPI VCI spe...

Page 353: ...PPPUUUUUUUUUUUUUUUUUUUUUUUU Command Purpose Step 1 Router config interface atm 5 0 0 1 Enters ATM subinterface mode Step 2 Router config subif pvc 1 33 Enters PVC subinterface mode Step 3 Router config if atm vc radius attribute nas port type value To set a different extended NAS Port Type value for an interface or subinterface select a value for a port type to override the NAS Port type configure...

Page 354: ... port format e SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC type 30 radius server host 10 76 86 91 auth port 1645 acct port 1646 radius server key rad123 Configuration Examples for Extended NAS Port Type Attribute Support The following examples show how to configure global support for Extended NAS Port Type ports and to specify two separate e format strings globally but for two different types of ports type 3...

Page 355: ...History for PPPoX Calling Station ID page 16 51 Calling Station ID Formats page 16 51 Restrictions for PPPoX Calling Station ID page 16 52 Related Documents for PPPoX Calling Station ID page 16 53 Configuration Tasks for PPPoX Calling Station ID page 16 53 Configuration Example for PPPoX Calling Station ID page 16 54 Related Commands for PPPoX Calling Station ID page 16 55 Feature History for PPPo...

Page 356: ...modifications to their dictionary files to allow the Calling Station ID attribute to be presented correctly in the RADIUS logs This feature supports only RADIUS TACACS is not supported Currently PPPoEoVLAN and PPPoEoQinQ do not provide information on VLAN tags only the MAC address is provided to the RADIUS server RADIUS attribute 31 Calling Station ID is not supported for L2TP Network Server LNS e...

Page 357: ...To verify the Calling Station ID perform the following task in EXEC mode use the debug radius command in privileged EXEC mode The debug radius command verifies that RADIUS attribute 31 Calling Station ID is in the ACCESS REQUEST and ACCOUNTING REQUEST Example 16 2 shows sample output of the debug radius command Caution Because debugging output is assigned high priority in the CPU process it can re...

Page 358: ...4 43 259 RADIUS Calling Station Id 31 35 c10k xtnet com my_interface 00b0 c2ef 8400 Sep 14 14 54 43 259 RADIUS Service Type 6 6 Framed 2 Sep 14 14 54 43 259 RADIUS NAS IP Address 4 6 10 0 0 119 Configuration Example for PPPoX Calling Station ID The following PPP termination aggregation PTA and L2TP access concentrator LAC example shows how to configure your LAC for preauthorization by downloading ...

Page 359: ...clude in access req radius server host 10 0 0 8 auth port 1645 acct port 1646 key cisco Related Commands for PPPoX Calling Station ID RADIUS Packet of Disconnect The RADIUS Packet of Disconnect feature consists of a method for terminating a session that has already been connected This packet of disconnect POD is a RADIUS access_request packet and is intended to be used in situations where the auth...

Page 360: ...f Disconnect feature is discussed in the following topics Feature History for RADIUS Packet of Disconnect page 16 56 Benefits for RADIUS Packet of Disconnect page 16 56 Restrictions for RADIUS Packet of Disconnect page 16 56 Related Documents for RADIUS Packet of Disconnect page 16 57 Prerequisites for RADIUS Packet of Disconnect page 16 57 Configuration Tasks for RADIUS Packet of Disconnect page ...

Page 361: ...figuration Guide Release 12 2 Cisco Access Registrar 3 5 Installation and Configuration Guide RFC 2865 Remote Authentication Dial in User Service Prerequisites for RADIUS Packet of Disconnect Configure AAA as described in Cisco IOS Security Configuration Guide Cisco IOS Release 12 2 Configuration Tasks for RADIUS Packet of Disconnect To configure the RADIUS Packet of Disconnect feature perform the...

Page 362: ... sessions to be disconnected when specific session attributes are presented client ip address Optional Registers the IP address of all the clients who can send POD requests If not set it can receive a POD request from any client port number Optional The network access server User Datagram Protocol UDP port to use for POD requests Default value is 1700 auth type Optional The type of authorization ...

Page 363: ...n Router 4d18h POD Attribute List 4d18h 6291C598 0 00000009 username 336 8 pod_user 4d18h 7085EE1C 0 00000001 nas ip address 439 4 23 3 7 3 4d18h 4d18h POD 2 0 0 210 user pod_user 0 0 0 0 sessid 0x0 key 0x0 4d18h POD Line User IDB Session Id Key 4d18h POD Skip NULL 0 0 0 0 0x363 0x0 4d18h POD KILL Virtual pod_user 104 1 2 38 0x421A 0xD4105397 4d18h POD Skip Virtual NULL 0 0 0 0 0x421B 0x0 4d18h PO...

Page 364: ...16 60 Cisco 10000 Series Router Software Configuration Guide OL 2226 23 Chapter 16 Configuring RADIUS Features RADIUS Packet of Disconnect ...

Page 365: ...e History of Cisco 10000 Series Router PXF Stall Monitor page 17 61 Information about Cisco 10000 Series Router PXF Stall Monitor page 17 61 Restrictions for Cisco 10000 Series Router PXF Stall Monitor page 17 63 Configuring Cisco 10000 Series Router PXF Stall Monitor page 17 64 Configuration Example of Cisco 10000 Series Router PXF Stall Monitor page 17 65 Feature History of Cisco 10000 Series Ro...

Page 366: ...request On the PXF to LC path shown in Figure 17 2 an IB Stuck Pause Request error is detected by the Nickel driver This error occurs when the LC egress data path does not function correctly When this error occurs the Nickel driver restarts the Iron Bus If the error repeats from the same LC within 4 seconds the entire LC is reloaded Control path The RP and LCs are connected on the Backplane Ethern...

Page 367: ...imary and Secondary Actions Restrictions for Cisco 10000 Series Router PXF Stall Monitor The Cisco 10000 Series Router PXF Stall Monitor feature has the following restrictions For LCs using Vanadium and Nickel10G chips there is enhanced detection logic using the LC FIB TIB counter provided by Vanadium Nickel10G However for LCs using Barium chips the LC FIB TIB counter is not used in the detection ...

Page 368: ...t 6 show pxf stall monitoring counters reset active status cob fib cob tib pxf drop subslot sub slot DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters the global configuration mode Step 3 hw module pxf stall monitoring Example Router config hw m...

Page 369: ...er line End with CNTL Z Router config hw module pxf stall monitoring HT Reset 5 Router config hw module pxf stall monitoring LC Reset 4 Router config exit Step 5 exit Example Router config exit Exits the global configuration mode Step 6 show pxf stall monitoring counters reset active status cob fib cob tib pxf drop subslot sub slot Example Router show pxf stall monitoring Displays the current conf...

Page 370: ...Slot 3 Subslot 1 Cob TIB 1280 Cob FIB 0 PXF Drop 0 Slot 3 Subslot 2 Cob TIB 4975 Cob FIB 10370 PXF Drop 0 Slot 3 Subslot 3 Cob TIB 5172 Cob FIB 13840 PXF Drop 0 Slot 5 Subslot 0 Cob TIB 102077261 Cob FIB 0 PXF Drop 0 Slot 5 Subslot 1 Cob TIB 19888 Cob FIB 0 PXF Drop 0 Slot 6 Subslot 0 Cob TIB 0 Cob FIB 0 PXF Drop 0 Slot 6 Subslot 1 Cob TIB 2486 Cob FIB 0 PXF Drop 0 Slot 7 Subslot 0 Cob TIB 0 Cob F...

Page 371: ... 2226 23 Chapter 17 Cisco 10000 Series Router PXF Stall Monitor Configuration Example of Cisco 10000 Series Router PXF Stall Monitor Slot 5 Subslot 1 0 Slot 6 Subslot 0 0 Slot 6 Subslot 1 0 Slot 7 Subslot 0 0 Slot 7 Subslot 1 0 Slot 8 Subslot 0 0 Slot 8 Subslot 1 0 ...

Page 373: ...ure History of SSO BFD page 18 69 Information about SSO BFD page 18 69 Restrictions of SSO BFD page 18 71 Monitoring and Maintaining SSO BFD page 18 72 Configuration Examples of SSO BFD page 18 72 Feature History of SSO BFD Information about SSO BFD Network deployments have dual route processor RP routers and switches to provide redundancy These routers have a graceful restart mechanism that prote...

Page 374: ... functions that are invoked at regular intervals The callback or notification function starts when the data path is established and packets can be transmitted out of an interface BFD HA Process The BFD High Availability HA process is a platform independent effort for the SSO BFD feature to enhance the BFD protocol to be stateful The BFD HA process maintains sessions on the standby RP if those sess...

Page 375: ...ntervals that is set earlier This process continues until the control plane on the new active RP is activated and the BFD protocol receives the RF_PROG_ACTIVE_FAST event Once that occurs the BFD spawns its own pseudo preemptive process The BFD protocol does not start the detect timers and echo timers for sessions when it starts receiving packets If it has not received packets from peer routers th...

Page 376: ...interval 999 min_rx 999 multiplier 5 bfd interval 999 min_rx 999 multiplier 6 bfd interval 500 min_rx 500 multiplier 8 Note The no bfd echo command is configured to enable or disable the echo mode When the echo mode is enabled the no ip redirect command must be configured under interfaces that are enabled with the BFD protocol Command Purpose Router show enhanced timers Displays status of the valu...

Page 377: ... ip redirect pvc 1 101 encapsulation aal5snap ip address 20 1 2 1 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo interface serial5 0 0 1 1 ip address 20 1 4 1 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo ip route static bfd GigabitEthernet1 1 0 1 20 1 1 2 ip route static bfd ATM4 0 0 1 20 1 2 2 ip route static bfd serial5 0 0 1 1 20 1 4 2 ip route static b...

Page 378: ...vrf vpn1005 rd 75 1005 route target export 75 1005 route target import 75 1005 interface GigabitEthernet1 0 0 1 no ip redirect encapsulation dot1q 101 second dot1q 500 ip vrf forwarding vpn1001 ip address 20 1 1 2 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo interface GigabitEthernet1 0 0 5 no ip redirect encapsulation dot1q 105 ip vrf forwarding vpn1005 ip address 20 1 5 2 2...

Page 379: ...art time 120 bgp graceful restart stalepath time 360 bgp graceful restart neighbor 2 2 2 2 remote as 75 neighbor 2 2 2 2 update source Loopback0 address family ipv4 no synchronization redistribute connected neighbor 2 2 2 2 activate no auto summary exit address family address family vpnv4 neighbor 2 2 2 2 activate neighbor 2 2 2 2 send community both exit address family address family ipv4 vrf vpn...

Page 380: ...ncapsulation aal5snap interface Serial5 0 0 1 1 no ip redirect ip address 20 1 4 1 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo router bgp 71 no synchronization bgp log neighbor changes bgp graceful restart restart time 120 bgp graceful restart stalepath time 360 bgp graceful restart network 30 1 1 0 mask 255 255 255 0 neighbor 20 1 1 2 remote as 75 neighbor 20 1 1 2 ha mode ...

Page 381: ...e GigabitEthernet1 0 0 1 no ip redirect encapsulation dot1Q 1001 second dot1q 500 ip vrf forwarding vpn1001 ip address 20 1 1 2 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo interface GigabitEthernet1 0 0 2 no ip redirect encapsulation dot1Q 1002 ip vrf forwarding vpn1002 ip address 20 1 2 2 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo interface ATM8 0 0 ...

Page 382: ... no auto summary exit address family address family vpnv4 neighbor 2 2 2 2 activate neighbor 2 2 2 2 send community both exit address family address family ipv4 vrf vpn1001 no synchronization redistribute connected neighbor 20 1 1 1 remote as 71 neighbor 20 1 1 1 ha mode sso neighbor 20 1 1 1 fall over bfd neighbor 20 1 1 1 activate exit address family address family ipv4 vrf vpn1002 no synchroniz...

Page 383: ...et1 1 0 1 no ip redirect encapsulation dot1q 101 second dot1q 500 ip address 20 1 1 1 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo interface GigabitEthernet1 1 0 5 no ip redirect encapsulation dot1q 105 ip address 20 1 5 1 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo interface ATM4 0 0 1 point no ip redirect pvc 1 101 encapsulation aal5snap ip address 20...

Page 384: ... 1 1 log adjacency changes nsf ietf network 1 1 1 1 0 0 0 0 area 0 network 50 0 0 0 0 255 255 255 area 0 mpls ldp router id Loopback0 force ip vrf vpn1001 rd 75 1001 route target export 75 1001 route target import 75 1001 ip vrf vpn1002 rd 75 1002 route target export 75 1002 route target import 75 1002 ip vrf vpn1004 rd 75 1004 route target export 75 1004 route target import 75 1004 ip vrf vpn1005...

Page 385: ...s system 1 nsf redistribute bgp 75 metric 10000 100 255 1 1500 network 20 1 1 0 0 0 0 255 bfd all interfaces router eigrp 2 nsf address family ipv4 vrf vpn1002 autonomous system 2 nsf redistribute bgp 75 metric 10000 100 255 1 1500 network 20 1 2 0 0 0 0 255 bfd all interfaces router eigrp 4 nsf address family ipv4 vrf vpn1004 autonomous system 4 nsf redistribute bgp 75 metric 10000 100 255 1 1500...

Page 386: ... 4 exit address family address family ipv4 vrf vpn1005 redistribute eigrp 5 exit address family end SSO BFD with ISIS Example Example 18 7 and Example 18 8 show the configuration example of the SSO BFD feature with an Integrated Intermediate System to Intermediate system ISIS client in a non VPN scenario Note The SSO BFD feature with ISIS is supported only on non VPN scenarios Example 18 7 SSO BFD...

Page 387: ...9 multiplier 5 no bfd echo int l0 ip address 1 1 1 1 255 255 255 255 ip router isis Example 18 8 SSO BFD with an ISIS Client on Router 2 Router 2 router isis net 99 0000 0000 0002 00 nsf ietf nsf interval 0 bfd all interfaces int g1 0 0 1 no ip redirect encap dot1q 101 ip address 192 168 1 2 255 255 255 0 ip router isis bfd interval 999 min_rx 999 multiplier 5 no bfd echo int g1 0 0 2 no ip redire...

Page 388: ...1 Qinq interface interface GigabitEthernet1 1 0 1 no ip redirect encapsulation dot1q 101 second dot1q 500 ip address 20 1 1 1 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo dot1q interface interface GigabitEthernet1 1 0 5 no ip redirect encapsulation dot1q 105 ip address 20 1 5 1 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo ATM interface interface ATM4 0 0...

Page 389: ...er PE1 mpls ldp graceful restart mpls label protocol ldp interface Loopback0 ip address 1 1 1 1 255 255 255 255 interface GigabitEthernet2 0 0 ip address 50 0 0 1 255 0 0 0 negotiation auto mpls ip mpls label protocol ldp router ospf 50 router id 1 1 1 1 log adjacency changes nsf ietf network 1 1 1 1 0 0 0 0 area 0 network 50 0 0 0 0 255 255 255 area 0 mpls ldp router id Loopback0 force 4 vpns for...

Page 390: ...9 min_rx 999 multiplier 5 no bfd echo ATM interface interface ATM8 0 0 1 point no ip redirect pvc 1 101 encapsulation aal5snap ip vrf forwarding vpn1002 ip address 20 1 2 2 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 no bfd echo Serial interface interface serial5 0 0 1 1 no ip redirect ip vrf forwarding vpn1004 ip address 20 1 4 2 255 255 255 0 bfd interval 999 min_rx 999 multiplier 5 n...

Page 391: ...2 2 remote as 75 neighbor 2 2 2 2 update source Loopback0 address family ipv4 no synchronization redistribute connected neighbor 2 2 2 2 activate no auto summary exit address family address family vpnv4 neighbor 2 2 2 2 activate neighbor 2 2 2 2 send community both exit address family address family ipv4 vrf vpn1001 redistribute ospf 1 vrf vpn1001 exit address family address family ipv4 vrf vpn100...

Page 392: ...18 88 Cisco 10000 Series Router Software Configuration Guide OL 2226 23 Chapter 18 SSO BFD Configuration Examples of SSO BFD ...

Page 393: ...whether the error parameter associated with the selected link has exceeded its predefined threshold The LNM feature is described in the following sections Feature History of Link Noise Monitoring page 19 1 Restrictions for Link Noise Monitoring page 19 1 Configuration Tasks for Link Noise Monitoring page 19 2 Verification Example for Link Noise Monitoring page 19 5 Feature History of Link Noise Mo...

Page 394: ...rated by the RP increases the load on the router CPU and the syslog server A low duration value averages out errors and leads to inaccurate results The Cisco 10000 series router only supports a maximum of 4000 T1 links An LC supports 336 T1 links and a SPA supports 772 T1 links When many events are exchanged between the LC and RP some events can get lost The LNM feature does not account for lost e...

Page 395: ...ber The T1 interface number from 1 to 28 minor warn Enables link warning minor monitoring on the link major warn Enables link warning major monitoring on the link remove Enables Link Removal monitoring on the link lcv value The Line Code Violation LCV threshold value in bit error per second The valid range on a T1 link is 5 to 1544 seconds The valid range on an E1 link is 7 to 2048 seconds The def...

Page 396: ...sonet Router config controller clock source internal Router config controller path 1 controller t3 Router config controller exit Router config controller t3 7 0 0 1 Router config controller t1 1 channel group 0 timeslots 1 24 Once a T1 E1 is created LNM can be configured using span CLI Router config controller t1 1 bert Start BERT test channel group Specify a channel group mapping on a T1 interfac...

Page 397: ...managing noisy T1 spans yellow Yellow Alarm Configuration for a T1 Example of a Syslog Message The following is a sample output of a generated fault notification on a serial interface LNM 3 MINWARNEXCEED Interface Serial7 0 0 1 1 0 noise exceeded above minor warning threshold Verification Example for Link Noise Monitoring Example 3 shows the sample output when the LNM feature is configured Use t...

Page 398: ...sco 10000 Series Router Software Configuration Guide OL 2226 23 Chapter 19 Configuring Link Noise Monitoring About Link Noise Monitoring 15 Channel not configured for E1 T1 16 Channel not configured for E1 T1 ...

Page 399: ...cing the number of networks that need managing Cisco nonstop forwarding NSF with stateful switchover SSO is effective at increasing availability of network services Cisco NSF with SSO provides continuous packet forwarding even during a network processor hardware or software failure In a redundant system the secondary processor recovers control plane service during a critical failure in the primary...

Page 400: ...ayer 2 packets over MPLS See the Standards and RFCs section on page 20 5 for the specific standards that AToM follows This benefits the service provider who wants to incorporate industry standard methodologies in the network Other Layer 2 solutions are proprietary which can limit the service provider s ability to expand the network and can force the service provider to use only one vendor s equipm...

Page 401: ... MPLS Note Functionally both HDLC over MPLS and Frame Relay port to port connections are the same Cisco IOS Release Description Required PRE 12 2 28 SB This feature was introduced on the Cisco 10000 series router PRE2 12 2 31 SB2 Support was added for the PRE3 PRE3 12 2 31 SB2 Ethernet to VLAN over AToM Bridged functionality was added PRE2 PRE3 12 2 33 SB The following L2VPN features were added on...

Page 402: ... AToM is directly mapped to a TE tunnel Note For L2VPN LS it is not necessary to configure The label distribution protocol to be Label Distribution Protocol LDP Label switched paths LSPs between the PE routers using the mpls ip command Supported Line Cards Table 20 1 lists line cards supported by the Cisco 10000 series router Table 20 1 Cisco 10000 Series Line Cards that Support L2VPN Transport Ty...

Page 403: ...rcuit is smaller than the size of MTU in the core The following L2VPN features are not supported ATM cell switching of any kind ATM AAL5 PDU mode Fragmentation and reassembly as defined in PWE3 Fragmentation and Reassembly draft ietf pwe3 fragmentation 05 txt February 2004 Sequence number support in the control word Tunnel stitching Pseudowire termination Standards and RFCs L2VPN conforms to the i...

Page 404: ...trol plane state and data plane provisioning information for the attachment circuits ACs and AToM pseudowires PWs are checkpointed to the standby RP to provide NSF for AToM L2VPNs Table 20 3 MIBs Supported by L2VPN Transport Type MIB ATM AAL5 SDU support over MPLS MPLS LDP MIB MPLS LDP MIB my ATM MIB ATM MIB my CISCO AAL5 MIB CISCO AAL5 MIB my Cisco Enterprise ATM Extension MIB CISCO ATM EXT MIB m...

Page 405: ...ting debug messages for AToM show acircuit checkpoint command To display the AC checkpoint information show mpls l2transport checkpoint command To display if checkpointing is allowed the quantity of AToM VCs that were bulk synced on the active RP and the quantity of AToM VCs that have checkpoint data on the standby RP show mpls l2transport vc detail command To display details of VC checkpointed in...

Page 406: ... en US docs ios 12_2s feature guide fsatomha html wp1098561 Restrictions for NSF SSO L2VPN For information on this topic see the Restrictions for AToM NSF section in the NSF SSO Any Transport over MPLS and Graceful Restart document at http www cisco com en US docs ios 12_2s feature guide fsatomha html wp1068923 Configuring NSF SSO L2VPN For information on this topic see the How to Configure AToM N...

Page 407: ...net1 1 0 xconnect 10 9 9 9 123 encap mpls pw class atom_eth interface POS6 1 0 ip address 10 1 1 1 255 255 255 0 mpls ip mpls label protocol ldp clock source internal crc 32 interface Loopback0 ip address 10 8 8 8 255 255 255 255 no shutdown router ospf 10 nsf ietf network 10 8 8 8 0 0 0 0 area 0 network 19 1 1 1 0 0 0 0 area 0 ip cef redundancy mode sso mpls ldp graceful restart mpls ip mpls labe...

Page 408: ...use it conflicts with the connect command Interworking is not supported on HDLC PPP interfaces Only same speed interfaces should be connected to avoid arbitrary packet drops due to a higher speed interface overrunning a lower speed one For some HDLC PPP applications which are sensitive to time delay the PE may introduce some network delay enough to prevent the HDLC PPP link from coming up because ...

Page 409: ...asks and Examples You can configure the L2VPN Local Switching HDLC PPP feature on a PE router using the following steps 1 config t 2 interface serial slot subslot port channel id 3 encapsulation hdlc 4 interface serial slot subslot port channel id 5 encapsulation hdlc 6 connect connection name interface interface The following example shows you how to configure the L2VPN Local Switching HDLC PPP f...

Page 410: ...Relay over MPLS page 20 28 Configuring Frame Relay to Frame Relay Local Switching page 20 31 Configuring HDLC and PPP over MPLS page 20 36 Estimating the Size of Packets Traveling Through the Core Network page 20 37 Setting Experimental Bits with AToM page 20 38 Configuring QoS Features page 20 40 Setting Up the Pseudowire AToM Circuit The successful transmission of the Layer 2 frames between PE r...

Page 411: ...hod as part of the xconnect command The pseudowire class configuration group specifies the characteristics of the tunneling mechanism including Encapsulation type Control protocol Payload specific options Step 2 Router config interface interface type interface number Defines the interface or subinterface on the PE router Step 3 Router config if encapsulation encapsulation type Specifies the encaps...

Page 412: ...ommand Example 20 4 shows sample output for this command Example 20 4 show mpls l2transport vc Command Output Router show mpls l2transport vc Local intf Local circuit Dest address VC ID Status ATM1 0 ATM AAL5 1 100 4 4 4 4 100 UP Configuring ATM to ATM PVC Local Switching The following ATM line cards are supported for Cisco 10000 series routers 4 port OC 3 STM 1 8 port E3 DS3 Command Purpose Step ...

Page 413: ...th PE routers to enable OAM cell emulation After you enable OAM cell emulation on a router you can configure and manage the ATM VC in the same manner as you would a terminated VC A VC that is configured with OAM cell emulation can send loopback cells at configured intervals toward the local CE router The endpoint can be either of the following End to end loopback which sends OAM cells to the local...

Page 414: ...ommands beginning in global configuration mode Command Purpose Step 1 Router config interface type slot port Specifies the interface by type slot and port number and enters interface configuration mode Step 2 Router config if pvc name vpi vci l2transport Creates or assigns a name to an ATM PVC The l2transport keyword indicates that the PVC is a switched PVC instead of a terminated PVC Enters L2 Tr...

Page 415: ... OAM Cell Emulation on an ATM PVC In Example 20 8 the show atm pvc command shows that OAM cell emulation is enabled on the ATM PVC Example 20 8 show atm pvc Command Output Router show atm pvc 5 500 ATM4 1 0 200 VCD 6 VPI 5 VCI 500 UBR PeakRate 1 AAL5 LLC SNAP etype 0x0 Flags 0x34000C20 VCmode 0x0 OAM Cell Emulation enabled F5 End2end AIS Xmit frequency 1 second s OAM frequency 0 second s OAM retry...

Page 416: ... class and enters VC class configuration mode Step 2 Router config vc class encapsulation layer type Configures the ATM adaptation layer AAL and encapsulation type Step 3 Router config vc class oam ac emulation enable ais rate Enables OAM cell emulation for AAL5 over MPLS The ais rate variable lets you specify the rate at which AIS cells are sent The range is 0 to 60 seconds The default is 1 secon...

Page 417: ...am ac emulation enable 30 oam pvc manage interface atm1 0 pvc 1 200 l2transport class vc oamclass xconnect 13 13 13 13 100 encapsulation mpls Example 20 11 shows how to configure OAM cell emulation for ATM AAL5 over MPLS in VC class configuration mode The VC class is then applied to an interface One PVC is configured with OAM cell emulation at an AIS rate of 10 That PVC uses the AIS rate of 10 ins...

Page 418: ...re port is automatically placed in promiscuous mode The promiscuous mode is removed only when the last Ethernet over MPLS in VLAN mode circuit associated with that controller is removed The AToM control word is supported However if the peer PE router does not support a control word the control word is disabled This negotiation is done by LDP label binding Ethernet packets with hardware level cycli...

Page 419: ... Ethernet over MPLS in port mode enter the following commands beginning in global configuration mode Command Purpose Step 1 Router config interface gigabitethernet slot interface subinterface Specifies the Gigabit Ethernet subinterface and enters subinterface configuration mode Make sure the subinterface on the adjoining CE router is on the same VLAN as this PE router Step 2 Router config subif en...

Page 420: ...ample 20 13 show mpls l2transport vc Command Output Router show mpls l2transport vc Local intf Local circuit Dest address VC ID Status Gi4 0 1 Eth VLAN 2 11 1 1 1 2 UP Gi8 0 1 Ethernet 11 1 1 1 8 UP If you issue the show mpls l2transport vc detail command the output is similar to that shown in Example 20 14 Example 20 14 show mpls l2transport vc detail Command Output Router show mpls l2transport vc det...

Page 421: ... Q in Q AToM In Metro Ethernet deployment in which CE routers and PE routers are connected through an Ethernet switched access network packets that arrive at PE routers can contain up to two IEEE 802 1q VLAN tags one inner VLAN tag which identifies the customer and another outer VLAN tag which denotes the customer s service provider This technique of allowing multiple VLAN tagging on the same Ethe...

Page 422: ...onnection Rewriting Inner and Outer VLAN Tags on QinQ Frames When managing incoming AToM Ethernet QinQ traffic the Cisco 10000 edge router 1 Strips off the MPLS labels 2 Allows the customer to rewrite both the inner and outer VLAN IDs before sending the packets to the egress QinQ interface Note this capability is provided only for AToM like to like Ethernet QinQ traffic Support for these features ...

Page 423: ...interface GigabitEthernet1 0 0 201 encapsulation dot1q 201 second dot1q any xconnect 23 0 0 16 430 encapsulation mpls Note Ambiguous inner VLAN IDs are not supported in this release Verifying QinQ AToM Example 20 17 shows the command output of the show mpls l2transport vc command which is used to verify the VC set up in EoMPLS QinQ mode Example 20 17 show mpls l2transport vc Command Output Local i...

Page 424: ...CE2 in an up state 5 When the remote link and EoMPLS connection is restored the PE2 router enables the transmit laser 6 The CE2 router brings up its downed interface Restrictions for Configuring Remote Ethernet Port Shutdown The following restrictions pertain to the Remote Ethernet Port Shutdown feature For Cisco IOS Release 12 2 33 SB this feature is implemented for port mode Ethernet over MPLS c...

Page 425: ...height Gigabit Ethernet MAC Controller address is 0009 b68f 9b18 bia 0009 b68f 9b18 MTU 1500 bytes BW 1000000 Kbit DLY 10 usec router sh ip interface brief Interface IP Address OK Method Status Protocol FastEthernet0 0 0 24 3 8 1 YES NVRAM up up GigabitEthernet1 0 0 unassigned YES NVRAM L2 Tunnel remote down up GigabitEthernet2 0 0 30 1 1 1 YES manual up up Enter show controller and show controlle...

Page 426: ...MPLS in the following ways Configuring Frame Relay over MPLS with DLCI to DLCI Connections page 20 28 Configuring Frame Relay over MPLS with Port to Port Connections page 20 29 Enabling Other PE Devices to Transport Frame Relay Packets page 20 30 Configuring Frame Relay over MPLS with DLCI to DLCI Connections To configure Frame Relay over MPLS with DLCI to DLCI connections enter the following comm...

Page 427: ...th Port to Port Connections interface serial5 0 encapsulation hdlc xconnect 10 0 0 1 123 encapsulation mpls Step 6 Router config connect connection name interface dlci l2transport Defines connections between Frame Relay PVCs and enters connect submode Using the l2transport keyword specifies that the PVC will not be a locally switched PVC but will be tunneled over the backbone network The connectio...

Page 428: ...ble LMI reports that the status is Active which means that all interfaces line protocols and core segments are operational between the reporting device and the Frame Relay end user device If any of those components is not available the LMI reports a status of Inactive Note Only the DCE and NNI interface types can report LMI status Figure 20 6 is a sample topology that illustrates how LMI works Fig...

Page 429: ...g configuration instructions see the Configuring the LMI section of the Configuring Frame Relay document Configuring Frame Relay to Frame Relay Local Switching Frame Relay switching is a means of switching packets based upon the data link connection identifier DLCI which can be looked upon as the Frame Relay equivalent of a MAC address You perform the switching by configuring your router or access...

Page 430: ...0 0 1 2 0 101 Command Purpose Step 1 Router config frame relay switching Enables Permanent Virtual Circuits PVCs switching on a Frame Relay DCE device or a Network to Network Interface NNI Step 2 Router config interface type number Specifies an interface and enters interface configuration mode Step 3 Router config if encapsulation frame relay cisco ietf Enables Frame Relay encapsulation cisco Cisc...

Page 431: ... this keyword when connecting to another vendor s equipment across a Frame Relay network Step 4 Router config if frame relay intf type dce dte nni Optional Enables support for a particular type of connection dce data communications equipment dte data terminal equipment nni network to network interface Step 5 Router config if frame relay interface dlci dlci switched Optional Creates a switched PVC ...

Page 432: ...d Output Router show connection frame relay to frame relay ID Name Segment 1 Segment 2 State 1 fr2fr Se3 0 0 1 1 0 100 Se3 0 0 1 2 0 200 UP Example 20 27 shows the output of the show frame relay pvc command which shows a switched Frame Relay PVC Example 20 27 show frame relay pvc Command Output Router show frame relay pvc 16 PVC Statistics for interface POS5 0 Frame Relay NNI DLCI 16 DLCI USAGE SW...

Page 433: ...tions Policy Map Actions Frame Relay DLCI Interface bandwidth no queue limit no priority no shape no random detect no set ip prec dscp N A set qos group yes set discard class yes set atm clp N A set fr de no set cos no police yes set mpls exp topmost N A set mpls exp imposition N A Table 20 5 Frame Relay Output Disposition Router Policy Map Actions Policy Map Actions Frame Relay DLCI Interface ban...

Page 434: ... PPP over MPLS The following restrictions pertain to the PPP over MPLS feature Asynchronous interfaces Are not supported The connections between the CE and PE routers on both ends of the backbone must have similar link layer characteristics The connections between the CE and PE routers must both be synchronous Multilink PPP MLP Is not supported Interface configuration You must configure PPP on rou...

Page 435: ...l word for all supported transport types by default MPLS Label Stack The MPLS label stack size depends on the configuration of the core MPLS network AToM uses one MPLS label to identify the AToM VCs VC label Therefore the minimum MPLS label stack is 1 for directly connected AToM PE routers which are PE routers that do not have a P router between them If LDP is used in the MPLS network the label st...

Page 436: ...the size of packets The example uses the following assumptions The edge MTU is 1500 bytes The transport type is Ethernet VLAN which designates 18 bytes for the transport header The AToM header is 4 bytes because the control word is always used The MPLS label stack size is 2 because LDP is used The MPLS label size is 4 bytes Example 20 28 Estimating the MTU for Packets Core MTU Edge MTU Transport h...

Page 437: ...l transport types except Ethernet over MPLS in VLAN mode Router config cmap match any For Ethernet over MPLS in VLAN mode only Router config cmap match cos cos value Specifies that all packets are matched cos value is from 0 to 7 up to four CoS values can be specified in one match cos statement Step 3 Router config cmap policy map policy name Specifies the name of the traffic policy to configure a...

Page 438: ...packets tunneled onto a particular AToM VC to carry different MPLS experimental bit values The match cos command is only configurable on Ethernet VLAN subinterfaces Example 20 30 Setting EXP Bits Using the match cos Command class map match any match_cos_low match cos 0 1 2 3 class map match any match_cos_high match cos 4 5 6 7 policy map ether clp policy class match_cos_low set mpls experimental 1...

Page 439: ...N A N A N A N A set cos N A N A N A N A police yes yes yes yes set mpls exp topmost N A N A N A N A set mpls exp imposition yes yes yes yes Table 20 9 Output Disposition Router Policy Map Actions Policy Map Actions Interface ATM Ethernet Frame Relay HDLC and PPP bandwidth yes yes yes yes queue limit yes yes yes yes priority yes yes yes yes shape yes yes yes yes random detect yes discard class only...

Page 440: ... no IEEE 802 1P bits no yes no no Access list no no no no QoS group N A N A N A N A Discard class N A N A N A N A Input interface yes yes yes yes Protocol no no no no RTP no no no no atm clp no no no no MAC address no no no no Frame Relay DLCI no no no no VLAN ID no no no no Packet length no no no no DE bit Frame Relay no no no no Table 20 11 Output Disposition Router Class Map Match Criteria Match...

Page 441: ...ble 20 11 Output Disposition Router Class Map Match Criteria continued Match Criteria Interface ATM Ethernet Frame Relay HDLC and PPP Command Displays show mpls l2transport Information about AToM VCs that have been enabled to route Layer 2 packets on a router including platform independent AToM status and the AToM capabilities of a particular interface show pxf cpu atom PXF specific forwarding ATo...

Page 442: ... Serial8 0 0 1 1 0 no ip address encapsulation frame relay no fair queue frame relay lmi type q933a frame relay intf type dce interface Serial8 0 0 1 1 0 1 point to point ip address 192 1 1 1 255 255 255 0 frame relay interface dlci 17 interface Serial8 0 0 1 1 0 2 point to point ip address 192 1 2 1 255 255 255 0 frame relay interface dlci 18 PE1 Configuration for LDP and AToM VC Enabling LDP mpl...

Page 443: ... 0 0 1 1 0 17 l2transport xconnect 2 2 2 2 1 pw class pw_atom1 connect atom2 Serial8 0 0 1 1 0 18 l2transport xconnect 2 2 2 2 2 pw class pw_atom1 PE2 Configuration Enabling LDP mpls ldp graceful restart timers neighbor liveness 300 mpls ldp graceful restart timers max recovery 600 mpls ldp graceful restart mpls ldp router id Loopback0 force mpls label protocol ldp Define Loopback address for LDP ...

Page 444: ...g PE1 Configuration The PE1 router shows two AToM VCs are up router show mpls l2tran vc Local intf Local circuit Dest address VC ID Status Se8 0 0 1 1 0 FR DLCI 17 2 2 2 2 1 UP Se8 0 0 1 1 0 FR DLCI 18 2 2 2 2 2 UP router show mpls l2tran vc 1 det Local interface Se8 0 0 1 1 0 up line protocol up FR DLCI 17 up Destination address 2 2 2 2 VC ID 1 VC status up Output interface PO4 0 0 imposed label ...

Page 445: ...ed pseudowire is up again the circuit is switched back to the preferred pseudowire The preferred path subcommand also has a disable fallback option so that no random pseudowire is chosen if the preferred path goes down The circuit is down until the preferred path pseudowire comes back up However in the 12 2 33 SB release by default the preferred path sub command has the disable fallback option Th...

Page 446: ...ack0 no ip directed broadcast tunnel destination 10 16 16 16 tunnel mode mpls traffic eng tunnel mpls traffic eng priority 7 7 tunnel mpls traffic eng bandwidth 1500 tunnel mpls traffic eng path option 1 dynamic interface gigabitethernet0 0 0 no ip address no ip directed broadcast no negotiation auto interface gigabitethernet0 0 0 1 encapsulation dot1Q 222 no ip directed broadcast xconnect 10 16 1...

Page 447: ... no ip directed broadcast interface gigabitEthernet3 1 ip address 10 0 0 2 255 255 255 0 no ip directed broadcast mpls traffic eng tunnels mpls ip no cdp enable ip rsvp bandwidth 15000 15000 interface gigabitEthernet3 3 no ip address no ip directed broadcast no cdp enable interface gigabitEthernet3 3 1 encapsulation dot1Q 222 no ip directed broadcast no cdp enable mpls l2transport route 10 2 2 2 1...

Page 448: ...20 50 Cisco 10000 Series Router Software Configuration Guide OL 2226 23 Chapter 20 Configuring L2 Virtual Private Networks Any Transport over MPLS Tunnel Selection ...

Page 449: ...2 2 33 XNE the Cisco 10000 series router also supports routed interworking This chapter describes the following L2VPN interworking features Bridged Interworking Routed Interworking Bridged Interworking Bridged interworking is used when Layer 2 L2 packets are considered without regard for Layer 3 contents No routing participation by the Internet Service Provider ISP exists In Cisco IOS Release 12 2...

Page 450: ...2 Verifying the Configuration page 21 3 Configuration Examples of Ethernet to VLAN Bridged page 21 3 Configuring L2VPN Interworking To enable L2VPN Interworking you must add the interworking command to the list of commands that comprise the pseudowire The interworking command causes ACs to be terminated locally SUMMARY STEPS 1 enable 2 configure terminal 3 pseudowire class name 4 encapsulation m...

Page 451: ...red path not configured Default path active Tunnel label 17 next hop 10 1 1 3 Output interface Fa4 0 0 imposed label stack 17 20 Create time 01 43 50 last status change time 01 43 33 Signaling protocol LDP peer 10 9 9 9 0 up MPLS VC labels local 16 remote 20 Group ID local 0 remote 0 MTU local 1500 remote 1500 Remote interface description Sequencing receive disabled send disabled VC statistics pac...

Page 452: ...considerations are to be kept in mind Address resolution packets ARP inverse ARP and IPCP are punted to routing protocol Therefore NSP at the PE router must provide the following functionality for address resolution Ethernet PE device acts as a proxy ARP server to all ARP requests from the CE router The PE router responds with MAC address of its local interface PE config t interface atm 2 0 0 pvc ...

Page 453: ...cast link as a P2P link Restrictions for Routed Interworking Routed interworking has the following restrictions Maximum numbers of AC supported are 16K Fragmentation is not supported Multipoint FR and ATM interface ACs are not supported Both bridged and routed interworking do not support QinQ interworking QoS classification on IP tos dscp and other IP header fields is not supported Security ACL LI...

Page 454: ... IOS Release 12 2 33 SB the Ethernet VLAN to ATM AAL5 local switching has the following restrictions The following translations are only supported and other translations are dropped Ethernet without LAN FCS AAAA030080C200070000 Spanning tree AAAA030080C2000E ATM encapsulation type supported for bridged interworking is aal5snap However ATM encapsulation types supported for routed interworking are a...

Page 455: ...re not supported Individual AAL5 ATM cells are assembled into frames before being sent across the pseudowire Non AAL5 traffic such as OAM cells is punted to be processed at RP level A VC that has been configured with OAM cell emulation on the ATM PE router using the oam ac emulation enable CLI command can send end to end F5 loopback cells at configured intervals toward the CE router When the pseud...

Page 456: ... packet over AAL5 using Bridged encapsulation In ATM to Ethernet direction the ATM header and bridged encapsulation get discarded and the Layer 2 packet is sent out with Ethernet encapsulation Figure 21 3 shows the protocol stack for ATM to Ethernet local switching bridged interworking The ATM side has an encapsulation type as aal5snap 270309 ATM CE ATM PE Eth PE Eth CE ATM Ethernet VLAN MPLS Emul...

Page 457: ... encapsulating the L2 packet over AAL5 using Bridged encapsulation In the ATM to VLAN direction the ATM header and bridged encapsulation are discarded and the L2 packet is sent out with a VLAN header inserted following the destination source MAC addresses The protocol stack for ATM to VLAN local switching is shown in Figure 21 3 The ATM side has an encapsulation type of aal5snap ATM AAL5 to Ethern...

Page 458: ...ridged Interworking The ATM side has an encapsulation type of aal5snap Figure 21 5 Protocol Stack for ATM to Ethernet AToM Bridged Interworking Without VLAN Header ATM AAL5 to Ethernet VLAN 802 1Q AToM Bridged Interworking This interworking type provides interoperability between ATM attachment VC and Ethernet VLAN attachment VC connected to different PE routers Bridged encapsulation is used corres...

Page 459: ...he ATM PE router it is required when the ATM CE router does an inverse ARP It is not required when the ATM CE router is configured using P2P subinterfaces or static maps When packets arrive from the Ethernet CE router the Ethernet PE router removes the L2 frame tag and then forwards the IP packet to the egress PE router using IPoMPLS encapsulation over the pseudowire The Ethernet PE router makes t...

Page 460: ...figurations and their examples ATM AAL5 to Ethernet Port page 21 12 ATM AAL5 to Ethernet VLAN 802 1Q page 21 13 ATM AAL5 to Ethernet Port You can configure the ATM AAL5 to Ethernet Port feature on a PE router using the following steps 1 config t 2 interface atm slot subslot port 277385 ATM CE ATM PE Eth PE Eth CE ATM Ethernet MPLS Emulated VC of type TBD ATM Routed IPv4 PDU 802 1Q Encap MPoMPLS En...

Page 461: ...ion aal5snap interface gigabitethernet 5 1 0 connect atm enet gigabitethernet 5 1 0 atm 2 0 0 0 200 interworking ip ATM AAL5 to Ethernet VLAN 802 1Q You can configure the ATM AAL5 to Ethernet VLAN 802 1Q feature on a PE router using the following steps 1 config t 2 interface atm slot subslot port 3 pvc vpi vci l2transport 4 encapsulation aal5snap 5 interface fastethernet gigabitethernet slot subsl...

Page 462: ...e following steps 1 config t 2 mpls label protocol ldp 3 interface Loopback name 4 ip address local ip address local mask 5 pseudowire class name 6 encapsulation mpls 7 interworking ethernet ip 8 interface atm slot subslot port 9 pvc vpi vci l2transport 10 encapsulation aal5snap 11 xconnect remote ip address vc id pw class name You can configure the ATM AAL5 to Ethernet Port feature on a PE2 route...

Page 463: ...erworking ip interface atm 2 0 0 pvc 0 200 l2transport encapsulation aal5 xconnect 10 0 0 200 140 pw class atm eth The following example shows how to configure the ATM AAL5 to Ethernet Port feature on a PE2 router using routed interworking config t mpls label protocol ldp interface Loopback200 ip address 10 0 0 200 255 255 255 255 pseudowire class atm eth encapsulation mpls interworking ip interfa...

Page 464: ...following example shows how to configure the ATM AAL5 to Ethernet VLAN 802 1Q feature on a PE1 router using bridged interworking config t mpls label protocol ldp interface Loopback100 ip address 10 0 0 100 255 255 255 255 pseudowire class atm vlan encapsulation mpls interworking ethernet interface atm 2 0 0 pvc 0 200 l2transport encapsulation aal5snap xconnect 10 0 0 200 140 pw class atm vlan The ...

Page 465: ...on Tasks and Examples page 21 23 Prerequisites of Ethernet VLAN to Frame Relay Interworking Before you configure Ethernet VLAN to Frame Relay Interworking on a network you must enable Cisco Express Forwarding Restrictions for Ethernet VLAN to Frame Relay Interworking In Cisco IOS Release 12 2 33 SB the Ethernet VLAN to Frame Relay LS has the following restrictions The following translations are on...

Page 466: ...it is configured to send a Cisco encapsulation The PVC status signaling works the same way as in the like to like case The PE router reports the PVC status to the CE router based upon the availability of the pseudowire The attachment circuit maximum transmission unit MTU must match when connected over MPLS Only FR DLCI mode is supported FR port mode is not supported If the Ethernet frame includes ...

Page 467: ...Figure 21 12 Protocol Stack for FR to Ethernet Local Switching Bridged Interworking The PE router automatically supports translation of both Cisco and IETF FR encapsulation types traveling from the CE but translates only to IETF when sending to the CE router This is not a problem for the Cisco CE router because it can manage IETF encapsulation on receipt even if it is configured to send a Cisco en...

Page 468: ...onnected to different PE routers Bridged encapsulation is used corresponding to the Bridged Ethernet Interworking mechanism For an FR to Ethernet Port case the interworking function is performed at the PE connected to the FR attachment VC based on multiprotocol interconnect over Frame Relay Figure 21 13 The Interworking is implemented similar to an ATM to Ethernet case Figure 21 13 Network Topolog...

Page 469: ...nserts a VLAN header into the Ethernet frames traveling from the MPLS cloud The frames sent on the pseudowire with VC type 5 are Ethernet frames without the VLAN header The Figure 21 15 shows the protocol stack for FR to VLAN AToM Bridged Interworking Figure 21 15 Protocol Stack for FR to VLAN AToM Bridged Interworking 270322 FR CE FR Link FR PE Eth PE Eth Ethernet MPLS Emulated VC of Q 922 Addres...

Page 470: ...e IP packets are encapsulated over FR using routed encapsulation based on RFC 2427 The address resolution is also done at the Ethernet PE router by configuring static ARP on the Ethernet CE router or by implementing proxy ARP on the Ethernet PE router If a proxy ARP is used the IP address of the remote CE router can be learned dynamically or can be statically configured in the PE router Cisco IOS ...

Page 471: ...el 4 encapsulation frame relay 5 frame relay intf type dce 6 frame relay interface dlci DLCI switched 7 interface fastethernet gigabitethernet slot subslot port 8 no ip address 9 connect connection name fastethernet gigabitethernet slot subslot port serial slot subslot port channel channel interworking ethernet ip Note The order of the interfaces in the connect command is not important Note For co...

Page 472: ...he connect command is not important The following example shows how you can configure the FR DLCI to Ethernet VLAN 802 1Q feature on a router using bridged interworking config t frame relay switching interface serial 2 0 0 1 encapsulation frame relay frame relay intf type dce frame relay interface dlci 100 switched interface gigabitethernet 5 1 0 3 encapsulation dot1q 2 connect fr vlan gigabitethe...

Page 473: ...s not include the interworking ethernet command because it is treated as like to like and also because the attachment circuit is already an Ethernet port However when configuring routed interworking the PE2 configuration does include the interworking ip command The following example shows how to configure the FR DLCI to Ethernet port feature on a PE1 router using routed interworking config t mpls ...

Page 474: ...t subslot port channel channel DLCI l2transport 14 xconnect remote ip address vc id pw class name To configure the FR DLCI to Ethernet VLAN 802 1Q feature on a PE2 router use the following steps 1 config t 2 mpls label protocol ldp 3 interface Loopback name 4 ip address local ip address local mask 5 pseudowire class name 6 encapsulation mpls 7 interworking ethernet ip 8 interface fastethernet giga...

Page 475: ...21 30 ATM to Frame Relay Routed Interworking To perform routed interworking the ATM and FR PE router must be configured Routing protocols must also be configured to operate in the P2P mode ATM packets arriving from the ATM CE router are translated into IP encapsulation over the pseudowire When packets arrive from the FR CE router the FR PE router removes the L2 framing and forwards the IP packet t...

Page 476: ...ps 1 config t 2 interface atm slot subslot port 3 pvc vpi vci l2transport 4 encapsulation aal5snap 5 interface serial slot subslot port channel channel 6 encapsulation frame relay 7 frame relay interface dlci DLCI switched 8 connect connection name atm slot subslot port vpi vci serial slot subslot port channel channel interworking ip The following example shows how to configure the ATM AAL5 to FR ...

Page 477: ...seudowire class name 6 encapsulation mpls 7 interworking ip 8 interface atm slot subslot port 9 pvc vpi vci l2transport 10 encapsulation aal5snap 11 xconnect remote ip address vc id pw class name To configure the FR DLCI to ATM AAL5 feature on a PE2 router use the following steps 1 config t 2 mpls label protocol ldp 3 interface Loopback name 4 ip address local ip address local mask 5 pseudowire cl...

Page 478: ...serial 2 0 0 1 encapsulation frame relay frame relay intf type dce frame relay interface dlci 567 switched connect mpls serial 2 0 0 1 567 l2transport xconnect 10 0 0 100 150 pw class atm fr Verifying L2VPN Interworking To verify the L2VPN status local switching use the following commands show connection all name id elements port show pxf cpu atom circuits interface vcci To view the L2VPN statisti...

Page 479: ...LP Determines the Link a Bundle Joins page 22 6 IP Addresses on MLP Enabled Links page 22 7 Valid Ranges for MLP Interfaces page 22 8 MLP Overhead page 22 9 Configuration Commands for MLP page 22 9 MLP over Serial Interfaces page 22 13 Single VC MLP over ATM Virtual Circuits page 22 15 Multi VC MLP over ATM Virtual Circuits page 22 16 MLP Based Link Fragmentation and Interleaving page 22 27 Config...

Page 480: ...g mechanisms send the real time packets between fragments of the larger nonreal time packets For more information about link fragmentation and interleaving see the Fragmenting and Interleaving Real Time and Nonreal Time Packets chapter in the Cisco 10000 Series Router Quality of Service Configuration Guide MLP can provide increased redundancy by allowing traffic to flow over the remaining member l...

Page 481: ...s used to identify the member links of the MLP bundle Restrictions for MLP Bundles The router supports links equal to T1 E1 or less for MLPPP bundling You cannot bundle high speed links for example E3 because the router can store only 50 ms of data based on the E1 speed MLP Bundles and PPP Links MLP works with fully functional Point to Point Protocol PPP interfaces An MLP bundle can consist of a P...

Page 482: ...ot match any known bundle MLP creates a new bundle for the user System Limits for MLP Bundles Table 22 1 lists the system limits for MLP bundles Note The multilink interface ranges described in Table 22 1 require Cisco IOS Release 12 2 28 SB or later releases For releases earlier than Cisco IOS Release 12 2 28 SB the valid multilink interface range is 1 to 2 147 483 647 Types of MLP Bundle Interfa...

Page 483: ...oint in time Multilink group interfaces are dedicated to specific remote users and are primarily used in leased line environments in which you already know where all of your physical links are connected and the number of users is primarily defined by the number of physical connections your system has Multilink group interfaces allow you to track a specific user s activity By examining a user s ass...

Page 484: ...PP authentication mechanisms for example PAP or CHAP learn the PPP username The endpoint discriminator is an option negotiated by the Link Control Protocol LCP Therefore a bundle consists of all of the links that have the same PPP username and endpoint discriminator A link that does not provide a PPP username or endpoint discriminator is an anonymous link MLP collects all of the anonymous links in...

Page 485: ...e directly to that link interface and it might try to route packets directly to that link bypassing the MLP bundle This behavior occurs because IP considers an interface to be up for IP traffic whenever IP is configured on the interface and the interface is up MLP intercepts and discards these misdirected frames This condition occurs frequently if you use a virtual template interface to configure ...

Page 486: ... to point pvc 0 32 ppp multilink group 1 vbr nrt 128 64 20 encapsulation aal5mux ppp Virtual Template1 interface atm 2 0 0 2 point to point pvc 0 33 ppp multilink group 1 vbr nrt 128 64 20 encapsulation aal5mux ppp Virtual Template1 interface Virtual Template1 no ip address keepalive 30 ppp max configure 110 ppp max failure 100 ppp multilink ppp timeout retry 5 ip local pool mlpoa_pool 100 1 1 1 1...

Page 487: ...e 22 10 ppp multilink fragment delay Command page 22 10 ppp multilink interleave Command page 22 11 ppp multilink fragment disable Command page 22 12 ppp multilink group Command page 22 12 For more information about MLP based link fragmentation and interleaving see the Cisco 10000 Series Router Quality of Service Configuration Guide interface multilink Command To create and configure a multilink b...

Page 488: ...mand is disabled Usage Guidelines The ppp multilink command applies only to interfaces that use Point to Point Protocol PPP encapsulation When you use the ppp multilink command the first channel negotiates the appropriate Network Control Protocol NCP layers such as the IP Control Protocol and IPX Control Protocol but subsequent links negotiate only the Link Control Protocol LCP and MLP ppp multili...

Page 489: ...lue or 30 milliseconds if the fragment delay has not been configured The ppp multilink fragment delay command is configured under the multilink interface The value assigned to the delay max argument is scaled by the speed at which a link can convert the time value into a byte value ppp multilink interleave Command To enable interleaving of real time packets among the fragments of larger nonreal ti...

Page 490: ...ultilink interface and the following message displays Warning ppp multilink fragment disable or ppp multilink fragment maximum will be ignored since multilink interleaving or fragment delay has been configured and have higher precedence To completely disable fragmentation you must do the following Router config if no ppp multilink fragment delay Router config if no ppp multilink interleave Router ...

Page 491: ... reduces transmission latency across WAN links Increased redundancy MLP allows traffic to flow over the remaining member links when a port fails By configuring an MLP bundle that consists of T1 lines from more than one line card if one line card stops operating the part of the bundle on the other line cards continues to operate Link fragmentation and interleaving The MLP fragmenting mechanism frag...

Page 492: ...if all of the links are the same type such as T1 or E1 The router supports a maximum of 1250 bundles per system and a maximum of 2500 member links per system The valid multilink interface ranges are from 1 to 9999 Release 12 2 28 SB and later and from 1 to 9999 and 65 536 to 2 147 483 647 Release 12 2 31 SB2 and later For example Router config interface multilink 8 Interleaving is supported on all...

Page 493: ...ntact and MLP sends the packets to a special transmit queue allowing the packets to be sent earlier than other packet flows The MLP interleaving mechanism sends the real time packets between the fragments of the nonreal time packets For more information about link fragmentation and interleaving see the Fragmenting and Interleaving Real Time and Nonreal Time Packets chapter in the Cisco 10000 Serie...

Page 494: ...ty of Service Configuration Guide Multi VC MLP over ATM Virtual Circuits The Multi VC MLP over ATM virtual circuits VCs feature enhances the MLP over Serial interfaces feature by enabling you to configure multilink Point to Point Protocol MLP on multiple ATM VCs By doing so you can aggregate multiple data paths for example PPP over ATM encapsulated ATM VCs into a single logical connection called a...

Page 495: ... keepalive 30 For example Router config if ppp max configure 110 Router config if ppp max failure 100 Router config if ppp timeout retry 5 Router config if keepalive 30 For more information see the Scalability and Performance chapter in this guide Restrictions and Limitations for Multi VC MLP over ATM VCs A maximum of 10 member links is supported per bundle MLP over ATM member links are restricted...

Page 496: ...upport MLP and link fragmentation and interleaving LFI to allow high priority low latency packets to be interleaved between fragments of lower priority higher latency packets Voice over IP VoIP is an example of a low latency service In the Cisco 12 2 33 SB release the MLP on LNS feature is introduced for asymmetric digital subscriber line ADSL deployments where the upstream bandwidth BW is low The...

Page 497: ...e Cisco IOS 12 2 33 SB release multilink interface based configuration was used to distinguish between single and multi member bundles However for the virtual access based bundle interface you can no longer use the interface number range to distinguish between single and multi member bundles because the bundles are generated dynamically in the Cisco IOS 12 2 33 SB release To distinguish single and...

Page 498: ...e their fragments packets buffered while waiting for the slower link Because the reassembly table stores descriptors each entry represents one fragment or a whole packet if fragmentation is not in effect The amount of time each fragment takes to get transmitted is equal to the configured fragment delay which is independent of link bandwidth If fragmentation is not in effect the transmit time depen...

Page 499: ...lability and Performance chapter in this guide PXF Memory and Performance Impact for MLP on LNS PXF performance is measured as follows Packet buffer usage The number of packet buffers available on the PRE3 is 832K small buffers for packet sizes of 768 bytes or less and 120K large buffers for packet sizes greater than 768 bytes With full scaling of 12280 bundles 2040 multilink and 10240 single link...

Page 500: ...processing demand exceeds the available contexts nonpriority packets are dropped Scenario 1 A bidirectional rate of 64kbps per link Table 22 5 shows the speed performance of a 64kbps link 2040 multilink bundles 2 5 and 10 links per multilink bundle 10240 single link bundles 200 byte packet size in both directions 100 byte fragment size fragmentation for ingress only Note A fragmentation delay of 2...

Page 501: ... supported for MLP bundled L2TP members or on the underlying tunnel interface All member L2TP sessions within the same bundle belong to the same physical interface and the same L2TP tunnel QoS on multiple member MLP bundles is not supported If any MLPoLNS bundles are negotiated on the Gigabit Ethernet or ATM VC interface applying a service policy on the Gigabit Ethernet or ATM VC tunnel interface ...

Page 502: ...erface Configuring MLP on LNS You can refer to the following sections for configuring MLP on LNS Required Configuration Tasks for LNS page 5 29 Optional Configuration Tasks for LNS page 5 30 For a configuration example of the MLP on LNS feature see the Configuration Example for MLP on LNS page 22 39 MLPoE LAC Switching In the Cisco IOS 12 2 33 SB release MLP bundling on LNS was supported In the Ci...

Page 503: ... packets However from Cisco IOS Release 12 2 33 XNE onwards to reduce any delay in sending high priority packets the router processes high priority packets as soon as they arrive Point to Point Protocol over Ethernet PPPoE sessions in the MLPoE at PTA feature are handled as follows All variations of PPPoE such as PPPoEoE PPPoEoA PPPoEo802 1Q and PPPoEoQinQ are usable as member links for MLPoE bund...

Page 504: ...MLPoE at PTA page 22 27 Configuration Examples of MLPoE at PTA page 22 41 Prerequisites of MLPoE at PTA The Cisco 10000 series router must be the PTA router Restrictions of MLPoE at PTA In Cisco IOS Release 12 2 33 XNE the MLPoE at PTA feature has the following restrictions Interaction with L2TP is not supported Only single member MLP bundles are supported The ppp multilink links maximum 1 command...

Page 505: ...equirements of real time traffic Smaller real time packets are not multilink encapsulated Instead the MLP interleaving mechanism provides a special transmit queue priority queue for these delay sensitive packets to allow the packets to be sent earlier than other packet flows Real time packets remain intact and MLP interleaving mechanisms send the real time packets between fragments of the larger n...

Page 506: ...from an MLP Bundle page 22 36 Changing the Default Endpoint Discriminator page 22 37 Creating an MLP Bundle Interface To create an MLP bundle interface enter the following commands beginning in global configuration mode Table 22 8 Requirements for Configuring MLP Type MLP Bundle Member Links Virtual Template Service Policy MLP over Serial Required Required Not required Not required Single VC MLP o...

Page 507: ...nd later Note For releases earlier than Cisco IOS Release 12 2 28 SB valid values are from 1 to 2 147 483 647 Step 2 Router config if ip address address mask Specifies the IP address and subnet mask assigned to the interface address is the IP address mask is the subnet mask for the associated IP address Step 3 Router config if ppp chap hostname hostname Optional Identifies the hostname sent in the...

Page 508: ...requires Cisco IOS Release 12 2 28 SB and later releases Step 2 Router config if ppp max configure retries Specifies the maximum number of configure requests to attempt before stopping the requests due to no response retries specifies the maximum number of retries Valid values are from 1 to 255 The default is 10 retries We recommend 110 retries Step 3 Router config if ppp max failure retries Confi...

Page 509: ...dle that information becomes active again To add serial member links to an MLP bundle enter the following commands beginning in global configuration mode Command Purpose Step 1 Router config interface serial slot module port channel controller number Specifies the interface that you want to add to the MLP bundle Enters interface configuration mode slot module port identifies the line card The slas...

Page 510: ...recommend 5 seconds Step 6 Router config if keepalive period Enables keepalive packets to be sent at the specified time interval to keep the interface active period specifies a time interval in seconds The default is 10 seconds We recommend 30 seconds Step 7 Router config if ppp chap hostname hostname Optional Identifies the hostname sent in the Challenge Handshake Authentication Protocol CHAP cha...

Page 511: ...o point subinterface Enters subinterface configuration mode Step 4 Router config subif ppp chap hostname hostname Optional Identifies the hostname sent in the Challenge Handshake Authentication Protocol CHAP challenge hostname is the name of the bundle group This name uniquely identifies the bundle Note If you configure this command on the bundle and its member links specify the same identifier fo...

Page 512: ...ti VC MLP over ATM to identify the virtual template This protocol is supported on ATM PVCs only aal5ciscoppp specifies the AAL and encapsulation type for Cisco PPP over ATM Supported on ATM PVCs only aal5snap specifies the AAL and encapsulation type that supports Inverse ARP Logical Link Control Subnetwork Access Protocol LLC SNAP precedes the protocol datagram virtual template number is the numbe...

Page 513: ...4 Router config if atm vc vbr nrt 512 256 20 Router config if atm vc encapsulation aal5snap Router config if atm vc protocol ppp Virtual Template 1 Router config if atm vc ppp multilink group 1 Router config interface atm 6 0 0 2 point to point Router config if no ip address Router config if pvc 0 35 Router config if atm vc vbr nrt 512 256 20 Router config if atm vc encapsulation aal5snap Router c...

Page 514: ...e bundle and its member links specify the same identifier for both the bundle and the member links Step 3 Router config if ppp multilink group group number Moves this interface to the MLP bundle you specify group number identifies the multilink group Change this group number to the new MLP group group number Valid values are MLP over Serial 1 to 9999 Release 12 2 28 SB and later or from 1 to 9999 ...

Page 515: ...nfig if ppp multilink endpoint hostname cambridge Step 3 Router config if no ppp multilink Disables multilink for the link Step 4 Router config if no ppp chap hostname Removes PPP authentication Command Purpose Command Purpose Router config if ppp multilink endpoint hostname ip ip address mac lan interface none phone telephone number string char string Overrides or changes the default endpoint dis...

Page 516: ...erfaces In the example 1 0 0 1 0 and 1 0 0 2 0 subinterfaces are added to the Multilink1 bundle Example 22 5 Configuring MLP on Serial Interfaces interface Multilink1 ip address 100 1 1 1 255 255 255 0 no keepalive ppp multilink ppp multilink group 1 interface serial 1 0 0 1 0 no ip address encapsulation ppp ppp chap hostname m1 ppp multilink ppp multilink group 1 interface serial 1 0 0 2 0 no ip ...

Page 517: ...med Virtual Template1 is applied to PVC 0 36 and PVC 0 37 Example 22 7 Configuring Multi VC MLP over ATM VCs interface Multilink2 ip address 100 1 2 1 255 255 255 0 ppp multilink ppp multilink group 2 interface ATM5 0 0 no ip address no atm ilmi keepalive interface ATM5 0 0 3 point to point pvc 0 36 ppp chap hostname m2 ppp multilink group 2 vbr nrt 128 64 20 encapsulation aal5mux ppp Virtual Temp...

Page 518: ...stname LAC1 1 local name LNS1 1 lcp renegotiation always l2tp tunnel receive window 100 L2tp tunnel password 0 cisco l2tp tunnel nosession timeout 30 l2tp tunnel retransmit retries 7 l2tp tunnel retransmit timeout min 2 l2tp tunnel retransmit timeout max 8 interface GigabitEthernet2 0 0 ip address 210 1 1 3 255 255 255 0 negotiation auto hold queue 4096 in interface Virtual Template500 ip unnumber...

Page 519: ...iate to ip 192 168 125 54 local name LACoe_LFI l2tp tunnel password 0 lab username LNSoe_LFI nopassword bba group pppoe global virtual template 800 vendor tag dsl sync rate service interface GigabitEthernet4 0 0 no ip address negotiation auto interface GigabitEthernet4 0 0 1 encapsulation dot1Q 800 pppoe enable group global interface GigabitEthernet4 1 0 ip address 192 168 125 53 255 255 255 0 neg...

Page 520: ...ress 1 0 0 1 255 255 0 0 negotiation auto interface GigabitEthernet1 0 0 1 encapsulation dot1Q 2 pppoe enable group PPPoE no snmp trap link status interface Virtual Template3 ip unnumbered Loopback3 peer default ip address pool MLPoEpool ppp authentication pap ppp multilink ppp multilink links max 1 ppp multilink interleave ppp multilink fragment delay 8 service policy output policy_mlpoe_out serv...

Page 521: ...terfaces configured on the router Router show interfaces virtual access number configuration Displays status traffic data and configuration information about the virtual access interface you specify Note This command currently displays statistics for system traffic only Statistics for bundle traffic do not display For information about bundle traffic see the show interfaces or show ppp multilink c...

Page 522: ...his information includes headers and trailers for High Level Data Link Control HDLC and PPP over ATM The link level encapsulation bytes also include multilink subheaders for example sequence numbers if they are used Note Multilink subheaders are not part of the packet encapsulation because it exists at the bundle level Multilink subheaders are part of the encapsulation that is added to fragments b...

Page 523: ...icitly in receive class 0 and transmit class 0 Example 22 13 Sample Output for the show ppp multilink Command Router show ppp multilink Multilink3 bundle name is multilink_name 3 Endpoint discriminator is multilink_name 3 Bundle up for 3d21h total bandwidth 128 load 1 255 Receive buffer limit 24384 bytes frag timeout 1000 ms Bundle is Distributed 0 0 fragments bytes in reassembly list 1 lost fragm...

Page 524: ...d the remainder is consumed in framing overhead Previously the weight also controlled the size of the fragments generated for that link However Cisco IOS software now computes a separate fragment size value Frag size The size of the largest fragment that can be generated for that link It is the size of the MLP payload carried by a fragment and does not include MLP headers or link level framing Uns...

Page 525: ...d Interleaving Cisco 10000 Series Router Quality of Service Configuration Guide Fragmenting and Interleaving Real Time and Nonreal Time Packets Link Fragmentation and Interleaving for Frame Relay and ATM Virtual Circuits Release 12 1 5 T feature module Cisco IOS Quality of Service Solutions Configuration Guide Link Efficiency Mechanisms Link Efficiency Mechanisms Overview Link Fragmentation and In...

Page 527: ...s and line cards Access facing or subscriber facing deployment connects the Cisco 10000 Series router to the subscriber edge This setup typically has only one active member link on a GEC bundle interface The remaining links in the GEC bundle serve as passive links Traffic is sent only through the active member link while the passive link is used as a backup when the active member link fails This a...

Page 528: ... line cards QoS policies supported only on GEC member links PRE2 and PRE3 12 2 33 SB This feature is supported on native line cards1 and the SPA Interface Processor SIP and Shared Port Adapters SPA 2 on the Cisco 10000 Series router 1 1 Port GE Half height and 1 Port GE Full height 2 2 Port GE Half height and 5 Port GE Half height PRE3 and PRE4 12 2 33 SB The following Gigabit EtherChannel enhance...

Page 529: ...bit Ethernet ports with either a full height GE line card or half height GE line card is not supported A maximum of 4 Gigabit Ethernet SPAs form a GEC bundle Each SPA interface must have the same bay number and port number assuming the representation is GigabitEthernetSlotNumber BayNumber Port Number For example in the case of SPAs Gi1 2 1 can be bundled with Gi5 2 1 but Gi1 2 1 cannot be bundled ...

Page 530: ...be applied only on member links Service policies with or without queuing actions can be applied only on the GEC bundle interface Input QoS for GEC subinterface Input QoS applied on GEC bundle interface and on member main interfaces If the service policy is applied on a GEC bundle subinterface the aggregate ingress traffic on the GEC bundle subinterface is subject to this service policy GEC member ...

Page 531: ... at member link is used only when dot1Q subinterfaces are defined on the GEC bundles and not when QinQ subinterfaces are defined on the GEC bundle Input Quality of Service QoS on member links is not supported for QinQ subinterfaces The classification criteria of match input interface port channel is not supported Instead packets are classified by matching them with member links Configuration Examp...

Page 532: ...lan_2_4 Shape 150 mbps Step 5 Apply this policy on the GEC member links Interface Gig3 0 0 Service policy input mega_ingress Service policy output mega_egress Interface Gig4 0 0 Service policy input mega_ingress Service policy output mega_egress Configuration Example for Applying QoS on GEC Bundle Subinterfaces Example 23 1 shows how QoS is applied on GEC bundle subinterfaces Example 23 1 Applying...

Page 533: ...the set interface command is restricted in the set clause for PBR on GEC bundle interfaces Only the IP address for the next hop can be specified Configuring IEEE 802 1Q and QinQ Support on GEC Bundle Support for both dot1Q and QinQ subinterfaces is available for GEC bundle interfaces Configuring subinterface on a GEC bundle interface is similar to a normal Gigabit Ethernet interface configuration ...

Page 534: ...tion 802 1Q Virtual LAN Vlan ID 20 ARP type ARPA ARP Timeout 04 00 00 Last clearing of show interface counters never Example 23 3 show running config Command for the GEC Bundle Subinterface router show running config interface port channel 1 1 Building configuration Current configuration 134 bytes interface Port channel1 1 encapsulation dot1Q 20 second dot1q 200 ip address 3 0 0 1 255 255 255 0 en...

Page 535: ...w cisco com en US docs ios 12_2sb feature guide sbb_mvpn html wp1040907 Configuration Tasks and Examples For configuration information and examples see the How to Configure Multicast VPN IP Multicast Support for MPLS VPNs section in the How to Configure Multicast VPN IP Multicast Support for MPLS VPNs at http www cisco com en US docs ios 12_2sb feature guide sbb_mvpn html wp1041284 Configuring PPP...

Page 536: ...a_group_1 interface Port channel32 2 encapsulation dot1Q 20 pppoe enable group bba_group_1 Command Purpose Step 1 router config interface port channel number Creates a GEC bundle Step 2 router config lacp max bundle 1 8 Sets the maximum number of active links per GEC bundle For PPPoE sessions maximum number of active links is one Step 3 router config lacp fast switchover Retains PPPoX sessions inc...

Page 537: ...pgrade Process feature guide at http www cisco com en US docs ios 12_2sb feature guide sb_issu html Configuring 8 Member Links per GEC Bundle A maximum of 8 configured member links per GEC bundle and 64 port channels are supported on the Cisco 10000 Series router The number of member links per GEC bundle has been increased from 4 to 8 in the Cisco IOS Release 12 2 15 BX Configuration Tasks The fol...

Page 538: ...e are considered to be part of the same flow that is mapped to one bucket Each bucket is associated with both primary and secondary member links The bucket points to the active interface in the pair either primary or secondary Multiple VLAN flows can be mapped to the same bucket if their primary and secondary member links mapping is the same Restrictions for VLAN Based Load Balancing Only static m...

Page 539: ...ondary member links the HQF related resources such as class queues and the logical BLTs usage would double and therefore reduce the scalability of the QoS If the member link corresponding to the VLAN is not over subscribed there is no impact on the traffic of other VLANs when new VLANs are added on the functional port channel With the VLAN group QoS feature the class queues are created on all the m...

Page 540: ...ual load balancing method globally to all GEC interfaces Configuration Example This section provides the following configuration examples Configuration Example of VLAN Based Load Balancing page 23 14 Configuration Example for Applying VLAN QoS on GEC Bundle Subinterfaces page 23 15 Configuration Example for Using the VLAN Group Feature to Apply QoS page 23 16 Note When service policy is applied to...

Page 541: ... 0 no sh Configuration Example for Applying VLAN QoS on GEC Bundle Subinterfaces Example 23 6 shows how VLAN QoS is applied on GEC bundle subinterfaces Example 23 6 Applying VLAN QoS on GEC Bundle Subinterfaces Class map match any dscp_20_30 Match dscp 20 30 Class map match any dscp_40 Match dscp 40 Policy map police_dscp Class dscp_20_30 Police 50 3000 3000 conform action transmit exceed action d...

Page 542: ...channel 1 load balancing vlan no sh Step 2 Create VLAN subinterfaces as follows interface port channel 1 1 encapsulation dot1q 2 primary gig2 0 0 secondary gig3 0 0 ip add 3 0 0 1 255 255 255 0 no sh interface port channel 1 2 encapsulation dot1q 3 primary gig2 0 0 secondary gig3 0 0 ip add 3 1 0 1 255 255 255 0 no sh interface port channel 1 3 encapsulation dot1q 4 primary gig2 0 0 secondary gig3...

Page 543: ...on Guide OL 2226 23 Chapter 23 Configuring Gigabit EtherChannel Features Configuring VLAN Based Load Balancing Step 5 Apply the policy on the port channel bundle Interface port channel 1 Service policy input mega_ingress Service policy output mega_egress ...

Page 545: ...ation Library located at the following URL http www cisco com en US products sw iosswrel ps1839 products_feature_guide09186a00805766e4 html This chapter contains the following information for the IPv6 feature Feature History for IPv6 page 24 1 Supported Features page 24 1 Limitations for IPv6 page 24 3 IPv6 Extended ACLs page 24 4 Feature History for IPv6 Supported Features The Cisco 10000 series routers s...

Page 546: ...al IPv4 over IPv4 tunnels Maximum of 1000 IPIP or GRE tunnels HA ISSU coexistence IPv6 support is RPR IPv6 Unicast Forwarding The Cisco 10000 series router maintains the following global unless otherwise specified IPv6 specific packet counters forwarded number of IPv6 packets forwarded no adjacency number of IPv6 packets punted due to adj_index 0 Statistics per VCCI will be collected for this spec...

Page 547: ...yword to specify this protocol as a matching criterion The match ip dscp and match ip precedence commands apply only to IPv4 traffic The match dscp and match precedence commands apply to both IPv4 and IPv6 traffic For marking packets the set ip dscp and set ip precedence commands have been changed to set dscp and set precedence They now apply to both IPv4 and IPv6 traffic ICMP handling and generat...

Page 548: ...n IPv4 Prerequisites In Cisco IOS Release 12 2 13 T and 12 0 23 S or later releases for backward compatibility the ipv6 access list command with the deny and permit keywords in global configuration mode is still supported however an IPv6 ACL defined with deny and permit conditions in global configuration mode is translated to IPv6 access list configuration mode See the Create and Apply IPv6 ACL Ex...

Page 549: ...tion type doh number doh type dscp value flow label value fragments log log input mobility mobility type mh number mh type reflect name timeout value routing routing type routing number sequence value time range name or deny protocol source ipv6 prefix prefix length any host source ipv6 address operator port number destination ipv6 prefix prefix length any host destination ipv6 address operator po...

Page 550: ...doh type dscp value flow label value fragments log log input mobility mobility type mh number mh type routing routing type routing number sequence value time range name undetermined transport Example Router config ipv6 acl permit tcp 2001 0DB8 0300 0201 32 eq telnet any reflect reflectout Example Router config ipv6 acl deny tcp host 2001 0db8 1 1 any log input Specifies permit or deny conditions f...

Page 551: ...t 300 time left 296 sequence 2 IPv6 access list outbound evaluate udptraffic evaluate tcptraffic Note For a description of each output display field see the show ipv6 access list command in the IPv6 for Cisco IOS Command Reference document Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Rou...

Page 552: ...ing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list the INBOUND list uses the REFLECTOUT list to match evaluate the returning incoming TCP and UDP packets ipv6 access list OUTBOUND permit tcp 2001 0DB8 0300 0201 32 any reflect REFLECTOUT permit udp 2001 0DB8 0300 0201 32 any reflect REFLECTOUT deny fec0 0 0 0201 64 any ipv6 access list INBOUND evaluate REFLECTOUT inte...

Page 553: ... resources By using the Template ACL feature service providers can provision unique ACLs for up to 60 000 subscribers using RADIUS Attribute 242 Configuration of ACLs remains the same as in previous Cisco IOS versions For example the following example shows two ACLs that can be sent using Attribute 242 for two separate users ip access list extended Virtual Access1 1 1 permit igmp any host 1 1 1 1 ...

Page 554: ...ows Virtual Access1 1 1 1 1 1 1 Virtual Access1 1 2 13 1 1 2 The PXF engine knows which user a packet is coming from or going to so it can get the user IP for comparison from the IP address table Template ACLs are activated only for per user ACLs configured through RADIUS Attribute 242 Any other ACL type is not subject to Template ACL processing The Template ACL feature is enabled by default and a...

Page 555: ...00 Example 25 1 shows the configuration of Template ACL processing for individual user ACLs with 50 or fewer rules Example 25 1 Configuring a Template ACL Router config access list template 50 Router config Configuring ACLs Using RADIUS Attribute 242 Template ACL processing occurs only for ACLs that are configured using RADIUS Attribute 242 Attribute 242 has the following format for an IP data fil...

Page 556: ...l dstport cmp value Enables destination port filtering This keyword is valid only when proto is set to tcp 6 or udp 17 If you do not specify a destination port the filter matches any port cmp defines how to compare the specified value to the actual destination port This value can be or value can be a name or a number Possible names and numbers are ftp data 20 ftp 21 telnet 23 nameserver 42 domain ...

Page 557: ...guring RADIUS Features access list template Command To enable Template ACL processing use the access list template command in global configuration mode To disable Template ACL processing use the no form of the command The Template ACL feature is enabled by default The default number of rules for Template ACL status is 100 which is larger than most ACLs configured using Attribute 242 Command Purpos...

Page 558: ... higher can increase CPU utilization because the comparison task takes some CPU Note Changes in CPU utilization occur only during session initiation Steady state CPU utilization is unaffected by these changes in ACL processing Examples The following example specifies that ACLs with more than 50 rules will be considered for Template ACL status Router access list template 50 show access list templat...

Page 559: ...Output from this command includes Maximum number of rules per Template ACL Number of discovered active templates Number of ACLs replaced by those templates Command Purpose Router show access list template summary aclname exceed number tree Displays information about ACLs summary displays summary information aclname displays information about the specified ACL exceed number identifies Template ACLs...

Page 560: ...e ACL serving as the primary user of the named Template ACL Number of ACLs matching the template of the named Template ACL Current cyclic redundancy check 32 bit CRC32 value show access list template exceed number The following example shows output from the show access list template exceed number command Router show access list template exceed 49 ACL name OrigCRC Count CalcCRC 4Temp_ 120795960097 ...

Page 561: ...iguration Examples for Template ACLs Table 3 describes the significant fields shown in the display Table 3 show access list template tree Field Descriptions Field Description ACL name Name of an ACL on the Red Black tree OrigCRC Original CRC32 value Count Number of users of the ACL CalcCRC Calculated CRC32 value ...

Page 562: ...25 10 Cisco 10000 Series Router Software Configuration Guide OL 2226 23 Chapter 25 Configuring Template ACLs Configuration Examples for Template ACLs ...

Page 563: ...face increasing DoS attacks associated with IP options set in the IP header Cisco IOS routers are susceptible to DoS attacks because of the way in which the routers process IP options The hardware based forwarding engine of Cisco IOS routers cannot handle IP options therefore the forwarding engine forwards the IP options packets to the route processor RP Similarly most of the line cards forward IP...

Page 564: ... Options Selective Drop and protect the RP during a DoS attack perform the following configuration tasks Dropping Packets with IP Options page 26 2 Verifying IP Options Packets page 26 3 Dropping Packets with IP Options Use the following procedure to configure the forwarding engine to drop packets with IP options before sending them to the RP SUMMARY STEPS 1 enable 2 configure terminal 3 ip option...

Page 565: ...ets Example The following sample configuration shows how to configure the router and downstream routers to drop all the packets with IP options that enter the network Router config ip options drop Warning RSVP and other protocols that use IP Options packets may not function in drop or ignore modes end Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter ...

Page 566: ... loose source route 0 timestamp 0 extended security 0 record route 0 stream ID 0 strict source route 0 alert 0 cipso 0 ump 0 other Frags 0 reassembled 0 timeouts 0 couldn t reassemble 0 fragmented 0 couldn t fragment Bcast 12 received 3 sent Mcast 0 received 0 sent Sent 3 generated 0 forwarded Drop 0 encapsulation failed 0 unresolved 0 no adjacency 0 no route 0 unicast RPF 0 forced drop 0 unsuppor...

Page 567: ...o implement this feature Tunnel VRF page 27 1 VRF Aware VPDN Tunnels page 27 2 For more information see the GRE Tunnel IP Source and Destination VRF Membership Release 12 2 31 SB5 feature guide located at the following URL http www cisco com en US products ps6566 products_feature_guides_list html Tunnel VRF The Tunnel VRF feature allows you to terminate GRE tunnels in a virtual private network VPN...

Page 568: ...he specified VRF Before you enter the vpn command you must first create the VRF instance using the ip vrf command Different VRF aware VPDN tunnels can have overlapping IP addresses across VRF instances The ip vrf forwarding command configured in tunnel interface mode enables VRF forwarding on an interface The VRF associated with the tunnel in the ip vrf forwarding command configuration is the VRF ...

Page 569: ...0000 series router perform the following configuration tasks Configuring Tunnel VRF page 27 3 Configuring VRF Aware VPDN Tunnels page 27 4 Configuring Tunnel VRF The tunnel vrf command enables the Tunnel VRF feature by identifying the VRF in which the tunnel destination terminates When configuring this feature enter the tunnel destination command followed by the tunnel vrf command as shown in the ...

Page 570: ... 11 exit Note For Cisco IOS Release 12 2 31 SB5 and later releases when configuring VRF aware VPDN tunnels on the Cisco 10000 series router different tunnels can have overlapping IP addresses across VRF instances For more detailed information see the VRF Aware VPDN Tunnels feature module located at the following URL http www cisco com en US products ps6566 products_feature_guides_list html Configu...

Page 571: ...ciates the IP address 172 16 1 9 with the VRF named vrf second which is applied to the VPDN group named group1 vpdn group group1 request dialin protocol l2tp vpn vrf vrf second source ip 172 16 1 9 initiate to ip 172 16 1 1 The following example also enables VRF aware VPDN tunnels and associates the VRF named vpn1 with the IP address 192 64 1 4 vpdn group Test accept dialin protocol l2tp virtual t...

Page 572: ...27 6 Cisco 10000 Series Router Software Configuration Guide OL 2226 23 Chapter 27 IP Tunneling Configuration Examples ...

Page 573: ... For more information see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide Release 12 2 RADIUS IETF Attributes Table A 1 RADIUS IETF Attributes Number IETF Attribute Status 1 User Name Supported and tested 2 User Password Supported and tested 3 CHAP Password Supported and tested 4 NAS IP Address Supported and tested 5 NAS Port Supported and tested 6 Service Type Support...

Page 574: ...n DSL environment 30 Called Station ID Typically not used in DSL environment 31 Calling Station ID Supported and tested 32 NAS Identifier Supported and tested 33 Proxy Stat Not Applicable 34 Login LAT Service Not Applicable 35 Login LAT Node Not Applicable 36 Login LAT Group Not Applicable 37 Framed AppleTalk Link Not Applicable 38 Framed AppleTalk Network Not Applicable 39 Framed AppleTalk Zone N...

Page 575: ... Endpoint Supported and tested in accounting 67 Tunnel Server Endpoint Supported and tested in accounting 68 Acct Tunnel Connection Supported and tested in Cisco IOS Release 12 2 15 BX 69 Tunnel Password Supported and tested in Cisco IOS Release 12 2 15 BX 70 ARAP Password Not Supported 71 ARAP Features Not Supported 72 ARAP Zone Access Not Supported 73 ARAP Security Not Supported 74 ARAP Security...

Page 576: ... Password Expiration Typically not used in DSL environment 68 Tunnel ID Supported and tested in accounting 108 My Endpoint Disc Alias Not Applicable 109 My Name Alias Not Applicable 110 Remote FW Not Applicable 111 Multicast GLeave Delay Not Applicable 112 CBCP Enable Not Applicable 113 CBCP Mode Not Applicable 114 CBCP Delay Not Applicable 115 CBCP Trunk Group Not Applicable 116 Appletalk Route N...

Page 577: ...se Not Applicable 143 User Acct Time Not Applicable 144 Assign IP Client Not Applicable 145 Assign IP Server Not Applicable 146 Assign IP Global Pool Not Applicable 147 DHCP Reply Not Applicable 148 DHCP Pool Number Not Applicable 149 Expect Callback Not Applicable 150 Event Type Not Applicable 151 Session Svr Key Supported and tested Enables the router to match a user session with a client reques...

Page 578: ... FR Profile Name Not Applicable 181 Ara PW Not Applicable 182 IPX Node Addr Not Applicable 183 Home Agent IP Addr Not Applicable 184 Home Agent Password Not Applicable 185 Home Network Name Not Applicable 186 Home Agent UDP Port Not Applicable 187 Multilink ID Multilink is not supported 188 Num In Multilink Multilink is not supported 189 First Dest Not Applicable 190 Pre Input Octets Not Supported...

Page 579: ...ceive Secret Not Supported 216 IPX Peer Mode Not Applicable 217 IP Pool Definition Supported in Cisco IOS but not tested on the Cisco 10000 series router 218 Assign IP Pool Supported in Cisco IOS but not tested on the Cisco 10000 series router 219 FR Direct Not Applicable 220 FR Direct Profile Not Applicable 221 FR Direct DLCI Not Applicable 222 Handle IPX Not Applicable 223 Netware Timeout Not Ap...

Page 580: ...plicable 246 Callback Not Applicable 247 Data Svc Not Applicable 248 Force 56 Not Applicable 249 Billing Number Not Applicable 250 Call By Call Not Applicable 251 Transit Number Not Applicable 252 Host Info Not Applicable 253 PPP Address Not Applicable 254 MPP Idle Percent Not Applicable 255 Xmit Rate Typically not used in DSL environment Table A 3 Vendor Specific RADIUS IETF Attributes Number Ven...

Page 581: ... tested on the Cisco 10000 series router 26 9 1 12tp tunnel password Supported in Cisco IOS but not tested on the Cisco 10000 series router 26 9 1 12tp udp checksum Not Supported Store and Forward Fax Attributes 26 9 3 Fax Account Id Origin Not Applicable 26 9 4 Fax Msg Id Not Applicable 26 9 5 Fax Pages Not Applicable 26 9 6 Fax Coverpage Flag Not Applicable 26 9 7 Fax Modem Time Not Applicable 2...

Page 582: ...oice quality Not Applicable 26 9 33 h323 gw id Not Applicable Large Scale Dialout Attributes 26 9 1 callback dialstring Not Applicable 26 9 1 data service Not Applicable 26 9 1 dial number Not Applicable 26 9 1 force 56 Not Applicable 26 9 1 map class Not Applicable 26 9 1 send auth Not Applicable Miscellaneous Attributes 26 9 2 Cisco NAS Port Supported and tested 26 9 1 min links Multilink is not...

Page 583: ...Sustainable Cell Rate Supported and tested in Cisco IOS Release 12 2 15 BX 26 9 1 ip vrf id Supported and tested in Cisco IOS Release 12 2 16 BX1 26 9 1 ip ip unnumbered Supported and tested in Cisco IOS Release 12 2 16 BX1 Table A 3 Vendor Specific RADIUS IETF Attributes continued Number Vendor Specific Company Code Sub Type Number Attribute Status ...

Page 584: ...A 12 Cisco 10000 Series Router Software Configuration Guide OL 2226 23 Appendix A RADIUS Attributes Vendor Specific RADIUS IETF Attributes ...

Page 585: ...from server to client is much faster than the transmission from the client to the server ATM Asynchronous Transfer Mode International standard for cell relay in which multiple service types such as voice video or data are conveyed in fixed length cells Fixed length cells allow cell processing to occur in hardware thereby reducing transit delays ATM is designed to take advantage of high speed trans...

Page 586: ...BWFQ you define traffic classes based on match criteria including protocols access control lists ACLs and input interfaces Packets satisfying the match criteria for a class constitute the traffic for that class A queue is reserved for each class and traffic belonging to a class is directed to the queue for that class On the Cisco 10000 series router the CBWFQ feature allows a VAI to inherit the se...

Page 587: ... service provider can then offer subscribers the ability to choose services with varying levels of bandwidth allocation DF bit Don t Fragment indicator bit A bit in an encapsulated header that indicates whether a router is allowed to fragment a packet DHCP Dynamic Host Configuration Protocol Provides a mechanism for allocating IP addresses dynamically so that addresses can be re used when hosts no...

Page 588: ...rotocol The Internet protocol used to transfer files between hosts G GE Gigabit Ethernet GRE Generic Route Encapsulation A method of encapsulating any network protocol in another protocol H high VC count Also called high VC mode A technique used to optimize processes for session scaling HGW Home Gateway Also known as L2TP Network Server LNS in L2TP contexts hop count A measure of distance between ...

Page 589: ...ecommunications Union Standardization Sector ITU T is the telecommunication standardization sector of ITU and is responsible for making technical recommendations about telephone and data including fax communications systems for service providers and suppliers L L2F Layer 2 Forwarding Protocol that supports the creation of secure virtual private dial up networks over the Internet L2TP Layer 2 Tunne...

Page 590: ...ucts the routers and the switches in the network where to forward the packets based on preestablished IP routing information MPLS VPN MPLS based virtual private network MQC Modular QoS Command line interface Also referred to as Modular CLI A platform independent CLI for configuring QoS features on Cisco products MR APS Multirouter automatic protection switching multicast Single packets copied by t...

Page 591: ...st on demand address pool See ODAP OSI Open Systems Interconnection An international standardization program to facilitate communications among computers from different manufacturers overlapping address pool See OAP P PAP Password Authentication Protocol Authentication protocol that allows PPP peers to authenticate one another The remote router attempting to connect to the local router is required...

Page 592: ...inks and allows for Ethernet PPP connections over Ethernet links PPPoEo802 1Q VLAN PPP over Ethernet over IEEE 802 1Q VLANs Allows tunneling and termination of Ethernet PPP sessions across VLAN links IEEE 802 1Q encapsulation is used to interconnect a VLAN capable router with another VLAN capable networking device The packets on the 802 1Q link contain a standard Ethernet frame and the VLAN inform...

Page 593: ...y gateways and many physical networks In the Internet each datagram is routed separately router A system responsible for making decisions about which of several paths network or Internet traffic will follow To do this it uses a routing protocol to gain information about the network and algorithms to choose the best route based on several criteria known as routing metrics routing table Information ...

Page 594: ...he first match requirements Packet headers are used to access these tables in a small fixed number of lookups independently of the existing number of ACL entries U UBR Unspecified bit rate QoS class defined by the ATM Forum for ATM networks UBR allows any amount of data up to a specified maximum to be sent across the network but there are no guarantees in terms of cell loss rate and delay UNI sig...

Page 595: ...her parts of the network connection at the home gateway VPI Virtual path identifier An 8 bit field in the header of an ATM cell The VPI together with the VCI is used to identify the next destination of a cell as it passes through a series of ATM switches on its way to its destination ATM switches use the VPI VCI fields to identify the next VCL that a cell needs to transmit on its way to its final ...

Page 596: ...Configuration Guide OL 2226 23 WFQ Weighted Fair Queuing A QoS congestion management function WRED Weighted Random Early Detection A QoS congestion avoidance function X xDSL Various types of digital subscriber lines Examples include ADSL HDSL and VDSL ...

Page 597: ...entication ppp command 5 32 5 34 5 37 authorization command 10 8 authorization network command 5 33 5 37 5 42 group server radius command 5 31 5 37 new model command 5 31 new model command 10 8 16 39 16 40 session id command 10 8 AAA CLI stop record enhancement 1 21 AAL5 1 1 AAL5 over SDU Support over MPLS 20 14 About MLP on LNS 22 19 ABR definition 1 1 accept attribute lists 16 42 accept dialin c...

Page 598: ...ubscriber Line 22 18 asymmetric digital subscriber line See ADSL asynchronous transfer mode 1 1 ATM 1 1 line cards maximum VCs supported 2 16 8 16 ATM adaptation layer See AAL5 ATM aggregation leased line architecture 1 11 ATM line cards VC scaling ATM PVC autoprovisioning 8 4 hierarchical shaping 2 8 atm over subscription factor command 8 17 atm pppatm passive command 2 19 ATM PVC autoprovisionin...

Page 599: ...rvation 8 14 statistical multiplexing 8 14 BBA 1 1 BBA group bba group command 3 21 6 4 6 9 configuration example 6 5 6 11 configuring 3 21 3 22 configuring PPPoE 6 4 6 9 bba group command 3 21 BGP 3 45 1 1 configuring to advertise networks 3 24 BGP Features 4 10 Allow AS in 4 10 AS_PATH attribute 4 10 ASN Override 4 10 BGP AS Path Filtering 4 10 BGP Max Prefix 4 10 BGP Multipath 4 11 BGP Prefix L...

Page 600: ...14 Cisco Broadband Operating System See CBOS Cisco Discovery Protocol See CDP Cisco Express Forwarding See CEF Cisco Group Management Protocol See CGMP class based WFQ See CBWFQ class of service definition 1 3 class range command 8 8 class vc command 8 7 clear ip dhcp command 10 15 ip dhcp pool name subnet command 10 16 pppoe command 6 12 vpdn tunnel command 9 10 commands aaa accounting 5 33 5 39 ...

Page 601: ...ate 5 29 ip address pool 10 11 ip address pool 10 7 ip dhcp pool 10 7 10 11 ip dhcp relay information option 3 11 3 25 ip helper address 3 27 ip local pool 10 17 ip multicast routing 15 35 ip pim dense mode 15 35 ip pim sparse dense mode 15 36 ip pim sparse mode 15 36 ip radius source interface 5 34 ip tos reflect 9 6 ip unnumbered loopback 5 29 ip vrf 4 24 5 36 ip vrf forwarding 5 32 5 34 27 2 ke...

Page 602: ...ool 10 12 10 16 ip interface 3 30 ip local pool 10 18 ip ospf database 3 46 ip protocols 3 40 ip protocols vrf 3 30 ip rip database vrf 3 46 ip route 3 40 ip route vrf 3 30 3 44 5 35 5 51 ip vrf 3 30 3 44 ip vrf detail 3 44 ip vrf interfaces 3 44 mpls forwarding table 3 41 mpls interfaces 3 40 mpls ip bindings 3 42 mpls l2transport vc 20 14 mpls tag switching forwarding table 3 42 pppoe session al...

Page 603: ...onfigurations per host 5 24 per server group 5 24 configuring VC oversubscription 8 14 Configuring L2 Virtual Private Networks 20 1 connectivity testing 3 47 constant bit rate definition 1 2 CoS definition 1 3 CPE 1 3 CPU HOG messages 2 13 create on demand PVCs and PPP sessions RP CPU usage 2 4 create on demand command 8 6 8 9 8 11 with infinite range 8 6 customer edge router See CE router custome...

Page 604: ... DLCI specifying 20 29 DLCI to DLCI connection 20 28 DNIS 1 3 DNS 1 3 domain domain name command 5 4 Domain Name Server 1 3 domain preauthorization 5 11 configuring RADIUS user profile 5 14 verifying 5 11 verifying RADIUS user profile 5 15 domain stripping 5 35 Don t Fragment bit 1 3 DoS protecting against 12 1 dout dialer 5 44 downsteam VRF 4 26 downstream rate 1 3 downstream VRF 4 22 4 24 DSCP 1...

Page 605: ... 21 1 27 IGMPv3 1 22 in service software upgrade 1 22 intelligent service architecture 1 22 interface oversubscription 1 27 IP multicast 15 33 IP over Q in Q 1 25 IP receive ACLs 1 27 12 1 IP SLAs LSP health monitor 1 23 IP unnumbered on 802 1Q VLANs 1 27 7 1 IPv6 1 23 24 1 ISA 1 22 ISSU 1 22 L2TP congestion avoidance 1 23 L2TP domain screening 1 25 LAC 5 1 communicating with RADIUS 5 11 configura...

Page 606: ...dband aggregation enhancements 1 26 queue scaling 2 7 RADIUS attribute 31 calling station ID 1 26 16 51 RADIUS attribute screening 5 24 16 39 RADIUS packet of disconnect 1 28 16 55 RADIUS server load balancing 1 24 RA to MPLS VPN 3 31 Scaling limits for L2TP tunnels 1 24 session limit per VRF 4 15 4 17 4 19 session load balancing 5 6 session load failover 5 6 sessions per tunnel limiting 5 5 5 37 ...

Page 607: ...23 4 on bundle subinterfaces 23 6 23 15 on member links 23 5 23 16 on VLAN groups 23 5 output QoS 23 4 output QoS for subinterface 23 4 restrictions 23 5 service policies 23 3 to 23 4 restrictions 23 3 GEC Gigabit EtherChannel 23 1 Generic Route Encapsulation definition 1 4 Gigabit Ethernet definition 1 4 GRE 1 4 GRE tunnel IP source and destination VRF membership feature overview 27 1 restriction...

Page 608: ...ing See IRB intelligent service architecture 1 22 interface enabling dense mode 15 35 sparse mode 15 36 outbound and IP multicast fast switching 15 34 virtual template command 5 29 interface config RADIUS attribute 2 17 2 20 3 5 3 6 4 26 interface multilink command 22 9 interface oversubscription 1 27 interface range command 6 16 interface ranges multilink 22 4 22 8 22 14 22 17 International Stand...

Page 609: ...4 12 Non VRF Internet Access 4 11 Using Static Routes in VRF 4 12 VRF interface 4 12 IPv6 VPN over MPLS 6VPE 4 7 Configuration tasks 4 9 Monitoring and maintaining 4 15 Prerequisites 4 8 Restrictions 4 9 the ipv6 unicast routing command 4 8 IPv6 VRF s 4 9 ip vrf command 4 24 5 36 ip vrf forwarding command 5 32 5 34 27 2 IRB 1 5 ISA 1 22 ISO 1 5 ISP 1 5 ISSU 1 22 ITU T 1 5 K K1 and K2 bytes 14 20 k...

Page 610: ...TM PVC 20 14 Layer 2 Local Switching feature ATM AAL5 SDU support MPLS in VC class configuration OAM cell emulation 20 18 MPLS on a PVC OAM cell emulation 20 16 ATM to ATM local switching 20 15 OAM cell emulation 20 15 layer 2 local switching feature Frame Relay to Frame Relay 20 31 supported line cards 20 14 20 31 Layer 4 Redirect scaling 2 5 LCP 9 8 1 5 LCP See Link Control Protocol LDP 3 40 lea...

Page 611: ...s control layer definition 1 6 method lists configuring RADIUS tunnel authentication method lists 5 42 default 5 27 named 5 27 5 39 MIB 1 6 MIBs CISCO ATM PVCTRAP EXTN MIB 2 14 MLP feature bundle interfaces 22 4 bundles 22 3 description of 22 1 documentation reference 1 23 groups 22 5 interface ranges 22 4 22 8 22 14 22 17 link fragmentation and interleaving 22 27 multi VC over ATM PVCs 22 16 over...

Page 612: ...25 restrictions 14 21 show and debug commands 14 27 14 30 ms chap 5 34 MTU setting in AToM 20 37 multicast 1 6 multicast VPN 1 24 Multihop feature configuration examples 9 8 monitoring 9 9 overview 9 1 restrictions 9 3 multihop feature definition 1 6 enabling multihop functionality 9 3 multihop hostname command 9 5 multiplexer 1 6 multiplexing statistical 8 14 multipoint subinterface 1 6 Multiprot...

Page 613: ...re 10 16 ODAP address allocation for PPP 10 5 allowing to obtain subnets 10 8 benefits 10 6 configuration example 10 14 10 15 configuring 10 6 configuring DHCP pool 10 7 configuring on an interface 10 10 configuring RADIUS on the Cisco 10000 router 10 9 configuring to obtain subnets through IPCP negotiation 10 11 configuring with IPCP subnet allocation protocol 10 11 defining DHCP as the global de...

Page 614: ...F AAA configuring 3 30 description 5 23 verifying 5 35 PIM configuring on an interface 15 35 enabling dense mode 15 35 sparse mode 15 36 sparse or dense mode 15 36 IP multicast feature 15 33 15 35 ping command 3 41 3 47 10 16 Point to Point Protocol See PPP point to point subinterface 1 8 policy map scaling 2 6 policy map command counting as policy map 2 6 pool group configuring 10 17 displaying s...

Page 615: ...tion example 6 10 definition 1 8 feature 6 7 verifying 6 11 PPPoE over Q in Q 1 28 PPP over MPLS 20 36 PPPoX 16 51 1 8 PPP terminated aggregation definition 1 8 to VRF RADIUS attribute screening feature 16 39 See also PTA PPP Termination Aggregation 22 18 ppp timeout authentication command 2 10 PQ 1 8 primary card 14 28 private server configuring 5 31 description 5 24 protocol command 8 3 Protocol...

Page 616: ...Endpoint 16 41 67 Tunnel Server Endpoint 16 41 69 tunnel Password 5 26 6 Service Type 16 40 16 41 7 Framed Protocol 16 40 16 41 87 NAS Port ID 16 46 8 Framed IP Address 16 56 90 Tunnel Client Auth ID 5 26 Acct Status Type 5 40 Acct Tunnel Connection 5 39 Acct Tunnel Packets Lost 5 39 IETF A 1 Tunnel Client Endpoint 5 39 Tunnel Server Endpoint 5 39 vendor proprietary A 4 vendor specific A 8 authent...

Page 617: ...ribute command 10 9 radius server attribute list command 5 38 radius server command 16 42 16 43 radius server command 2 9 radius server domain stripping command 5 35 RADIUS server load balancing 1 24 radius server retransmit command 5 11 radius server vsa command 10 9 range command 8 9 RA to MPLS VPN configuration example 3 31 See also MPLS RBE definition of 1 9 rbe nasip command 3 25 RBE to MPLS ...

Page 618: ...type RADIUS attribute 16 40 16 41 session limit command 4 16 4 19 5 36 session limit per VRF feature configuration examples 4 19 configuring 4 18 monitoring 4 21 overview 4 15 prerequisites 4 17 restrictions 4 17 verifying configuration 4 19 session load balancing feature 5 6 session load failover feature 5 6 sessions per tunnel limiting feature 5 5 5 16 verifying 5 37 shaped UBR PVCs 1 26 show ac...

Page 619: ...e Network Management Protocol 1 9 SLOF critical alarm 14 31 SLOS critical alarm 14 31 slot pairings 14 28 SNMP creating a view entry 2 14 definition 1 9 MIBs 2 13 permitting access to 2 14 snmp server community command 2 14 snmp server view command 2 14 SONET automatic protection switching APS 14 27 source vpdn template command 4 18 sparse dense mode enabling 15 36 sparse mode enabling 15 36 spoke...

Page 620: ... switch definition of 1 10 terminating from the LAC 5 36 terminating in VRF 27 1 vrf command 27 2 27 3 VRF feature 27 1 configuration examples 27 4 configuring 27 3 Tunnel Client Endpoint RADIUS attribute 5 39 tunnel client endpoint RADIUS attribute 16 41 tunnel destination command 27 3 tunnel preference attributes 5 6 Tunnel Selection 20 47 Configuration Example 20 47 debug mpls l2transport vc co...

Page 621: ...on 1 28 8 14 VBR rt 1 10 VCCI 22 20 VC class applying to a range of PVCs 8 7 applying to individual PVC 8 7 applying to PVC within a PVC range 8 8 creating with autoprovisioning enabled 8 6 parameters 8 3 vc class atm command 5 10 8 6 8 11 VCI 1 11 VCs bandwidth reservation 8 14 definition of 1 11 oversubscription 8 14 VC scaling ATM line cards ATM PVC autoprovisioning 8 4 hierarchical shaping 2 8...

Page 622: ...ration examples 4 19 detaching from a VPDN template 4 16 request dialout 9 7 template 4 16 configuring 4 17 templates nesting 4 17 tunnel authorization searches 9 5 vpdn authorize domain command 5 4 enable command 4 18 5 29 6 3 6 8 9 3 ip udp ignore checksum command 2 19 multihop command 9 3 search order command 9 5 session limit command 4 18 VPDN group accept dialin 9 1 configuring 3 19 request d...

Page 623: ... VPDN tunnels 1 25 configuration examples 27 4 configuring 27 4 description of 27 2 overlapping IP addresses 27 4 vrf id RADIUS attribute 2 17 3 5 VRF Lite 4 12 Layer 3 VPN 4 12 Multi VRF CE 4 12 VSA 16 40 definition 1 11 dout dialer 5 44 Service Type 5 44 vpdn vtemplate 5 44 W WAN 1 11 weighted fair queuing 1 12 weighted random early detection 1 12 WFQ 1 12 wide area network 1 11 working card 14 ...
