Cisco 10000-2P2-2DC, 10005, 10008 Software Configuration Manual

Cisco 10000 Series Router Software Configuration Guide
June, 2010
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 527-0883
Text Part Number: OL-2226-23
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco 10000 Series Router Software Configuration Guide
Copyright © 2007-2010 Cisco Systems, Inc. All rights reserved.
CONTENTS
About This Guide xxv
Guide Revision History i-xxv
Audience i-xxx
Document Organization i-xxx
Document Conventions i-xxxii
Related Documentation i-xxxiii
RFCs i-xxxiv
Obtaining Documentation, Obtaining Support, and Security Guidelines i-xxxiv
CHAPTER
1 Broadband Aggregation and Leased-Line Overview 1-1
Hardware Requirements 1-1
Checking Hardware and Software Compatibility 1-1
Broadband Architecture Models 1-2
PPP Termination and Aggregation Architectures 1-2
PTA to Virtual Routing and Forwarding Architecture 1-3
PTA to Multiprotocol Label Switching Virtual Private Network Architecture 1-4
L2TP Architectures 1-5
L2TP to Virtual Routing and Forwarding Architecture 1-5
L2TP over MPLS to Virtual Routing and Forwarding Instance 1-6
L2TP Access Concentrator Architecture 1-7
Routed Bridge Encapsulation Architectures 1-7
RBE to Virtual Routing and Forwarding Architecture 1-8
RBE to Multiprotocol Label Switching Virtual Private Network Architecture 1-9
Leased-Line Architecture Models 1-10
Channelized Aggregation 1-10
Frame Relay Aggregation 1-10
ATM Aggregation 1-11
Ethernet Aggregation 1-12
MPLS Provider Edge Applications 1-12
Combined Broadband and Leased-Line Applications 1-13
Load Balancing Architecture Models 1-13
IP and MPLS Applications 1-13
Single Ingress and Single Egress Provider Edge Applications 1-14
Single Ingress and Two Egress Provider Edge Applications 1-14
Multiple Ingress and Multiple Egress Provider Edge Applications 1-15
New Features, Enhancements, and Changes 1-15
New Features in Cisco IOS Release 12.2(33)XNE3 1-16
New Features in Cisco IOS Release 12.2(33)XNE 1-16
New Features in Cisco IOS Release 12.2(33)SB3 1-18
New Features in Cisco IOS Release 12.2(33)SB2 1-18
New Features in Cisco IOS Release 12.2(33)SB 1-18
New Features in Cisco IOS Release 12.2(31)SB5 1-19
New Features in Cisco IOS Release 12.2(31)SB3 1-19
New Features in Cisco IOS Release 12.2(31)SB2 1-20
New Features in Cisco IOS Release 12.2(28)SB1 1-21
New Features in Cisco IOS Release 12.2(28)SB 1-21
New Features in Cisco IOS Release 12.3(7)XI7 1-25
New Features in Cisco IOS Release 12.3(7)XI3 1-26
New Features in Cisco IOS Release 12.3(7)XI2 1-26
New Features in Cisco IOS Release 12.3(7)XI1 1-26
CHAPTER
2 Scalability and Performance 2-1
Line Card VC Limitations 2-1
Limitations and Restrictions 2-3
Scaling Enhancements in Cisco IOS Release 12.2(33)XNE 2-4
Scaling Enhancements in Cisco IOS Release 12.2(33)SB 2-5
Layer 4 Redirect Scaling 2-5
Scaling Enhancements in Cisco IOS Release 12.3(7)XI1 2-6
FIB Scaling 2-6
Policy-Map Scaling 2-6
Queue Scaling 2-7
Scaling Enhancements in Cisco IOS Release 12.3(7)XI2 2-7
Queue Scaling 2-7
VC Scaling 2-8
Scaling Enhancements in Cisco IOS Release 12.2(28)SB 2-8
Configuring the Cisco 10000 Series Router for High Scalability 2-8
Configuring Parameters for RADIUS Authentication 2-9
Configuring L2TP Tunnel Settings 2-9
VPDN Group Session Limiting 2-10
Configuring the PPP Authentication Timeout 2-10
Disabling Cisco Discovery Protocol 2-10
Disabling Gratuitous ARP Requests 2-11
Configuring a Virtual Template Without Interface-Specific Commands 2-11
Monitoring PPP Sessions Using the SNMP Management Tools 2-13
SNMP Process and High CPU Utilization 2-13
CISCO-ATM-PVCTRAP-EXTN-MIB 2-14
Configuring the Trunk Interface Input Hold Queue 2-15
Configuring no atm pxf queuing 2-15
Configuring atm pxf queuing 2-16
Configuring keepalive 2-17
Enhancing Scalability of Per-User Configurations 2-17
Setting VRF and IP Unnumbered Interface Configurations in User Profiles 2-18
Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template 2-18
Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs 2-18
Placing PPPoA Sessions in Listening Mode 2-19
Scaling L2TP Tunnel Configurations 2-19
Using the RADIUS Attribute cisco-avpair="lcp:interface-config" 2-20
Using Full Virtual Access Interfaces 2-20
Preventing Full Virtual Access Interfaces 2-21
CHAPTER
3 Configuring Remote Access to MPLS VPN 3-1
MPLS VPN Architecture 3-2
Access Technologies 3-3
PPP over ATM to MPLS VPN 3-4
PPP over Ethernet to MPLS VPN 3-5
RBE over ATM to MPLS VPN 3-7
MPLS VPN ID 3-7
DHCP Relay Agent Information Option—Option 82 3-9
DHCP Relay Support for MPLS VPN Suboptions 3-9
Feature History for RA to MPLS VPN 3-10
Restrictions for RA to MPLS VPN 3-10
Prerequisites for RA to MPLS VPN 3-11
Configuration Tasks for RA to MPLS VPN 3-12
Configuring the MPLS Core Network 3-12
Enabling Label Switching of IP Packets on Interfaces 3-12
Configuring Virtual Routing and Forwarding Instances 3-13
Associating VRFs 3-13
Configuring Multiprotocol BGP PE to PE Routing Sessions 3-14
Configuring Access Protocols and Connections 3-16
Configuring a Virtual Template Interface 3-17
Configuring PPP over ATM Virtual Connections and Applying Virtual Templates 3-18
Configuring PPPoE over ATM Virtual Connections and Applying Virtual Templates 3-18
Configuring PPPoE over Ethernet Virtual Connections and Applying Virtual Templates 3-20
Configuring RBE over ATM Virtual Connections 3-22
Configuring and Associating Virtual Private Networks 3-28
Configuring Virtual Private Networks 3-28
Associating VPNs with a Virtual Template Interface 3-28
Configuring RADIUS User Profiles for RADIUS-Based AAA 3-30
Verifying VPN Operation 3-30
Configuration Examples for RA to MPLS VPN 3-30
PPPoA to MPLS VPN Configuration Example 3-31
PPPoE to MPLS VPN Configuration Example 3-34
RBE to MPLS VPN Configuration Example 3-38
Monitoring and Maintaining an MPLS Configuration 3-39
Verifying the Routing Protocol Is Running 3-40
Verifying MPLS 3-40
Verifying Connections Between Neighbors 3-40
Verifying Label Distribution 3-41
Verifying Label Bindings 3-42
Verifying Labels Are Set 3-43
Monitoring and Maintaining the MPLS VPN 3-43
Verifying VRF Configurations 3-44
Verifying the Routing Table 3-44
Verifying the PE to PE Routing Protocols 3-45
Verifying the PE to CE Routing Protocol 3-46
Verifying the MPLS VPN Labels 3-46
Testing the VRF 3-46
Monitoring and Maintaining PPPoX to MPLS VPN 3-47
Monitoring and Maintaining RBE to MPLS VPN 3-48
CHAPTER
4 Configuring Multiprotocol Label Switching 4-1
BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN 4-1
Feature History for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN 4-2
Restrictions for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN 4-3
Prerequisites for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN 4-3
IGP Convergence Acceleration 4-3
Configuring IGP Convergence Acceleration 4-4
Configuring BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN 4-4
Configuring Multipath Load Sharing for eBGP and iBGP 4-5
Verifying Multipath Load Sharing for eBGP and iBGP 4-5
Configuration Examples for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN 4-5
eBGP and iBGP Multipath Load Sharing Configuration Example 4-6
Verifying eBGP and iBGP Multipath Load Sharing 4-6
Monitoring and Maintaining BGP Multipath Load Sharing for eBGP and iBGP 4-7
IPv6 VPN over MPLS 4-7
Feature History for IPv6 VPN over MPLS 4-8
Prerequisites for Implementing IPv6 VPN over MPLS 4-8
Restrictions for Implementing IPv6 VPN over MPLS 4-9
Configuration Tasks for Implementing IPv6 VPN over MPLS 4-9
BGP Features 4-10
IPv6 Internet Access 4-11
VRF-Aware Router Applications 4-12
VRF-Lite 4-12
QoS Features 4-12
Configuration Example for Implementing IPv6 VPN over MPLS 4-13
Monitoring and Maintaining IPv6 VPN over MPLS 4-15
Session Limit Per VRF 4-15
Application of VPDN Parameters to VPDN Groups 4-16
VPDN Template Configuration 4-17
Feature History for Session Limit Per VRF 4-17
Restrictions for Session Limit Per VRF 4-17
Prerequisites for Session Limit Per VRF 4-17
Configuring Session Limit Per VRF 4-18
Verifying a Session Limit Per VRF Configuration 4-19
Configuration Examples for Session Limit Per VRF 4-19
Monitoring and Maintaining Session Limit Per VRF 4-21
Half-Duplex VRF 4-21
Upstream and Downstream VRFs 4-22
Reverse Path Forwarding Check Support 4-23
Feature History for Half-Duplex VRF 4-23
Restrictions for Half-Duplex VRF 4-23
Prerequisites for Half-Duplex VRF 4-23
Configuration Tasks for Half-Duplex VRF 4-24
Configuring Upstream and Downstream VRFs on the L2TP Access Concentrator and PE Router 4-24
Associating VRFs 4-25
Configuring RADIUS 4-26
Configuration Examples for Half-Duplex VRF 4-26
Hub and Spoke Sample Configuration with Half-Duplex VRFs 4-27
RADIUS Sample Configuration 4-28
Monitoring and Maintaining Half-Duplex VRF 4-29
CHAPTER
5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server 5-1
IP Reassembly 5-1
Feature History for IP Reassembly 5-2
Layer 2 Access Concentrator 5-2
Tunnel Sharing 5-4
Tunnel Service Authorization 5-4
Tunnel Selection 5-4
Sessions per Tunnel Limiting 5-5
Session Load Balancing 5-6
Session Load Failover 5-6
Feature History for LAC 5-6
Restrictions for LAC 5-7
Required Configuration Tasks for LAC 5-7
Enabling the LAC to Look for Tunnel Definitions 5-7
Optional Configuration Tasks for LAC 5-7
Enabling Sessions with Different Domains to Share the Same Tunnel 5-8
Enabling the LAC to Conduct Tunnel Service Authorization 5-8
Configuring Sessions Per Tunnel Limiting on the LAC 5-12
RADIUS Server Optional Configuration Tasks for LAC 5-13
Enabling Tunnel Sharing for RADIUS Services 5-13
Enabling the RADIUS Server to Conduct Tunnel Service Authorization 5-14
Configuring Sessions Per Tunnel Limiting in the RADIUS Service Profile 5-16
Configuration Example for LAC 5-17
Monitoring and Maintaining LAC 5-21
L2TP Network Server 5-22
Virtual Template Interface 5-23
Virtual Routing and Forwarding Instance 5-23
Per VRF AAA 5-23
Private Servers 5-24
RADIUS Attribute Screening 5-24
Packet Fragmentation 5-24
Tunnel Accounting 5-25
Tunnel Authentication 5-25
Named Method Lists 5-27
Framed-Route VRF Aware 5-27
Feature History for LNS 5-28
Restrictions for the LNS 5-28
Prerequisites for LNS 5-28
Required Configuration Tasks for LNS 5-29
Configuring the Virtual Template Interface 5-29
Configuring the LNS to Initiate and Receive L2TP Traffic 5-29
Optional Configuration Tasks for LNS 5-30
Configuring per VRF AAA Services 5-31
Configuring a VRF on the LNS 5-36
Configuring Sessions per Tunnel Limiting on the LNS 5-36
Configuring RADIUS Attribute Accept or Reject Lists 5-37
Configuring the LNS for RADIUS Tunnel Accounting 5-39
Configuring the LNS for RADIUS Tunnel Authentication 5-42
Configuration Examples for LNS 5-45
Managed LNS Configuration Example 5-45
Tunnel Accounting Configuration Examples 5-47
Tunnel Authentication Configuration Examples 5-50
Monitoring and Maintaining LNS 5-51
CHAPTER
6 Configuring PPPoE over Ethernet and IEEE 802.1Q VLAN 6-1
PPPoE over Ethernet 6-1
Feature History for PPPoE over Ethernet 6-2
Restrictions for PPPoE over Ethernet 6-2
Configuration Tasks for PPPoE over Ethernet 6-2
Configuring a Virtual Template Interface 6-2
Creating an Ethernet Interface and Enabling PPPoE 6-3
Configuring PPPoE in a VPDN Group 6-3
Configuring PPPoE in a BBA Group 6-3
Configuration Example for PPPoE over Ethernet 6-5
Static MAC Address for PPPoE 6-5
Feature History for Static MAC Address for PPPoE 6-6
PPPoE over IEEE 802.1Q VLANs 6-7
Feature History for PPPoE over IEEE 802.1Q VLANs 6-7
Restrictions for PPPoE over IEEE 802.1Q VLANs 6-7
Configuration Tasks for PPPoE over IEEE 802.1Q VLANs 6-7
Configuring a Virtual Template Interface 6-8
Creating an Ethernet 802.1Q Encapsulated Subinterface and Enabling PPPoE 6-8
Configuring PPPoE in a VPDN Group 6-8
Configuring PPPoE in a BBA Group 6-9
Configuration Examples for PPPoE over IEEE 802.1Q VLANs 6-10
Verifying PPPoE over Ethernet and IEEE 802.1Q VLAN 6-11
Clearing PPPoE Sessions 6-12
TCP MSS Adjust 6-12
Feature History for TCP MSS Adjust 6-12
Information about TCP MSS Adjust 6-12
Restrictions for TCP MSS Adjust 6-13
Configuration Task for TCP MSS Adjust 6-13
TCP MSS Adjustment Configuration: Examples 6-14
VLAN Range 6-15
Feature History for VLAN Range 6-15
Restrictions for VLAN Range 6-16
Configuration Task for VLAN Range 6-16
Configuring a Range of VLAN Subinterfaces 6-16
Configuration Examples for VLAN Range 6-17
Verifying the Configuration of a Range of Subinterfaces 6-18
CHAPTER
7 Configuring IP Unnumbered on IEEE 802.1Q VLANs 7-1
Feature History for IP Unnumbered on VLANs 7-2
Benefits for IP Unnumbered on VLANs 7-2
Restrictions for IP Unnumbered on VLANs 7-3
Configuration Tasks for IP Unnumbered on VLANs 7-3
Configuring IP Unnumbered for an Ethernet VLAN Subinterface 7-3
Configuring IP Unnumbered for a Range of Ethernet VLAN Subinterfaces 7-4
Configuration Examples for IP Unnumbered on VLANs 7-4
Monitoring and Maintaining IP Unnumbered Ethernet VLAN Subinterfaces 7-5
CHAPTER
8 Configuring ATM Permanent Virtual Circuit Autoprovisioning 8-1
ATM PVC Autoprovisioning 8-1
Local Template-Based ATM PVC Provisioning 8-2
Feature History for Local Template-Based ATM PVC Provisioning 8-2
ATM Interface Oversubscription 8-2
VC Class 8-3
ATM VC Scaling and VC Assignment 8-4
When SAR the Page Limit is Reached 8-5
OC-12 ATM Line Card and VC Scaling 8-5
Feature History for ATM PVC Autoprovisioning 8-5
Restrictions for ATM PVC Autoprovisioning 8-5
Configuration Tasks for ATM PVC Autoprovisioning 8-6
Creating an On-Demand PVC Using a VC Class 8-6
Creating an On-Demand PVC Directly 8-8
Creating an On-Demand PVC With Infinite Range 8-11
Monitoring and Maintaining ATM PVC Autoprovisioning 8-12
Configuration Example for ATM PVC Autoprovisioning 8-13
Variable Bit Rate Non-Real Time Oversubscription 8-14
Feature History for VBR-nrt Oversubscription 8-15
Restrictions for VBR-nrt Oversubscription 8-15
Configuration Tasks for VBR-nrt Oversubscription 8-17
Configuring VBR-nrt Oversubscription 8-17
Verifying ATM PVC Oversubscription 8-17
Configuration Example for ATM PVC Oversubscription 8-18
CHAPTER
9 Configuring Multihop 9-1
Feature History for Multihop 9-2
Restrictions for Multihop 9-3
Required Configuration Tasks for Multihop 9-3
Enabling VPDN and Multihop Functionality 9-3
Terminating the Tunnel from the LAC 9-4
Mapping the Ingress Tunnel Name to an LNS 9-4
Optional Configuration Tasks for Multihop 9-5
Specifying VPDN Tunnel Authorization Searches by Ingress Tunnel Name 9-5
Preserving the Type of Service Field of Encapsulated IP Packets 9-5
Configuring an Accept-Dialin VPDN Group to Preserve IP TOS 9-6
Configuring a Request-Dialout VPDN Group to Preserve IP TOS 9-7
Configuration Examples for Multihop 9-8
Monitoring and Maintaining Multihop Configurations 9-9
CHAPTER
10 Configuring Address Pools 10-1
Address Assignment Mechanisms 10-1
Local Address Pool 10-2
Benefits of a Local Address Pool 10-2
Limitations of a Local Address Pool 10-2
RADIUS-Based Address Assignment 10-2
Benefits of RADIUS-Based Address Assignment 10-3
Limitations of RADIUS-Based Address Assignment 10-3
DHCP-Based Address Assignment 10-3
Benefits of DHCP-based Address Assignment 10-3
Limitations of DHCP-Based Address Assignment 10-4
On-Demand Address Pool Manager 10-4
Feature History for On-Demand Address Pool Manager 10-5
Address Allocation for PPP Sessions 10-5
Subnet Releasing 10-5
On-Demand Address Pools for MPLS VPNs 10-5
Benefits On-Demand Address Pool Manager 10-6
Prerequisites for On-Demand Address Pool Manager 10-6
Required Configuration Tasks for On-Demand Address Pool Manager 10-6
Defining DHCP ODAPs as the Global Default Pooling Mechanism 10-7
Configuring the DHCP Pool as an ODAP 10-7
Configuring the AAA Client 10-8
Configuring RADIUS 10-9
Optional Configuration Tasks for On-Demand Address Pool Manager 10-10
Defining ODAPs on an Interface 10-10
Configuring ODAPs to Obtain Subnets Through IPCP Negotiation 10-11
Disabling ODAPs 10-11
Verifying On-Demand Address Pool Operation 10-12
Configuration Examples for On-Demand Address Pool Manager 10-14
Configuring DHCP ODAPs on an Interface 10-14
Configuring ODAPs to Obtain Subnets Through IPCP Negotiation 10-15
Monitoring and Maintaining an On-Demand Address Pool 10-15
Overlapping IP Address Pools 10-16
Feature History for Overlapping IP Address Pools 10-17
Restrictions for Overlapping IP Address Pools 10-17
Configuration Tasks for Overlapping IP Address Pools 10-17
Configuring a Local Pool Group for IP Overlapping Address Pools 10-17
Verifying Local Pool Groups for IP Overlapping Address Pools 10-18
Configuration Examples for Overlapping IP Address Pools 10-18
Generic IP Overlapping Address Pools Example 10-18
IP Overlapping Address Pools for VPNs and VRFs Example 10-19
CHAPTER
11 Configuring Local AAA Server, User Database—Domain to VRF 11-1
Feature History for Local AAA Server, User Database—Domain to VRF 11-2
Prerequisites for Local AAA Server, User Database—Domain to VRF 11-2
Establishing a PPP Connection 11-2
AAA Authentication 11-2
AAA Authorization 11-3
AAA Accounting 11-3
AAA Attribute Lists 11-4
Converting from RADIUS Format to Cisco IOS AAA Format 11-4
Defining AAA Attribute Lists 11-5
Subscriber Profiles 11-5
AAA Method Lists 11-6
Configuration Tasks for Local AAA Server, User Database—Domain to VRF Using Local Attributes 11-6
Defining AAA 11-6
Defining RADIUS and Enabling NAS-PORT 11-7
Defining a VRF 11-7
Applying AAA to a Virtual Template 11-7
Defining a Loopback Interface 11-8
Creating an IP Address Pool 11-8
Defining a Subscriber Profile 11-8
Defining an AAA Attribute List 11-8
Verifying Local AAA Server, User Database—Domain to VRF Using Local Attributes 11-9
Configuration Example for Local AAA Server, User Database—Domain to VRF 11-9
Example—VRF with DBS 11-11
Example—VRF with ACL 11-12
Monitoring and Maintaining Local AAA Server, User Database—Domain to VRF 11-12
CHAPTER
12 Configuring Traffic Filtering 12-1
IP Receive ACLs 12-1
Feature History for IP Receive ACLs 12-2
Restrictions for IP Receive ACLs 12-2
Configuration Tasks for IP Receive ACLs 12-2
Configuring Receive ACLs 12-3
Verifying Receive ACLs 12-3
Configuration Example for IP Receive ACLs 12-3
Time-Based ACLs 12-4
Feature History for Time-Based ACLs 12-4
Restrictions for Time-Based ACLs 12-5
Configuration Tasks for Time-Based ACLs 12-5
Creating a Time Range 12-5
Applying a Time Range to a Numbered Access Control List 12-6
Applying a Time Range to a Named Access Control List 12-7
Monitoring and Maintaining Time-Based ACLs 12-8
Configuration Examples for Time-Based ACLs 12-8
CHAPTER
13 Unicast Reverse Path Forwarding 13-11
Feature History for uRPF 13-12
Prerequisites for uRPF 13-12
Restrictions for uRPF 13-12
Configuring Unicast RPF 13-13
Monitoring and Maintaining uRPF 13-14
Configuration Examples of uRPF 13-16
Configuring Loose Mode uRPF 13-17
Configuring Loose Mode uRPF with the allow-self-ping Option 13-17
Configuring Loose Mode uRPF with the allow-default Option 13-18
CHAPTER
14 Configuring Automatic Protection Switching 14-19
Multirouter Automatic Protection Switching 14-19
Feature History for MR-APS 14-20
Restrictions for MR-APS 14-21
Configuration Tasks for MR-APS 14-21
Configuring MR-APS on Unchannelized Line Cards 14-21
Configuring MR-APS on Channelized Line Cards 14-22
Configuring MR-APS with Static Routes 14-23
Configuring MR-APS with Static Routes on Unchannelized Line Cards 14-23
Configuring MR-APS with Static Routes on Channelized Line Cards 14-25
Monitoring and Maintaining the MR-APS Configuration 14-27
Single-router Automatic Protection Switching 14-27
Feature History for SR-APS 14-29
Configuring SR-APS 14-29
Disabling SR-APS 14-29
Monitoring and Maintaining the SR-APS Configuration 14-30
Threshold Commands 14-31
Specifying SR-APS Signal Degrade BER Threshold 14-31
Specifying SR-APS Signal Fail BER Threshold 14-32
CHAPTER
15 Configuring IP Multicast 15-33
Feature History for IP Multicast 15-34
Restrictions for IP Multicast 15-34
Configuration Tasks for IP Multicast Routing 15-34
Enabling IP Multicast Routing 15-35
Enabling PIM on an Interface 15-35
Enabling Dense Mode 15-35
Enabling Sparse Mode 15-36
Enabling Sparse-Dense Mode 15-36
Configuring Native Multicast Load Splitting 15-36
Configuring the Control Plane Protocol Policy 15-36
CHAPTER
16 Configuring RADIUS Features 16-39
RADIUS Attribute Screening 16-39
Feature History for RADIUS Attribute Screening 16-40
Restrictions for RADIUS Attribute Screening 16-40
Prerequisites for RADIUS Attribute Screening 16-40
Configuration Tasks for RADIUS Attribute Screening 16-41
Configuration Examples for RADIUS Attribute Screening 16-41
Authorization Accept Configuration Example 16-41
Accounting Reject Configuration Example 16-41
Authorization Reject and Accounting Accept Configuration Example 16-42
Rejecting Required Attributes Configuration Example 16-42
RADIUS Transmit Retries 16-42
Feature History for RADIUS Transmit Retries 16-43
Restrictions for RADIUS Transmit Retries 16-43
Configuring RADIUS Transmit Retries 16-43
Configuration Example for RADIUS Transmit Retries 16-43
Monitoring and Troubleshooting RADIUS Transmit Retries 16-44
Extended NAS-Port-Type and NAS-Port Support 16-44
Feature History for Extended NAS-Port-Type and NAS-Port Support 16-45
NAS-Port-Type (RADIUS Attribute 61) 16-45
NAS-Port (RADIUS Attribute 5) 16-46
NAS-Port-ID (RADIUS Attribute 87) 16-46
Prerequisites for Extended NAS-Port-Type and NAS-Port Attributes Support 16-46
Configuring Extended NAS-Port-Type and NAS-Port Attributes Support 16-47
Verifying Extended NAS-Port-Type and NAS-Port-ID Attributes Support 16-49
Configuration Examples for Extended NAS-Port-Type Attribute Support 16-50
RADIUS Attribute 31: PPPoX Calling Station ID 16-51
Feature History for PPPoX Calling Station ID 16-51
Calling-Station-ID Formats 16-51
Restrictions for PPPoX Calling Station ID 16-52
Related Documents for PPPoX Calling Station ID 16-53
Configuration Tasks for PPPoX Calling Station ID 16-53
Configuring the Calling-Station-ID Format 16-53
Verifying the Calling-Station-ID 16-53
Configuration Example for PPPoX Calling Station ID 16-54
Related Commands for PPPoX Calling Station ID 16-55
RADIUS Packet of Disconnect 16-55
Feature History for RADIUS Packet of Disconnect 16-56
Benefits for RADIUS Packet of Disconnect 16-56
Restrictions for RADIUS Packet of Disconnect 16-56
Related Documents for RADIUS Packet of Disconnect 16-57
Prerequisites for RADIUS Packet of Disconnect 16-57
Configuration Tasks for RADIUS Packet of Disconnect 16-57
Configuring AAA POD Server 16-58
Verifying AAA POD Server 16-58
Monitoring and Maintaining AAA POD Server 16-59
Configuration Example for RADIUS Packet of Disconnect 16-59
CHAPTER
17 Cisco 10000 Series Router PXF Stall Monitor 17-61
Feature History of Cisco 10000 Series Router PXF Stall Monitor 17-61
Information about Cisco 10000 Series Router PXF Stall Monitor 17-61
Recovery Actions 17-63
Restrictions for Cisco 10000 Series Router PXF Stall Monitor 17-63
Configuring Cisco 10000 Series Router PXF Stall Monitor 17-64
Configuration Example of Cisco 10000 Series Router PXF Stall Monitor 17-65
CHAPTER
18 SSO-BFD 18-69
Feature History of SSO-BFD 18-69
Information about SSO-BFD 18-69
Enhanced Timers 18-70
BFD HA Process 18-70
Early Packet Send 18-70
Restrictions of SSO-BFD 18-71
Monitoring and Maintaining SSO-BFD 18-72
Configuration Examples of SSO-BFD 18-72
SSO-BFD with Static: Example 18-73
SSO-BFD with BGP: Example 18-75
SSO-BFD with EIGRP: Example 18-79
SSO-BFD with ISIS: Example 18-82
SSO-BFD with OSPF: Example 18-84
CHAPTER
19 Configuring Link Noise Monitoring 19-1
About Link Noise Monitoring 19-1
Feature History of Link Noise Monitoring 19-1
Restrictions for Link Noise Monitoring 19-1
Configuration Tasks for Link Noise Monitoring 19-2
Enabling Syslog Messages 19-3
Configuration Examples for Link Noise Monitoring 19-4
Example of LNM Configuration on a Line Card 19-4
Example of LNM Configuration on a Shared Port Adapter 19-5
Example of a Syslog Message 19-5
Verification Example for Link Noise Monitoring 19-5
CHAPTER
20 Configuring L2 Virtual Private Networks 20-1
Feature History for L2VPN 20-3
Supported L2VPN Transport Types 20-3
Prerequisites for L2VPN: AToM 20-4
Supported Line Cards 20-4
Restrictions for L2VPN 20-5
Standards and RFCs 20-5
MIBs 20-6
NSF and SSO—L2VPN 20-6
Checkpointing AToM Information 20-7
Checkpointing Troubleshooting Tips 20-7
Prerequisites for NSF/SSO - L2VPN 20-7
Neighbor Routers in the MPLS HA Environment 20-7
Stateful Switchover 20-7
Nonstop Forwarding for Routing Protocols 20-8
Restrictions for NSF/SSO - L2VPN 20-8
Configuring NSF/SSO - L2VPN 20-8
Configuration Examples of NSF/SSO—Layer 2 VPN 20-9
L2VPN Local Switching—HDLC/PPP 20-10
Prerequisites of L2VPN Local Switching—HDLC/PPP 20-10
Restrictions of L2VPN Local Switching—HDLC/PPP 20-10
PPP Like-to-Like Local Switching 20-10
HDLC Like-to-Like Local Switching 20-11
Configuration Tasks and Examples 20-11
Configuration Tasks for L2VPN 20-12
Setting Up the Pseudowire—AToM Circuit 20-12
Configuring ATM AAL5 SDU Support over MPLS 20-14
Verifying ATM AAL5 SDU Support over MPLS 20-14
Configuring ATM-to-ATM PVC Local Switching 20-14
Configuring OAM Cell Emulation for ATM AAL5 SDU Support over MPLS 20-15
Configuring OAM Cell Emulation for ATM AAL5 SDU Support over MPLS on PVCs 20-16
Configuring OAM Cell Emulation for ATM AAL5 SDU Support over MPLS in VC Class Configuration Mode 20-18
Configuring Ethernet over MPLS 20-19
Ethernet over MPLS Restrictions 20-20
Configuring Ethernet over MPLS in VLAN Mode 20-20
Configuring Ethernet over MPLS in Port Mode 20-21
IEEE 802.1Q Tunneling for AToM—QinQ 20-22
Prerequisites for IEEE 802.1Q Tunneling (QinQ) for AToM 20-23
Restrictions for IEEE 802.1Q Tunneling (QinQ) for AToM 20-23
Ethernet VLAN Q-in-Q AToM 20-23
Configuration Examples 20-25
Verifying QinQ AToM 20-25
Remote Ethernet Port Shutdown 20-25
Restrictions for Configuring Remote Ethernet Port Shutdown 20-26
Configuring Remote Ethernet Port Shutdown 20-26
Configuring Ethernet over MPLS with VLAN ID Rewrite 20-27
Configuring Frame Relay over MPLS 20-28
Configuring Frame Relay over MPLS with DLCI-to-DLCI Connections 20-28
Configuring Frame Relay over MPLS with Port-to-Port Connections 20-29
Enabling Other PE Devices to Transport Frame Relay Packets 20-30
Configuring Frame Relay-to-Frame Relay Local Switching 20-31
Configuring Frame Relay for Local Switching 20-32
Configuring Frame Relay Same-Port Switching 20-33
Verifying Layer 2 Local Switching for Frame Relay 20-34
Configuring QoS Features 20-34
Configuring HDLC and PPP over MPLS 20-36
Restrictions for HDLC over MPLS 20-36
Restrictions for PPP over MPLS 20-36
Configuring HDLC over MPLS or PPP over MPLS 20-36
Estimating the Size of Packets Traveling Through the Core Network 20-37
Estimating Packet Size—Example 20-38
Changing the MTU Size on P and PE Routers 20-38
Setting Experimental Bits with AToM 20-38
Configuring QoS Features 20-40
Monitoring and Maintaining L2VPN 20-43
Configuration Example—Frame Relay over MPLS 20-44
Any Transport over MPLS—Tunnel Selection 20-47
Configuration Example—Any Transport over MPLS: Tunnel Selection 20-47
CHAPTER
21 Configuring L2VPN Interworking 21-1
Bridged Interworking 21-1
Ethernet to VLAN—Bridged Interworking 21-2
Configuring L2VPN Interworking 21-2
Verifying the Configuration 21-3
Configuration Examples of Ethernet to VLAN—Bridged 21-3
Ethernet to VLAN over LS—Bridged: Example 21-4
Ethernet to VLAN over AToM—Bridged: Example 21-4
Routed Interworking 21-4
Restrictions for Routed Interworking 21-5
Ethernet/VLAN to ATM AAL5 Interworking 21-5
Prerequisites of Ethernet/VLAN to ATM AAL5 Interworking 21-6
Restrictions of Ethernet/VLAN to ATM AAL5 Interworking 21-6
ATM AAL5 to Ethernet Local Switching—Bridged Interworking 21-8
ATM AAL5 to VLAN 802.1Q Local Switching—Bridged Interworking 21-9
ATM AAL5 to Ethernet Port AToM—Bridged Interworking 21-9
ATM AAL5 to Ethernet VLAN 802.1Q AToM—Bridged Interworking 21-10
ATM to Ethernet—Routed Interworking 21-11
Configuration Tasks and Examples 21-12
Local Switching 21-12
AToM 21-14
Ethernet/VLAN to Frame Relay Interworking 21-17
Prerequisites of Ethernet/VLAN to Frame Relay Interworking 21-17
Restrictions for Ethernet/VLAN to Frame Relay Interworking 21-17
FR DLCI to Ethernet Local Switching—Bridged Interworking 21-19
FR DLCI to VLAN 802.1Q Local Switching—Bridged Interworking 21-20
FR DLCI to Ethernet Port AToM—Bridged Interworking 21-20
FR DLCI to Ethernet VLAN 802.1Q AToM—Bridged Interworking 21-21
Frame Relay to Ethernet—Routed Interworking 21-22
Configuration Tasks and Examples 21-23
Local Switching 21-23
AToM 21-24
ATM to Frame Relay—Routed Interworking 21-27
Configuration Tasks and Examples 21-28
Local Switching 21-28
AToM 21-29
Verifying L2VPN Interworking 21-30
CHAPTER
22 Configuring Multilink Point-to-Point Protocol Connections 22-1
Multilink Point-to-Point Protocol 22-1
Feature History for Multilink PPP 22-2
MLP Bundles 22-3
Restrictions for MLP Bundles 22-3 MLP Bundles and PPP Links 22-3 System Limits for MLP Bundles 22-4
Types of MLP Bundle Interfaces 22-4
MLP Groups 22-5
MLP Group Interfaces and Virtual Template Interfaces 22-6
How MLP Determines the Link a Bundle Joins 22-6
IP Addresses on MLP-Enabled Links 22-7
Valid Ranges for MLP Interfaces 22-8
MLP Overhead 22-9
Configuration Commands for MLP 22-9
interface multilink Command 22-9 ppp multilink Command 22-10 ppp multilink fragment-delay Command 22-10 ppp multilink interleave Command 22-11 ppp multilink fragment disable Command 22-12 ppp multilink group Command 22-12
MLP over Serial Interfaces 22-13
Performance and Scalability for MLP over Serial Interfaces 22-14 Restrictions and Limitations for MLP over Serial Interfaces 22-14
Single-VC MLP over ATM Virtual Circuits 22-15
Performance and Scalability for Single-VC MLP over ATM 22-15 Restrictions and Limitations for Single-VC MLP over ATM 22-15
Multi-VC MLP over ATM Virtual Circuits 22-16
Performance and Scalability for Multi-VC MLP over ATM VCs 22-17 Restrictions and Limitations for Multi-VC MLP over ATM VCs 22-17
MLP on LNS 22-18
About MLP on LNS 22-19 PPP multilink links max Command 22-21
Performance and Scalability of MLP on LNS 22-21 PXF Memory and Performance Impact for MLP on LNS 22-21
Scenario 1 22-22
Scenario 2 22-22 Restrictions and Limitations for MLP on LNS 22-23 Configuring MLP on LNS 22-24
MLPoE LAC Switching 22-24
Restrictions for MLPoE LAC Switching 22-24
MLPoE at PTA 22-25
ATM Overhead Accounting 22-26 Prerequisites of MLPoE at PTA 22-26 Restrictions of MLPoE at PTA 22-26 Memory and Performance Impact of MLPoE at PTA 22-27
MLP-Based Link Fragmentation and Interleaving 22-27
Configuring MLP Bundles and Member Links 22-27
Creating an MLP Bundle Interface 22-28
Configuration Example for Creating an MLP Bundle Interface 22-29 Enabling MLP on a Virtual Template 22-30
Configuration Example for Enabling MLP on a Virtual Template 22-31 Adding a Serial Member Link to an MLP Bundle 22-31 Adding an ATM Member Link to an MLP Bundle 22-32
Configuration Example for Adding ATM Links to an MLP Bundle 22-34 Moving a Member Link to a Different MLP Bundle 22-35 Removing a Member Link from an MLP Bundle 22-36 Changing the Default Endpoint Discriminator 22-37
Configuration Example for Changing the Endpoint Discriminator 22-37
Configuration Examples for Configuring MLP 22-38
Configuration Example for Configuring MLP over Serial Interfaces 22-38 Configuration Example for Configuring Single-VC MLP over ATM 22-38 Configuration Example for Configuring Multi-VC MLP over ATM 22-39 Configuration Example for MLP on LNS 22-39 Configuration Example for MLPoE LAC Switching 22-41 Configuration Examples of MLPoE at PTA 22-41
Configuring MLPoE over IEEE 802.1Q VLANs 22-42
Configuring MLPoE through RADIUS 22-42
Verifying and Monitoring MLP Connections 22-43
Bundle Counters and Link Counters 22-44 Verification Examples for MLP Connections 22-44
Verification Example for the show interfaces multilink Command 22-44
Verification Example for the show ppp multilink Command 22-45
Verification Example for the show interfaces multilink stat Command 22-46
Related Documentation 22-46
23 Configuring Gigabit EtherChannel Features 23-1
Feature History for Gigabit EtherChannel 23-2
Prerequisites for Gigabit EtherChannel Configuration 23-3
Restrictions for Gigabit EtherChannel Configuration 23-3
Configuring QoS Service Policies on GEC Interfaces 23-3
Restrictions for QoS Service Policies on GEC Bundles 23-5 Configuration Examples 23-5
Configuration Example for Using the VLAN Group Feature to Apply QoS on Member Links 23-5 Configuration Example for Applying QoS on GEC Bundle Subinterfaces 23-6
Configuring Policy Based Routing Support on a GEC Bundle 23-7
Restriction for Configuring PBR Support on a GEC Bundle 23-7
Configuring IEEE 802.1Q and QinQ Support on GEC Bundle 23-7
Prerequisites for Configuring IEEE 802.1Q and QinQ Support 23-7 Restrictions for Configuring IEEE 802.1Q and QinQ Support on GEC Bundle 23-7 Configuration Tasks for IEEE 802.1Q and QinQ on Subinterfaces 23-8 Configuration Examples 23-8
Configuring MVPN Support on GEC Bundle 23-9
Configuration Tasks and Examples 23-9
Configuring PPPoX Support on a GEC Bundle 23-9
Restrictions for Configuring PPPoX Support for GEC Bundle 23-9 Configuration Tasks 23-10 Configuration Examples 23-10
Configuring High Availability Support on GEC Bundle 23-11
Configuring 8 Member Links per GEC Bundle 23-11
Configuration Tasks 23-11
Configuring VLAN-Based Load Balancing 23-12
Restrictions for VLAN-Based Load Balancing 23-12 Configuration Tasks 23-13 Configuration Example 23-14
Configuration Example of VLAN-Based Load Balancing 23-14 Configuration Example for Applying VLAN QoS on GEC Bundle Subinterfaces 23-15 Configuration Example for Using the VLAN Group Feature to Apply QoS 23-16
24 Configuring IP Version 6 24-1
Feature History for IPv6 24-1
Supported Features 24-1
Limitations for IPv6 24-3
IPv6 Extended ACLs 24-4
Prerequisites 24-4 Restrictions 24-4 Configuring IPv6 Traffic Filtering 24-5
Creating and Configuring the IPv6 ACL 24-5
Applying the IPv6 ACL to an Interface 24-6
Verifying IPv6 ACLs 24-7 Create and Apply IPv6 ACL: Examples 24-8
25 Configuring Template ACLs 25-1
Feature History for Template ACLs 25-2
Configuration Tasks for Template ACLs 25-3
Configuring the Maximum Size of Template ACLs (Optional) 25-3 Configuring ACLs Using RADIUS Attribute 242 25-3
Monitoring and Maintaining the Template ACL Configuration 25-5
Configuration Examples for Template ACLs 25-5
access-list template Command 25-5
access-list template Command History 25-6
access-list template Command Modes 25-6
Usage Guidelines for the access-list template Command 25-6
Examples 25-6 show access-list template Command 25-6
show access-list template Command Modes 25-7
show access-list template Command History 25-7
Examples 25-7
26 Protecting the Router from DoS Attacks 26-1
IP Options Selective Drop 26-1
Feature History for IP Options Selective Drop 26-2
Restrictions for IP Options Selective Drop 26-2
How to Configure IP Options Selective Drop 26-2
Dropping Packets with IP Options 26-2 Verifying IP Options Packets 26-3
Configuration Examples for IP Options Selective Drop 26-3
Dropping IP Options Packets: Example 26-3 Verifying IP Options Handling: Example 26-4
Related Documentation 26-4
27 IP Tunneling 27-1
GRE Tunnel IP Source and Destination VRF Membership 27-1
Tunnel VRF 27-1 VRF-Aware VPDN Tunnels 27-2
Feature History for GRE Tunnel IP Source and Destination VRF Membership 27-2
Restrictions for GRE Tunnel IP Source and Destination VRF Membership 27-3
How to Configure GRE Tunnel IP Source and Destination VRF Membership 27-3
Configuring Tunnel VRF 27-3 Configuring VRF-Aware VPDN Tunnels 27-4
Configuration Examples 27-4
Configuration Example for Tunnel VRF 27-4 Configuration Examples for VRF-Aware VPDN Tunnels 27-5
APPENDIX A RADIUS Attributes A-1
RADIUS IETF Attributes A-1
Vendor-Proprietary RADIUS Attributes A-4
Vendor-Specific RADIUS IETF Attributes A-8
GLOSSARY
INDEX
About This Guide
This guide provides configuration information for features that are platform-specific to the Cisco 10000 series router. Documentation is also provided for cross-platform features that function differently on the Cisco 10000 series router than on other supported platforms.
Cross-platform features that function on the Cisco 10000 series router as they do on other supported platforms, and platform-independent features that are supported on the Cisco 10000 series router are described in the general Cisco IOS documentation.
This introduction provides information about the following topics:
Guide Revision History, page xxv
Audience, page xxx
Document Organization, page xxx
Document Conventions, page xxxii
Related Documentation, page xxxiii
Obtaining Documentation, Obtaining Support, and Security Guidelines, page xxxiv
Guide Revision History
Cisco IOS Release Part Number Publication Date
Release 12.2(33)XNE3 OL-2226-23 June, 2010
Added the features listed in the “New Features in Cisco IOS Release 12.2(33)XNE3” section on
page 1-16
Cisco IOS Release Part Number Publication Date
Release 12.2(33)XNE OL-2226-22 November, 2009
Added the features listed in the “New Features in Cisco IOS Release 12.2(33)XNE” section on page 1-16
Cisco IOS Release Part Number Publication Date
Release 12.2(33)SB3 OL-2226-21 December, 2008
Added the features listed in the “New Features in Cisco IOS Release 12.2(33)SB3” section on page 1-18
Cisco IOS Release Part Number Publication Date
Release 12.2(33)SB2 OL-2226-20 September, 2008
Added the features listed in the “New Features in Cisco IOS Release 12.2(33)SB2” section on page 1-18
Cisco IOS Release Part Number Publication Date
Release 12.2(33)SB OL-2226-19 September, 2008
Added the scaling limit of L4R sessions for PRE2, PRE3, and PRE4 in the Chapter 2, “Scalability and
Performance”
Cisco IOS Release Part Number Publication Date
Release 12.2(33)SB OL-2226-18 March, 2008
Removed Using PXF Commands and Configuring Layer 2 Local Switching chapters.
Added the features listed in the “New Features in Cisco IOS Release 12.2(33)SB” section on page 1-18.
Cisco IOS Release Part Number Publication Date
Release 12.2(31)SB5 OL-2226-17 April, 2007
Added the GRE Tunnel IP Source and Destination VRF Membership feature in Chapter 27, “IP
Tunneling.”
Added the “New Features in Cisco IOS Release 12.2(31)SB5” section on page 1-19.
Cisco IOS Release Part Number Publication Date
Release 12.2(31)SB3 OL-2226-16 February, 2007
Description
Added the features listed in the “New Features in Cisco IOS Release 12.2(31)SB3” section on page 1-19.
Cisco IOS Release Part Number Publication Date
Release 12.2(31)SB2 OL-2226-15 November, 2006
Description
Added the features listed in the “New Features in Cisco IOS Release 12.2(31)SB2” section on page 1-20.
Cisco IOS Release Part Number Publication Date
Release 12.2(28)SB OL-2226-14 July, 2006
Description
Added the features listed in the New Features in Cisco IOS Release 12.2(28)SB, page 1-21.
Cisco IOS Release Part Number Publication Date
Release 12.3(7)XI7 OL-2226-13 September, 2005
Description
Changed the Related Documentation link to the new Cisco 10000 Series Router Documentation
Roadmap
Added the features listed in the “New Features in Cisco IOS Release 12.3(7)XI7” section on page 1-25.
Removed the “pointer to a pointer” for the PPPoE Circuit-Tag Processing feature by removing a summary and a pointer from Chapter 16, Configuring RADIUS Features, and retaining only the pointer to the feature module in the
New Features in Cisco IOS Release 12.3(7)XI3, page 1-26.
Removed the restriction for non-support of SSG in Restrictions for IP Unnumbered on VLANs,
page 7-3.
Added support for the 1-Port Channelized OC-12/STM-4 line card in Restrictions for MR-APS,
page 14-21.
Removed Chapter 16, “IEEE 802.1Q-in-Q VLAN Tag Termination,” and added a pointer to the PPPoE—QinQ Support feature guide, located at the following URL. This document includes support for IPoQ-in-Q.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html
Relocated the remaining QoS features to the Cisco 10000 Series Router Quality of Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
The chapter references for the following relocated features refer to the Cisco 10000 Series Router Quality of Service Configuration Guide:
Class-based Weighted Fair Queuing—See “Sharing Bandwidth Fairly During Congestion”
Define Interface Policy-Map AV Pairs AAA—See “Configuring Dynamic Subscriber Services”
Dynamic Bandwidth Selection—See “Configuring Dynamic Subscriber Services”
Hierarchical Shaping—See “Shaping Traffic”
IP Quality of Service for Subscribers—See “Regulating Subscriber Traffic”
MPLS QoS—See “Configuring Quality of Service for MPLS Traffic”
MPLS Traffic Engineering—Diffserv Aware—See “Configuring Quality of Service for MPLS
Traffic”
Per VRF AAA (see Chapter 18, “Configuring Quality of Service for MPLS Traffic”)
Added feature histories and mini tables of contents for each feature in this guide.
Added the Static MAC Address for PPPoE feature in Chapter 6, “Configuring PPPoE over Ethernet and
IEEE 802.1Q VLAN”
Cisco IOS Release Part Number Publication Date
Release 12.3(7)XI6 OL-2226-10 June, 2005
Description
Corrected MR-APS configuration in Example 14-1.
Added output policing behavior on an LNS VAI (CSCee07016) in Restrictions for the LNS, page 5-28.
Corrected examples to show VLANs instead of ATM PVCs in Chapter 6, “Configuring PPPoE over
Ethernet and IEEE 802.1Q VLAN”.
Added a chapter to describe frequently-used show PXF commands in Chapter 23, “Using PXF Commands”.
Revised a note about mapping sessions to VRFs by using the RADIUS server in PPP over Ethernet to
MPLS VPN, page 3-5.
Added a description of PRE support on Cisco 10000 series routers in Hardware Requirements, page 1-1.
Cisco IOS Release Part Number Publication Date
Release 12.3(7)XI3 OL-2226-09 March, 2005
Description
Added the features listed in the “New Features in Cisco IOS Release 12.3(7)XI3” section on page 1-26.
Corrected scaling limits for active VCs on ATM line cards (CSCeg37235) in:
VC Scaling, page 2-8
Configuring atm pxf queuing, page 2-16
Restrictions for Hierarchical Shaping (moved to the Cisco 10000 Series Router Quality of Service
Configuration Guide)
ATM VC Scaling and VC Assignment, page 8-4
Restrictions for VBR-nrt Oversubscription, page 8-15
Changed the configurable ATM oversubscription factor range from 1-50 to 1-500 in Configuring
VBR-nrt Oversubscription, page 8-17
Corrected the restrictions for MPLS QoS to indicate that the set mpls experimental imposition topmost command is not supported.
Added a restriction for enabling IP multicast fast switching in Restrictions for IP Multicast, page 15-34
Changed the title of this guide to include MPLS configuration
Relocated QoS features to the Cisco 10000 Series Router Quality of Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
The chapter references for the following relocated features refer to the Cisco 10000 Series Router Quality of Service Configuration Guide:
Modular QoS CLI Overview—See “Quality of Service Overview.”
MQC Policy Map Support on Configured VC Range ATM—See “Attaching Service Policies.”
Strict Priority Queuing—See “Prioritizing Services.”
3-Color Policer—See “Policing Traffic.”
Percent-Based Policing—See “Policing Traffic.”
Queue Scaling—See “Managing Packet Queue Congestion.”
IEEE 802.1p Class of Service—See “Marking Traffic.”
Per DSCP Weighted Random Early Detection—See “Managing Packet Queue Congestion.”
Per Precedence Weighted Random Early Detection Statistics—See “Managing Packet Queue
Congestion.”
Weighted Random Early Detection with Queue Limit—See “Managing Packet Queue Congestion.”
VC Weighting—See “Oversubscribing Physical and Virtual Links.”
Dynamic ATM VP and VC Configuration Modification—See “Oversubscribing Physical and Virtual
Links.”
Interface Oversubscription—See “Oversubscribing Physical and Virtual Links.”
3-Level Hierarchical QoS Policies—See “Defining QoS for Multiple Policy Levels.”
Cisco IOS Release Part Number Publication Date
Release 12.3(7)XI2 OL-2226-08 November, 2004
Description
Added the features listed in the “New Features in Cisco IOS Release 12.3(7)XI2” section on page 1-26.
Added a scaling limitation for create on demand PVCs and PPP sessions in Limitations and Restrictions,
page 2-3
Changed the SAR page limit (CSCee59870) in ATM VC Scaling and VC Assignment, page 8-4
Added information about the behavior of high water mark and low water mark values used with VC weighting in High Water Mark and Low Water Mark Values (moved to the Cisco 10000 Series Router Quality of Service Configuration Guide)
Added a table indicating scaling limits for active VCs on ATM line cards in:
Configuring atm pxf queuing, page 2-16
Restrictions for Hierarchical Shaping (moved to the Cisco 10000 Series Router Quality of Service
Configuration Guide)
ATM VC Scaling and VC Assignment, page 8-4
Restrictions for VBR-nrt Oversubscription, page 8-15
Cisco IOS Release Part Number Publication Date
Release 12.3(7)XI1 OL-2226-07 August, 2004
Description
Added the new features listed in the “New Features in Cisco IOS Release 12.3(7)XI1” section on
page 1-26.
Audience
This guide is designed for system and network managers responsible for configuring broadband aggregation, leased-line, and MPLS services on the Cisco 10000 series router. The manager should be experienced using Cisco IOS software and be familiar with the operation of the Cisco 10000 series router.
Document Organization
This guide contains the following chapters:
| Chapter | Title | Description |
|---|---|---|
| Chapter 1 | Broadband Aggregation Overview | Lists new features and enhancements in each release; describes hardware requirements. Provides examples of broadband and leased-line architecture models. |
| Chapter 2 | Scalability and Performance | Describes limitations and restrictions, and how to configure the Cisco 10000 series router for high scalability. |
| Chapter 3 | Configuring Remote Access to MPLS VPN | Describes the Remote Access (RA) to MPLS VPN feature that allows the service provider to offer a scalable end-to-end VPN service to remote users. |
| Chapter 4 | Configuring Multiprotocol Label Switching | Describes MPLS-related features, such as BGP Multipath load sharing, Session Limit per VRF, and Half-duplex VRF. |
| Chapter 5 | Configuring Layer 2 Tunnel Protocol Access Concentrator and Network Server | Describes how to configure the Cisco 10000 series router as a Layer 2 Tunnel Protocol Access Concentrator (LAC) or as an L2TP Network Server (LNS). The managed LNS feature of the Cisco 10000 series router enables the router to assign a subscriber session to a VRF instance and route the session within the VRF to the destination network. |
| Chapter 6 | Configuring PPPoE over Ethernet and IEEE 802.1Q VLANs | Describes the PPPoE over Ethernet feature that enables direct connection to an Ethernet interface. Also describes the IEEE 802.1Q VLANs feature that enables the Cisco 10000 series router to support PPPoE over IEEE 802.1Q encapsulated VLANs using Gigabit Ethernet. |
| Chapter 7 | Configuring IP Unnumbered over VLAN | Describes the IP Unnumbered over VLAN feature that helps service providers to conserve IP address space for service provider configurations that include Ethernet VLAN subinterfaces. |
| Chapter 8 | Configuring ATM Permanent Virtual Circuit Autoprovisioning | Describes how to configure the ATM PVC autoprovisioning feature that enables DSL wholesale service providers to dynamically provision ATM service for subscribers using a local configuration. Also describes the VBR-nrt Oversubscription feature. |
| Chapter 9 | Configuring the Multihop Feature | Describes how to configure the multihop feature that enables the Cisco 10000 series router to terminate sessions arriving in L2TP tunnels from LACs and to forward the sessions through new L2TP tunnels to the router’s peer L2TP Network Server (LNS). Also describes how to configure the preservation of the IP type of service (ToS) field for tunneled IP packets. |
| Chapter 10 | Configuring Address Pools | Describes address assignment mechanisms, including the on-demand address pool manager feature and the overlapping addresses feature. Describes how to configure each of these features. |
| Chapter 11 | Configuring Local AAA Server, User Database—Domain to VRF | Describes the Local AAA Server, User Database—Domain to VRF feature, which extends the Cisco IOS AAA Authorization to local AAA profiles on the router without using an AAA Server. |
| Chapter 12 | Configuring Traffic Filtering | Describes the IP Receive ACLs and Time-Based ACLs features that provide filtering capability for traffic that is destined for the router and protects the router from remote intrusions. |
| Chapter 13 | Unicast Reverse Path Forwarding | Describes the Unicast Reverse Path Forwarding feature that verifies if the path of an incoming packet is consistent with the local packet forwarding information. The validity of this path determines whether uRPF passes or drops the packet. |
| Chapter 14 | Configuring Automatic Protection Switching | Describes the Multirouter Automatic Protection Switching (MR-APS) feature that enables SONET connections to switch from one SONET circuit to another SONET circuit if a circuit failure occurs. |
| Chapter 15 | Configuring IP Multicast | Describes the IP Multicast feature. |
| Chapter 16 | Configuring RADIUS Features | Describes the RADIUS attribute screening, RADIUS transmit retries, RADIUS Attribute 31: PPPoX Calling-Station-ID, and RADIUS packet of disconnect features. |
| Chapter 17 | Configuring L2 Virtual Private Networks | Describes L2VPN features of both LS and AToM types available on Cisco 10000 series router. |
| Chapter 18 | Configuring L2VPN Interworking | Describes L2 interworking features available on Cisco 10000 series router. |
| Chapter 19 | Configuring Multilink Point-to-Point Connections | Describes MLP and how to configure it on serial and ATM connections on the Cisco 10000 series router. |
| Chapter 20 | Configuring Gigabit EtherChannel Features | Describes Gigabit EtherChannel features available on Cisco 10000 series router. |
| Chapter 21 | Configuring IP Version 6 | Lists the IPv6 features that are supported on the Cisco 10000 series router and notes limitations of that support. |
| Chapter 22 | Configuring Template ACLs | Describes Template ACLs, in which one ACL represents many similar ACLs. |
| Chapter 23 | Protecting the Router from DoS Attacks | Describes how to protect against denial of service (DoS) attacks. |
| Chapter 24 | IP Tunneling | Describes the Generic Routing Encapsulation Tunnel IP Source and Destination VRF Membership feature. |
| Appendix A | RADIUS Attributes | Lists RADIUS attributes that the Cisco 10000 series router supports. |
This guide also includes a Glossary and an Index.
Document Conventions
This guide uses the following conventions:
Bold is used for commands, keywords, and buttons.
Italics are used for command input for which you supply values.
Screen font is used for examples of information that are displayed on the screen.
Bold screen font is used for examples of information that you enter.
Vertical bars ( | ) indicate separate alternative, mutually exclusive elements.
Square brackets ( [ ] ) indicate optional elements.
Braces ( {} ) indicate a required choice.
Braces within square brackets ( [{}] ) indicate a required choice within an optional element.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
guide.
Timesaver Means the described action saves time. You can save time by performing the action described in the
paragraph.
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Warning
Means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and familiar with standard practices for preventing accidents. To see translated versions of warnings, refer to the Regulatory Compliance and Safety Information document that accompanied the device.
Related Documentation
For more information about the Cisco 10000 series router, its features, and hardware, go to the Cisco 10000 series router documentation roadmap, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_documentation_roadmap09186a00804ba4f3.html
For information about Cisco IOS Release 12.2, including command reference and system error messages, go to the Cisco IOS Release 12.2 documentation web page, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/tsd_products_support_series_home.html
RFCs
RFC Title
RFC 791 Internet Protocol
RFC 1163 A Border Gateway Protocol (BGP)
RFC 1483 Multiprotocol Encapsulation over ATM
RFC 1490 Multiprotocol Interconnect over Frame Relay
RFC 1661 The Point-to-Point Protocol (PPP)
RFC 1990 The PPP Multilink Protocol (MP)
RFC 2373 IP Version 6 Addressing Architecture
RFC 2516 A Method for Transmitting PPP Over Ethernet (PPPoE)
RFC 2529 Transmission of IPv6 over IPv4 Domains without Explicit Tunnels
RFC 2661 Layer Two Tunneling Protocol "L2TP"
RFC 2685 Virtual Private Networks Identifier
RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 3036 LDP Specification
RFC 3107 Carrying Label Information in BGP-4
RFC 3587 IPv6 Global Unicast Address Format
RFC 4193 Unique Local IPv6 Unicast Addresses
RFC 4659 BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN
RFC 2684 Multiprotocol Encapsulation over ATM Adaptation Layer 5
RFC 2427 Multiprotocol Interconnect over Frame Relay
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
CHAPTER 1
Broadband Aggregation and Leased-Line Overview
The Cisco 10000 series router is a highly scalable and reliable IP edge platform, providing nonstop performance for service providers deploying IP services. With the rapid growth in broadband customers, the Cisco 10000 series router accommodates the service provider’s need for an expanding set of broadband aggregation features.
This chapter provides an overview of the broadband aggregation features available on the Cisco 10000 series router and includes the following topics:
Hardware Requirements, page 1-1
Broadband Architecture Models, page 1-2
Leased-Line Architecture Models, page 1-10
Load Balancing Architecture Models, page 1-13
New Features, Enhancements, and Changes, page 1-15
Hardware Requirements
The performance routing engine (PRE) performs all Layer 2 and Layer 3 packet manipulation related to routing and forwarding operations. Table 1-1 shows PRE support on Cisco 10000 series routers.
Table 1-1 PRE Support on Cisco 10000 Series Routers
| Chassis | ESR-PRE | PRE1 | PRE2 | PRE3 |
|---|---|---|---|---|
| Cisco 10005 | Yes | Yes | No | No |
| Cisco 10008 | Yes | Yes | Yes | Yes |
Checking Hardware and Software Compatibility
The PRE installed in the Cisco 10000 series router chassis must support the Cisco IOS software running on the router. Use the show version command to check the PRE version installed.
To see if a feature is supported by a Cisco IOS release, to locate the software document for that feature, or to check the minimum software requirements of Cisco IOS software with the hardware installed on your router, Cisco maintains the Software Advisor tool on Cisco.com at
http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl
You must be a registered user on Cisco.com to access this tool.
Broadband Architecture Models
This section shows broadband models for the following architectures:
PPP termination and aggregation (PTA) for PPPoA or PPPoE
PTA to virtual routing and forwarding (VRF)
PTA to Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN)
L2TP network server (LNS)
L2TP to VRF
L2TP over MPLS to VRF
L2TP access concentrator (LAC)
Routed bridge encapsulation (RBE)
RBE to VRF
RBE to MPLS VPN
PPP Termination and Aggregation Architectures
Figure 1-1 shows a PPP termination and aggregation (PTA) model for PPP over ATM (PPPoA) or PPP
over Ethernet (PPPoE) sessions.
Figure 1-1 PTA Architectural Model (diagram labels: clients, ATM network, PPPoX and PPPoE sessions over OC-3/OC-12 ATM, Cisco 10000 ESR, routed subscribers, AAA servers, EMS/NMS, GigEthernet or OC-12 POS IP routed traffic, ISP/corporate network)
In the figure, an ATM network (with no routing capability) is between the clients and the Cisco 10000 series router. Each client session arrives on a VC (multiple sessions and PCs can use this single VC). The IP traffic of the client is encapsulated in PPPoX. The Cisco 10000 series router terminates the PPP sessions and routes the client data packets toward their final destination, typically onto the ISP or corporate network.
Note PPPoX refers to either PPPoA or PPPoE.
PTA to Virtual Routing and Forwarding Architecture
Figure 1-2 shows a PPP termination and aggregation (PTA) to virtual routing and forwarding (VRF)
model for PPPoA or PPPoE sessions.
Figure 1-2 PTA to VRF Architectural Model (diagram labels: CPE, ATM access network, PPPoX sessions, Cisco 10000 ESR with VRF 1 through VRF n, wholesale provider, retail providers 1 through n)
In this model, the Cisco 10000 series router terminates the sessions and places the sessions in the appropriate VRF. This model is identical to the one in Figure 1-3 on the access side. However, the two models differ on the network side. The model in Figure 1-2 uses VRFs, does not use a tag interface on the network side, and separates traffic at Layer 2. The “PTA to MPLS VPN Architectural Model” in Figure 1-3 uses MPLS and a tag interface, and separates traffic at Layer 3.
PTA to Multiprotocol Label Switching Virtual Private Network Architecture
Figure 1-3 shows an MPLS VPN model for PPPoA or PPPoE sessions.
Figure 1-3 PTA to MPLS VPN Architectural Model
In the figure, PPPoX sessions are placed in the proper virtual routing and forwarding (VRF) instance based on the virtual template to which they map. This model is identical to the one in Figure 1-2 on the access side. However, the two models differ on the network side. The model in Figure 1-3 uses MPLS and a tag interface on the network side and separates traffic at Layer 3. The “PTA to VRF Architectural Model” in Figure 1-2 uses VRFs, does not use a tag interface, and separates traffic at Layer 2.
L2TP Architectures
Figure 1-4 shows an L2TP network server (LNS) model.
Figure 1-4 LNS Architectural Model
In the figure, the clients and the LACs exchange PPP packets that are typically encapsulated in PPPoA or PPPoE and typically carried on ATM circuits. However, the protocols used between the clients and the LAC do not affect LNS requirements. The LAC creates L2TP tunnels to all of the LNSs at which its clients want to terminate. Multiple tunnels might exist between each LAC and each LNS. For each client PPP session, the LAC signals the LNS to add another session to a tunnel. The LAC forwards all traffic to the LNS, including the PPP control traffic. The LNS terminates the PPP sessions and routes any client IP packets on to the ISP or corporate network toward their final destination. The LNS performs authentication, authorization, and accounting (AAA) actions on the PPP sessions.
L2TP to Virtual Routing and Forwarding Architecture
Figure 1-5 shows an L2TP to VRF model.
Figure 1-5 L2TP to VRF Architectural Model
In this model, the Cisco 10000 series router acts as the LNS with VRF 1 and VRF 2 configured on the router. PPPoX sessions are placed in an L2TP tunnel and terminated at the LNS where they are placed in the appropriate VRF.
L2TP over MPLS to Virtual Routing and Forwarding Instance
Figure 1-6 shows PPP in L2TP tunneled traffic transported over an MPLS tag interface to the wholesale LNS provider.
Figure 1-6 L2TP over MPLS to VRF Architectural Model
The LNS encapsulates the PPP in L2TP sessions in IP packets and forwards them to the retail LNS providers, placing the sessions for each provider in separate VRFs.
L2TP Access Concentrator Architecture
Figure 1-7 shows an L2TP access concentrator (LAC) model.
Figure 1-7 LAC Topology
In the figure, wholesale providers tunnel subscriber PPP sessions to the retail provider. PPP in L2TP
sessions are encapsulated in IP packets and forwarded over any IP transport network.
Routed Bridge Encapsulation Architectures
Figure 1-8 shows a routed bridge encapsulation (RBE) model.
Figure 1-8 RBE Architectural Model
In the figure, an ATM network (with no routing capability) is between the clients and the Cisco 10000 series router. Each client session arrives on a VC (multiple sessions and PCs can use this single VC). IP traffic of the client is encapsulated in RBE. The Cisco 10000 series router processes ARP or DHCP requests and routes the client data packets toward their final destination, typically onto the ISP or corporate network.
RBE to Virtual Routing and Forwarding Architecture
Figure 1-9 shows an RBE to VRF model.
Figure 1-9 RBE to VRF Topology
In the figure, the wholesale provider uses physical or logical interfaces to separate the subscribers of different retail providers. On the access side, the subscribers are uniquely placed in VRFs. A separate physical or logical interface to each retail provider separates traffic for the different retail providers on the network side.
RBE to Multiprotocol Label Switching Virtual Private Network Architecture
Figure 1-10 shows an RBE to MPLS VPN model.
Figure 1-10 RBE to MPLS VPN Topology
In the figure, the wholesale provider uses VPNs to separate the subscribers of different retail providers. On the access side, the subscribers are uniquely placed in VRFs. A tag interface separates traffic for the different retail providers on the network side. The MPLS VPN technology is used to assign tags in a VPN-aware manner.
Leased-Line Architecture Models
This section shows leased-line models for the following architectures and applications:
Channelized aggregation
Frame Relay aggregation
ATM aggregation
Ethernet aggregation
MPLS provider edge application
Combined Broadband and Leased-Line applications
Channelized Aggregation
The Cisco 10000 series router allows the aggregation of low-speed, very-high-density leased-line circuits by using channelized interfaces.
Figure 1-11 shows an example of channelized architecture.
Figure 1-11 Channelized Architecture
In a typical Cisco 10000 series router application, the provider usually situates the aggregator in a centrally located POP and backhauls individual customer connections from central offices across the SONET/SDH networks. Add-drop multiplexers at either end of the optical network provide aggregation of low-speed customer connections (T1/E1) and aggregation into higher-order optical interfaces in the central POP. Numerous IP services are supported over channelized interfaces, including IP QoS, ACLs, IP multicast, and security services.
Frame Relay Aggregation
Many service providers offer IP Internet access and VPN products over existing Frame Relay access networks. Frame Relay packet-switched networks allow flexibility to allocate resources based on traffic profiles. When aggregating Frame Relay circuits, the Cisco 10000 series router is usually located in a central POP and connects to local switch nodes through copper or optical interfaces. Typically, these connections are implemented with nonchannelized interfaces. Frame Relay data-link connection identifiers (DLCIs) are terminated on the Cisco 10000 series router with customer IP traffic routed through the core network. Frame Relay encapsulation is supported on many interfaces, including channelized and nonchannelized modules. Numerous Frame Relay options and services are supported on the platform, including traffic shaping and QoS.
Figure 1-12 shows an example of Frame Relay architecture.
Figure 1-12 Frame Relay Architecture
ATM Aggregation
ATM is used in many incumbent local exchange carrier (ILEC) and PTT access networks, and many providers use the technology as the foundation for multiservice platforms. ATM can be used to provide transport services for many applications, including backhaul for DSL services and leased-line emulation for Internet and VPN services.
Figure 1-13 shows an example of ATM architecture.
Figure 1-13 ATM Architecture
When used as an ATM aggregator, the Cisco 10000 series router is usually placed in a central POP and connected to a local ATM switching node through optical interfaces. ATM virtual circuits are terminated on the device, and customer IP traffic destined for the Internet or VPN is routed onto the core network.
The Cisco 10000 series router supports ATM classes of service (CoSs), including UBR, UBR+, VBR-nrt, and CBR with extensive IP QoS to ATM CoS interworking. The ATM feature set includes accurate and scalable traffic shaping as well as operations, administration, and maintenance (OAM) facilities.
Ethernet Aggregation
Many enterprise customers use Ethernet technology for the “hub” site within a VPN network. “Spoke” sites are generally connected to the service provider infrastructure with lower speed fixed circuits. Customer connections are usually defined as 802.1Q virtual LAN (VLAN) logical interfaces under the main Ethernet interface. The Cisco 10000 series router supports both Gigabit and Fast Ethernet interfaces with many IP services, including QoS and ACLs.
Figure 1-14 shows an example of Ethernet architecture.
Figure 1-14 Ethernet Architecture
MPLS Provider Edge Applications
MPLS technology has allowed providers to target small to medium-sized businesses for outsourced VPN services. The “build once, sell many” approach of the network design provides scalability and flexibility with respect to VPN products and services. MPLS provider edge functions and associated features and services are offered on the Cisco 10000 series router, spanning all interfaces and encapsulations from low-speed broadband to traditional leased-line applications to high-speed Ethernet.
Figure 1-15 shows an example of MPLS architecture.
Figure 1-15 MPLS Architecture
Combined Broadband and Leased-Line Applications
The demarcation between leased-line and broadband applications has become less clear over the past few years. DSL circuits are competing in the traditional leased-line space, with many service providers offering Internet and VPN services over these lower-cost alternatives to dedicated TDM. The role of the leased-line aggregator has expanded to include the termination of many traditional broadband interfaces and encapsulations. Combining leased-line and business-class DSL access is one option that many providers are introducing to reduce costs and consolidate the number of edge products.
Figure 1-16 shows an example of combined broadband and leased-line architecture.
Figure 1-16 Combined Broadband and Leased-Line Architecture
Load Balancing Architecture Models
This section describes how the Cisco 10000 series router load balances traffic in various network topologies. The scenarios apply to a Cisco 10000 series router with a PRE2.
IP and MPLS Applications
Figure 1-17 shows a simple network topology that uses IP or basic MPLS forwarding. It does not include
MPLS VPN routes. There are multiple outgoing paths from the R1 router to the R2 router. Load balancing is achieved by populating multiple paths in the PXF. On a Cisco 10000 series router, load balancing is supported on a maximum of eight unique paths.
Figure 1-17 IP and MPLS Load Balancing
You can set load balancing to work per-destination or per-packet. For per-destination load balancing, the packet arrives at R1 and the hash value is computed based on the source IP address, destination IP address, and router ID. The PXF has a proprietary algorithm to select a path based on the number of total paths available.
Per-packet load balancing allows data traffic to be evenly distributed in an IP network over multiple equal-cost connections. Per-packet load balancing uses round-robin techniques to select the output path without basing the choice on the packet content.
Single Ingress and Single Egress Provider Edge Applications
Figure 1-18 shows the provider edge 1 (PE1) router with three Interior Gateway Protocol (IGP) routes into
the core. Load balancing from customer edge 1 (CE1) to CE2 occurs on the PE1 router into different paths. There is a single path for all destination prefixes on CE2 and a separate path for all destination prefixes on CE4.
Figure 1-18 Single Ingress and Single Egress PE Load Balancing
For each destination prefix on a destination CE that requires a unique label switched path (LSP), the outgoing IGP path is selected in round-robin fashion. When there are multiple IGP paths from the ingress PE to the egress PE, the outgoing IGP path is chosen statically upon processing by the PXF. For different destination prefixes, path selection is round-robin and each destination prefix has only one path. All destination IP addresses mapping to the same destination prefix take the same path.
When there are multiple destination prefixes, traffic is load balanced across the IGP paths. With only one or a few destination prefixes, traffic is not load balanced across the IGP paths, and this behavior is the same whether load balancing is configured per-destination or per-packet.
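The three selection behaviours described in the IP/MPLS and single-ingress PE sections above, as an added Python illustration that is not Cisco code. SHA-256 modulo the path count stands in for the undocumented proprietary PXF hash, and the class names, path names and addresses are constructed for the example.

```python
"""Per-destination, per-packet and per-prefix path selection (illustration)."""
import hashlib
import ipaddress
from collections import Counter
from itertools import cycle

MAX_PATHS = 8  # per the text: at most eight unique paths are used


def usable_paths(paths):
    """Keep only the paths that can be used (the first eight offered)."""
    paths = list(paths)
    if not paths:
        raise ValueError("at least one path is required")
    return paths[:MAX_PATHS]


def per_destination_path(src, dst, router_id, paths):
    """Hash source IP, destination IP and router ID, then index the path list.

    Assumption: SHA-256 modulo the path count stands in for the proprietary
    PXF selection algorithm, which the guide does not document.
    """
    paths = usable_paths(paths)
    key = b"".join(ipaddress.ip_address(a).packed for a in (src, dst, router_id))
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return paths[bucket % len(paths)]


class PerPacketBalancer:
    """Round-robin over the paths; the packet content is never inspected."""

    def __init__(self, paths):
        self._next_path = cycle(usable_paths(paths))

    def path_for(self, _packet=None):
        return next(self._next_path)


class PrefixBalancer:
    """PE case: each destination prefix gets one IGP path, assigned
    round-robin when the prefix is installed and fixed afterwards."""

    def __init__(self, paths):
        self._next_path = cycle(usable_paths(paths))
        self._path_by_prefix = {}

    def install(self, prefix):
        net = ipaddress.ip_network(prefix)
        if net not in self._path_by_prefix:
            self._path_by_prefix[net] = next(self._next_path)
        return self._path_by_prefix[net]

    def path_for(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self._path_by_prefix if addr in n]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return self._path_by_prefix[max(matches, key=lambda n: n.prefixlen)]


def spread(select, destinations):
    """Count how many packets each path carries for the given destinations."""
    return Counter(select(d) for d in destinations)


# Constructed sample data: three IGP paths and hosts behind CE prefixes.
IGP_PATHS = ["igp-1", "igp-2", "igp-3"]
ONE_PREFIX_HOSTS = [f"10.1.1.{i}" for i in range(1, 61)]
MANY_PREFIX_HOSTS = [f"{net}.1.1.{i}" for net in (10, 20, 30) for i in range(1, 21)]


def demo():
    results = {}
    # Per-packet: even split regardless of destination.
    per_packet = PerPacketBalancer(IGP_PATHS)
    results["per_packet"] = spread(per_packet.path_for, ONE_PREFIX_HOSTS)
    # Per-destination: one flow always hashes to the same path.
    results["per_destination"] = spread(
        lambda d: per_destination_path("192.0.2.10", d, "198.51.100.1", IGP_PATHS),
        ONE_PREFIX_HOSTS,
    )
    # PE with a single destination prefix: everything rides one IGP path.
    one = PrefixBalancer(IGP_PATHS)
    one.install("10.1.1.0/24")
    results["pe_one_prefix"] = spread(one.path_for, ONE_PREFIX_HOSTS)
    # PE with several prefixes: prefixes, not packets, are spread over paths.
    many = PrefixBalancer(IGP_PATHS)
    for prefix in ("10.1.1.0/24", "20.1.1.0/24", "30.1.1.0/24"):
        many.install(prefix)
    results["pe_many_prefixes"] = spread(many.path_for, MANY_PREFIX_HOSTS)
    return results


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:18} {dict(counts)}")
```

The single-prefix PE case is the one to watch in capacity planning: all 60 constructed destinations land on one IGP path, whichever balancing mode is configured.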
Single Ingress and Two Egress Provider Edge Applications
Figure 1-19 shows the routing of packets from CE1 to CE2 using the PE1 router. There are multiple paths
for the destination prefixes on CE2. Load balancing occurs in the PXF of PE1.
Figure 1-19 Single Ingress and Two Egress PE Load Balancing
You can set load balancing to work per-destination or per-packet. For per-destination load balancing, the packet arrives at the core router and the hash value is computed based on the source IP address, destination IP address, and router ID. The PXF has a proprietary algorithm to select a path based on the number of total paths available.
Per-packet load balancing allows data traffic to be evenly distributed in an IP network over multiple equal-cost connections. Per-packet load balancing uses round-robin techniques to select the output path without basing the choice on the packet content.
Multiple Ingress and Multiple Egress Provider Edge Applications
Figure 1-20 shows multiple IGP paths from PE to PE for iBGP paths into the PE2 router. The theoretical load balance is eight IGP paths multiplied by eight iBGP paths for a total of 64 possible unique paths. The Cisco 10000 series router supports eight unique paths. The “Single Ingress and Single Egress Provider Edge Applications” section on page 1-14 describes the path selection for this model.
Figure 1-20 Multiple Ingress and Multiple Egress PE Load Balancing
New Features, Enhancements, and Changes
The following sections describe features that are new, enhanced, or changed for the specified Cisco IOS software releases:
New Features in Cisco IOS Release 12.2(33)XNE3
New Features in Cisco IOS Release 12.2(33)XNE
New Features in Cisco IOS Release 12.2(33)SB3
New Features in Cisco IOS Release 12.2(33)SB2
New Features in Cisco IOS Release 12.2(33)SB
New Features in Cisco IOS Release 12.2(31)SB5
New Features in Cisco IOS Release 12.2(31)SB3
New Features in Cisco IOS Release 12.2(31)SB2
New Features in Cisco IOS Release 12.2(28)SB1
New Features in Cisco IOS Release 12.2(28)SB
New Features in Cisco IOS Release 12.3(7)XI7
New Features in Cisco IOS Release 12.3(7)XI3
New Features in Cisco IOS Release 12.3(7)XI2
New Features in Cisco IOS Release 12.3(7)XI1
New Features in Cisco IOS Release 12.2(33)XNE3
In Cisco IOS Release 12.2(33)XNE3, support was added on the Cisco 10000 series router for the following feature:
AAA: Suppress System Accounting on Switchover
For more information on the command used to enable or disable this feature after a PRE switchover, see the section “Suppressing System Accounting Records over Switchover” in the Configuring Accounting feature guide at the following link:
http://www.cisco.com/en/US/docs/ios/ios_xe/sec_user_services/configuration/guide/sec_cfg_accountg_xe.html#wp1058929
New Features in Cisco IOS Release 12.2(33)XNE
In Cisco IOS Release 12.2(33)XNE, support was added on the Cisco 10000 series router for the following features:
Cisco 10000 Series Router PXF Stall Monitor
For more information, see Cisco 10000 Series Router PXF Stall Monitor, page 17-61
SSO-BFD
For more information, see SSO-BFD, page 18-69
Link Noise Monitoring
For more information, see Configuring Link Noise Monitoring, page 19-1
Routed Interworking
For more information, see Routed Interworking, page 21-4
MLPoE at PTA
For more information, see MLPoE at PTA, page 22-25
VLAN-Based Load Balancing
For more information, see Configuring VLAN-Based Load Balancing, page 23-12
SSO - MPLS VPN 6VPE & 6PE SSO support
For more information, see the NSF/SSO and ISSU - MPLS VPN 6VPE and 6PE guide at the following link:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_6vpe_6pe_issu_sso.html
ISSU - MPLS VPN 6VPE & 6PE ISSU support
For more information, see the NSF/SSO and ISSU - MPLS VPN 6VPE and 6PE guide at the following link:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_6vpe_6pe_issu_sso.html
BGP IPv6 Graceful Restart
For more information, see the Implementing Multiprotocol BGP for IPv6 guide at the following link:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-mptcl_bgp.html
BGP Support for 4-byte ASN
For more information, see the following guides at:
Configuring a Basic BGP Network
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_basic_net.html
Connecting to a Service Provider Using External BGP
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_external_sp.html
BGP per Neighbor SoO Configuration
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_neighbor_soo.html
Cisco BGP Overview
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_overview.html
OSPFv3 Graceful Restart
For more information, see the OSPFv3 Graceful Restart section in the Implementing OSPF for IPv6 guide at the following link:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ospf.html
MPLS & LDP over Multilink Frame Relay
For more information, see the following guides at:
Multilink Frame Relay (FRF.16.1)
http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_ml_fr_frf161.html
Any Transport over MPLS
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport.html
Configuring Layer 3 VPNs
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_cfg_layer3_vpn.html
IS-IS - MPLS LDP Autoconfiguration
For more information, see the MPLS LDP Autoconfiguration guide at the following link:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_autoconfig.html
New Features in Cisco IOS Release 12.2(33)SB3
In Cisco IOS Release 12.2(33)SB3, support was added on the Cisco 10000 series router for the following feature:
IGP Convergence Acceleration
For more information, see IGP Convergence Acceleration, page 4-3
New Features in Cisco IOS Release 12.2(33)SB2
In Cisco IOS Release 12.2(33)SB2, support was added on the Cisco 10000 series router for the following features:
MLP at LNS with ATM Tunnel
For more information, see MLP on LNS, page 22-18
MLPoE LAC Switching
For more information, see MLPoE LAC Switching, page 22-24
New Features in Cisco IOS Release 12.2(33)SB
In Cisco IOS Release 12.2(33)SB, support was added on the Cisco 10000 series router for the following features:
Unicast Reverse Path Forwarding (uRPF)
For more information, see Chapter 13, “Unicast Reverse Path Forwarding”
Any Transport over MPLS (AToM): Tunnel Selection
For more information, see the “Any Transport over MPLS—Tunnel Selection” section on
page 20-47
L2VPN Interworking: Ethernet/VLAN to ATM AAL5
For more information, see the “Ethernet/VLAN to ATM AAL5 Interworking” section on page 21-5
L2VPN Interworking: Ethernet/VLAN to Frame Relay
For more information, see the “Ethernet/VLAN to Frame Relay Interworking” section on
page 21-17
IPv6 VPN over MPLS (6VPE)
For more information, see the “IPv6 VPN over MPLS” section on page 4-7
Any Transport over MPLS (AToM): Remote Ethernet Port Shutdown
For more information, see the “Remote Ethernet Port Shutdown” section on page 20-25
NSF / SSO - Any Transport over MPLS (AToM)
For more information, see the “NSF and SSO—L2VPN” section on page 20-6
L2VPN Local Switching--HDLC/PPP
For more information, see the “L2VPN Local Switching—HDLC/PPP” section on page 20-10
MLP at LNS
For more information, see the “MLP on LNS” section on page 22-18
IEEE 802.1Q Tunneling (QinQ) for AToM
For more information, see the “IEEE 802.1Q Tunneling for AToM—QinQ” section on page 20-22
IGP Convergence Acceleration
This feature allows faster failover of IGP routes in load-balanced situations.
Gigabit EtherChannel-Enhancements
For more information, see Chapter 23, “Configuring Gigabit EtherChannel Features”
ISG:Flow Control: Flow redirect (PXF scaling)
For more information, see the “Layer 4 Redirect Scaling” section on page 2-5
VRF-Aware VPDN Tunnels
This feature places broadband traffic in a VRF based on the VPDN group. This allows more flexible DSL service at the L2TP network server (LNS).
New Features in Cisco IOS Release 12.2(31)SB5
In Cisco IOS Release 12.2(31)SB5, support was added for the following features:
Generic Routing Encapsulation (GRE) Tunnel IP Source and Destination VRF Membership
For more information, see the “GRE Tunnel IP Source and Destination VRF Membership” section on page 27-1.
Per Session Queuing and Shaping for PPPoE Over VLAN Using RADIUS
For more information, see the “Shaping PPPoE Over VLAN Sessions Using RADIUS” section in the “Configuring Dynamic Subscriber Services” chapter of the Cisco 10000 Series Router Quality of Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
New Features in Cisco IOS Release 12.2(31)SB3
In Cisco IOS Release 12.2(31)SB3, support was added on the Cisco 10000 series router for the following features and functionality:
IS-IS-MIB
For more information, see the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122sg25/ismibspt.htm
QoS: MQC Classification, Policing, and Marking on LAC
Note Support for this feature on the PRE3 was introduced in Cisco IOS Release 12.2(31)SB2.
For detailed information about this feature, see the “Shaping Traffic” chapter in the Cisco 10000 Series Router Quality of Service Configuration Guide, located at the following URL:
http://cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
TCP MSS Adjust
For more information, see the “Configuring PPPoE over Ethernet and IEEE 802.1Q VLAN” chapter in the Cisco 10000 Series Router Broadband Aggregation, Leased-Line, and MPLS Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00804d45ca.html
New Features in Cisco IOS Release 12.2(31)SB2
In Cisco IOS Release 12.2(31)SB2, support was added on the Cisco 10000 series router for the following features and functionality:
ACL - Template ACL/12 Bit ACE
For more information, see the “Configuring Template ACLs” section on page 25-1.
Frame Relay - Multilink (MLFR-FRF.16)
For more information, see the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a9e.html
IEEE 802.1Q-in-Q VLAN Tag Termination
Support was added for the PRE3. For more information, see the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html
IP Options Selective Drop
For more information, see the “Protecting the Router from DoS Attacks” section on page 26-1.
IPv6 Services: Extended Access Control Lists
For more information, see the “IPv6 Extended ACLs” section on page 24-4.
L2TP Domain Screening
For more information, see the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00805a0782.html
L2VPN Interworking — Ethernet to VLAN Interworking
For more information, see the “Ethernet to VLAN—Bridged Interworking” section on page 21-2.
MLPPP - Multilink PPP
Support was added for the PRE3, and the valid multilink interface values on the PRE2 and PRE3 for MLP over Serial and Multi-VC MLP over ATM changed from the range 1 to 9999 (Release 12.2(28)SB and later) to the ranges 1 to 9999 and 65,536 to 2,147,483,647. For more information, see the “Configuring Multilink Point-to-Point Protocol Connections” section on page 22-1.
MPLS VPN-VRF Selection based on Source IP Address
For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122sz/12214sz/122szvrf.htm
Multicast VPN Extranet Support
For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb31/extvpnsb.htm
Multicast VPN Extranet VRF Select
For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb31/sbmexsel.htm
NSF/SSO (Nonstop Forwarding with Stateful Switchover)
Support was added for the PRE3. For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s20/fsnsf20s.htm
QoS - Policing Support for GRE Tunnels
For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb31/grepol.htm
SSO - Multilink Frame Relay
For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s20/fssso20s.htm
VRF-Aware VPDN Tunnels
For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb28/sbvpdnmh.htm
New Features in Cisco IOS Release 12.2(28)SB1
IEEE 802.1Q-in-Q VLAN Tag Termination in the PPPoE—QinQ Support feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html
New Features in Cisco IOS Release 12.2(28)SB
The following features are new on the Cisco 10000 series router in Cisco IOS Release 12.2(28)SB:
AAA CLI Stop Record Enhancement in the Per VRF AAA feature guide, located at the following
URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080518ac1.html
Any Transport Over MPLS: Frame Relay over MPLS (FRoMPLS) in Chapter 20, “Configuring L2
Virtual Private Networks”
Cisco 10000 series router 4-Port Channelized T3 Half-Height line card (new line card) in the
following guides:
Cisco 10000 Series Router Line Card Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a008071145e.html
Cisco 10000 Series Router Line Card Hardware Installation Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_installation_guide_book09186a00804c9489.html
Cisco 10000 series 4-Port OC-3/STM-1c ATM line card (long reach optics added to the existing line card) in the Cisco 10000 Series Router Line Card Hardware Installation Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_installation_guide_book09186a00804c9489.html
Commands:
Changes to show pxf command output.
New commands (pos flag s1-byte tx and pos flag s1-byte rx-communicate) for Packet Over SONET and ATM line cards in the Cisco 10000 Series Router Line Card Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a008071145e.html
Changes to the show running vrf command in the MPLS VPN—Show Running VRF feature guide, located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a00805f236c.html
New command for providing policy map information in the QoS: Enhanced Show Commands for Active Policies feature guide, located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a0080610cc8.html
Define Interface Policy-Map AV Pairs AAA in the Define Interface Policy-Map AV Pairs AAA
feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a0080335ed5.html
Frame Relay PVC Interface Priority Queueing in the Cisco 10000 Series Router Quality of Service
Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Hierarchical Input Policing in the Cisco 10000 Series Router Quality of Service Configuration
Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
IGMPv3 in the “Configuring IGMP Version 3” section in the “Configuring IP Multicast Routing”
chapter of “Part 3: IP Multicast” of the Cisco IOS IP Configuration Guide, Release 12.2.
In Service Software Upgrade (ISSU) in the Cisco IOS In Service Software Upgrade and Enhanced
Fast Software Upgrade Process feature guide, located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a008063c6e7.html
Intelligent Service Architecture features in the Intelligent Service Gateway (ISG) Configuration
Library, located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a008064ec11.html
IP SLAs—LSP Health Monitor in the IP SLAs—LSP Health Monitor feature guide, located at the
following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a0080528450.html
IPv6 in Chapter 24, “Configuring IP Version 6”
L2TP Congestion Avoidance in the L2TP Congestion Avoidance feature guide, located at the
following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a00805f040e.html
Layer 2 Local Switching in Chapter 20, “Configuring L2 Virtual Private Networks”
Link Fragmentation Interleave Over Frame Relay (FRF.12) in the Cisco 10000 Series Router Quality
of Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Logging to Local Non-Volatile Storage (ATA Disk) in the Syslog Writing to Flash feature guide,
located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a0080611212.html
MLP Connections in Chapter 22, “Configuring Multilink Point-to-Point Protocol Connections”
MLPPP with Link Fragmentation Interleave (LFI) in the Cisco 10000 Series Router Quality of
Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
MPLS Carrier Supporting Carrier (also known as MPLS VPN—Carrier Supporting Carrier) in the
following feature guides. These guides are located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guides_list.html
LDP: MPLS VPN—Carrier Supporting Carrier
BGP: MPLS VPN—Carrier Supporting Carrier—IPv4 BGP Label Distribution
MPLS Embedded Management—LSP Ping/Traceroute and AToM VCCV in the MPLS Embedded
Management—LSP Ping/Traceroute and AToM VCCV feature guide, located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a008063d009.html
MPLS Egress Netflow Accounting in the MPLS Egress Netflow Accounting feature guide, located
at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a0080611269.html
MPLS High Availability Overview in the MPLS High Availability: Overview feature guide, located
at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00805ad326.html
Note In Cisco IOS Release 12.2(28)SB, the Cisco 10000 series router supports Route Processor
Redundancy Plus (RPR+) and Stateful Switchover (SSO). However, for broadband aggregation features the router supports RPR+ only.
NSF/SSO—MPLS LDP and LDP Graceful Restart in the NSF/SSO—MPLS LDP and LDP Graceful
Restart feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008029b285.html
NSF/SSO—MPLS VPN in the NSF/SSO—MPLS VPN feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00805ad34f.html
MPLS High Availability: Command Changes in the MPLS High Availability: Command Changes
feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00805ad151.html
Cisco Express Forwarding: Command Changes in the Cisco Express Forwarding: Command
Changes feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008029b100.html
MPLS—LDP MD5 Global Configuration in the MPLS—LDP MD5 Global Configuration feature
guide, located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a00805f24da.html
MPLS VPN—Explicit Null Label Support with BGP IPv4 Label Session in the MPLS
VPN—Explicit Null Label Support with BGP IPv4 Label Session feature guide, located at the
following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guides_list.html
Load Splitting IP Multicast Traffic—For more information about configuring native multicast load
splitting, see the configuration document located at the following URL:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00805a595a.html
Note You should not configure native multicast load splitting for PE devices running EIBGP as this
can result in a loss of traffic.
Multicast-VPN: Multicast Support for MPLS VPN in the Multicast VPN—IP Multicast Support for
MPLS VPNs feature guide, located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a008061128c.html
Nonstop Forwarding with Stateful Switchover (NSF/SSO) in the Cisco Nonstop Forwarding feature
guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a00801ce6f5.shtml
Pseudowire Emulation Edge-to-Edge MIBs for Ethernet and Frame Relay Services in the
Pseudowire Emulation Edge-to-Edge MIBs for Ethernet, Frame Relay, and ATM Services feature guide, located at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a00805f5112.html
RADIUS Server Load Balancing in the RADIUS Server Load Balancing feature guide, located at the
following URL:
http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a008063cffe.html
Scaling limits for L2TP tunnels in Scaling Enhancements in Cisco IOS Release 12.2(28)SB,
page 2-8
SSO—Multilink PPP (MLP) in the Stateful Switchover feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a00801ce6f9.shtml
Note In Cisco IOS Release 12.2(28)SB, the Cisco 10000 series supports Route Processor Redundancy
Plus (RPR+) and Stateful Switchover (SSO). However, for broadband aggregation features the Cisco 10000 series supports RPR+ only.
Template ACLs in Chapter 25, “Configuring Template ACLs”
Two-Rate Policer (also known as Dual Rate Three Color Policer) in the Cisco 10000 Series Router
Quality of Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Cisco IOS Release 12.2(28)SB Upgrade in the Upgrading to Cisco IOS Release 12.2(28)SB on a
Cisco 10000 Series Router, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_upgrade_guides09186a008059adee.html
New Features in Cisco IOS Release 12.3(7)XI7
The following features are new on the Cisco 10000 series router in Cisco IOS Release 12.3(7)XI7:
Dynamic Subscriber Bandwidth Selection in the Cisco 10000 Series Router Quality of Service
Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
L2TP Domain Screening, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00805a0782.html
Per Session Queuing and Shaping for PTA in the Cisco 10000 Series Router Quality of Service
Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Support for IP over Q-in-Q (IPoQ-in-Q)—IP packets that are double-tagged for Q-in-Q VLAN tag
termination on the subinterface level. For more information, see the PPPoE—QinQ Support feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html
VRF-Aware VPDN Tunnels, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080509f81.html
New Features in Cisco IOS Release 12.3(7)XI3
The following features are new on the Cisco 10000 series router in Cisco IOS Release 12.3(7)XI3:
PPPoE Circuit-Tag Processing in the PPPoE Profiles feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541b8.html
QoS: Broadband Aggregation Enhancements - Phase 1 (LAC QoS) in the Cisco 10000 Series Router
Quality of Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
New Features in Cisco IOS Release 12.3(7)XI2
The following features are new on the Cisco 10000 series router in Cisco IOS Release 12.3(7)XI2:
Define Interface Policy-Map AV Pairs AAA in the Cisco 10000 Series Router Quality of Service
Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Configuring atm pxf queuing, page 2-16 (scaling enhancements)
Dynamic ATM VP and VC Configuration Modification in the Cisco 10000 Series Router Quality of
Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Local Template-Based ATM PVC Provisioning, page 8-2
MQC Policy Map Support on Configured VC Range in the Cisco 10000 Series Router Quality of
Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
RADIUS Attribute 31: PPPoX Calling Station ID, page 16-51
Scaling Enhancements in Cisco IOS Release 12.3(7)XI2, page 2-7
Shaped UBR PVCs in the Cisco 10000 Series Router Quality of Service Configuration Guide,
located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
New Features in Cisco IOS Release 12.3(7)XI1
While some of the following features are supported on other releases on the Cisco 10000 series router, these features are new in Cisco IOS Release 12.3(7)XI1:
3-Color Policer in the Cisco 10000 Series Router Quality of Service Configuration Guide, located
at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
3-Level Hierarchical QoS Policies in the Cisco 10000 Series Router Quality of Service
Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN, page 4-1
Class-based Weighted Fair Queueing in the Cisco 10000 Series Router Quality of Service
Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Extended NAS-Port-Type and NAS-Port Support, page 16-44
Half-Duplex VRF, page 4-21
Hierarchical Shaping in the Cisco 10000 Series Router Quality of Service Configuration Guide,
located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
IEEE 802.1Q-in-Q VLAN Tag Termination in the PPPoE—QinQ Support feature guide, located at
the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html
Interface Oversubscription in the Cisco 10000 Series Router Quality of Service Configuration
Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
IP Receive ACLs, page 12-1
Configuring IP Unnumbered on IEEE 802.1Q VLANs, page 7-1
Configuring Local AAA Server, User Database—Domain to VRF, page 11-1
MPLS QoS in the Cisco 10000 Series Router Quality of Service Configuration Guide, located at the
following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
MPLS Traffic Engineering—Diffserv Aware in the Cisco 10000 Series Router Quality of Service
Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
MR-APS in Configuring Automatic Protection Switching, page 14-19
Percent-Based Policing in the Cisco 10000 Series Router Quality of Service Configuration Guide,
located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Per DSCP Weighted Random Early Detection in the Cisco 10000 Series Router Quality of Service
Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Per Precedence Weighted Random Early Detection Statistics in the Cisco 10000 Series Router
Quality of Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
PPPoE over Q-in-Q (PPPoEoQ-in-Q)—PPPoE packets that are double-tagged for Q-in-Q VLAN tag
termination on the subinterface level. For more information, see the PPPoE—QinQ Support feature guide, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html
RADIUS Packet of Disconnect, page 16-55
Scaling Enhancements in Cisco IOS Release 12.3(7)XI1, page 2-6
Time-Based ACLs, page 12-4
Variable Bit Rate Non-Real Time Oversubscription, page 8-14
VC Weighting in the Cisco 10000 Series Router Quality of Service Configuration Guide, located at
the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
Weighted Random Early Detection with Queue Limit in the Cisco 10000 Series Router Quality of
Service Configuration Guide, located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
CHAPTER 2
Scalability and Performance
The infrastructure of the service provider must be capable of supporting the services the enterprise customer or Internet service provider (ISP) wants to offer its subscribers. It must also be able to scale to an expanding subscriber base. You can configure the Cisco 10000 series router for high scalability.
This chapter discusses the following topics:
Line Card VC Limitations
Limitations and Restrictions
Scaling Enhancements in Cisco IOS Release 12.2(33)XNE
Scaling Enhancements in Cisco IOS Release 12.2(33)SB
Scaling Enhancements in Cisco IOS Release 12.3(7)XI1
Scaling Enhancements in Cisco IOS Release 12.3(7)XI2
Scaling Enhancements in Cisco IOS Release 12.2(28)SB
Configuring the Cisco 10000 Series Router for High Scalability
Using the RADIUS Attribute cisco-avpair="lcp:interface-config"
Using Full Virtual Access Interfaces
Preventing Full Virtual Access Interfaces
Line Card VC Limitations
The Cisco 10000 series router supports four ATM service categories for virtual circuits (VCs):
Constant Bit Rate (CBR)
Variable Bit Rate-nonreal-time (VBR-nrt)
Unspecified Bit Rate (UBR) with a peak cell rate (PCR), referred to as shaped UBR
UBR without a PCR, referred to as unshaped UBR
The segmentation and reassembly (SAR) mechanism configures priority and additional traffic management parameters for the various ATM service categories. Table 2-1 lists the priority levels the SAR sets for the service categories.
Table 2-1 ATM Service Categories
| Parameter | CBR | VBR-rt | VBR-nrt | Shaped UBR | Unshaped UBR |
|---|---|---|---|---|---|
| Priority | 0 | 1 | 2 | 3 | None |
The number of SAR priority levels and the service categories supported at each priority level vary from line card to line card. For example, the 1-port OC-12/STM-1 line card supports the four levels of priority and the service categories listed in Table 2-2, but the 4-port OC-3 line card supports only two levels of priority and the service categories listed in the table.
The ATM line cards support a maximum number of VCs per priority. That VC limit depends on the VC limit of the SAR (SAR limit) and the number of priority levels configured. Table 2-2 describes how to determine the VC limit per priority level per port for the specified line cards.
Table 2-2 Maximum Number of VCs per Priority
| ATM Line Card | SAR Priority Levels | VC Rate | Maximum Number of VCs per Priority |
|---|---|---|---|
| 1-Port OC-12/STM-1 | 0 = CBR VCs; 1 = VBR-rt VCs; 2 = VBR-nrt VCs; 3 = UBR VCs | Full line rate | SAR limit / 2 / number of priority levels. 4 priority system: 65,536 / 2 / 4 = 8192 VCs per priority level |
| | | Half line rate and below | SAR limit / number of priority levels. 4 priority system: 65,536 / 4 = 16,384 VCs per priority level |
| 4-Port OC-3 | 0 = CBR, VBR-nrt VCs; 1 = UBR VCs | Half line rate and below | SAR limit / number of PHYs / number of priority levels. 2 priority system: 65,536 / 4 / 2 = 8192 VCs per priority level per port |
| 8-Port E3/DS3 | 0 = CBR VCs; 0 = VBR-nrt VCs; 1 = UBR VCs | Half line rate and below | SAR limit / number of PHYs / number of priority levels. 2 priority system: 65,536 / 8 / 2 = 4096 VCs per priority level per port |
Configuring more channels or VCs than there are available priority locations can cause random channels or VCs to get stuck in the SAR. This occurs when an active channel tries to reschedule itself, but no priority locations are available. Therefore, the channel cannot find a place to reschedule itself, which results in a lost event for the channel, and the channel becomes stuck in the SAR.
On the PRE2, when a VC becomes stuck in the SAR, the PRE2 scheduler stops forwarding traffic on only the VC that is stuck in the SAR; the other VCs still carry traffic. On the PRE3, the PRE3 scheduler stops forwarding traffic on all the VCs configured on that ATM line card.
For example, suppose a 1-port OC-12 line card at full line rate is configured for four levels of priority and a 4-port OC-3 line card at half line rate is configured for two levels of priority. By calculating the maximum number of VCs as described in Table 2-2, you can configure 8192 VCs per priority level for the 1-port OC-12 and 8192 VCs per priority level per port for the 4-port OC-3—a total of 16,384 VCs per priority level per port. If the number of VCs you configure exceeds the VC limit, the VCs get stuck in the SAR.
Limitations and Restrictions
The Cisco 10000 series router has the following limitations and restrictions for scalability and performance:
When Layer 4 Redirect (L4R) service is applied without Port Bundle Host Key (PBHK) service, the translations are all done in the PXF, except for those translations that encounter a collision condition. A collision occurs when a subscriber has two simultaneous TCP connections whose source ports have the same modulo 64 result.
For example, the subscriber has an active TCP connection on source port 1026, and while this connection is still alive the subscriber starts another TCP connection on source port 1090. A collision is created because the modulo 64 result for both source ports (1026 and 1090) is 2. In this example, L4R translation for the first traffic stream is done in the PXF, and for the second TCP stream the packets are sent to the route processor (RP), where the L4R translation is done. This separation prevents collisions.
When the PBHK service is applied with L4R service, certain restrictions apply:
When the destination IP in any one of the access control entries of the PBHK ACL matches the redirected server IP address, then both L4R and PBHK translations are done in the RP.
When the destination IP address in the access control entries of the PBHK ACL does not match the redirect server IP address, then L4R translations are done in the PXF, and the packets that match the PBHK ACL are translated in the RP.
For configuration examples, see the “Layer 4 Redirect Scaling” section on page 2-5.
Certain restrictions apply on L4R translations for IP subnet sessions. If two subscribers send TCP traffic using the same source port, then L4R translation for the common port is done in the RP. However, if a group of IP subscribers in an IP subnet session send traffic on different source ports then L4R translations for all the subscribers are done in the PXF.
For permanent L4R service, you can scale up to the number of sessions listed in Table 2-3. Scaling beyond these sessions can lead to an increase in CPU usage that is beyond the recommended limits.
Table 2-3 Scaling Limit of L4R Sessions
Cisco IOS Release PRE2 PRE3 PRE4
12.2(31)SB 4000 4000
12.2(33)SB 4000 16000 16000
You can apply access control lists (ACLs) to virtual access interfaces (VAIs) by configuring them under virtual template interfaces. You can also configure ACLs by using RADIUS attribute 11 or 242. Prior to Cisco IOS Release 12.2(28)SB, when you used attribute 242, a maximum of 30,000 sessions could have ACLs; this restriction was removed in release 12.2(28)SB and subsequent releases.
For PRE2, the Cisco 10000 series router supports mini-ACLs (eight or fewer access control entries)
and turbo ACLs (more than eight access control entries) for non-SSG interfaces. The limit for mini-ACLs is 32,000. The limit for turbo ACLs depends on the complexity of the defined ACLs. For PRE3, the Cisco 10000 series router does not use mini-ACLs.
For SSG (RADIUS) configurations on PRE2, the following limitations apply:
For Cisco IOS Release 12.3(7)XI, ACLs defined through SSG configuration (RADIUS) are restricted to mini-ACLs only. Turbo ACLs cannot be used in combination with SSG and RADIUS. If you apply a Turbo ACL to an SSG session, the following syslog error is generated: “%C10K_ACLS-3-SSG_TURBO_ACL: acl is a Turbo ACL and cannot be used for SSG.”
Note If a mini-ACL is on the verge of becoming a turbo ACL (that is, the ACL contains eight access control entries), SSG redirection can cause the mini-ACL to become a turbo ACL. For Cisco IOS Release 12.3(7)XI, this change would also cause a syslog error to be generated as follows: “%C10K_ACLS-3-SSG_ACL_ERR: acl is miniACL but cannot have another punt rule added.”
The Cisco 10000 series router supports a maximum of 2,000 authentication, authorization, and accounting (AAA) method lists. If you configure more than 2,000 AAA method lists by using the aaa authentication ppp or aaa authorization network command, traceback messages appear on the console.
To avoid CPU overload and router instability, use the logging rate-limit command to limit the rate that the Cisco 10000 series router logs system messages. For more information, see the logging rate-limit command in the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_book09186a008017d0a2.html
The Cisco 10000 series router high-speed interfaces work efficiently to spread traffic flows equally
over the queues. However, using single traffic streams in a laboratory environment might result in less-than-expected performance. To ensure accurate test results, test the throughput of the Gigabit Ethernet, OC-48 POS, or ATM uplink with multiple source or destination addresses. To determine if traffic is being properly distributed, use the show pxf cpu queue command.
The Cisco 10000 series router supports a configuration file of up to 16 megabytes.
If you configure create on demand PVCs (individual and within a range) and PPP sessions, RP CPU
utilization can be extremely high when bringing up and tearing down sessions and PVCs. This usage is a concern only when the configuration contains approximately 30,000 PPP sessions, and additional services are enabled (such as DBS, ACLs, and service policies).
To reduce the RP CPU usage for PPPoA sessions, reduce the number of configured PVCs in a single subinterface. To reduce the RP CPU usage for PPPoEoA sessions, use call admission control (call admission limit command).
Scaling Enhancements in Cisco IOS Release 12.2(33)XNE
Starting with Cisco IOS Release 12.2(33)XNE, the microcode reload pxf command is generally available. When this command is executed in a scaled scenario, CPUHOG messages may appear as the IOS software populates the parallel express forwarding (PXF) plane with the information required to resume forwarding traffic as soon as possible. If there is a lot of information to be populated, especially when the configuration is scaled up, CPUHOG messages may not appear until all the information is populated.
Scaling Enhancements in Cisco IOS Release 12.2(33)SB
Cisco IOS Release 12.2(33)SB provides increased scalability for the Layer 4 Redirect feature.
Layer 4 Redirect Scaling
The Layer 4 Redirect feature allows redirection of users' TCP or UDP traffic to a server to control and increase performance. In Cisco IOS Release 12.2(33)SB, the ISG L4R feature is implemented in the PXF. This design increases the number of redirects to provide higher scalability and performance. This enhancement is a scalable solution for portals and self-provisioning and is supported on PRE3 and PRE4 only. On a PRE2, L4R translations are done in the RP.
PBHK translations are always done in the RP. The L4R feature is scalable when applied alone; however, certain scalability restrictions apply when it is used with PBHK. See also the “Limitations and Restrictions” section on page 2-3.
In Example 2-1, when the destination IP used in the PBHK ACL (162) matches the redirected server IP address, L4R translations are done in the RP.
Example 2-1 L4R Translations in the Route Processor
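! L4R: redirect TCP traffic matched by ACL 152 to the server 200.0.0.2
class-map type traffic match-any class-l4r
 match access-group input 152
policy-map type service ser-l4r
 class type traffic class-l4r
  redirect to ip 200.0.0.2
! PBHK: port-bundle traffic matched by ACL 162
ip portbundle
 match access-list 162
 source loopback 1
access-list 152 deny tcp any host 200.0.0.2
access-list 152 permit tcp any any
! PBHK ACL destination is the same address as the redirect server
access-list 162 permit tcp any host 200.0.0.2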
In Example 2-2, when the destination IP used in the PBHK ACL (162) is not the same as the redirected server IP address, L4R translations are done in the PXF.
Example 2-2 L4R Translations in PXF
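! L4R: redirect TCP traffic matched by ACL 152 to the server 210.0.0.2
class-map type traffic match-any class-l4r
 match access-group input 152
policy-map type service ser-l4r
 class type traffic class-l4r
  redirect to ip 210.0.0.2
! PBHK: port-bundle traffic matched by ACL 162
ip portbundle
 match access-list 162
 source loopback 1
access-list 152 deny tcp any host 200.0.0.2
access-list 152 permit tcp any any
! PBHK ACL destination differs from the redirect server address
access-list 162 permit tcp any host 200.0.0.2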
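The placement rules in this chapter (PRE2 versus PRE3 and PRE4, the PBHK ACL match against the redirect server, and the modulo 64 source-port collision from the “Limitations and Restrictions” section) can be checked against a configuration before it is deployed, so that RP load is not a surprise. The following Python sketch is an added example and is not Cisco code; its function names are hypothetical and the configurations are constructed from Example 2-1 and Example 2-2. It assumes that every entry of the PBHK ACL counts, that an `any` or wildcard destination covering the server counts as a match, and that the collision rule also applies when PBHK is configured but does not match.

```python
import ipaddress
import re

# Constructed configurations modelled on the page's Example 2-1 and Example 2-2.
L4R_ONLY = """\
class-map type traffic match-any class-l4r
 match access-group input 152
policy-map type service ser-l4r
 class type traffic class-l4r
  redirect to ip 200.0.0.2
access-list 152 deny tcp any host 200.0.0.2
access-list 152 permit tcp any any
"""
PBHK = """\
ip portbundle
 match access-list 162
 source loopback 1
access-list 162 permit tcp any host 200.0.0.2
"""
EXAMPLE_2_1 = L4R_ONLY + PBHK
EXAMPLE_2_2 = EXAMPLE_2_1.replace("redirect to ip 200.0.0.2",
                                  "redirect to ip 210.0.0.2")

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operand counts


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return it as an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    # Raises ValueError for non-contiguous wildcards, which this sketch does not model.
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def _skip_port_op(tokens):
    """Drop an optional source-port match such as 'eq 80' or 'range 1 1023'."""
    if tokens and tokens[0] in PORT_OPS:
        del tokens[: 1 + PORT_OPS[tokens[0]]]


def parse_l4r_config(text):
    """Return (redirect server addresses, destination networks of PBHK ACL entries)."""
    redirect_ips, pbhk_acls, acl_dests, section = set(), set(), {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            section = line                      # a top-level command opens a section
        if m := re.match(r"redirect to ip (\S+)", line):
            redirect_ips.add(ipaddress.ip_address(m.group(1)))
        elif (m := re.match(r"match access-list (\d+)", line)) and section == "ip portbundle":
            pbhk_acls.add(int(m.group(1)))
        elif m := re.match(r"access-list (\d+) (?:permit|deny) \S+ (.+)", line):
            number = int(m.group(1))
            if 100 <= number <= 199 or 2000 <= number <= 2699:   # extended ACLs only
                tokens = m.group(2).split()
                _take_addr(tokens)              # source address
                _skip_port_op(tokens)           # optional source port
                acl_dests.setdefault(number, []).append(_take_addr(tokens))
    dests = [net for acl in pbhk_acls for net in acl_dests.get(acl, [])]
    return redirect_ips, dests


def pbhk_hits_redirect_server(text):
    """True when any PBHK ACL entry's destination covers the redirect server."""
    redirect_ips, dests = parse_l4r_config(text)
    return any(ip in net for ip in redirect_ips for net in dests)


def place_translations(text, flows, pre="PRE3"):
    """Map simultaneous (subscriber, source_port) TCP flows, in arrival order,
    to the engine that performs the L4R translation: 'PXF' or 'RP'."""
    if pre == "PRE2" or pbhk_hits_redirect_server(text):
        return {flow: "RP" for flow in flows}
    # Assumption: the modulo 64 rule is applied whenever PBHK does not force the RP.
    in_use = set()                              # (subscriber, port % 64) already taken
    placement = {}
    for subscriber, port in flows:
        slot = (subscriber, port % 64)
        placement[(subscriber, port)] = "RP" if slot in in_use else "PXF"
        in_use.add(slot)
    return placement


if __name__ == "__main__":
    sample = [("sub-a", 1026), ("sub-a", 1090), ("sub-b", 1090)]   # constructed flows
    for name, cfg in (("Example 2-1", EXAMPLE_2_1), ("Example 2-2", EXAMPLE_2_2)):
        print(name, place_translations(cfg, sample))
```
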
For more information on configuring L4R, see the “Redirecting Subscriber Traffic Using ISG Layer 4 Redirect” chapter in the Cisco IOS Intelligent Service Gateway Configuration Guide, Release 12.2 SB at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_configuration_guide_chapter09186a0080630d65.html#wp1048970
For more information on configuring PBHK, see the “Configuring ISG Port-Bundle Host Key” chapter in the Cisco IOS Intelligent Service Gateway Configuration Guide, Release 12.2 SB at the following URL:
http://www.cisco.com/en/US/products/ps6566/products_configuration_guide_chapter09186a0080630d6c.html
Scaling Enhancements in Cisco IOS Release 12.3(7)XI1
Cisco IOS Release 12.3(7)XI1 provides increased limits with FIB scaling, policy-map scaling, and queue scaling.
FIB Scaling
The FIB is a routing table that is used to look up the next hop route for the destination IP address and the reverse path forwarding (RPF) route using the source IP address. The FIB Scaling feature implements the following changes:
Up to 1 million routes in the global FIB table are supported without MPLS VPN configuration.
Total number of virtual routing and forwarding instances (VRFs) supported is 4095.
Up to 100 routes per VRF with 4095 VRFs configured.
Up to 70 routes per VRF with 4095 VRFs configured, plus 200,000 global BGP routes.
Up to 600 routes per VRF with 1000 or fewer VRFs configured.
Policy-Map Scaling
The Policy-Map Scaling feature increases the system-wide number of quality of service (QoS) policy maps that you can configure. Depending on the complexity of your configuration, the Cisco 10000 series router supports up to 4096 policy maps. In complex configurations the maximum number of policy maps can be as small as a few hundred. Additionally, when you use percent-based policing in a service policy, the system may convert a single customer-configured service to multiple service policies (which count against the 4096 limit). The system uses one such service policy for each different speed interface that uses a service policy with percent-based policing.
Each policy-map command counts as one policy map and applying the same policy map on different speed interfaces also counts as an extra policy map. The policy-map command syntax is unchanged. The maximum number of classes that you can configure in a policy is 127.
Queue Scaling
The Queue Scaling feature increases the total number of queues that VTMS supports to 131,072. Of the total number, 254 queues are available for high speed interfaces, and 130,816 queues are available for low speed interfaces. This increase allows the support of the 31,500 priority queues (of 131,072 total queues) on 31,500 sessions or interfaces.
Each interface includes a class-default queue and a system queue. If you attach an output policy map with 1 priority queue and 1 class-based weighted fair queue (PQ/CBWFQ) to each of the 31,500 interfaces, the number of priority queues is 31,500 and the total number of queues is 31,500 x 4, or 126,000 queues.
The maximum number of queues per link remains at 32, of which 29 are user-configurable because there is 1 class-default queue, 1 system queue, and 1 reserved queue.
To support 131,072 queues, the queue limits range has changed. For high-speed interfaces (an interface that has a speed greater than 622 Mbps), the queue limit range is 128 to 65,536. For low-speed interfaces the queue limit range is 8 to 4,096. Because the total number of packet buffers for queue limits is 4,194,304, the average queue depth is less than or equal to 32 per queue with 131,072 queues configured.
On low-speed interfaces, the default queue size is 8 for all QoS CBWFQ queues, with the exception of WRED queues. The default queue size for WRED queues is 32.
The class-default queue size on low-speed interfaces has changed from 32 to 8. If the traffic is too bursty and packets drop, you can use the queue-limit command to increase the class-default queue size.
If you change the queue size for 131,072 queues while traffic is running, the queue size for a few queues might not be changed if packets were in the queues. An “out of resource” message can also appear. Use the queue-limit command to modify the queue size for those queues that were not changed.
The queue limits packet buffers can become fragmented after the queue sizes on 131,072 queues have been changed a few times. The system might indicate that there are not enough resources to increase queue size, even though there are enough free packet buffers. Removing and reapplying the policy map on the interfaces solves this problem.
Use the show pxf cpu queue summary command to see the number of packet buffers, packet buffers being recycled, and free packet buffers.
Scaling Enhancements in Cisco IOS Release 12.3(7)XI2
Cisco IOS Release 12.3(7)XI2 provides increased limits with queue scaling and VC scaling.
Queue Scaling
At least two queues are allocated for every interface or subinterface for which separate queues are created. The first queue is the default queue for normal traffic, and the second queue, known as the system queue, is used for a small amount of router-generated traffic that bypasses the normal drop mechanisms. For 32,000 VCs, this setup would require the allocation of a minimum of 64,000 queues. While Cisco IOS Release 12.3(7)XI1 adds support for up to 128,000 queues, a more effective use of these limited resources is realized by having the subinterfaces on a given main interface share the single system queue of the main interface.
In Cisco IOS Release 12.3(7)XI2, the subinterfaces on a given main interface share the single system queue of the main interface, which allows for 32,000 subinterfaces with a three-queue model that supports assured forwarding (AF) queues and expedited forwarding (EF) queues, in addition to the default best effort (BE) queues. Because a system queue does not exist for every subinterface, this setup frees up queues for a 4-queue model.
VC Scaling
When configured for hierarchical shaping, ATM line cards support the following number of VCs:
E3/DS3 line card supports a maximum of 4,096 VCs
OC-12 ATM line card supports a maximum of 16,384 VCs (previously 14,436)
OC-3 ATM line card supports a maximum of 8,191 VCs
Scaling Enhancements in Cisco IOS Release 12.2(28)SB
In Cisco IOS Release 12.2(28)SB, up to 16,384 L2TP tunnels are supported. Because of a limit on the number of VPDN groups supported, it is not possible to configure 16,384 tunnel definitions using the CLI. Configure the remaining tunnel definitions using RADIUS.
Configuring the Cisco 10000 Series Router for High Scalability
To ensure high scalability on the Cisco 10000 series router, perform the following configuration tasks:
Configuring Parameters for RADIUS Authentication
Configuring L2TP Tunnel Settings
VPDN Group Session Limiting
Disabling Cisco Discovery Protocol
Disabling Gratuitous ARP Requests
Configuring a Virtual Template Without Interface-Specific Commands
Monitoring PPP Sessions Using the SNMP Management Tools
SNMP Process and High CPU Utilization
CISCO-ATM-PVCTRAP-EXTN-MIB
Configuring the Trunk Interface Input Hold Queue
Configuring no atm pxf queuing
Configuring atm pxf queuing
Configuring keepalive
Enhancing Scalability of Per-User Configurations
Placing PPPoA Sessions in Listening Mode
Scaling L2TP Tunnel Configurations
Configuring Parameters for RADIUS Authentication
If your network uses a RADIUS server for authentication, set the small, middle, and big buffers by using the buffers command. Table 2-4 lists the buffer sizes to configure (and see Example 2-3).
Table 2-4 Buffer Sizes for RADIUS Authentication
Buffer    Size
Small     15000
Middle    12000
Big       8000
Example 2-3 Configuring Buffer Sizes
Router(config)# buffers small perm 15000
Router(config)# buffers mid perm 12000
Router(config)# buffers big perm 8000
Typically, if the RADIUS server is only a few hops away from the router, we recommend that you configure the RADIUS server retransmit and timeout rates by using the radius-server command. Table 2-5 lists the recommended settings (and see Example 2-4).
Table 2-5 RADIUS Server Parameters
Parameter                         Value
RADIUS Server Retransmit Rate     5
RADIUS Server Timeout Rate        15
Example 2-4 Configuring RADIUS Server Parameters
Router(config)# radius-server retransmit 5
Router(config)# radius-server timeout 15
Configuring L2TP Tunnel Settings
Configure an L2TP tunnel password using Cisco IOS Release 12.2(4)BZ1 or later. We recommend that you configure the L2TP tunnel parameters listed in Table 2-6 (and see Example 2-5, Example 2-6, and Example 2-7).
Table 2-6 L2TP Tunnel Settings
Parameter                         Setting
No Session Timeout                30
L2TP Tunnel Receive Window        100
L2TP Tunnel Retransmit Timeout    2 (minimum), 8 (maximum)
Note The No Session Timeout parameter indicates the length of time a tunnel persists when there are no sessions in the tunnel.
Example 2-5 Configuring an L2TP Tunnel Password
Router(config)# vpdn-group tunnel1
Router(config-if)# l2tp tunnel password 7
Example 2-6 Configuring the No Session Timeout Parameter
Router(config)# vpdn-group tunnel1
Router(config-if)# l2tp tunnel nosession-timeout 30
Example 2-7 Configuring the L2TP Tunnel Receive-Window and Retransmit Timeout Parameters
Router(config)# vpdn-group tunnel1
Router(config-if)# l2tp tunnel receive-window 100
Router(config-if)# l2tp tunnel retransmit timeout min 2
Router(config-if)# l2tp tunnel retransmit timeout max 8
VPDN Group Session Limiting
Before the VPDN Group Session Limiting feature was introduced in Cisco IOS software release 12.2(1)DX, you could only globally limit the number of VPDN sessions on a router, with limits applied equally to all VPDN groups. Using the VPDN Group Session Limiting feature, you can limit the number of VPDN sessions allowed per VPDN group. For more information, see the VPDN Group Session Limiting feature documentation, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a0080087ef2.html
Configuring the PPP Authentication Timeout
To keep the L2TP network server (LNS) from timing out a PPP authentication process, set the PPP Timeout parameter to 100, using the ppp timeout authentication command (Example 2-8).
Example 2-8 Configuring the PPP Authentication Timeout
Router(config)# interface Virtual-Template1
Router(config-if)# ppp timeout authentication 100
Disabling Cisco Discovery Protocol
To maximize scalability, do not enable the Cisco Discovery Protocol (CDP).
Note CDP is disabled by default.
Disabling Gratuitous ARP Requests
To maximize the performance of the router, disable gratuitous ARP requests, using the no ip gratuitous-arp command (Example 2-9).
Example 2-9 Disabling Gratuitous ARP Requests
Router(config)# no ip gratuitous-arp
Configuring a Virtual Template Without Interface-Specific Commands
If you configure a virtual template interface with interface-specific commands, the Cisco 10000 series router does not achieve the highest possible scaling. To verify that the router does not have interface-specific commands within the virtual template interface configuration, use the test virtual-template <number> subinterface command.
Including interface-specific commands in a virtual template can limit PPP session scaling. Table 2-7 lists the interface-specific commands that prevent the Cisco 10000 series router from attaining the highest possible PPP session scaling.
Table 2-7 Interface-Specific Commands That Prevent PPP Scaling
Command                   Function
access-expression         Builds a bridge Boolean access expression.
asp                       Asynchronous Port (ASP) subcommands.
autodetect                Autodetects encapsulations on serial interfaces.
bridge-group              Transparent bridging interface parameters.
bsc                       Binary Synchronous Communications (BSC) interface subcommands.
bstun                     Block Serial Tunnel (BSTUN) interface subcommands.
carrier-delay             Specifies delay for interface transitions.
cdp                       Cisco Discovery Protocol (CDP) interface subcommands.
clock                     Configures the serial interface clock.
compress                  Sets the serial interface for compression.
custom-queue-list         Assigns a custom queue list to an interface.
diffserv                  Differentiated Services (diffserv) for provisioning.
down-when-looped          Forces a looped serial interface down.
encapsulation             Sets the encapsulation type for an interface.
fair-queue                Enables fair queuing on an interface.
full-duplex               Configures full-duplex operational mode.
h323-gateway              Configures the H.323 Gateway.
half-duplex               Configures half-duplex and related commands.
help                      Provides a description of the interactive help system.
hold-queue                Sets the hold queue depth.
lan-name                  Specifies a name for the LAN that is attached to the interface.
lapb                      X.25 Level 2 parameters (Link Access Procedure, Balanced).
load-interval             Specifies the interval for load calculation for an interface.
locaddr-priority          Assigns a priority group.
logging                   Configures logging for an interface.
loopback                  Configures the internal loopback on an interface.
mac-address               Manually sets the MAC address for an interface.
max-reserved-bandwidth    Specifies the maximum reservable bandwidth on an interface.
mpoa                      Multiprotocol over ATM (MPOA) interface configuration commands.
multilink                 Configures multilink parameters.
multilink-group           Puts the interface in a multilink bundle.
netbios                   Defines Network Basic Input/Output System (NetBIOS) access list or enables name-caching.
ntp                       Configures the Network Time Protocol (NTP).
priority-group            Assigns a priority group to an interface.
qos pre-classify          Enables quality of service (QoS) preclassification.
random-detect             Enables weighted random early detection (WRED) on an interface.
roles                     Specifies roles (by entering roles mode).
sap-priority              Assigns a priority group.
sdlc                      Configures Synchronous Data Link Control (SDLC) to Logical Link Control type 2 (LLC2) translation.
serial                    Serial interface commands.
snmp                      Modifies Simple Network Management Protocol (SNMP) interface parameters.
source                    Gets the configuration from another source.
stun                      Serial Tunnel (STUN) interface subcommands.
transmit-interface        Assigns a transmit interface to a receive-only interface.
trunk-group               Configures an interface to be in a trunk group.
tx-ring-limit             Limits the number of particles or packets that can be used on a transmission ring on an interface.
In Example 2-10, the output of the test virtual-template <number> subinterface command indicates that the interface-specific command carrier-delay is set.
Example 2-10 Verifying Interface-Specific Commands in the Virtual Template
Router(config)# test virtual-template 11 subinterface
Subinterfaces cannot be created using Virtual-Template11
Interface specific commands:
carrier-delay 45
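The same check can be run offline against a saved configuration before it is deployed. The following is an added example, not Cisco code: it scans every Virtual-Template block for commands named in Table 2-7. The function names and the sample configuration are constructed for illustration.

```python
import re

# Commands from Table 2-7 on this page. The page states that each of these,
# when configured under a virtual template, prevents the highest PPP scaling.
INTERFACE_SPECIFIC = (
    "access-expression", "asp", "autodetect", "bridge-group", "bsc", "bstun",
    "carrier-delay", "cdp", "clock", "compress", "custom-queue-list",
    "diffserv", "down-when-looped", "encapsulation", "fair-queue",
    "full-duplex", "h323-gateway", "half-duplex", "help", "hold-queue",
    "lan-name", "lapb", "load-interval", "locaddr-priority", "logging",
    "loopback", "mac-address", "max-reserved-bandwidth", "mpoa", "multilink",
    "multilink-group", "netbios", "ntp", "priority-group", "qos pre-classify",
    "random-detect", "roles", "sap-priority", "sdlc", "serial", "snmp",
    "source", "stun", "transmit-interface", "trunk-group", "tx-ring-limit",
)
_TABLE = [cmd.split() for cmd in INTERFACE_SPECIFIC]
_TEMPLATE_RE = re.compile(r"^interface\s+Virtual-Template\s*(\d+)\s*$", re.IGNORECASE)


def audit_virtual_templates(config_text):
    """Map each Virtual-Template in a saved config to its Table 2-7 lines."""
    findings = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Any line at column 0 ("!" or a new command) ends the previous
            # interface block; only Virtual-Template blocks are tracked.
            match = _TEMPLATE_RE.match(raw)
            current = "Virtual-Template" + match.group(1) if match else None
            if current:
                findings.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = raw.split()
        # Assumption: negated forms ("no cdp enable") are reported as well,
        # because the page does not say whether they count. Review them by hand.
        if tokens[0] == "no":
            tokens = tokens[1:]
        # Whole-token prefix match, so "ppp multilink" is not confused with
        # the "multilink" command and "qos pre-classify" needs both words.
        if any(tokens[:len(cmd)] == cmd for cmd in _TABLE):
            findings[current].append(raw.strip())
    return findings


def templates_needing_cleanup(findings):
    """Names of templates that contain at least one Table 2-7 command."""
    return sorted(name for name, lines in findings.items() if lines)


# Constructed sample: Virtual-Template1 follows Example 2-14 and
# Virtual-Template11 reproduces the carrier-delay case from Example 2-10.
SAMPLE_CONFIG = """\
interface Virtual-Template1
 ip unnumbered Loopback1
 keepalive 30
 no peer default ip address
 ppp authentication pap
!
interface Virtual-Template11
 ip unnumbered Loopback1
 carrier-delay 45
 no cdp enable
 ppp multilink
!
interface GigabitEthernet1/0/0
 hold-queue 4096 in
"""

if __name__ == "__main__":
    for name, lines in audit_virtual_templates(SAMPLE_CONFIG).items():
        print(name, "->", lines or "no interface-specific commands")
```

The router's own test virtual-template <number> subinterface output remains the authoritative check; the script only narrows down which templates to test.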
Monitoring PPP Sessions Using the SNMP Management Tools
To prevent the virtual-access subinterfaces from being registered with the SNMP functionality of the router and using memory, do not use the router’s SNMP management tools to monitor PPP sessions. Use the no virtual-template snmp command to disable the SNMP management tools (Example 2-11).
Example 2-11 Preventing SNMP Registration of Virtual-Access Subinterfaces
Router(config)# no virtual-template snmp
SNMP Process and High CPU Utilization
Network management applications retrieve information from devices by using SNMP. If a user application polls the SNMP MIBs while the router is updating its routing table, the SNMP engine process can cause CPU HOG messages to appear and sessions and tunnels to go down until the process releases the CPU.
For information about how to avoid high CPU utilization by an SNMP process, see the IP Simple Network Management Protocol (SNMP) Causes High CPU Utilization Tech Note, located at the following URL:
http://www.cisco.com/warp/public/477/SNMP/ipsnmphighcpu.shtml#polling
CISCO-ATM-PVCTRAP-EXTN-MIB
The Cisco 10000 series router does not support the CISCO-ATM-PVCTRAP-EXTN-MIB for large numbers of permanent virtual circuits (for example, 32,000 PVCs). To exclude the CISCO-ATM-PVCTRAP-EXTN-MIB from the Simple Network Management Protocol (SNMP) view and enhance scalability, configure the following commands in global configuration mode:
Step 1
Command: Router(config)# snmp-server view view-name oid-tree included
Purpose: Creates or updates a view entry.
The view-name argument is a label for the view record that you are updating or creating. The name is used to reference the record.
The oid-tree argument is the object identifier of the ASN.1 subtree to be included in the view. Specify a valid oid-tree from where you want to poll the information.
The included argument configures the OID (and subtree OIDs) specified in the oid-tree argument to be included in the SNMP view.
Step 2
Command: Router(config)# snmp-server view view-name ciscoAtmPvcTrapExtnMIB excluded
Purpose: Configures the CISCO-ATM-PVCTRAP-EXTN-MIB OID (and subtree OIDs) to be explicitly excluded from the SNMP view. You must specify the oid-tree as shown in the command line.
The view-name argument must match the view-name you specified in step 1.
Step 3
Command: Router(config)# snmp-server community string [view view-name] [ro | rw] [access-list-number]
Purpose: Sets up the community access string to permit access to SNMP.
The string argument is a community string that acts like a password and permits access to the SNMP protocol.
The view-name argument must match the view-name you specified in step 1.
Example 2-12 shows how to create or modify the SNMP view named myview to include the information polled from the Internet oid-tree and to exclude the CISCO-ATM-PVCTRAP-EXTN-MIB oid-tree. The community access string named private is set up and access to SNMP is read-only (ro) access.
Example 2-12 Excluding CISCO-ATM-PVCTRAP-EXTN-MIB from the SNMP View
Router(config)# snmp-server view myview internet included
Router(config)# snmp-server view myview ciscoAtmPvcTrapExtnMIB excluded
Router(config)# snmp-server community private view myview ro
For more information about the snmp-server view and snmp-server community commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3, located at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_book09186a008017d0a2.html
Configuring the Trunk Interface Input Hold Queue
To ensure high scalability, set the trunk interface input hold queue to a high value (Example 2-13).
Note The default value for the OC-12 ATM line card trunk interface input hold queue is 27230. Cisco laboratory tests have shown this setting to result in the highest scalability for the OC-12 ATM line card. We recommend that you not change the default setting.
Example 2-13 Setting the Trunk Interface Input Hold Queue
Router(config)# interface gig1/0/0
Router(config-if)# hold-queue 4096 in
Configuring no atm pxf queuing
Note We do not recommend using this mode for QoS-sensitive deployments.
Configuring the no atm pxf queuing command on each port of the Cisco 10000 series router enables the router to support a high number of VCs. PPPoA supports one session per VC and requires that you enable no atm pxf queuing to support 32,000 PPPoA sessions. Enabling no atm pxf queuing is not required for L2TP, and might not be required for PPPoE, because you can have 32,000 sessions on a single VC.
The Cisco 10000 series router supports three ATM traffic classes when you configure no atm pxf queuing: unshaped UBR (no PCR is specified), shaped UBR (PCR is specified), and VBR-nrt. To configure an unspecified bit rate (UBR) quality of service (QoS) and specify the output peak cell rate (PCR), use the ubr command in the appropriate configuration mode. In ATM VC configuration mode, the syntax is:
Router(config-if-atm-vc)# ubr output-pcr
If you do not specify a PCR, unshaped UBR is configured.
To configure the variable bit rate-nonreal-time (VBR-nrt) QoS, use the vbr-nrt command in the appropriate configuration mode and specify the output PCR, output sustainable cell rate (SCR), and the output maximum burst cell size (MBS) for a VC class. Note that if the PCR and SCR values are equal, the MBS value is 1.
vbr-nrt output-pcr output-scr output-mbs
Note Before you configure VCs on an interface, configure the atm pxf queuing mode for the port (atm pxf queuing or no atm pxf queuing). After you configure the mode, then configure the VCs. Do not change the mode while VCs are configured on the interface. If you need to change the mode, delete the VCs first and then change the mode. Changing the mode while VCs are configured can produce undesired results, and the change will not take effect until the next router reload.
Configuring atm pxf queuing
The Cisco 10000 series router supports two ATM traffic classes when you configure atm pxf queuing: unshaped UBR and VBR-nrt. When you specify an output PCR for an unshaped UBR class, the Cisco 10000 series router accepts the PCR. However, the router does not use the PCR value and it does not notify you of this omission.
For information about configuring the traffic classes, see the “Configuring no atm pxf queuing” section.
Note Before you configure VCs on an interface, configure the atm pxf queuing mode for the port (atm pxf queuing or no atm pxf queuing). After you configure the mode, then configure the VCs. Do not change the mode while VCs are configured on the interface. If you need to change the mode, delete the VCs first and then change the mode. Changing the mode while VCs are configured can produce undesired results.
Table 2-8 lists the number of active VCs the ATM line cards support in atm pxf queuing mode for Cisco IOS Release 12.3(7)XI2 or later releases.
Table 2-8 Active VCs on ATM Line Cards
Line Card    Maximum VCs per Port          Maximum VCs per Module    No. VBR, CBR, Shaped UBR VCs
E3/DS3       4,096                         32,768 [1]                28,672 [2]
OC-3         8,191                         32,764 [3]                28,672 [4]
OC-12        16,384 (previously 14,436)    16,384                    16,384
1. For 32,768 VCs per module, 4096 of them must be unshaped UBR VCs.
2. For 28,672 VBR, CBR, and shaped UBR VCs, no VCs can be in shaped VP tunnels. If VCs are in shaped VPs, the number of VBR, CBR, and shaped UBR VCs is 22,204.
3. For 32,764 VCs per module, 4096 of them must be unshaped UBR VCs.
4. For 28,672 VBR, CBR, and shaped UBR VCs, no VCs can be in shaped VP tunnels. If VCs are in shaped VPs, the number of VBR, CBR, and shaped UBR VCs is 22,204.
You can configure the maximum number of VCs across the ports in any fashion, provided that you do not exceed the per-port maximum.
Although the maximum number of VBR, CBR, and shaped UBR VCs per E3/DS3 and OC-3 ATM line card is 28,672 VCs, the router supports a maximum of 22,204 VBR, CBR, and shaped UBR VCs per line card that you can place within virtual path (VP) tunnels. If you attempt to bring up more than 22,204 VCs in a configuration that includes VP tunnels and VCs (hierarchical traffic shaping configuration), the VCs might not assign traffic correctly or the VCs might not come up at all. Be sure to limit the number of configured VBR, CBR, and shaped UBR VCs on an ATM card to less than 22,204 VCs if you place the VCs in VP tunnels.
For the OC-12 ATM line card, the router supports 16,384 VCs in VP tunnels.
Configuring keepalive
The keepalive command sets the keepalive timer for a specific interface. To ensure proper scaling and to minimize CPU utilization, set the timer for 30 seconds or longer (Example 2-14). The default value is 10 seconds.
Example 2-14 Configuring keepalive for a Virtual Template Interface
interface Virtual-Template1
 ip unnumbered Loopback1
 keepalive 30
 no peer default ip address
 ppp authentication pap
Enhancing Scalability of Per-User Configurations
To enhance scalability of per-user configurations without changing the router configuration, use the ip:vrf-id and ip:ip-unnumbered RADIUS attributes. These per-user vendor specific attributes (VSAs) are used to map sessions to VRFs and IP unnumbered interfaces. The VSAs apply to virtual access subinterfaces and are processed during PPP authorization.
In releases earlier than Cisco IOS Release 12.2(16)BX1, the lcp:interface-config RADIUS attribute is used to map sessions to VRFs. This per-user VSA applies to any type of interface configuration, including virtual access interfaces. Valid values of this VSA are essentially any valid Cisco IOS interface command; however, not all Cisco IOS commands are supported on virtual access subinterfaces. To accommodate the requirements of the lcp:interface-config VSA, the per-user authorization process forces the Cisco 10000 series router to create full virtual access interfaces, which consume more memory and are less scalable.
In Cisco IOS Release 12.2(16)BX1 and later releases, the ip:vrf-id attribute is used to map sessions to VRFs. Any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install IP configurations on the virtual access interface that is to be created. PPP that is used on a virtual access interface to be created requires the ip:ip-unnumbered VSA. An Internet Protocol Control Protocol (IPCP) session is not established if IP is not configured on the interface. You must configure either the ip address command or the ip unnumbered command on the interface so that these configurations are present on the virtual access interface that is to be created. However, specifying the ip address and ip unnumbered commands on a virtual template interface is not required because any pre-existing IP configurations are removed when the ip:ip-vrf VSA is installed on the virtual access interface. Therefore, any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install IP configurations on the virtual access interface that is to be created.
These per-user VSAs can be applied to virtual access subinterfaces; therefore, the per-user authorization process does not require the creation of full virtual access interfaces, which improves scalability.
Setting VRF and IP Unnumbered Interface Configurations in User Profiles
Although the Cisco 10000 series router continues to support the lcp:interface-config VSA, the ip:vrf-id and ip:ip-unnumbered VSAs provide another way to set the VRF and IP unnumbered interface configurations in user profiles. The ip:vrf-id and ip:ip-unnumbered VSAs have the following syntax:
Cisco:Cisco-AVpair = “ip:vrf-id=vrf-name”
Cisco:Cisco-AVpair = “ip:ip-unnumbered=interface-name”
You should specify only one ip:vrf-id and one ip:ip-unnumbered value in a user profile. However, if the profile configuration includes multiple values, the Cisco 10000 series router applies the value of the last VSA received, and creates a virtual access subinterface. If the profile includes the lcp:interface-config VSA, the router always applies the value of the lcp:interface-config VSA, and creates a full virtual access interface.
In Cisco IOS Release 12.2(15)BX, when you specify a VRF in a user profile, but do not configure the VRF on the Cisco 10000 series router, the router accepts the profile. However, in Cisco IOS Release 12.2(16)BX1 and later releases, the router rejects the profile.
Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template
You can specify one VSA value in the user profile on RADIUS and another value locally in the virtual template interface. The Cisco 10000 series router clones the template and then applies the values configured in the profiles it receives from RADIUS, resulting in the removal of any IP configurations when the router applies the profile values.
Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs
The requirement of a full virtual access interface when using the lcp:interface-config VSA in user profiles can result in scalability issues such as increased memory consumption. This situation is especially true when the Cisco 10000 series router attempts to apply a large number of per-user profiles that include the lcp:interface-config VSA. Therefore, when updating your user profiles, we recommend that you redefine the lcp:interface-config VSA to the scalable ip:vrf-id and ip:ip-unnumbered VSAs.
Example 2-15 shows how to redefine the VRF named newyork using the ip:vrf-id VSA.
Example 2-15 Redefining VRF Configurations
Change: Cisco:Cisco-Avpair = “lcp:interface-config=ip vrf forwarding newyork”
To: Cisco:Cisco-Avpair = “ip:vrf-id=newyork”
Example 2-16 shows how to redefine the Loopback 0 interface using the ip:ip-unnumbered VSA.
Example 2-16 Redefining IP Unnumbered Interfaces
Change: Cisco:Cisco-Avpair = “lcp:interface-config=ip unnumbered Loopback 0”
To: Cisco:Cisco-Avpair = “ip:ip-unnumbered=Loopback 0”
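When many user profiles need the redefinition shown in Example 2-15 and Example 2-16, the rewrite and the profile rules from this section can be applied in bulk. The following is an added example, not Cisco code: the function names, warning codes and sample profiles are constructed, and it assumes each Cisco-AVpair value carries a single interface command.

```python
import re

# The two rewrites shown in Example 2-15 and Example 2-16.
_VRF_RE = re.compile(
    r"^lcp:interface-config=\s*ip vrf forwarding\s+(\S+)\s*$", re.IGNORECASE)
_UNNUM_RE = re.compile(
    r"^lcp:interface-config=\s*ip unnumbered\s+(\S.*?)\s*$", re.IGNORECASE)


def rewrite_avpair(value):
    """Return the scalable VSA for one Cisco-AVpair value, or the value unchanged."""
    # Assumption: a value that chains several commands with a newline or a
    # literal "\n" is left alone so that it is reviewed by hand.
    if "\n" in value or "\\n" in value:
        return value
    match = _VRF_RE.match(value)
    if match:
        return "ip:vrf-id=" + match.group(1)
    match = _UNNUM_RE.match(value)
    if match:
        return "ip:ip-unnumbered=" + match.group(1)
    return value


def migrate_profile(avpairs, configured_vrfs=None):
    """Rewrite one profile's AVpair values and check them against this section."""
    new = [rewrite_avpair(v) for v in avpairs]
    leftover = [v for v in new if v.lower().startswith("lcp:interface-config=")]
    vrfs = [v.split("=", 1)[1] for v in new if v.startswith("ip:vrf-id=")]
    unnumbered = [v.split("=", 1)[1] for v in new if v.startswith("ip:ip-unnumbered=")]

    warnings = []
    if leftover:
        # Any remaining lcp:interface-config forces a full virtual access interface.
        warnings.append(("full-vai", leftover))
    if vrfs and not unnumbered:
        # A profile that uses ip:vrf-id must also use ip:ip-unnumbered.
        warnings.append(("missing-ip-unnumbered", vrfs))
    if len(vrfs) > 1:
        # Only the last VSA received is applied by the router.
        warnings.append(("multiple-vrf-id", vrfs[-1]))
    if len(unnumbered) > 1:
        warnings.append(("multiple-ip-unnumbered", unnumbered[-1]))
    if configured_vrfs is not None:
        # 12.2(16)BX1 and later reject a profile naming an unconfigured VRF.
        missing = [v for v in vrfs if v not in configured_vrfs]
        if missing:
            warnings.append(("unknown-vrf", missing))
    return new, warnings


# Constructed sample profiles (user names and the boston VRF are invented).
SAMPLE_PROFILES = {
    "alice": ["lcp:interface-config=ip vrf forwarding newyork",
              "lcp:interface-config=ip unnumbered Loopback 0"],
    "bob": ["lcp:interface-config=ip vrf forwarding newyork"],
    "carol": ["ip:vrf-id=boston", "ip:ip-unnumbered=Loopback 0",
              "lcp:interface-config=carrier-delay 45"],
}

if __name__ == "__main__":
    for user, pairs in SAMPLE_PROFILES.items():
        print(user, migrate_profile(pairs, configured_vrfs={"newyork"}))
```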
Placing PPPoA Sessions in Listening Mode
For better scalability and faster convergence of PPPoA, PPPoEoA, or LAC sessions, set sessions to passive mode, using the atm pppatm passive command in ATM subinterface configuration mode. This command places PPP or L2TP sessions on an ATM subinterface into listening mode. For large-scale PPP terminated aggregation (PPPoA and PPPoEoA) and L2TP (LAC), the atm pppatm passive command is required.
Instead of sending out Link Control Protocol (LCP) packets to establish the sessions actively, the sessions listen to the incoming LCP packets and become active only after they receive their first LCP packet. When PPPoX is in passive mode, the LAC brings up the sessions only when the subscribers become active and does not waste processing power polling all the sessions.
The following example configures passive mode for the PPPoA sessions on an ATM multipoint subinterface:
Router(config)# interface atm 1/0.1 multipoint
Router(config-subif)# atm pppatm passive
Router(config-subif)# range range-pppoa-1 pvc 100 199
Router(config-subif-atm-range)# encapsulation aal5mux ppp virtual-template 1
Scaling L2TP Tunnel Configurations
To prevent head-of-the-line blocking of the IP input process and save system resources, configure the following command in global configuration mode:
Router(config)# vpdn ip udp ignore checksum
When you configure this command, the router directly queues L2TP Hello packets and Hello acknowledgements to the L2TP control process. We recommend that you configure this command in all scaled LAC and LNS L2TP tunnel configurations.
If you do not configure the vpdn ip udp ignore checksum command, the L2TP software sends the packet to UDP to validate the checksum. When too many packets are queued to the IP input process, the router starts selective packet discard (SPD), which causes IP packets to be dropped.
Note Head-of-the-line blocking of the IP input process might occur in other non-L2TP configurations. A flush occurring on an input interface indicates that SPD is discarding packets.
Using the RADIUS Attribute cisco-avpair="lcp:interface-config"
When you use the lcp:interface-config RADIUS attribute to reconfigure the virtual-access subscriber interface, scaling on the Cisco 10000 series router decreases for the following reasons:
The lcp:interface-config command syntax includes an IOS interface configuration command. This command is any valid IOS command that can be applied to an interface. When the lcp:interface-config attribute is downloaded from the RADIUS server to the Cisco 10000 series router, the command parser is activated to configure the interface as per AV-pair, determining if the option is valid and then applying the configuration to the virtual access interface (VAI).
The lcp:interface-config command forces the Cisco 10000 series router to create full VAIs instead of subinterface VAIs. Full VAIs consume more memory and are less scalable, and they follow a significantly slower and different path when sessions are established.
The lcp:interface-config command degrades the call rate.
To enhance the scalability of per-user configurations, in many cases different Cisco AV-pairs are available to place the subscriber interface in a virtual routing and forwarding (VRF) instance or to apply a policy map to the session. For example, use the ip:vrf-id and ip:ip-unnumbered VSAs to reconfigure the user’s VRF. For more information, see the “Enhancing Scalability of Per-User Configurations” section.
Using Full Virtual Access Interfaces
A virtual access interface (VAI) is an interface that is dynamically created to terminate PPP subscribers. The Cisco router indicates full VAIs using a notation similar to Virtual-Access6 (without a .number suffix).
Note For Cisco IOS Release 12.3(7)XI and later releases, the router does not support the use of full VAIs for broadband interfaces due to the scaling implications full VAIs have.
In general, the router creates full VAIs for one or more of the following reasons:
Virtual template interface-specific configuration
Some Cisco IOS configuration commands configured under the virtual template, such as the carrier-delay command, can force the router to create a full VAI. You can use the test command to determine the interface-specific configuration under the virtual template that triggered the full VAI.
RADIUS attribute lcp:interface-config
Global configuration no virtual-template subinterface command
Preventing Full Virtual Access Interfaces
The lcp:interface-config RADIUS attribute is used to reconfigure the subscriber interface. To accommodate the requirements of this attribute, the per-user authorization process forces the router to create full VAIs.
Cisco IOS Release 12.2(31)SB2, Release 12.2(28)SB6, and later releases include an enhancement that allows you to use the lcp:interface-config attribute while preserving virtual access subinterfaces. You can achieve this behaviour in the following ways:
Entering the following command in global configuration mode to preserve virtual access subinterfaces:
Router(config)# aaa policy interface-config allow-subinterface
Sending a Cisco attribute-value pair (AV-pair) in the user’s profile on the RADIUS server:
cisco-avpair="lcp:interface-config allow-subinterface=yes"
When you use the aaa policy interface-config allow-subinterface command, the router does not allow you to reconfigure the router using any commands that interact with the interface’s hardware interface descriptor block (HWIDB), for example, the compression command.
When you use the lcp:interface-config attribute, sessions are not established if the sessions receive the attribute and the attribute reconfigures the HWIDB for the virtual access interface (VAI).
When the allow-subinterface=yes option is used in the Cisco AV-pair or the aaa policy interface-config allow-subinterface command is set, enter the following command to verify the condition for which a full VAI reconfiguration is required:
Router# debug sss feature-name interface-config {error | event}
In general, for interface reconfiguration, use the dedicated Cisco vendor specific attributes (VSAs). For example, use Cisco-Policy-Up or Cisco-Policy-Down, or ip:vrf-id instead of lcp:interface-config. Alternatively, when no dedicated Cisco AV-pair is present, use lcp:interface-config with the allow-subinterface=yes option, or the aaa policy interface-config allow-subinterface command to preserve VAI subinterfaces (for example, to enable multicast on the subscriber interface).
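The guidance in this section, turned into an audit of RADIUS user profiles, as an added example that is not part of the Cisco guide. The users and the profile layout are constructed; the lcp:interface-config=<command> value form with a literal \n between commands, and the "compress" prefix used to spot the compression command, are assumptions.

```python
import re

# Constructed sample profiles. The layout (user name at column 0, indented
# cisco-avpair lines) is an assumption; adapt parse_profiles() to your server.
SAMPLE_PROFILES = r'''
alice@vpn1
    cisco-avpair = "lcp:interface-config=ip vrf forwarding vpn1\nip unnumbered Loopback1"
bob@vpn2
    cisco-avpair = "ip:vrf-id=vpn2"
    cisco-avpair = "ip:ip-unnumbered=Loopback2"
carol@vpn3
    cisco-avpair = "lcp:interface-config allow-subinterface=yes"
    cisco-avpair = "lcp:interface-config=ip pim sparse-mode"
dave@vpn3
    cisco-avpair = "lcp:interface-config=ip pim sparse-mode"
erin@vpn4
    cisco-avpair = "lcp:interface-config allow-subinterface=yes"
    cisco-avpair = "lcp:interface-config=compress stac"
'''

AVPAIR_RE = re.compile(r'cisco-avpair\s*=\s*"([^"]*)"', re.IGNORECASE)
ALLOW_SUBIF = "lcp:interface-config allow-subinterface=yes"  # form shown in the guide
LCP_PREFIX = "lcp:interface-config="                         # assumed value form
# Commands that touch the HWIDB. The guide names only the compression command;
# the "compress" prefix is an assumption, extend the tuple for your platform.
HWIDB_PREFIXES = ("compress",)
# Interface commands for which the guide names a dedicated, scalable VSA.
DEDICATED_VSA = [
    (re.compile(r"^ip vrf forwarding (\S+)$", re.I), "ip:vrf-id={}"),
    (re.compile(r"^ip unnumbered (\S+(?: \d+)?)$", re.I), "ip:ip-unnumbered={}"),
]


def parse_profiles(text):
    """Return {user: [av-pair value, ...]} from the constructed layout."""
    profiles, user = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():          # unindented line starts a new user
            user = raw.strip()
            profiles[user] = []
            continue
        match = AVPAIR_RE.search(raw)
        if match and user is not None:
            profiles[user].append(match.group(1).strip())
    return profiles


def classify(cmd, allow_subif):
    """Map one pushed interface command to (verdict, advice)."""
    for pattern, vsa in DEDICATED_VSA:
        match = pattern.match(cmd)
        if match:
            return "use-dedicated-vsa", vsa.format(match.group(1).replace(" ", ""))
    if cmd.lower().startswith(HWIDB_PREFIXES):
        if allow_subif:
            return "session-fails", "HWIDB command with allow-subinterface: session is not established"
        return "full-vai", "HWIDB command: forces a full VAI"
    if allow_subif:
        return "ok", "subinterface preserved"
    return "full-vai", "add allow-subinterface=yes or the aaa policy command"


def audit(text, global_allow_subinterface=False):
    """List (user, command, verdict, advice) for every lcp:interface-config command.

    global_allow_subinterface models a router configured with
    'aaa policy interface-config allow-subinterface'.
    """
    findings = []
    for user, pairs in parse_profiles(text).items():
        allow = global_allow_subinterface or any(p.lower() == ALLOW_SUBIF for p in pairs)
        for pair in pairs:
            if not pair.lower().startswith(LCP_PREFIX):
                continue
            # A literal backslash-n separates several commands in one AV-pair.
            for cmd in pair[len(LCP_PREFIX):].split("\\n"):
                cmd = " ".join(cmd.split())
                if cmd:
                    findings.append((user, cmd) + classify(cmd, allow))
    return findings


if __name__ == "__main__":
    for user, cmd, verdict, advice in audit(SAMPLE_PROFILES):
        print(f"{user:12} {verdict:18} {cmd!r}: {advice}")
```

Any command pushed through lcp:interface-config runs through the router's command parser, so the same scan doubles as a review of which interface commands the RADIUS server is allowed to apply to subscriber sessions.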
CHAPTER 3
Configuring Remote Access to MPLS VPN
The Cisco 10000 series router supports the IP virtual private network (VPN) feature for Multiprotocol Label Switching (MPLS). MPLS-based VPNs allow service providers to deploy a scalable and cost-effective VPN service that provides a stable and secure path through the network. An enterprise or Internet service provider (ISP) can connect to geographically dispersed sites through the service provider’s network. Using the MPLS backbone, a set of sites are interconnected to create an MPLS VPN.
The remote access (RA) to MPLS VPN feature on the Cisco 10000 series router allows the service provider to offer a scalable end-to-end VPN service to remote users. The RA to MPLS VPN feature integrates the MPLS-enabled backbone with broadband access capabilities. By integrating access VPNs with MPLS VPNs, a service provider can:
Enable remote users and offices to seamlessly access their corporate networks
Offer equal access to a set of different ISPs or retail service providers
Integrate their broadband access networks with the MPLS-enabled backbone
Provide an end-to-end VPN service to enterprise customers with remote access users and offices
Separate network access and connectivity functions from ISP functions
The RA to MPLS VPN feature is described in the following topics:
MPLS VPN Architecture
Access Technologies
Feature History for RA to MPLS VPN
Restrictions for RA to MPLS VPN
Prerequisites for RA to MPLS VPN
Configuration Tasks for RA to MPLS VPN
Verifying VPN Operation
Configuration Examples for RA to MPLS VPN
Monitoring and Maintaining an MPLS Configuration
Monitoring and Maintaining the MPLS VPN
Monitoring and Maintaining PPPoX to MPLS VPN
Monitoring and Maintaining RBE to MPLS VPN
MPLS VPN Architecture
The MPLS VPN architecture enables the service provider to build the MPLS VPN network one time and add VPNs for new customers as needed, including them in the already established network. The elements that comprise the MPLS VPN are:
Customer edge (CE) routers—The CPE devices to which subscribers in a customer’s network connect. The CE router connects to a service provider’s edge router (PE router). The CE router initiates the remote access session to the PE router.
Provider edge (PE) routers—The router, such as the Cisco 10000 series router, located at the edge of the service provider’s MPLS core network. The PE router connects to one or more CE routers and has full knowledge of the routes to the VPNs associated with those CE routers. The PE router does not have knowledge of the routes to VPNs whose associated CE routers are not connected to it.
Provider (P) routers—The service provider routers that comprise the provider’s core network. The P routers do not assign VPN information and they do not have any knowledge of CE routers. Instead, the main focus of the P router is on label switching.
Figure 3-1 shows an example of the MPLS VPN architecture.
Figure 3-1 MPLS VPN Network—Example
Access Technologies
The Cisco 10000 series router supports the routed bridge encapsulation (RBE) protocol. Point-to-point protocol (PPP) access-based permanent virtual circuits (PVCs) are supported by using the following access encapsulation methods:
PPP over ATM (PPPoA)
PPP over Ethernet (PPPoE)
By using these PPP access technologies, the Cisco 10000 series router can terminate up to 32,000 sessions and support many features, including:
Per session authentication based on Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP)
Per session accounting
Per session quality of service
Note The Cisco 10000 series router can terminate up to 32,000 ATM RBE sessions.
Figure 3-2 shows the topology of an integrated PPPoX (PPPoE or PPPoA) access to a multiprotocol label switching virtual private network (MPLS VPN) solution.
Figure 3-2 PPPoX Access to MPLS VPN Topology
In the figure, the service provider operates an MPLS VPN that interconnects all customer sites. The service provider’s core network is an MPLS backbone with VPN service capability. The service provider provides all remote access operations to its customer. The network side interfaces are tagged interfaces, logically separated into multiple VPNs.
Figure 3-3 shows the topology of an RBE to MPLS VPN solution.
Figure 3-3 RBE to MPLS VPN Topology
In the figure, the wholesale provider uses VPNs to separate the subscribers of different retail providers. The subscribers are uniquely placed in VRFs on the access side. A tag interface separates traffic for the different retail providers on the network side. The MPLS VPN technology is used to assign tags in a VPN-aware manner.
PPP over ATM to MPLS VPN
The Cisco 10000 series router supports a PPP over ATM (PPPoA) connection to an MPLS VPN architecture. In this model, when a remote user attempts to establish a connection with a corporate network, a PPPoA session is initiated and is terminated on the service provider’s virtual home gateway (VHG) or provider edge (PE) router. All remote hosts connected to a particular CE router must be part of the same VPN to which the CE router is connected.
The following events occur when the remote user attempts to access the corporate network or ISP:
1. A PPPoA session is initiated over the broadband access network.
2. The VHG/PE router accepts and terminates the PPPoA session.
3. The VHG/PE router obtains virtual access interface (VAI) configuration information.
a. The VHG/PE obtains virtual template interface configuration information, which typically includes virtual routing and forwarding (VRF) mapping for sessions.
b. The VHG/PE sends a separate request to either the customer’s or service provider’s RADIUS server for the VPN to authenticate the remote user.
c. The VPN’s VRF instance was previously instantiated on the VHG or PE. The VPN’s VRF contains a routing table and other information associated with a specific VPN.
Typically, the customer RADIUS server is located within the customer VPN. To ensure that transactions between the VHG/PE router and the customer RADIUS server occur over routes within the customer VPN, the VHG/PE router is assigned at least one IP address that is valid within the VPN.
4. The VHG/PE router forwards accounting records to the service provider’s proxy RADIUS server, which in turn logs the accounting records and forwards them to the appropriate customer RADIUS server.
5. The VHG/PE obtains an IP address for the CPE. The address is allocated from one of the following:
Local address pool
Service provider’s RADIUS server, which either specifies the address pool or directly provides the address
Service provider’s DHCP server
6. The CPE is now connected to the customer VPN. Packets can flow to and from the remote user.
Use virtual template interfaces to map sessions to VRFs. The Cisco 10000 series router can then scale to 32,000 sessions. In Cisco IOS Release 12.2(16)BX1 and later releases, when you map sessions to VRFs by using the RADIUS server, use the syntax ip:vrf-id or ip:ip-unnumbered. These vendor specific attributes (VSAs) enhance the scalability of per-user configurations because a new full virtual access interface is not required. For more information, see the “Enhancing Scalability of Per-User Configurations” section on page 2-17.
Note In releases earlier than Cisco IOS Release 12.2(16)BX1, to map sessions to VRFs by using the RADIUS server, use the syntax lcp:interface-config. This configuration forces the Cisco 10000 series router to use full virtual access interfaces, which decreases scaling. We recommend that you do not use this configuration. Upgrading to Cisco IOS Release 12.2(16)BX1 or later eliminates this restriction.
PPP over Ethernet to MPLS VPN
The Cisco 10000 series router supports a PPP over Ethernet (PPPoE) connection to an MPLS VPN architecture. In this model, when a remote user attempts to establish a connection with a corporate network, a PPPoE session is initiated and is terminated on the service provider’s virtual home gateway (VHG) or provider edge (PE) router. All remote hosts connected to a particular CE router must be part of the VPN to which the CE router is connected.
The PPPoE to MPLS VPN architecture is a flexible architecture with the following characteristics:
A remote host can create multiple concurrent PPPoE sessions, each to a different VPN.
If multiple remote hosts exist behind the same CE router, each remote host can log in to a different VPN.
Any remote host can log in to any VPN at any time because each VHG or PE router has the VRFs for all possible VPNs pre-instantiated on it. This configuration requires that the VRF be applied through the RADIUS server, which can cause scalability issues (see the following note).
Use virtual template interfaces to map sessions to VRFs. The Cisco 10000 series router can then scale to 32,000 sessions. In Cisco IOS Release 12.2(16)BX1 and later releases, when you map sessions to VRFs by using the RADIUS server, use the syntax ip:vrf-id or ip:ip-unnumbered. These vendor specific attributes (VSAs) enhance the scalability of per-user configurations because a new full virtual access interface is not required. For more information, see the “Enhancing Scalability of Per-User Configurations” section on page 2-17.
Note For releases earlier than Cisco IOS Release 12.2(16)BX1, to map sessions to VRFs by using the RADIUS server, use the syntax lcp:interface-config. This configuration forces the Cisco 10000 series router to use full virtual access interfaces, which decreases scaling. We recommend that you do not use this configuration. Upgrading to Cisco IOS Release 12.2(16)BX1 or later releases will eliminate this restriction.
The following events occur as the VHG or PE router processes the incoming PPPoE session:
1. A PPPoE session is initiated over the broadband access network.
2. The VHG/PE router accepts and terminates the PPPoE session.
3. The VHG/PE router obtains virtual access interface (VAI) configuration information.
a. The VHG/PE obtains virtual template interface configuration information, which typically includes VRF mapping for sessions.
b. The VHG/PE sends a separate request to either the customer’s or service provider’s RADIUS server for the VPN to authenticate the remote user.
c. The VPN’s VRF instance was previously instantiated on the VHG or PE. The VPN’s VRF contains a routing table and other information associated with a specific VPN.
Use virtual template interfaces to map sessions to VRFs. The Cisco 10000 series router can then scale to 32,000 sessions. In Cisco IOS Release 12.2(16)BX1 and later releases, when you map sessions to VRFs by using the RADIUS server, use the syntax ip:vrf-id or ip:ip-unnumbered. These vendor specific attributes (VSAs) enhance the scalability of per-user configurations because a new full virtual access interface is not required. For more information, see the “Enhancing Scalability of Per-User Configurations” section on page 2-17.
Note For releases earlier than Cisco IOS Release 12.2(16)BX1, to map sessions to VRFs by using the RADIUS server, use the syntax lcp:interface-config. This configuration forces the Cisco 10000 series router to use full virtual access interfaces, which decreases scaling. We recommend that you do not use this configuration. Upgrading to Cisco IOS Release 12.2(16)BX1 or later releases will eliminate this restriction.
Typically, the customer RADIUS server is located within the customer VPN. To ensure that transactions between the VHG/PE router and the customer RADIUS server occur over routes within the customer VPN, the VHG/PE router is assigned at least one IP address that is valid within the VPN.
4. The VHG/PE router forwards accounting records to the service provider’s proxy RADIUS server, which in turn logs the accounting records and forwards them to the appropriate customer RADIUS server.
5. The VHG/PE obtains an IP address for the CPE. The address is allocated from one of the following:
Local address pool
Service provider’s RADIUS server, which either specifies the address pool or directly provides the address
Service provider’s DHCP server
6. The CPE is now connected to the customer VPN. Packets can flow to and from the remote user.
RBE over ATM to MPLS VPN
The Cisco 10000 series router supports an ATM RBE to MPLS VPN connection. RBE is used to route IP over bridged RFC 1483 Ethernet traffic from a stub-bridged LAN. The ATM connection appears like a routed connection; however, the packets received on the interface are bridged IP packets. RBE looks at the IP header of the packets arriving at an ATM interface and routes the packets instead of bridging them.
In Figure 3-4, RBE is configured between the DSL router and the Cisco 10000 series router, acting as the VHG/PE router.
Figure 3-4 DSL RBE to MPLS VPN Integration
The DSL router can be set up as a pure bridge or it can be set up for integrated routing and bridging (IRB) where multiple LAN interfaces are bridged through the bridge group virtual interface (BVI). Each of the DSL routers terminates on a separate point-to-point subinterface on the VHG/PE, which is statically configured with a specific VRF. Remote user authentication or authorization is available with Option 82 for DSL RBE remote access. RBE treats the VHG/PE subinterface as if it is connected to an Ethernet LAN, but avoids the disadvantages of pure bridging, such as broadcast storms, IP hijacking, and ARP spoofing issues. Address management options include static and VRF-aware DHCP servers.
Note For more information, see the “DSL Access to MPLS VPN Integration” chapter in the Cisco Remote Access to MPLS VPN Solution Overview and Provisioning Guide, Release 2.0, located at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/rampls2/ovprov/ra_op_05.htm
MPLS VPN ID
The MPLS VPN ID is a 14-digit hexadecimal number that uniquely identifies a VPN and its associated VRF across all VHGs and PE routers in the network. In a router with multiple VPNs configured, you can use a VPN ID to identify a particular VPN. The VPN ID follows a standard specification (RFC 2685). The configuration of a VPN ID is optional.
Note The VPN ID is used for provisioning only. BGP routing updates do not include the VPN ID.
You can configure a VRF instance for each VPN configured on the Cisco 10000 series router. By using the vpn id VRF configuration command, you can assign a VPN ID to a VPN. The router stores the VPN ID in the corresponding VRF structure for the VPN (see the “Configuring Virtual Routing and Forwarding Instances” section on page 3-13).
DHCP servers use the VPN ID to identify a VPN and allocate resources as the following describes:
1. A VPN DHCP client requests a connection to the Cisco 10000 series router (PE router) from a VRF interface.
2. The PE router determines the VPN ID associated with that interface.
3. The PE router sends a request with the VPN ID and other information for assigning an IP address to the DHCP server.
4. The DHCP server uses the VPN ID and IP address information to process the request.
5. The DHCP server sends a response back to the PE router, allowing the VPN DHCP client access to the VPN.
The RADIUS server uses the VPN ID to assign dialin users to the proper VPN. Typically, a user login consists of the following packets:
Access-Request packet—A query from the network access server (NAS) that contains the user name, encrypted password, NAS IP address, VPN ID, and port. The format of the request also provides information on the type of session that the user wants to initiate.
Access-Accept or Access-Reject packet—A response from the RADIUS server. The server returns an Access-Accept response if it finds the user name and verifies the password. The response includes a list of attribute-value (AV) pairs that describe the parameters to be used for this session. If the user is not authenticated, the RADIUS server returns an Access-Reject packet, and access is denied.
Note For more information, see the MPLS VPN ID, Release 12.2(4)B feature module, located at the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_vpn.html
DHCP Relay Agent Information Option—Option 82
The Cisco 10000 series router supports the Dynamic Host Configuration Protocol (DHCP) relay agent information option (Option 82) feature when ATM routed bridge encapsulation (RBE) is used to configure DSL access. This feature communicates information to the DHCP server by using a suboption of the DHCP relay agent information option called agent remote ID. The information sent in the agent remote ID includes an IP address identifying the relay agent, information about the ATM interface, and information about the PVC over which the DHCP request came in. The DHCP server can use this information to make IP address assignments and security policy decisions.
Acting as the DHCP relay agent, the Cisco 10000 series router can also include VPN ID information in the agent remote ID suboption when forwarding client-originated DHCP packets to a DHCP server that has knowledge of existing VPNs. The VPN-aware DHCP server receives the DHCP packets and uses the VPN ID information to determine from which VPN to allocate an address. The DHCP server responds to the DHCP relay agent and includes information that identifies the originating client.
Note For more information, see the DHCP Option 82 Support for Routed Bridge Encapsulation, Release 12.2(2)T feature module.
DHCP Relay Support for MPLS VPN Suboptions
The DHCP relay agent information option (Option 82) enables a Dynamic Host Configuration Protocol (DHCP) relay agent to include information about itself when forwarding client-originated DHCP packets to a DHCP server. In some environments, the relay agent has access to one or more MPLS VPNs. A DHCP server that wants to offer service to DHCP clients on those different VPNs needs to know the VPN where each client resides. The relay agent typically knows about the VPN association of the DHCP client and includes this information in the relay agent information option.
The DHCP relay support for MPLS VPN suboptions feature allows the Cisco 10000 series router, acting as the DHCP relay agent, to forward VPN-related information to the DHCP server by using the following three suboptions of the DHCP relay agent information option:
VPN identifier
Subnet selection
Server identifier override
The DHCP relay agent uses the VPN identifier suboption to tell the DHCP server the VPN for each DHCP request that it passes on to the DHCP server, and also uses the suboption to properly forward any DHCP reply that the DHCP server sends back to the relay agent. The VPN identifier suboption contains the VPN ID configured on the incoming interface to which the client is connected. If you configure the VRF name but not the VPN ID, the VRF name is used as the VPN identifier suboption. If the interface is in global routing space, the router does not add the VPN suboptions.
The subnet selection suboption allows the separation of the subnet where the client resides from the IP address that is used to communicate with the relay agent. In some situations, the relay agent needs to specify the subnet on which a DHCP client resides that is different from the IP address the DHCP server can use to communicate with the relay agent. The DHCP relay agent includes the subnet selection suboption in the relay agent information option, which the relay agent passes on to the DHCP server.
The server identifier override suboption contains the incoming interface IP address, which is the IP address on the relay agent that is accessible from the client. By using this information, the DHCP client sends all renew and release packets to the relay agent. The relay agent adds all the VPN suboptions and then forwards the renew and release packets to the original DHCP server.
After adding these suboptions to the DHCP relay agent information option, the gateway address changes to the relay agent’s outgoing interface on the DHCP server side. The DHCP server uses this gateway address to send reply packets back to the relay agent. The relay agent then removes the relay agent information options and forwards the packets to the DHCP client on the correct VPN.
Note For more information, see the DHCP Relay Support for MPLS VPN Suboptions, Release 12.2(4)B feature module, located at the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_dhc.html
Feature History for RA to MPLS VPN
Cisco IOS Release    Description                                                       Required PRE
12.2(4)BZ1           This feature was integrated into Cisco IOS Release 12.2(4)BZ1.    PRE1
12.3(7)XI1           This feature was integrated into Cisco IOS Release 12.3(7)XI1.    PRE2
12.2(28)SB           This feature was integrated into Cisco IOS Release 12.2(28)SB.    PRE2
Restrictions for RA to MPLS VPN
The RA to MPLS VPN feature has the following restrictions:
When BGP aggregates customer routes, the received packets that match the aggregate route require an additional feedback in the PXF forwarding engine, which reduces performance.
RBE to MPLS VPN does not support MAC-layer access lists; only IP access lists are supported.
Before configuring DHCP relay support for MPLS VPN suboptions, you must configure standard MPLS VPNs. For more information, see the “Configuring Virtual Private Networks” section on page 3-28 and the “Configuring the MPLS Core Network” section on page 3-12, or see the Cisco IOS Switching Services Configuration Guide, Release 12.2, located at the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/switch/configuration/guide/fswtch_c.html
The VPN ID is not used to control the distribution of routing information or to associate IP addresses with VPN IDs in routing updates.
Prerequisites for RA to MPLS VPN
The RA to MPLS VPN feature has the following requirements:
Your network must be running the following Cisco IOS services before you configure VPN operation:
MPLS in the service provider backbone routers
Tag distribution protocol (TDP) or the label distribution protocol (LDP)
BGP in all routers providing a VPN service
Cisco Express Forwarding (CEF) switching in each MPLS-enabled router
Note IP CEF is on by default on the Cisco 10000 series router and it cannot be turned off. If you attempt to enable IP CEF, an error appears.
For PPPoX to MPLS VPN networks, the Cisco 10000 series router must be running Cisco IOS Release 12.2(4)BZ1 or later releases and the performance routing engine must be installed in the router’s chassis.
For ATM RBE to MPLS VPN networks, the Cisco 10000 series router must be running Cisco IOS Release 12.2(15)BX or later releases and the performance routing engine must be installed in the router’s chassis.
You must configure DHCP option 82 support on the DHCP relay agent by using the ip dhcp relay information option command before you can use the DHCP Option 82 support for the RBE feature.
Configure all the PE routers that belong to the same VPN with the same VPN ID. Make sure that the VPN ID is unique to the service provider network.
Configuration Tasks for RA to MPLS VPN
To configure the RA to MPLS VPN feature, perform the following configuration tasks:
Configuring the MPLS Core Network
Configuring Access Protocols and Connections
Configuring and Associating Virtual Private Networks
Configuring RADIUS User Profiles for RADIUS-Based AAA
Configuring the MPLS Core Network
To configure an MPLS core network, perform the following tasks:
Enabling Label Switching of IP Packets on Interfaces
Configuring Virtual Routing and Forwarding Instances
Associating VRFs
Configuring Multiprotocol BGP PE to PE Routing Sessions
Enabling Label Switching of IP Packets on Interfaces
Enable label switching of IP packets on each PE router interface on the MPLS side of the network. The Cisco 10000 series router MPLS network side interface is a tagged interface. The packets passing through the interface are tagged packets.
Note Multiple interfaces require a Label Switch Router (LSR).
To enable label switching of IP packets on interfaces, enter the following command in interface configuration mode:
Command: Router(config-if)# mpls ip
Purpose: Enables label switching of IP packets on the interface.
Note The Cisco 10000 series router supports the PPP Terminated Aggregation (PTA) to VRF feature, which terminates incoming PPP sessions and places them into the appropriate VRF for transport to the customer network. Unlike the RA to MPLS VPN model, the network side interface is not a tagged interface and there are no tagged packets. In the PTA to VRF model, the network side interface is an IP interface with IP packets. In this case, the traffic for the different VRFs is typically separated at Layer 2.
Configuring Virtual Routing and Forwarding Instances
Configure VRF instances on each PE router in the provider network. Create one VRF for each VPN connected using the ip vrf command in global configuration mode or router configuration mode.
To create the VRF, do the following:
Specify the correct route distinguisher (RD) used for that VPN using the rd command in VRF
configuration submode. The RD is used to extend the IP address so that you can identify the VPN to which it belongs.
Set up the import and export policies for the MP-BGP extended communities using the route-target
command in VRF configuration submode. These policies are used for filtering the import and export process.
To configure a VRF, enter the following commands on the PE router beginning in global configuration mode:
Step 1
  Command: Router(config)# ip vrf vrf-name
  Purpose: Enters VRF configuration mode and defines the virtual routing instance by assigning a VRF name.
Step 2
  Command: Router(config-vrf)# rd route-distinguisher
  Purpose: Creates routing and forwarding tables.
Step 3
  Command: Router(config-vrf)# route-target {import | export | both} route-target-ext-community
  Purpose: Creates a list of import and export route target communities for the specified VRF.
Step 4
  Command: Router(config-vrf)# vpn id oui:vpn-index
  Purpose: Assigns or updates a VPN ID on the VRF. The VPN ID uniquely identifies a VPN and VRF across all VHG and PE routers in the network.
  Note The VPN ID is used for provisioning only. BGP routing updates do not include the VPN ID.
Associating VRFs
After you define and configure the VRFs on the PE routers, associate each VRF with:
An interface or subinterface
A virtual template interface
The virtual template interface is used to create and configure a virtual access interface (VAI). For information about configuring a virtual template interface, see the “Configuring a Virtual Template Interface” section on page 3-17.
To associate a VRF, enter the following commands on the PE router beginning in interface configuration mode:
Step 1
  Command: Router(config-if)# ip vrf forwarding vrf-name
  Purpose: Associates a VRF with an interface or subinterface.
Step 2
  Command: Router(config-if)# ip address ip-address mask
  Purpose: Sets a primary or secondary address for an interface.
Step 3
  Command: Router(config-if)# exit
  Purpose: Returns to global configuration mode.
Step 4
  Command: Router(config)# interface virtual-template number
  Purpose: Creates a virtual template interface and enters interface configuration mode.
Step 5
  Command: Router(config-if)# ip vrf forwarding vrf-name
  Purpose: Associates a VRF with a virtual template interface.

Note Apply the ip vrf forwarding command and then the ip address command. If you do not, the ip vrf forwarding command removes the existing IP address on the interface.

Example 3-1 Associating a VRF with an Interface
    interface GigabitEthernet7/0/0.1
     encapsulation dot1Q 11
     ip vrf forwarding vpn1
     ip address 192.168.1.1 255.255.255.0
    !

Example 3-2 Associating a VRF with a Virtual Template Interface
    interface Virtual-Template1
     ip vrf forwarding vpn1
     ip unnumbered Loopback1
     no peer default ip address
     ppp authentication chap vpn1
     ppp authorization vpn1
     ppp accounting vpn1
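As an added example (not part of the Cisco guide), the following Python script checks a candidate PE configuration file against the VRF rules in the two sections above: each VRF has an rd and a route-target, every ip vrf forwarding references a defined VRF, and ip address is not entered before ip vrf forwarding. The sample configuration, the function names, and the finding strings are constructed for illustration.

```python
# Constructed sample of a candidate PE configuration (not from the guide).
SAMPLE = """\
ip vrf vpn1
 rd 100:1
 route-target both 100:1
ip vrf vpn2
 rd 100:2
interface GigabitEthernet7/0/0.1
 ip vrf forwarding vpn1
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet7/0/0.2
 ip address 192.168.2.1 255.255.255.0
 ip vrf forwarding vpn2
interface Virtual-Template1
 ip vrf forwarding vpn3
"""

def stanzas(text):
    """Group an IOS-style config into (header, [indented child lines])."""
    out = []
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit(text):
    """Return findings for VRF definitions and interface associations."""
    blocks = stanzas(text)
    vrfs = {h.split()[2]: b for h, b in blocks if h.startswith("ip vrf ")}
    findings = []
    for name, body in vrfs.items():
        for kw in ("rd", "route-target"):
            if not any(l.startswith(kw + " ") for l in body):
                findings.append(f"vrf {name}: missing {kw}")
    for h, body in blocks:
        fwd = [i for i, l in enumerate(body) if l.startswith("ip vrf forwarding ")]
        if not h.startswith("interface ") or not fwd:
            continue
        vrf = body[fwd[0]].split()[3]
        if vrf not in vrfs:
            findings.append(f"{h}: vrf {vrf} is not defined")
        addr = [i for i, l in enumerate(body) if l.startswith("ip address ")]
        if addr and addr[0] < fwd[0]:
            findings.append(f"{h}: ip address is set before ip vrf forwarding")
    return findings
```

Calling audit(SAMPLE) returns one finding per problem in the constructed sample; an empty list means the file passed all three checks.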
Configuring Multiprotocol BGP PE to PE Routing Sessions
To configure multiprotocol BGP (MP-BGP) routing sessions between the PE routers, enter the following commands on the PE routers beginning in global configuration mode:
Step 1
  Command: Router(config)# router bgp autonomous-system
  Purpose: Configures the internal BGP (iBGP) routing process with the autonomous system number passed along to other iBGP routers.
Step 2
  Command: Router(config-router)# no bgp default ipv4-unicast
  Purpose: Disables IPv4 BGP routing.
Step 3
  Command: Router(config-router)# neighbor {ip-address | peer-group-name} remote-as as-number
  Purpose: Configures the neighboring PE router’s IP address or iBGP peer group and identifies it to the local autonomous system. The MP-BGP neighbors must use the loopback addresses.
Step 4
  Command: Router(config-router)# neighbor {ip-address | peer-group-name} update-source interface-type
  Purpose: Allows iBGP sessions to use any operational interface for TCP connections.
Step 5
  Command: Router(config-router)# neighbor {ip-address | peer-group-name} activate
  Purpose: Activates route exchanges with the global BGP neighbors.
Step 6
  Command: Router(config-router)# address-family ipv4 vrf vrf-name
  Purpose: Enters address family configuration mode and configures the VRF routing table for BGP routing sessions that use standard IPv4 address prefixes. The vrf-name argument specifies the name of the virtual routing and forwarding (VRF) instance to associate with subsequent IPv4 address family configuration mode commands.
Step 7
  Command: Router(config-router-af)# redistribute protocol
  Purpose: Redistributes routes from one routing domain into another routing domain. The protocol argument is the source protocol from which routes are being redistributed. It can be one of the following keywords: bgp, connected, egp, igrp, isis, ospf, static [ip], or rip. The connected keyword refers to routes that are established automatically by virtue of having enabled IP on an interface.
Step 8
  Command: Router(config-router-af)# exit-address-family
  Purpose: Exits address family configuration mode.
Step 9
  Command: Router(config-router)# address-family vpnv4 [unicast]
  Purpose: Enters address family configuration mode for configuring BGP routing sessions that use standard Virtual Private Network (VPN) Version 4 address prefixes. (Optional) The unicast keyword specifies VPN Version 4 unicast address prefixes.
Step 10
  Command: Router(config-router-af)# neighbor {ip-address | peer-group-name} activate
  Purpose: Activates route exchanges with the global BGP neighbors.
Step 11
  Command: Router(config-router-af)# neighbor {ip-address | peer-group-name} send-community [both]
  Purpose: Specifies that a communities attribute should be sent to a BGP neighbor. The both keyword specifies that both communities attributes should be sent.

Example 3-3 Configuring MP-BGP
    router bgp 100
     no synchronization
     no bgp default ipv4-unicast
     bgp log-neighbor-changes
     neighbor 10.1.1.4 remote-as 100
     neighbor 10.1.1.4 update-source Loopback0
     neighbor 10.1.1.4 activate
     neighbor 10.3.1.4 remote-as 100
     neighbor 10.3.1.4 update-source Loopback0
     neighbor 10.3.1.4 activate
     no auto-summary
     !
     address-family ipv4 vrf vrf-1
      redistribute connected
      no auto-summary
      no synchronization
     exit-address-family
     !
     address-family vpnv4
      neighbor 10.1.1.4 activate
      neighbor 10.1.1.4 send-community both
      neighbor 10.3.1.4 activate
      neighbor 10.3.1.4 send-community both
     exit-address-family
    !
Note Typically, you enable BGP only on the PE routers. It is not necessary to enable BGP on all provider (P)
core routers. However, if your network topology includes a route reflector, you may then enable BGP on a core router, which might be a P or PE router.
Configuring Access Protocols and Connections
The Cisco 10000 series router supports the following access protocols:
PPP over ATM
PPP over Ethernet
RBE over ATM
When a remote user initiates a PPPoA or PPPoE session to the Cisco 10000 series router, a predefined configuration template is used to configure a virtual interface known as a virtual access interface (VAI). The VAI is created and configured dynamically by using a virtual template interface. When the user terminates the session, the VAI goes down and the resources are freed for other client uses.
Note Virtual template interfaces and VAIs do not apply to RBE over ATM.
The virtual template interface is a logical entity that the Cisco 10000 series router applies dynamically as needed to a connection. It is a configuration for an interface, but it is not tied to the physical interface. The VAI uses the attributes of the virtual template to create the session, which results in a VAI that is uniquely configured for a specific user.
After you configure a virtual template, configure the virtual connection that will use the template and then apply the template to the connection. The order in which you create virtual templates and configure the virtual connections that use the templates is not important. However, both the virtual templates and connections must exist before a remote user initiates a session to the Cisco
10000 series router.
The following sections describe how to create a virtual template and apply it to a VAI. For more information, see the “Configuring Virtual Template Interfaces” chapter in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.
Note If you are using a RADIUS server, the RADIUS configuration takes precedence over the virtual template
interface configuration. For example, the RADIUS configuration might override a number of parameters with the remainder of the configuration coming from the virtual template interface.
To configure access protocols and connections, perform the following configuration tasks. The first task listed is required and you can perform any of the remaining tasks as needed:
Configuring a Virtual Template Interface
Configuring PPP over ATM Virtual Connections and Applying Virtual Templates
Configuring PPPoE over ATM Virtual Connections and Applying Virtual Templates