QinQ

service instance 940 ethernet

description description TEST_OUTER_940_Inner_942

encapsulation dot1q 940 second-dot1q 942

rewrite ingress tag pop 2 symmetric

bridge-domain 942

 

interface Vlan942

description TEST_OUTER_INNER_TAGs

mtu 9100

ip address 10.97.97.1 255.255.255.252

no ip proxy-arp

end

 

 

#ping 10.97.97.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.97.97.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

 

#sh mac address-table dyn bridge-domain 942

Mac Address Table

——————————————-

 

BD      Mac Address       Type        Ports

—-    ———–       ——–    —–

942    5087.89fd.d320    DYNAMIC     Gi0/24+Efp940

 

 


 

http://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me3600x_3800x/software/design/guide/ME3600x_Design_Guide.pdf

 

http://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me3600x_3800x/software/design/guide/CE2-0_certification_v1.pdf

 

http://d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKSPG-2209.pdf


A Catalyst Switch will only look at the first VLAN Tag(Outter), it doesn’t care about the inner vlan tag and will forward the frame on. Just watch your MTU Size, because you lose 4btyes to the inner vlan tag.

 

A Good Example. http://blog.jhe.co/2009/11/dot1q-tunneling.html

 


http://supportforums.cisco.com/sites/default/files/legacy/8/2/1/96128-ASR%209000%20Multiple%20Services%20onthe%20same%20port%20example.jpg

 

Look at the Routed VPLS/EoMPLS section

 

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-1_2_ey/configuration/guide/3800x3600xscg/swmpls.html#pgfId-1260366

 

What you are looking for a is a VPLS Routed Interface Configuration, just association the VPLS instance with the bridge group. I have never tried this, so I could be wrong, but it’s worth a shot.

 

Try adding this. This creates’ a VPLS Instance and associates it to the Bridge Group 941.

l2 vfi TESTING manual

vpn id 941

bridge-domain 941

 

Then under your VLAN Interface associate the VLAN Interface with the VPLS Instanace.

interface Vlan941

xconnect vfi TESTING   <<<<<<<<<<<< ADD THIS

description INNER_OUTER_TAG_TEST

mtu 9100

ip address xxx.xxx.xxx.xxx 255.255.255.252  no ip proxy-arp

 

 

Also watch your MTU Size’s a mismatch can cause the VPLS instance to be down. You can check it with “show mpls l2transport vc vcid 941 detail”

 

This looks good

 

interface GigabitEthernet0/24   <- Connects to 4500X

service instance 940 ethernet

description description Inner_outer_tag_test_Outer_940_Inner_941

encapsulation dot1q 940 second-dot1q 941

rewrite ingress tag pop 2 symmetric

bridge-domain 941


Here is a step by step,

 

Step By Step Description                        Commands “semi-colon is a new line”

————————————————————————————————————————–

  1. Create a Bridge Group l2 vfi TESTING manual;  vpn id 820;  bridge-domain 820
  2. Go to the interface interface g0/0/11
  3. Incoming frame Outter 800, inner 20 encapsulation dot1q 800 second-dot1q 20
  4. Removed Both Taggs 800 and 20 rewrite ingress tag pop 2 symmetric
  5. Put Unttagged Frame in Bridge Group 820 bridge-domain 820

Global Config

6a. ASR920 Created L3 Routed Interface  bridge-group 820; interface bdi820

6b. ME3800 Create L3 Routed Interface           interface vlan 820

6b. ME3800 Connect Interface to BridgeGroup     xconnect vfi TESTING

  1. Assigned IP Address to the Interface ip address 192.168.0.2 255.255.255.0

 

 


 

Cisco 4500X Provider Port

Cisco 4500X Port to ME3800.

Cisco ME3800 Port Config

 

 

 

 

I Did lab this up on a ASR920, the commands should be fairly close, I noted the difference between the ASR920 and ME3800

 

Carrier Side: QinQ Interface Outer VLAN 800 InnerVLAN 20 IP 192.168.0.1/24

 

l2 vfi TESTING manual

vpn id 820

bridge-domain 820

 

interface GigabitEthernet0/0/11

no ip address

negotiation auto

service instance 820 ethernet

encapsulation dot1q 800 second-dot1q 20

rewrite ingress tag pop 2 symmetric

bridge-domain 820

 

!!! ON A ASR920

bridge-domain 820

interface BDI820

ip vrf forwarding TESTING2

ip address 192.168.0.2 255.255.255.0

no shut

 

!!!!ON A ME3800

int vlan 820

xconnect vfi TESTING

ip address 192.168.0.2 255.255.255.0

no shut

 

 

ASR920#ping vrf TESTING2 192.168.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

 

ASR920#show mac-address-table bdomain 820

 

Nile Mac Address Entries

 

BD    mac addr        type     ports

———————————————————————————————-

820   0012.448e.8062  DYNAMIC  Gi0/0/11.Efp820

 

 

ASR920#sh ip arp vrf TESTING2

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  192.168.0.1             2   0012.448e.8062  ARPA   BDI820

Internet  192.168.0.2             –   00f2.8bdd.603f  ARPA   BDI820

 


 

 

You must do switchport commands

Services Instance is just a number, we keep it the same as the VLAN Id Under the Service Instance you specify the VLAN ID with endcapsulation dot1q x Rewrite ingress Tag POP 1 symmetric  — This removes the first VLAN Tag on in incoming frame, if you do pop 2, it removes the 2 VLAN Tags.

 

First Example is VPLS with Bridge Domains. Bridge domain ID does not have to the same as the VLAN Id Second Example is EoMPLS XConnect

 

VPLS

——

l2 vfi  VPLS1 manual

vpn id 41

bridge-domain 41

neighbor 1.2.3.4 encapsulation mpls

 

interface GigabitEthernet0/19

switchport trunk allowed vlan none

switchport mode trunk

mtu 9180

 

!VPLS Example

service instance 41 ethernet

encapsulation dot1q 41

rewrite ingress tag pop 1 symmetric

bridge-domain 41

 

!EoMPLS Example

service instance 117 ethernet

encapsulation dot1q 117

rewrite ingress tag pop 1 symmetric

xconnect 3.4.5.6 275 encapsulation mpls pw-class L2VPN

xconnect <Remote router IP> <Unique ID in the AS>

 

Thanks for the quick reply – We use service instances quite a bit, but only popping first tag, then creating vlan int (for vrf), or PW….so fairly basic stuff 🙂

 

In this circumstance, where we would receive vlan 800 as outer tag, and we want to access inner vlans 10,20,30 how would this look under a service instance?

 

  1. Something like?

 

service instance 800 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 10,20,30

rewrite ingress tag pop 2 symmetric

bridge-domain ?

 

 

or a separate service instance and pop inner vlans on each one?

 

service instance 800 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 10

rewrite ingress tag pop 2 symmetric

bridge-domain 10

 

service instance 801 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 20

rewrite ingress tag pop 2 symmetric

bridge-domain 20

 

 

You are probably better using a service instance for each vlan. Then you can send each VLAN where ever.

 

service instance 800 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 10

rewrite ingress tag pop 2 symmetric

bridge-domain 10

 

service instance 801 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 20

rewrite ingress tag pop 2 symmetric

bridge-domain 20

CSR1000v – AWS

Ook voor de CSR1000v als startpunt de datasheet (Table 6 t/m 9):

http://www.cisco.com/c/en/us/products/collateral/routers/cloud-services-router-1000v-series/datasheet-c78-733443.html?cachemode=refresh

 

Release Notes:

http://www.cisco.com/c/en/us/td/docs/routers/csr1000/release/notes/csr1000v_3Srn.html#pgfId-3017606

 

Licensing  (in de configuration guide):

http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/csr1000Vswcfg/csroverview.html#pgfId-1132773

Lees meer

A9K-RSP440 SFP+ ports

>> So I am guessing they are normal ports which can be configured to be cluster ports and could used normally to link up to rest of the network?

>

They are not, as far as I’m aware. Very much the opposite to 6500/7600supervisors. Certainly there are no ‘interfaces’ that I can configure on RSP-440!

Correct, they are only for nV clustering, and control-plane only at that.  You still need to use line card 10G ports for data plane clustering.

Cisco 6500-E and Modules

1- As far as I understood, If we use SUP-2T on C6513-E, the Fabric Switch Capacity will be 80Gbps(2x40Gbps Channels). Is this correct?

yes in 11 slots

2- We can install WS-x6748-SFP on this setup with DFC4. Is this Correct?

Yes

3- Can we install WS-x6708-10G on this setup with DFC4 or Not?

6708 does not have DFC4 or CFC modes, so is not compatible with sup2t, you can use ws-6908-10g.

4- If no then can we use WS-x6716-10G with DFC4?

Yes

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Config_Notes/OL_24918.pdf
C6708-10GE-3CXL Local Switching:

http://www.gossamer-threads.com/lists/cisco/nsp/145906

 

Only 69xx modules  are  40 or more  per channel, all the 67xx and the upgraded 67xx ones with dfc4 (rebadged to 68xx) will still be 20 per channel, the DFC does not matter, the fabric asic and hardware on the older modules is all 20g per channel (40g total on dual channel cards).

Cisco EEM

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/command/eem-cr-book/eem-cr-e1.html#wp2241131084

A state is not an event.
A state *change* is an event.

ip sla 1
  icmp-echo 1.1.1.1 source-ip 1.1.1.2
  vrf GREEN
  tag SITE-DOWN
  frequency 5
!
ip sla schedule 1 life forever start-time now !
event manager applet SITE-DOWN
  description Site 1.1.1.1 is down
  event ipsla operation-id 1
  action 1.0 syslog priority critical msg "ALERT: Site 1.1.1.1 is down"
!

And here is what I see when I look the status of the IP SLA entry and the EEM entry.  IP SLA looks fine, the EEM isn’t triggering despite being registered.

rtr5#sh ip sla statistics 1

IPSLAs Latest Operation Statistics
IPSLA operation id: 1

Latest RTT: NoConnection/Busy/TimeoutLatest operation start time: 11:42:21 EST Mon Jan 18 2016 Latest operation return code: Timeout Number of successes: 0 Number of failures: 301 Operation time to live: Forever !
rtr5#sh event manager policy registered
No.  Class     Type    Event Type          Trap  Time Registered
    Name
1    applet    user    ipsla               Off   Mon Jan 18 11:24:46
2016  SITE-DOWN
  operation-id {1}
  maxrun 20.000
  action 1.0 syslog priority critical msg "ALERT: Site 1.1.1.1 is down"
!
rtr5sh event manager statistics polic
Average        MaximumNo.  Class     Triggered   Suppressed  Run Time       Run Time       Name
-------------------------------------------------------------------------------
1    applet    0           0           0.000          0.000
SITE-DOWN
  event {} ipsla

MPLS and links with limited MTU size

When deal with Mtu issues on all out site to site vpn.  Gre plus IPSec plus other uses up 60 to 90 bytes.

There are some good docs on cisco site. Standard solution for tcp flows is, … for the constrained or tunnel int.

"IP Mtu 1400"
"IP tcp adjust-mss 1360"

This will cause the tcp 3way setup to negotiate a 1360byte mss which then fits into the 1500 byte max physical Mtu size.

In theory, setting the Mtu to 1400 will also cause the pmtu discovery process to auto adjust as well.  This is hit or miss, depending on stack and if icmp is being filtered in the path.

Windows tries hard to guess the Mtu and usually sets the do not frag bit on most packets.   The above usually works. But we often find some non-tcp app defaults to 1500 bytes anyway.  Since windows sends it with do not frag, the router drops it. To fix this use a route-map to clear the DF bit.  I only do this for udp now.  Seems a good compromise.

All this would be done on your Cpe or other edge router. Tunnelled ddos mitigation vendors also do this to avoid Mtu issues.

IP-SLA

 

You are missing a bit more specifics on your event definition… It just doesn’t match a reaction event from IP SLA.

 

If you look here:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/command/eem-cr-book/eem-cr-e1.html#wp2241131084

 

You can see that there are quite a few options to set what exactly you want to trigger on with regards to IP SLA.

I think you have to define reactions or triggers to match on IP SLA related events (events being state transitions… up to down, down to up, threshold limits, etc)

 

To be honest, I got best results from EEM and IP SLA by EEM matching on the syslog messages IP SLA produces…

 

 

working on an EEM script which is triggered by an IP SLA down

> state on an ASR1000 running IOS-XE 3.11.1S.  While the IP SLA entry

> detects the state properly, the EEM does not trigger.  I’m not finding

> anything relevant on the bug toolkit, and I am not seeing anything

> with my Google-fu.

>

> Here’s the configuration:

>

> ip sla 1

>   icmp-echo 1.1.1.1 source-ip 1.1.1.2

>   vrf GREEN

>   tag SITE-DOWN

>   frequency 5

> ip sla schedule 1 life forever start-time now !

> event manager applet SITE-DOWN

>   description Site 1.1.1.1 is down

>   event ipsla operation-id 1

>   action 1.0 syslog priority critical msg “ALERT: Site 1.1.1.1 is down”

> !

>

> And here is what I see when I look the status of the IP SLA entry and

> the EEM entry.  IP SLA looks fine, the EEM isn’t triggering despite

> being registered.

>

>

> rtr5#sh ip sla statistics 1

> IPSLAs Latest Operation Statistics

>

> IPSLA operation id: 1

>         Latest RTT: NoConnection/Busy/Timeout Latest operation start

> time: 11:42:21 EST Mon Jan 18 2016 Latest operation return code:

> Timeout Number of successes: 0 Number of failures: 301 Operation time

> to live: Forever !

> rtr5#sh event manager policy registered

> No.  Class     Type    Event Type          Trap  Time Registered

>     Name

> 1    applet    user    ipsla               Off   Mon Jan 18 11:24:46

> 2016  SITE-DOWN

>   operation-id {1}

>   maxrun 20.000

>   action 1.0 syslog priority critical msg “ALERT: Site 1.1.1.1 is down”

> !

> rtr5sh event manager statistics policy

>

>                                         Average        Maximum

> No.  Class     Triggered   Suppressed  Run Time       Run Time       Name

>

> ——————————————————————————-

> 1    applet    0           0           0.000          0.000

> SITE-DOWN

event {} ipsla

 

 


 

>(Specifically what I’m looking for is something that hooks into IP SLA

>or Ethernet OAM/CFM and takes a link out of IGP routing if packet loss

>crosses a certain threshold – we recently had a carrier break their

>metro network in interesting ways, leading to 50% packet loss, which

>was enough to effectively take the site offline, but IGP stubbornly

>clung to “I have seen a keepalive!”)

 

something like this could get you started, Gert?

 

1) Trigger based on SNMP interface error counters.

Rate is always calculated per second. Average factor identifies number of data points (one for each poll-interval) will be averaged for calculation of rate. Average factor needs to be a minimum of 2.

 

event manager applet INTERFACE-ERROS trap event snmp oid ifEntry.14.XX get-type exact entry-op ge entry-val 10 entry-type rate average-factor 2 poll-interval 5 action 20.0 syslog msg “disabling Gigxxx due to errors”

action 30.0 cli command “enable”

action 30.1 cli command “config terminal”

action 40.0 cli command “interface Gig XX”

action 50.0 cli command “ip ospf cost 9999”

action 60.0 cli command “end”

 

and a reverse to reduce the cost back in case error rates falls below a threshold?

 

you can also trigger based on IP-SLA, for example below trigger

 

2) Trigger based on RTT delay mib:

Use RTT delay mib associated with RTR probes to trigger when the delay is too long. rttMonLatestJitterOperRTTSum shows the sum of delays for probes sent during the last interval. By default 10 probes are sent. To trigger on 10ms RTT delay trigger value must be set below 100.

 

event manager applet TEST3-SNMP-RTT-Delay trap event snmp oid rttMonLatestJitterOperRTTSum.1 get-type exact entry-op ge entry-val 90 entry-type value exit-op le exit-val 20 poll-interval 10 […]

 

for Ethernet OAM/CFM, you could hook EEM into the syslog messages produced by the syslog? You can also parse the syslog string using regexp, check the applet I found somewhere:

 

event manager applet TunnelLost

event syslog occurs 1 pattern “OSPF-5-ADJCHG.*on Tunnel.*FULL to DOWN”

period 1

action 100 regexp “on (Tunnel[0-9]+) from” “$_syslog_msg” match ifname  action 200 if $_regexp_result eq 1  action 210  cli command “show interface $ifname | include Description:”

 

Veranderen host naam TRA

Changing the Hostname of a Leader Appliance:
1. SSH to the CLI of the Leader Appliance
2. Stop services on the Leader appliance: “services sp stop”
3. Rename the appliance: “service sp device rename old_name new_name”
4. Set the new name on the device: “system name set new_name”
5. Start SP services: “service sp start”
6. Save the configuration: “config write”

1 5 6 7 8