Monday, October 31, 2011

Cisco Frame-Relay Traffic Shaping Configuration Example

We will test Cisco Frame-Relay Traffic Shaping.

LLQ (low latency queueing) will be used for the traffic-shaping queues. LLQ provides prioritization of the VoIP packets:

Configuration of R1:

class-map match-all voip
 match  dscp ef
!
!
policy-map LLQ-Test
 class voip
  priority percent 50
 class class-default
  fair-queue

interface Serial0/0
 no ip address
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
!
interface Serial0/0.1 point-to-point
 ip address 10.10.10.1 255.255.255.252
 snmp trap link-status
 frame-relay interface-dlci 100
  class FRTS-Test 
!
map-class frame-relay FRTS-Test
 frame-relay cir 256000
 service-policy output LLQ-Test

Configuration of R2

class-map match-all voip
 match  dscp ef
!
policy-map LLQ-Test
 class voip
  priority percent 50
 class class-default
  fair-queue

interface Serial0/0
 no ip address
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
!
interface Serial0/0.1 point-to-point
 ip address 10.10.10.2 255.255.255.252
 snmp trap link-status
 frame-relay interface-dlci 100 
  class FRTS-Test
!
map-class frame-relay FRTS-Test
 frame-relay cir 256000
 service-policy output LLQ-Test

Let's test prioritization of VoIP traffic by marking ICMP packets with the EF value (ToS 184):

R2#ping                           
Protocol [ip]:
Target IP address: 10.10.10.1
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface:
Type of service [0]: 184
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 10/82/186 ms

At the same time there was a large amount of best-effort traffic:

R2#show policy-map interface s0/0.1

 Serial0/0.1: DLCI 100 -
  Service-policy output: LLQ-Test
    Class-map: voip (match-all)
      200 packets, 20800 bytes
      5 minute offered rate 8000 bps, drop rate 0 bps
      Match:  dscp ef (46)
      Queueing
        Strict Priority
        Output Queue: Conversation 24
        Bandwidth 50 (%)
        Bandwidth 64 (kbps) Burst 1600 (Bytes)
        (pkts matched/bytes matched) 102/10608
        (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
      50680 packets, 71151483 bytes
      5 minute offered rate 1601000 bps, drop rate 1489000 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 16
        (total queued/total drops/no-buffer drops) 0/46962/0

We see that the VoIP packets passed without any drops, while the best-effort traffic was dropped.
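To turn that visual check into something repeatable, here is an added Python example (not part of the original post) that parses the per-class lines of the show policy-map interface output above and reports drop share per class. It also encodes the FRTS sizing rule behind the "Bandwidth 64 (kbps)" line: when a policy-map is attached through a Frame-Relay map-class, IOS computes "priority percent" from mincir, which defaults to half of the configured CIR, so 256000 bps CIR with 50 percent gives 64 kbps for the priority queue, not 128 kbps. The sample text, the class name voip and the function names are taken from or built for this page.

```python
import re

# Constructed sample: the per-class lines of the page's
# "show policy-map interface s0/0.1" output, embedded so this runs offline.
SAMPLE_OUTPUT = """\
 Serial0/0.1: DLCI 100 -
  Service-policy output: LLQ-Test
    Class-map: voip (match-all)
      200 packets, 20800 bytes
      5 minute offered rate 8000 bps, drop rate 0 bps
      Match:  dscp ef (46)
      Queueing
        Strict Priority
        Bandwidth 50 (%)
        Bandwidth 64 (kbps) Burst 1600 (Bytes)
        (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
      50680 packets, 71151483 bytes
      5 minute offered rate 1601000 bps, drop rate 1489000 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        (total queued/total drops/no-buffer drops) 0/46962/0
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \(match-\w+\)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
PRIO_BW_RE = re.compile(r"Bandwidth (\d+) \(kbps\)")


def parse_policy_map(text):
    """Return {class_name: stats} with offered/drop rates, packet counts and,
    for a strict-priority class, the absolute bandwidth IOS derived for it."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = classes.setdefault(
                m.group(1), {"packets": 0, "offered_bps": 0, "drop_bps": 0, "priority_kbps": None})
        elif current is None:
            continue
        elif m := PKTS_RE.match(line):
            current["packets"] = int(m.group(1))
        elif m := RATE_RE.search(line):
            current["offered_bps"], current["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif m := PRIO_BW_RE.search(line):
            current["priority_kbps"] = int(m.group(1))
    return classes


def drop_fraction(stats):
    """Share of the offered rate that is being dropped (0.0 when nothing is offered)."""
    return stats["drop_bps"] / stats["offered_bps"] if stats["offered_bps"] else 0.0


def expected_priority_kbps(cir_bps, percent, mincir_bps=None):
    """Under FRTS, IOS sizes 'priority percent' from the map-class mincir,
    which defaults to half of the configured CIR: 256000 * 1/2 * 50% = 64 kbps."""
    if mincir_bps is None:
        mincir_bps = cir_bps // 2
    return mincir_bps * percent // 100 // 1000


def priority_queue_healthy(text, cir_bps, percent, prio_class="voip"):
    """True when the priority class shows zero drops and its bandwidth matches what
    the FRTS/mincir rule predicts, i.e. the LLQ really has the share that was intended."""
    stats = parse_policy_map(text)[prio_class]
    return stats["drop_bps"] == 0 and stats["priority_kbps"] == expected_priority_kbps(cir_bps, percent)


if __name__ == "__main__":
    for name, stats in parse_policy_map(SAMPLE_OUTPUT).items():
        print(f"{name:15} offered {stats['offered_bps']:>8} bps  dropped {drop_fraction(stats):6.1%}")
    print("priority queue healthy:", priority_queue_healthy(SAMPLE_OUTPUT, 256000, 50))
```

If the priority class ever needs the full 128 kbps, the map-class needs an explicit frame-relay mincir 256000 (or the percentage has to be chosen against the mincir default); the script's expected_priority_kbps takes an optional mincir_bps for exactly that comparison.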

Cisco IOS Site to Site Ipsec between routers

We will test site-to-site (LAN-to-LAN) IPsec in this example:

Configuration of R2

crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 5.5.5.5
!
!
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
!
crypto map maptest local-address Loopback0
crypto map maptest 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set set2
 match address 101
!       
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback22
 description Lan_Simulation
 ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/1
 description Wan_Interface
 ip address 192.168.25.2 255.255.255.0
 duplex auto
 speed auto
 crypto map maptest

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 22.22.22.22 0.0.0.0 area 0
 network 192.168.25.0 0.0.0.255 area 0
!
access-list 101 permit ip host 22.22.22.22 host 55.55.55.55

Configuration of R5:

crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 2.2.2.2
!
!
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
!
crypto map maptest local-address Loopback0
crypto map maptest 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set set2
 match address 101
!       
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Loopback55
 description Lan_Simulation
 ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/1
 description Wan_Interface
 ip address 192.168.25.5 255.255.255.0
 duplex auto
 speed auto
 crypto map maptest
!        
router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 network 5.5.5.5 0.0.0.0 area 0
 network 55.55.55.55 0.0.0.0 area 0
 network 192.168.25.0 0.0.0.255 area 0
!
access-list 101 permit ip host 55.55.55.55 host 22.22.22.22

Let's do basic reachability tests:
R5#show ip route ospf
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11] via 192.168.25.2, 00:09:31, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
O       22.22.22.22 [110/11] via 192.168.25.2, 00:07:31, FastEthernet0/1
R5#
R5#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.2         5.5.5.5         QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
R5#show crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: map2, local addr 5.5.5.5
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (55.55.55.55/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 204, #pkts encrypt: 204, #pkts digest: 204
    #pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 5.5.5.5, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xC466B108(3295064328)
     inbound esp sas:
      spi: 0x6B29193A(1797855546)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, crypto map: map2
        sa timing: remaining key lifetime (k/sec): (4411479/3237)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC466B108(3295064328)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, crypto map: map2
        sa timing: remaining key lifetime (k/sec): (4411479/3237)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
R5#
R5#ping 22.22.22.22 source 55.55.55.55 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 55.55.55.55
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 16/34/80 ms
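A crypto-map tunnel only comes up when the two sides mirror each other: the peer address on one side must be the other side's local address, the pre-shared key must be bound to that address, the transform sets must agree, and the crypto ACLs must be exact mirror images (traffic that matches neither ACL is simply routed in cleartext, which is the failure a defender cares about more than a tunnel that refuses to form). The following Python check is an added example, not from the original post; it reads the relevant lines of the R2 and R5 configurations above and assumes the forms used on this page (host/host crypto ACL entries and a single crypto-map sequence).

```python
import re

# Constructed samples: the lines of the page's R2 and R5 configs that must agree with the peer.
R2_CONFIG = """\
crypto isakmp key cisco123 address 5.5.5.5
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
crypto map maptest local-address Loopback0
crypto map maptest 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set set2
 match address 101
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
access-list 101 permit ip host 22.22.22.22 host 55.55.55.55
"""

R5_CONFIG = """\
crypto isakmp key cisco123 address 2.2.2.2
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
crypto map maptest local-address Loopback0
crypto map maptest 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set set2
 match address 101
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
access-list 101 permit ip host 55.55.55.55 host 22.22.22.22
"""


def parse_peer(config):
    """Extract the parts of a crypto-map site-to-site config that must agree with the peer.
    Assumes host/host crypto ACL entries and one crypto-map sequence, as on the page."""
    info = {"keys": {}, "tsets": {}, "map": {}, "acl": {}, "if_addr": {}, "local_if": None}
    section = None  # "map" inside the crypto map block, ("if", name) inside an interface
    for line in config.splitlines():
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            info["keys"][m.group(2)] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            info["tsets"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"crypto map \S+ local-address (\S+)", line):
            info["local_if"] = m.group(1)
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            section = "map"
        elif m := re.match(r"interface (\S+)", line):
            section = ("if", m.group(1))
        elif m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", line):
            info["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif section == "map":
            if m := re.match(r" set peer (\S+)", line):
                info["map"]["peer"] = m.group(1)
            elif m := re.match(r" set transform-set (\S+)", line):
                info["map"]["tset"] = m.group(1)
            elif m := re.match(r" match address (\d+)", line):
                info["map"]["acl"] = m.group(1)
        elif isinstance(section, tuple):
            if m := re.match(r" ip address (\S+) ", line):
                info["if_addr"][section[1]] = m.group(1)
    info["local_addr"] = info["if_addr"].get(info["local_if"])
    return info


def check_symmetry(a, b):
    """Return a list of mismatches between two peers; an empty list means they mirror each other."""
    problems = []
    for side, (x, y) in (("A", (a, b)), ("B", (b, a))):
        if x["map"].get("peer") != y["local_addr"]:
            problems.append(f"{side}: set peer {x['map'].get('peer')} != peer local address {y['local_addr']}")
        if y["local_addr"] not in x["keys"]:
            problems.append(f"{side}: no isakmp key bound to peer address {y['local_addr']}")
        own_acl = x["acl"].get(x["map"].get("acl"), [])
        peer_acl = y["acl"].get(y["map"].get("acl"), [])
        for proto, src, dst in own_acl:
            if (proto, dst, src) not in peer_acl:  # the peer must list the same flow reversed
                problems.append(f"{side}: crypto ACL entry {proto} {src}->{dst} has no mirror on the peer")
    if a["keys"].get(b["local_addr"]) != b["keys"].get(a["local_addr"]):
        problems.append("pre-shared keys differ")
    if a["tsets"].get(a["map"].get("tset")) != b["tsets"].get(b["map"].get("tset")):
        problems.append("transform sets differ")
    return problems


if __name__ == "__main__":
    print(check_symmetry(parse_peer(R2_CONFIG), parse_peer(R5_CONFIG)) or "configs mirror each other")
```

Running it on the page's two configurations returns no findings; changing one host in either ACL produces a finding on both sides, which is exactly the proxy-identity mismatch the routers would log during IKE phase 2.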

Cisco Gre over Ipsec Configuration Example

In this example we will test GRE over IPsec. The tunnel will be established between the Loopback0 IP addresses of routers R2 and R5. We will use OSPF for reachability between the Loopback0 interfaces, and EIGRP through the GRE tunnel for reachability of the data networks at each site. All packets that pass through the tunnel will be encrypted.

Configuration of R2

crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 5.5.5.5
!
!
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
!
crypto map map2 local-address Loopback0
crypto map map2 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set set2
 match address 101
!      
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback22
 ip address 22.22.22.22 255.255.255.255
!
interface Tunnel52
 ip address 192.168.52.2 255.255.255.0
 tunnel source Loopback0
 tunnel destination 5.5.5.5
!
interface FastEthernet0/1
 ip address 192.168.25.2 255.255.255.0
 duplex auto
 speed auto
 crypto map map2
!
router eigrp 100
 network 22.22.22.22 0.0.0.0
 network 192.168.52.0
 no auto-summary
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.25.0 0.0.0.255 area 0
!
access-list 101 permit gre host 2.2.2.2 host 5.5.5.5

Configuration R5

crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 2.2.2.2
!
!
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
!
crypto map map2 local-address Loopback0
crypto map map2 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set set2
 match address 101
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Loopback55
 ip address 55.55.55.55 255.255.255.255
!
interface Tunnel52
 ip address 192.168.52.5 255.255.255.0
 tunnel source Loopback0
 tunnel destination 2.2.2.2
!
interface FastEthernet0/1
 ip address 192.168.25.5 255.255.255.0
 duplex auto
 speed auto
 crypto map map2
!        
router eigrp 100
 network 55.55.55.55 0.0.0.0
 network 192.168.52.0
 no auto-summary
!
router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 network 5.5.5.5 0.0.0.0 area 0
 network 192.168.25.0 0.0.0.255 area 0
!
access-list 101 permit gre host 5.5.5.5 host 2.2.2.2

Let's check connectivity and make sure that all packets going through the GRE tunnel are encrypted.

R2#show ip eigrp neighbor                    
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.52.5            Tu52              14 00:00:47  260  5000  0  11
R2#
R2#show ip route eigrp
     55.0.0.0/32 is subnetted, 1 subnets
D       55.55.55.55 [90/297372416] via 192.168.52.5, 00:00:50, Tunnel52
R2#
R2#ping 55.55.55.55 source 22.22.22.22       
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/129/152 ms
R2#
R2#show crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: map2, local addr 2.2.2.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/47/0)
   current_peer 5.5.5.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 257, #pkts encrypt: 257, #pkts digest: 257
    #pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 75, #recv errors 0
     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 5.5.5.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xF0037D54(4026760532)
     inbound esp sas:
      spi: 0xB3EB58EB(3018545387)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, crypto map: map2
        sa timing: remaining key lifetime (k/sec): (4506809/3009)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xF0037D54(4026760532)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, crypto map: map2
        sa timing: remaining key lifetime (k/sec): (4506809/3009)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

Cisco Ipsec over Gre Tunnel Configuration Example

In this example we will test IPsec over a GRE tunnel. The tunnel will be established between the Loopback0 IP addresses of routers R1 and R4. We will use OSPF for reachability between the Loopback0 interfaces, and EIGRP through the tunnel for reachability of the data networks at each site. All packets that pass through the tunnel will be encrypted.

Configuration of R1

crypto isakmp policy 1
 encr aes
 authentication pre-share

crypto isakmp key cisco123 address 4.4.4.4
!
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile profile1
 set transform-set set1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback 11
 ip address 11.11.11.11 255.255.255.255
!
interface Tunnel14
 ip address 192.168.41.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile1

interface FastEthernet0/1
 ip address 192.168.14.1 255.255.255.0
 duplex auto
 speed auto

router eigrp 100
 network 11.11.11.11 0.0.0.0
 network 192.168.41.0
 no auto-summary
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.14.0 0.0.0.255 area 0

Configuration of R4

crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 1.1.1.1
!
!
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile profile1
 set transform-set set1

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback 44
 ip address 44.44.44.44 255.255.255.255
!
interface Tunnel14
 ip address 192.168.41.4 255.255.255.0
 tunnel source Loopback0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile1

interface FastEthernet0/1
 ip address 192.168.14.4 255.255.255.0
 duplex auto
 speed auto

router eigrp 100
 network 44.44.44.44 0.0.0.0
 network 192.168.41.0
 no auto-summary
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.14.0 0.0.0.255 area 0

Let's check connectivity and make sure that all packets going through the tunnel are encrypted.

R1#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.41.4            Tu14              14 00:00:41  109  5000  0  3

R1#show ip route eigrp
     44.0.0.0/32 is subnetted, 1 subnets
D       44.44.44.44 [90/297372416] via 192.168.41.4, 00:00:46, Tunnel14

R1#ping 44.44.44.44 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/84/116 ms

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         4.4.4.4         QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa
interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 1.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 4.4.4.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 4.4.4.4
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0xEB366F8D(3946213261)
     inbound esp sas:
      spi: 0x6D746FAA(1836347306)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4537930/3524)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xEB366F8D(3946213261)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4537930/3524)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
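Both this section and the GRE-over-IPsec section before it end with the same question, "are all tunnel packets encrypted?", answered by eyeballing show crypto ipsec sa. The Python below is an added example (not from the original post) that parses that output and answers it mechanically for both designs: it confirms encaps == encrypt == digest and decaps == decrypt == verify, that both ESP SAs are ACTIVE, and reports what the SA selector actually covers. That last point is the security-relevant difference between the two designs and is visible in the page's own output: with a crypto map and access-list permit gre, the local/remote ident shows protocol 47, so only GRE between the two loopbacks is protected, whereas the tunnel mode ipsec ipv4 VTI shows 0.0.0.0/0.0.0.0/0/0 because everything routed into Tunnel14 is encrypted. The samples are trimmed copies of the R2 and R1 outputs above.

```python
import re

# Constructed samples: the lines this parser reads, taken from the page's "show crypto ipsec sa"
# outputs on R2 (GRE selected by a crypto ACL) and R1 (tunnel mode ipsec ipv4 VTI).
GRE_CRYPTO_MAP_SA = """\
interface: FastEthernet0/1
    Crypto map tag: map2, local addr 2.2.2.2
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/47/0)
    #pkts encaps: 257, #pkts encrypt: 257, #pkts digest: 257
    #pkts decaps: 254, #pkts decrypt: 254, #pkts verify: 254
    #send errors 75, #recv errors 0
     inbound esp sas:
        in use settings ={Transport, }
        Status: ACTIVE
     outbound esp sas:
        in use settings ={Transport, }
        Status: ACTIVE
"""

VTI_SA = """\
interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 1.1.1.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
    #send errors 0, #recv errors 0
     inbound esp sas:
        in use settings ={Tunnel, }
        Status: ACTIVE
     outbound esp sas:
        in use settings ={Tunnel, }
        Status: ACTIVE
"""

TAG_RE = re.compile(r"Crypto map tag: (\S+), local addr (\S+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
MODE_RE = re.compile(r"in use settings =\{(\w+),")
STATUS_RE = re.compile(r"Status: (\w+)")


def parse_ipsec_sa(text):
    """Collect selector, counters, mode and SA status from one 'show crypto ipsec sa' block."""
    sa = {"ident": {}, "counters": {}, "modes": set(), "status": [], "send_errors": 0, "recv_errors": 0}
    for line in text.splitlines():
        if m := TAG_RE.search(line):
            sa["tag"], sa["local_addr"] = m.groups()
        elif m := IDENT_RE.search(line):
            side, addr, mask, prot, port = m.groups()
            sa["ident"][side] = {"addr": addr, "mask": mask, "prot": int(prot), "port": int(port)}
        elif m := ERR_RE.search(line):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := MODE_RE.search(line):
            sa["modes"].add(m.group(1))
        elif m := STATUS_RE.search(line):
            sa["status"].append(m.group(1))
        for m in COUNTER_RE.finditer(line):  # several counters share one line
            sa["counters"][m.group(1)] = int(m.group(2))
    return sa


def verify_encrypted(sa):
    """The checks behind 'all tunnel traffic is encrypted': every encapsulated packet was
    encrypted and authenticated, every decapsulated one decrypted and verified, both ESP SAs
    are ACTIVE, and the selector covers what you expect (47 = GRE only, 0 = any protocol)."""
    c = sa["counters"]
    return {
        "selector_protocol": sa["ident"]["local"]["prot"],
        "mode": next(iter(sa["modes"])) if len(sa["modes"]) == 1 else "mixed",
        "all_encrypted": c["encaps"] == c["encrypt"] == c["digest"],
        "all_decrypted": c["decaps"] == c["decrypt"] == c["verify"],
        "both_sas_active": sa["status"] == ["ACTIVE", "ACTIVE"],
        "send_errors": sa["send_errors"],
    }


if __name__ == "__main__":
    for name, text in (("GRE via crypto map", GRE_CRYPTO_MAP_SA), ("VTI", VTI_SA)):
        print(name, verify_encrypted(parse_ipsec_sa(text)))
```

The 75 send errors in R2's output are worth a look in a real deployment: they count packets the crypto engine could not send, for example packets offered to the crypto map before the SA was established; a counter that keeps rising after the SA is up points at a selector or routing problem rather than a start-up transient.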

Sunday, October 30, 2011

Cisco DMVPN Redundancy - Vrf aware hub

In this configuration example we have two hub routers, which are also MPLS PE routers of an Internet service provider, and two different DMVPN VPN customers.

Configuration on Hub-1:

interface Tunnel100
 ip vrf forwarding vrf-b
 ip address 172.16.10.1 255.255.255.248
 ip mtu 1400
 ip nhrp authentication 100100
 ip nhrp map multicast dynamic
 ip nhrp network-id 100100
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf cost 10
 ip ospf priority 255
 ip ospf mtu-ignore
 delay 1000
 qos pre-classify
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100100
 tunnel protection ipsec profile cisco shared

interface Tunnel101
 ip vrf forwarding vrf-a
 ip address 172.16.10.9 255.255.255.248
 ip mtu 1400
 ip nhrp authentication 100101
 ip nhrp map multicast dynamic
 ip nhrp network-id 100101
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf cost 10
 ip ospf priority 255
 ip ospf mtu-ignore
 delay 1000
 qos pre-classify
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100101
 tunnel protection ipsec profile cisco shared

router ospf 101 vrf vrf-a
network 172.16.10.0 0.0.0.255 area 0

router ospf 100 vrf vrf-b
network 172.16.10.0 0.0.0.255 area 0

Configuration on Hub-2:

interface Tunnel200
 ip vrf forwarding vrf-b
 ip address 172.16.10.17 255.255.255.248
 ip mtu 1400
 ip nhrp authentication 123200
 ip nhrp map multicast dynamic
 ip nhrp network-id 123200
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf cost 100
 ip ospf priority 255
 ip ospf mtu-ignore
 delay 1000
 qos pre-classify
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100200
 tunnel protection ipsec profile cisco shared

interface Tunnel201
 ip vrf forwarding vrf-a
 ip address 172.16.10.25 255.255.255.248
 ip mtu 1400
 ip nhrp authentication 123201
 ip nhrp map multicast dynamic
 ip nhrp network-id 123201
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf cost 100
 ip ospf priority 255
 ip ospf mtu-ignore
 delay 1000
 qos pre-classify
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100201
 tunnel protection ipsec profile cisco shared

router ospf 101 vrf vrf-a
network 172.16.10.0 0.0.0.255 area 0

router ospf 100 vrf vrf-b
network 172.16.10.0 0.0.0.255 area 0

Configuration for vrf-a Customer:

interface Tunnel101
 ip address  172.16.10.10 255.255.255.248
 ip mtu 1400
 ip nhrp authentication 100101
 ip nhrp map  172.16.10.9 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 100101
 ip nhrp nhs  172.16.10.9
 ip tcp adjust-mss 1362
 ip ospf network broadcast
 ip ospf cost 100
 ip ospf priority 0
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100101
 tunnel protection ipsec profile cisco shared

interface Tunnel201
 ip address  172.16.10.26 255.255.255.248
 ip mtu 1400
 ip nhrp authentication 100201
 ip nhrp map  172.16.10.25 1.1.1.2
 ip nhrp map multicast 1.1.1.2
 ip nhrp network-id 100201
 ip nhrp nhs  172.16.10.25
 ip tcp adjust-mss 1362
 ip ospf network broadcast
 ip ospf cost 200
 ip ospf priority 0
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100201
 tunnel protection ipsec profile cisco shared

router ospf 101
network 172.16.10.0 0.0.0.255 area 0
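A spoke registers with a hub only if the NHRP authentication string and the GRE tunnel key match the hub tunnel it points its NHS at; the NHRP network-id, by contrast, is locally significant and need not agree. With a shared IPsec profile (tunnel protection ... shared) each tunnel on the same router must also carry a distinct tunnel key so the router can tell the two mGRE clouds apart. The Python below is an added audit (not from the original post) that reads the hub and spoke tunnel interfaces above and applies those two rules. Run against the page's own values it flags one mismatch: the spoke's Tunnel201 uses ip nhrp authentication 100201 while Hub-2's Tunnel201 is configured with 123201, so that spoke would not register with Hub-2. Note that the NHRP authentication string is carried in clear text inside NHRP and only guards against joining the wrong cloud; confidentiality comes from the IPsec profile. The sample configurations are trimmed to the lines the check reads.

```python
import re

# Constructed samples: the lines this audit reads, copied from the page's Hub-1, Hub-2 and
# vrf-a spoke configurations (the remaining tunnel commands are left out for brevity).
HUB1_CONFIG = """\
interface Tunnel100
 ip address 172.16.10.1 255.255.255.248
 ip nhrp authentication 100100
 tunnel key 100100
 tunnel protection ipsec profile cisco shared

interface Tunnel101
 ip address 172.16.10.9 255.255.255.248
 ip nhrp authentication 100101
 tunnel key 100101
 tunnel protection ipsec profile cisco shared
"""

HUB2_CONFIG = """\
interface Tunnel200
 ip address 172.16.10.17 255.255.255.248
 ip nhrp authentication 123200
 tunnel key 100200
 tunnel protection ipsec profile cisco shared

interface Tunnel201
 ip address 172.16.10.25 255.255.255.248
 ip nhrp authentication 123201
 tunnel key 100201
 tunnel protection ipsec profile cisco shared
"""

SPOKE_A_CONFIG = """\
interface Tunnel101
 ip address  172.16.10.10 255.255.255.248
 ip nhrp authentication 100101
 ip nhrp nhs  172.16.10.9
 tunnel key 100101
 tunnel protection ipsec profile cisco shared

interface Tunnel201
 ip address  172.16.10.26 255.255.255.248
 ip nhrp authentication 100201
 ip nhrp nhs  172.16.10.25
 tunnel key 100201
 tunnel protection ipsec profile cisco shared
"""

FIELDS = {
    "address": re.compile(r"\s*ip address\s+(\S+)"),
    "nhrp_auth": re.compile(r"\s*ip nhrp authentication\s+(\S+)"),
    "nhs": re.compile(r"\s*ip nhrp nhs\s+(\S+)"),
    "tunnel_key": re.compile(r"\s*tunnel key\s+(\S+)"),
    "shared": re.compile(r"\s*tunnel protection ipsec profile \S+ (shared)"),
}


def parse_tunnels(config, router):
    """Return {"<router> TunnelN": {field: value}} for every tunnel interface in the config."""
    tunnels, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (Tunnel\d+)", line):
            cur = tunnels.setdefault(f"{router} {m.group(1)}", {})
        elif cur is not None:
            for field, rx in FIELDS.items():
                if m := rx.match(line):
                    cur[field] = m.group(1)
    return tunnels


def check_spoke_registration(spoke, hubs):
    """Pair each spoke tunnel with the hub tunnel whose address is its NHS and compare the
    values NHRP requires to agree: the authentication string and the GRE tunnel key.
    (ip nhrp network-id is locally significant and is deliberately not compared.)"""
    hub_by_addr = {t["address"]: name for name, t in hubs.items()}
    findings = []
    for sname, s in spoke.items():
        hname = hub_by_addr.get(s.get("nhs"))
        if hname is None:
            findings.append(f"{sname}: NHS {s.get('nhs')} is not a hub tunnel address")
            continue
        for field in ("nhrp_auth", "tunnel_key"):
            if s.get(field) != hubs[hname].get(field):
                findings.append(f"{sname} -> {hname}: {field} {s.get(field)} != {hubs[hname].get(field)}")
    return findings


def check_shared_keys(tunnels):
    """Tunnels on one router that share an IPsec profile ('shared') must carry distinct tunnel
    keys so the router can demultiplex the mGRE clouds arriving from the same source."""
    seen, findings = {}, []
    for name, t in tunnels.items():
        if t.get("shared"):
            key = t.get("tunnel_key")
            if key in seen:
                findings.append(f"{name} and {seen[key]} share tunnel key {key}")
            seen.setdefault(key, name)
    return findings


def audit():
    """Run both checks over the page's configurations and return the list of findings."""
    hub1, hub2 = parse_tunnels(HUB1_CONFIG, "Hub-1"), parse_tunnels(HUB2_CONFIG, "Hub-2")
    spoke = parse_tunnels(SPOKE_A_CONFIG, "spoke-a")
    return (check_spoke_registration(spoke, {**hub1, **hub2})
            + check_shared_keys(hub1) + check_shared_keys(hub2) + check_shared_keys(spoke))


if __name__ == "__main__":
    print("\n".join(audit()) or "no findings")
```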

Tuesday, October 11, 2011

Cisco IOS XR BFD for OSPF configuration Example

In Cisco IOS XR software, BFD is configured under a dynamic routing protocol, such as OSPF or BGP. This is not the case for BFD in Cisco IOS software, where BFD is configured only on an interface.


In Cisco IOS XR software, a BFD neighbor is established through routing. The Cisco IOS "bfd neighbor" interface configuration command is not supported in Cisco IOS XR software. Hardware differences and capabilities affect the BFD timer interval and mode.


Router-1
router ospf 1
 router-id 100.100.100.1
 bfd minimum-interval 30
 bfd multiplier 2
 area 0
  interface Loopback0
   passive enable
  !
  interface GigabitEthernet0/1/0/5
   bfd fast-detect
   network point-to-point

Router-2
router ospf 1
 router-id 100.100.100.2
 bfd minimum-interval 30
 bfd multiplier 2
 area 0
  interface Loopback0
   passive enable
  !
  interface GigabitEthernet0/1/0/5
   bfd fast-detect
   network point-to-point

show bfd session
Interface            Dest Addr           Local det time(int*mult)      State
                                                   Echo            Async
-------------------- --------------- ---------------- ---------------- ---------
Gi0/1/0/5            192.168.2.1     60ms(30ms*2)     6s(2s*3)         UP

Cisco IOS XR VPLS Configuration Example

Router-1

interface TenGigE0/0/0/3.20 l2transport
 encapsulation dot1q 20

l2vpn
 bridge group vplslab
  bridge-domain vplslab
   interface TenGigE0/0/0/3.20
   !
   vfi vplslab
    vpn-id 600
    autodiscovery bgp
     rd 10.10.10.1:20
     route-target 1:60
     signaling-protocol bgp
      ve-id 10

router bgp 1

 address-family l2vpn vpls-vpws
 !
 neighbor 10.10.10.2
  remote-as 1
  update-source Loopback0
  address-family l2vpn vpls-vpws

show l2vpn bridge-domain bd-name vplslab detail
Bridge group: vplslab, bridge-domain: vplslab, id: 0, state: up, ShgId: 0, MSTi: 0
  MAC learning: enabled
  MAC withdraw: enabled
    MAC withdraw for Access PW: enabled
  Flooding:
    Broadcast & Multicast: enabled
    Unknown unicast: enabled
  MAC aging time: 300 s, Type: inactivity
  MAC limit: 4000, Action: none, Notification: syslog
  MAC limit reached: no
  MAC port down flush: enabled
  MAC Secure: disabled, Logging: disabled
  Split Horizon Group: none
  Dynamic ARP Inspection: disabled, Logging: disabled
  IP Source Guard: disabled, Logging: disabled
  DHCPv4 snooping: disabled
  IGMP Snooping profile: none
  Bridge MTU: 1500
  MIB cvplsConfigIndex: 1
  Filter MAC addresses:
  Create time: 12/09/2011 23:24:27 (11:45:37 ago)
  No status change since creation
  ACs: 1 (1 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)
  List of ACs:
    AC: TenGigE0/0/0/3.20, state is up
      Type VLAN; Num Ranges: 1
      VLAN ranges: [20, 20]
      MTU 1504; XC ID 0x40001; interworking none
      MAC learning: enabled
      Flooding:
        Broadcast & Multicast: enabled
        Unknown unicast: enabled
      MAC aging time: 300 s, Type: inactivity
      MAC limit: 4000, Action: none, Notification: syslog
      MAC limit reached: no
      MAC port down flush: enabled
      MAC Secure: disabled, Logging: disabled
      Split Horizon Group: none
      Dynamic ARP Inspection: disabled, Logging: disabled
      IP Source Guard: disabled, Logging: disabled
      DHCPv4 snooping: disabled
      IGMP Snooping profile: none
      Storm Control: disabled
      Static MAC addresses:
      Statistics:
        packets: received 2470, sent 10
        bytes: received 168136, sent 1016
      Storm control drop counters:
        packets: broadcast 0, multicast 0, unknown unicast 0
        bytes: broadcast 0, multicast 0, unknown unicast 0
      Dynamic ARP inspection drop counters:
        packets: 0, bytes: 0
      IP source guard drop counters:
        packets: 0, bytes: 0
  List of Access PWs:
  List of VFIs:
    VFI vplslab
      VPN-ID: 600, Auto Discovery: BGP, state is Provisioned (Service Connected)
      Route Distinguisher:  10.10.10.1:200
      Import Route Targets:
        1:60
      Export Route Targets:
        1:60
      Signaling protocol: BGP
      Local VE-ID: 10 ,  Advertised Local VE-ID : 10
      VE-Range: 10
      PW: neighbor 10.10.10.2, PW ID 600, state is up ( established )
        PW class not set, XC ID 0xfffc0003
        Encapsulation MPLS, Auto-discovered (BGP), protocol BGP
        PW type VPLS, control word disabled, interworking none
        PW backup disable delay 0 sec
        Sequencing not set
          MPLS         Local                          Remote                   
          ------------ ------------------------------ -------------------------
          Label        16008                          16054                    
          MTU          1500                           1500                     
          Control word disabled                       disabled                 
          PW type      VPLS                           VPLS                     
          VE-ID        10                             9                        
          ------------ ------------------------------ -------------------------
        MIB cpwVcIndex: 4294705155
        Create time: 12/09/2011 10:37:35 (00:32:30 ago)
        Last time status changed: 12/09/2011 10:37:35 (00:32:30 ago)
        MAC withdraw message: send 0 receive 0
        Static MAC addresses:
        Statistics:
          packets: received 10, sent 987
          bytes: received 1016, sent 67440
      DHCPv4 snooping: disabled
      IGMP Snooping profile: none
      VFI Statistics:
        drops: illegal VLAN 0, illegal length 0

show bgp l2vpn vpls
BGP router identifier 10.10.10.1, local AS number 1
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0
BGP main routing table version 21
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop        Rcvd Label      Local Label
Route Distinguisher: 10.10.10.1:200 (default for vrf vplslab:vplslab)
*>i9:1/32             10.10.10.2         16045           nolabel
*> 10:1/32            0.0.0.0         nolabel         16000


---------------------------------------------------------------



Router-2

interface TenGigE0/0/0/2.20 l2transport
 encapsulation dot1q 20

l2vpn
 bridge group vplslab
  bridge-domain vplslab
   interface TenGigE0/0/0/2.20
   !
   vfi vplslab
    vpn-id 600
    autodiscovery bgp
     rd 10.10.10.1:20
     route-target 1:60
     signaling-protocol bgp
      ve-id 9

show run router bgp
router bgp 1
 address-family l2vpn vpls-vpws

 neighbor 10.10.10.1
  remote-as 1
  update-source Loopback0
  address-family ipv4 unicast
  address-family l2vpn vpls-vpws


show l2vpn bridge-domain bd-name vplslab detail
Bridge group: vplslab, bridge-domain: vplslab, id: 0, state: up, ShgId: 0, MSTi: 0
  MAC learning: enabled
  MAC withdraw: enabled
    MAC withdraw for Access PW: enabled
  Flooding:
    Broadcast & Multicast: enabled
    Unknown unicast: enabled
  MAC aging time: 300 s, Type: inactivity
  MAC limit: 4000, Action: none, Notification: syslog
  MAC limit reached: no
  MAC port down flush: enabled
  MAC Secure: disabled, Logging: disabled
  Split Horizon Group: none
  Dynamic ARP Inspection: disabled, Logging: disabled
  IP Source Guard: disabled, Logging: disabled
  DHCPv4 snooping: disabled
  IGMP Snooping profile: none
  Bridge MTU: 1500
  MIB cvplsConfigIndex: 1
  Filter MAC addresses:
  Create time: 12/09/2011 23:22:52 (12:02:13 ago)
  No status change since creation
  ACs: 1 (1 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)
  List of ACs:
    AC: TenGigE0/0/0/2.20 , state is up
      Type VLAN; Num Ranges: 1
      VLAN ranges: [20, 20]
      MTU 1504; XC ID 0x440002; interworking none
      MAC learning: enabled
      Flooding:
        Broadcast & Multicast: enabled
        Unknown unicast: enabled
      MAC aging time: 300 s, Type: inactivity
      MAC limit: 4000, Action: none, Notification: syslog
      MAC limit reached: no
      MAC port down flush: enabled
      MAC Secure: disabled, Logging: disabled
      Split Horizon Group: none
      Dynamic ARP Inspection: disabled, Logging: disabled
      IP Source Guard: disabled, Logging: disabled
      DHCPv4 snooping: disabled
      IGMP Snooping profile: none
      Storm Control: disabled
      Static MAC addresses:
      Statistics:
        packets: received 11, sent 1292
        bytes: received 1076, sent 88196
      Storm control drop counters:
        packets: broadcast 0, multicast 0, unknown unicast 0
        bytes: broadcast 0, multicast 0, unknown unicast 0
      Dynamic ARP inspection drop counters:
        packets: 0, bytes: 0
      IP source guard drop counters:
        packets: 0, bytes: 0
  List of Access PWs:
  List of VFIs:
    VFI vplslab
      VPN-ID: 600, Auto Discovery: BGP, state is Provisioned (Service Connected)
      Route Distinguisher:  10.10.10.1:200
      Import Route Targets:
        1:60
      Export Route Targets:
        1:60
      Signaling protocol: BGP
      Local VE-ID: 9 ,  Advertised Local VE-ID : 9
      VE-Range: 10
      PW: neighbor 10.10.10.1, PW ID 600, state is up ( established )
        PW class not set, XC ID 0xfffc0003
        Encapsulation MPLS, Auto-discovered (BGP), protocol BGP
        PW type VPLS, control word disabled, interworking none
        PW backup disable delay 0 sec
        Sequencing not set
          MPLS         Local                          Remote                   
          ------------ ------------------------------ -------------------------
          Label        16054                          16008                    
          MTU          1500                           1500                     
          Control word disabled                       disabled                 
          PW type      VPLS                           VPLS                     
          VE-ID        9                              10                       
          ------------ ------------------------------ -------------------------
        MIB cpwVcIndex: 0
        Create time: 12/09/2011 10:36:17 (00:48:48 ago)
        Last time status changed: 12/09/2011 10:36:17 (00:48:48 ago)
        MAC withdraw message: send 0 receive 0
        Static MAC addresses:
        Statistics:
          packets: received 1476, sent 11
          bytes: received 100688, sent 1076
      DHCPv4 snooping: disabled
      IGMP Snooping profile: none
      VFI Statistics:
        drops: illegal VLAN 0, illegal length 0

show bgp l2vpn vpls
BGP router identifier 10.10.10.2 local AS number 1
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0
BGP main routing table version 19
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop        Rcvd Label      Local Label
Route Distinguisher: 10.10.10.1:20 (default for vrf vplslab:vplslab)
*> 9:1/32             0.0.0.0         nolabel         16045
*>i10:1/32            10.10.10.1         16000           nolabel
Processed 2 prefixes, 2 paths
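The two show bgp l2vpn vpls tables and the Label rows of the bridge-domain output are linked by the RFC 4761 label-block arithmetic, and checking that link is the quickest way to confirm that BGP auto-discovery and signalling produced the pseudowire labels you expect. Each VE advertises an NLRI of the form VE-ID:VE-block-offset (9:1 and 10:1 here) with a label base (16045 for VE 9, 16000 for VE 10) and a block size (VE-Range: 10); the label VE x uses toward VE y is y's label base plus (x minus y's block offset). The Python below is an added example, not from the original post: it parses the two BGP tables above, derives the labels, and reproduces the Local 16008 / Remote 16054 pair shown on Router-1 and the reversed pair on Router-2. It assumes exactly two VEs, as in this lab.

```python
import re
from dataclasses import dataclass

# Constructed samples: the NLRI rows of the page's "show bgp l2vpn vpls" output on each router.
R1_BGP_TABLE = """\
   Network            Next Hop        Rcvd Label      Local Label
Route Distinguisher: 10.10.10.1:200 (default for vrf vplslab:vplslab)
*>i9:1/32             10.10.10.2         16045           nolabel
*> 10:1/32            0.0.0.0         nolabel         16000
"""
R2_BGP_TABLE = """\
   Network            Next Hop        Rcvd Label      Local Label
Route Distinguisher: 10.10.10.1:20 (default for vrf vplslab:vplslab)
*> 9:1/32             0.0.0.0         nolabel         16045
*>i10:1/32            10.10.10.1         16000           nolabel
"""
VE_RANGE = 10  # "VE-Range: 10" in show l2vpn bridge-domain: the block size each VE advertises


@dataclass(frozen=True)
class VeBlock:
    ve_id: int       # advertising VE
    offset: int      # VE block offset (VBO), the second number of the NLRI "ve_id:offset/32"
    size: int        # VE block size (VBS)
    label_base: int  # label base (LB)


ROW_RE = re.compile(r"^\*>i?\s*(\d+):(\d+)/\d+\s+\S+\s+(\S+)\s+(\S+)")


def parse_ve_blocks(table, ve_range=VE_RANGE):
    """Return {ve_id: VeBlock}. The locally originated row carries its label base in
    'Local Label'; the iBGP-learned row carries the remote VE's base in 'Rcvd Label'."""
    blocks = {}
    for line in table.splitlines():
        if m := ROW_RE.match(line):
            ve, off, rcvd, local = m.groups()
            base = int(local) if rcvd == "nolabel" else int(rcvd)
            blocks[int(ve)] = VeBlock(int(ve), int(off), ve_range, base)
    return blocks


def pw_label(toward, from_ve_id):
    """RFC 4761: the label VE x uses toward VE y is y's LB + (x - y's VBO), valid only when
    x falls inside y's advertised block [VBO, VBO + VBS)."""
    if not toward.offset <= from_ve_id < toward.offset + toward.size:
        raise ValueError(f"VE {from_ve_id} is outside the block advertised by VE {toward.ve_id}")
    return toward.label_base + (from_ve_id - toward.offset)


def pw_labels(table, local_ve_id, ve_range=VE_RANGE):
    """Return (local_label, remote_label) as 'show l2vpn bridge-domain ... detail' prints them:
    local = the label the remote VE sends us, remote = the label we send toward the remote VE."""
    blocks = parse_ve_blocks(table, ve_range)
    local = blocks[local_ve_id]
    (remote_id, remote), = [(v, b) for v, b in blocks.items() if v != local_ve_id]  # two-VE lab
    return pw_label(local, remote_id), pw_label(remote, local_ve_id)


if __name__ == "__main__":
    print("Router-1 (VE 10) local/remote labels:", pw_labels(R1_BGP_TABLE, 10))
    print("Router-2 (VE 9)  local/remote labels:", pw_labels(R2_BGP_TABLE, 9))
```

A VE-ID outside the advertised block (for example a third site configured with ve-id 11 against VE-Range 10) raises the ValueError here and, on the routers, leaves that pseudowire unsignalled until the range is enlarged.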


Monday, October 10, 2011

Cisco IOS XR Netflow Configuration Example

Here is a sample NetFlow configuration for a Cisco IOS XR ASR9000 router:

sampler-map netflowtest
 random 1 out-of 100
!
flow monitor-map netflowtest
 record ipv4
 exporter netflowtest
!

flow exporter-map netflowtest
 version v9
 transport udp 9999
 destination 2.2.2.20

Attaching the NetFlow configuration to an interface:

interface GigabitEthernet0/1/0/1.10
 ipv4 address 10.10.10.2 255.255.255.252
 flow ipv4 monitor netflowtest sampler netflowtest ingress
 flow ipv4 monitor netflowtest sampler netflowtest egress
 encapsulation dot1q 10

Show output:

RP/0/RSP0/CPU0:netflowtestrouter#show flow monitor netflowtest cache include counters packets ipv4 source-address destination-address  source-port-overloaded destination-port-overloaded

Cache summary for Flow Monitor netflowtest:
Cache size:                          65535
Current entries:                         9
High Watermark:                      62258
Flows added:                         34846
Flows not added:                         0
Ager Polls:                         234548
  - Active timeout                     645
  - Inactive timeout                 31225
  - TCP FIN flag                      2967
  - Watermark aged                       0
  - Emergency aged                       0
  - Counter wrap aged                    0
  - Total                            34837
Periodic export:
  - Counter wrap                         0
  - TCP FIN flag                         0
Flows exported                           0
IPV4SrcAddr      IPV4DstAddr      L4SrcPort  L4DestPort PacketCount
10.10.10.1       2.2.2.2          30820      23         664
2.2.2.2          2.2.2.1          53895      646        1
10.10.10.2       2.2.2.1          0          771        199
10.10.10.1       224.0.0.5        0          0          96
10.10.10.1       224.0.0.2        646        646        204
2.2.2.2          10.10.10.1       23         30820      574
2.2.2.1          2.2.2.2          646        53895      1
2.2.2.1          2.2.2.2          646        646        199
10.10.12.4       224.0.0.5        0          0          110

Matching entries:                        9
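Two things about this cache matter when it feeds a monitoring or detection pipeline, and the following added Python example (not part of the original post) makes both concrete. First, the sampler is random 1 out-of 100, so every PacketCount in the cache stands for roughly a hundred packets on the wire and volumes must be scaled before they are compared with thresholds. Second, the "-overloaded" port fields carry protocol-specific meaning: for an ICMP flow the destination port holds type*256+code, so the 771 seen toward 2.2.2.1 decodes to type 3, code 3 (destination unreachable, port unreachable). The script parses the table above, scales the counts, ranks talkers, and lists flows to cleartext management ports; the flow from 10.10.10.1 to 2.2.2.2 port 23 (telnet) is the one it reports here. The set of management ports is this editor's assumption, not something from the page.

```python
import re
from collections import defaultdict

# From "sampler-map netflowtest / random 1 out-of 100": each cached packet stands for ~100 on the wire.
SAMPLER_RATE = 100

# Constructed sample: the flow table from the page's "show flow monitor netflowtest cache" output.
FLOW_CACHE = """\
IPV4SrcAddr      IPV4DstAddr      L4SrcPort  L4DestPort PacketCount
10.10.10.1       2.2.2.2          30820      23         664
2.2.2.2          2.2.2.1          53895      646        1
10.10.10.2       2.2.2.1          0          771        199
10.10.10.1       224.0.0.5        0          0          96
10.10.10.1       224.0.0.2        646        646        204
2.2.2.2          10.10.10.1       23         30820      574
2.2.2.1          2.2.2.2          646        53895      1
2.2.2.1          2.2.2.2          646        646        199
10.10.12.4       224.0.0.5        0          0          110
"""

ROW_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Assumed list of cleartext management protocols a defender wants surfaced from the cache.
CLEARTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}


def parse_cache(text):
    """Turn the aligned table into a list of flow dicts; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        if m := ROW_RE.match(line):
            src, dst, sport, dport, pkts = m.groups()
            flows.append({"src": src, "dst": dst, "sport": int(sport),
                          "dport": int(dport), "packets": int(pkts)})
    return flows


def estimated_packets(flow, sampler_rate=SAMPLER_RATE):
    """Scale a sampled count back up; with 1-out-of-100 sampling the cache understates volume."""
    return flow["packets"] * sampler_rate


def icmp_type_code(overloaded_port):
    """With the 'port-overloaded' fields an ICMP flow carries type*256+code in the destination
    port: 771 = 0x0303 = destination unreachable / port unreachable. Only meaningful for ICMP."""
    return overloaded_port >> 8, overloaded_port & 0xFF


def cleartext_mgmt_flows(flows):
    """(src, dst, service, estimated packets) for flows to a cleartext management port."""
    return [(f["src"], f["dst"], CLEARTEXT_MGMT_PORTS[f["dport"]], estimated_packets(f))
            for f in flows if f["dport"] in CLEARTEXT_MGMT_PORTS]


def top_talkers(flows, n=3):
    """Source addresses ranked by estimated packets sent."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += estimated_packets(f)
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


if __name__ == "__main__":
    flows = parse_cache(FLOW_CACHE)
    print("cleartext management sessions:", cleartext_mgmt_flows(flows))
    print("top talkers (estimated packets):", top_talkers(flows))
    print("ICMP decode of port 771:", icmp_type_code(771))
```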