Académique Documents
Professionnel Documents
Culture Documents
Student Guide
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax
numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia
Czech Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary
India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands
New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania Russia Saudi Arabia
Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine
United Kingdom United States Venezuela Vietnam Zimbabwe
Copyright " 2011, Cisco Systems, Inc. All rights reserved. CCIP, the Cisco Powered Network mark, the
Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ
Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness Scorecard, Networking Academy,
ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We
Work, Live, Play, and Learn, Discover All Thats Possible, The Fastest Way to Increase Your Internet Quotient, and
iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,
CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the
Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast,
StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or
its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and any other company. (0203R)
Course Level
This course provides a fundamental level of information pertaining to
the Cisco ASR 9000 Series family of products.
Prerequisites
The following courses are prerequisites:
Basic knowledge of router installation and some experience with
installation tools
Routing protocol configuration experience with Border Gateway
Protocol (BGP), Intermediate System-to-Intermediate System (IS-
IS), and Open Shortest Path First (OSPF)
Knowledge of Layer 2 IEEE switching and related protocols
Strong knowledge of MPLS configuration or multicast
configuration experience
Knowledge of Cisco router security implementation, including
authentication, authorization, and accounting (AAA) and TACACS
Experience troubleshooting Cisco routers in a large network
environment
Additional Information
Cisco Systems Technical Publications
Day 2
Module 6 Cisco IOS XR Operations
Lab 3 Cisco IOS XR Operations
Module 7 IOS XR Security
Lab 4 IOS XR Security
Module 8 IOS XR Routing Protocols
Lab 5 IS-IS Routing Configuration
Lab 6 OSPF Routing Configuration
Lab 7 iBGP Routing Configuration
Module 9 Route Policy Language
Lab 8 Route Policy Language
Day 3
Module 10 Layer 3 Multicast
Lab 9 Layer 3 Multicast
Module 11 MPLS
Lab 10 MPLS
Module 12 Layer 3 VPN
Lab 11 Layer 3 VPN
Module 13 Cisco ASR 9000 Layer 2 Architecture
Day 4
Overview
Description
The course introduces you to the Cisco ASR 9000 Series Aggregation
Services Router. The chassis options, features, and functionality are
described in detail. The modules are both theoretical and practical in
scope. Although some of the modules focus on the technology and
features of the platform, most of the modules deal specifically with the
tasks associated with configuring and deploying the Cisco ASR 9000
Aggregation Services Router. Hands-on lab exercises allow you to
practice and use the knowledge and skills gained during this course to
perform measurable tasks.
Objectives
After completing this course, you will be able to do the following:
List and describe the major features and benefits of a Cisco ASR
9000 series router
List and describe the major features and benefits of Cisco IOS XR
operating system
Understand data flow through the Cisco ASR 9000 series router
Configure Cisco ASR 9000, back out of configuration changes, and
restore older versions of configuration
Install Cisco IOS XR operating system, Package Information
Envelopes (PIEs) and Software Maintenance Updates (SMU)
Configure the Cisco IOS XR security features in an owner SDR
Configure routing protocols and Route Policy Language in a
complex multi-AS environment
Configure Multiprotocol Label SwitchTraffic Engineering
(MPLSTE) on a Cisco ASR9000 series router Configure Layer 2
Multicast features
Overview
Description
This module provides an overview of the Cisco ASR 9000 Series
Aggregation Services Routers (Cisco ASR 9000). It includes a system
description, a list of hardware components, and an introduction to network
applications and deployment scenarios.
Objectives
After completing this module, you will be able to:
Describe the Cisco ASR 9000 features and functions
List and describe different chassis types, control cards, and traffic-
carrying cards
Describe Cisco ASR 9000 network applications
Describe Cisco ASR 9000 deployment scenarios
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 1/3
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 1/4
RSP
RSP cards contain the switch fabric that interconnects the LC cards. They
also provide chassis management and control. Typically, two RSPs are
deployed per-chassis to support control plane redundancy.
RSP
RSP
Applications
Flexible Ethernet Edge
The CISCO ASR 9000 is focused on the Metro Ethernet and broadband
transport market space. It aggregates Ethernet from the customer edge
and can transport the Ethernet frames using native Ethernet, IP, or
MPLS. It can also provide Layer 3 service (L3VPNs, Internet access, and
so on). This flexibility allows the Cisco ASR 9000 to perform a variety of
network functions. It can be deployed by service providers and enterprises
alike.
This slide gives one example of a Cisco ASR 9000 deployment, providing
LAN extension and Layer 3 service access between two geographically
dispersed customer sites.
Applications
Connection-
Connection-oriented,
Layer 2 VPN
VPN A topology VPN A
VPN A
Customer equipment
VPN A
VPN A
IP/MPLS
Layer 2 or Layer 3
VPN network
VPN A
VPN A
Pseudowires
VPN C VPN A and C
Carrier Ethernet
Network
CE PE PE CE
A UNI is the demarcation between the customer edge (CE) and the
provider edge (PE)
Ethernet service is what Service Providers (SP) provides between UNIs
Ethernet Line service (E-Line) point-to-point
Ethernet LAN service (E-LAN) multipoint
Core
Distributed PE Single PE
UNI UNI
Service provider responsibility
Content Farm
Policy Control Plane (per subscriber)
Residential
Access Aggregation/Distribution Edge
MSPP
VoD TV VoIP
Cable
STB
U-PE
Business BRAS/BNG Core Network
ETTx Ethernet/ Digital MPLS /IP
Corporate
IP/MPLS Program DPI
Insertion
DSL
Residential Cisco ASR
9000
Content Farm
PE-Agg or
N-PE MSE
PON
STB
VoD TV VoIP
L3
High speed internet
RAN backhaul L2 EoMPLS backhaul
Base Station
Controller
VoD Servers
BRAS
Core
PE-AGG N-PE
MSE
L2 VPN
L3 VPN
Business VPN
Video and voice L2 EoMPLS backhaul HSI
L3/MPLS edge distributed for L3 VPN, L2 VPN, VPLS VoD
efficient multicast and Broadcast TV
resiliency Business VPN
RAN backhaul
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 1/18
E-OAM (IEEE 802.3ah): Ethernet link layer OAM is a vital component of EOAM
that provides physical-link OAM to monitor link health and assist in fault
isolation. Along with 802.1ag, Ethernet link layer OAM can be used to assist in
rapid link-failure detection and signaling to remote end nodes of a local failure.
IPv4 Routing: Cisco IOS XR software supports a wide range of IPv4 services and
routing protocols, including Border Gateway Protocol (BGP), Intermediate System-
to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), static routing,
IPv4 Multicast, Routing Policy Language (RPL), and Hot Standby Router Protocol
(HSRP) and Virtual Router Redundancy Protocol (VRRP) features.
IPv6 Routing: Cisco IOS XR software supports IPv6 services including OSPFv3
and static routing.
MPLS L3VPN: The IP VPN feature for MPLS allows a Cisco IOS Software or
Cisco IOS XR software network to deploy scalable IPv4 Layer 3 VPN backbone
services. An IP VPN is the foundation that companies use for deploying or
administering value-added services, including applications and data hosting
network commerce and telephony services to business customers.
Multicast
IPv4 PIM-SM, PIM-SSM
IGMP v2/v3 snooping
OAM
E-OAM (IEEE 802.3ah)
E-OAM (IEEE 802.1ag), also supported on bundle interfaces
MPLS OAM
Layer 3 routing
IPv4 Routing
IPv6 Routing
MPLS L3VPN
NSF: NSF support for BGP, OSPF, IS-IS, MPLS-TE, LDP, and T-LDP allows
traffic to continue to be forwarded if a failure occurs. This feature requires
neighboring nodes to be NSF-aware.
NSR: NSR maintains OSPFv2 and LDP sessions and state information across
stateful switchover (SSO) functions as well as ISSU support on a provider-
edge device providing MPLS VPN services.
QoS
H-QoS: Four-level H-QoS support is provided for EVCs with the following
hierarchy levels
MPLS TE
MPLS TE
MPLS TE Preferred Path
High availability
MPLS TE FRR
Bidirectional Forwarding Detection (BFD)
Link aggregation bundles
NSF
NSR
Manageability
Cisco IOS XR Software manageability
Cisco Active Network Abstraction (ANA)
Security
Layer 2 ACLs
Layer 3 ACLs
Many critical security features are supported:
! Standard 802.1ad Layer 2 Control Protocol (L2CP) and bridge-protocol-data-
unit (BPDU) filtering
! MAC limiting per EFP or bridge domain
! Unicast, multicast, and broadcast storm control blocking on any interface or
port
! Dynamic Host Configuration Protocol (DHCP) Snooping
! Control-plane security
Traffic mirroring: Traffic Mirroring copies traffic from one or more Layer 2
interfaces or sub-interfaces, including Layer 2 link bundle interfaces/sub-
interfaces, and sends the copied traffic to one or more destinations for analysis
by a network analyzer.
SynchE: Provides a PHY-level frequency distribution mechanism through the
GE/10GE ports from external timing references.
IP Fast Reroute: Provides subsecond IP fast convergence for both IS-IS and
OSPF routing protocols in a properly designed network topology.
IPv6 IS-IS: Support for IPv6 addresses in the Integrated IS-IS routing
protocol.
Y.1731: The first phase of Y.1731 implementation and supports the collection
of round-trip delay and jitter results using IEEE 802.1ag loopback packets and
ITU Y.1731 Delay Measurements.
Video Monitorng: Video monitoring is a service to monitor application
(mainly video) traffic quality by measuring per-flow statistics on the router.
The feature provides scalable and efficient inline monitoring of flows.
MoFRR: Multicast-only FRR (MoFRR) is a Cisco IOS XR innovation to
improve multicast network convergence times. The basic idea of MoFRR is to
send a secondary join to a different upstream interface. The network then
receives two copies of the multicast video stream over two separate and
redundant paths through the network. When a primary path fails, it can
switch over to the backup path instantly without issuing a new PIM join.
Hardware
A9K-SIP-700 line card
A9K-8T and A9K-2T20GE line cards
Feature Licensing
Layer 2
Traffic mirroring
MPLS-TE Path protection
Synchronous Ethernet
Layer 3
BGP Fast Convergence or Prefix Independent Convergence (PIC)
BFD support for HSRP/VRRP
NSR for BGP
IP Fast Reroute (IP FRR)
IPv6 IS-IS
OAM and Monitoring
Y.1731 Performance Monitoring
Inline Video Monitoring (also known as Media Monitoring)
Multicast
Per-flow Multicast only Fast Reroute (MoFRR)
IGMP Snooping enhancements
QoS
H-QoS over link aggregation groups
Hardware
16x10GE LC
Layer 2
Layer 3 load balancing over Layer 2 link aggregation group enhancement
MST Access Gateway also supported over link bundles
MST topology tracking
Provider Backbone Bridging (PBB or 802.1ah)
Policy Based Forwarding (PBF or VLAN hopping)
Layer 2 Protocol Tunneling (L2TP) support
802.1ak or Multicast VLAN registration-lite (MVRP-lite)
MPLS-TE auto-bandwidth
BGP-AD with Label Distribution Protocol (LDP) signaling
MPLS L3VPN
Multicast VPN (mVPN)
IPv6 6PE/VPE
OAM and Monitoring
CFM supported over link aggregation bundle interfaces
CFM supported over link aggregation bundle member interfaces
Y.1731 Alarm Indication Signal (AIS) support
Cisco Netflow v9
__________________________________________________________________
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 1/27
__________________________________________________________________
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 1/28
__________________________________________________________________
Check Release Notes for Cisco ASR 9000 Series Aggregation Services Routers for
Cisco IOS XR Software Release 4.0.0 for SIP-700 feature enhancement details.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 1/30
__________________________________________________________________
Check Release Notes for Cisco ASR 9000 Series Aggregation Services Routers for
Cisco IOS XR Software Release 4.0.1 for SIP-700 feature enhancement details.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 1/31
Cisco Cisco
ASR Cisco Cisco ASR
9000 12000 12000 9000
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 1/32
Documentation References
Use the URLs listed the on the slide to locate additional information on the
Cisco ASR 9000 Series Aggregation Series Routers.
Summary
Introduction to the Cisco ASR 9000 Series Aggregation Services Routers
In this module, you learned to:
Overview
Description
This module describes the Cisco ASR 9000 series chassis hardware
features and functions, including the field-replaceable units (FRUs) and
components.
Objectives
After completing this module, you will be able to:
List the features and functions of the Cisco ASR 9000 Series Chassis
List and describe the features and functions of the FRUs and
components that comprise the Cisco ASR 9000 chassis
List and describe the features and functions of the Cisco ASR 9006 and
ASR 9010 chassis:
! Route Switch Processor cards
! Switch fabric
! Line Cards
! Cooling system
! Power system
Dimensions:
Width: 18.9 in. (48.1cm)
Fits 19 in. rack
Depth: 28.9 in. (73.5cm) Rear air
Fits 800mm ETSI cabinet exhaust
Height: 17.5 in. (44.5cm)
Fits 10 RU or ! rack
Two system
Weight: 230 lbs (104.33 kg)
fan trays
Slots: Side
4x Line Card slots air
pitch 1.775 in.; LC 14.5 in. X 21.5 in. intake
2x RSP slots
pitch 1.5 in.
Three
Cooling:
Cable modular
Two fan trays
Redundant cooling management power
supplies
Power:
AC or DC Power Shelf
Redundant power modules
Power:
Two AC or DC Power Shelves Six modular
Redundant power modules power supplies
Key points:
Data forwarding is fully distributed on the line cards.
The Control plane is split among RSP and LC CPUs (each LC has the same
type of CPU as the RSP).
Layer 2 protocols, BFD, CFM, Netflow run on the LC CPU to support
higher scale.
____________________________ Note _________________________
Throughout this course the Fabric Interface chip on the line cards is
referred to as the Fabric Interface ASIC (FIA), Fabric Interface, and
Fabric I/O interchangeably.
The Switch Fabric chip is referred to as Switch Fabric ASIC or Fabric
interchangeably.
__________________________________________________________________
Backplane
NPU NPU NPU NPU NPU NPU NPU NPU NPU NPU NPU NPU
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10GE XFP
10 x 10 x 10 x 10 x
SFP SFP SFP SFP
Redundant AC or DC power
AC or DC power modules
Single power bus bar
Chassis backplane
Special components on cards or modules, such as DC-to-DC converters
or electromagnetic interference (EMI) filters
Power Architecture
The Cisco ASR 9000 chassis power architecture uses a load balancing
power bus to provide:
Redundant power for all components in the chassis
Redundancy for both AC- or DC-powered chassis
Power Architecture
Description Value
Rated input voltage 200240 VAC nominal (range: 180 to 264 VAC)
220240 VAC (UK)
Description Value
ASR 9000 AC
Power Connections
ASR 9000 DC
Power Connections
The Cisco ASR 9006 and ASR 9010 have two fan trays
All Cisco ASR 9000 Series routers use inlet and outlet air vents and
bezels with impedance carriers to control air flow and temperature
monitored by temperature sensors to prevent chassis over heating.
Operating software controls the cooling system by monitoring the
temperature sensors and sending alarms that can cause the system to
power down if temperature gets to high.
All Cisco ASR 9000 Series routers use air filters to keep the chassis
components clean and cool, air flow restriction can occur if filter gets
dirty.
The Cisco ASR 9000 Series power modules have cooling fans separate
from the chassis cooling.
Filter
Front Filter
Rear
Implements many of the control plane operations for the entire chassis and
performs the following:
Monitors temperature and voltage of other cards and modules in the
entire chassis
During discovery RSPs and line cards are located in the chassis and the
lowest slot RSP becomes the active RSP and the DSC.
Secure Domain Router
2011 Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 2/16
RSP Arbitration
Active and Standby
When the RSP is booted, the Active RSP becomes the designated shelf
controller (DSC)
RSP Arbitration
Compact Flash
Alarm Cutoff and LAMP Test
Eight discrete LEDs
! Power Fail (FAIL)
! Critical Alarm (CRIT)
! Major Alarm (MAJ)
! Minor Alarm (MIN)
! Synchronization (SYNC)
! Internal Hard Disk Drive (HDD)
MGMT
ETH 0
MGMT Management
ETH 1
Management Network RJ-45 Ethernet Port 1
Ethernet Port 0 Con
AUX
RJ-45
Console Port BITS 0
BITS0 and BITS1
BITS 1 (building integration
RJ-45 timing supply)
Auxiliary Port ALARM
PID/VID
Compact Flash:
Removable media
ACO
Lamp
Reset
Fail Sync
Critical HDD
Major CF
Minor ACO
RSPHardware Components
The opposite page shows a block diagram of a RSP (RSP).
Route Switch Processor Memory: comprised of the following:
DRAM, bank 1 and 2 (two 2-GB or 4-GB memory cards)
An 8GB memory version of the RSP is also available
Hard Disk, 70-GB SAS HDD
CPU: dual-core power PC processors runs at 1.5 GHz.
Hard Disk Drive: 70-G hard disk drive (HDD) is an SAS (Serial Attached
SCSI) hard disk used for gathering debug information, such as core dumps
and error log data from the RSP or LCs.
Compact Flash: RSP card provides one Compact flash slot that provide
up to 4-GB of flash storage. The Compact flash card is accessible externally
and removable, and allow you to transfer images and configurations to
them.
Switch Fabric: switch fabric is configured as a single stage of switching
with multiple parallel planes. Each fabric plane is a single-stage, non-
blocking, packet-based store-and-forward switch. The fabric is responsible
for getting packets from one LC to another, but it has no packet processing
capabilities. The switch fabric is 1+1 redundant, deployed as two fabric
planes on each of the redundant RSPs. Each RSP is capable of delivering
80 Gbit/s per slot switching capacity to meet the chassis throughput goals,
allowing for full redundancy.
RSPHardware Components
Switch Fabric
Switch Fabric
Controller
Dual-Core
Route Processor
Punt FPGA
4 or 8 Gigabit DRAM
Compact Flash
The RSP card physically contains both the management/control plane and
the Switch Fabric. They are logically separated.
RSPBlock Diagram
The CPU, System controller, Timing, backplane Ethernet and the Switch
Fabric modules such as Switch Fabric 0/1, Fabric I/O, and
Scheduler/Arbiter are the main components of the RSP card:
CPU: RSP uses a Dual Core Power PC Processor 1.5 GHz
DRAM: two 2-GB memory cards (or two 4-GB memory cards)
Hard Disk Drive: SAS 70 GB
Compact Flash: 2 GB or 4 GB
Flash: Internal 4 GB
System controller: Provides the interfaces between (CPU, AUX, NVRAM,
Boot flash, and Alarms) on the RSP.
NVRAM: 512 KB
Boot flash: 128 MB
Timing: Building Integrated Timing Supply (BITS) external timing or
internal Strat-3 clock.
Switch Fabric: Takes packets from one of the Fabric I/O under control of
the Scheduler/Arbiter.
Fabric I/O: Communicates with Fabric Scheduler/Arbiter to setup the
transfer of data through the Fabric.
Fabric Scheduler/Arbiter: Provides control setup for data transfer
through the Fabric.
Backplane Ethernet: Ethernet Out of Band Communications (EOBC):
Control Plane communications between cards in the chassis.
Backplane CAN bus: monitors the environment (voltage and
temperature), controls soft start of the 5-V and 3.3-V DC-to-DC converters,
controls the alphanumeric front-panel displays, and also holds information
unique to this particular card such as the serial number, hardware part
number, and revision.
RSPBlock Diagram
BITS / telco
SETS / Strat-3 Clock Time clocking to
Sync 0 / 1
BITS/DTI Control Line Cards
DTI / UTI FPGA and Other
Backplane
RSP
SAS Hard Timing
Disk Drive DRAM
4 GB Fabric I/O to
Switch Fabric Other RSP
External Fabric I/O
Switch
Fabric I/O
Compact Flash Punt Fabric
CPU FPGA 0 Fabric
Internal Dual Core Connection to
Flash 4 GB Processor Switch Line Cards
Fabric
RGMII
Fabric 1
Mgmt Ether 0/1 Scheduler
PHY GMII GMII VOQ Arb Fabric Arb
UART
Console UART
Backplane Ethernet
Aux Ether EOBC to
Switch Line Cards
Front Panel
System EOBC to
PHY
Controller Other RSP
FPGA, CPLD,
drivers, etc.
CAN Backplane
Pwr Cntrl Quack Controller CANbus
Alarms
CANbus
NVRAM Boot Flash Serial to/from
512K 128M Line Card
Consoles
Scheduler/
Arbiter
Arbiter
Fabric I/O
Fabric I/O RSP0
Active RP (40G LC)
40G LC 40G LC
Switch
Fabric 0
Switch
Fabric 1
Arbiter
Fabric I/O
Fabric I/O RSP0
(40G LC)
40G LC
Switch
Fabric I/O Fabric 0
80G LC Switch
Fabric 1
Arbiter
RSP1
Standby RP
Switch
Fabric 0
Switch
1 Fabric 1
3
Arbiter
Fabric I/O Fabric I/O
(unicast fabric plane) 4 3 2 1
(LC) 4 (LC)
Switch
Fabric 0
2 Switch
Fabric 1
Arbiter
Unicast traffic is sent across first available fabric link to destination which maximize efficiency.
Each frame (or superframe) contains resequencing logic which is used to reorder frames at the
egress LC.
Latency is measured in nanoseconds.
Switch
Fabric 0
A Switch
A Fabric 1
A B
A
B
Fabric I/O (Multicast fabric plane) Fabric I/O C1 B2 A3 B1 A2 A1
(LC) B (LC)
Step 3:
Fabric GrantFabric scheduler tells requesting LC request
accepted for data transfer by destination LC
Step 4:
Transfer DataRequesting LC sends data to destination LC
Step 5:
AcknowledgeDestination LC tells fabric scheduler transfer
complete available for next arbitration
Scheduler
3 Bellagio2
VoQ Arbiter 2
CPU
PuntPath
1 FPGA
Octopus
Fabric I/O
5
Santa
Switch
Fabric
Cruz
0
NPU
NP3c0 4 4 NPU
NP3c0
Bridge Bridge
Fabric Fabric
FPGA Octopus
I/O 4 Santa
Switch
4 Octopus
I/O
FPGA
NP3c1
NPU Fabric NP3c1
NPU
Cruz
1
LC0 LC7
SUP-A !
!
! !
! !
Scheduler
Bellagio2
Scheduler
VoQ Arbiter
NPU
NP3c0
4 4 CPU 4 NP3c0
NPU
Fabric
PuntPath Fabric Bridge
4 Octopus
Bridge Octopus
Octopus FPGA Fabric I/O FPGA
FPGA
I/O I/O
NP3c1
NPU NP3c1
NPU
Santa
Switch
LC4 Fabric LC11
Cruz
0
Punt Path Packets
Santa
Switch Arbitration Credits/Grants
Fabric
Cruz
1 20Gbs Fabric Links
SUP-B
Superframes
It is inefficient to add a switch fabric header to many smaller packets that
are all destined to the same egress NPU. Multiple unicast packets that are
destined for the same egress LC are grouped into superframes totaling less
than 2000 bytes.
Because there could be a very large combination of multicast destinations,
multicast packets are neither put into superframes nor are they arbitrated
through the VOQ mechanism.
Multicast has its own dedicated data path through the switch fabric.
Superframes
40-port GE
20-port GE + two-port 10 GE
4-port 10 GE
8-port 10 GE (oversubscribed)
There are two types of 80G Ethernet LCs:
8-port 10 GE
16-port 10 GE (oversubscribed)
The 40Gb, eight-port 10GE card is oversubscribed but it can process up to
60Gbps of traffic. In similar fashion, the 80Gb, 16-port 10GE card can
process up to 120Gbps of ingress traffic.
The LCs are available in multiple scale versions.
Standard, CWDM, & DWDM XFPs/SFPs/SFP+ available
IPoDWDM G.709 FEC/EFEC support
GE - SFP Optics (T, S, L, and Z)
TenGE XFP Optics (LR, ZR, and ER)
Ethernet LCNPU
NPU Forwarding Engine
The NPU forwarding engine has two forwarding paths, one for ingress and
one for egress. The paths allow the user to implement different features.
Packets are sent from the forwarding engine to the bridge chip and out
through the fabric interface. Fabric scheduler transfers data from VoQs
when the Fabric Grant is returned from the accepting or destination LC.
Ethernet LC-NPU
To the Bridge
Ingress Processing
and Fabric
I/O Interface
Optics
Interface
Framers
Optics
Egress Processing
! Each NPU has Four Main Associated memories TCAM , Search/Lookup memory , Frame/buffer memory
and statistics memory
Lookup Memory is used for storing FIB tables, Mac address table and Adjacencies
Stats memory is used for all interface statistics, forwarding statistics etc
! E/B/L line card have different TCAM , Stats and Frame Memory size, which give different scale number
of the QoS queues and L2 sub-interfaces per line card
To support mix of the line cards without impacting the system wide scale including routing,
multicast, MAC address, L3 interface, MPLS label space scale
The fixed interface front end hosts user ports. The fixed interfaces adapt
the user traffic flowing between the fixed interfaces and the NP-3
forwarding engine.
Bridge CHIP
The Bridge chip provides the glue that attaches the NPU network
processors to the Fabric Interface. Key Bridge functions include:
NPU 2
PHY
xGE Optics 10 ports GE
Network
Bridge-
FPGA 1
Processor xGE Optics 1 port 10 GE
Backplane
NPU 3
Network PHY
xGE Optics 2 ports 10 GE
Processor xGE Optics
One Fabric
2 Gbyte
eUSB flash interface
CANbus PCIe
I/O Daughter Card
Controller
Processor
EOBC GigE All Ethernet
LCs have the
Local Busses to Bridge
2 Gbyte 128M
Control
FPGAs FPGAs, Optics, Fabric I/O, and same control
DRAM Flash so on hardware.
A9K-8T/4-E/B/L A9K-40G-E/B/L
PHY 3
PHY 7
NPU0 NPU0
PHY 2
PHY 6
NPU1 NPU1
FI/O FI/O
PHY 1
PHY 5
NPU2 NPU2
PHY 0
PHY 4 NPU3 NPU3
Oversubscribed
Note: Bridge FPGAs and LC control hardware are not shown for simplicity
2011 Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 2/31
Fabric
I/O
Bridge Bridge
0 1
Bridge- 1
PHY
NPU is based
NPU 2 xGE Optics
0
on the 80G LC
NPU 3 PHY xGE Optics type:
Bridge- 2 NPU 4 PHY xGE Optics 1 port 10 GE
Fabric Interface
PHY
NPU 5 xGE Optics
2 ports 10 GE
1
Backplane
Bridge- 3
NPU 6 PHY xGE Optics
2 Gbyte
eUSB flash
CANbus PCIe
I/O Daughter Card
Controller
Processor
EOBC GigE
Two Fabric
2 Gbyte 128M
Control Local Busses to Bridge
FPGAs, Optics, Fabric I/O, and
interfaces
FPGAs
DRAM Flash so on
A9K-8T-E/B/L A9K-16T/8-B
PHY
PHY NPU0 PHY NPU0
Fabric PHY Fabric
PHY NPU1 PHY NPU1
I/0 PHY
I/0
PHY NPU2 0 PHY NPU2 0
PHY
PHY NPU3 PHY NPU3
PHY
PHY NPU4 PHY NPU4
PHY NPU5 Fabric PHY
NPU5 Fabric
PHY
I/0 PHY
I/0
PHY NPU6 1 PHY NPU6 1
PHY
PHY NPU7 PHY NPU7
Oversubscribed
Note: Bridge FPGAs and LC control hardware are not shown for simplicity
2011 Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 2/34
Fabric Fabric
I/O 0 I/O 1
16 x
10 2&8 5 & 10 6 & 13 0 & 12 3 & 11 1&9 4 & 14 7 & 15
GE
8x
10 5 3 4 2 0 1 7 6
GE
LC Interface number
CPU Fabric
PHY NPU0 I/O
PHY NPU1
B0 Fabric Fabric
I/O
PHY NPU2 I/0 0
B1
Arbiter
PHY NPU3
RSP0
PHY NPU4
Fabric
I/O
PHY NPU5 B2
Fabric
PHY NPU6 B3 I/0 1 Fabric
I/O
Ethernet LC Counters
This slide illustrates various commands that can be used to display packet
counters for different components of the Ethernet LCs.
Ethernet LC Counters
LC Scale Selection
The following flowchart illustrates the key decision making criteria in
choosing a particular scale size for a given LC type.
Up to three memory options for each line card:
Extended (or high queue)
Base (medium queue)
Low (low queue)*
The different memory options have different QoS queue scale and L2 sub-
interface scale values. Ethernet Flow Points (EFPs) represent endpoints of
Layer 2 services and are discussed in the Layer 2 Architecture module.
All other system wide scale is the same across different type of the line
cards, including FIB, MAC address, Bridge-domain, L3 sub-interface, VRF,
and so on. Support for a matching set of system-wide scale across a mix of
different LC types allows for mixed LCs support within the same chassis.
All line cards have the same basic hardware features.
Contact your Cisco Representative for the latest scale and capacity
information. Use the below specifications only as a guideline:
32K EFPs/ sub-interfaces (non-bundle) per LC
16K on 40G Base LCs
64K EFPs/ sub-interfaces (non-bundle) per chassis
8K bridge-domains per LC and per chassis
8K EFPs per bridge-domain
512K MAC addresses per LC and per chassis
16K static MACs
LC Scale Selection
LC Scale Selection Guidelines
Contact your Cisco Representative for the latest scale and capacity
information. Use the below specifications only as a guideline.
Yes
Plan to enable G.709 Purchase an Advanced Optical
framing on an License per LC
interface?
Yes
Purchase an Advanced
Plan to enable Video
Video License per chassis
monitoring on the
chassis?
Summary
Cisco ASR 9000 Series Hardware
In this module, you learned to:
List the features and functions of the Cisco ASR 9000 Series Chassis
List and describe the features and functions of the FRUs and
components that comprise the Cisco ASR 9000 chassis
List and describe the features and functions of the Cisco ASR 9006 and
ASR 9010 chassis:
! Route Switch Processor cards
! Switch fabric
! Line Cards
! Cooling system
! Power system
Overview
Description
This module introduces you to the Cisco IOS XR software architecture,
high availability (HA) and scalability. You will learn about specifically
applicable features that are specific to each platform.
Objectives
After completing this module, you will be able to:
Describe the Cisco IOS XR modular software architecture
The kernel is replicated across the router infrastructure. The services and
client applications can be distributed across the infrastructure for both
single chassis and CRS-1 multishelf hardware configurations. The
infrastructure includes :
XR 12000
CRS-1 ASR 9000
Series
Route
RP. DRP PRP RSP
processors
Service
SP - -
processors
Shelf controller SC - -
Services
Routing Protocol
Application
modules modules
modules
(BGP, OSPF) (IP)
Runs on
multiple
CPUs
Distributed infrastructure
High Availability
High availability in Cisco routing systems is a combination of hardware
redundancy, and the software and operational components that take
advantage of that hardware.
Components
Kernel
Plane separation
Fault tolerance and isolation
Checkpoint support for process restart
Process-level redundancy
Process restart and recoveryRP failover
Route processor failover
Nonstop forwarding
Minimum Disruption Restart (MDR)
In Service Software Upgrade (ISSU) capability
Kernel
Plane separation
Fault tolerance and isolation
Checkpoint support for process restart
Process-level redundancy
Process restart and recoveryRP failover
Route processor and distributed RP failover
Nonstop forwarding
Minimum Disruption Restart (MDR)
In-Service Software Upgrade (ISSU) capability
Kernel
The QNX Neutrino microkernel has these main features:
Multiprocessor
Small memory footprint
Memory protection
Preemptive fast context switch times
Reliabilityindependent component load/control
Portable Operating System Interface (POSIX)
In the Cisco IOS XR architecture, processes run in their own separate
process spaces. Almost every process can be independently started or
stopped. Failures in processes do not directly affect the operation of other
processes.
Kernel
PO
S
Distributed processing Microkernel: I Message queues
C Threads X
File system Scheduling
Lightweight messaging
I Debug
S Timers Synchronization
Event management C
O
Plane Separation
RIP BGP
IS-IS RIP
BGP
OSPFIS-IS
RIP
Control Plane
Routing policy
Process mgmt
Control plane
Plane Separation
OSPFIS-IS
PIM
Control Plane
Routing Policy
Control plane
IGMP PIM
Routing Policy
Control plane
RIB IGMP
PIM
L2 driversRIB IGMP
IPC mech.
ACL
L2 Drivers RIB
FIB ACL
L2 Drivers
QoS FIB
ACL
LPTSQoS
System services
FIB
Data plane
Host services
LPTSQoS
Version 4.0.1
Data plane
Host
PFI Services
LPTS
Memory mgmt.
Interfaces
Memory-protected microkernel
PFI
Data plane
Host Services
CLI
InterfacesPFI
SNMPCLI Interfaces
XMLSNMP
Netflow CLI
XMLSNMP
AlarmNetflow
H/W abstraction
SSH
Perf. Mgmt.
Alarm
Management plane
SSH
Mi
Perf. Mgmt.
cr
Distributed subsystems/processes
o k
Management plane
SSH
er
ne
l
High Availability
39
Cisco IOS XR Software Overview Module 3
Cisco IOS XR
Management
Control
plane
plane
Data
plane
(Process fails)
Checkpoint
shared
New memory
instance store
of Recover state
process
Active RP/DRP
Process-Level Redundancy
Process-level redundancy is implemented by a system manager process
creating the standby process. Because the active process created the
standby process, the active process has all the information it needs to
communicate (privately) with the standby process. Symbolic links and
abstract names are used to identify the processes. Clients do not see the
standby process until the active goes away.
If a process fails and it has created a standby process, a system-level
process called QNet Symlink Manager (QSM) and a library called Event
Connection Manager (ECM) are used to reestablish links from the clients
to the processes.
QSM provides:
Process-Level Redundancy
Client
Standby
process Standby process
Client
Process A Process A
1 1
Process B Process B
2 Checkpt
1 Checkpt
process
2 process
Process C 3 Process C
Process D 4
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course nameModule 0/17
Failed RSP is
reloaded to
Active
Standby
become new RSP
RP/PRP/RSP
standby RSP
On active RSP
failure, standby
Checkpointed RSP becomes
active
Standby
RSP
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 3/18
Nonstop Forwarding
The main objective of Cisco nonstop forwarding (NSF) is to continue
forwarding IP packets following a route processor (RP/PRP/RSP)
switchover. NSF works with the stateful switchover (SSO) behavior to
minimize the time a network is unavailable to its users following a
switchover. Cisco NSF helps to suppress route flaps, reducing network
instability.
Cisco NSF is supported by the Border Gateway Protocol (BGP), Open
Shortest Path First (OSPF), Intermediate System-to-Intermediate System
(IS-IS), and MPLS protocols for routing. The routing protocols, enhanced
with NSF capability and awareness, can detect a switchover and take the
necessary action to continue forwarding network traffic and recover route
information from peer devices.
The IS-IS protocol can be configured to use state information, that has
been synchronized between the active and standby RPs, to recover route
information following a switchover, rather than information received from
peer devices.
Each protocol depends on Cisco IOS XR forwarding processes to continue
forwarding packets during switchover while the routing protocols rebuild
the Routing Information Base (RIB) tables. After the routing protocols
have converged, the control processes update the Forwarding Information
Base (FIB) table and remove outdated route entries. In turn, the control
processes update the LCs with the new FIB information.
Nonstop Forwarding
ASR9KE For Print!!
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 3/18
What is it?
A critical piece in ISSU
A way to restart or reload software while hardware
continues to function
! Upgrade MDRUsed to upgrade or downgrade
maintenance releases
! Failure MDRUsed to recover from software failures
before reloading
MDR Goal?
Maintenance release upgrades should be
! Hitless
! Cause the minimum hit to forwardingless than control
protocol timeouts
MDR has some limitations. These limitations are those that require
additional processing outside the basic packet processing.
The current limitations include:
No processing of IPv4, IPv6, or Label Switch Path (LSP) ping packets
MDR limitations:
IPv4, IPv6, or LSP ping packets are not processed
IPv4 packets with options, except router alert and IGMP, are dropped
IPv6 packets that require fragmentation are dropped
IPv6 packets with optional headers are dropped
IPv6 ICMP and link local destination address packets are dropped
IGMP group join and leave messages are not processed
IPv4 ICMP packets destined to MSC are dropped
No ICMP packets sent for:
! TTL expiration
! No route (ingress)
! Fragmentation required but DF bit set (egress)
! Incomplete adjacency (egress)
FRR failovers not supported
Forwarding plane statistics and Netflow data are lost
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course nameModule 0/31
Multi-
ISSU MPLS
cast
Forwarding
Base
HFR Admin
OS
Line card
Scalability
A key feature of Cisco IOS XR is its scalability, providing complete
distributed processing of routing protocols, data forwarding plane,
management plane, and infrastructure services to support carrier-class
router systems such as the Cisco CRS-1 Routing System.
Features
Some of the scalability features include:
Adjacency management
Multi-stage forwarding
Forwarding Information Base tables
Distributed interface management
Distributed configuration management
Scalability Features
Adjacency management
Multi-stage forwarding
Forwarding Information Base tables
Distributed interface management
Distributed configuration management
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course nameModule 0/37
Adjacency Management
An adjacency is a mapping of the next-hops Layer 3 address to the Layer 2
rewrite needed to get the packet to the next-hop. In traditional Cisco IOS
routers, adjacency management is done in the RP.
With Cisco IOS XR software, the adjacency control plane runs in the LC
and not in the RP. Adjacency management is done locally on every card for
interfaces resident on that card. One LC does not know about adjacencies
on other LCs. The RP does not keep any adjacency information; it pulls it
from the LC when you request the information.
On the ingress LC the receive Adjacency Information Base (AIB) contains
the destination address and associated parameters to get the packet to the
egress LC or line card, based on the forwarding information found in the
Forwarding Information Base (FIB) tables.
In the egress LC, the transmit adjacency table contains the Layer 2 rewrite
to be applied on the packet before sending it out.
Adjacency Management
Route Processor
Interface ARP/Map!
manager tables!
Adjacency
Line card information
base!
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course nameModule 0/35
Multi-stage Forwarding
Cisco CRS-1
The Cisco XR12000 uses N-stage forwarding which loosely follows the 2-
stage forwarding model but forwarding decisions are made primarily on
the ingress linecard. The ingress linecard does a Layer 3 (IPv4, IPv6, and
MPLS) lookup which yields the egress slot and a ppIndex. The packet is
then forwarded to the egress slot. The egress linecard does a L3 features
lookup and a ppIndex lookup which produces the outgoing interface for
forwarding the packet.
____________________________ Note _________________________
The feature lookup is done only for IPv4 packets. It is not executed for
IPv6 and MPLS packets
__________________________________________________________________
The egress LC does a ppIndex lookup in the forwarding ASIC but its not a
FIB lookup. Instead of a FIB lookup, a ppIndex lookup is done to obtain
forwarding information which produces the outgoing interface for
forwarding the packet, similar to the way a label lookup is done on LFIB.
A ppIndex is nothing but a context advertised by egress line card to all
ingress line cards. The adjacency index in IOS is analogous to ppIndex but
they are not the same. Other features such as MSB, PBR, and L2VPN need
to use a similar mechanism even on a pure 2-Stage platform such as the
CRS-1 and ASR9000.
This mechanism allows forwarding feature parity with other Cisco IOS XR
platforms because the ppIndex mechanism is not visible to platform
independent code.
Mullti-stage Forwarding
ASR9KE Multi-stage Forwarding (Cont.)
Ingress Feature Ordering Egress Feature Ordering
Incoming packet
from wire Interface Packet from Fabric
Forwarding
Classification
Lookup
ACL
Classification L2 Rewrite
QOS Lookup
Fwding lookup
ACL Action
IFIB Lookup *
Packet to Wire
QOS Action
ACL action
QOS Action
Packet to Fabric
IFIB action *
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 3/18
ASR 9000
The Cisco ASR 9000 Router uses Cisco IOS-XR softwares two-stage
forwarding model, in which the ingress card executes ingress features
associated with the interface and subscriber on which the packet arrived,
then does a routing or switching lookup to derive an adjacency that gives
the egress line card1 and port information, and then uses that adjacency to
send the packet to the egress line card. At the egress line card, the
destination address will be looked up again, so that packet processing can
be resumed in order to complete the egress feature set. In addition to
reducing the amount of state that must be sent along with the packet from
ingress to egress, the two-stage lookup helps to localize information; with
the second lookup, information thats only of interest to the egress card can
more effectively be localized to the egress card.
Line Card
1
Actually, the adjacency points to not just the card, but one of network processors on the egress card.
336 Version 4.0.1 Cisco ASR 9000 Essentials
Module 3 Scalability
Route Processor LC LC
CPU PSE
AIB Ifmgr
LDP
LSD
RSVP
Switch fabric
GSP FIB
BCDL Hardware
process
FIB
BGP
RIB
OSPF
ISIS
Static
routes
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course nameModule 0/43
Interface manager
global database
LC LC
Interface manager Interface manager
Interfaces Interfaces
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course nameModule 0/44
Route
Processor
Configuration manager
LC LC
L2/L3 L2/L3
applications and applications and
H/W drivers H/W drivers
Hardware Hardware
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course nameModule 0/45
Summary
Cisco IOS XR Software Overview
In this module, you learned to:
Overview
Description
This module shows you the basics of Cisco IOS XR software and how to
create an initial configuration.
Objectives
After completing this module, you will be able to:
Describe the configuration file system
Describe login access
Configuration Operations
Two-Stage Configuration
Cisco IOS XR software introduces a two-stage configuration method.
In the first stage, you make, change, add to, or subtract from the running
configuration of the router, creating a target configuration. The running
configuration is not affected. The configuration is entered, the syntax is
checked for correctness, and then the configuration is stored, discarded, or
applied.
In the second stage, you commit the target configuration and make it part
of the running configuration.
Cisco IOS XR software also has Extensible Mark-Up Language (XML)
application program interface (APIs), which compose an interface that can
be used to configure the router. Companies can write applications to obtain
billing, error, traffic, and policing information through the XML interface.
Two-Stage Configuration
Config database
First stage Second stage
Router#> Config t
commit
Config agents
Target
Running config
config
CLI/XML
An exact copy of the CFS is also maintained on the standby RP. The copy
helps preserve the router configuration state during and after a
redundancy switchover.
Saving Configuration Changes
New binary
configuration
created; router uses
it to boot up
following reload
Username: cisco
Password: lab
:router#
Login
EXEC mode
Configuration Modes
Configuration mode is the starting point for system configuration and is
also used to enter configuration submodes to configure specific elements,
such as interfaces or protocols.
Configuration submodesFrom the configuration mode, you can
enter other, more specific command modes. These modes are available
based on your assigned access privileges and include protocol-specific,
platform-specific, and feature-specific configuration modes
POS configuration submodePacket over Sonet/SDH (POS)
configuration submode is used to configure such things as cyclical
redundancy check (CRC) and transmit delay
Router configuration submodeRouter configuration submode is
used to select and configure a routing protocol, such as BGP, OSPF, or
IS-IS
! Router submode configurationRouter configuration submodes
are accessed from the router configuration mode.
Username, User Group, Task Group configuration submodes
From these submodes, you configure users, and non-default user and
task groups, to set access privileges.
Configuration Modes
Configuration mode
Administration Modes
Administration mode is currently used to configure secure domain routers
(SDRs) and to install Cisco IOS XR software. In addition, there are a
number of commands that are not available in EXEC mode.
Administration EXECEnter the administration EXEC mode from
EXEC mode. Administration EXEC mode is used primarily to display
system-wide parameters, install software, and manage and monitor
system resources. These operations are available only to users with the
required root-system level access. When non-owner SDRs have been
configured, EXEC mode provides visibility into only the owner SDR.
You can install packages on either a per SDR basis or across the entire
platform, and set the configuration register.
Administration configurationEnter administration configuration
mode from administration EXEC mode. This modes primary
application is to configure non-owner SDRs, control individual card
slots (for example, you can turn power to a slot on and off), and
configure the administration plane over the control Ethernet for multi-
chassis systems. These operations are available only to those users who
have root-system privileges.
SDR configurationEnter SDR configuration to specify a non-
owner SDR to be provisioned and enter non-owner SDR
configuration mode. Here you configure the non-owner SDRs
resources, such as line cards
Administration Modes
Login
Administration configuration
mode
Per SDR software installations
SDR configuration
Config-register settings submode
Upgrades
Secure Domain Router management
EXEC :router#
Interface
:router(config)# interface pos 0/2/0/0
submode :router(config-if)#
config:
Protocol and :router(config)# router bgp 140
submode :router(config-bgp)# address-family ipv4
config: :router(config-bgp-af)#
:router# admin
Admin :router#(admin)#
MGMT
ETH 1
RP/0/RSP0/CPU0:router#
Con
Console AUX
Connection
RP = route processor card
BITS 0
BITS 1
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
Cust A
Provider
Cust B
Network
Cust C
Initial Configuration
Considerations
When initially installing a router that runs Cisco IOS XR software, there
are some initial configuration considerations. Important things to include
in the configuration are:
Management IP interfaces on RP cards and IPv4 virtual address
Hostname for easy router recognition and potential inclusion in a
domain name server
Interfaces that the router will serve, such as loopback and network
links
Routing protocols and routes, such as static and default routes
Configuration Considerations
Management interfaces
! RP Ethernet
! Virtual IP address
Hostname
Interfaces
! Loopback
! Network
Routing protocols and routes
! Static
! Default route
Telnet server
Management Interfaces
The out-of-band IP addresses for router management purposes are
assigned to Ethernet ports on RPs. The RPs for Cisco CRS-1 Routers are
always located in RP Slot 0 and Slot 1 in the LCC. Similarly, the RSPs for
Cisco ASR 9000 routers are located in RSP slot 0 and slot 1. The RPs for a
Cisco XR12000 Router can be located in any available line card slot, but
the prompt is always the same.
The Management Ethernet ports on the RPs are commonly connected to
the same subnet and are assigned unique addresses in that address space.
Although this is not required for proper operation of the Management
Ethernet, the design and utility of the IPv4 virtual address assumes this
scenario.
Configuring Management Ethernet
Management Interfaces
ASR9KE - Management Ethernet Interfaces
Management
ASR 9006 RSP s in chassis Ethernet
Connection
slots 0 and 1 MGMT
ETH 0
MGMT
ETH 1
AUX
BITS 1
!mgmtEth0/RSP1/CPU0/0
(Cont.)
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
:router# configure
:router(config)# interface MgmtEth0/RSP0/CPU0/0
:router(config-if)# ipv4 address 172.21.116.10/24
:router(config-if)# no shutdown
:router(config-if)#
Interface mode
Set the IP version
!IPv4 or IPv6 address
!Mask
Activate the interface
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
Configuring Hostname
The hostname identifies a router on the network. Although devices can be
uniquely identified by their Layer 2 and Layer 3 addresses, such as an IP
address, it is often simpler to remember network devices by a hostname.
This name is used in the CLI prompt, in our lab configuration filenames,
and, in general, to identify the router on the network.
To configure the hostname, enter the hostname command in global
configuration mode, followed by the name of the router.
Configuring Hostname
Configuring Hostname
Create a hostname
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
Interface command
Assign IP address
Visible as interface
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/27
Shared port adapters (SPA) interfaces use the same numbering format but
subslot specifies the secondary slot on the SIP in which the SPA is
installed and port specifies the interface number on the SPA.
A SIP-800 installed in LC slot 4 containing a 4-port OC-3c/STM-1 POS
SPA installed in subslot 3 with a connection in port 2, would be identified
as:
interface pos0/4/3/2
____________________________ Note _________________________
The numbering format discussed here applies to all Cisco IOS XR
supported platforms.
__________________________________________________________________
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/29
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/30
Interface command
!Rack/slot/subslot/port
!Assign IP address
!Activate the interface
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/31
Protocol configuration
Choose address family
! IPv4 or IPv6
! Unicast or multicast
Destination prefix and mask
Next hop address or outgoing interface
:router(config)# commit
:router(config)#
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface pos 0/5/0/1 pos crc 16
RP/0/0/CPU0:router(config-if)# abort
RP/0/0/CPU0:router#
!
end
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
Displaying Interfaces
The show interface command presents the statistics for interfaces that
are configured on the router, in slot order and by interface type and
instance number. The brief keyword, as shown in the slide, presents a
summary of one line for each interface configured. The physical interface
display is in the form rack/slot/module/port.
Displaying Individual Interfaces
Displaying Interfaces
ASR9KE - For Print!!
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
Displaying IP Interfaces
The show ipv4 interface command presents a list of all interfaces, their
IPv4 addresses, if configured, and the status of both the interface and the
protocol.
To display specific information about individual interfaces, use a show
interface command that includes the protocol address family (IPv4 or
IPv6) and the specific interface instance. The slide provides an example.
Displaying IP Interfaces
ASR9KE - For Print!!
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
RP Redundancy
Displaying Redundancy
The status of RP redundancy of the router is displayed using the show
redundancy command. The display shows which RP is the active RP and
which is the standby RP. The display further shows the status of the
standby RP, along with the most recent reload and boot information.
Should the standby RP need to become the active RP, you can make the
switch by entering the redundancy switchover command and
confirming the switchover.
Displaying Redundancy
ASR9KE For Print!!
Display the
ASR9KE current redundancy state
RSP Redundancy (Cont.)
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 04/18
Summary
Cisco IOS XR Configuration Basics
In this module, you learned to:
Overview
Description
This module teaches you to select, prepare, install, activate, and deactivate
Cisco IOS XR software packages.
Objectives
After completing this module, you will be able to:
Describe the Cisco IOS XR packaging model
Summarize the process of downloading new software and patches
Software Packages
RP LC
Multi- Optional
Doc Diags MPLS
cast
Manage- Optional
Security
ability
Routing
Multi-
MPLS
cast Line card
Mandatory
Forwarding
Routing
Base
OS-MBI
Line card
Mandatory
Forwarding
Admin
Base
OS-MBI
Implementation locations
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/4
Line card
Line card drivers
Routing
RIB, BGP, ISIS, OSPF, EIGRP, RIP, RPL
Administration
Resource management: rack, fabric, SDR
Base
Interface manager, system database, checkpoint services,
configuration management, other slow-changing components
OS-MBI
Kernel, file system, memory management, and other slow-changing core components
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/6
Following are some examples of the PIE files you might use for the
operation of a Cisco CRS-1 router:
hfr-mini-p.pie-x.y.z
hfr-mpls-p.pie-x.y.z
hfr-k9sec-p.pie-x.y.z
hfr-mcast-p.pie-x.y.z
hfrk-mgbl-p.pie-x.y.z
hfr-doc-p.pie-x.y.z
Cisco XR12000 Series Routers
Following are some examples of the PIE files you might use for the
operation of a Cisco XR 12000 Series router:
c12k-mini.pie-x.y.z
c12k-mpls.pie-x.y.z
c12k-k9sec.pie-x.y.z
c12k-mcast.pie-x.y.z
c12k-mgbl.pie-x.y.z
c12k-doc.pie-x.y.z
Cisco ASR 9000 Series Routers
Following are some examples of the PIE files you might use for the
operation of a Cisco ASR 9000 Series router:
asr9k-mini-p,pie-x.y.z
asr9k-mpls.pie-x.y.z
asr9k-k9sec.pie-x.y.z
asr9k-mcast.pie-x.y.z
asr9k-mgbl.pie-x.y.z
asr9k-doc.pie-x.y.z
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/8
ISIS ISIS
SMU updated
BGP OSPF
BGP
OSPF OSPF
Mcast Mcast
RIP All other packages RIP
remain the same
EIGRP EIGRP
Routing Routing
Forwarding Forwarding
Admin Admin
Base Base
OS-MBI OS-MBI
Example: comp-hfr-mini.pie-x.y.z
Example: c12k-mini.pie-x.y.z
Bootable Code
Core bundle packages are delivered to you in two compressed forms ! .vm
and .pie files.
Files with the .vm extension are bootable files that contain bootup code and
mandatory package software, such as the Unicast Core Bundle. Using the
TURBOBOOT procedure, these files may be used to boot the router for the
first time or for emergency recoveries from a corrupt boot disk. This
process also installs a mandatory set of feature packages.
Bootable Code
Bootable entities
!.vm files are bootable core OS
!Shipped with new routers
!Examples:
" hfr-mini-p.vm-x.y.z
Routing " c12k-mini.vm-x.y.z
" asr9k-mini.vm-x.y.z
Line card
Base
OS-MBI
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/12
Software Versioning
Base Package Versions
SMU versions are based on the software package associated with the SMU
and the Distributed Defect Tracking System (DDTS) number addressed by
the SMU. The version scheme is:
<package name>-<package version>.<primary DDTS>-<SMU version
number>
Composite SMU Versions
Composite SMUs are SMUs that apply to more than one software package.
These files have an additional prefix comp- that identifies them as
composite SMUs. The version scheme is:
comp- <composite number>.<primary DDTS>
Software Versioning
Release ! major.minor.maintenance
Software Storage
Cisco IOS XR software is installed on the RPs boot device, which is
typically flash disk0: in the router. You can download software prior to its
actual installation. The downloaded software may be stored on a different
media device, such as the optional flash disk1: or harddisk:, until it is
ready to be installed.
Software Storage
ASR9KE - Software Storage
MGMT
ETH 1
Con
AUX
BITS 0
BITS 1
ALARM
PID/VID
disk0:
ACO
Lamp
Reset
Fail Sync
HDD
Major CF
Minor ACO
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 05/18
1
2
Installdb
Server
disk0:
3
Use the clock update-calendar command to set the hardware clock from
the system clock.
The clock read-calendar copies the hardware clock settings into the
system clock. Use the show calendar command to verify the calendar
settings.
or
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/26
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 05/18
- Verifying LC Status
- Verified LC Status : [OK] : [OK]
[... output omitted]
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/30
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 05/18
asr9k-mpls-p-4.0.1
asr9k-mpls-p V4.0.1[Default] Asr9k MPLS Pie bundle
[composite package]
[root package, grouped contents]
Vendor : Cisco Systems
Desc : Asr9k MPLS Pie bundle
Build : Built on Wed Dec 15 09:18:20 UTC 2010
Source : By sjc-lds-524 in /auto/srcarchive4/production/4.0.1/asr9k/workspace for
pie
Card(s): RP, NP24-4x10GE, NP24-40x1GE, NP40-40x1GE, NP40-4x10GE, NP40-8x10GE,
NP40-2_20_COMBO, NP80-8x10GE, NP80-16x10GE, A9K-SIP-700, A9K-SIP-500
Restart information:
Default: Supported
parallel impacted processes restart cards
Size Compressed/Uncompressed: 4921KB/12MB (38%)
Components in package asr9k-mpls-p-4.0.1, package asr9k-mpls-p:
iosxr-mpls-4.0.1
Software Installation
The installation of Cisco IOS XR software has several steps. Some of these
steps can be combined. The installation process is discussed on the next
several pages.
Activating Packages
The add function previously discussed makes the software package
available to be activated on the router.
install activate Command
The install activate command activates the new software features in the
package that was unpacked with the install add command. Activating a
package adds it to the software configuration for a card type. By default,
packages are activated for all compatible card types. You can activate or
deactivate a package for all compatible card types, or for a specific location.
install activate test Option
Activating Packages
ASR9KE - Activating Packages
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 05/18
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 05/18
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 05/18
Deactivating Packages
It may be desirable for you to take a package out of the activated software
configuration.
install deactivate Command
The install deactivate command turns off the package features for a card
or card type. If an earlier version of the package exists, you can downgrade
the package by activating the earlier package version. The older version of
the package then becomes the active package.
__________________________ CAUTION _______________________
A feature package cannot be deactivated if other active
packages need it to operate.
__________________________________________________________________
SMUs can be deactivated to remove the updates from the software
configuration. Packages and SMUs can be deactivated based on card
location or by SDR.
____________________________ Note _________________________
When executed from the Admin EXEC mode, packages are deactivated
router-wide.
__________________________________________________________________
install deactivate test Option
Deactivating Packages
ASR9KE - For Print!!
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/75
Removing Packages
When a new release has been installed, the old release can be removed. So
that the installation database integrity is maintained, deleting the
directories from the boot disk must only be done using the install
commands.
install remove Command
The install remove name command must be executed from the same
mode or location from which the package was added. This command
removes an inactive package from the location in which it was previously
installed. If a package name is not specified, this command removes all
inactive packages. The command completely removes the packages and all
associated configurations from an SDR.
____________________________ Note _________________________
This command must be preceded by the install deactivate and install
commit commands and executed from the same mode or location from
which it was originally installed.
__________________________________________________________________
install remove test Option
Use the test keyword to verify the effects of the package removal operation
and determine whether the operation can be completed.
Removing Packages
ASR9KE - Removing Packages
Remove any inactive packages
:router(admin)# install remove inactive
Install operation 541 '(admin) install remove inactive' started by user
'cisco' via CLI at 16:02:23 UTC Tue
Jul 05 2011.
Info: This operation will remove the following packages:
Info: disk0:iosxr-mpls-4.0.1 One package with two directory
Info: disk0:asr9k-mpls-p-4.0.1 structures being removed
Info: After this install remove the following install rollback points
will no longer be reachable, as the required
Info: packages will not be present:
Info: 534, 535
Proceed with removing these packages? [confirm]
The install operation will continue asynchronously.
RP/0/RSP0/CPU0:PE2(admin)#Install operation 541 completed successfully at
16:02:30 UTC Tue Jul 05 2011.
Directory of disk0:
Directory of disk0:
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 05/18
ASR9KE
Displaying - Displaying
Installation Log Entries Installation Log Entries
(Cont.)
:router(admin)# show install log 450 verbose
Tue Jul 5 16:08:44.716 UTC
Install operation 450 started by user 'cisco' via CLI at 18:36:20 UTC Tue Mar 15
2011.
(admin) install remove inactive
Install operation 450 completed successfully at 18:36:40 UTC Tue Mar 15 2011.
Install logs:
Install operation 450 '(admin) install remove inactive' started by user
'cisco' via CLI at 18:36:20 UTC Tue Mar 15 2011.
Info: This operation will remove the following packages:
Info: disk0:asr9k-mcast-3.9.1
Info: disk0:asr9k-mpls-3.9.1
Info: After this install remove the following install rollback points
will no longer be reachable, as the required
Info: packages will not be present:
Info: 416, 422, 427, 429, 441, 444
Proceed with removing these packages? [confirm]
User Response: 'y'
Install operation 450 completed successfully at 18:36:40 UTC Tue Mar 15
2011.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 05/18
Installation Recovery
You can recover from a software installation by using a rollback process
that returns the active software to a previous version.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/119
Installation Rollback
You can easily roll back software changes with Cisco IOS XR software.
install rollback Command
Installation Rollback
Info: SDR SDR1: Removing the incompatible configuration from the running configuration
Info: SDR SDR1: Use the "show configuration removed 20110415125159.cfg"
Info: command to view the removed config.
:router(admin)# exit
:router# show config removed 20110415125159.cfg
!! IOS XR Configuration 4.0.1
mpls ldp
router-id 10.3.3.3
nsr
graceful-restart
log
graceful-restart
session-protection
nsr
!
!
end
The slide provides a summary of the install commands that are available,
where they can be executed, and what they do.
Command Summary
install add Adds package to disk0: of all SDRs
install activate Activates packages on selected SDRs, selected locations, or all locations
show install act, inact, Executed in Admin EXEC and any SDR; in Admin EXEC shows all SDRs;
commit in specific SDR shows only packages in that SDR
show install pie-info Shows package information from the source location of the package to be
installed
show install log Shows installation log entries; keywords provide detail, if necessary
show install rollback Shows rollback points and specific information about rollback
Summary
Cisco IOS XR Installation
In this module, you learned to:
Overview
Description
This module introduces you to other operational Cisco IOS XR features,
including making, checking, and verifying changes; rolling back
configurations; and troubleshooting configurations.
Objectives
After completing this module, you will be able to:
Explain configuration processes
Operations
Router operations encompass a variety of configurations and best practices
that are locally defined by the customer.
Configure a domain name and domain name server (DNS) for your router
to make contacting other devices on your network more convenient.
Telnet, HTTP, and XML Services
For security, all host services are disabled by default, but can be optionally
enabled. You can:
Enable the XML agent, which in turn enables XML Common Object
Request Broker Architecture (CORBA) agent services so that you can
manage and configure the router using an XML interface
Preconfiguration
Preconfiguration lets you configure certain interface types before they are
inserted into the router. Preconfigured interfaces are not verified or
applied until the actual interface with the matching location
(rack/slot/module) is inserted into the router. When the anticipated line
card (LC), is inserted and the interfaces are created, the precreated
configuration information is verified and, if successful, immediately is
applied to the routers running configuration.
____________________________ Note _________________________
Only physical interfaces can be preconfigured.
Specifying an interface name that already exists and is configured (or
an abbreviated name like e0/3/0/0) is not permitted.
__________________________________________________________________
You are expected to provide names during preconfiguration that match the
name of the interface that will be created. If the interface names do not
match, the preconfiguration cannot be applied when the interface is
created. The interface names must begin with the interface type that is
supported by the router and for which the drivers have been installed, such
as Ethernet or Packet over SONET/SDH (POS).
Online Insertion and Removal
Preconfiguration
Prior to
installing line
card, its
configuration
can be entered
Configure resources not yet
present
Reduce down time
Improve operational tasks such
as OIR
CLI
:router# config
:router(config)# controller preconfigure sonet 0/4/0/0 clock source line
:router(config)# interface preconfigure POS 0/4/1/0
:router(config-if-pre)# ipv4 address 1.1.1.1 255.255.255.0
:router(config-if-pre)# encapsulation ppp
Logging
Cisco IOS XR software provides logging services for monitoring and
troubleshooting the router. The type of logging information and the
destination of the log messages can be configured. For example, you can
direct information messages to the system console and log debugging
messages in a network server. In addition, you can define correlation rules
that group and summarize related events, generate complex queries for the
list of logged events, and retrieve logging events through an XML
interface.
The slide shows the currently available logging possibilities.
The sample messages show the information that can be used to determine
what action, if necessary, to take; how to correlate message types; and
which messages to send to which collector.
The message breakdown is:
CategoryMessage category code (see Cisco IOS XR System Error
Messages documentation for further information)
GroupMessage group code; hardware device, protocol, or software
module
Logging
Logging (for Print)
:router(config)# logging ?
A.B.C.D or X:X::X IP v4/v6 address of the logging host
WORD Name of the logging host
archive logging to a persistent device(disk/harddisk)
buffered Set buffered logging parameters
console Set console logging
correlator Configure properties of the event correlator
disable Disable console logging
events Configure event monitoring parameters
facility Modify message logging facilities
history Set history logging
hostnameprefix Hostname prefix to add on msgs to servers
localfilesize Set size of the local log file
monitor Set monitor logging
source-interface Specify interface for source address in logging transactions
suppress Configure properties for the event supression
suppress Suppress logging behaviour
trap Set trap logging
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/8
Sample of messages
%Category-Group-Severity-Mnemonic: Message
text
Severity categories
Configuration Operations
There are commands you can use to manage your configuration sessions.
After the configuration session is over, you exit the session. This exit
causes the session to become unlocked. At this point, the router can be
configured by other users.
CLI
Config
database
Running
config
:router# configure
:router(config)# interface pos 0/5/0/1
:router(config-if)# pos crc 32
:router(config-if)# ipv4 address 192.168.101.1/24
:router(config)# clear
:router(config)# show config
Building configuration...
end
[OK]
:router(config-un)#
:router# configure
:router(config)# interface pos 0/5/0/1
:router(config-if)# pos crc 32
:router(config-if)# abort
:router#
:router# config
:router(config)# taskgroup bgp
:router(config-tg)# hostname routerxyz
:router(config)# commit
% Failed to commit one or more configuration items during an
Pseudo-atomic operation. All changes made have been reverted.
Please issue 'show configuration failed' from this session to view
the errors
:router# config
:router(config)# taskgroup bgp
:router(config-tg)# hostname routerxyz
:router(config)# commit best-effort
:routerxyz(config)#
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/19
Commit Keywords
The commit command offers these optional keywords:
replaceLets you replace an entire running configuration with the
target configuration
commentLets you add a comment that is displayed when looking at
committed change information
labelLets you label a change, when committing it; the label is
displayed when viewing committed change information
confirmedLets you back out a configuration automatically if the
change results in instability, or for any other good reason. A value
between 30 and 300 seconds is required, and a second commit must be
entered to make the change persistent
Replace
! Replace entire running configuration with target configuration
commit replace
Comment line
! Add text information to the change
! Shows up when looking at rollback details
commit comment comment
Label line
! Assigns a name to the change
! Shows up when looking at the change
commit label label
Confirmed seconds
! Minimum of 30 seconds and a maximum of 300 seconds
! Requires second commit or change is backed out
commit confirmed 30-300
:P4hjk(config)# hostname P4
:routerhjk(config)# commit label renameP4 comment rename back to P4
:P4# show config commit list 1 detail
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/22
Configuration Sessions
Configuration sessions can be managed, if necessary. This management
can be helpful if an exclusive session is left open and prevents another
operator from making changes.
The show configuration sessions command displays the running
configuration sessions. The offending session can be removed by using the
clear configuration session command.
When a session is cleared the following message appears on that session:
% Failed to commit .. As an error (Unknown) encountered during
commit operation. Changes may not have been committed:
Configuration Sessions
Configuration Sessions (for Print)
Config database
Running config
Config log
Each commit generates record CommitID# 100
CommitID# 099
with CommitID or label CommitID# 098
Each CommitID is a rollback point
Commit database stores up to 100 CommitID# 001
rollback points
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/29
Another way you might use to see the changes made recently would be to
show the changes since a particular change. You would do this by using the
keyword, since Label/ID. This command is inclusive, also. The changes are
not shown in the order of their order of commitment, but are displayed in
the order they would appear in the running configuration.
:router(config)# commit
:router#
:router#
System Backup
The system backup feature is provided as a method of protecting the router
software using a backup disk. This feature is sometimes referred to as
Golden Disk.
Backup Requirements
Prior to performing the backup process, there are several prerequisites
that must be met:
System Backup
ASR9KE - System Backup
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 06/18
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/45
Process Management
Overview
Cisco IOS XR software is a distributed operating system as opposed to a
monolithic type of operating system. As part of the design, many individual
processes are active during router operation. Occasionally processes can
experience problems. You can manage some of the processes; only the
operating system can access others. This is to protect the integrity of
Cisco IOS XR software.
As part of the resiliency of Cisco IOS XR software, processes may stop and
restart themselves. As a default, there is a preprogrammed, pre-set limit of
how many times during a predetermined period of time a process may stop
and restart. You can manage those processes that do not have pre-set
limitations.
You can use show commands and process commands to manage the
processes.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/46
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 06/18
Process Control
You can use several actions to manage processes. Process control is only
available to a user with root-system access and commands are available in
the administration plane.
The use of process commands should be used in consultation with
Cisco Systems, Inc. technical support.
Process Control
:router(admin)# process ?
0-4294967295> job id
WORD Name of the executable
crash crash a process
mandatory set mandatory settings
node set node reboot settings
restart restart a process
shutdown kill/stop a process
start start a process
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/49
Process Restartability
Due to its modular architecture, Cisco IOS XR software processes can be
independently started and shut down for maintenance or upgrade.
Restartability is based on the following features:
Process independence
Process placement
Distributed processes
Process restart is an inherent part of the process separation built into the
software architecture:
No single process failure brings the router down
Card-level redundancy is used when process restart fails
Processes with dynamic state use checkpoint, checkpoint mirroring,
and database mirroring, or obtain their state from neighbors
Restarting processes contact other processes to reconcile external
inconsistencies
Typically, restarting one process does not cause or require other
components to restart (The exception is a new software installation)
Process restart occurs automatically when a switchover occurs between the
active and standby RPs or when particular software packages are being
upgraded. During a system upgrade, a particular package might be
upgraded without stopping router operation. Only the processes that are
part of that package are restarted when activating the newly installed
package.
Non-essential processes can also be restarted manually if a network event
occurs. If troubleshooting indicates that a particular process has stopped,
you can restart that process.
Show process commands display the status of the processes and process
commands control processes.
Process Restartability
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 06/18
Summary
Cisco IOS XR Operations
In this module, you learned to:
Overview
Description
This module teaches you Cisco IOS XR authentication, authorization, and
accounting, along with router security administration and access control
list configuration using the command-line interface (CLI).
Objectives
After completing this module, you will be able to:
List Cisco IOS XR security features
Summarize Cisco IOS XR security package features
Describe security database implementation
Describe task-based authorization
Describe predefined task groups and user groups
Describe usergroup and taskgroup configuration
Explain and implement site-defined group and user configuration
Describe user configuration
Explain control plane and management plane protection
Default Services
Services, such as Telnet and TFTP, must be explicitly configured; they are
not on by default. Rate and session limiting of incoming CLI connections
using Telnet, SSH, HTTP, and so on, is available.
Layered Defense
! ASICs
! OS and infrastructure
" Kernel
" Memory protection
" Restartable processes
! Division of planes
" Control plane security
" Management plane security
" Data plane security
Key chains
! Software that contains cryptographic keys
Key chain management
! Creates and maintains shared secret keys
" Keys used by applications
Certificate Authority
Certificate authority (CA) interoperability supports the IP Security
(IPSec), Secure Socket Layer (SSL), and Secure Shell (SSH) protocols. CA
interoperability permits Cisco IOS XR devices and CAs to communicate so
that your Cisco IOS XR device can obtain and use digital certificates from
the CA. Although IPSec can be implemented in your network without the
use of a CA, using a CA provides manageability and scalability for IPSec.
IP Security (IPSec)
IP Security (IPSec) provides security for the transmission of sensitive
information over unprotected networks, such as the Internet. IPSec acts at
the network layer, protecting and authenticating IP packets between
participating IPSec devices (peers), such as Cisco routers.
Secure Shell
Secure Shell (SSH) is a protocol and an application that provides a secure
replacement to the Berkeley r-tools. The protocol secures sessions using
standard cryptographic mechanisms, and the application can be used
similarly to the Berkeley rexec and rsh tools.
Two versions of SSH are available: SSH Version 1 (SSHv1) and
SSH Version 2 (SSHv2). SSHv1 uses Rivest, Shamir, and Adelman (RSA)
keys, and SSHv2 uses Digital Signature Algorithm (DSA) keys.
Cisco IOS XR software supports both SSHv1 and SSHv2.
Software Authentication
Ensures that software being installed on router is safe
Requires that installed software be in PIE format
! Verifies that software on flash cards is not compromised
Image Validation
Each Cisco CRS-1 is shipped with embedded Cisco CA-root
public certificate
Additional software installed on the Cisco CRS-1 contains:
! Cisco root certificate
! Digital signature signed by authorized Cisco Release Engineering
with Cisco CA-root certificate
Each PIE is validated against the embedded root certificate
SAM blocks unauthorized executables from running on router
Install 205: [ 0%] Idle timeout on this line will now be resumed for synchronous
install operations
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 07/18
Control Planes
The admin plane has complete responsibility (administrative and non-
administrative) for the physical and owner secure domain router, and
certain other administrative responsibility for all other non-owner secure
domain routers.
The admin plane is accessible to only the root-system user. A non-owner
SDR is accessible to the root-system user, root-lr user of a non-owner SDR ,
and individual users for that specific non-owner SDR. Individual users
should not be given access to any SDR that is not directly associated with
them.
Authentication
Authentication is the process of identifying a user or an application
requesting access to the router and ensuring the identity through the use
of passwords. Cisco IOS XR does authentication by comparing the
incoming user ID and password with what is stored in a security database.
Authorization
Authorization is the process of granting a user access to router resources.
Cisco IOS XR uses tasks, task groups, and associated user groups to
determine the accessibility of resources for a user.
Accounting
Accounting is the process of tracking user activity and the amount of
resources being consumed. Cisco IOS XR provides a method of collecting
and sending security server information used for billing, auditing, and
reporting, such as user identities, start and stop times, executed
commands (such as PPP), number of packets, and number of bytes.
Cisco IOS XR software supports both the TACACS+ and RADIUS methods
of accounting.
Method Lists
Because AAA data may be stored in variety of places, configuration of
method lists may be used to define the order of preference for the source of
the AAA data. More than one method list may be defined and applications
may use different ones. For example, console and auxiliary ports may use
one method list, while another method list may be assigned to vty access. If
no method list is defined, the application uses a default method list. If
there is no default, the local database is always used.
Accounting
database
SysDB
Authentication
Authorization
Accounting
SysDB
The security server should be configured with the secret key shared with
the router and IP addresses of the clients.
User Group Management
User groups created in an external server are not the same as the AAA
user group concept. External TACACS+ or RADIUS group structures are
not recognized by the router. The management of the external server user
groups is independent from the router. Configuration of user groups is
defined by the design of the external server product.
The remote user or group profiles may contain attributes that indicate
router groups to which a user or users may belong. The remote groups may
also define individual tasks.
Task Group Management
Task groups are defined by lists of permitted task IDs for each type of
action (read, write, execute, debug). The task IDs are defined in the router.
AAA subsystem IP
CLI network
ADMIN
Task IDs define permission to perform tasks. Task IDs are added to the
task groups to define a security policy. Tasks IDs (rights) are pooled into a
task group that is then assigned to users.
Task Groups
A task group is defined by a collection of task IDs for each class of action.
Task groups are defined so that multiple rights can be pooled together into
a rights policy.
Security policy
Task IDs
Task
Groups
User
Groups
Users
Task-Based Authorization
Task-based authorization employs the concept of a task ID as its basic
element.
Every router control, configuration, and monitoring operation is defined by
a particular set of task IDs. Task IDs are common to both the command-
line interface (CLI) and the application program interface (API). A given
CLI command or API invocation is associated with at least one or more
task IDs. These associations are hard-coded within the router and may not
be modified. Task IDs grant permission to perform certain tasks; task IDs
do not deny permission to perform tasks.
Users are associated with sets of task IDs that define the breadth of their
authorized access to the router.
The system verifies that each CLI command and API invocation conforms
to the task ID permission list for the user. It compares the associated task
IDs for a user with the task IDs associated with the CLI or API invocation;
if the compared task ID sets conform, the user is allowed to run the
operation.
Task ID Samples
Task IDs grant permission to perform tasks and are one, all, or some
combination of the following:
RPermits only a read operation
WPermits a change (or write) operation and allows an implicit read
EPermits an access operation, such as ping or Telnet
DPermits a debug operation
Task ID operations with R/W mean that both operations must be applied.
Multiple task ID operations are separated by commas and mean that the
operations should be applied to the respective task. An example is the
copy access-list ipv4 command, which requires read and write for the acl
task, and execute for the filesystem task.
If no operation is specified for a task, then no specific user association to
the task is required.
Task-Based Authorization
Task IDs
Represent router control, configuration, and monitoring
operations
Define permissions
Each operation on router is a task with a unique task ID
! Config is a task
! Reload is a task
! CLI commands and API invocations
Task group contains a list of task IDs
User group associated with task groups
Users are associated with user groups
Only users assigned with the right task IDs can execute those
tasks
Security Configuration
Cisco IOS XR software provides operational tasks to implement security
policy and grant access based on local requirements. Cisco Systems, Inc.
has also created task groups and user groups with permissions and access
that may suit your particular situation.
taskgroup ospf-admin
task read ospf
task write ospf
usergroup ospf-users
taskgroup ospf-admin
username joesmith
password <password>
group ospf-users
Task Groups
A task group is defined by a collection of task IDs. Task groups contain
task ID lists for each class of action.
Each user group is associated with a set of task groups applicable to the
users in that group. A users task permissions are derived from the task
groups associated with the user groups to which that user belongs.
Task Groups are either:
Task Groups
:router(config)#taskgroup isis-admin
:router(config-tg)#task read isis
:router(config-tg)#task write isis
:router(config-tg)#task read rib
:router(config-tg)#task write rib
:router(config)#taskgroup igpadmin
:router(config-tg)#inherit taskgroup ospf-admin
:router(config-tg)#inherit taskgroup isis-admin
Inherit other task group rights (bgpadmin can do IGP configs, too)
User Groups
A user group defines a collection of users that share a set of attributes,
such as access privileges. Each user may be associated with one or more
user groups. User groups have a list of task groups that define the
authorization for the members of the group. All tasks are permitted by
default for root-system users.
Authentication
Authentication is accomplished by comparing the user ID and the user-
provided password with the information stored in a security database for
the user.
Authentication of Root-System Users
The root-system user is configured in the admin plane and has visibility
into any secure domain routers. To support this feature, the default SDR
AAA database is defined for the admin plane.
Authentication of SDR Owner
An SDR owner can log in to only those nodes belonging to the specific
secure domain router associated with that SDR owner. If the user is a
member of the SDR owner group, then the user is authenticated as an SDR
owner. All secure domain routers have their own SDR owner groups.
Authentication of SDR User
User Groups
sysadminSystem administrators
! For control and monitoring all system parameters
" Write AAA, manageability, logging, and others
" Cannot configure network protocols
Users
User attributes form the basis of router user access. Each router user is
associated with the following:!
User ID (ASCII string) that identifies the user uniquely across an
administrative domain
Password of an arbitrary length, stored encrypted; the maximum
length of a password is 253 characters
List of user groups (at least one) of which the user is a member (thereby
enabling attributes such as task IDs)
Users
Configuring Users
Each user is identified by a username that is unique across the
administrative domain. Each user should be made a member of at least one
user group. Deleting a user group may orphan the users associated with
that group.
The username command provides username and password authentication
for login purposes only. It provides the method of assigning a user to a user
group.
To create users with passwords, follow these steps:
1. Configure a username to add users who can access the system
2. Configure the password for the user defined with the username
command. Passwords have two levels: password and secret
! PasswordLower security
! Unencrypted uses a parameter value of 0; means enter the
password in clear text and is the default
! Encrypted uses a parameter value of 7; means enter the
password in encrypted format
! SecretHigher security
! Unencrypted uses a parameter value of 0; means enter the
password in clear text and is the default
! Encrypted uses a parameter value of 5; means enter the
password in encrypted format
Secret overrides and ignores password, even if password has been
set.
3. Associate the user with one or more groups that will give them the
privileges they need
When a sign-on process is started on an inbound access line that has
password protection, the process prompts for the password. If the user
enters the correct password, the process presents the normal privileged
prompt. The user can try three times to enter a password before the
process exits and returns the terminal to the idle state.
Configuring Users
Configure a user
:router(config)#username adam
Assign a password
0 means enter unencrypted (default)
7 means enter encrypted
:router(config-un)#password [0 | 7] <password>
:router(config-un)#
:router(config-un)#group routeadmin
What is MPP?
With MPP, interfaces can be designated as management interfaces.
Restricting the management interfaces has some benefits:
Improved performance for data packets on nonmanagement interfaces
Network scalability
Fewer ACLs to restrict traffic are needed
SSh, v1 and v2
SNMP, all versions
Telnet
TFTP
HTTP and HTTPS
A single, control-plane management-plane command, as illustrated on
the following page, is used to invoke the management protocol on the
inband interfaces in the router.
____________________________ Note _________________________
By configuring only SSH on the POS interface, all other management
protocols are denied on that interface.
__________________________________________________________________
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/61
Summary
Cisco IOS XR Security
In this module, you learned to:
List Cisco IOS XR security features
Summarize Cisco IOS XR security package features
Describe security database implementation
Describe task-based authorization
Describe predefined task and user groups
Describe user and task group configuration
Explain and implement site-defined group and user configuration
Describe user configuration
Explain control plane and management plane protection
Overview
Description
This module covers the Cisco IOS XR software implementation of the Open
Shortest Path First (OSPF) protocol, the Intermediate System-to-
Intermediate System (IS-IS) protocol, and the Border Gateway Protocol
(BGP). Only configuration of the IPv4 address family is discussed.
Objectives
After completing this module, you will be able to:
Describe IS-IS, OSPF, and BGP features in Cisco IOS XR software
Feature Support
Hierarchical configuration
show running-config router isis
Multiple IS-IS instances
Each instance ! Level 1 area, Level 1 and Level 2 area, or Level 2
area only
MPLS-TE configured for one instance only
Multitopology is the default behavior
Separate IPv4 and IPv6 topologies
Single (combined IPv4 and IPv6) topology can be configured
IS-IS supports only IP routing
No CLNS routing
router isis
(config-isis)
address-family interface
(config-isis-af) (config-isis-if)
address-family
(config-isis-if-af)
Configuring IS-IS
An IS-IS instance is enabled from global configuration mode (prompt:
config). You can specify multiple IS-IS routing instances in each router.
All IS-IS configuration commands are configured under an IS-IS routing
instance.
Step 2Configure the IS-IS network entity title and optionally other
parameters in router submode
(config-isis)#
net nsap
The metric-style command causes IS-IS to generate and accept either old-
style 6-bit metrics (narrow keyword) or new-style 24-bit metrics (wide
keyword). MPLS-TE use of IS-IS requires the new-style wide metrics.
Repeat steps 5 through 8 as necessary for each interface in this IS-IS instance
Configuration Example
The topology and configuration on the opposite page are part of the
courses lab environment. In subsequent pages of this module, the PE3
router is used as the target for examining basic IS-IS operation using
various CLI commands.
Configuration Example
Configuration Example
PE3 P1
.3 192.168.113 .11
10.3.3.3 10.11.11.11
GigE 0/2/0/1
GigE 0/2/0/2
.3
Level 1
Area 49.0001
192.168.123
P2
.12
10.12.12.12
IS-IS Status
2011, Cisco Systems, Inc. All rights reserved. Version 3.9.1 Cisco ASR 9000 Series EssentialsModule 08/16
Interface Operation
The show isis interface command displays the operational status of
interfaces configured with IS-IS. If not qualified with either the instance
name or interface, it shows interfaces for all IS-IS instances.
For each interface, the first line of output indicates the status of the
interface (enabled or disabled), followed by the status of adjacency
formation (enabled or disabled), the status of prefix advertisement
(enabled or disabled), and whether Bidirectional Forwarding Detection
(BFD) is enabled or disabled, along with the minimum generation interval
in milliseconds and the number (multiplier) of times a BFD packet can be
missed before the interface is declared down.
The circuit section starts with the operational IS-IS circuit type (level-1,
level-2, or level-1-2) and the configured circuit type. They are followed by
the media type (LAN or point-to-point) and an internal 8-bit circuit
number. Then, if the circuit type is point-to-point (P2P), there is an
internal 32-bit extended circuit number and how much time remains before
the next point-to-point hello (IIH) will be transmitted out this interface.
The next sections summarize Level 1 or Level 2 operation, or both. First
there is a count of adjacencies. Then, if the circuit type is LAN, there is a
LAN ID, the local and DIS router priorities, and the time (in seconds) in
which the next LAN hello message is sent. Finally, in all cases, there is the
interval at which the link-state packet (LSP) transmission rate (and by
implication the reception rate of other systems) is to be reduced.
The CLNS I/O section starts with the operational protocol state (up or
down) and the maximum transmission unit (MTU) size. Then if the media
type is LAN, there is the subnetwork point of attachment (SNPA) or MAC
address of the neighbor and the status of Level 1 and Level 2 membership
in Layer 2 multicast groups.
The IPv4 topology section starts with the state (enabled or disabled)
followed by the status of adjacency formation (enabled or disabled), the
status of prefix advertisement (enabled or disabled), the Level 1 and Level
2 metrics, and, the state of MPLS LDP (enabled or disabled)
synchronization follows.
The IPv4 address family section starts with the state (enabled or disabled)
followed by the protocol state (up or down), addresses on this interface
used by the neighbor for next-hop forwarding, and prefixes associated with
this interface included in advertised LSPs.
The final information for each interface is the time remaining before the
next LSP is transmitted, the state of LSP transmissions (idle or active),
and the current limit of back-to-back LSPs that can be transmitted in the
stated time interval.
Interface Operation
Interface Operation (For Print)
Display IS-IS interfaces
#
show isis interface [type instance]
--More--
Level-1
Adjacency Count: 1
LAN ID: PE3.01
Priority (Local/DIS): 64/64
Next LAN IIH in: 302 ms
LSP Pacing Interval: 33 ms
PSNP Entry Queue Size: 0
(entries omitted)
2011, Cisco Systems, Inc. All rights reserved. Version 3.9.1 Cisco ASR 9000 Series EssentialsModule 08/19
Neighbor Adjacencies
The show isis neighbor command displays the current status of neighbor
adjacencies. If not qualified with the instance instance-id keyword and
argument, the command shows all neighbors on all IS-IS interfaces for all
IS-IS instances.
Each neighbor is listed by its system ID, followed by the local interface
name, subnetwork point of attachment (MAC address if LAN or *PtoP* if
point-to-point), adjacency state, time remaining (hold time) before
declaring adjacency down, adjacency type (L1, L2, or L12), and whether the
neighbor supports the IETF-style nonstop forwarding.
Adding the detail keyword to the command provides additional
information about each neighbor adjacency, including area addresses, IPv4
or IPv6 addresses of the network connecting the neighbor, whether IPv4 or
IPv6 (or both) topologies are supported to the neighbor, and the length of
time the adjacency has been up.
Neighbor Adjacencies
Neighbor Adjacencies
Display IS-IS neighbors
#
show isis neighbors [detail]
2011, Cisco Systems, Inc. All rights reserved. Version 3.9.1 Cisco ASR 9000 Series EssentialsModule 08/20
Feature Support
BGP
Area 2 EIGRP Area 3
IS-IS
RIP NSSA
Static ASBR
Internal
Internal
Virtual ABR
ABR Link
Area 0 Area 4
Backbone Stub
ABR ABR
Internal
Internal
BBone
Passive
Area 1
Standard OSPFv2 (IPv4) and OSPFv3 (IPv6)
Hierarchical CLI
Hierarchical CLI is the grouping of related network component
information at defined hierarchical levels - OSPF router, area, and
interface:
router ospf lab
area 0
interface pos0/4/0/1
The router configuration prompt tells you the level you are on in the
configuration hierarchy. The following router prompt indicates that you
are in OSPF router (ospf), area (ar), and interface (if) configuration
submode:
RP/0/0/CPU0:router(config-ospf-ar-if)#
CLI Inheritance
In Cisco IOS XR software, most OSPF interface parameter values can be
inherited from a higher level of the OSPF configuration hierarchy. With
CLI inheritance support, you do not have to explicitly configure a
parameter for an area or interface if it was defined at a higher level, unless
you want to set a different value. For example, some parameters, like the
hello interval of interfaces in the same area, can be inherited from the area
or router configuration level:
If the hello interval command is configured at the interface configuration
level, use the interface-configured value; else
If the hello interval command is configured at the area configuration
level, use the area-configured value; else
If the hello interval command is configured at the router OSPF process
configuration level, use the OSPF process-configured value; else
Use the default value.
router ospf
(config-ospf)
Interface
parameter
inheritance area
(config-ospf-ar)
interface virtual-link
(config-ospf-ar-if) (config-ospf-ar-vl)
Configuring OSPFv2
An OSPF instance is enabled from the global configuration mode (prompt:
config). You can configure multiple OSPF routing instances in each SDR.
All OSPF configuration commands are configured under an OSPF routing
instance.
(config-ospf)#
area area-id
:router(config-ospf)# area 0
:router(config-ospf-ar)#
If ABR, repeat these steps as necessary for each area in the OSPF instance
Area Types
In Cisco IOS XR software, a normal OSPF area is configured if the area ID
is 0 (the backbone area) or, if the area ID is nonzero, neither the stub nor
nssa commands are used in that area configuration. This type of area
allows external routes to be flooded through the area.
The stub command used in the area configuration submode defines stub
area operation. A stub area does not allow the flooding of external routes
within the area.
____________________________ Note _________________________
All routers with interfaces configured in the area must have the area
configured as a stub area or else adjacencies do not form between
routers within the area.
__________________________________________________________________
The stub no-summary command is used in area configuration submode
on an area border router (ABR) of a stub area, creating what is sometimes
referred to as a totally stubby area. A totally stubby area operates as a
stub area, with the addition that summary routes from other areas are
inhibited at the area border router (ABR). Instead, the ABR floods only a
summary default route into the area.
The nssa command used in area configuration submode defines not-so-
stubby area (NSSA) operation. A not-so-stubby area does not allow the
flooding of external routes originating from other areas, but does allow
external routes to be flooded within the NSSA if they originate from an
autonomous system boundary router (ASBR) within the NSSA.
____________________________ Note _________________________
Similar to stub areas, all routers with interfaces configured in the area
must have the area configured as NSSA.
__________________________________________________________________
Area Types
Stub area
stub
:router(config-ospf-ar)# stub
dead-interval seconds
:router(config-ospf-ar-if)# dead-interval 40
Repeat these steps as necessary for each interface in this OSPF area
Network Types
In Cisco IOS XR software, an interface configured for OSPF defaults to a
specific OSPF network type defining adjacency operation with neighbors
on that network. The network command allows you to override the default
OSPF network type.
The broadcast keyword indicates that the attached network supports
data-link broadcast (or multicast) that allows OSPF neighbors to discover
one another without prior knowledge of each others IP addresses. All
Ethernet interfaces (MgmtEth, GigabitEthernet, and TenGigE) default to
OSPF broadcast type.
The non-broadcast keyword indicates that the attached network is full-
mesh, but does not support broadcast [also known as nonbroadcast, multi-
access (NBMA)] such that neighbor addresses must be configured using the
neighbor command. No interfaces default to this network type.
The point-to-point keyword indicates that there are only two routers on
the attached network such that any OSPF packet transmitted out the
interface is sent to the other router. POS interfaces default to OSPF point-
to-point type.
The passive command disables OSPF protocol operation on the interface.
The interface does not send OSPF packets nor does it process any that are
received; no neighbor adjacencies are formed. The attached network is
considered part of the area topology and is identified as a stub network in
the router LSA.
Network Types
(config-ospf-ar-if)#
network {broadcast | non-broadcast | point-to-point}
Nonbroadcast network
:router(config-ospf-if)# network non-broadcast
Passive network
passive [enable | disable]
:router(config-ospf-if)# passive enable
Authentication Types
No authentication of OSPF neighbors is performed unless the
authentication command is used to establish a specific authentication
type. The authentication command can be used in interface configuration
submode for a specific OSPF interface, but could also be used in the area
configuration for all interfaces in that area or in the router configuration to
apply to all interfaces in all areas for that OSPF instance (process).
The authentication null command is normally not necessary (because no
authentication is the default) unless it is being used to override a specific
authentication type established at some higher level of the configuration
hierarchy. For instance, if password authentication was set at the router
level for all interfaces but no authentication was needed on a specific
interface, the authentication null command could be used at the
interface level to override the password authentication setting.
To enable password authentication use the authentication command
with no keyword. The authentication-key command must be used to set
the clear-text password exchanged between neighbors on the interface.
To enable MD5 authentication use the authentication message-digest
command. The message-digest-key command must be used along with
this command to establish keying information for the MD5 operation.
____________________________ Note _________________________
MD5 key-id/key pairs must match between adjacent neighbors for
authentication to succeed. It is not enough for just the keys to match,
because it is the key IDs that are exchanged and not the keys
themselves.
__________________________________________________________________
To more easily manage the rollover of keys and enhance MD5
authentication for OSPF, you can configure a container of keying
information called a keychain. Each keychain entry comprising the
following attributes: generate/accept time, key identification, and key. Use
the keychain keyword and keychain-id to reference the keychain
containing the MD5 keying information. The keychain can be modified at
any time to add or delete keying information without reconfiguring OSPF
usage.
____________________________ Note _________________________
Changes to the system clock can impact the validity of the keys in a
referenced keychain.
__________________________________________________________________
Authentication Types
(config-ospf-ar-if)#
authentication [message-digest [keychain keychain-id] | null]
Password authentication
authentication-key [clear | encrypted] password
:router(config-ospf-ar-if)# authentication
:router(config-ospf-ar-if)# authentication-key ourpwd
Configuration Example
The topology and configuration on the opposite page is part of our lab
environment. In subsequent pages of this OSPF section, the PE3 router is
used as the target for examining basic OSPF operation using various CLI
commands.
Configuration Example
PE3 P11
.3 192.168.113 .11
10.3.3.3 10.11.11.11
GigE 0/2/0/1
GigE 0/2/0/2
.3
Area 0
192.168.123
P12
.12
10.12.12.12
interface Loopback0
ipv4 address 10.3.3.3 255.255.255.255
!
interface GigabitEthernet 0/2/0/1
ipv4 address 192.168.113.3 255.255.255.0
!
interface GigabitEthernet 0/2/0/2
ipv4 address 192.168.123.3 255.255.255.0
!
router ospf lab PE3
nsf ietf Configuration
area 0
authentication message-digest
message-digest-key 1 md5 encrypted 01100F175804
interface Loopback0
passive enable
!
interface GigabitEthernet 0/2/0/1
!
interface GigabitEthernet 0/2/0/2
!
!
!
OSPF Status
--More--
Interface Operation
The show ospf interface command displays the operational status of
interfaces configured with OSPF. If not further qualified, it shows all
OSPF interfaces for all OSPF instances.
For each interface, the first line of output indicates the status of the
physical port (up or down) and the status of the datalink protocol running
on that port (up or down). This output is followed by the configured IPv4
address, area, instance (process ID), router ID, network type, cost, and
transmit delay.
Immediately following (at State) is the adjacency state of the interface,
which depends on the network type, protocol state, and current
adjacencies. Then the configured timer values for hello interval, dead
interval, wait, and retransmit interval are listed, followed by the state
(enabled or not) of NSF and how much time remains before the next hello
will be transmitted out this interface.
The next four lines (starting with Index) deal with the state of flood
queues, which is currently not documented for customer use. Following is a
neighbor count and a list of neighbors by router ID. Finally, a count of
neighbors for whom hellos are being suppressed (due to demand circuit) is
shown.
Interface Operation
Neighbor Adjacencies
The show ospf neighbor command displays the operational status of
neighbor adjacencies. If not further qualified, it shows all neighbors on all
OSPF interfaces for all OSPF instances.
Each neighbor is listed with its router ID and priority, followed by the
adjacency and neighbor states. Then the time remaining before OSPF
declares the neighbor dead (adjacency down), the neighbors address, and
the local interface associated with this adjacency are displayed. The
following line shows how long this neighbors adjacency has been up.
Adding the detail keyword to the command provides additional
information about each neighbor adjacency, such as area, number of
adjacency state changes, designated router (DR) and backup designated
router (BDR) [only valid on broadcast and nonbroadcast networks], hello
packet options, and retransmission status.
Neighbor Adjacencies
Feature Support
router bgp
(config-bgp)
af-group session-group
(config-bgp-afgrp) (config-bgp-sngrp)
address-family address-family
(config-bgp-nbr-af) (config-bgp-nbrgrp-af)
Configuring iBGP
BGP is enabled from global configuration mode (prompt: config).
After BGP has obtained a router ID, it continues to use it even if a better
router ID becomes available. This usage avoids the flapping of BGP
sessions, which occurs when changing a BGP router ID. However, if the
router ID currently in use becomes invalid (because its configuration is
changed), BGP selects a new router ID (using the rules described) and all
established peering sessions are reset.
Other parameters specific to the general operation of BGP are set directly
in router configuration submode. Commands exist to customize the
operation of BGP for optional functions such as route reflection,
confederations, graceful restart, and route dampening. With others you can
originate a default route using redistribution, set the Multi Exit
Discriminator (MED) on routes that do not have one, and adjust the
default keepalive and hold timers for neighbor peer sessions.
(config-bgp)#
address-family ipv4 {unicast | multicast | tunnel | mdt}
address-family ipv6 {unicast | multicast}
address-family {vpnv4 | vpnv6} unicast
Step 6Configure neighbor AS (same as local for iBGP) and optionally other
parameters like description in neighbor submode
(config-bgp-nbr)#
remote-as autonomous-system-number
(config-bgp-nbr-af)#
Repeat Step 5 through Step 8 for all routers in local AS (iBGP neighbors)
Configuration Example
The topology and configuration on the opposite page is part of the courses
lab environment. In subsequent pages of this module, the PE3 router is
used as the target for examining basic BGP operation using various CLI
commands.
Because this is a full-mesh iBGP topology, it would be typical for all the
iBGP neighbors to have the same configuration commands. Notice how use
of the neighbor group internal reduces the configuration of the two BGP
neighbors.
Configuration Example
PE3 P11
.3 192.168.113 .11
10.3.3.3 10.11.11.11
gigE 0/2/0/1
gigE 0/2/0/2
.3
AS 65000
192.168.123
P12
.12
10.12.12.12
interface Loopback0
ipv4 address 10.3.3.3 255.255.255.255
!
interface gigE 0/2/0/1
ipv4 address 192.168.113.3 255.255.255.0
!
interface gigE 0/2/0/2
ipv4 address 192.168.123.3 255.255.255.0
!
router bgp 65000
address-family ipv4 unicast
! PE3
neighbor-group internal
remote-as 65000 Configuration
password encrypted 121A0C041104
update-source Loopback0
address-family ipv4 unicast
!
!
neighbor 10.11.11.11
use neighbor-group internal
description P11 router
!
neighbor 10.12.12.12
use neighbor-group internal
description P12 router
!
!
Effective Configuration
Legend:
[!] inherited from
n:<group> neighbor group
s:<group> session group
a:<group> address family group
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco IOS XR CommonModule 0/64
--More--
Summary
Routing Protocols
In this module, you learned to:
Overview
Description
This module teaches the basics of the Routing Policy Language (RPL). It
describes RPL architecture and defines syntax. A methodology to convert
route maps to RPL policies is also illustrated.
Objectives
After completing this module, you will be able to:
Define RPL sets and policies
RPL Overview
Background
The Routing Policy Language (RPL) has been designed to provide a single,
straightforward language in which all routing policy needs can be
expressed. Classic Cisco IOS route maps have inherent scaling issues
because of their non-modular structure. Reuse of common policy is not
possible, because there is no way to refer from one route map to another. In
a large scale service provider environment the router could possibly need
support for thousands of route maps with their implied redundancy.
RPL was developed to support large-scale routing configurations. It greatly
reduces the redundancy that is inherent in previous Cisco IOS routing
policy configuration methodsroute maps and lists. RPL simplifies large-
scale network configuration by reducing the number of configuration
statements required to maintain routing policies in the network. RPL
configurations are modular, more concise, and more scalable. These
improvements streamline routing policy configuration, reduce system
resources required to store and process these configurations, and simplify
troubleshooting.
Background
Fundamental Capabilities
The RPL has several fundamental capabilities that differ from those
present in traditional Cisco IOS route map and prefix list-oriented
configuration.
The first of these capabilities is the ability to build policies in a modular
form. Common blocks of policy can be defined and maintained
independently. These common blocks of policy can then be applied from
other blocks of policy to build complete (hierarchical) policies. This
capability can reduce the amount of configuration information that needs
to be maintained.
Neither looping nor recursion within a hierarchical policy structure is
allowed. That is, a policy block may not apply itself directly or indirectly
through another policy block that it applies.
Another fundamental capability is that common blocks of policy can be
parameterized. This allows for policies that share the same logical
structure but differ in the specific route attribute values that are set or
matched against to be maintained as independent blocks of policy.
Hierarchical policy structures may have as many layers as desired, with an
arbitrary number of parameters passed block to block. Parameters may
also be passed through a policy block to another block applied from within.
Fundamental Capabilities
Modularization
Common blocks of policy
Defined and maintained independently
Apply from other blocks to build complete policies
Looping/recursion is not allowed
Parameterization
Same logical policy structure but different matched or
set route attribute values
Value passed as parameter by applying block
Parameters can be passed through a policy block
As many layers of hierarchy or parameters as needed
Infrastructure
Supporting RPL are four main components involved in configuring and
running policies:
Configuration front-end (CLI)Is the mechanism to enter and
modify policies. RPL configurations are committed to the router in the
same way that other configurations are committed and may be
displayed using the normal configuration show commands.
Policy RepositoryCompiles created or modified policies into a form
that the execution engine can understand. During this process it
verifies the policies to be sure they can be executed properly. The Policy
Repository also tracks policy use and notifies the appropriate policy
clients when in-use policies are modified.
Policy execution engineIs responsible for running policies as
requested by the policy client. It can be thought of as receiving a route
from a policy client and executing the policy against the specific route
data.
Policy clients (the routing protocols)Call the policy execution
engine at the appropriate times to have a given policy applied to a
specific route and then carry out some number of actions. These
actions may include deleting the route from further consideration,
passing it along as a candidate for the best route, or advertising a
modified route as appropriate.
Infrastructure
CLI
Editor
Syntax check
filter
attach routes
policies
Clients
(protocols)
RPL Description
Basic Building Blocks
The policy language provides two kinds of persistent, namable objects: sets
and policies. Legal names for these objects can be any sequence of the
upper and lowercase alphabetic characters; the numerals 09; and the
punctuation characters period, hyphen, and underbar. A name must begin
with a letter or numeral.
There are five kinds of sets: AS path, community, extended community,
prefix and route distinguisher set.
[ . . . Policy statements . . . ]
end-policy
or:
prefix-set name
end-set
Route Policy
Language
route-policy name
[policy statements] Route Policies Policy Sets
end-policy
Extended Route
Community
AS Path Sets Community Prefix Sets Distinguisher
Sets
Sets Sets
as-path-set name community-set name prefix-set name
[set elements] [set elements] [set elements]
end-set end-set end-set
Hierarchical Policy
Policy statements are processed sequentially in the order in which they
appear in the configuration. Policies that hierarchically reference other
policy blocks are processed as if the referenced policy blocks had been
directly substituted inline. Policies may refer to other policies such that
common blocks of policy may be reused. This is accomplished by using the
apply statement.
In the simple example on the facing page, the apply statement in policy
two causes policy one to be applied, setting the Multi Exit Discriminator
(MED) attribute to 100 in any BGP route processed by policy two.
Continuing execution of policy two sets the community to 10:100. This is an
example of a hierarchical policy.
____________________________ Note _________________________
You may have as many levels of hierarchy as you want; there is no
arbitrary limit. However, many levels of hierarchy may be difficult to
maintain and understand. Because policy application is dynamic, changes
to one policy affect all those policies that reference it directly or indirectly.
__________________________________________________________________
Hierarchical Policy
route-policy one
set med 100
end-policy
route-policy two
apply one
set community (10:100)
end-policy
Parameterized Policy
In addition to supporting reuse of policy blocks using the apply statement,
you can also define policies that allow for parameterization of some of the
attributes. The trivial example on the facing page contains a
parameterized policy one which takes one parameter, $medval.
Parameters always begin with a dollar sign, followed by alphanumeric
characters.
Parameters can be substituted into any attribute that takes a parameter.
In this case, we are passing a 16-bit MED value as a parameter. The
parameterized policy can then be used with different parameterizations as
shown. In this manner, policies that share a common logical structure but
use different values in some of their individual statements can be
implemented as a common module.
Parameterized Policy
route-policy two
apply one (10)
end-policy
route-policy three
apply one (20)
end-policy
Global Parameters
RPL supports the definition of systemwide global parameters that can be
used inside policy definition. Global parameters are configured as follows:
policy-global
glbpathtype `ebgp'
glbtag `100'
end-global
The global parameter values can be used directly inside a policy definition
similar to the local parameters of parameterized policy. In the following,
the global parameters gbpathtype and glbtag are used by the tagpath
policy.
route-policy tagpath
if path-type is $glbpathtype then
set tag $glbtag
endif
end-policy
When the name of a parameter passed into policy conflicts with a global
parameter name, the local parameter takes precedence effectively masking
off the conflicting global parameter. Global parameters are also prevented
from being deleted if the name is referred to in any policy.
Global Parameters
policy-global
glbpathtype ebgp
glbtag 100
end-global
route-policy tagpath
if path-type is $glbpathtype then
set tag $glbtag
end-policy
Sets
In an RPL context, the term set is used in its mathematical sense to mean
an unordered collection of unique elements. The policy language provides
sets as a container for groups of values for matching purposes within
conditional expressions.
Named sets are defined at global configuration level and referenced from
conditionals within policy definitions. The named sets are defined using
as-path-set, community-set, extcommunity-set, prefix-set and rd-set
type statements. The set elements are bracketed between the set type
statement and an end-set statement, with set elements separated by
commas:
prefix-set pfset1
10.1.1.0/24,
10.2.2.0/24
end-set
This inline set above matches exactly the same prefixes as the named set
pfset1, but does not require the extra effort of creating a named set
separate from the policy that uses it. Inline sets are used when the number
of elements is small and the set does not need to be referenced from other
policies.
____________________________ Note _________________________
Null (empty) sets such as:
prefix-set backup
# currently no routes are defined
end-set
Sets
Prefix Set
A prefix-set holds IPv4/IPv6 prefix match specifications, each of which has
four parts: an address, a mask length, a minimum matching length, and a
maximum matching length. The address is required, but the other three
parts are optional.
The address is a standard dotted-decimal IPv4 address or hexadecimal
IPv6 address. The mask length, if present, follows the address and is
separated from it by a slash. It is a positive decimal integer in the range
from 0 to 32 for IPv4 and from 0 to 128 for IPv6. If a prefix match
specification has no mask length, then the default mask length is 32 (IPv4)
or 128 (IPv6).
The optional minimum matching length follows the address and optional
mask length and is expressed as the keyword ge (mnemonic for greater
than or equal to), followed by a positive decimal integer in the range from 0
to 32 (IPv4) or 0 to 128 (IPv6). Finally, the optional maximum matching
length follows the rest and is expressed by the keyword le (mnemonic for
less than or equal to), followed by yet another positive decimal integer in
the range from 0 to 32 (IPv4) or 0 to 128 (IPv6). A syntactic shortcut for
specifying an exact length for prefixes to match is the eq keyword,
mnemonic for equal to.
The default minimum matching length is the mask length. If a minimum
matching length is specified, then the default maximum matching length is
32 (IPv4) or 128 (IPv6). Otherwise, if neither minimum nor maximum is
specified, the default maximum is the mask length.
____________________________ Note _________________________
Prefix sets may contain prefix specifications for both IPv4 and IPv6
using dotted-decimal and colon-separated hexadecimal formats,
respectively. However, IPv6 matching on destination, source, and next
hop and setting of IPv6 next hops is supported only at BGP attach
points.
__________________________________________________________________
Prefix Set
The first element of the prefix-set matches only one possible value,
10.0.1.1/32 or the host address 10.0.1.1. The second element matches only
one possible value, 10.0.2.0/24. The third element matches a range of prefix
values, from 10.0.3.0/28 to 10.0.3.255/32. The fourth element matches a
range of values, from 10.0.4.0/24 to 10.0.4.240/28. The fifth element
matches prefixes in the range from 10.0.5.0/26 to 10.0.5.252/30. The sixth
element matches any prefix of length 28 in the range from 10.0.6.0/28
through 10.0.6.240/28.
The following prefix-set consists entirely of illegal prefix match
specifications:
prefix-set ILLEGAL
10.1.1.1 ge 16,
10.1.2.1 le 16,
10.1.3.0/24 le 23,
10.1.4.0/24 ge 33,
10.1.5.0/25 ge 29 le 28
end-set
AS Path Set
This inline form set matches exactly the same AS paths as the named set
shown on the facing page, but does not require the extra effort of creating a
named set separate from the policy that uses it:
(ios-regex '_42$', ios-regex '_127$')
The two regular expressions in this set match an AS path originating in
either AS 42 or AS 127.
AS Path Set
as-path-set aset1
ios-regex _42$,
ios-regex _127$
end-set
Community Set
A community-set holds community values for matching against the BGP
community attribute. Each 32-bit community value is expressed as two 16-
bit unsigned decimal integers in the range 0 to 65535, separated by a colon.
The inline form of a community-set supports parameterization. Each 16-bit
portion of the community may be parameterized:
$as:34
12:$tag1
$as:$tag1
Community Set
community-set cset1
12:34,
15:*,
internet,
private-as:33,
[200..206]:68,
ios-regex _10:[0-9]0_
end-set
Conditional Statements
The if-then-else statements provide a set of conditions and actions
- conditions come after the if or elseif
- actions come after the then or else
In its simplest form, an if statement uses a conditional expression to
decide which actions or dispositions should be taken for the given route.
For example:
if as-path in as-path-set-1 then
drop
endif
The previous example indicates that any routes whose as-path is in the set
as-path-set-1 shall be dropped. The contents of the then clause may be an
arbitrary sequence of policy statements:
if (origin is igp) then
set med 42
prepend as-path 73 5
endif
elseif
The RPL also provides a conditional syntax using the elseif keyword to
string together a sequence of tests:
if med eq 150 then
set local-preference 10
elseif med eq 200 then
set local-preference 60
else
set local-preference 0
endif
Conditional Statements
Nested Conditionals
The statements within an if statement may themselves be if statements,
as shown in the following example:
if community matches-any (12:34, 56:78) then
if med eq 8 then
drop
endif
set local-preference 100
endif
The previous policy example sets the value of the local-preference attribute
to 100 on any route that has a community value of 12:34 or 56:78
associated with it. However, any of those routes that also have a MED
value of 8 are dropped.
Nested Conditionals
Boolean Conditions
In the previous section, describing conditional if statements, all of the
examples used simple Boolean conditions that evaluated as either true or
false. The RPL also provides means to build compound conditions from
simple conditions by means of three Boolean operators: negation (not),
conjunction (and), and disjunction (or). In RPL, negation has the highest
precedence, followed by conjunction, and then by disjunction. Parentheses
may be used to group compound conditions to override precedence or to
improve readability.
The following simple condition:
med eq 42
is true if and only if the value of the MED in the route is 42; otherwise, it is
false.
A simple condition may also be negated using the NOT operator:
not next-hop in (10.0.2.2)
Boolean Conditions
Compound Conditions
A compound condition is a Boolean condition followed by the AND or OR
operator, itself followed by a Boolean condition:
med eq 42 and next-hop in (10.0.2.2)
Compound Conditions
Drop Condition
All route policies have a default action to drop a route under evaluation
unless it is accepted. In RPL, this is determined when the route is modified
(such as set) or explicitly accepteded (pass or done). If policy execution
reaches a drop or done statement, it is stopped unlike what happens with
the pass command after which execution continues.
Applied (hierarchical) policies implement this drop condition behavior as
though the applied policy were pasted into the point where it is applied. As
an example, consider a policy to allow all routes in the 10 net and set their
local-preference to 200 while dropping all other routes:
route-policy two
if destination in (10.0.0.0/8 ge 8 le 32) then
set local-preference 200
endif
end-policy
route-policy one
apply two
end-policy
At first it may seem that policy one will drop all routes because it neither
contains an explicit pass statement nor modifies a route attribute.
However, because the applied policy two does set an attribute, the net
result is that policy one passes routes with destinations in net 10 and drop
all others. It is the same as if policy one were written:
route-policy one
if destination in (10.0.0.0/8 ge 8 le 32) then
set local-preference 200
endif
end-policy
Drop Condition
This example drops only routes that originally had the MED set to 42; all
other routes will have their MED set to 42. A route that had an initial
MED of 15 will have its MED set to 42 upon exiting evaluation but will not
be dropped, because the conditional compares the MED value of 15 in the
original route, not the modified value.
C Conditional A Action
* This table is not a complete list of available attributes
Attach Point
Policies do not become useful until they are applied to routes. For that to
happen, they need to become known to routing protocols. As an example, in
Border Gateway Protocol (BGP), there are several places in which policies
can be used; the most common of these is in defining neighbor import and
export policy:
neighbor ip-address
address-family ipv4 unicast
route-policy name {in|out}
Attach Point
neighbor 10.3.3.3
address-family ipv4 unicast
route-policy policyA in
route-policy policyB out
ip prefix-list 101
10 permit 10.48.0.0/16 le 32
20 permit 172.48.0.0/19
30 permit 192.168.3.0/24
ip prefix-list 102
10 permit 172.16.10.0/24
20 permit 192.168.8.0/21
30 permit 192.168.32.0/21
ip community-list 1
10 permit 10:11
ip community-list 2
10 permit 10:12
ip community-list 3
10 permit 10:13
ip community-list 4
10 permit 10:14
Direct Translation
First take the ip prefix-list command and translate it into the RPL
prefix-set command. Only the network content of the statements, not the
sequence numbers or permit/deny, is retained with commas separating
each network. RPL uses the end-set command to show where the set ends.
The ip community list command similarly changes to the RPL
community-set command. The communities are entered in a similar
fashion under the community-set command but again without any
sequence number or permit/deny.
Direct Translation
route-map sample1 permit 10 Convert the first route map to a RPL route-
match ip address prefix-list 101
match community 1
policy. Use a simple condition (if and else if
set metric 11 in this example) for every match clause in the
set community 12:34 additive route map and an action statement (in this case
route-map sample1 permit 20 set) for every set command in the route map.
match ip address prefix-list 101
match community 2
set metric 12 route-policy policy1
set community 12:34 additive if destination in ps101 and community matches-any cs1 then
set med 11
route-map sample1 permit 30 set community (12:34) additive
match ip address prefix-list 101 elseif destination in ps101 and community matches-any cs2 then
match community 3 set med 12
set metric 13 set community (12:34) additive
set community 12:34 additive elseif destination in ps101 and community matches-any cs3 then
set med 13
route-map sample1 permit 40 set community (12:34) additive
match ip address prefix-list 101 elseif destination in ps101 and community matches-any cs4 then
match community 4 set med 14
set metric 14 set community (12:34) additive
set community 12:34 additive elseif destination in ps101
set med 100
route-map sample1 permit 50 set community (12:34) additive
match ip address prefix-list 101 endif
set metric 100 end-policy
set community 12:34 additive
Nest Conditionals
Common operations in both the policies can now be coalesced by nesting
the conditionals, testing the destination address only once, and setting the
community only once. The nesting resolves the redundant testing and
setting operations into a single precondition for the rest of the logic.
Nest Conditionals
route-policy policy1
if destination in ps101 then
apply common (34)
pass
endif
end-policy
route-policy policy2
if destination in ps102 then
apply common (35)
pass
endif
end-policy
route-policy policy-name
. . .
end-policy
Thus, instead of each line being an individual command, each policy or set
can be thought of as a configuration object that can be manipulated as a
unit using the edit command.
After entering the edit command, a copy of the set or policy is copied to a
temporary file and the MicroEmacs,Vim, or Nano editor is launched. After
editing the policy object and quitting the editor, the policy object will be
parsed and checked for syntax errors.
If there are errors, an error message is displayed, followed by a disposition
query:
Continue editing? [no]:
If you answer yes, the editor continues on in the text buffer from where
you left off. If you answer no, the running configuration is not changed and
the editing session ends.
If there are no errors, the configuration change is committed and the
editing session ends.
This command lists, by attach point type, all attach points that use the
specified policy.
show rpl route-policy name references [brief]
This command lists all policies that reference (apply) the named policy.
The brief keyword limits the output to just a summary table and not the
detailed information for the named policy.
show rpl route-policy name uses {all | policies | sets} [direct]
This command lists named policies, sets or both used by the specified
policy.
show rpl route-policy states
This command lists all named policies that are in the specified operational
state.
Summary
Routing Policy Language
In this module, you learned to:
Overview
Description
This module covers the Cisco IOS XR software implementation of multicast
routing and associated protocols.
Objectives
After completing this module, you will be able to:
Describe and configure Multicast Routing
Describe Internet Group Management Protocol (IGMP) and examine
basic operation
Describe Protocol Independent Multicast sparse mode (PIM-SM),
source specific mode (PIM-SSM), and bidirectional PIM (Bidir-PIM)
Describe and configure static RP, Boot Strap Router (BSR), and Auto-
RP operation
Configure basic PIM-SM functionality and examine operation
Introduction
Multicast routing is a bandwidth-conserving technology that reduces
traffic by simultaneously delivering a single stream of information to
potentially thousands of recipient hosts. It allows a host to send packets to
a subset of all hosts as a group transmission rather than to a single host,
as in unicast transmission, or to all hosts, as in broadcast transmission.
Packets delivered to group members are identified by a single multicast
group address. Multicast packets are delivered with the same reliability
(best-effort) as unicast packets.
The multicast environment consists of senders and receivers. Any host,
regardless of whether or not it is a member of a group, can send to a group.
However, only the members of a group receive the message. A multicast
address is chosen for the receivers in a multicast group. Senders use that
group address as the destination address of a datagram to reach all
members of the group. Membership in a multicast group is dynamic; hosts
can join and leave at any time. A host can be a member of more than one
multicast group at a time. Membership in a group can change constantly. A
group that has members may have no activity.
Routers use Internet Group Management Protocol (IGMP) (IPv4) and
Multicast Listener Discovery (MLD) (IPv6) to learn whether members of a
group are present on their directly attached subnets. Hosts join multicast
groups by sending IGMP or MLD report messages.
Introduction
Implementation
The Cisco IOS XR hierarchically structured CLI groups each multicast
protocol configuration. Basic multicast operation is configured under the
multicast routing configuration submode and interfaces must be explicitly
enabled.
IGMP operation is enabled automatically when an interface is configured
for multicast routing. Cisco IOS XR defaults IGMP to version 3 operation.
Versions 1 and 2 can be configured per interface.
Protocol Independent Multicast (PIM) operation is enabled automatically
when an interface is configured for multicast routing. Cisco IOS XR
software supports PIM sparse mode (SM), source specific multicast (SSM),
and bidirectional (bidir) PIM operation. Dense mode (DM) operation is
supported only for auto-RP behavior that is specific to Cisco.
Multicast Source Discovery Protocol (MSDP) is used to connect multiple
PIM-SM domains, allowing multiple sources for a group to be known to all
rendezvous points.
____________________________ Note _________________________
IPv6 multicast configuration and operation is not covered in this
course.
__________________________________________________________________
Implementation
Hierarchical configuration
Specific router protocol modes
Interfaces must be explicitly enabled for multicast
! IGMP/MLD and PIM enabled simultaneously
IGMP
Defaults to Version 3
! Versions 2 and 1 can be configured
PIM
Supports SM, SSM and Bidir operation
Static RP, Auto-RP, and BSR configurations
MSDP
Connects PIM SM domains by advertising group sources
:router(config)# multicast-routing
(config-mcast-default-ipv4) that is the default mode of operation is IPv4 if IPv6 is not specifically
selected.
Configuration Example
The topology and configuration on the opposite page is part of our lab
environment. In subsequent pages of this module, the PE3 router is used
as the target for examining basic multicast operation using various CLI
show commands.
Configuration Example
PE3 P1
.3 192.192.13 .1
10.3.3.3 10.1.1.1
POS 0/4/0/0
POS 0/3/0/1
.3
192.168.23
.2
10.2.2.2
P2
interface Loopback0
ipv4 address 10.3.3.3 255.255.255.255
!
interface POS0/3/0/1
ipv4 address 192.168.23.3 255.255.255.0 PE3
!
interface POS0/4/0/0
Configuration
ipv4 address 192.168.13.3 255.255.255.0
!
multicast-routing address-family ipv4
interface all enable
!
IGMP Interfaces
The show igmp interface command displays the operational status of
interfaces configured with IGMP. If not further qualified, it shows all
IGMP interfaces for all IGMP instances.
For each interface, the first line of output indicates the status of the
physical port (up/down) and the status of the datalink protocol running on
that port (up/down). That is followed by the configured IPv4 address, mask,
IGMP version, and configured timer values:
IGMP Interfaces
2011, Cisco Systems, Inc. All rights reserved. Version 34.0.1 Course Name Module 0/12
PIM source
RP RP
register message
(*,G)
Multicast (*,G)
data flow (S, G)
* = all sources
G = Mcast group
S = Source
(*,G)
(*,G) Receiver (S, G) Receiver
Reg
(*,G) (*,G)
ister
(*,G) (*,G)
(*,G) (*,G)
(S, G) (S, G)
Designated Router
The designated router (DR) is responsible for sending PIM register, join
and prune messages toward a rendezvous point (RP) to inform it about
host group membership on a local network. If there are multiple PIM-SM
routers on a LAN, a designated router must be elected to avoid duplicating
multicast traffic for connected hosts.
Generally the PIM router with the highest IP address becomes the DR for
the LAN, unless you force the DR election by use of the dr-priority
command. Setting the DR priority of the PIM interfaces allows you to
control the election such that the router with the highest priority is elected
as the DR.
The example on the facing page shows a multiaccess network with Router
A (10.0.0.253) and Router B (10.0.0.251) connected. Host A (10.0.0.1) on
the same network has registered its interest in receiving multicast traffic
to Group G using IGMP. Only Router A, having been elected as the PIM
designated router (DR), sends joins to the RP to construct the shared tree
for Group G. If Host A were to begin to source multicast traffic to the
group, the DRs responsibility would then be to send PIM Register
messages to the RP.
Designated Router
RP
(*, G) Join
DR Non-DR
10.0.0.253 10.0.0.251
10.0.0.0/24
10.0.0.1
Rendezvous Point
In PIM sparse mode, one or more routers operate as a rendezvous point
(RP). An RP is a single common root placed at a chosen point of a shared
distribution tree. The location of an RP can either be configured statically
in each PIM router, or learned through a dynamic mechanism such as
Bootstrap Router (BSR) or Ciscos Auto-RP. PIM DRs forward data from
directly connected multicast sources to the RP for distribution down the
shared tree. Data is forwarded to the RP in one of two ways:
Encapsulated in register packets and unicast directly to the RP by the
first-hop router operating as the DR
Multicast forwarded per the Reverse Path Forwarding (RPF) algorithm,
if the RP has itself joined the source tree
The RP address is used by first-hop routers to send PIM register messages
on behalf of a host sending a packet to the group. The RP address is also
used by last-hop routers to send PIM join and prune messages to the RP to
inform it about group membership.
A PIM router can be an RP for more than one group. Only one RP address
per group can be used at a time within a PIM domain. The conditions
specified by an optional access list determine for which groups the router is
an RP.
Rendezvous Point
Configuring a Static RP
On non-RP routers, the following steps configure the address of a static RP:
1. Enter router PIM configuration mode.
2. Set the address of the rendezvous point.
No specific configuration needs to be done on the RP router.
Configuring Static RP
2011, Cisco Systems, Inc. All rights reserved. Version 34.0.1 Course Name Module 0/25
Configuring BSR
In order to configure BSR on a PIM router:
1. Enter router PIM configuration mode.
2. Configure one or more routers as a candidate for BSR.
3. Configure one or more routers to advertise itself as a candidate RP to
the BSR.
4. (Optional) To avoid exchanging BSR messages between PIM domains,
turn off messages on an interface that connects to another domain.
Configuring BSR
Auto-RP
Auto-RP
Configuring Auto-RP
In a PIM domain using Auto-RP, at least one router must operate as an RP
candidate and another router must operate as an RP mapping agent. The
RP and mapping agent could be the same router. Usually more that one
router is configured for each to provide redundancy in the Auto-RP
operation.
In order to configure auto-RP operation:
1. Enter router PIM configuration mode and define the address family.
2. Configure the router to announce itself as an RP candidate by sending
messages to the default CISCO-RP-ANNOUNCE multicast group
(224.0.1.39).
3. Configure the router as RP mapping agent on a loopback interface.
Configuring Auto-RP
2011, Cisco Systems, Inc. All rights reserved. Version 34.0.1 Course Name Module 0/30
Bidirectional PIM
In Bidirectional PIM (Bidir-PIM) operation, the PIM-SM packet forwarding
rules are augmented, allowing traffic to be passed up the shared tree
toward the RP. To avoid multicast packet looping, Bidir-PIM introduces a
new mechanism called designated forwarder (DF) election, which
establishes a loop-free SPT rooted at the RP.
The procedure for joining the shared tree of a bidirectional group is almost
identical to that used in PIM SM. A key difference is that, for bidirectional
groups, the role of the DR is assumed by the DF for the RP.
Bidirectional PIM
RP
(*,G)
Data from source flows up shared
tree (*, G) to RP
Data flows down shared tree to
receivers
No registration process (*,G) Receiver
(*,G)
(*,G) (*,G)
Source/Receiver Source
Interface Information
Neighbor Information
Information is displayed about the PIM neighbors with the show pim
neighbor command.
The significant fields of the sample output are:
Neighbor AddressIP address of the PIM neighbor (an asterisk
indicates a local interface address, not a neighbor address)
InterfaceInterface type and number over which the neighbor is
reachable
UptimeDuration of time the entry has been in the PIM neighbor
table
ExpiresTime remaining time until the entry is removed from the IP
multicast routing table
DR priDesignated router priority sent by the neighbor in its hello
messages
If this neighbor is elected as the designated router (largest IP address)
on the network connected by the interface, it is annotated with (DR)
in the command output.
FlagsIndicates with a B if the neighbor is capable of bidirectional
PIM mode operation
Neighbor Information
Group Mappings
The show pim group-map command displays the multicast PIM group
mapping table. The groups can be filtered by multicast group address or
domain name (ip-address-name) and can be further detailed with group
information source (info-source).
The group ranges are listed from most specific to least specific, in
descending order. A more specific group range mapping overrides a less
specific one. The significant fields in the output are:
Group RangeMulticast group range that is mapped
ProtoMulticast forwarding mode
ClientHow the client was learned
GroupsNumber of groups from the PIM topology table
RP addressIP address of the rendezvous point
Group Mappings
Summary
Multicast Routing
In this module, you learned to:
Overview
Description
This module discusses the implementation and configuration of MPLS in
the Cisco IOS XR operating system software.
Objectives
After completing this module, you will be able to:
Describe Cisco IOS XR MPLS implementation
Explain MPLS forwarding infrastructure
Generalized MPLS
GMPLS extends MPLS to provide the control plane, signaling, and routing
for devices that switch traffic in packet, time, wavelength, or fiber
networks. The common control plane simplifies network operation and
management by automating provisioning from end-to-end. GMPLS
provides the expected level of quality of service (QoS) that is needed in
these networks.
Two versions
MPLS
! Control plane for packet switching
! Label switch paths
! Label distribution protocol
! Traffic engineering
" Dynamic configuration
" Explicit configuration
Generalized MPLS
The Cisco IOS XR software implementation includes control plane support
for packet-switch capable (PSC), lambda-switch capable (LSC), and fiber-
switch capable (FSC) devices.
Data plane
! Label imposition (push), disposition (pop), swapping
MFI Architecture
The MFI basic elements are:
Label Switching Database (LSD)Resides on both the primary and
standby route processors (RPs)
Label Forwarding Database (LFD)Resides on both the RPs and
the linecards
The control plane implements both the LSD and the LFD.
The data plane implements a part of the LFD and performs MPLS
encapsulation (encap) and decapsulation (decap).
MFI Architecture
MFI architecture
Basic elements
! Label Switching
Control plane
LDP MPLS-TE
Database (LSD)
! Label Forwarding LSD
Database (LFD)
! MPLS encapsulation and NetIO
decapsulation routines APPL
LFD
FIB
Control plane
! LSD APPL MPLS
! LFD encap/ encap/
Data plane
decap decap
Data plane
! LFD
! MPLS encap and decap HW ASIC
(LFIB)
The LSD:
Allocates or deallocates labels
Creates a relationship between the forwarding path identifier (FPI) and
rewrites
Maintains a rewrite database by interacting with the LFD
Implements an application programming interface (API) for
applications to interact with MFI rewrites
Manages interfaces for MPLS
The LFD:
Accepts LSD rewrites
Works with Cisco Express Forwarding (CEF) to keep the output chain
correct during rewrites
Links rewrites to the correct forwarding tables
The resulting label forwarding tables are part of LFD.
The LSD on the active RP distributes the label information to the standby
RP (SRP) and to all line cards that require the information. The line card
stores the forwarding information.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/11
RP SRP
LC LC LC
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/12
Forwarding updates
! UpdatesNumber of forwarding updates (including BCDL
messages) sent from LSD to LFIB using the internal bulk content
download (BCDL) mechanism
! MessagesNumber of BCDL messages
Labels in use
! ReservedNumber of labels currently needed and being used
! LowestLowest label number in LFIB
! HighestHighest label number in LFIB
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/16
targeted hello
R1
R3
traffic primary link traffic
link hello
session
R2
R1 R4
traffic
max-metric
adv.
R3
Configuring LDP
The parameters to get basic MPLS LDP running are explained on the next
several pages.
Enabling LDP
To bring up the MPLS LDP protocol, use the mpls ldp command in global
configuration mode. The MPLS configuration follows a hierarchical
configuration method similar to the rest of the routing protocols.
When LDP is enabled on an interface, the LDP process starts neighbor
discovery by sending link hello messages on the interface, which may
result in eventual session setup with discovered neighbors. The link hello
has an LDP identifier.
If LDP is enabled on traffic engineering tunnel interfaces, targeted
discovery procedures are used instead of link discovery procedures.
Enabling LDP
LDP Router ID
The link hello identifier is used to establish a neighbor peer session.
Establishing an LDP session between two neighbors requires a TCP
session connection.
The router-id command specifies an alternate IP address to use as the
LDP router ID. IP addresses selected as the LDP router ID must be
advertised by the IGP to a neighboring router.
LDP uses the router ID in the following order:
1. Configured LDP router ID
2. Selected as the primary IPv4 address of the highest numbered
configured IP address
____________________________ Note _________________________
We always recommend that you configure at least one loopback address
and that the router ID be a loopback address.
When a router has multiple links connecting it to a peer device, the
router must advertise the same transport address in the LDP
discovery-hello messages it sends on all such interfaces.
__________________________________________________________________
LDP Router ID
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/21
LDP Neighbors
Sessions between neighbors can be managed using some of these
parameters.
Discovery Timers
The LDP discovery hello timer specifies how long to hold a session without
hearing an advertisement from the neighbor. The default value of 15
seconds can be changed with the discovery hello holdtime command.
Likewise, the discovery hello interval command lets you change the
time between neighbor hellos from its default value of 5 seconds.
Security
LDP Neighbors
:router(config-ldp)# explicit-null
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/24
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Course NameModule 00/26
LDP Parameters:
Role: Active
Protocol Version: 1
Router ID: 10.1.1.1
Null Label: Implicit
Session:
Hold time: 180 sec
Keepalive interval: 60 sec
Backoff: Initial:15 sec, Maximum:120 sec
Global MD5 password: Disabled
Discovery:
Link Hellos: Holdtime:30 sec, Interval:15 sec
Targeted Hellos: Holdtime:90 sec, Interval:10 sec
Graceful Restart:
Enabled
Reconnect Timeout:120 sec, Forwarding State Holdtime:180 sec
Targeted Hellos:
10.1.1.1 -> 10.3.3.3 (active), xmit/recv
LDP Id: 10.3.3.3:0
Hold time: 90 sec (local:90, peer:90 sec)
Label forwarding
information base:
Net: 172.16.95.0
Local label: 150 172.16.95.0
Remote labels: P1 PE5 CE5
P2 250
PE4 450
PE5 50
CE4 PE4 P2
0.0.0.0/0 , rev 29
local binding: label:IMP-NULL
remote bindings : Assigned
lsr:10.2.2.2:0, label:IMP-NULL
locally
lsr:10.3.3.3:0, label:IMP-NULL
10.1.1.1/32 , rev 2
local binding: label:IMP-NULL Assigned
remote bindings :
lsr:10.11.11.11:0, label:47
remotely;
lsr:10.2.2.2:0, label:16001 learned
lsr:10.3.3.3:0, label:16001
10.2.2.2/32 , rev 69
local binding: label:16001
remote bindings :
lsr:10.11.11.11:0, label:46
lsr:10.2.2.2:0, label:IMP-NULL
lsr:10.3.3.3:0, label:16002
10.3.3.3/32 , rev 87 EXP-NULL
local binding: label:16021 if lsr does not
remote bindings : want PHP
lsr:10.11.11.11:0, label:76
lsr:10.2.2.2:0, label:16019
lsr:10.3.3.3:0, label:IMP-NULL Some entries
omitted for clarity
MPLS-enabled interfaces
! LDP enabled
! Traffic engineering tunnel supported
! Protocol status
What is it?
Traffic engineering (TE) is the use of statistical techniques to attempt to
control network traffic. Observation of traffic to measure and determine its
characteristics and type is the first step. Using the observed information, a
model is created to predict traffic patterns. Implementing engineering of
traffic in the network means allocating resources, such as bandwidth and
queues, and then queuing traffic by characteristic.
What is it?
Use statistical techniques to control network traffic
! Observation
" Measure
" Characterize
! Model
" Predict
! Implement
" Allocate resources
" Queue traffic
IS-IS example:
Sets up signaling
Enter the RSVP context
Set the interfaces to be used
Set the total bandwidth available per interface for reservation
! Default is 75% of link bandwidth (when no amount is specified)
:router(config)# rsvp
:router(config-rsvp)# interface gigE 0/2/0/1
:router(config-rsvp-if)# bandwidth
% of link b/w
for all other traffic
TE
Physical tunnels
link Unused b/w
for other
RSVP RSVP signaled
bandwidth traffic: DSCP
gigE 0/2/0/1
P1 PE1 CE1
10.1.1.1
CE2 PE2 P2
10.2.2.2
IGP Id: 10.1.1.1, MPLS TE Id: 10.1.1.1 Router Node (OSPF lab area 0)
Creating Tunnels
When the infrastructure to support tunnels is in place, the first step in
MPLS-TE is to create a tunnel, which is an interface and is configured in
interface configuration submode.
P1 PE1 CE1
CE2 PE2 P2
P1 PE1 CE1
10.1.1.1
CE2 PE2 P2
P1 PE1 CE1
CE2 PE2 P2
10.2.2.2
10.1.1.1
From here
CE2 PE2 P2
10.2.2.2
To configure a path option for an MPLS traffic engineering tunnel, use the
path-option command in tunnel configuration submode.
You can configure several path options for a single tunnel. For example,
several explicit path options and a dynamic option can exist for one tunnel.
Path setup preference is for lower (not higher) numbers, so option 1 in the
example on the slide is preferred.
Paths are either dynamic, meaning they set up automatically and seek out
the best path based on the underlying IGP, or they are explicit, indicating
you configure the tunnel manually from origination point to destination
point, including all the interim routers.
192.168.111.11
P1 PE1 CE1
192.168.112.2
Alternate
CE2 PE2 P2
Setting Priority
There are two priority settings, setup and hold.
Setup priority is used when signaling a label switched path (LSP) for the
tunnel, to determine which existing tunnels can be preempted. Valid
values are from 0 to 7, where a lower number indicates a higher priority.
Therefore, an LSP with a setup priority of 0 can preempt any LSP with a
non-0 priority.
Hold priority is associated with an LSP for the tunnel, to determine if it
should be preempted by other LSPs that are being signaled. Valid values
are from 0 to 7, where a lower number indicates a higher priority. The
lower the priority value, the less likely the tunnel will be preempted.
The default tunnel priority is 7.
Tunnel priority
! Setup
! Hold
:PE1(config-if)# priority 1 1
:PE1(config-if)#
10.1.1.1
P1 PE1 CE1
CE2 PE2 P2
10.2.2.2
10.1.1.1
P1 PE1 CE1
Used in
IGP here
CE2 PE2 P2
10.2.2.2
Summary of TE tunnels
:PE1# show mpls traffic-eng tunnels summary
Signalling Summary:
LSP Tunnels Process: running
RSVP Process: running
Forwarding: enabled
Head: 1 interfaces, 1 active signalling attempts, 1 established
0 explicit, 1 dynamic
4 activations, 3 deactivations
0 recovering, 0 recovered
Mids: 0
Tails: 1
Periodic reoptimization: every 3600 seconds, next in 763 seconds
Periodic FRR Promotion: every 300 seconds, next in 32 seconds
Periodic auto-bw collection: disabled
System Information::
Tunnels Count : 1
Tunnels Selected : 1
Bandwidth descriptor legend:
B0 = bw from pool 0, B1 = bw from pool 1, R = bw locked, H = bw held
Downstream::
Global Pool Sub Pool
----------- ----------- Additional b/w
Reservable BW[0]: 749000 0 kbits/sec information omitted
Reservable BW[1]: 749000 0 kbits/sec
Displaying Statistics
To see the statistical information about link admissions, use the show
mpls traffic-eng link-management statistics command with
appropriate keywords. LSP admission and upstream and downstream link
admission statistics are shown. These are broken into Path and
Reservation (RESV) categories.
Setup RequestsNumber of requests for setup
Displaying Statistics
Summary
Multiprotocol Label Switching (MPLS)
In this module, you learned to:
Overview
Description
This module discusses the basic implementation of Layer 3 Virtual Private
Networks in the Cisco IOS XR operating system software.
Objectives
After completing this module, you will be able to:
Describe Layer 3 virtual private networks (L3VPNs) and L3VPN
components
Customer Requirements
A typical customer who would be interested in Layer 3 VPN service might
have the following requirements:
A connection between two distant offices. The slide shows a customer
needing a connection between Boston, MA and Washington, DC.
The connection should be:
! Secure, so that data is not seen by either the service provider or
other customers using the service provider backbone
! Private, so that the customer does not need to change addressing
schemes and its addresses dont interfere with other customer
addresses
! Reliable, so that the customers network remains available no
matter what happens to the service provider network, and customer
data is available
Private addresses must be available so that network renumbering is
not required
A network infrastructure so that the customer does not have to create
and fund their own infrastructure
Customer Requirements
Connection
between Boston
and Washington,
DC locations
Connection to be: P PE
! Secure Boston
! Private Service provider
! Reliable network
Terms to Understand
Terms used in conjunction with creating VPNs in Cisco IOS XR software
are:
Virtual private network (VPN)
! Private data network that uses a shared infrastructure
! Default VRF
! Global routing table or public RIB; part of basic operating
system
Terms to Understand
! as-number:nn
! as-number is 16-bit autonomous system
! nn is 32-bit number
! ip-address:nn
! ip-address is 32-bit number
! nn is 16-bit number
! Prefixes are advertised with an export RT
! RT matched against an import target for inclusion in VRF
Site of Origin (SoO)
VPNv4
route
exchange
Core IGP
P1 PE1 CE1
Boston
Core IGP
Core IGP
routing Routing
protocol
Washington, DC
P2 PE2
CE2
Core IGP
3. VPNv4 prefix
propagated by P1 PE1 CE1
MP-BGP to
other PE Boston
Service provider
network: OSPF,
MP-BGP
Washington, DC
P2 PE2 CE2
5. IPv4 update
sent to CE
4a. PE matches the RT
with correct VRF 4b. RD removed by PE, 4c. IPv4 address
resulting in original 32-bit installed in VRF RIB
IPv4 address
ation
Label A IP packet
2
Label A = Destination VRF label 3
Label B,C = MPLS label Label B Label A IP packet 1
IP packet
4 PE1
P1 CE1
Label C Label A IP packet Boston
MPLS
Washington, DC
P2 PE2 CE2
5
Label A IP packet IP packet
Label A IP packet
6 7
Configuration
The configuration of L3VPNs involves several steps within several
configuration modes of Cisco IOS XR software. You must compile several
pieces of information and create documentation to accomplish this task
successfully.
Configuration Requirements
The requirements for a core network to support L3VPNs are:
What to Configure
On a PE router running Cisco IOS XR software, the following pieces will be
configured:
VPN definitionA specific VRF definition completed in global
configuration mode
PE to CE definitionA specific VRF definition within the routing
protocol used to exchange routes and on the interfaces to the CE
PE to PE definitionA definition within BGP that identifies neighbors
that will participate in the VPN
VPN, BGP, and MPLS relationship definitionA specific entry in the
BGP base definition and the neighbor definition that makes basic BGP
become MP-BGP and interrelates BGP to MPLS
Configuration
Configuration Steps
The steps to successfully creating the L3VPN on the PE are:
1. Define the VPN by creating a VRF in global configuration mode
2. Assign the VRF to an interface facing the customer (CE)
3. Create a routing relationship with the CE
! Add the VRF under the protocol definition
Configuration Steps
VRF Configuration
To configure a VRF for the definition of the L3VPN, enter the vrf name
command in global configuration mode. The address-family command is
required, and the options are either IPv4 or IPv6 unicast. Route targets are
set up to determine routes to import into the VRF and export to BGP. The
description command is optional and is limited to 1022 characters.
The import and export commands may be used with route policies, also.
Route policies can be in addition to, or in place of, route targets in the VRF
address family. If policies are to be used, they must be defined first.
VRF Configuration
VRF Configuration
:PE1(config)# vrf GROUP_1
:PE1(config-vrf)# description L3VPN for GROUP_1
:PE1(config-vrf)# address-family ipv4 unicast
:PE1(config-vrf-af)# import route-target 65000:2
:PE1(config-vrf-af)# export route-target 65000:2
VRF name
Description is optional
P1 PE1 CE1
Address family defines traffic type
BGP route targets define VRF inclusion
! Route policies may be used
P2 PE2 CE2
Configuration
from PE1
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/18
P2 PE2 CE2
Configuration
from PE1
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/18
!Static route
!Next-hop address
P2 PE2 CE2
Configuration
from PE1
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/18
BGP Configuration
Your first step in making BGP recognize VPN configuration is to set up a
connection with MPLS. This is done by entering the address-family
vpnv4 unicast command. This effectively provides access to the extended
communities; that is, lets MP-BGP add the necessary VPNv4 and extended
community information to the packets and forward them using MPLS.
Once again, create a VRF using the vrf name command.
Next, define a route distinguisher using either of these options:
as-number:nn or ip-address:nn
Let the system define its own unique route distinguisher by selecting
the auto keyword
The redistribute command lets the routes in the VRF be advertised by
the routing protocol by BGP.
____________________________ Note _________________________
A new address-family is a new capability, which can only be negotiated
during BGP session establishment, adding the VPNv4 address-family
definition to an existing active BGP configuration will cause the BGP
session to that neighbor to terminate.
__________________________________________________________________
BGP Configuration
P1 PE1 CE1
Turn on the MPLS relationship
! VPNV4 address family
Consistent VRF name
! RD is arbitrary; could be set automatically
! Address family definition for traffic type
! Allow the routes from the CE to be carried to P2 PE2 CE2
other interested PEs
Configuration
from PE1
BGP Configuration
For the VPN information to be exchanged with PEs participating in the
VPN, the MP-BGP connection is established using the address-family
vpnv4 unicast command under the specific participating neighbor
definitions.
____________________________ Note _________________________
A new address-family is a new capability, which can only be negotiated
during BGP session establishment, adding the VPNv4 address-family
definition to an existing active BGP configuration will cause the BGP
session to that neighbor to terminate.
__________________________________________________________________
P2 PE2 CE2
Configuration
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1
from PE1
Cisco ASR 9000 EssentialsModule 12/18
P1 PE1 CE1
0/2/0/28
:PE1# show run int gigE 0/2/0/28
interface gigabitEthernet 0/2/0/28
vrf GROUP_1
ipv4 address 172.16.12.2 255.255.255.0
P2 PE2 CE2
Display the configured customer interface
IP address assigned to VRF, not interface Displayed
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1
from PE1
Cisco ASR 9000 EssentialsModule 12/18
The BGP autonomous definition that will carry the VPN must be defined
for VPNv4 address family traffic.
Finally, be sure that the BGP PE neighbor definitions, for which sessions
are required, have the necessary VPNv4 address family definition, so that
advertisements can be forwarded.
VPN routes
!Routes are not in default RIB
Note reference to VRF default next hop
router static
vrf Group_1
address-family ipv4 unicast
10.255.12.0/24 GigabitEthernet0/2/0/28
VRF: GROUP_1
You can display detailed information about specific routes in the VPN. The
slide on the opposite page shows BGP and MPLS information.
You can verify the prefixes that are being imported into the VRF by using
the show bgp vrf name imported-routes. The display indicates the best
path and validity of the entries and the neighbor that provided the routes
Ping CE to CE
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/18
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/18
Summary
Layer 3 Virtual Private Networks
In this module, you learned to:
Describe Layer 3 virtual private networks (L3VPN) and L3VPN
components
Implement a basic L3VPN using Cisco IOS XR software
Overview
Description
This module provides a detailed description of the Layer 2 service
architecture supported by the Cisco ASR 9000, including an overview of
terminology, service building blocks, and an illustration of Layer 2 service
implementation.
Objectives
After completing this module, you will be able to:
Describe Carrier Ethernet concept
Content Farm
Policy Control Plane (per subscriber)
Residential
Access Aggregation/Distribution Edge
MSPP
VOD TV SIP
Cable
STB
VOD TV SIP
CE
CE: UNI
Customer equipment
Router or IEEE 802.1 bridge or switch CEN
UNI:
UNI
User-network interface CE
UNI CE
Gigabit Ethernet or 10GE
Demarcation between customer and provider
Carrier Ethernet network:
Provides Metro Ethernet service between CEs
May use various transports/media
CE CE
CE
UNI UNI
UNI
Multipoint-to-multipoint Rooted-multipoint
Point-to-point
UNI UNI
CE UNI CE UNI UNI
CE UNI
CE CE
CE
mapping
Multiple L2 frame types Multiple L2 services
Flexible PE
CE1 CE2
CE U-PE
CE U-PE
PE-Agg
Core
CE
U-PE N-PE P
U-PE
CE
PE Roles
Multilayered Provider Edge
PE Roles
VPN
Virtual: Multiple services share physical media
Private: Each service is logically independent
Layer 2 VPN
Ethernet point-to-point or multipoint connectivity between
customer LAN sites or service endpoints
Layer 3 VPN
IP connectivity or routing between service endpoints or
gateways
Cisco service
Metro Ethernet Forum IETF (MPLS) IEEE
name
Ethernet private QinQ, .1ad Ethernet wire
E-Line line (EPL) service (EWS)
(point-to- Virtual private
point) wire service
Ethernet virtual .1Q Ethernet relay
(VPWS)
private line service (ERS)
(EVPL)
Transparent QinQ, .1ad Ethernet
LAN service multipoint service
(TLS) Virtual private (EMS)
E-LAN
LAN service
(multipoint) Ethernet virtual .1Q Ethernet relay
(VPLS)
connection multipoint service
service (EVCS) (ERMS)
What is an EFP?
EFP = Service Instance
What is an EFP?
What Is an EFP?
G0/0/0/1.4 l2
EFP transport
EFP
EFP Interface Physical Ethernet interface
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/16
Double tagged frame: First VLAN tag must be unique, second VLAN tag
can be any unique value or a list or range
encapsulation dot1q vlan-id second-dot1q {any | vlan-
id[,vlan-id[- vlain-id]]}
Default tag: match all frames tagged or untagged that are not matched by
other more specific service instances. Similar concept as class-default in
the QoS MQC
encapsulation default
Untagged: match untagged frames
encapsulation untagged\
EFP Attributes
Service Architecture
The slide on the next page shows the model used to describe an EFP in this
module. Filters are applied on ingress and egress, partly to ensure that
only traffic appropriate to that EFP is allowed to pass, and partly to ensure
that the packets passed to the Tag Operations (manipulations such as
pushing/popping tags) are suitable for the operations to be performed.
Note that, logically, another filter is can be applied on egress. This filter is
the same as the ingress filter, and ensures that traffic leaving via this EFP
conforms to the same criteria as the ingress traffic (with allowances made,
of course, for source/destination MAC addresses being the other way
around). No Egress filtering is the default.
____________________________ Note _________________________
Cisco IOS XR Software Release 3.7.3 introduces EFP Egress Filtering
on the Cisco ASR 9000. The purpose of egress EFP filtering feature is
to implement a way of filtering EFP egress traffic, ensuring that all the
egress traffic on a given EFP complies with the ingress matching
criterion.
By using the ethernet egress-filter command, you can configure
egress EFP filtering in either global or Layer 2 subinterface mode as
follows:
ethernet egress-filter strict configures Egress EFP Filtering
in global configuration mode.
ethernet egress-filter {strict | disabled} configures Egress
EFP Filtering in Layer 2 subinterface mode.
__________________________________________________________________
EFP Attributes
QoS, multicast, OAM, and security features are bound to service instances
Ingress filter Egress filter
EFP
Tag ops
From Filter
physical Towards a
interface xconnect or
Ingress bridge-
Tag ops
domain LC NPU
Filter
Egress
NPU
EFP Implementation
The encapsulation command (along with the match command) sets the
format for packets entering and leaving this EFP. Packets with tags
matching the encapsulation specification are allowed into this EFP, and all
packets that leave will generally match the encapsulation specification.
The encapsulation command takes the following forms, and produces the
corresponding ingress filters. In the absence of any tag manipulation, the
egress filter are the same as the ingress filter (with the exception that
source and destination MAC matching are swapped).
EFP Implementation
EFP Creation
From global configuration mode, enter subinterface configuration mode to
begin EFP creation. Specify the subinterface as a l2transport EFP with
the l2transport command.
In subinterface configuration mode, specify the encapsulation type of the
outer tag as dot1ad, dot1q, or untagged, or use a default tag scheme to
accept any unmatched frames.
EFP Creation
One EFP can match unique VLAN tags, lists of VLAN tags, or ranges of
VLAN tags. It can match untagged frames, single-tagged frames, double-
tagged frames, 802.1q, QinQ, or 802.1ad.
Default frame matching can be used to accept all tagged or untagged
frames that are not matched by other more specific EFPs (much like class-
default in MQC).
Encapsulation classification: 802.1Q (type 0x8100) and 802.1ad (type
0x88a8) can co-exist on the same physical port. Ingress classifier is
Ethertype-aware (802.1Q vlan 10 can be mapped to a different service than
802.1AD vlan 10).
200
400 11
Match outer 400,
400 17
inner list: 11,17,34
400 34
10
10 50
10 50
10 50 4
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/24
EFP 1
10
VLAN 10
10 200 EFP 2
Interface
S-VLAN 10
10 100 C-VLAN 100
EFP 3
S-VLAN 10
10 130
C-VLAN 128-133
VLAN 10
VLAN 10
VLAN 20
VLAN 20
VLAN 50
Untagged Default
EFPs Interface
Use a default EFP to match all tagged and untagged traffic on a port (all-
to-one bundling):
VLAN 10
VLAN 20
VLAN 50 Default
Untagged
Interface EFP Interface
Note: Bundles are treated like another physical port. EFPs on a bundle
are equivalent to EFPs on a physical interface.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/27
This example shows the CLI options and the steps for configuring Gigabit
Ethernet subinterface 10.10 as a Layer 2 transport EFP that will filter
ingress frames from the parent interface that are double-tagged with an
outer 802.1q tag of 10 and an inner dot1q tag of x.
This example shows the CLI options and steps for configuring gigabit
Ethernet subinterface 0.20 as a l2transport EFP that will filter ingress
frames from the parent interface that are double tagged with an outer
802.1ad tag of 20 and an inner dot1q tag of x.
Exact match
The exact keyword means that there cannot be another tag
following the top tag
:router(config)# interface gigabitEthernet 0/1/0/0.25 l2transport
:router(config-subif)# encapsulation dot1q 1000 exact
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/31
After an EFP match, a push operation can be applied to any packet. There
are no restrictions on the filter that comes before a push operation.
A push operation takes as its parameters a list of tags: for each tag, the
following must be specified:
The VLAN id to be pushed
Push a tag DA SA 20 DA SA 25 20
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/34
After an EFP match, a pop operation can be applied to remove the outer
VLAN tag from a frame with one or more VLAN tags. One or two tags can
be popped.
Pop a tag DA SA 50 20 DA SA
DA SA 200 10 DA SA 30
Translate a tag
Options are 1:1, 1:2, 2:1, 2:2
Useful for customer VLAN overlap
:router(config)# interface gigabit ethernet 0/2/0/0.200 l2transport
:router(config-subif)# encapsulation dot1q 200 second-dot1q 10
:router(config-subif)# rewrite ingress tag 2-to-1 dot1q 30
DA SA 30 DA SA 40 50
L2VPN
CE
CE
EFPs
Specify p2p
bridge-domain
corresponding
parameters interface or neighbor interfaces or VFI
IGMP snooping
:router(config)# l2vpn
:router(config-l2vpn)# ?
.
bridge Configure bridge commands
logging Enable cross-connect logging
pw-class Pseudowire class template
pw-status Enable PW status
xconnect Configure cross connect commands
Cross-connect or bridge options
PW-class can also be configured
:router(config-l2vpn)# xconnect group CUSTOMER_A p2p SERVICE_1
:router(config-l2vpn-xc-p2p)# ?
. .
interface Specify the attachment circuit
neighbor Specify the peer to cross connect
:router(config)# l2vpn
:router(config-l2vpn)# xconnect group CUSTOMER_A p2p SERVICE_1
:router(config-l2vpn-xc-p2p)# interface gigabitEthernet 0/1/0/0.10
:router(config-l2vpn-xc-p2p)# interface gigabitEthernet 0/2/0/10.20
To check physical interface state (for example, up, up), port settings (for example,
MTU, duplex), counters:
show gigabitEthernet 0/2/0/1 or tenGigE 0/4/0/1
show ethernet trunk
To check subinterface state, encapsulation and rewrite settings, counters:
show gigabitEthernet 0/2/01.1
To check for correct cross-connect segment state (AC-AC, AC-PW, or PW-PW):
show l2vpn xconnect
show l2vpn xconnect summary
show l2vpn forwarding
To check EFP details including AC state, VLANs, PW details, and counters:
show l2vpn xconnect detail
show ethernet tags
To check bridge-domain and VFI configurations:
show l2vpn bridge-domain
show running-config l2vpn
Ingress Egress
interface Service mapping interface
(cross-connect, bridge,
and so on)
Tier 1 Tier 2 input Ingress Tier 1 Egress Tier 2
input features VLAN output EFP output
features re-writes matching rewrites features
Ingress QoS, Egress filter
Ingress Ingress Egress 2
interface filter 1 Egress QoS,
ACLs
classify ACLs
Point-to-point Multipoint
1 E-Line E-LAN
3
Local connect Local bridging
Single-
Two EFPs (on same Two or more EFPs (on platform
platform) connected using same platform) connected
using
native Ethernet in a bridge-domain using
Ethernet
native Ethernet
EoMPLS VPLS bridging
EFPs (on different Two or more EFPs (on Multiple-
platforms) connected with different platforms) in a platform
a PW bridge-domain connected using MPLS
by a PW mesh
2 Bridge-domain
4
No MAC learning
Transparent tunnel MAC learning
IGMP snooping
Split-horizon
EFPs MPLS PW
L2
2 PW
P2P EoMPLS
tunnels
IP
interface
GE or 10GE
ports Ingress LC Switch fabric Egress LC
EVCs
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/48
Putting
Putting it All3,Together
it All Together- 4
EFPs
Ethernet
frames
L2
MPLS
MP Ethernet
bridge-domain
3 uplink
L2
BD
EFPs
PW
tunnels
MP VPLS
4 L2
MPLS
PWs
BD EoMPLS
VFI
IP
interface
GE or 10 GE
ports Ingress LC Switch fabric Egress LC
EVCs
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 12/49
3
encapsulation dot1q 2
l2vpn Local E-LAN
bridge group TEST3
bridge-domain TEST3
int g0/1/0/1.10
int g0/1/0/0.20
4
encapsulation dot1q 301 second-dot1q 10
l2vpn VPLS E-LAN
bridge-group TEST4
bridge-domain TEST4
int g0/1/0/0.40
vfi TEST4
neighbor 10.2.2.2 pw-id 1
neighbor 10.3.3.3 pw-id 2
Bundle AC supported: Y
System capability:
Security config supported: Y
VPLS Max MAC addresses: 512000
DHCP snooping supported: Y
VPLS Max bridge-domains: 8192
VPLS Static MAC filter supported: Y
VPLS Max attachment circuits: 64000
VPLS MAC configs on bridge port supported: Y
VPLS Max pseudowires: 32000
VPLS Flooding config on bridge port supported: Y
RSI bit size: 14
Flood unknown unicast disable supported: Y
Per-AC drop counters supported: Y
IGMP snooping supported: Y
VPLS Preferred path allowed: Y
VPLS MAC Aging Default Timer Value: 300
VPLS Preferred path fallback enable allowed: Y
VPLS MAC Aging Min Timer Value: 300
VPLS Preferred path fallback disable allowed: Y
VPLS MAC Aging Max Timer Value: 30000
MAC withdrawal allowed: Y
VPWS Max attachment circuits: 64000
Max attachment circuits per bridge-domain: 16384
VPWS Max pseudowires: 64000
VPLS Max virtual forwarding interfaces: 32000
VPWS Preferred path fallback enable allowed: Y
VPLS Max virtual forwarding interfaces per bridge-domain: 1
VPWS Preferred path fallback disable allowed: Y
VPLS Max pseudowires per bridge-domain: 512
VPLS allowed: Y
VPLS Max pseudowires per virtual forwarding interface: 512
VPLS Default MAC limit: 4000 [DEFAULT]
VPWS PW redundancy supported: Y
Split Horizon Group supported: Y [DEFAULT]
VPLS Access PW supported: Y
VPLS Max MAC addresses per bridge-domain: 512000
VPWS allowed: Y
VPWS Max xconnects: 64000
Summary
Cisco ASR 9000 Layer 2 Architecture
In this module, you learned to:
Overview
Description
This module provides a detailed description of the point-to-point Layer 2
services supported by the Cisco ASR 9000 Series Aggregation Services
Router. This includes an overview of local and Ethernet over Multiprotocol
Label Switching (EoMPLS) Ethernet-Line service and service resiliency
features.
Objectives
After completing this module, you will be able to:
Describe and configure local E-line service
P P
CE PE PE CE
(GE) (GE) (GE) (GE) (GE)
Cisco Cisco
ASR Cisco Cisco ASR
9000 12000 12000 9000
Ethernet or
Cust A Ethernet or MPLS Access Cust A
Loc 1 MPLS Access IP or MPLS Loc 2
Core and
and Aggregation
Aggregation
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/18
EVC
AC AC
Switch
Ingress LC fabric Egress LC
EFP1 EFP2
int gig0/1/0/0.10 l2transport int gig0/2/0/2.10 l2transport
encapsulation dot1q 10 encapsulation dot1q 10
rewrite ingress tag < > rewrite ingress tag < >
l2vpn
xconnect group CUSTOMER_A p2p SERVICE_1
interface gig0/1/0/0.10
interface gig0/2/0/2.10
Local Switching
To check the configuration the following commands are useful:
Local Switching
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/18
AC/PW/XC States
Attachment Circuit (AC) states:
Up (UP)
Down (DN)-Segment is configured, interface has been configured for
l2transport, but local interface is down.
Unresolved (UR)-Segment has not been configured or l2transport has
not been configured on the interface.
Connected (CO)-Service is available, interface has been configured for l2
transport, but interface is not up and AToM is not ready to distribute
labels.
Local Up (LU)-Local AC is up, but remote AC or PW is not ready.
Remote Up (RU)-Remote AC/PW are up, but local AC or PW is not
ready.
Admin down (AD)-Layer 2 interface is administratively down.
AC/PW/XC States
RU Remote AC/PW are up, but local AC/PW are not ready
x
Link failure
CE PE
Bundle-Ether 100
gig 0/2/0/3
gig 0/2/0/4
ASR 9000
CE PE
Bundle-Ether 101
gig 0/2/0/20
gig 0/2/0/21
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/18
RP/0/RSP0/CPU0:PE1#bundle-hash bundle-e 50
Calculate Bundle-Hash for L2 or L3 or sub-int based: 2/3/4 [3]: 2
Enter traffic type (1.VPWS, 2.VPLS) : [1]: 1
Enter traffic direction (1.AC-to-PW, 2.PW-to-PW, 3.any-to-AC): [1]: 1
Enter PW VC label in decimal (20-bit value) :16001
Another? [y]: n
MPLS
uplink
MPLS PW PW
tunnels
L2
EFP P2P EoMPLS
GE or 10GE
port MPLS
Ingress LC Switch fabric Egress LC network
What Is a Pseudowire?
Ethernet-over-MPLS (EoMPLS) provides a tunneling mechanism for
Ethernet traffic through an MPLS-enabled Layer 3 core and encapsulates
Ethernet PDUs inside MPLS packets (using label stacking) to forward them
across the MPLS network. The basic idea involves assigning short, fixed-
length labels to packets at the ingress of an MPLS cloud (based on the
concept of forwarding equivalence classes [FEC]). Throughout the interior of
the MPLS domain, the labels attached to packets are used to make
forwarding decisions.
A Label Switch Path (LSP) is the resulting virtual path between Label
Switch Routers (LSRs), in an MPLS network. An LSP is defined by labels
at the LSRs. PEs usually act as LSRs. LSRs use signaling to communicate
label usage and packets are switched based on labels attached to each
packet.
The MPLS architecture does not assume a single label distribution protocol.
LSPs may be signaled with Label Distribution Protocol (LDP) or targeted
LDP (T-LDP) for LSP tunnels and the Resource Reservation Protocol
(RSVP) (for MPLS-Traffic Engineering [MPLS-TE] tunnels) across the
MPLS Packet Switched Network (PSN).
Layer 2 transport services over MPLS are implemented through the use of
two-level label switching between the edge routers. The label used to route
the packet over the MPLS backbone to the destination PE is called the
tunnel label. The label used to determine the egress interface is referred to
as the VC label.
Redundancy options include backup PW and TE preferred path.
When tunneling over MPLS network, Cisco uses the term AToM: Any
Transport over MPLS. When tunneling over IP, L2TPv3 is used (not
supported currently on the Cisco ASR 9000).
What Is a Pseudowire?
MPLS
CE Access CE
Customer 1 Customer 1
Access PE PE
PH Pseudowire header
THTunnel header
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/18
What Is a Pseudowire?
MPLS
Ingress LC Switch fabric Egress LC
uplink
MPLS PW
MPLS neighbor
10.2.2.2
PW
tunnels
2. Create EFP
MPLS VC Type
The Cisco ASR 9000 supports manual VC type configuration for point-to-
point EoMPLS VCs. However, for VPLS or the bridge-domain spoke or
access PWs, the VC type is always 5, which is not user configurable.
By default, the Cisco ASR 9000 uses VC type 5 for both EoMPLS and VPLS
VC. It can negotiate to be VC type 4 automatically based on the peers VC
type for point-to-point EoMPLS. However, for VPLS or spoke/access PW, it
is always VC type 5.
Most vendors platforms support VC type 5 for VPLS and H-VPLS. If
interoperability is an issue, try popping outer VLAN tags.
MPLS VC Type
Pseudowire VC Type 5
The default VC Type is Type 5 (Ethernet). VC types used on EoMPLS
pseudowires can be configured to Type 4 (Ethernet VLAN) using the pw-
class command.
VLAN tag information from the ingress 802.1q frame is copied to the VC
label. At egress, the VC label data is used to rewrite the egress VLAN tag.
If the EoMPLS VC type is 5, no additional VLAN tag is added to the frame
after the configured rewrite operations.
For EoMPLS cross-connects, ingress VLAN (single or double) tags must be
popped. The VLAN tags after the rewrite tag configuration are treated as
payload for EoMPLS and will be tunneled regardless of VC type.
Summary: The rewrite ingress tag configuration is independent of VC type
for EoMPLS configuration. It is used to decide which VLAN tag is tunneled
as payload. Based on VC type, a random service delimiter VLAN tag maybe
added (for VC type 4), which should be removed and replaced by a peer PE
device based on its UNI configuration.
Pseudowire VC Type 5
INTF 1
PE2
PE1
INTF 1
MPLS
l2vpn l2vpn
xconnect group CISCO p2p SERVICE_1 xconnect group CISCO p2p SERVICE_1
interface GigabitEthernet0/0/0/4.1 interface GigabitEthernet0/0/0/5.1
neighbor 10.2.2.2 pw-id 22 neighbor 10.1.1.1 pw-id 22
Pseudowire VC Type 4
VLAN (Type 4) packets are untagged and VLAN-ID can change.
With VC type 4, an additional dummy (random) VLAN tag is added before
PW encapsulation. The peer PE removes the dummy tag and rewrites it
based on its UNI configuration before sending it to CE device.
If the service-delimiter VLAN tag is not popped before mapping into the
PW, it can cause duplicated (double) VLAN tags to be sent to the peer PE. If
the peer PE is not capable of removing these extra tags, they will be passed
as on UNI, and eventually they are dropped at the CE device.
Pseudowire VC Type 4
INTF 1
PE2
PE1
INTF 1
MPLS
l2vpn
l2vpn
xconnect group CISCO p2p SERVICE_1
xconnect group CISCO p2p SERVICE_1
interface GigabitEthernet0/0/0/5.1
interface GigabitEthernet0/0/0/4.1
neighbor 10.1.1.1 pw-id 22
neighbor 10.2.2.2 pw-id 22
pw-class TYPE4
pw-class TYPE4
Pop outer Pop outer
VC type 4 tag tag
10 tag 10
Type 4 - dummy
tag added
INTF 1
PE2
PE1
INTF 1
MPLS
l2vpn l2vpn
xconnect group CISCO p2p SERVICE_1 xconnect group CISCO p2p SERVICE_1
interface GigabitEthernet0/0/0/4.1 interface GigabitEthernet0/0/0/5.1
neighbor 10.2.2.2 pw-id 22 neighbor 10.1.1.1 pw-id 22
pw-class TYPE4 pw-class TYPE4
VC type 4 No pop!
Tag mismatch
10 10 tag 10 10
Single-tag frame
Dummy-tag frame
Un-popped tag(s)
treated as data
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/18
Forwarding plane
details
RP/0/0/CPU0:PE1#sh l2vpn forwarding detail location 0/2/cpu0
Local interface: Bundle-Ether100.2, Xconnect id: 0xfffc0004, Status: up
Segment 1
AC, Bundle-Ether100.2, status: Bound
Statistics:
packets: received 273340, sent 126
bytes: received 18589010, sent 9601
packets dropped: PLU 0, tail 0
bytes dropped: PLU 0, tail 0
Segment 2
MPLS, Destination address:10.2.2.2: pw-id 101, status: Bound
Pseudowire label: 16023
Statistics:
packets: received 126, sent 273340
bytes: received 9601, sent 18589010
packets dropped: MTU 0, tail 0
bytes dropped: MTU 0, tail 0
PW MTU Settings
The Ethernet MTU is the size of the largest frame, minus the 4-byte frame
check sequence (FCS) that can be transmitted on the Ethernet network.
Every physical network along the destination of a packet can have a
different MTU.
The Cisco ASR 9000 can adjust the MTU automatically based on the EFP
VLAN tag encapsulation and the VLAN tag manipulation configuration.
The default payload MTU is 1500 bytes which excludes VLAN tags. If
VLAN tag encapsulation is single tag, the MTU will be adjusted to 1504
bytes. MTU is part of the PWE3 T-LDP signaling message. If the MTU on
the two devices does not match, then the PW will not come up. There are
two options to work out the MTU mismatch issue:
Option 1: pop VLAN tag. This is recommended configuration which
applies to most cases
Option 2: Change the per sub-interface MTU size
Although Option 1 is the preferred configuration, in certain cases, VLAN
tag rewrite is not allowed or cannot match on both sides. In those cases
MTU configuration is required.
The Cisco ASR 9000 supports per-sub-interface MTU configuration on the
control plane. This is used for PW signaling purposes only. The ASR 9000
system does not enforce the per sub-interface MTU configuration in the
data plane.
PW MTU Setting
PW MTU Settings
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/18
Pseudowire Redundancy
If a CE or PE node fails, or an attachment circuit goes down, the PW goes
down and the L2VPN service that uses the PW also goes down.
With PW redundancy, a backup PW is created that can be tied to a different
remote PE box or a different attachment circuit on the same remote PE box,
depending on which component is being protected. When the primary PW
goes down, normally due to PE node failure or attachment circuit failure, it
can quickly switch over to the backup PW.
One-way PW redundancy:
PE node or AC redundancy is only unidirectional (it is one-way PW
redundancy).
Two-way PW redundancy:
Having redundant PEs or ACs on both sides is called two-way PW
redundancy, which is supported currently.
Allows dual-homing of two local PEs to two remote PEs
Four PWs: 1 primary & 3 backup provide redundancy for a dual-homed
device on both sides.
Two-way PW redundancy requires multichassis LAG (MC-LAG) on the
access side (MC-LAG is outside the scope of this course).
Pseudowire Redundancy
Backup
PW
PE3
CE1 PE1
(backup
PE)
Primary
PW
1
2 3
PE2 CE2
(primary
Solves L2VPN service failures: PE)
PW Redundancy Configuration
Use the backup neighbor command to specify a backup PW to the same
neighbor or to a different neighbor.
A backup delay (optional) can be set in pw-class configuration mode.
____________________________ Note _________________________
When configuring PW backup, make sure you create a return-path PW
from the backup PE. This step is not shown in the slide.
__________________________________________________________________
The l2vpn switchover neighbor <ip-address> <pw-id> command
applied to the current active PW can be used to force a manual switchover.
PW Redundancy Configuration
PW Redundancy Verification
Use the show l2vpn xconnect command to display cross-connect details
including backup PW configuration.
Traffic is always blocked on one PW for loop prevention, using the active or
inactive state of the pair of PWs being used. The backup PW is held in the
standby state, eliminating any loops between PEs.
In case of failures, status indications from lower-layer protocols (VCCV) and
peer PEs trigger a PW switchover. The backup PW to the redundant PE
becomes active.
The l2vpn switchover xconnect neighbor A.B.C.D pw-id X command
(for example, l2vpn switchover xconnect neighbor 10.5.5.5 pw-id 1) on
the active PW can be used to force a manual switchover between active and
backup PWs.
PW Redundancy Verification
State of Backup
PW will be
DOWN unless
Primary PW
fails
PE1# sh l2vpn xconnect
Legend: ST = State, UP = Up, DN = Down, AD = Admin Down, UR = Unresolved,
LU = Local Up, RU = Remote Up, CO = Connected
Use the show l2vpn xconnect detail command to show the status
of fallback (that is, enabled or disabled).
P1
LDP
PE2
PE1
Summary
Cisco ASR 9000 Point-to-point Layer 2 Services
In this module, you learned to:
Overview
Description
This module provides a detailed description of the Multipoint Layer 2
services supported by the Cisco ASR 9000 Series Aggregation Services
Router. This includes an overview of local and Virtual Private LAN
(VPLS) Ethernet-LAN (E-LAN) services, and service resiliency.
Objectives
After completing this module, you will be able to:
Describe how attachment circuits (ACs), Ethernet flow points (EFPs),
bridge-domains (BDs) and multiprotocol label switching (MPLS) are
involved in building Layer 2 services
Describe and configure local E-LAN and VPLS service
Describe and configure VPLS autodiscovery and resiliency features
In the hands-on lab that accompanies this module, students create local
multipoint and virtual private LAN service (VPLS) E-LAN configurations,
logically connecting three pods. A separate VPLS established with BGP
PW autodiscovery is also configured.
Ethernet OAM (E-OAM) and Connectivity Fault Management (CFM) or
service-based OAM are added to the local multipoint and VPLS services in
later labs.
P P
CE1 PE1 PE2 CE2
(GE) (GE) (GE) (GE)
VPLS
Cisco mesh Cisco
ASR Cisco ASR
9000 12000 9000
PE3 CE3
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/3
E-LAN Service
E-LAN connects many user-network interfaces (UNIs) together with a
virtual bridge. UNIs can exist locally on a single port, line card (LC), or
platform. UNI connections can also be configured to extend over an MPLS
network to other UNIs on other geographically dispersed provider-edge
(PEs) devices in the network.
E-LAN Service
UNI 1 UNI 2
CE Carrier Ethernet CE
Network
UNI 4 UNI 3
CE CE
Multipoint-to-multipoint connection
MP Ethernet
bridge-domain 3
EFPs
EFPs L2 L2
BD
Split
horizon
group
MPLS
MP VPLS 4 uplink
MPLS PW
L2 PWs tunnels
BD VFI
GE or 10GE
ports Ingress LC Sw itch fabric Egress LC
BD
The bridge-domain (BD) concept is used to differentiate the notion of
VLAN as an encapsulation from VLAN as a broadcast domain. A BD
defines a multiport broadcast domain. Thus, the VLANs within the BD
have local significance per port. VLAN tags can be reused on separate
services.
BD attributes are as follows:
Layer 2 broadcast domain consisting of a set of physical or virtual
ports, or both.
Data frames are switched within a BD based on their destination
MAC address. Multicast, broadcast, and unknown-destination unicast
frames are flooded within the BD. A learned address is aged out.
MAC limits can be configured per BD or per BD port.
Static MAC address support.
Traffic storm control.
Many Layer 2 features are applied per BD such as DHCP snooping
and Internet Group Management Protocol (IGMP) snooping.
BD
used to enable or
disable bridging SHG
EFPs
EFPs L2 L2
BD
SHG
Create EFPs
(config)# l2vpn
(config-l2vpn)# bridge group BG_1
(config-l2vpn-bg)# bridge-domain BD_1 EFP not in a SHG
(config-l2vpn-bg-bd)# interface g0/2/0/25.1
(config-l2vpn-bg-bd)# interface bundle-eth100.3 EFPs in an SHG if desired
(config-l2vpn-bg-bd-ac)# split-horizon group
(config-l2vpn-bg-bd)# interface bundle-eth101.2
(config-l2vpn-bg-bd-ac)# split-horizon group
Clear BD MAC
Tables
BD show Commands
The following slide shows the output of show l2vpn bridge-domain
commands.
BD show Commands
The following slide shows the output of the show l2vpn bridge-domain
detail command.
RP MAC cache
must be update
using CLI.
Entries in the MAC table are aged out; the aging time is configurable
The MAC table size is configurable on an EFP or bridge-domain level
Configuration command is set per-AC OR per-BD MAC limit
Configuration options perform the following actions when MAC
table limit reached:
Syslog msg (default)
Limit Flood (stop learning)
Limit No-flood (stop learning and disable flooding)
Shut BD/AC
Static MAC addresses
Ability to statically configure MAC addresses
Simulates dynamically learned mac addresses; can be configured
both on AC and PW
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/14
The MAC limit includes both static MACs and dynamically learned MACs.
The static MACs are subtracted from the MAC limit passed to NP to be used for dynamic
MACs.
Current MAC limit is configured/default MAC limit minus static MACs not configured
at port level
This command does not require a Bridge-domain to be specified but a name can be
used within the command syntax in order to filter the output.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/17
If MAC is missing in MAC table then look at MAC table in np struct 18 to verify that MAC is
missing there also or not. Caveat : Same MAC can be learnt on multiple bridges so 2 bytes bridge
id in little-endian format must be added to the search key make it unique for the bridge. To get
bridge id use the following command. show l2vpn bridge bd-name xxx
VPLS architecture
PE PE
CE CE
Tunnel LSP
Pseudowire
CE
MPLS
Split horizon
group uplink
MPLS PW
L2 PWs tunnels
BD VFI
MP VPLS
GE or 10GE
ports Ingress LC Switch fabric Egress LC
MPLS
PW
mesh
BD VFI
EFPs
Virtual switching
instance (VSI)
(config)# l2vpn
(config-l2vpn)# bridge group BG500 VFI config
(config-l2vpn-bg)# bridge-domain BD500 mode
(config-l2vpn-bg-bd)# interface g0/1/0/0.500
(config-l2vpn-bg-bd)# interface g0/2/0/0.500
VFI PW mesh to all
(config-l2vpn-bg-bd)# vfi 500
neighbors
(config-l2vpn-bg-bd-vfi)# neighbor 1.1.1.2 pw-id 1
(config-l2vpn-bg-bd-vfi)# neighbor 1.1.1.3 pw-id 1
(config-l2vpn-bg-bd-vfi)# neighbor 1.1.1.4 pw-id 1
Broadcast frame
Broadcast frames
PE3 received on a PW
are not forwarded
to other PWs in
Full Mesh of PW to guarantee frame delivery the same VFI
MAC Address
withdrawal
X
X
MAC Address
withdrawal
On by default
Speeds up convergence process upon PE or AC failure
Otherwise PE relies on MAC address aging timer
Upon failure
PE removes locally learned MAC addresses
Send LDP address withdraw (RFC 3036) to remote PEs in VPLS
(using the Directed LDP session)
New MAC List TLV is used to withdraw addresses
PEs not supporting LDP MAC address TLV silently ignore it
Drawbacks:
No hierarchical scalability, scaling issues
Full mesh causes classic - N*(N-1) / 2 concerns
Direct attachment
EFP attachment circuits
Hierarchical or H-VPLS comprising of two access
PW attachment circuits:
Ethernet Edge (EE-H-VPLS): QinQ tunnels
MPLS Edge (ME-H-VPLS): PWE3 PWs (EoMPLS)
MPLS Core
Ethernet Ethernet
(VLAN/Port/EFP) Full Mesh PWs + LDP (VLAN/Port/EFP)
MPLS Ethernet
l2vpn
bridge group BG_10
bridge-domain BD_10 Optional MAC aging
mac aging time 200 setting
!
MPLS Core
1 2
802.1q QinQ
3 QinQ 802.1q
Access Tunnel Full Mesh PWs + LDP Tunnel Access
Vlan 802.1q
1 Data MAC1 MAC2 VPLS
CE Customer
Vlan Vlan QinQ
2 Data MAC1 MAC2 SP Edge
CE SP
Vlan Pseudo Wire
QinQ Ethernet 3 Data MAC1 MAC2 VC
CE SP Core
QinQ EFP
interface gigabitEthernet0/1/0/10.500 l2transport
encapsulation dot1q 20 second-dot1q 25
l2vpn QinQAC
Bridge-domain
bridge group BG18
bridge-domain BD180
!
interface GigabitEthernet0/1/0/10.500 VFI with neighbor
PW mesh
! configured
vfi VFI1800
neighbor 18.18.18.15 pw-id 8000
neighbor 55.55.5.5 pw-id 7000
MPLS MPLS
Access Access
MPLS Core
1 2
MPLS
802.1q MPLS 3 Pseudo 802.1q
Access Pseudo Wire Full Mesh PWs + LDP Wire Access
1 Vlan 802.1q
Data MAC1 MAC2
CE Customer H-VPLS
2 Vlan MPLS PW
Data MAC1 MAC2 VC1 Label 1
CE SP Edge
3 Vlan Pseudo Wire
Spoke PW Data MAC1 MAC2 VC2
CE SP Core
MPLS configuration
(config)# mpls ldp on the interface that
(config-ldp)# interface gigabitEthernet0/5/0/10 connects the spoke
PW
l2vpn Bridge-domain PW AC
bridge group BG_1000
bridge-domain BD_1000
!
!
neighbor 11.11.11.1 pw-id 1111 VFI with neighbor
! PW mesh
vfi VFI1000 configured
neighbor 12.12.12.15 pw-id 5000
neighbor 45.45.5.5 pw-id 2000
Configure EFPs
matching, rewrite, QoS, ACL, etc.
Create a L2VPN Bridge-domain
Attach the EFPs to an bridge-domain
Within the bridge-domain, create a VFI with a PW mesh
connecting all neighbors
Optionally:
configure MAC learning/limiting features
List of VFIs:
VFI 10
PW: neighbor 10.2.2.2, PW ID 102, state is up ( established )
PW class not set, XC ID 0xfffc0006
Encapsulation MPLS, protocol LDP
VFI details
PW type Ethernet, control word disabled, interworking none
PW backup disable delay 0 sec
Sequencing not set
VFI PW details
MPLS Local Remote
------------ ------------------------------ -------------------------
Label 143994 16027
Group ID 0x0 0x7
LDP information
Interface 20 20
MTU 1500 1500
Control word disabled disabled
PW type Ethernet Ethernet
VCCV CV type 0x2 0x2
(LSP ping verification) (LSP ping verification)
VCCV CC type 0x6 0x6
(router alert label) (router alert label)
(TTL expiry) (TTL expiry)
------------ ------------------------------ -------------------------
MIB cpwVcIndex: 5
Create time: 16/12/2010 22:49:48 (1w5d ago)
Last time status changed: 16/12/2010 22:49:54 (1w5d ago)
MAC withdraw message: send 0 receive 0
Static MAC addresses:
Statistics:
packets: received 192, sent 519058
bytes: received 14627, sent 35297592
IGMP Snooping profile: none
PW: neighbor 10.3.3.3, PW ID 102, state is up ( established ) (additional info omitted)
VPLS Troubleshooting
Follow these guidelines to help troubleshoot and verify your VPLS
configuration:
Traffic is down, but bridge, AC, and PW are up. Why?
Check counters.
Determine which LC or interface is dropping the traffic.
Get counters on interface and subinterface.
VPLS Troubleshooting
VPLS Auto-Discovery
BGP for PW auto-discovery: Auto-discovery, by nature, requires the VPN
information to be distributed to all members of a VPN multipoint
mechanism. BGP is well-suited for this purpose..
BGP for signaling: BGP is also used in signaling to exchange label bindings
and for convey MTU and state changes.
References:
VPLS with BGP Auto-discovery and BGP Signaling:
RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for
Auto-Discovery and Signaling
VPWS with BGP Auto-discovery and BGP Signaling:
draft-kompella-l2vpn-l2vpn-02.txt: Layer 2 Virtual Private
Networks Using BGP for Auto-discovery and Signaling
VPLS Auto-Discovery
Problem:
Manual PW mesh creation for each PE.
Manual addition or deletion of new PEs is CLI-intensive
Increased costs and misconfiguration
Solution:
VPLS BGP Auto Discovery finds PEs within the same VPLS domain and
automatically detects when new PEs are added or removed from the
VPLS domain.
! BGP-AD (RFC 4761)
BGP Autodiscovery can also be used with VPWS
! draft-kompella-l2vpn-l2vpn-02.txt
BGP-AD Terminology
The following slide defines terminology important to VPLS and virtual
private wire service (VPWS) BGP-AD configuration.
BGP-AD Terminology
VPN-id
A representation of a BD or xconnect in the discovery database that stores all AD
information pertaining to the VPN (RD, RT, and so on). It must be unique within the
box because it is a key to index into the database. It is not distributed to other PEs
in the network.
RD (Route Distinguisher)
RD is a prefix that is added to the packet originating from the customer end to
distinguish traffic streams from different customers. RD must be unique within a
box, and it will be advertised to other PEs.
RT (Route Target)
Identifier of a VPLS bridge in a BGP network.
Export route target is the RT that is going to be in the network layer reach ability
information (NLRI) advertised to other PEs
Import route target is what the PE compares with the RT in the received NLRI. The
RT in the received NLRI has to match the import RT to decide that they belong to
the same VPLS service.
VFI can have multiple export or import RTs.
Multiple VFIs within a box can have the same RTs.
PE1
CE3 PE3 CE1
MPLS Core
3.3.3.3 1.1.1.1
LDP config
PE3 PE1 BGP config
mpls ldp mpls ldp
router-id 3.3.3.3 router-id 1.1.1.1
interface GigabitEthernet0/2/0/3 interface GigabitEthernet0/3/0/0
! !
router bgp 100 router bgp 100 AF L2VPN config 1
bgp router-id 3.3.3.3 bgp router-id 1.1.1.1
address-family l2vpn vpls-vpws address-family l2vpn vpls-vpws
neighbor 1.1.1.1 neighbor 3.3.3.3
remote-as 100 remote-as 100
update-source Loopback0 update-source Loopback0
address-family l2vpn vpls-vpws address-family l2vpn vpls-vpws
AF L2VPN config 2
3.3.3.3 1.1.1.1
PE3 PE1
Autodiscovery
l2vpn l2vpn
attributes
bridge group GR1 bridge group GR1
bridge-domain BD1 bridge-domain BD1
interface GigabitEthernet0/1/0/1.1 interface GigabitEthernet0/1/0/2.1
vfi VF1 vfi VF1
vpn-id 100 vpn-id 100 VPN id is locally
autodiscovery bgp autodiscovery bgp significant
rd auto Signaling rd auto
route-target 1.1.1.1:100 attributes route-target 1.1.1.1:100
signaling-protocol bgp signaling-protocol bgp
ve-id 3 ve-id 5
RT must
ve-id must be unique per match peer
PE within same VFI
Redundant links,
single N-PE
Redundant links,
redundant N-PE MPLS core
AC Redundancy Overview
For native Ethernet networks, the Cisco ASR 9000 router supports the
widely deployed, standards-based Layer 2 redundancy protocol IEEE
802.1s, MST protocol.
For MPLS L2VPN services, to provide redundancy as well as to avoid
Layer 2 forwarding path loops, traditional Layer 2-based redundancy
protocols like MST do not apply. The challenge is that the Layer 2 access
and Layer 3 MPLS aggregation networks are disconnected from the
redundancy-protocol, control-plane point of view. However, from the data-
plane point of view, native Layer 2 access and L2VPN virtual circuit in
aggregation networks are combined to provide Layer 2 service for the end
user. This requires a mechanism to connect the control plane as well as the
data plane between the access and aggregation networks. MST Access
Gateway provides this mechanism.
AC Redundancy Overview
Blocked for
Instance 2
Ethernet
network with Root (Instance 1)
an MST
domain
configured
Root (Instance 2)
CE U-PE
Blocked for
Instance 1
VPLS mesh
Block segment Propagate TCNs creates a
of logical L2 loop logical loop
Isolate access
domain
control
protocols
Ethernet
U-PE
CE
MST access
gateway
Requirements:
Need to block Layer 2 PE-CE segment
Need to propagate TCNs from access to VPLS and vice-versa
Need to isolate access network control protocols
H- VPLS PW Redundancy
If a PW failure occurs, the Access ring reconverges, blocked links will move
to forwarding and U-PE2 sends a VPLS MAC withdrawal messages to all
other PEs.
Upon recovery, the active link will return to blocking, U-PE1 sends
another VPLS MAC withdrawal message.
H-VPLS PW Redundancy
H-VPLS PW Redundancy
Primary PW
N-PE1 N-PE2
U-PE1
Backup PW
BPDU sent
Equal cost with zero
BPDU cost to root
received,
Layer 2 loop
detected,
block access
link
U-PE
CE
BPDU sent MST access
with zero gateway
cost to root
PEs send pre-set BPDU hellos with zero cost to root. The root is
statically configured.
Access devices see a Layer 2 loop as a result of pre-set BPDUs and
blocks the link.
To block a specific link, Access switches must have port costs set.
F1 U-PE1 N-PE2
Link failure CE1
Link originally MST access
blocked moves gateway
to forwarding
If failure occurs at F1, F2, or F3 the Access ring reconverges, the blocked link
moves to forwarding and U-PE1 will send VPLS MAC withdrawal messages to all
other PEs
Upon recovery, the blocked link returns to blocking, U-PE1 sends a VPLS MAC
withdrawal
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 14/54
interface GigabitEthernet1/1/1
CE2
switchport mode trunk 1
spanning-tree mst 0,2 cost 100000
MST
access
CE2 Instance 1
gateway
spanning-tree mode mst
spanning-tree mst configuration High link cost for MST
name CISCO instances 0 and 2
revision 1
instance 0
instance 1 vlan 101,103,105,107
instance 2 vlan 102, 104, 106, 108
interface GigabitEthernet2/2/2
High link cost
switchport mode trunk
spanning-tree mst 1 cost 100000
for MST
instance 1
Summary
Cisco ASR 9000 Multipoint Layer 2 Services
In this module, you learned to:
Describe how attachment circuits (ACs), Ethernet flow points (EFPs),
bridge-domains (BDs) and multiprotocol label switching (MPLS) are
involved in building Layer 2 services
Describe and configure local E-LAN and VPLS service
Overview
Description
This module provides a detailed description of the Operations
Administration, and Management (OAM) features.
Objectives
After completing this module, you will be able to:
Describe and configure link-based OAM features (Ethernet-OAM or E-
OAM)
Describe and configure service-based OAM features (Connectivity Fault
Management or CFM)
Describe and configure MPLS OAM
CFM
E-OAM
MPLS OAM
P P
CE1 PE1 PE2 CE2
(GE) (GE) (GE) (GE)
VPLS
Cisco mesh Cisco
ASR Cisco ASR
9000 12000 9000
PE3 CE3
UNI Ethernet or
Cust A
IP or MPLS Cisco UNI
Loc 1 MPLS Access ASR
and Core
9000
Aggregation
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
Business Business
Backbone Backbone
Bridges Bridges
Provider Access
Bridges PWs
MPLS OAM
Residential E-OAM Residential
(802.3ah) IP/MPLS
OAM frames, called OAM protocol data units (PDUs), use the slow protocol
destination MAC address 0180.c200.0002. They are intercepted by the
MAC sublayer and cannot propagate beyond a single hop within an
Ethernet network. The frame transmission rate is limited to a maximum
of 10 frames per second; therefore, the impact of OAM on normal
operations is negligible. (Standardized: IEEE 802.3ah, clause 57, now in
IEEE 802.3-2005).
CE CE
802.3ah OAM
PDUs
E-OAM
(802.3ah)
E-OAM Discovery
Discovery is the first phase of Ethernet OAM and it identifies the devices
in the network and their OAM capabilities. Discovery uses information
OAM PDUs. During the discovery phase, the following information is
advertised within periodic information OAM PDUs:
OAM mode: Conveyed to the remote OAM entity. The mode can be
either active or passive and can be used to determine device
functionality.
OAM configuration: Advertises the capabilities of the local OAM
entity. With this information a peer can determine what functions
are supported and accessible; for example, loopback capability.
OAM PDU configuration: Includes the maximum OAM PDU size for
receipt and delivery. This information along with the rate limiting
of 10 frames per second can be used to limit the bandwidth
allocated to OAM traffic.
Platform identity: Combination of an organization unique identifier
(OUI) and 32-bits of vendor-specific information. OUI allocation,
controlled by the IEEE, is typically the first three bytes of a MAC
address.
Discovery includes an optional phase in which the local station can accept
or reject the configuration of the peer OAM entity. For example, a node
may require that its partner support loopback capability to be accepted
into the management network.
Discovery
OAM OAM
X
MAC MAC
PHY PHY
link-monitor
action
remote-loopback
mib retrieval
required remote
E-OAM configuration
802.3 OAM Configuration
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
Operational status:
Port status: Operational
Loopback status: None
Interface mis-wired: N Remote E-
OAM
Remote client
setting
Additional
------------- configuration
MAC address: 0024.98e8.20da not shown
Vendor (OUI): 00.00.0C (Cisco)
.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
.
.
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
Connectivity
Connectivity Fault(CFM
Fault Management Management
or 802.1ag)
(CFM or 802.1ag)
Customer Domain
Provider Domain
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
CE CE
Operator A Operator B
Service Provider
Customer
CE Operator A Operator B CE
Continuity check
Loopback
Traceroute
Alarm indication signal (AIS)
The MEP IDs must be unique for each MA.
CE Operator A Operator B CE
MEP MEP
MEP MEP
CE Operator A Operator B CE
MEP MIP MIP MEP MEP MIP MIP MIP MIP MEP
Up or Down MEPs
CFM Continuity Check is the main protocol used for end-to-end fault detection
and notification. CFM MEPs are the active components of this protocol, because
they send continuity check messages (CCMs).
Inward-facing MEPs are referred to as UP MEPs in CFM standard. They can
send CCMs even if the port where a CCM is configured is down.
Outward-facing MEPs are referred to as DOWN MEPs in CFM standard. They
cannot send CCMs if the port where a CCM is configured is down.
Up or Down MEPs
UP/Down MEPs
Per link
DOWN MEPs are used for DOWN MEP
services spanning a single link Bridge 1 Bridge 2
can be used with Layer 2 and Bridge Bridge Bridge Bridge
Layer 3 interfaces
Port Port Port Port
UP MEPS are commonly used for Relay Relay
Entity Entity
services across multiple
switches for end-to-end Monitored area
connection with bridge-domain
or cross-connect Layer 2
interfaces UP MEP
Per service
Monitored area
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
CE Operator A Operator B CE
Catalogue and
Catalogue Catalogue Terminate
1 2 3
Continuity Check Message
X
(CCM)
CE Operator A Operator B CE
S D
MEP MIP MIP MEP
CE Operator A Operator B CE
6
S 4 D
2
MEP MIP MIP MEP
1 3 5 1, 3, 5
X Linktrace Message (LTM)
Y 2, 4, 6
Linktrace Reply (LTR)
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
CFM-show CCM
The show ethernet cfm ccm-learning-database command shows the
CFM CCM details including the CFM domain and service, the source MAC
address, and the interface on which it is configured.
The show ethernet cfm int statistics location command displays CFM
statistics for a particular LC.
CFM-show CCM
CFM-Ping
Use the CFM ping command to ping a CFM maintenance point to check
for connectivity.
CFM-Ping
CFM-Ping
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
MPLS OAM-VCCV
Virtual Circuit Connection Verification (VCCV) is an L2VPN Operations,
Administration, and Maintenance (OAM) feature that allows network
operators to run IP-based provider edge-to-provider edge (PE-to-PE)
keepalive protocol across a specified pseudowire to ensure that the
pseudowire data path forwarding does not contain any faults. The
disposition PE receives VCCV packets on a control channel, which is
associated with the specified pseudowire. The control channel type and
connectivity verification type, which are used for VCCV, are negotiated
when the pseudowire is established between the PEs for each direction.
MPLS Embedded ManagementLSP Ping/Traceroute and AToM VCCV
can detect when an LSP fails to deliver user traffic.
You can use MPLS LSP Ping to test LSP connectivity for IPv4 Label
Distribution Protocol (LDP) prefixes, traffic engineering (TE)
Forwarding Equivalence Classes (FECs), and AToM FECs.
You can use MPLS LSP Traceroute to trace the LSPs for IPv4 LDP
prefixes and TE tunnel FECs.
AToM VCCV allows you to use MPLS LSP Ping to test the Pseudo-Wire
(PW) section of an AToM virtual circuit (VC).
Internet Control Message ProtocolVCCV pings are used to verify or trace
PE-PE tunnel LSPs, similar to ICMP (IP) ping in the following ways:
Sequence number
Timestamps
Sender identification
Full identification of FEC, based on the application
Variable length for MTU discovery
Support for tunnel or path tracing
Multiple reply modes
Reference: IETF draft-ietf-lsp-ping-01.txt
PSN
CE PE1 PE2 CE
Attachment Attachment
Circuit Circuit
MPLS-TE tunnel
One tunnel can serve many pseudo-wires.
MPLS LSP ping is sufficient to monitor the PSN tunnel (PE-
PE connectivity), but not PWs inside of tunnel.
Trace/Verify packets take same path as data packets
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/18
Summary
Cisco ASR 9000 Operations, Administration and Maintenance (OAM)
In this module, you learned to:
Overview
Description
This module defines the Layer 2 multicast features offered by the
Cisco ASR 9000 router. It begins with an overview of multicast concepts
including sources, receivers, and groups for both Layer 2 and Layer 3.
Internet Group Management Protocol (IGMP) snooping implementation.
Control-plane and data-plane architecture are discussed. The final section
gives deployment examples and shows the corresponding CLI commands.
Objectives
After completing this module, you will be able to:
Describe the fundamentals of Layer 2 multicast
Describe Cisco ASR 9000 Layer 2 multicast control plane
Describe Cisco ASR 9000 Layer 2 multicast data plane
Configure Layer 2 multicast parameters
Source Receivers
P P
ASR ASR
9000 9000
ASR
9000
Multipoint Layer 2 Connection
Routers Switches
G1
(PIM) (IGMP snooping)
G2
(S1,G1)
G1 G2
Sources
G1
G2 Receivers
(IGMP)
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 16/4
By default, L2 Broadcast
G1
switches treat Source
multicast traffic as
unknown or
Group 1 Data
broadcast and G1
must flood the
frame to every port Default
Router
G1,G2
This will happen
with every Group 2 Data
multicast packet
being sent from the G2
router
Receivers
IGMP
PIM SSM in Snooping in
Layer 2 edge
Layer 3 Core Home
gatewa y
Streaming
Video Home
Channels gatewa y
Super
HeadEnd
IP
Metro
Backbone Aggregation
Network
VoD Servers Home
gatewa y
Video Headend
Home
gatewa y
Receivers
EFP Bridge-domain
EFPs G1
IGMP snooping
G2
Multicast traffic
Multipoint VPLS
Source Multicast G2
router
IGMP MPLS IGMP
BD
PW or
VFI TE
IGMP snooping
EFPs
LC1
NPU
IGMP B0
Switch Fabric
NPU
Interface
1
Fabric
NPU
B1 IGMP Snooping
NPU 2
3
4 L2FIB RP
L2FIB
NP3
Fabric Interface
B1
LC1 NP2
Multicast
NP3 2 4 NPU replication
B0
Fabric Interface
Source
NP2 1 NP1
IGMP joins replicate
B0 each copy
NP0
NP1
B1
3 per interface
4
Switch with a
NP0 LC3
Fabric receiver
NP3
Fabric Interface
B1
NP2
NP1
B0
NP0
LC2
NP3
Fabric Interface
2 B1
Multicast LC1 NP2
Source NP3 2
1
B0 IGMP joins
Fabric Interface
NP2 NP1
B0
3
IGMP joins 2 NP0
4
NP1
B13
Switch
NP0 LC3
4 Fabric
NP3
Fabric Interface
B1
NP2
Uniform egress multicast replication
independent of port location for both Layer NP1
B0
2 and Layer 3 multicast traffic NP0
Fabric Interface
B1 port
LC1 2 NP2
Multicast NP3 2
Source B0
Fabric Interface
NP2 1 NP1 M1
M2
NP0 IGMP joins
NP1 3 M3
B1 4
Switch
NP0 LC3
Fabric
NP3 M4
Fabric Interface
B1
2 3 On Egress Line card - NP2
replicate packet to all NPUs
who have a member port NP1
B0
NP0
Implementation
On the Cisco IOS XR CLI running on the Cisco ASR 9000 router, IGMP
snooping is enabled per BD, using profiles.
An empty BD profile attached to a BD is the minimum configuration
required to implement IGMP snooping. To disable snooping, simply
remove the profile with the no command.
More specific implementations can be created by attaching separate port-
level profiles.
Guidelines:
An empty profile configures IGMP snooping on the bridge
domain and all ports under the bridge using default
configuration settings.
A bridge domain can have only one IGMP snooping profile
attached to it (at the bridge domain level) at any time. Profiles
can be attached to ports under the bridge, one profile per port.
Port profiles are not in effect if the bridge domain does not have
a profile attached to it.
IGMP snooping must be enabled on the bridge domain for any
port-specific configurations to be in effect.
If a profile attached to a bridge domain contains port-specific
configuration options, the values apply to all of the ports under
the bridge, including all mrouter and host ports, unless another
port-specific profile is attached to a port.
When a profile is attached to a port, IGMP snooping
reconfigures that port, disregarding any port configurations that
may exist in the bridge-level profile.
Implementation
Hierarchical configuration:
Create a IGMP snooping profile
Attach the profile to a bridge-domain or to ports under a bridge-
domain
Profile usage:
Empty profile attached to a bridge-domain will enable IGMP
snooping on all attached ports. One profile per bridge-domain.
To disable, detach the profile.
Separate profiles can be attached to ports under the bridge-
domain to configure port-level features. One profile per port.
If a profile attached to a bridge-domain contains port-specific
configuration, this will supersede any port profile configuration,
unless a port-specific profile is added later.
Bridge-domain profile
Port profile
Enables IGMP snooping with
attributes defined in profile to Port profile
bridge domain
1 Config
2
MP
bridge group
bridge-domain
IGMP snooping IGMP snooping profile
profile
1 Interfaces or VFI
router(config)# igmp snoop profile DEFAULT
When hosts want to leave a multicast group, they can either ignore the
periodic general IGMP queries (called a silent leave), or they can send a
group-specific leave message.
Proxy reporting
sent with System
Mrouter Mrouter IP address
port port
General
Mrouter Query
Join
Port
1 IGMPSN
Report
Suppression
DB
Processing
1 2 3
Host Host Host
Immediate Leave
Specifies that state learned on a port can be removed immediately on receipt
of a IGMPv2 leave report or equivalent IGMPv3 membership report. This
feature should only be configured on ports attached to a single host.
Static Group
Configures a static group or (included source-group) on the port.
Mrouter
Statically configures the port to which the profile is attached to be an
mrouter port.
Router Guard
Filters multicast protocol packets originated by routers. Disallows the port
to which the profile is attached from becoming mrouter port.
Bridge Domains: 4
IGMP Snooping Bridge Domains: 2
Ports: 12
IGMP Snooping Ports: 10
Mrouters: 1
STP Forwarding Ports: 0
IGMP Groups: 2
Member Ports: 3
IGMP Source Groups: 0
Static/Include/Exclude: 0/0/0
Member Ports (Include/Exclude): 0/0
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 17/18
Profile Modifications
Modifications to profile are not propagated to referenced BDs or bridge
ports.
Profile must be detached and reattached.
Use the no igmp snooping command to remove a BD profile.
An alternate procedure is to create a new profile incorporating the desired
changes and attach it to the bridges or ports, replacing the existing profile.
This deactivates IGMP snooping and then reactivates it with parameters
from the new profile.
Profile Modifications
Profile Modifications
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 17/18
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 17/18
Summary
ASR 9000 Layer 2 Multicast
In this module, you learned to:
Overview
Description
This module describes Cisco ASR 9000s Quality of Service (QoS)
architecture and its software and hardware implementation. It provides
an example of a QoS implementation on E-Line and E-LAN services. A.
brief description of modular QoS CLI (MQC) implementation steps is
given.
Objectives
After completing this module, you will be able to do the following:
Describe the data flow from ingress LC to egress LC across the
backplane and switch fabric
Describe the implementation of modular QoS including classification,
policing, marking, queuing, shaping and scheduling components
Implement QoS on L2VPN services using IOS XR MQC
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 18/18
Four NPUs per LC, each NPU has at least one Traffic Manager
32k queues per Traffic Manager
Two TMs used on egress NPU, 1 TM used on ingress NPU
Four NPU x 32k Queues per NPU x two TMs = 256k Queues on
Egress per LC
Four NPU x 32k Queues per NPU x one TM = 128k Queues on
Ingress per LC
256k +128k = 384k Queues per LC total (ingress + egress)
384k Queues per LC x 10 slots => 3M Queues per chassis
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 18/18
EVC1
PQ1 VoIP Bearer + Control
Business Critical
Up to 16k EVCs with H-
BW
QOS per linecard
Customer - egress
BW Internet Best Effort
Up to 256k 2R3C policers,
hierarchical policing
Ingress and egress H-QOS
EVC 2
PQ1 VoIP Bearer + Control
PQ2 Telepresence
with hierarchical shaping
Port BW Internet Best Effort Dual Priority scheduling
with priority propagation
for minimum latency and
EVC1 jitter
VoIP Bearer + Control PQ1
Business Critical BW Customer - ingress Flexible & granular
Internet Best Effort BW classification: Full Layer 2,
Full Layer 3/4 IPv4, IPv6
(even for L2 services)
ANCP driven shapers for
EVC 2
Classification Classification
Policing, Policing,
marking, marking,
queuing and queuing and
scheduling scheduling
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 18/18
Ingress Egress
interface Service mapping interface
(cross-connect, bridge,
and so on)
Tier 1 Tier 2 input Ingress Tier 1 Egress Tier 2 output
input features VLAN output EFP features
features re-writes matching rewrites Egress filter
Ingress QoS, 2
Ingress Ingress Egress Egress QoS,
interface filter 1 ACLs
ACLs
classify
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 18/18
CPU Fabric
PHY NPU0 ASIC
PHY NPU1
B0 Fabric
FI/0 0 ASIC
PHY NPU2
B1
Arbiter
PHY NPU3
RSP0
PHY NPU4
Fabric
ASIC
PHY NPU5 B2
FI/O 1 Fabric
PHY NPU6 B3 ASIC
PHY NPU7
RSP1
Ingress NPU performs QoS classification and/or marking of packet fields with
set command
Egress NPU performs egress classification, queuing and scheduling based on
ingress marking.
NPU NPU
HP HP HP HP HP
LP LP LP LP LP
Priority propagation ensures consistent, predictable, low-latency queue
performance
High priority and low priority awareness on Bridge and Fabric I/O chips
2011, Cisco Systems, Inc. All rights reserved. Version 4.0.1 Cisco ASR 9000 EssentialsModule 18/18
Congestion avoidance
Not all QoS techniques are appropriate for your network environment.
The Cisco ASR 9000 MQC CLI is used to:
Classify traffic with class-maps
Create traffic policies for particular class-maps
Attach policies to interfaces
1. Create class-
1 Classify Attach a policy
maps class-map 3 tointerface
an (sub)
2. Create policy- specify match interface
maps criteria
3. Apply a policy- 2 Create Policy specify a service-policy
map to
interface or policy-map specify input or
subinterface. output
specify a class
specify actions
EVC
AC AC
3 Switch 3
Ingress LC fabric Egress LC
EFP1 EFP2
int g0/1/0/0.10 int g0/2/0/2.10
service-policy input < > service-policy output < >
Global configuration
# class-map < >
match < >
1
# policy-map < >
class < >
priority-level < >
police < >
Unclassified traffic (traffic that does not meet the match criteria specified
in the traffic classes) is treated as belonging to the default traffic class.
If the user does not configure a default class, packets are still treated as
members of the default class. However, by default, the default class has no
enabled features. Therefore, packets belonging to a default class with no
configured features have no QoS functionality. These packets are then
placed into a first in, first out (FIFO) queue and forwarded at a rate
determined by the available underlying link bandwidth. This FIFO queue
is managed by a congestion avoidance technique called tail drop.
Port
Apply a shared policy among two EFPs on the same port with parent
shape/bandwidth/BRR and child class based queuing.
Same service-policy applied to all member EFPs.
All traffic from all policy instance members are subject to this
common policy instance.
Requires a new key-word to the service-policy comand:
service-policy output/input <name> shared-policy-instance <name>
PE1
EFP #1 for EoMPLS
PE2
EFP #2 for VPLS
EoMPLS E-Line
PE1 PE3
VPLS E-LAN
PE2
PE4
EFP#1 - EoMPLS
Cos5 P1 50Mbps
Cos3 P2 50Mbps
Customer - ingress
Cos1 BW 50Mbps
Best Effort EFP#2 VPLS
Port Class-level queues
EFP# 2 - VPLS
Cos5 P1 50Mbps
Cos3 P2 50Mbps
Cos1 BW 50Mbps
Best Effort
EFP#1 - EoMPLS
Child-level P1 50Mbps Class Map:
queues P2 50Mbps Child-level class-map and
Best Effort 50Mbps policy-map to be shared by
both EoMPLS and VPLS
EFPs
Parent-level
EFP# 2 - VPLS
Cos5 P1 50Mbps Class Map:
policer P2 50Mbps Parent-level class-map and
Cos3
Cos1 BW 50Mbps policy-map applied to
Best Effort child-level classes
Match on VLAN ID
Grandparent- Cos5
level policer Cos3
Cos1
Cos5
Parent-level class-
Cos3 map and policy-map
Cos1 applied class-default
policy-map GRANDPARENT_SHAPER
service-policy PARENT_LEVEL_SHAPER
shape average 350 mbps Shape both EoMPLS
bandwidth remaining ratio 200 and VPLS traffic to
!
class class-default 350Mbps total
! Assign a bandwidth
Interface gigabitEthernet 0/2/0 remaining ratio of 200.
(config)
Grandparent- Cos5
level policer Cos3
Cos1
Cos5
Apply the final QoS
Cos3 policy statement to
Cos1 two different EFPs.
The In-Place Policy Modification feature allows you to modify a QoS policy
even when the QoS policy is attached to one or more interfaces. When you
modify the QoS policy attached to one or more interfaces, the QoS policy is
automatically modified on all the interfaces to which the QoS policy is
attached. A modified policy is subject to the same checks that a new policy
is subject to when it is bound to an interface.
If the policy-modification is successful, the modified policy takes effect on
all the interfaces to which the policy is attached. The configuration session
is blocked until the policy modification is complete.
However, if the policy modification fails on any one of the interfaces, an
automatic rollback is initiated to ensure that the pre-modification policy is
in effect on all the interfaces. The configuration session is blocked until the
rollback is complete on all affected interfaces.
Additional QoS reference:
http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.0/qos/c
onfiguration/guide/qc40asr9kbook.html
Summary
ASR 9000 Quality of Service
In this module, you learned to:
Describe the data flow from ingress LC to egress LC across the
backplane and switch fabric
Describe the implementation of modular QoS including classification,
policing, marking, queuing, shaping and scheduling components