ATOM on dot1q sub interfaces

Hello, networkers!
Long time no see ;-)
Straight on question now. Imagine a MPLS network with the following topology:
A B C D E
(X) --- (X) --- (X) --- (X) --- (X)
CE PE P PE CE
Router A & E are customer's routers.
Router B & D are PE routers
Let's say that we have created MPLS ATOM using Xconnect in between routers B and D. They are both using FastEthernet interfaces with sub-interfaces configured on. Router D is configured to RouterE in this way:
interface FastEthernet0/0.15
description ** RouterD->RouterE **
encapsulation dot1Q 15
no cdp enable
xconnect 2.2.2.2 666 encapsulation mpls
on the other end, router B is configured as follow:
interface FastEthernet0/0.26
description ** RouterB->RouterA **
encapsulation dot1Q 26
no cdp enable
xconnect 1.1.1.1 666 encapsulation mpls
end
Where 1.1.1.1 is RouterD loopback and 2.2.2.2 is Router B lo0.
What do you think about that scenario? Should it work with this configuration when the dot1q vlans differs? In my opinion this shouldn't work as expected as long as MPLS is doing just transparent transport of entire L2 frame (instead of using internetworking on IP level)
Can anyone, please explain how does Cisco handle this? I remember that I've read somewhere during my CCIE journey that there are different types of AtOM VC's which can either carry the dot1q tag or not.
Thank you in advance!
Kind regards,
Dani Petrov
P.p. I tried it in a few different configurations and the results are very interesting but please first share your thoughts ;-)

Hi,
You can't force the vc-type and don't need to.
To summarize:
- switchport trunk mode and subinterfaces will always pop the outer tag
- EVC interfaces do nothing by default.
On top of that vc-type 4 will add a service-delimiter tag to the frame received from the AC. It's the responsibility of the egress router to know what to do with this tag (rewrite or remove it).
GSR and 7200 will negotiate a vc-type 4 if the AC is a subinterface. 7600 will always negotiate a vc-type 5 except if the peer wants a vc-type 4.
HTH
Laurent.

Similar Messages

ISIS on dot1q/dot1ad-sub-interfaces on A9K

Hi
Is there any particular reason why ISIS on tagged sub-interfaces (both single- and double tagged) doesn't get a CoS value of 6 in the frames?
I know, I know... "Why would you run ISIS on a sub-interface?"
Indeed, but I have a rather special scenario where the core routers need to go through a switched network to reach each other, and for various reasons, these switches only leave us with the option of classifying traffic based on 802.1p, and thus we have to run the IGP on sub-interfaces.
We have/had the same issue on ASR1K, but on that platform we can use a "hack" by having a class-map match on destination mac-addresses for ISIS CLNS traffic and then set the CoS to 6 egress in a policy on the physical interface.
That hack is not, unfortunately, supported on 9K
Anyone with any insight?
/Mikkel

Hmm, well, it seems to tag ISIS with CoS 6 when running on XR 5.2.0
My previous tests have been on 5.1.2.
Will try 5.1.3 as well.
Haven't been able to find anything in release notes, how come?

The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

Hello
I think the following topologies are supported for Cisco Routers
And the Physical interface also can be using as Native VLAN interface right?
Topology 1.
R1 Gi0.1 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
R1 - configuration
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
ip address 10.0.0.1 255.255.255.0
Topology 2.
R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3
Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4 (same VLAN-ID)
R1 - configuration
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet8.20
encapsulation dot1Q 20
ip address 20.0.0.1 255.255.255.0
Any information is very appreciated. but if there is any CCO document please let me know.
Thank you very much and regards,
Masanobu Hiyoshi

Hello,
The diagram is helpful.
If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
Best regards,
Peter

NAT on sub-interface with no internet access

Good morning,
Please I have a router 2901, which I configured tow sub-interfaces for Voice and Data. Everything seems to be working fine but I can't access the internet after configuring NAT.
Config below
Router1#sh config
Using 5392 out of 262136 bytes
! No configuration change since last restart
! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
version 15.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname A
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
logging buffered 51200 warnings
enable secret 4 U3/EVMmZsx9ys3vbB8aDhHy.5h4qh2V8/DkTGNsxvTA
enable password 7 06150E2C5F5B071E
aaa new-model
aaa authentication login default local
aaa session-id common
memory-size iomem 25
ip cef
ip dhcp excluded-address 10.10.36.1 10.10.36.25
ip dhcp excluded-address 10.10.36.200 10.10.36.254
ip dhcp pool DATA
network 10.10.36.0 255.255.255.0
default-router 10.10.36.1
dns-server 8.8.8.8 4.2.2.2
ip dhcp pool VOICE
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.10.36.4
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3112445314
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3112445314
revocation-check none
rsakeypair TP-self-signed-3112445314
crypto pki certificate chain TP-self-signed-3112445314
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
voice-card 0
license udi pid CISCO2901/K9 sn FCZ1808C4L8
hw-module pvdm 0/0
username a password 7 1416111F05557C
username e privilege 15 password 7 1437455E0E2A25382525260B67
username c password 7 030B580E0701284F165B5C
username a password 7 01000709481E0808
redundancy
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address #.#.#.58 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.10.36.1 255.255.255.0
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
ip route 0.0.0.0 0.0.0.0 #.#.#.57
ip access-list extended LAN_NAT_POLICY
permit ip 10.0.0.0 0.255.255.255 any
access-list 23 permit 10.10.36.0 0.0.0.255
access-list 23 permit 10.10.0.0 0.0.0.255
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 101 permit tcp 10.10.36.0 0.0.0.255 host 10.10.36.1 eq telnet
control-plane
mgcp profile default
gatekeeper
shutdown
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you hav
already used the username "cisco" to login to the router and your IOS imag
supports the "one-time" user option, then this username has already expire
You will not be able to login to the router with this username after you e
this session.
It is strongly suggested that you create a new username with a privilege l
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want
use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
password 7 13041406025D52
line aux 0
exec-timeout 0 1
no exec
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 094D4D1D105441
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp master
ntp server 10.10.36.1
end
Please I need a quick response
Thank you.

Can you change the interface to outside interface in this command
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
can you try this below command
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/0 ov
Regards
PrajithTR

How to make ASR9000 bridge domain forward traffic between sub interfaces of same physical interface?

Hi,
I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/10.3122 l2transport
description CUSTOMER A CORE
encapsulation dot1q 3122
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
   interface GigabitEthernet0/0/0/5.21
   interface GigabitEthernet0/0/0/10.3122
When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/5.22 l2transport
description CUSTOMER A WAN2
encapsulation dot1q 22
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
   interface GigabitEthernet0/0/0/5.21
   interface GigabitEthernet0/0/0/5.22
If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
Is this because tag rewrites are not happening since packets don't leave the physical interface?
How can I work around this and establish a L2 connection between the two subinterfaces?
Thank you

a vlan is usually the equivalent of an l3 subnet, so linking 2 vlans together in the same bridge domain, likely needs to come with some sort of routing (eg a BVI interface).
If these 2 vlans are still in the same subnet, then there is still arp going on, from one host to the other that traverses the bD.
you will need to verify the state of the AC, the forwarding in the BD and see if something gets dropped somewhere and follow the generic packet troubleshooting guides (see support forums for that also).
that might give a hint to what the precise issue in your forwarding is.
regards
xander

Load balancing on sub-interfaces (3 links)

Hello.
I am trying to load balance between the three links of a bundle. Traffic comes and goes with the same bundle interface.
Launched 5 threads TCP\UDP with different SRC DST IP addresses and see the following balances:
IOS-XR               Monitor Time: 00:00:30          SysUptime: 106:39:28
                          Last Clear:   00:00:22
Protocol:General
Interface             In(pps)      Out(pps)      InPkts/Delta   OutPkts/Delta
Te0/1/0/0             11381           628        102062/25512       256/64
Te0/1/0/1             33849         55965        303244/75700    505364/126230
Te0/1/0/2             11363             0        100800/25200         0/0
Quit='q',     Clear='c',    Freeze='f', Thaw='t',
Next set='n', Prev set='p', Bytes='y', Packets='k'
(General='g', IPv4 Uni='4u', IPv4 Multi='4m', IPv6 Uni='6u', IPv6 Multi='6m')
We have 10G switch connected to asr9010 three ports and the following configuration:
interface TenGigE0/1/0/0
bundle id 1 mode active
bundle port-priority 2
interface TenGigE0/1/0/1
bundle id 1 mode active
bundle port-priority 2
interface TenGigE0/1/0/2
bundle id 1 mode active
interface Bundle-Ether1.75
ipv4 address 25.0.0.1 255.255.255.252
encapsulation dot1q 75
interface Bundle-Ether1.76
ipv4 address 26.0.0.1 255.255.255.252
encapsulation dot1q 76
RP/0/RSP0/CPU0: ios # sh bundle load-balancing bundle-e1 detail location 0/1/CPU0
Tue Jun 4 07:03:07.605 UTC
Bundle-Ether1
Type: Ether (L3)
Members <current/max>: 3/3
Total Weighting: 3
Load balance: Default
Locality threshold: 65
Avoid rebalancing? False
Sub-interfaces: 3
Member Information:
    Port: LON ULID BW
    Te0/1/0/0 0 0 1
    Te0/1/0/1 1 1 1
    Te0/1/0/2 2 2 1
Sub-interface Information:
    Sub-interface Type Load Balance Locality
                                        Hash Threshold
    Bundle-Ether1.76 L3 Default 65
    Bundle-Ether1.75 L3 Default 65
    Bundle-Ether1.100 L3 Default 65
Platform Information:
=====================
                  * Bundle Summary Information *
Interface: Bundle-Ether1 Ifhandle: 0x08000160
Lag ID: 1 Virtual Port: 255
Number of Members: 3 Local to LC: Yes
Hash Modulo Index: 3
Member Information:
LON Interface ifhandle SFP port slot remote / rack_id
Te0/1/0/0 0x02000140 0 12 0 1 0/0
Te0/1/0/1 0x02000180 1 13 0 1 0/0
Te0/1/0/2 0x020001c0 11 2 0 1 0/0
                   * Bundle Table Information *
[NP 0]:
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
[NP 1]
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
[NP 2]:
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
[NP 3]
   Unicast (Global) LAG table | Multicast (Local) LAG table
idx local LON VQI port | idx local LON VQI port
   1 0 0 12 0 1 1 2 11 0
   2 0 1 13 0 2 0 0 0 0
   3 1 2 11 0 3 0 0 0 0
[NP 4]:
   Unicast (Global) LAG table | Multicast (Local) LAG table
idx local LON VQI port | idx local LON VQI port
   1 1 0 12 0 1 1 0 12 0
   2 0 1 13 0 2 0 0 0 0
   3 0 2 11 0 3 0 0 0 0
[NP 5]
   Unicast (Global) LAG table | Multicast (Local) LAG table
idx local LON VQI port | idx local LON VQI port
   1 0 0 12 0 1 1 1 13 0
   2 1 1 13 0 2 0 0 0 0
   3 0 2 11 0 3 0 0 0 0
[NP 6]
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
[NP 7]
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
================================================== =============================

20 flows and a bit better result:
IOS-XR               Monitor Time: 00:00:08          SysUptime: 133:33:44
                     Last Clear:   00:00:06
Protocol:General
Interface             In(pps)      Out(pps)      InPkts/Delta   OutPkts/Delta
Te0/1/0/0             11794         14977             0/44696         0/44484
Te0/1/0/1             10682          8786             0/37924         0/25456
Te0/1/0/2             18243         16958             0/44596         0/57579
Quit='q',     Clear='c',    Freeze='f', Thaw='t',
Next set='n', Prev set='p', Bytes='y', Packets='k'
(General='g', IPv4 Uni='4u', IPv4 Multi='4m', IPv6 Uni='6u', IPv6 Multi='6m')
Can the ASR9K more or less normal balance on uneven number of links?

Issue in Sub-interface traffic on cisco 7609-s router

Hello please support,
I configured sub-interfaces and it is working properly, but some time sub-interface show traffic more then physical interface .
Like
int gi 3/32 0.13 Mbps 12:00 PM
int gi 3/32.11 855 Mbps 12:00 PM
as per my knowledge physical interface have cumulative traffic of all sub-interfaces.
interface GigabitEthernet3/32
no ip address
interface GigabitEthernet3/32.10
encapsulation dot1Q 10
ip address 172.20.128.77 255.255.255.252
ip ospf network point-to-point
ip ospf bfd
bfd interval 50 min_rx 50 multiplier 5
no bfd echo
no cdp enable
interface GigabitEthernet3/32.11
description interlink MPLS
encapsulation dot1Q 11
ip address 172.20.129.73 255.255.255.252
ip ospf network point-to-point
mpls ip
mpls label protocol ldp
Regards,
Damodar Nagar

I have not that graph so I am just guessing that you are noticing the difference between policing and shaping. It seems to me you are applying these techniques on each platform on a different way. Try to shape/police in the same order or only to shape.
Hope to help
Alessio
Sent from Cisco Technical Support iPad App

HSRP using sub-interfaces,

I'm planning a design that will need two 2950s to support 4 vlans. Non-local traffic will be routed out via one of two HSRP routers (one pair of vlans using router 1 as a primary, the other pair using router 2).
I've dug around the cisco documentation but can't find an answer to the following...
Does HSRP run ok over sub-interfaces?
For example, VLAN 1 default gateway will be HSRP (virtual) router's f0/0.1 x.x.x.x, VLAN 2 default gateway will be HSRP router's f0/0.2 x.x.x.x, etc.
Any ideas?

Hi Dwatson,
YES, HSRP supports on sub-interfaces also & there wouldn't be any problems.YES the default gateway would be the HSRP standby ip address specified on the sub-interface for the vlans.
eg.
Router A
interface FastEthernet0/0.1
description ***ABC***
encapsulation dot1Q 1
ip address 172.16.1.2 255.255.0.0
standby 1 ip 172.16.1.1
standby 1 timers 5 15
standby 1 priority 108
standby 1 preempt
Router B
interface FastEthernet0/0.1
description ***ABC***
encapsulation dot1Q 1
ip address 172.16.1.3 255.255.0.0
standby 1 ip 172.16.1.1
standby 1 timers 5 15
standby 1 priority 109
standby 1 preempt
Note donot give any ip address on the fastethernet interface.
interface fasthethernet 0/0
no ip address
hope this helps.
rate this post if cleared

Could I configure local switching between sub-interface and global interface on ASR9k?

Could I configure local switching between sub-interface and global interface on ASR9k?

For 2 interfaces it is probably best to use an xconnect. It is faster and saves system resources (eg mac learning doesnt apply to xconnect).
Config example:
l2vpn
xconnect group link
p2p link
interface Bundle-Ether100.4321
interface Bundle-Ether500.4321
EFP config:
interface Bundle-Ether100.4321 l2transport
encapsulation dot1q 4000
rewrite ingress tag pop 1 symmetric
interface Bundle-Ether500.4321 l2transport
encapsulation dot1q 2000
rewrite ingress tag pop 1 symmetric
This example shows that you can link 2 EFP's with different vlan's together if you'd pop the tags.
If the EFP's are of the same vlan, then popping the tag can be done but not a must. In general it is recommended to always pop vlan tags so there is a standard EFP design, but not for any technical reasons.
When you use a bridge domain and using a BVI, you MUST pop the tags as the BVI has no notion of a vlan tag and wants to see "plain ethernet".
regards
xander

Sub-interface Removal

We have created a Gigabitethernet sub-interface on a router, But when removing this with command :-
Router(config)#no int gig2/3.1
It is not removed and still showing in interface list with "deleted" status (i.e Gi2/3.1 deleted down).
Please share the process for permanently removing the sub-interface from list.
Thxns

Txns..Srry but last querry now.I have created a sub-interface Gig2/3.1 with configs.Router#sh run int Gig2/3.1
Building configuration...Current configuration : 186 bytes
interface GigabitEthernet2/3.1
description CONNECTED TO NetCore
encapsulation dot1Q 99
ip address 172.50.140.1 255.255.255.252
endBut
with this configs, The remote end IP of this interface (172.50.140.2)
was reachable but there are drops(approx 30 drops) on the same after
every 40-50 replies. one of my freind suggested me for configuring
below commands under sub-interface(but he seems to be confused about
the purpose of this commands).ip rip send version 1 2
ip rip receive version 1 2After
executing abne cmmds , now there is no drops. What these commds are
doing wht is the purpose of the command, after executing these why ping
/ reachability drops problems rectified. is this standard to configure
this commands under sub-interface...? pls***
Hi,
Those commands are useful to send and recieve RIP version to be sent or recive in interface with counter part neighbour.
To control which RIP version an interface sends, use one of the following commands in interface configuration mode:
ip rip send version 1 2 Configure an interface to send RIP Version 1 and Version 2 packets.
Similarly, to control how packets received from an interface are processed, use one of the following commands in interface configuration mode:
ip rip receive version 1 2 Configure an interface to accept either RIP Version 1 or 2 packets.
Hope to Help !!
If helpful do rate the useful post
Ganesh.H

ASR9000/XR - BNG - L3 sub-interface limit for trunk (4096) error - what is the work around?

We currently have 7,500 broadband subscribers that we will be terminating on our ASR 9001.
Each one of our customers will be terminating on a sub-interface on a bundle.
On the 9k, there will be a QoS policy applied to rate-limit their broadband connection (see example below).
The challenge that we are running into right now is scaling beyond 4096 L3 sub-interfaces. When running through this in our lab, we receive the following fail message:
RP/0/RSP0/CPU0:BNG(config-subif)#show config failed
Tue Mar 10 18:32:07.552 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
interface Bundle-Ether10.6941171
!!% The L3 sub-interface limit for the trunk interface has been reached: Trunk limit for L3 subinterfaces on Bundle-Ether10 is 4096
We have added the following on to each of the sub-interfaces to "fake" out the NPU, but even with SPD configured, we are receiving the max 4096 message:
service-policy output <POLICY> subscriber-parent resource-id 0
service-policy output <POLICY> subscriber-parent resource-id 1
service-policy output <POLICY> subscriber-parent resource-id 2
service-policy output <POLICY> subscriber-parent resource-id 3
It is my understanding that we have a total of 4 resource ID's to use (0-3) and the ASR 9001 will support up to 32,000 sub-interfaces (system wide or 8,000 sub interfaces per resource-id).
See attached image for reference this design.
Main question to the community is what is the work around to scale beyond 4096 L3 sub-interfaces??
In our case it is not feasible to bring in additional bundles and spread the customers out.
Look forward to your responses.
Below is a sample configuration:
policy-map 10M_D
class class-default
shape average 10100000 bps
end-policy-map
policy-map 10M_U
class class-default
police rate 10300000 bps
exceed-action drop
end-policy-map
interface Bundle-Ether10.650102
description ---INT: GigabitEthernet0/0/1.650102 NAME: TEST #1---
service-policy input 10M_U
service-policy output 10M_D subscriber-parent resource-id 0
ipv4 point-to-point
local-proxy-arp
ipv4 unnumbered Loopback10
encapsulation dot1q 650 second-dot1q 102
interface Bundle-Ether10.650103
description ---GigabitEthernet0/0/1.650103 NAME: TEST #2---
service-policy input 10M_U
service-policy output 10M_D subscriber-parent resource-id 1
ipv4 point-to-point
local-proxy-arp
ipv4 unnumbered Loopback10
encapsulation dot1q 650 second-dot1q 103
interface Bundle-Ether10.650104
description ---INT: GigabitEthernet0/0/1.650104 NAME: TEST #3---
service-policy input 10M_U
service-policy output 10M_D subscriber-parent resource-id 2
ipv4 point-to-point
local-proxy-arp
ipv4 unnumbered Loopback10
encapsulation dot1q 650 second-dot1q 104
interface Bundle-Ether10.650105
description ---INT: GigabitEthernet0/0/1.650105 NAME: TEST #4---
service-policy input 10M_U
service-policy output 10M_D subscriber-parent resource-id 3
ipv4 point-to-point
local-proxy-arp
ipv4 unnumbered Loopback10
encapsulation dot1q 650 second-dot1q 105
interface Bundle-Ether10.650106
description ---INT: GigabitEthernet0/0/1.650106 NAME: TEST #5---
service-policy input 10M_U
service-policy output 10M_D subscriber-parent resource-id 0
ipv4 point-to-point
local-proxy-arp
ipv4 unnumbered Loopback10
encapsulation dot1q 650 second-dot1q 106
interface Bundle-Ether10.650107
description ---INT: GigabitEthernet0/0/1.650107 NAME: TEST #6---
service-policy input 10M_U
service-policy output 10M_D subscriber-parent resource-id 1
ipv4 point-to-point
local-proxy-arp
ipv4 unnumbered Loopback10
encapsulation dot1q 650 second-dot1q 107
interface Bundle-Ether10.650108
description ---INT: GigabitEthernet0/0/1.650108 NAME: TEST #7---
service-policy input 10M_U
service-policy output 10M_D subscriber-parent resource-id 2
ipv4 point-to-point
local-proxy-arp
ipv4 unnumbered Loopback10
encapsulation dot1q 650 second-dot1q 108
interface Bundle-Ether10.650109
description ---INT: GigabitEthernet0/0/1.650109 NAME: TEST #8---
service-policy input 10M_U
service-policy output 10M_D subscriber-parent resource-id 3
ipv4 point-to-point
local-proxy-arp
ipv4 unnumbered Loopback10
encapsulation dot1q 650 second-dot1q 109

xander,
Thanks for sharing the QinQ username, works perfectly.
couple of design questions for you.
#1 - If i have >7500 subscribers that will be terminating on this bundle, would this be the best design to ensure that i can scale up to 32,000 subscribers on the BE <leveraging the subscriber-parent resource-id (0-4)>
EXAMPLE
interface Bundle-Ether10.100
description BE10.100 – Area 1 - BNG customers - QinQ
ipv4 point-to-point
ipv4 unnumbered Loopback0
service-policy output <POLICY> subscriber-parent resource-id 0
service-policy type control subscriber IP_PM
ipsubscriber ipv4 l2-connected
initiator dhcp
encapsulation ambiguous dot1q 100 second-dot1q any
interface Bundle-Ether10.200
description BE10.200 – Area 2 - BNG customers - QinQ
ipv4 point-to-point
ipv4 unnumbered Loopback0
service-policy output <POLICY> subscriber-parent resource-id 1
service-policy type control subscriber IP_PM
ipsubscriber ipv4 l2-connected
initiator dhcp
encapsulation ambiguous dot1q 200 second-dot1q any
interface Bundle-Ether10.300
description BE10.300 – Area 3 - BNG customers - QinQ
ipv4 point-to-point
ipv4 unnumbered Loopback0
service-policy output <POLICY> subscriber-parent resource-id 3
service-policy type control subscriber IP_PM
ipsubscriber ipv4 l2-connected
initiator dhcp
encapsulation ambiguous dot1q 300 second-dot1q any
interface Bundle-Ether10.400
description BE10.400 – Area 4 - BNG customers - QinQ
ipv4 point-to-point
ipv4 unnumbered Loopback0
service-policy output <POLICY> subscriber-parent resource-id 4
service-policy type control subscriber IP_PM
ipsubscriber ipv4 l2-connected
initiator dhcp
encapsulation ambiguous dot1q 400 second-dot1q any
#2 - How do I verify in XR the CoA speed profile that is pushed down from RADIUS to a given subscriber?
I thought I might see the dynamic policy using the command below, but no luck.
Do you know the correct command?
RP/0/RSP0/CPU0:bng-asr9001#show policy-map inter be10.1.ip5
Wed Apr 1 14:12:06.390 UTC
Bundle-Ether10.1.ip5 input: __sub_55ffffff8b7dffffffad
Class class-default
Classification statistics (packets/bytes) (rate - kbps)
Matched : 126959/10831088 14
Transmitted : N/A
Total Dropped : N/A
Policy __sub_55ffffff8b7dffffffad_child1 Class class-default
Classification statistics (packets/bytes) (rate - kbps)
Matched : 126959/10831088 14
Transmitted : N/A
Total Dropped : 325/322582 0
Policing statistics (packets/bytes) (rate - kbps)
Policed(conform) : 126634/10508506 14
Policed(exceed) : 325/322582 0
Policed(violate) : 0/0 0
Policed and dropped : 325/322582
Policed and dropped(parent policer) : N/A
Bundle-Ether10.1.ip5 output: __sub_6effffff81ffffffbfffffffdb
Class class-default
Classification statistics (packets/bytes) (rate - kbps)
Matched : 199642/280153690 453
Transmitted : N/A
Total Dropped : N/A
Policy __sub_6effffff81ffffffbfffffffdb_child1 Class class-default
Classification statistics (packets/bytes) (rate - kbps)
Matched : 199642/280153690 453
Transmitted : N/A
Total Dropped : 26930/38989025 61
Policing statistics (packets/bytes) (rate - kbps)
Policed(conform) : 172712/241164665 392
Policed(exceed) : 26930/38989025 61
Policed(violate) : 0/0 0
Policed and dropped : 26930/38989025
Policed and dropped(parent policer) : N/A
RP/0/RSP0/CPU0:bng-asr9001#
#3 - CoA QoS profile -> I'm using the following avpair for ingress / egress qos. However when validating against a speed test server, my results are well above the 10Mbps / 10Mbps I have provisioned. Actual is more of in the ~15Mbps/15Mbps range.
Am I missing additional config in the policing section?
cisco-avpair = "ip:qos-policy-in=add-class(sub, (class-default,class-default),police(10000))",
cisco-avpair += "ip:qos-policy-out=add-class(sub, (class-default,class-default),police(10000))"
Appreciate it in advance xander!
-ae

IPSec tunnel on sub-interface on ASA 5510

Hello All,
I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels on each subinterface of a physical interface on ASA 5510?
I would be greatul if someone please reply post this with some details.
Regards,
Muds

Hi Jennifer,
Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
Regards,
Muds

Asa 5505 sub interface plus ports

I have never used 5505 I gave used higher firewalls and all of them can do sub interfaces normally we make sub interfaces and vlans are assigned to them I m trying to config 5505 can someone tell me how I can create sub interfaces ? As I saw few config and it seems that you config vlans like switch ??? Secondly all interfaces have to b part of vlan ? Ie outside which is g0/0 ....can I config it as normall routed port ?

The 5505 is configured nearly the same a a L3-switch. You configure the Vlan-interfaces and assign these to your switch-ports. The switch ports can be configured as access- or as trunk-ports (if you have a SecPlus license).
You find more on this topic on the Config-Guide:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html

LMS 4.2 sub-interface not available in the instance selection window creating poller

Hi All,
I have sub-interfaces created on the switch and are in active(up/up) state,but these sub-interface not available for selection in the instance window while creating the poller, and am not able to monitor the traffic on these sub interface in the performance management.
LMS will not display the interfaces in the instance selection window if they are not active,but here the sub-interface are in active state but these are
not available. can anyboody help me out ??
Thanks,
Channa

Any Idea..??

Sub-interfaces on n5k

Hi, I am trying to connect N5k (layer-3) and ASA, there is a requirement where some of the security-sensitive vlans have their layer-3 on the ASA and for those vlans who are less-sensitive have their svis on the N5k. I am doing a POC in my lab gear first. The n5k and the ASA are connected by 1 physical link having sub-interfaces on both the ends. There is a sub-int with vlan 10 (10.1.1.0/30) on both sides and the ASA injects a default-route to the N5k over this. so in case a non-secure vlan needs to talks to a secure-vlan it goes through via this path. My issue is that, if i create a sub-intf on the ASA, give it a vlan tag of 20, and on my N5k i add a port in that same vlan, i cannot ping my GW (ASA) from the laptop. I have also created a similar sub-int on the N5k side as well with tag 20, BUT still does not work.
attached visio.
Any clues??
Thnx
Sandev

Hello Sande,
That is correct! Please mark this question as answered so future users having a similar problem can learn from your
solution.
Regards,
Julio

ATOM on dot1q sub interfaces

Similar Messages

Maybe you are looking for