Ended up with the following for DSL customers using DS-Lite:

 

block size 512

max blocks per user 16

block timeout 120

address-sharing-ratio 8:1

 

avg usage is 34 ports per block and 1,3 blocks per address, but the top 1% are at least x10.

 

Some years ago we had started with more relaxed numbers (to be on the safe side), but last year we squeezed them a little. No complaints until now.

 

Mon Feb 29 14:25:16.812 CST

Building configuration…

!! IOS XR Configuration 5.3.1

service cgn cgn1

service-location preferred-active 0/3/CPU0  service-type nat44 nat1

portlimit 5000

alg ActiveFTP

inside-vrf six

!

!

!

end

 

RP/0/RSP0/CPU0:eng-lab-9k-1(config-cgn-invrf)#bulk-port-alloc ?

size  Bulk size for allocation.

Should be greater or equal to one fourth of the port limit

and less than twice the port limit.

For optimum results, should be close to half the port limit RP/0/RSP0/CPU0:eng-lab-9k-1(config-cgn-invrf)#bulk-port-alloc size ?

none  No bulk allocation

8     Allocate 8 ports in bulk

16    Allocate 16 ports in bulk

32    Allocate 32 ports in bulk

64    Allocate 64 ports in bulk

128   Allocate 128 ports in bulk

256   Allocate 256 ports in bulk

512   Allocate 512 ports in bulk

1024  Allocate 1024 ports in bulk

2048  Allocate 2048 ports in bulk

4096  Allocate 4096 ports in bulk

vrf export route-policy doesn’t seem to directly deny prefixes from advertisement… but according to this one site you can indirectly deny prefixes… it seems that vrf export route-policy is mainly used to more granularly assign rt’s and add rt’s to rt’s (additive).

http://www.akbintel.com/mediawiki/index.php/VRF/Config#export_map

http://nagendrakumar-nagendra.blogspot.com/2011/09/mpls-vpn-vrf-export-map.html

Thought it was pretty clever to not put a route-target export x:x and then whichever prefixes are denied in the export route-policy will drop out of the route-map logic, and this will not be advertised since there isn’t a route-target export statement in the vrf.  Cool.

For some reason especially on3.7 code we have also seen this message on ports which are left no shut, and they have an SFP in it.

That’s because they introduced DOM support for some transceivers:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/ol-37xe-4500x.html#pgfId-2796909

http://www.cisco.com/c/en/us/products/collateral/security/pix-500-series-security-appliances/pix_eos.html

 

As of July 28, 2008, Cisco PIX Security Appliance platforms/bundles are no longer being sold. Customers can still purchase accessories and licenses until January 27, 2009.

It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013.

Based on understanding, the CPU on 1001-X is more powerful and can handle more concurrent session establishments. It also has 2 10G interfaces which can come in handy. However, the queue-count is considerably lower in the 1001s which makes QoS difficult, depending on your policies. I would recommend a 1002-X if you are looking at ASR 1K.

 

Have a look at this document here for more details:

 

http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731640.html

This is a live working 897 using QinQ over VDSL:

 

 

interface Ethernet0

no ip address

!

interface Ethernet0.400

encapsulation dot1Q 101 second-dot1q 400  ip vrf forwarding test  ip address 1.1.1.2 255.255.255.252 !

interface Ethernet0.401

encapsulation dot1Q 101 second-dot1q 401  ip vrf forwarding test-2  ip address 2.2.2.2 255.255.255.252

 

 

#show ver | i IOS

Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.5(3)M, RELEASE SOFTWARE (fc1)

 

#show ver | i C897

Cisco C897VA-K9

 

#show license

Index 1 Feature: advipservices

Period left: Life time

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

 

 

#show controllers VDSL 0 | i VDSL

Controller VDSL 0 is UP

Trained Mode:   G.993.2 (VDSL2) Profile 17a

Here are some pictures of the ASR920 Console kit A920-CONS-KIT-S

 

 

The Adapter Plugs in the Top Left USB Console Port and we have it wired up to a Perle IOLAN SCS48C console server using a rollover cable.

 

Here are some pictures of  it, since I can only find a brief mention of it in all the cisco docs.

 

http://imgur.com/a/w8clL

service instance 940 ethernet

description description TEST_OUTER_940_Inner_942

encapsulation dot1q 940 second-dot1q 942

rewrite ingress tag pop 2 symmetric

bridge-domain 942

 

interface Vlan942

description TEST_OUTER_INNER_TAGs

mtu 9100

ip address 10.97.97.1 255.255.255.252

no ip proxy-arp

end

 

 

#ping 10.97.97.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.97.97.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

 

#sh mac address-table dyn bridge-domain 942

Mac Address Table

——————————————-

 

BD      Mac Address       Type        Ports

—-    ———–       ——–    —–

942    5087.89fd.d320    DYNAMIC     Gi0/24+Efp940

 

 

---

 

http://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me3600x_3800x/software/design/guide/ME3600x_Design_Guide.pdf

 

http://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me3600x_3800x/software/design/guide/CE2-0_certification_v1.pdf

 

http://d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKSPG-2209.pdf

---

A Catalyst Switch will only look at the first VLAN Tag(Outter), it doesn’t care about the inner vlan tag and will forward the frame on. Just watch your MTU Size, because you lose 4btyes to the inner vlan tag.

 

A Good Example. http://blog.jhe.co/2009/11/dot1q-tunneling.html

 

---

http://supportforums.cisco.com/sites/default/files/legacy/8/2/1/96128-ASR%209000%20Multiple%20Services%20onthe%20same%20port%20example.jpg

 

Look at the Routed VPLS/EoMPLS section

 

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-1_2_ey/configuration/guide/3800x3600xscg/swmpls.html#pgfId-1260366

 

What you are looking for a is a VPLS Routed Interface Configuration, just association the VPLS instance with the bridge group. I have never tried this, so I could be wrong, but it’s worth a shot.

 

Try adding this. This creates’ a VPLS Instance and associates it to the Bridge Group 941.

l2 vfi TESTING manual

vpn id 941

bridge-domain 941

 

Then under your VLAN Interface associate the VLAN Interface with the VPLS Instanace.

interface Vlan941

xconnect vfi TESTING   <<<<<<<<<<<< ADD THIS

description INNER_OUTER_TAG_TEST

mtu 9100

ip address xxx.xxx.xxx.xxx 255.255.255.252  no ip proxy-arp

 

 

Also watch your MTU Size’s a mismatch can cause the VPLS instance to be down. You can check it with “show mpls l2transport vc vcid 941 detail”

 

This looks good

 

interface GigabitEthernet0/24   <- Connects to 4500X

service instance 940 ethernet

description description Inner_outer_tag_test_Outer_940_Inner_941

encapsulation dot1q 940 second-dot1q 941

rewrite ingress tag pop 2 symmetric

bridge-domain 941

---

Here is a step by step,

 

Step By Step Description                        Commands “semi-colon is a new line”

————————————————————————————————————————–

1. Create a Bridge Group l2 vfi TESTING manual;  vpn id 820;  bridge-domain 820
2. Go to the interface interface g0/0/11
3. Incoming frame Outter 800, inner 20 encapsulation dot1q 800 second-dot1q 20
4. Removed Both Taggs 800 and 20 rewrite ingress tag pop 2 symmetric
5. Put Unttagged Frame in Bridge Group 820 bridge-domain 820

Global Config

6a. ASR920 Created L3 Routed Interface  bridge-group 820; interface bdi820

6b. ME3800 Create L3 Routed Interface           interface vlan 820

6b. ME3800 Connect Interface to BridgeGroup     xconnect vfi TESTING

7. Assigned IP Address to the Interface ip address 192.168.0.2 255.255.255.0

 

 

---

 

Cisco 4500X Provider Port

Cisco 4500X Port to ME3800.

Cisco ME3800 Port Config

 

 

 

 

I Did lab this up on a ASR920, the commands should be fairly close, I noted the difference between the ASR920 and ME3800

 

Carrier Side: QinQ Interface Outer VLAN 800 InnerVLAN 20 IP 192.168.0.1/24

 

l2 vfi TESTING manual

vpn id 820

bridge-domain 820

 

interface GigabitEthernet0/0/11

no ip address

negotiation auto

service instance 820 ethernet

encapsulation dot1q 800 second-dot1q 20

rewrite ingress tag pop 2 symmetric

bridge-domain 820

 

!!! ON A ASR920

bridge-domain 820

interface BDI820

ip vrf forwarding TESTING2

ip address 192.168.0.2 255.255.255.0

no shut

 

!!!!ON A ME3800

int vlan 820

xconnect vfi TESTING

ip address 192.168.0.2 255.255.255.0

no shut

 

 

ASR920#ping vrf TESTING2 192.168.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

 

ASR920#show mac-address-table bdomain 820

 

Nile Mac Address Entries

 

BD    mac addr        type     ports

———————————————————————————————-

820   0012.448e.8062  DYNAMIC  Gi0/0/11.Efp820

 

 

ASR920#sh ip arp vrf TESTING2

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  192.168.0.1             2   0012.448e.8062  ARPA   BDI820

Internet  192.168.0.2             –   00f2.8bdd.603f  ARPA   BDI820

 

---

 

 

You must do switchport commands

Services Instance is just a number, we keep it the same as the VLAN Id Under the Service Instance you specify the VLAN ID with endcapsulation dot1q x Rewrite ingress Tag POP 1 symmetric  — This removes the first VLAN Tag on in incoming frame, if you do pop 2, it removes the 2 VLAN Tags.

 

First Example is VPLS with Bridge Domains. Bridge domain ID does not have to the same as the VLAN Id Second Example is EoMPLS XConnect

 

VPLS

——

l2 vfi  VPLS1 manual

vpn id 41

bridge-domain 41

neighbor 1.2.3.4 encapsulation mpls

 

interface GigabitEthernet0/19

switchport trunk allowed vlan none

switchport mode trunk

mtu 9180

 

!VPLS Example

service instance 41 ethernet

encapsulation dot1q 41

rewrite ingress tag pop 1 symmetric

bridge-domain 41

 

!EoMPLS Example

service instance 117 ethernet

encapsulation dot1q 117

rewrite ingress tag pop 1 symmetric

xconnect 3.4.5.6 275 encapsulation mpls pw-class L2VPN

xconnect <Remote router IP> <Unique ID in the AS>

 

Thanks for the quick reply – We use service instances quite a bit, but only popping first tag, then creating vlan int (for vrf), or PW….so fairly basic stuff 🙂

 

In this circumstance, where we would receive vlan 800 as outer tag, and we want to access inner vlans 10,20,30 how would this look under a service instance?

 

1. Something like?

 

service instance 800 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 10,20,30

rewrite ingress tag pop 2 symmetric

bridge-domain ?

 

 

or a separate service instance and pop inner vlans on each one?

 

service instance 800 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 10

rewrite ingress tag pop 2 symmetric

bridge-domain 10

 

service instance 801 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 20

rewrite ingress tag pop 2 symmetric

bridge-domain 20

 

 

You are probably better using a service instance for each vlan. Then you can send each VLAN where ever.

 

service instance 800 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 10

rewrite ingress tag pop 2 symmetric

bridge-domain 10

 

service instance 801 ethernet

description description LINK_TO_CARRIER_X_VIA_4500X

encapsulation dot1q 800 second-dot1q 20

rewrite ingress tag pop 2 symmetric

bridge-domain 20