Central Services Topology

> Question: Have also seen comments in forums like: “The best practice for this Hub and Spoke is to use TWO VRFs in the Hub site, ‘From-Spoke’ and ‘To-Spoke’.”


This is an immaterial implementation detail. Some shops do this because their automation system abstracts a VRF into a set of import/export statements: clients share one set and hubs share a different set. Also, if you have hub and spoke on the same PE, you’re going to need another name; if not, a single name is fine, but it may be more difficult to automate, as the name does not imply the config.


ipv4 vrf hubs
  route-target export 42:hubs
  route-target import 42:spokes
ipv4 vrf spokes
  route-target export 42:spokes
  route-target import 42:hubs


Now the problem with this approach is that if you have more than one spoke on the same PE, they are able to communicate with each other. To work around this you’ll need a ‘half duplex VRF’, where the ingress and egress RIB/FIB are different.

Packets coming from spokes look at FibA, packets going to spokes look at FibB. FibA has only routes to hubs, FibB has only routes to spokes.


ip vrf spokesIn
  route-target import 42:hubs
ip vrf spokesOut
  route-target export 42:spokes
ip vrf hubs
  route-target export 42:hubs
  route-target import 42:spokes



int Spoke1
  ip vrf forwarding spokesIn downstream spokesOut
int Spoke2
  ip vrf forwarding spokesIn downstream spokesOut
int Hub1
  ip vrf forwarding hubs
int Hub2
  ip vrf forwarding hubs
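The isolation difference between the plain two-VRF design and the half-duplex design, as an added example that is not part of the original post: a small Python model of one PE’s VRF tables. The VRF and interface names follow the configs above; the prefixes and the two table-population rules (a connected route lands in the VRF the interface is attached to, and route-targets only govern what gets copied between tables) are assumptions of the model, which ignores labels, per-VRF vs per-prefix allocation and anything off-box. It reports which interface pairs can forward to each other under each design.

```python
"""Reachability check for hub-and-spoke VRFs on one PE.

Added example, not from the original post. It models two things the
post relies on: a connected route lands in the VRF table the interface
is attached to, and route-target import/export only governs what gets
copied between tables. Half-duplex VRF is modelled as a separate upstream
(ingress lookup) and downstream (connected-route) VRF per spoke interface.
Prefixes are made up for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    export_rt: set[str] = field(default_factory=set)
    import_rt: set[str] = field(default_factory=set)
    routes: dict[str, str] = field(default_factory=dict)  # prefix -> egress interface


@dataclass
class Interface:
    name: str
    prefix: str
    upstream: str    # VRF consulted for packets arriving on this interface
    downstream: str  # VRF that receives this interface's connected route


def populate(vrfs: dict[str, Vrf], ifaces: list[Interface]) -> None:
    """Install connected routes, then copy exported routes into importing VRFs."""
    for i in ifaces:
        vrfs[i.downstream].routes[i.prefix] = i.name
    # Snapshot exports first so a route is not re-exported by the VRF that imported it.
    exported = [(rt, pfx, nh) for v in vrfs.values()
                for rt in v.export_rt for pfx, nh in v.routes.items()]
    for v in vrfs.values():
        for rt, pfx, nh in exported:
            if rt in v.import_rt:
                v.routes.setdefault(pfx, nh)


def can_reach(vrfs: dict[str, Vrf], ifaces: list[Interface], src_if: str, dst_if: str) -> bool:
    """True if a packet entering src_if can be forwarded out dst_if."""
    src = next(i for i in ifaces if i.name == src_if)
    dst = next(i for i in ifaces if i.name == dst_if)
    return vrfs[src.upstream].routes.get(dst.prefix) == dst.name


def reachability(half_duplex: bool) -> dict[tuple[str, str], bool]:
    """Build the PE from the post's configs and test every interface pair."""
    hubs = Vrf("hubs", export_rt={"42:hubs"}, import_rt={"42:spokes"})
    if half_duplex:
        vrfs = {"spokesIn": Vrf("spokesIn", import_rt={"42:hubs"}),
                "spokesOut": Vrf("spokesOut", export_rt={"42:spokes"}),
                "hubs": hubs}
        spoke_up, spoke_down = "spokesIn", "spokesOut"
    else:
        vrfs = {"spokes": Vrf("spokes", export_rt={"42:spokes"}, import_rt={"42:hubs"}),
                "hubs": hubs}
        spoke_up = spoke_down = "spokes"
    ifaces = [Interface("Spoke1", "10.1.1.0/30", spoke_up, spoke_down),   # assumed prefixes
              Interface("Spoke2", "10.1.2.0/30", spoke_up, spoke_down),
              Interface("Hub1", "10.0.0.0/30", "hubs", "hubs")]
    populate(vrfs, ifaces)
    return {(s.name, d.name): can_reach(vrfs, ifaces, s.name, d.name)
            for s in ifaces for d in ifaces if s is not d}


if __name__ == "__main__":
    for mode in (False, True):
        print("half-duplex VRF" if mode else "plain two-VRF")
        for (s, d), ok in sorted(reachability(mode).items()):
            print(f"  {s} -> {d}: {'reachable' if ok else 'blocked'}")
```

In the plain design Spoke1 reaches Spoke2 because both connected routes sit in the same local table; the route-targets never come into play for locally attached spokes. In the half-duplex design the table consulted for packets from a spoke (spokesIn) only ever holds imported hub routes, so spoke-to-spoke is blocked while hub-to-spoke and spoke-to-hub still work.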


Matching EXP bits in ME3600

For anyone else in the future who may be experiencing a similar issue:

Problem turned out to be QoS ACL matching conditions. Docs here state:


“Not all IP ACL options are supported in QoS ACLs. Only these protocols are supported for permit actions in an IP ACL: TCP and UDP.

Although you can configure many options in ACLs, only some are supported for QoS ACLs.

For permit protocol, the supported keywords are: tcp and udp.
For source and destination address, the supported entries are ip-address, any, or host.
For match criteria, the supported keywords are dscp or tos. You can also specify a time-range.”

I ended up having to modify the ACLs to match only on IP and remove the ICMP ACE, and it works.

Working on an ME3600X-24FS on 15.4(3)S6a; I am testing out a very simple QoS policy and it’s not working. Here’s my config:

class-map match-all ING-EF-CLASS
 match access-group name EF-CLASS-ACL
class-map match-all ING-EF-CLASS-EXP
 match mpls experimental topmost 5
ip access-list extended EF-CLASS-ACL
 permit udp any any dscp ef
 permit udp any any dscp cs5
 permit udp any any precedence critical
 permit icmp any any dscp ef
 deny ip any any
policy-map ING-UPLINK
 class ING-EF-CLASS
  set ip dscp ef
 class ING-EF-CLASS-EXP
  set mpls experimental topmost 5
interface GigabitEthernet0/24
 no switchport
 mtu 9800
 ip address
 ip mtu 9100
 ip router isis
 mpls ip
 mpls mtu 9100
 service-policy input ING-UPLINK
It seems that every packet on the wire is matching the class ‘ING-EF-CLASS-
ME3600X#sh policy-map interface
 Service-policy input: ING-UPLINK
  Class-map: ING-EF-CLASS (match-all)
   0 packets, 0 bytes
   30 second offered rate 0000 bps, drop rate 0000 bps
   Match: access-group name EF-CLASS-ACL
   set dscp 46
  Class-map: ING-EF-CLASS-EXP (match-all)
   1710 packets, 175484 bytes
   30 second offered rate 1000 bps, drop rate 0000 bps
   Match: mpls experimental topmost 5
   set mpls exp topmost 5
  Class-map: class-default (match-any)
   0 packets, 0 bytes
   30 second offered rate 0000 bps, drop rate 0000 bps
   Match: any
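A pre-deployment lint for the restriction quoted in the resolution above, as an added example that is not from the original thread: it parses IOS extended ACEs and flags anything outside the documented QoS-ACL subset, so a classification policy that silently matches nothing is caught before it reaches the box. The allowed sets are taken literally from the quoted doc text (permit protocol tcp/udp; match keywords dscp/tos plus time-range) and may need adjusting for your platform and release; ICMP type and code names are not modelled. Run against the ACL from the post, it flags the ICMP ACE and, strictly by the quoted list, the precedence ACE.

```python
"""Lint an IOS extended ACL against the QoS-ACL restrictions quoted above.

Added example, not from the original thread. The allowed sets are taken
literally from the doc excerpt (permit protocol tcp/udp; match keywords
dscp/tos plus time-range); adjust them for your platform and release.
ICMP type/code names after the addresses are not modelled.
"""

QOS_PERMIT_PROTOCOLS = {"tcp", "udp"}
QOS_MATCH_KEYWORDS = {"dscp", "tos", "time-range"}
_PORT_OPS = {"eq", "neq", "gt", "lt"}
_FLAG_OPTIONS = {"log", "log-input", "established", "fragments"}


def _take_addr(toks, i):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2


def _skip_ports(toks, i):
    """Skip an optional port qualifier (eq 53, range 1024 65535, ...)."""
    if i < len(toks) and toks[i] in _PORT_OPS:
        return i + 2
    if i < len(toks) and toks[i] == "range":
        return i + 3
    return i


def parse_ace(line: str) -> dict:
    """Split one ACE into action, protocol, addresses and trailing options."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, i = _take_addr(toks, 2)
    i = _skip_ports(toks, i)
    dst, i = _take_addr(toks, i)
    i = _skip_ports(toks, i)
    opts = []
    while i < len(toks):
        kw = toks[i]
        if kw in _FLAG_OPTIONS:            # flag keywords carry no value
            opts.append((kw, None))
            i += 1
        else:                               # keyword value pairs: dscp ef, time-range NAME, ...
            opts.append((kw, toks[i + 1] if i + 1 < len(toks) else None))
            i += 2
    return {"action": action, "proto": proto, "src": src, "dst": dst, "options": opts}


def lint_qos_acl(acl_text: str) -> list:
    """Return (ace, reason) pairs for every ACE outside the documented QoS subset."""
    findings = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line.startswith(("permit", "deny")):
            continue                        # header, remark or blank line
        ace = parse_ace(line)
        if ace["action"] == "permit" and ace["proto"] not in QOS_PERMIT_PROTOCOLS:
            findings.append((line, f"permit protocol '{ace['proto']}' is not supported in a QoS ACL"))
        for kw, _ in ace["options"]:
            if kw not in QOS_MATCH_KEYWORDS:
                findings.append((line, f"match keyword '{kw}' is not supported in a QoS ACL"))
    return findings


# The ACL from the post, as a sample input.
SAMPLE_ACL = """\
ip access-list extended EF-CLASS-ACL
 permit udp any any dscp ef
 permit udp any any dscp cs5
 permit udp any any precedence critical
 permit icmp any any dscp ef
 deny ip any any
"""

if __name__ == "__main__":
    for ace, why in lint_qos_acl(SAMPLE_ACL):
        print(f"{ace!r}: {why}")
```

Because the class-map is match-all on the whole ACL, one unsupported ACE makes the entire class fail to match, which is consistent with the zero-packet counter on ING-EF-CLASS in the show output above; the lint makes that failure visible from the text of the config.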

Cisco, NBAR2 Live Updates


Protocol Pack 30 is now available on CCO!

Please note: the minimal required release for protocol pack 28 and up is now:
IOS XE 3.16.4bS Version 15.5(3)Sb4, IOS 15.5(3)M4a.

So- what is new, you ask?

Brand new protocol support:
Splunk: platform for collecting and analyzing machine-generated big data; Google-Downloads: Google downloads and updates services
Webex-Control: WebEx protocol control and signaling traffic
Web-Analytics: web and mobile analytics and customer engagement platforms.
Office 365 updates.
For 3.16.4 users: introduced granular app detection over QUIC.
Added support for Wifi-Calling on specific operators.
Various improvements and identification enhancements: Gmail, Crashplan, Mysql, Microsoft-SMS, NTP, Teamspeak.
A bunch of bug fixes; see the full list on the documentation page.
And obviously all of the PP 28.0 and 29.0 content we released in the last months:
Cisco IP-SLA (Internet Protocol Service Level Agreement) recognition.
IKE version 2 support.
Strengthening of Vmware-vSphere, Webex-meeting, Ms-SMS, Cisco-Spark, Acano and Apple cloud apps detection.
For 3.16.4 IOS-XE / 15.5(3)M4a IOS users: integrated SIP and DNS-SRV engine updates. Newer versions of the engines improve media sessions, audio-video separation and services detection significantly.
We want to hear what you think!
Got anything you want to share with us? Let us know. We want to hear what you need, what works great for you and what we could do even better. Reply to this email; we’ll take it from there…

Check it out on Cisco.com software download page


ASR-920 – Netflow

Restrictions for Netflow Monitoring for ASR 920 Series Routers

* Netflow monitoring supports only 7 keys (source IP, destination IP, Layer 3 protocol type, TOS, source port, destination port and input logical interface) to identify or classify the flow, for both IPv4 and IPv6 unicast traffic. All other keys are not supported.

* MPLS- and BGP-based Netflow is not supported.

* The non-key fields supported are packets and bytes (collect counter packets and collect counter bytes).

* Only routed ports (IP Ethernet, BDI) and EFPs are supported.

* EFP flow monitoring can be configured only after configuring a bridge-domain on the EFP service instance.

* Flow monitoring of multicast traffic is not supported.

* A maximum of 16K flows can be learnt due to FPGA limitations. Though Netflow supports 16K entries, the number of flows actually monitored is lower due to hash collisions.

* The FPGA monitors only a 1Gbps traffic rate (with a minimum frame size of 100 bytes). The accounting is accurate only when the overall traffic monitored is within 1Gbps.

* At interface level, the MVPN/MLDP/SPAN/PBR features cannot be enabled on the same interface as a Netflow configuration.

* Permanent and aggregate flow caches are not supported due to FPGA limitations. Configuration of the number of cache entries is not supported.

* The SADT/BFD feature cannot co-exist with Netflow configurations on the following routers:

  o ASR-920-12CZ-A

  o ASR-920-12CZ-D

  o ASR-920-4SZ-A

  o ASR-920-4SZ-D

  o ASR-920-12SZ-IM

  o ASR-920-16CZ-IM
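The hash-collision caveat in the list above, as an added example that is not from Cisco’s documentation: a simplified model of a 16K-entry direct-mapped flow table keyed on the seven supported fields. The direct-mapped layout, the stand-in hash function and the synthetic flows are assumptions (the FPGA’s real hash and table organisation are not described on the page). It shows how many of N distinct flows actually get learnt and compares that with the closed-form expectation, which is the visibility gap a detection team has to plan around.

```python
"""How many flows a 16K-entry hash table actually learns.

Added example, not from the ASR 920 documentation. The table is modelled
as direct-mapped: a flow is learnt only if the bucket its 7-tuple hashes
to is still free, so collisions silently drop later flows. The real FPGA
hash function and layout are not described on the page; the flows and
the blake2b stand-in hash are constructed for the example.
"""
import hashlib
import random

TABLE_SIZE = 16 * 1024          # "maximum of 16K flows" from the restriction list
KEY_FIELDS = ("src_ip", "dst_ip", "proto", "tos", "src_port", "dst_port", "in_if")


def bucket(flow: tuple, table_size: int = TABLE_SIZE) -> int:
    """Index of the bucket a flow key hashes to (stand-in for the FPGA hash)."""
    assert len(flow) == len(KEY_FIELDS)
    digest = hashlib.blake2b("|".join(map(str, flow)).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % table_size


def learnt_flows(flows, table_size: int = TABLE_SIZE) -> list:
    """Flows that win a bucket; a flow colliding with an occupied bucket is never learnt."""
    table = {}
    for f in flows:
        table.setdefault(bucket(f, table_size), f)
    return list(table.values())


def expected_learnt(n_flows: int, table_size: int = TABLE_SIZE) -> float:
    """Expected occupied buckets when n_flows keys hash uniformly into table_size buckets."""
    return table_size * (1 - (1 - 1 / table_size) ** n_flows)


def synthetic_flows(n: int, seed: int = 1) -> list:
    """n distinct 7-tuples (constructed sample data, not captured traffic)."""
    rng = random.Random(seed)
    flows = set()
    while len(flows) < n:
        flows.add((
            f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}",
            f"192.0.2.{rng.randrange(256)}",
            rng.choice((6, 17)), 0,
            rng.randrange(1024, 65536), rng.choice((53, 80, 443)), "Gi0/0/1"))
    return sorted(flows)


def coverage(n_flows: int, seed: int = 1) -> float:
    """Fraction of n_flows distinct flows that end up in the table."""
    return len(learnt_flows(synthetic_flows(n_flows, seed))) / n_flows


if __name__ == "__main__":
    for n in (4096, 16384, 32768):
        print(f"{n:6d} flows: learnt {coverage(n):.1%} "
              f"(expected {expected_learnt(n) / n:.1%})")
```

Under this model, offering exactly 16K distinct flows fills only about 63% of the table (the 1 - 1/e occupancy of a full random load), so the usable capacity is well below the nominal 16K even before the 1Gbps accounting limit is reached.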

2 port 100 gig module – ASR9000

cards will work with the A9K-RSP-4G. However, the RSP2 has only a 92G fabric (4x23G lines), so you will need 2xRSP to come even close to the line rate of 200G (on Trident it’s 2x23G per FIA per RSP, so max. 184G with a dual-FIA 8xNP linecard + dual RSP2, vs. on Typhoon it’s 8x23G lines (with RSP2) or 8x55G (with RSP440+) from the LC fabric, resulting in the same 184G with two RSP2).


If you lose one RSP, you will get only half the throughput. Luckily, with Typhoon you are not tied to 2x23G per FIA to RSP, so you can still operate at 92G throughput no matter which port/FIA the traffic comes through (as the Typhoon LC has its own fabric connecting the FIAs to the RSPs’ fabric), as opposed to Trident, where you are limited to 2x23G per FIA to a single RSP2, so if the FIA has two NPs connected, those two NPs can serve only 46G to the ports attached to them. For details check BRKSPG-2904 from Xander, back from 2013.


Another thing you need to watch is which IOS XR you need to run the cards (for A9K-2X100GE-TR/SE it’s min. 4.2.0), but certain CFP modules will require a higher version; e.g. CFP-100G-ER4 needs XR 5.1.1.



ASR920 vs NCS5000

Cisco Live on-demand library is a good starting point: just search for “920” and it will return two presentations (although I was expecting more than just two presos on these); there are some comparisons as well as scaling numbers.

Well, there are only 3 branches in the ASR900 family tree as far as I know:
900 Series (902 & 903),
920 Series,
901 Series,
but yes, I guess it’s fair to say they are very different from each other.

Regarding the NCS5k (or its QFX counterpart), the same rule applies as always: there’s a reason why these are so darn cheap compared to high-end platforms (like e.g. NCS6k); architectural sacrifices were made during platform development, resulting in numerous limitations, and only once all of these are understood can the device be considered for a given environment.

ASR9K Upgrade

admin install add tftp://x.x.x.x/asr9k-mini-px.pie-5.3.2 synchronous

admin install activate disk0:asr9k-mini-px.pie-5.3.2 synchronous

admin install



install remove inactive




Also beware of



Recently did an upgrade on two ASR9k1’s from 4.2.3 to 5.1.3.

Though I didn’t have the space issue, here is one thing you can try beforehand:

‘admin install remove inactive’

Before upgrading you may want to install the following SMUs:





You will need to install the FPD package so it will upgrade the FPDs upon boot, or do it manually.

I had ‘fpd auto-upgrade’ in my admin config, so it did it automatically.

This is what we installed after we did the prerequisites:










It’s also possible to re-partition the disk to get some extra space (300M). Executing the re-partitioning is not service impacting.


