Cisco IOS Optimized Edge Routing Configuration Guide, Release 12.4

Cisco IOS Optimized Edge Routing
Configuration Guide
Release 12.4
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7817876=

Text Part Number: 78-17876-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work,
Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP,
CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital,
the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink,
Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo,
Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet,
The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the
United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco IOS Optimized Edge Routing Configuration Guide

© 2005–2006 Cisco Systems, Inc. All rights reserved.
CONTENTS
About Cisco IOS Software Documentation for Release 12.4 ix
Documentation Objectives ix
Audience ix
Documentation Organization for Cisco IOS Release 12.4 x
Document Conventions xvi
Obtaining Documentation xvii

Cisco.com xvii
Product Documentation DVD xviii
Ordering Documentation xviii
Documentation Feedback xviii
Cisco Product Security Overview xix

Reporting Security Problems in Cisco Products xix
Obtaining Technical Assistance xx

Cisco Technical Support & Documentation Website xx
Submitting a Service Request xx
Definitions of Service Request Severity xxi
Obtaining Additional Publications and Information xxi
Using Cisco IOS Software for Release 12.4 xxiii
Understanding Command Modes xxiii
Getting Help xxiv

Example: How to Find Command Options xxv
Using the no and default Forms of Commands xxviii
Saving Configuration Changes xxviii
Filtering Output from the show and more Commands xxix
Finding Additional Feature Support Information xxix
Cisco IOS Optimized Edge Routing Configuration 1
Contents 2
Prerequisites for Cisco IOS Optimized Edge Routing 2
Restrictions for Cisco IOS Optimized Edge Routing 2
Information About Cisco IOS Optimized Edge Routing 3

Cisco IOS Optimized Edge Routing Overview 4
Cisco IOS OER: A Typical Deployment 4

iii
Contents
Cisco IOS OER: Optimizes for Performance 5

Cisco IOS OER Network Components 6
Cisco IOS OER Network Components: Master Controller 6
Cisco IOS OER Network Components: Border Router 6
Cisco IOS OER Network Components: Interfaces 6
Cisco IOS OER Managed Network 8
Cisco IOS OER Managed Network: Central Policy Database 9
Cisco IOS OER Managed Network: Policy Enforcement Point 9
Cisco IOS OER Prefix Learning 9
Cisco IOS OER Prefix Learning: Automatic Prefix Learning 9
Cisco IOS OER Prefix Learning: Manually Selecting Prefixes 10
Cisco IOS OER Prefix Learning: Port and Protocol Based Prefix Learning 10
Cisco IOS OER Prefix Learning: Prefix Transition States 10
Cisco IOS OER Monitoring 11
Cisco IOS OER Monitoring: Passive Monitoring 11
Cisco IOS OER Monitoring: Active Monitoring 12
Cisco IOS OER Monitoring: Combined Monitoring 13
Cisco IOS OER Monitoring: Traceroute Reporting 13
Cisco IOS OER Modes of Operation 13
Cisco IOS OER Modes of Operation: Observe Mode 13
Cisco IOS OER Modes of Operation: Control Mode 14
Cisco IOS OER Routing Control 14
Cisco IOS OER Routing: Border Router Peering with the Internal Network 15
Cisco IOS OER Routing: BGP Peering 15
Cisco IOS OER Routing: BGP Redistribution into an IGP 15
Cisco IOS OER Routing: BGP Redistribution Based on the BGP Local-Preference Attribute 16
Cisco IOS OER Routing: Static Routing and Static Route Redistribution 16
Cisco IOS OER Routing: Injecting Split Prefixes 16
Cisco IOS OER Policy Configuration 16
Cisco IOS OER Policy Configuration: Prefix Policies 16
Cisco IOS OER Policy Configuration: Exit Link Policies 17
Cisco IOS OER Policy Configuration: Cost-Based Optimization 17
Cisco IOS OER Policy Configuration: Optimal Exit Link Selection 19
Cisco IOS OER Policy Configuration: Load Distribution 19
Cisco IOS OER Policy Configuration: Global Policies 19
Cisco IOS OER Policy Configuration: Applying Policies with an OER Map 19
Cisco IOS OER Policy Configuration: Resolving Policies 20
VPN IPSec/GRE Tunnel Interface Optimization 21
Cisco IOS OER Logging and Reporting 21
Cisco IOS OER Deployment Configurations 22

iv
Contents
How to Configure Cisco IOS Optimized Edge Routing 23

Minimum Master Controller Configuration 24
Master Controller 24
Disabling a Master Controller Process 24
Manual Port Configuration 24
Prerequisites 24
Restrictions 25
Examples 29
What to Do Next 29
Minimum Border Router Configuration 29
Border Router 29
Interface Configuration 30
Disabling a Border Router Process 30
Prerequisites 30
Restrictions 30
Examples 32
What to Do Next 33
Configuring Prefix Learning 33
Defaults 33
What to Do Next 36
Manually Selecting Prefixes for Monitoring 36
Manually Excluding Prefixes 36
OER Map Operation 37
Examples 38
What to Do Next 38
Configuring Active Probing 38
Active Probing over eBGP Peerings 39
ICMP Echo Probes 39
Defaults 39
Examples 40
What to Do Next 41
Configuring the Source Address of an Active Probe 41
Defaults 41
Example 42
What to Do Next 42
Configuring Traceroute Reporting 42
Defaults 43
Example 45
What to Do Next 45
Configuring Prefix and Exit Link Policies 45

v
Contents
Prefix Policies 45
Exit Link Policies 46
Adjusting Cisco IOS OER Timers 46
Examples 49
What to Do Next 49
Configuring Cost-Based Optimization 50
Examples 52
What to Do Next 52
Configuring Resolve Policies 52
Setting Variance for Resolve Policies 52
Examples 54
What to Do Next 54
Configuring Cisco IOS OER Modes of Operation 54
Observe Mode 54
Control Mode 54
Optimal Exit Link Selection 55
Examples 56
What to Do Next 56
Configuring OER Policies with an OER Map 56
OER Map Operation 56
IP Prefix Lists 57
Adjusting OER Timers 57
Examples 62
What to do Next 63
Configuring Policy Rules for OER Maps 63
Prerequisites 63
Examples 64
What to Do Next 64
Configuring iBGP Peering on the Border Routers 64
Prerequisites 65
Examples 66
What to Do Next 66
Configuring BGP Redistribution into an IGP on the Border Routers 67
Prerequisites 67
Restrictions 67
Examples 69
What to Do Next 70
Configuring Static Route Redistribution on the Border Routers 70
Prerequisites 71
Restrictions 71

vi
Contents
Examples 73
What to Do Next 73
Configuring Static Route Redistribution into EIGRP 73
Prerequisites 73
Restrictions 74
Examples 76
Configuring OER to Monitor and Control IPSec VPN Prefixes Over GRE Tunnels 76
Routing Prefixes that are Protected with IPSec over GRE Tunnels 77
GRE Tunnel Interfaces are Configured as OER Managed Exit Links 77
Prerequisites 77
Restrictions 77
Border Router Configuration 77
Examples 83
What to Do Next 83
Master Controller Configuration 84
Examples 85
Verifying Cisco IOS OER Configuration 85
Using Cisco IOS OER Clear Commands 88
Using Cisco IOS OER Debug Commands 89
Configuration Examples for Cisco IOS Optimized Edge Routing 91
Master Controller and Two Border Routers Deployment: Example 91
OER MC Configuration 91
BR 1 Configuration 92
Internal Peer Configuration 93
Master Controller and Border Router Deployed on a Single Router: Example 94
BR 1 Configuration: Master/Border with Load Distribution 94
Internal Peer Configuration 95
Configuring OER to Monitor and Control GRE/IPSec VPN Prefixes: Example 96
Central VPN Configuration: OER Master 96
Central VPN Configuration: BR1 97
Central VPN Configuration: BR 2 98
Central VPN Configuration: Internal Peers 99
!VPN A Configuration: MC/BR 99
VPN B Configuration: OER Master 101
VPN B Configuration: BR 1 101
VPN B Configuration: BR 2 102
VPN B Configuration: Internal Peers 103
Additional References 103

vii
Contents
Related Documents 103

Standards 104
MIBs 104
RFCs 104
Technical Assistance 104

viii
About Cisco IOS Software Documentation for
Release 12.4
This chapter describes the objectives, audience, organization, and conventions of Cisco IOS software
documentation. It also provides sources for obtaining documentation, technical assistance, and
additional publications and information from Cisco Systems. It contains the following sections:
• Documentation Objectives, page ix
• Audience, page ix
• Documentation Organization for Cisco IOS Release 12.4, page x
• Document Conventions, page xvi
• Obtaining Documentation, page xvii
• Documentation Feedback, page xviii
• Cisco Product Security Overview, page xix
• Obtaining Technical Assistance, page xx
• Obtaining Additional Publications and Information, page xxi
Documentation Objectives
Cisco IOS software documentation describes the tasks and commands available to configure and
maintain Cisco networking devices.
Audience
The Cisco IOS software documentation set is intended primarily for users who configure and maintain
Cisco networking devices (such as routers and switches) but who may not be familiar with the
configuration and maintenance tasks, the relationship among tasks, or the Cisco IOS software commands
necessary to perform particular tasks. The Cisco IOS software documentation set is also intended for
those users experienced with Cisco IOS software who need to know about new features, new
configuration options, and new software characteristics in the current Cisco IOS software release.

ix
About Cisco IOS Software Documentation for Release 12.4
Documentation Organization for Cisco IOS Release 12.4

The Cisco IOS Release 12.4 documentation set consists of the configuration guide and command
reference pairs listed in Table 1 and the supporting documents listed in Table 2. The configuration guides
and command references are organized by technology. For the configuration guides:
• Some technology documentation, such as that for DHCP, contains features introduced in
Releases 12.2T and 12.3T and, in some cases, Release 12.2S. To assist you in finding a particular
feature, a roadmap document is provided.
• Other technology documentation, such as that for OSPF, consists of a chapter and accompanying
Release 12.2T and 12.3T feature documents.
Note In some cases, information contained in Release 12.2T and 12.3T feature documents augments or
supersedes content in the accompanying documentation. Therefore it is important to review all
feature documents for a particular technology.
Table 1 lists the Cisco IOS Release 12.4 configuration guides and command references.
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References
Configuration Guide and Description

Command Reference Titles
IP
Cisco IOS IP Addressing Services The configuration guide is a task-oriented guide to configuring IP addressing and
Configuration Guide, Release 12.4 services, including Network Address Translation (NAT), Domain Name System
(DNS), and Dynamic Host Configuration Protocol (DHCP). The command
Cisco IOS IP Addressing Services
reference provides detailed information about the commands used in the
Command Reference, Release 12.4
configuration guide.
Cisco IOS IP Application Services The configuration guide is a task-oriented guide to configuring IP application
Configuration Guide, Release 12.4 services, including IP access lists, Web Cache Communication Protocol
(WCCP), Gateway Load Balancing Protocol (GLBP), Server Load Balancing
Cisco IOS IP Application Services
(SLB), Hot Standby Router Protocol (HSRP), and Virtual Router Redundancy
Protocol (VRRP). The command reference provides detailed information about
the commands used in the configuration guide.
Cisco IOS IP Mobility The configuration guide is a task-oriented guide to configuring Mobile IP and
Configuration Guide, Release 12.4 Cisco Mobile Networks. The command reference provides detailed information
about the commands used in the configuration guide.
Cisco IOS IP Mobility
Cisco IOS IP Multicast The configuration guide is a task-oriented guide to configuring IP multicast,
Configuration Guide, Release 12.4 including Protocol Independent Multicast (PIM), Internet Group Management
Protocol (IGMP), Distance Vector Multicast Routing Protocol (DVMRP), and
Cisco IOS IP Multicast
Multicast Source Discovery Protocol (MSDP). The command reference provides
detailed information about the commands used in the configuration guide.
Cisco IOS IP Routing Protocols The configuration guide is a task-oriented guide to configuring IP routing
Configuration Guide, Release 12.4 protocols, including Border Gateway Protocol (BGP), Intermediate
System-to-Intermediate System (IS-IS), and Open Shortest Path First (OSPF).
Cisco IOS IP Routing Protocols
The command reference provides detailed information about the commands used
in the configuration guide.

x
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References (continued)

Cisco IOS IP Switching The configuration guide is a task-oriented guide to configuring IP switching
Configuration Guide, Release 12.4 features, including Cisco Express Forwarding, fast switching, and Multicast
Distributed Switching (MDS). The command reference provides detailed
Cisco IOS IP Switching
information about the commands used in the configuration guide.
Cisco IOS IPv6 The configuration guide is a task-oriented guide to configuring IP version 6
Configuration Guide, Release 12.4 (IPv6), including IPv6 broadband access, IPv6 data-link layer, IPv6 multicast
routing, IPv6 quality of service (QoS), IPv6 routing, IPv6 services and
Cisco IOS IPv6
management, and IPv6 tunnel services. The command reference provides
Cisco IOS Optimized Edge Routing The configuration guide is a task-oriented guide to configuring Optimized Edge
Configuration Guide, Release 12.4 Routing (OER) features, including OER prefix learning, OER prefix monitoring,
OER operational modes, and OER policy configuration. The command reference
Cisco IOS Optimized Edge Routing
provides detailed information about the commands used in the configuration
guide.
Security and VPN
Cisco IOS Security The configuration guide is a task-oriented guide to configuring various aspects of
Configuration Guide, Release 12.4 security, including terminal access security, network access security, accounting,
traffic filters, router access, and network data encryption with router
Cisco IOS Security
authentication. The command reference provides detailed information about the
commands used in the configuration guide.
QoS
Cisco IOS Quality of Service Solutions The configuration guide is a task-oriented guide to configuring quality of service
Configuration Guide, Release 12.4 (QoS) features, including traffic classification and marking, traffic policing and
shaping, congestion management, congestion avoidance, and signaling. The
Cisco IOS Quality of Service Solutions
command reference provides detailed information about the commands used in
the configuration guide.
LAN Switching
Cisco IOS LAN Switching The configuration guide is a task-oriented guide to local-area network (LAN)
Configuration Guide, Release 12.4 switching features, including configuring routing between virtual LANs
(VLANs) using Inter-Switch Link (ISL) encapsulation, IEEE 802.10
Cisco IOS LAN Switching
encapsulation, and IEEE 802.1Q encapsulation. The command reference
guide.
Multiprotocol Label Switching (MPLS)
Cisco IOS Multiprotocol Label Switching The configuration guide is a task-oriented guide to configuring Multiprotocol
Configuration Guide, Release 12.4 Label Switching (MPLS), including MPLS Label Distribution Protocol, MPLS
traffic engineering, and MPLS Virtual Private Networks (VPNs). The command
Cisco IOS Multiprotocol Label Switching
Network Management
Cisco IOS IP SLAs The configuration guide is a task-oriented guide to configuring the Cisco IOS IP
Configuration Guide, Release 12.4 Service Level Assurances (IP SLAs) feature. The command reference provides
Cisco IOS IP SLAs

xi

Cisco IOS NetFlow The configuration guide is a task-oriented guide to NetFlow features, including
Configuration Guide, Release 12.4 configuring NetFlow to analyze network traffic data, configuring NetFlow
aggregation caches and export features, and configuring Simple Network
Cisco IOS NetFlow
Management Protocol (SNMP) and NetFlow MIB features. The command
Cisco IOS Network Management The configuration guide is a task-oriented guide to network management
Configuration Guide, Release 12.4 features, including performing basic system management, performing
troubleshooting and fault management, configuring Cisco Discovery Protocol,
Cisco IOS Network Management
configuring Cisco Networking Services (CNS), configuring DistributedDirector,
and configuring Simple Network Management Protocol (SNMP). The command
Voice
Cisco IOS Voice The configuration library is a task-oriented collection of configuration guides,
Configuration Library, Release 12.4 application guides, a troubleshooting guide, feature documents, a library preface, a
voice glossary, and more. It also covers Cisco IOS support for voice call control
Cisco IOS Voice
protocols, interoperability, physical and virtual interface management, and
troubleshooting. In addition, the library includes documentation for IP telephony
applications. The command reference provides detailed information about the
commands used in the configuration library.
Wireless/Mobility
Cisco IOS Mobile Wireless The configuration guide is a task-oriented guide to understanding and configuring a
Gateway GPRS Support Node Cisco IOS Gateway GPRS Support Node (GGSN) in a 2.5G General Packet Radio
Configuration Guide, Release 12.4 Service (GPRS) and 3G Universal Mobile Telecommunication System (UMTS)
network. The command reference provides detailed information about the
Cisco IOS Mobile Wireless
Gateway GPRS Support Node
Cisco IOS Mobile Wireless The configuration guide is a task-oriented guide to understanding and configuring the
Home Agent Cisco Mobile Wireless Home Agent, which is an anchor point for mobile terminals
Configuration Guide, Release 12.4 for which Mobile IP or Proxy Mobile IP services are provided. The command
Home Agent
Cisco IOS Mobile Wireless The configuration guide is a task-oriented guide to understanding and configuring the
Packet Data Serving Node Cisco Packet Data Serving Node (PDSN), a wireless gateway between the mobile
Configuration Guide, Release 12.4 infrastructure and standard IP networks that enables packet data services in a Code
Division Multiple Access (CDMA) environment. The command reference provides
Packet Data Serving Node

xii

Cisco IOS Mobile Wireless The configuration guide is a task-oriented guide to understanding and
Radio Access Networking configuring Cisco IOS Radio Access Network products. The command reference
Configuration Guide, Release 12.4 provides detailed information about the commands used in the configuration
guide.
Radio Access Networking
Long Reach Ethernet (LRE) and Digital Subscriber Line (xDSL)
Cisco IOS Broadband and DSL The configuration guide is a task-oriented guide to configuring broadband access
Configuration Guide, Release 12.4 aggregation and digital subscriber line features. The command reference
Cisco IOS Broadband and DSL
guide.
Cisco IOS Service Selection Gateway The configuration guide is a task-oriented guide to configuring Service Selection
Configuration Guide, Release 12.4 Gateway (SSG) features, including subscriber authentication, service access, and
accounting. The command reference provides detailed information about the
Cisco IOS Service Selection Gateway
Dial—Access
Cisco IOS Dial Technologies The configuration guide is a task-oriented guide to configuring lines, modems,
Configuration Guide, Release 12.4 and ISDN services. This guide also contains information about configuring
dialup solutions, including solutions for remote sites dialing in to a central office,
Cisco IOS Dial Technologies
Internet service providers (ISPs), ISP customers at home offices, enterprise WAN
system administrators implementing dial-on-demand routing, and other
corporate environments. The command reference provides detailed information
about the commands used in the configuration guide.
Cisco IOS VPDN The configuration guide is a task-oriented guide to configuring Virtual Private
Configuration Guide, Release 12.4 Dialup Networks (VPDNs), including information about Layer 2 tunneling
protocols, client-initiated VPDN tunneling, NAS-initiated VPDN tunneling, and
Cisco IOS VPDN
multihop VPDN. The command reference provides detailed information about
the commands used in the configuration guide.
Asynchronous Transfer Mode (ATM)
Cisco IOS Asynchronous Transfer Mode The configuration guide is a task-oriented guide to configuring Asynchronous
Configuration Guide, Release 12.4 Transfer Mode (ATM), including WAN ATM, LAN ATM, and multiprotocol over
ATM (MPOA). The command reference provides detailed information about the
Cisco IOS Asynchronous Transfer Mode
WAN
Cisco IOS Wide-Area Networking The configuration guide is a task-oriented guide to configuring wide-area
Configuration Guide, Release 12.4 network (WAN) features, including Layer 2 Tunneling Protocol Version 3
(L2TPv3); Frame Relay; Link Access Procedure, Balanced (LAPB); and X.25.
Cisco IOS Wide-Area Networking
The command reference provides detailed information about the commands used
in the configuration guide.

xiii

System Management
Cisco IOS Configuration Fundamentals The configuration guide is a task-oriented guide to using Cisco IOS software to
Configuration Guide, Release 12.4 configure and maintain Cisco routers and access servers, including information
about using the Cisco IOS command-line interface (CLI), loading and
Cisco IOS Configuration Fundamentals
maintaining system images, using the Cisco IOS file system, using the Cisco IOS
Web browser user interface (UI), and configuring basic file transfer services. The
command reference provides detailed information about the commands used in
the configuration guide.
Cisco IOS The configuration guide is a task-oriented guide to configuring and managing
Interface and Hardware Component interfaces and hardware components, including dial shelves, LAN interfaces,
Configuration Guide, Release 12.4 logical interfaces, serial interfaces, and virtual interfaces. The command
Cisco IOS
Interface and Hardware Component
IBM Technologies
Cisco IOS Bridging and IBM Networking The configuration guide is a task-oriented guide to configuring:
Configuration Guide, Release 12.4
• Bridging features, including transparent and source-route transparent (SRT)
Cisco IOS Bridging bridging, source-route bridging (SRB), Token Ring Inter-Switch Link
Command Reference, Release 12.4 (TRISL), and Token Ring Route Switch Module (TRRSM).
Cisco IOS IBM Networking • IBM network features, including data-link switching plus (DLSw+), serial
Command Reference, Release 12.4 tunnel (STUN), and block serial tunnel (BSTUN); Logical Link Control,
type 2 (LLC2), and Synchronous Data Link Control (SDLC); IBM Network
Media Translation, including SDLC Logical Link Control (SDLLC) and
Qualified Logical Link Control (QLLC); downstream physical unit (DSPU),
Systems Network Architecture (SNA) service point, SNA Frame Relay
Access, Advanced Peer-to-Peer Networking (APPN), native client interface
architecture (NCIA) client/server topologies, and IBM Channel Attach.
The two command references provide detailed information about the commands
used in the configuration guide.
Additional and Legacy Protocols
Cisco IOS AppleTalk The configuration guide is a task-oriented guide to configuring the AppleTalk
Configuration Guide, Release 12.4 protocol. The command reference provides detailed information about the
Cisco IOS AppleTalk
Cisco IOS DECnet The configuration guide is a task-oriented guide to configuring the DECnet
Configuration Guide, Release 12.4 protocol. The command reference provides detailed information about the
Cisco IOS DECnet
Cisco IOS ISO CLNS The configuration guide is a task-oriented guide to configuring International
Configuration Guide, Release 12.4 Organization for Standardization (ISO) Connectionless Network Service
(CLNS). The command reference provides detailed information about the
Cisco IOS ISO CLNS

xiv

Cisco IOS Novell IPX The configuration guide is a task-oriented guide to configuring the Novell
Configuration Guide, Release 12.4 Internetwork Packet Exchange (IPX) protocol. The command reference provides
Cisco IOS Novell IPX
Cisco IOS Terminal Services The configuration guide is a task-oriented guide to configuring terminal services,
Configuration Guide, Release 12.4 including DEC, local-area transport (LAT), and X.25 packet
assembler/disassembler (PAD). The command reference provides detailed
Cisco IOS Terminal Services
information about the commands used in the configuration guide.
Table 2 lists the documents and resources that support the Cisco IOS Release 12.4 software
configuration guides and command references.
Table 2 Cisco IOS Release 12.4 Supporting Documents and Resources
Document Title Description

Cisco IOS Master Commands List, An alphabetical listing of all the commands documented in the Cisco IOS
Release 12.4 Release 12.4 command references.
Cisco IOS New, Modified, Replaced, A listing of all the new, modified, replaced and removed commands since
and Removed Commands, Release 12.4 Cisco IOS Release 12.3, grouped by Release 12.3T maintenance release and
ordered alphabetically within each group.
Cisco IOS New and Modified A listing of all the new, modified, and replaced commands since Cisco IOS
Commands, Release 12.3 Release 12.2, grouped by Release 12.2T maintenance release and ordered
alphabetically within each group.
Cisco IOS System Messages, Listings and descriptions of Cisco IOS system messages. Not all system messages
Volume 1 of 2 indicate problems with your system. Some are purely informational, and others
may help diagnose problems with communications lines, internal hardware, or the
Cisco IOS System Messages,
system software.
Volume 2 of 2
Cisco IOS Debug Command Reference, An alphabetical listing of the debug commands and their descriptions.
Release 12.4 Documentation for each command includes a brief description of its use, command
syntax, and usage guidelines.
Release Notes, Release 12.4 A description of general release information, including information about
supported platforms, feature sets, platform-specific notes, and Cisco IOS software
defects.
Internetworking Terms and Acronyms Compilation and definitions of the terms and acronyms used in the internetworking
industry.

xv
Document Conventions
Table 2 Cisco IOS Release 12.4 Supporting Documents and Resources (continued)
Document Title Description

RFCs RFCs are standards documents maintained by the Internet Engineering Task Force
(IETF). Cisco IOS software documentation references supported RFCs when
applicable. The full text of referenced RFCs may be obtained at the following URL:
http://www.rfc-editor.org/
MIBs MIBs are used for network monitoring. To locate and download MIBs for selected
platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the
following URL:
http://www.cisco.com/go/mibs
Document Conventions
Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco
products (for example, routers, access servers, and switches). Routers, access servers, and other
networking devices that support Cisco IOS software are shown interchangeably within examples. These
products are used only for illustrative purposes; that is, an example that shows one product does not
necessarily indicate that other products are not supported.
The Cisco IOS documentation set uses the following conventions:
Convention Description
^ or Ctrl The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D
means hold down the Control key while you press the D key. Keys are indicated in capital letters but
are not case sensitive.
string A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP
community string to public, do not use quotation marks around the string or the string will include the
quotation marks.
Command syntax descriptions use the following conventions:
bold Bold text indicates commands and keywords that you enter literally as shown.
italics Italic text indicates arguments for which you supply values.
[x] Square brackets enclose an optional element (keyword or argument).
| A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y] Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional
choice.
{x | y} Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.

xvi
Obtaining Documentation
Nested sets of square brackets or braces indicate optional or required choices within optional or required
elements. For example:
[x {y | z}] Braces and a vertical line within square brackets indicate a required choice within an optional element.
Examples use the following conventions:
screen Examples of information displayed on the screen are set in Courier font.
bold screen Examples of text that you must enter are set in Courier bold font.
< > Angle brackets enclose text that is not printed to the screen, such as passwords, and are used in
contexts in which the italic document convention is not available, such as ASCII text.
! An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also
displayed by the Cisco IOS software for certain processes.)
[ ] Square brackets enclose default responses to system prompts.
The following conventions are used to attract the attention of the reader:
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Note Means reader take note. Notes contain suggestions or references to material not covered in the
manual.
Timesaver Means the described action saves time. You can save time by performing the action described in the
paragraph.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation and technical support at this URL:
http://www.cisco.com/techsupport

xvii
Documentation Feedback
You can access the Cisco website at this URL:

http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD

Cisco documentation and additional literature are available in the Product Documentation DVD package,
which may have shipped with your product. The Product Documentation DVD is updated regularly and
may be more current than printed documentation.
The Product Documentation DVD is a comprehensive library of technical product documentation on
portable media. The DVD enables you to access multiple versions of hardware and software installation,
configuration, and command guides for Cisco products and to view technical documentation in HTML.
With the DVD, you have access to the same documentation that is found on the Cisco website without
being connected to the Internet. Certain products also have .pdf versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com
users (Cisco direct customers) can order a Product Documentation DVD (product number
DOC-DOCDVD=) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product
Documentation Store in the Cisco Marketplace at this URL:
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

xviii
Cisco Product Security Overview
Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them,
and we strive to correct all vulnerabilities quickly. If you think that you might have identified a
vulnerability in a Cisco product, contact PSIRT:
• Emergencies — security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which
a severe and urgent security vulnerability should be reported. All other conditions are considered
nonemergencies.
• Nonemergencies — psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.

xix
Obtaining Technical Assistance
Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The
Cisco Technical Support & Documentation website on Cisco.com features extensive online support
resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center
(TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact
your reseller.
Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for
troubleshooting and resolving technical issues with Cisco products and technologies. The website is
available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user
ID and password. If you have a valid service contract but do not have a user ID or password, you can
register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link. Choose Cisco Product Identification
Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link
under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree
view; or for certain products, by copying and pasting show command output. Search results show an
illustration of your product with the serial number label location highlighted. Locate the serial number
label on your product and record the information before placing a service call.
Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

xx
Obtaining Additional Publications and Information
For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You
and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operation are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.

Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo
merchandise. Visit Cisco Marketplace, the company store, at this URL:
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
technology breakthroughs, and Cisco products and solutions, as well as network deployment and
troubleshooting tips, configuration examples, customer case studies, certification and training
information, and links to scores of in-depth online resources. You can access Packet magazine at
this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies
learn how they can use technology to increase revenue, streamline their business, and expand
services. The publication identifies the challenges facing these companies and the technologies to
help solve them, using real-world case studies and business strategies to help readers make sound
technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/

xxi
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• Networking products offered by Cisco Systems, as well as customer support services, can be
obtained at this URL:
http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website for networking professionals to share
questions, suggestions, and information about networking products and technologies with Cisco
experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html

xxii
Using Cisco IOS Software for Release 12.4
This chapter provides tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI). It contains the following sections:
• Understanding Command Modes, page xxiii
• Getting Help, page xxiv
• Using the no and default Forms of Commands, page xxviii
• Saving Configuration Changes, page xxviii
• Filtering Output from the show and more Commands, page xxix
• Finding Additional Feature Support Information, page xxix
For an overview of Cisco IOS software configuration, see the Cisco IOS Configuration Fundamentals
Configuration Guide.
For information on the conventions used in the Cisco IOS software documentation set, see the “About
Cisco IOS Software Documentation for Release 12.4” chapter.
Understanding Command Modes

You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes,
the commands available to you at any given time depend on the mode that you are currently in. Entering
a question mark (?) at the CLI prompt allows you to obtain a list of commands available for each
command mode.
When you log in to a Cisco device, the device is initially in user EXEC mode. User EXEC mode contains
only a limited subset of commands. To have access to all commands, you must enter privileged EXEC
mode by entering the enable command and a password (when required). From privileged EXEC mode
you have access to both user EXEC and privileged EXEC commands. Most EXEC commands are used
independently to observe status or to perform a specific function. For example, show commands are used
to display important status information, and clear commands allow you to reset counters or interfaces.
The EXEC commands are not saved when the software reboots.
Configuration modes allow you to make changes to the running configuration. If you later save the
running configuration to the startup configuration, these changed commands are stored when the
software is rebooted. To enter specific configuration modes, you must start at global configuration mode.
From global configuration mode, you can enter interface configuration mode and a variety of other
modes, such as protocol-specific modes.

xxiii
Getting Help
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup,
the software might enter ROM monitor mode.
Table 1 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode.
Table 1 Accessing and Exiting Command Modes
Command Access Method Prompt Exit Method

Mode
User EXEC Log in. Router> Use the logout command.
Privileged From user EXEC mode, Router# To return to user EXEC mode, use the disable
EXEC use the enable command. command.
Global From privileged EXEC Router(config)# To return to privileged EXEC mode from global
configuration mode, use the configure configuration mode, use the exit or end command.
terminal command.
Interface From global Router(config-if)# To return to global configuration mode, use the exit
configuration configuration mode, command.
specify an interface using To return to privileged EXEC mode, use the end
an interface command. command.
ROM monitor From privileged EXEC > To exit ROM monitor mode, use the continue
mode, use the reload command.
command. Press the
Break key during the
first 60 seconds while the
system is booting.
For more information on command modes, see the “Using the Cisco IOS Command-Line Interface”
chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:
Command Purpose
help Provides a brief description of the help system in any command mode.
abbreviated-command-entry? Provides a list of commands that begin with a particular character string. (No space
between command and question mark.)
abbreviated-command-entry<Tab> Completes a partial command name.

xxiv
Getting Help
Command Purpose
? Lists all commands available for a particular command mode.
command ? Lists the keywords or arguments that you must enter next on the command line.
(Space between command and question mark.)
Example: How to Find Command Options

This section provides an example of how to display syntax for a command. The syntax can consist of
optional or required keywords and arguments. To display keywords and arguments for a command, enter
a question mark (?) at the configuration prompt or after entering part of a command followed by a space.
The Cisco IOS software displays a list and brief description of available keywords and arguments. For
example, if you were in global configuration mode and wanted to see all the keywords or arguments for
the arap command, you would type arap ?.
The <cr> symbol in command help output stands for “carriage return.” On older keyboards, the carriage
return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The
<cr> symbol at the end of command help output indicates that you have the option to press Enter to
complete the command and that the arguments and keywords in the list preceding the <cr> symbol are
optional. The <cr> symbol by itself indicates that no more arguments or keywords are available and that
you must press Enter to complete the command.
Table 2 shows examples of how you can use the question mark (?) to assist you in entering commands.
The table steps you through configuring an IP address on a serial interface on a Cisco 7206 router that
is running Cisco IOS Release 12.0(3).
Table 2 How to Find Command Options
Command Comment
Router> enable Enter the enable command and
Password: <password> password to access privileged EXEC
Router#
commands. You are in privileged
EXEC mode when the prompt changes
to Router#.
Router# configure terminal Enter the configure terminal
Enter configuration commands, one per line. End with CNTL/Z. privileged EXEC command to enter
Router(config)#
global configuration mode. You are in
global configuration mode when the
prompt changes to Router(config)#.

xxv
Getting Help
Table 2 How to Find Command Options (continued)
Command Comment
Router(config)# interface serial ? Enter interface configuration mode by
<0-6> Serial interface number specifying the serial interface that you
Router(config)# interface serial 4 ?
/
want to configure using the interface
Router(config)# interface serial 4/ ? serial global configuration command.
<0-3> Serial interface number
Enter ? to display what you must enter
Router(config)# interface serial 4/0 ?
<cr> next on the command line. In this
Router(config)# interface serial 4/0 example, you must enter the serial
Router(config-if)# interface slot number and port number,
separated by a forward slash.
When the <cr> symbol is displayed,
you can press Enter to complete the
command.
You are in interface configuration mode
when the prompt changes to
Router(config-if)#.
Router(config-if)# ? Enter ? to display a list of all the
Interface configuration commands: interface configuration commands
.
.
available for the serial interface. This
. example shows only some of the
ip Interface Internet Protocol config commands available interface configuration
keepalive Enable keepalive commands.
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an
interface
locaddr-priority Assign a priority group
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
mls mls router sub/interface commands
mpoa MPOA interface configuration commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable
name-caching
no Negate a command or set its defaults
nrzi-encoding Enable use of NRZI encoding
ntp Configure NTP
.
.
.
Router(config-if)#

xxvi
Getting Help
Command Comment
Router(config-if)# ip ? Enter the command that you want to
Interface IP configuration subcommands: configure for the interface. This
access-group Specify access control for packets
accounting Enable IP accounting on this interface
example uses the ip command.
address Set the IP address of an interface Enter ? to display what you must enter
authentication authentication subcommands
next on the command line. This
bandwidth-percent Set EIGRP bandwidth limit
broadcast-address Set the broadcast address of an interface example shows only some of the
cgmp Enable/disable CGMP available interface IP configuration
directed-broadcast Enable forwarding of directed broadcasts commands.
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip
Router(config-if)# ip address ? Enter the command that you want to
A.B.C.D IP address configure for the interface. This
negotiated IP Address negotiated over PPP
Router(config-if)# ip address
example uses the ip address command.
next on the command line. In this
example, you must enter an IP address
or the negotiated keyword.
A carriage return (<cr>) is not
displayed; therefore, you must enter
additional keywords or arguments to
complete the command.
Router(config-if)# ip address 172.16.0.1 ? Enter the keyword or argument that you
A.B.C.D IP subnet mask want to use. This example uses the
Router(config-if)# ip address 172.16.0.1
172.16.0.1 IP address.
example, you must enter an IP subnet
mask.
A <cr> is not displayed; therefore, you
must enter additional keywords or
arguments to complete the command.

xxvii
Using the no and default Forms of Commands
Command Comment
Router(config-if)# ip address 172.16.0.1 255.255.255.0 ? Enter the IP subnet mask. This example
secondary Make this IP address a secondary address uses the 255.255.255.0 IP subnet mask.
<cr>
Router(config-if)# ip address 172.16.0.1 255.255.255.0 Enter ? to display what you must enter
example, you can enter the secondary
keyword, or you can press Enter.
A <cr> is displayed; you can press
Enter to complete the command, or
you can enter another keyword.
Router(config-if)# ip address 172.16.0.1 255.255.255.0 In this example, Enter is pressed to
Router(config-if)# complete the command.
Using the no and default Forms of Commands

Almost every configuration command has a no form. In general, use the no form to disable a function.
Use the command without the no keyword to reenable a disabled function or to enable a function that is
disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip
routing command; to reenable IP routing, use the ip routing command. The Cisco IOS software
command reference publications provide the complete syntax for the configuration commands and
describe what the no form of a command does.
Configuration commands can also have a default form, which returns the command settings to the
default values. Most commands are disabled by default, so in such cases using the default form has the
same result as using the no form of the command. However, some commands are enabled by default and
have variables set to certain default values. In these cases, the default form of the command enables the
command and sets the variables to their default values. The Cisco IOS software command reference
publications describe the effect of the default form of a command if the command functions differently
than the no form.
Saving Configuration Changes

Use the copy system:running-config nvram:startup-config command or the copy running-config
startup-config command to save your configuration changes to the startup configuration so that the
changes will not be lost if the software reloads or a power outage occurs. For example:
Router# copy system:running-config nvram:startup-config
Building configuration...
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this task saves the configuration to NVRAM. On the Class A flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.

xxviii
Filtering Output from the show and more Commands
Filtering Output from the show and more Commands

You can search and filter the output of show and more commands. This functionality is useful if you
need to sort through large amounts of output or if you want to exclude output that you need not see.
To use this functionality, enter a show or more command followed by the “pipe” character (|); one of the
keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the
expression is case-sensitive):
command | {begin | include | exclude} regular-expression
The output matches certain lines of information in the configuration file. The following example
illustrates how to use output modifiers with the show interface command when you want the output to
include only lines in which the expression “protocol” appears:
Router# show interface | include protocol
FastEthernet0/0 is up, line protocol is up

Serial4/0 is up, line protocol is up
Serial4/1 is up, line protocol is up
Serial4/2 is administratively down, line protocol is down
Serial4/3 is administratively down, line protocol is down
For more information on the search and filter functionality, see the “Using the Cisco IOS Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
Finding Additional Feature Support Information

If you want to use a specific Cisco IOS software feature, you will need to determine in which Cisco IOS
software images that feature is supported. Feature support in Cisco IOS software images depends on
three main factors: the software version (called the “Release”), the hardware model (the “Platform” or
“Series”), and the “Feature Set” (collection of specific features designed for a certain network
environment). Although the Cisco IOS software documentation set documents feature support
information for Release 12.4 as a whole, it does not generally provide specific hardware and feature set
information.
To determine the correct combination of Release (software version), Platform (hardware version), and
Feature Set needed to run a particular feature (or any combination of features), use Feature Navigator.
Use Cisco Feature Navigator to find information about platform support and software image support.
Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images
support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Software features may also have additional limitations or restrictions. For example, a minimum amount
of system memory may be required. Or there may be known issues for features on certain platforms that
have not yet been resolved (called “Caveats”). For the latest information about these limitations, see the
release notes for the appropriate Cisco IOS software release. Release notes provide detailed installation
instructions, new feature descriptions, system requirements, limitations and restrictions, caveats, and
troubleshooting information for a particular software release.

xxix
Finding Additional Feature Support Information

xxx
Cisco IOS Optimized Edge Routing Configuration
Cisco IOS Optimized Edge Routing (OER) provides automatic route optimization and load distribution
for multiple ISP and WAN connections. Cisco IOS OER is an integrated Cisco IOS solution that allows
you to monitor IP traffic flows and then define policies and rules based on prefix performance, link load
distribution, link cost, and traffic type. Cisco IOS OER provides active and passive monitoring systems,
dynamic failure detection, and automatic path correction. Deploying Cisco IOS OER enables intelligent
load distribution and optimal route selection in an enterprise network.
Feature History for Optimized Edge Routing

Release Modification
12.3(8)T This feature was introduced.
12.3(11)T Support for the following features was integrated into Cisco IOS Release
12.3(11)T:
• Port and Protocol Based Prefix Learning allows you to configure a
master controller to learn prefixes based on the protocol type and TCP
or UDP port number.
• VPN IPSec/GRE Tunnel Optimization introduces the capability to
configure IPSec/GRE tunnel interfaces as OER managed exit links.
Only network based IPSec VPNs are supported.
12.3(14)T Support for the following feature was integrated into Cisco IOS Release
12.3(14)T:
• OER Support for Cost-Based Optimization and Traceroute Reporting
introduces the capability to configure exit link policies based monetary
cost and the capability to configure traceroute probes to determine
prefix characteristics on a hop-by-hop basis.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.

78-17876-01 1
Contents
Contents
• Prerequisites for Cisco IOS Optimized Edge Routing, page 2
• Restrictions for Cisco IOS Optimized Edge Routing, page 2
• Information About Cisco IOS Optimized Edge Routing, page 3
• How to Configure Cisco IOS Optimized Edge Routing, page 23
• Configuration Examples for Cisco IOS Optimized Edge Routing, page 91
• Additional References, page 103
Prerequisites for Cisco IOS Optimized Edge Routing

• Cisco Express Forwarding (CEF) must be enabled on all participating routers.
• Cisco IOS OER can be deployed on a single router. The router must have at least two egress
interfaces that can carry outbound traffic and can be configured as OER managed exit links. These
interfaces should connect to an ISP or be WAN connections (Frame-Relay, ATM, etc) at the edge of
the enterprise network.
• The master controller should be deployed close to the border routers to minimize the communication
response time between these devices. All border routers must be reachable by the master controller.
The border routers should be close to each other in terms of hops and throughput.
• Routing protocol peering must be established in your network or static routing must be configured
before Cisco IOS OER is deployed.
If you have configured internal BGP (iBGP) on the border routers, iBGP peering must be established
and consistently applied throughout your network.
If an IGP is deployed in your network, static route redistribution must be configured with the
redistribute static command. Interior Gateway Protocol (IGP) or static routing should also be
applied consistently throughout an OER managed network; the border router should have a
consistent view of the network.
Restrictions for Cisco IOS Optimized Edge Routing

• Cisco IOS OER does not influence or control inter-domain routing or interfaces that are not under
OER control, and Cisco IOS OER does not influence asymmetrical routing.
• Cisco IOS OER passively monitors TCP traffic flows for IP traffic. Passive monitoring of non-TCP
sessions is not supported.
• Cisco IOS OER can be configured to monitor and control outbound traffic only.
• Cisco IOS OER supports only IPSec/GRE VPNs. No other VPN types are supported.
• When two or more border routers are deployed in an OER managed network, the next hop on each
border router, as installed in the Routing Information Base (RIB), cannot be an address from the
same subnet as the next hop on the other border router.
• Interfaces that are configured to be under OER control can also carry multicast traffic. However, if
the source of the multicast traffic comes from outside of the OER managed network and inbound
multicast traffic is carried over OER managed exit links, the source multicast address should be
excluded from OER control.

2 78-17876-01
Information About Cisco IOS Optimized Edge Routing
• Internet exchange points where a border router can communicate with several service providers over
the same broadcast media are not supported.
• Token Ring interfaces are not supported by Cisco IOS OER and cannot be configured as OER
managed interfaces. It may be possible to load a Token Ring interface configuration under certain
conditions. However, the Token Ring interface will not become active and the border router will not
function if the Token Ring interface is the only external interface on the border router.

To configure Cisco IOS Optimized Edge Routing (OER), you should understand the following concepts
• Cisco IOS Optimized Edge Routing Overview, page 4
• Cisco IOS OER Network Components, page 6
• Cisco IOS OER Managed Network, page 8
• Cisco IOS OER Prefix Learning, page 9
• Cisco IOS OER Monitoring, page 11
• Cisco IOS OER Modes of Operation, page 13
• Cisco IOS OER Routing Control, page 14
• Cisco IOS OER Policy Configuration, page 16
• VPN IPSec/GRE Tunnel Interface Optimization, page 21
• Cisco IOS OER Logging and Reporting, page 21
• Cisco IOS OER Deployment Configurations, page 22

78-17876-01 3
Cisco IOS Optimized Edge Routing Overview

Enterprise networks use multiple ISP or WAN connections for reliability and load distribution. Existing
reliability mechanisms depend on link state or route removal on the border router to select a better exit
link for a prefix or set of prefixes. Multiple connections protect enterprise networks from catastrophic
failures but do not protect the network from “brown outs” or soft failures that occur due to network
congestion. Existing mechanisms can respond to catastrophic failures at the first indication of a problem.
However, black outs and brown outs can go undetected and often require the network operator to take
action to resolve the problem. When a packet is transmitted between external networks (nationally or
globally), the packet spends the vast majority its life cycle on the WAN segments of the network.
Optimizing WAN route selection in the enterprise network provides the end-user with the greatest
performance improvement, even better than LAN speed improvements in the local network.
Cisco IOS OER is implemented in Cisco IOS software as an integrated part of Cisco core routing
functionality. Deploying Cisco IOS OER enables intelligent network traffic load distribution and
dynamic failure detection for data paths at the wide-area network (WAN) edge. While other routing
mechanisms can provide both load distribution and failure mitigation, Cisco IOS OER is unique in that
it can make routing adjustments based on criteria other than static routing metrics, such as response time,
packet loss, path availability, and traffic load distribution. Deploying Cisco IOS OER allows you to
optimize network performance and link load utilization while minimizing bandwidth costs and reducing
operational expenses.
Cisco IOS OER: A Typical Deployment

Figure 1 shows a Cisco IOS OER managed enterprise network of a content provider. The enterprise
network has three exit interfaces that are used to deliver content to customer access networks. The
content provider has a separate service level agreement (SLA) with a different ISP for each exit link. The
customer access network has two edge routers that connect to the Internet. Traffic is carried between the
enterprise network and the customer access network over six service provider (SP) networks.
Figure 1 A Typical Cisco IOS Optimized Edge Routing Deployment
BR1
SLA A
Master
Master
Controller
Controller
SP A SP B CR1
BR2
Customer
eBGP
access
CR2
SLA B Client(s)
SP C SP D SP E
Server(s)
BR3 Content
iBGP and/or Consumer
EIGRP, IS-IS, SLA C
OSPF, RIP
SP F
117546
Enterprise/Content Transit
Provider Service Providers
Cisco IOS OER monitors and controls outbound traffic on the three border routers (BRs). It measures
the packet response time and path availability from the egress interfaces on BR1, BR2 and BR3. Changes
to exit link performance on the border routers are detected on a per-prefix basis. If the performance of a

4 78-17876-01
prefix falls below default or user-defined policy parameters, routing is altered locally in the enterprise
network to optimize performance and to route around failure conditions that occur outside of the
enterprise network. For example, an interface failure or network misconfiguration in the SP D network
can cause outbound traffic that is carried over the BR2 exit interface to become congested or fail to reach
the customer access network. Traditional routing mechanisms cannot anticipate or resolve these types of
problem without intervention by the network operator. Cisco IOS OER can detect failure conditions and
alter routing inside of the network to compensate.
Cisco IOS OER: Optimizes for Performance

Traditional routing mechanisms rely upon reachability information to make routing decisions but cannot
enforce performance policies. Cisco IOS OER optimizes routing to improve performance in the
enterprise network. Prefix policies are defined to control the performance of a single prefix or a prefix
range. You can configure Cisco IOS OER to monitor and control the performance of a single host route
or routes from an entire network. Exit link policies are defined to control the performance of exit
interfaces in an OER managed network. Performance policies can be defined for a single exit link or all
exit links in the OER managed network.
Figure 2 shows a Cisco IOS OER managed enterprise network of a content provider. This figure shows
that delay measurements are collected for monitored prefixes on the border routers. These statistics are
collected by the border routers an then transmitted to the master controller.
Figure 2 Cisco IOS OER Optimizes for Performance
BR1
SLA A 200ms
Master
Master
Controller
Controller
SP A SP B CR1
BR2
Customer
eBGP
access
CR2
SP C SP D SP E Client(s)
SLA B
Server(s)
BR3 250ms
iBGP and/or Content
EIGRP, IS-IS, SLA C
Consumer
OSPF, RIP
SP F
117770
Enterprise/Content Transit
Provider Service Providers
For example, if a performance policy is defined that sets the delay threshold for a group of prefixes to
less than or equal to 200 milliseconds (ms), as shown in Figure 2. Prefixes with a slower round-trip
response time (or longer delay) will be considered to be out-of-policy. Routing is locally altered to bring
the prefix to an in-policy state. In Figure 2, out-of-policy prefixes that use exit links on BR3 will be
moved to BR1.
The master controller monitors prefixes and exit links on the border routers. This allows the master
controller to measure performance and detect failure conditions that occur outside of the network. When
the master controller detects a performance change that brings a prefix out of policy, the master

78-17876-01 5
controller sends commands to the border routers to dynamically alter routing inside of the enterprise
network to bring prefix performance back within default or user-defined policy. If all prefixes and exit
links are in policy, the master controller continues to monitor the network and does not take any action.
Cisco IOS OER Network Components

Cisco IOS OER is configured on Cisco routers though standard Cisco IOS CLI configuration. An OER
deployment has two primary components — a master controller and one or more border routers. The
master controller is the intelligent decision maker, while the border routers are enterprise edge routers
with exit interfaces that are used to access the Internet or used as WAN exit links.
Cisco IOS OER Network Components: Master Controller

The master controller is a single router that coordinates all OER functions within an OER managed
network. A Cisco router can be configured to run a stand-alone master controller process or can also be
configured to perform other functions, such as routing or running a border router process. The master
controller maintains communication and authenticates the sessions with the border routers. The master
controller monitors outbound traffic flows using active or passive monitoring and then applies default or
user-defined policies to alter routing to optimize prefixes and exit links. OER administration and control
is centralized on the master controller, which makes all policy decisions and controls the border routers.
The master controller does not need to be in the traffic forwarding path, but it must be reachable by the
border routers. The master controller can support up to 10 border routers and up to 20 OER managed
external interfaces.
Note We recommend that the master controller is deployed as close as possible to the border routers to reduce
communication response time.
Cisco IOS OER Network Components: Border Router

The border router is an enterprise edge router with one or more exit links to an ISP or other participating
network. The border router is where all policy decisions and changes to routing in the network are
enforced. The border router participates in prefix monitoring and route optimization by reporting prefix
and exit link measurements to the master controller and then by enforcing policy changes received from
the master controller. The border router enforces policy changes by injecting a preferred route to alter
routing in the network. The border router is deployed on the edge of the network, so the border router
must be in the forwarding path. A border router process can be enabled on the same router as a master
controller process.
Cisco IOS OER Network Components: Interfaces

An OER managed network must have at least two external interfaces that are used to forward traffic to
the external network (WAN or ISP) and at least one internal interface that is used for passive monitoring.
There are three interface configurations required to deploy OER:
• External interfaces are configured as OER managed exit links to forward traffic. The physical
external interface is enabled on the border router. The external interface is configured as an OER
external interface on the master controller. The master controller actively monitors prefix and exit
link performance on these interfaces. Each border router must have at least one external interface,
and a minimum of two external interfaces are required in an OER managed network.

6 78-17876-01
• Internal interfaces are used for only passive performance monitoring with NetFlow. No explicit
NetFlow configuration is required. The internal interface is an active border router interface that
connects to the internal network. The internal interface is configured as an OER internal l interface
on the master controller. At least one internal interface must be configured on each border router.
• Local interfaces are used for only master controller and border router communication. A single
interface must be configured as a local interface on each border router. The local interface is
identified as the source interface for communication with the master controller.
Tip If a master controller and border router process is enabled on the same router, a loopback interface
should be configured as the local interface.
The following interface types can be configured as external and internal interfaces:
• ATM
• BRI
• CTunnel
• Ethernet
• Fast Ethernet
• Gigabit Ethernet
• HSSI
• Null
• POS
• Serial
• Tunnel
• VLAN
Note VLAN interfaces can be configured only as internal interfaces.
The following interface types can be configured as local interfaces:

• Async
• BVI
• CDMA-Ix
• CTunnel
• Dialer
• Ethernet
• Group-Async
• Lex
• Loopback
• MFR
• Multilink
• Null

78-17876-01 7
• Serial
• Tunnel
• Vif
• Virtual-PPP
• Virtual-Template
• Virtual-TokenRing
Note A Virtual-TokenRing interface can be configured as a local interface. However, Token Ring interfaces
are not supported and cannot be configured as external, internal, or local interfaces.
Cisco IOS OER Managed Network

Figure 3 shows an OER managed network. This network contains a master controller and two border
routers. OER communication between the master controller and the border routers is carried separately
from routing protocol traffic. This communication is protected by MD5 authentication. Each border
router has an external interface that is connected to a different ISP or WAN link to a remote site and a
local and an internal interface that are reachable by the master controller.
Figure 3 Cisco IOS OER Managed Network
Exit link
BR1 ISP-A
Statistics
SLA A
Master
Controller
Commands Border router

ISP-B
SLA B
Statistics
BR2
117771
External interfaces are used to forward outbound traffic from the network and are used as the source for
active monitoring. Internal interfaces are used for OER communication and used for passive monitoring.
At least one external and one internal interface must be configured on each border router. At least two
external interfaces are required in an OER managed network. A local interface is configured on the
border router for communication with the master controller.

8 78-17876-01
Cisco IOS OER Managed Network: Central Policy Database

The master controller continuously monitors the network. The master controller maintains a central
policy database where it stores collected statistical information. The master controller compares
long-term and short-term measurements. The long-term measurements are collected every 60 minutes.
Short term measurements are collected every five minutes. The master controller analyzes these statistics
to determine which routes have the lowest delay, highest outbound throughput, relative or absolute
packet loss, relative or absolute link cost, and prefix reachability to analyze and optimize the
performance of monitored prefixes and to distribute the load from over-utilized exit links to
under-utilized exit links.
Cisco IOS OER Managed Network: Policy Enforcement Point

The border router is the policy enforcement point. Default or user-defined policies are configured on the
master controller to set the performance level for prefixes and exit links. The master controller
automatically alters routing in the OER managed network, as necessary, by sending control commands
to the border routers to inject a preferred route. The preferred route is advertised or redistributed through
the internal network. The preferred route alters default routing behavior so that out of policy prefixes are
moved from over utilized exit links to under utilized exit links to bring prefixes and exit links in-policy,
and thus optimizing the overall performance of the enterprise network.
Cisco IOS OER Prefix Learning

To enable Cisco IOS OER in your network prefixes must be identified to monitor and optimize. A Cisco
router configured as a master controller will learn and monitor up to 2500 prefixes by default and can
configured to learn and monitor up to 5000 prefixes with the max prefix total command in OER master
controller configuration mode. Prefixes can be learned automatically or can manually selected.
Cisco IOS OER Prefix Learning: Automatic Prefix Learning

The master controller can be configured, using Top Talker functionality, to learn prefixes automatically
based on highest outbound throughput or lowest delay time. Throughput learning measures prefixes that
generate the highest outbound traffic volume. Throughput prefixes are sorted from highest to lowest.
Delay learning measures prefixes with the lowest round-trip response time (RTT). Delay prefixes are
sorted from the lowest to the highest delay time.
Automatic prefix learning is configured in OER Top Talker and Delay learning configuration mode. The
learn command is used to enter this mode from OER master controller configuration mode. When
automatic prefix learning is enabled, prefixes and their delay and/or throughput characteristics are
learned, and this is information is stored in the central policy database. Prefixes are learned for 5 minutes
by default. The master controller analyzes these statistics and implements policy decisions as necessary.
Prefixes are learned on the border routers through passive monitoring. Prefix learning is configured on
the master controller. The border routers monitor all incoming and outgoing traffic flows. The top 100
flows are learned by default, and up to 5000 flows can be learned.
Learned prefixes can be aggregated based the prefix type, BGP or non-BGP (static routes), or the prefix
length. Traffic flows are aggregated using a /24 prefix length by default. Prefix aggregation can be
configured to include any subset or superset of a major network, including a single host route (/32). For
each aggregated prefix, up to five host addresses are selected to use as active probe targets. Prefix
aggregation is configured with the aggregation-type command in OER Top Talker and Delay learning
configuration mode.

78-17876-01 9
Cisco IOS OER Prefix Learning: Manually Selecting Prefixes

A prefix or range of prefixes can be selected for monitoring by configuring an IP prefix list. The IP prefix
list is then imported into the master controller database by configuring a match clause in an OER map.
IP prefix-lists are configured with the ip prefix-list command and OER maps are configured with the
oer-map command in global configuration mode.
The following IP prefix list configuration options are supported:
• An exact prefix (/32)
• A specific prefix length and any subset (for example, a /24 under a /16)
• A specific prefix and all more specific routes (le 32)
• All prefixes (0.0.0.0/0)
Traffic is excluded or included by configuring permit or deny statements in the IP prefix list.
For best performance, you should apply the most commonly referenced prefix lists and deny prefix lists
to the lowest (or first) OER map sequences.
Cisco IOS OER Prefix Learning: Port and Protocol Based Prefix Learning
Port and Protocol Based Prefix Learning was introduced in Cisco IOS Release 12.3(11)T. This feature
allows you to configure the master controller to learn traffic based on the protocol number or the source
or destination port number, carried by TCP or UDP traffic. This feature provides a very granular filter
that can be used to further optimize prefixes learned based on throughput and delay.
Port and protocol based prefix learning allows you to optimize or exclude traffic streams for a specific
protocol or the TCP port, UDP port, or range of port numbers. Traffic can be optimized for a specific
application or protocol. Uninteresting traffic can be excluded, allowing you to focus router system
resources, and reduce unnecessary CPU and memory utilization. In cases where traffic streams need to
be excluded or included over ports that fall above or below a certain port number, the range of port
numbers can be specified. Port and protocol prefix based learning is configured with the protocol
command in OER Top Talker and Delay learning configuration mode.
For a list of IANA assigned port numbers, refer to the following document:
• http://www.iana.org/assignments/port-numbers
For a list of IANA assigned protocol numbers, refer to the following document:
• http://www.iana.org/assignments/protocol-numbers
Cisco IOS OER Prefix Learning: Prefix Transition States

Monitored prefixes pass through the following states when imported into the central policy database or
when a default or user-defined policy is applied:
Default—A prefix is placed in this state when it is not under OER control. All routing decisions for the
prefix are controlled by existing metrics determined by the default routing protocol. Prefixes are placed
in the default state when they are initially added to the central policy database. A prefix will transition
into and out of the default state depending on policy configuration and performance measurements.
In-Policy—A prefix is placed in this state when the status of the prefix exit conforms to default or
user-defined policies. No changes are made when a prefix is in the in-policy state. The master controller
continues to monitor the prefix and will take no action until the policy configuration or performance
measurements change.

10 78-17876-01
Out-of-Policy—A prefix is placed in this state when the prefix exit does not conform to default or
user-defined policies. The master controller will use active probing and/or passive monitoring to find a
better exit for the prefix, while the prefix is in this state. If all exit links are out-of-policy, the master
controller will select the best available exit.
Choose—A prefix is placed in this state by the master controller during exit link selection. The prefix
remains in the choose state until it is moved to the new exit.
Holddown—A prefix is placed in this state when the master controller moves a prefix to a new exit. No
policy changes are applied to a prefix in the holddown state. The holddown state is designed to isolate
the prefix during the transition period to prevent the prefix from causing instability due to rapid state
changes (flapping).
Note Over aggressive policy settings can cause a prefix or exit link to remain in the out-of-policy state.
Cisco IOS OER Monitoring

Cisco IOS OER monitors prefix performance over OER managed exit links to ensure that OER
controlled prefixes and exit links conform to policy parameters. Prefixes are passively monitored with
integrated NetFlow functionality and are actively monitored with integrated IP Service Level
Agreements (IP SLAs) functionality. No explicit NetFlow or IP SLAs configuration is required. Support
for these features are enabled automatically as necessary.
The master controller can be configured to monitor learned and manually selected prefixes. The border
routers collect passive monitoring and active monitoring statistics and then transmit this information to
the master controller. The master controller analyzes the collected information. If all monitored prefixes
and exit links are in policy, no changes are made and the master controller continues to monitor the
network. If a monitored prefix or exit link is out of policy, the master controller makes a policy decision
and sends a control command to the border router to alter routing in the OER managed network to move
the prefix to a better exit to bring the prefix or exit in policy.
Cisco IOS OER Monitoring: Passive Monitoring

Cisco IOS OER uses NetFlow, an integrated technology in Cisco IOS software, to collect and aggregate
passive monitoring statistics on a per prefix basis. Passive monitoring is enabled by default when an OER
managed network is created. Netflow is a flow-based monitoring and accounting system. NetFlow
support is enabled by default on the border routers when passive monitoring is enabled.
Passive monitoring uses only existing traffic; additional traffic is not generated. Border routers collect
and report passive monitoring statistics to the master controller approximately once per minute. If traffic
does not go over an external interface of a border router, no data is reported to the master controller.
The master controller uses passive monitoring to measure the following information:
Delay—The master controller measures the average delay of TCP flows for a given prefix. Delay is the
measurement of the round-trip response time (RTT) between the transmission of a TCP synchronization
message and receipt of the TCP acknowledgement.
Packet loss—The master controller measures packet loss by tracking TCP sequence numbers for each
TCP flow. OER estimates packet loss by tracking the highest TCP sequence number. If a subsequent
packet is received with a lower sequence number, OER increments the packet loss counter. Packet loss
is measured in flows per million (fpm).
Reachability—The master controller measures reachability by tracking TCP synchronization messages
that have been sent repeatedly without receiving a TCP acknowledgement.

78-17876-01 11
Throughput—The master controller measures prefixes that generate the highest outbound traffic volume
or throughput. Throughput is measured on external interfaces in bits per second (bps).
Note OER passively monitors TCP traffic flows for IP traffic. Passive monitoring of non-TCP sessions is not
supported.
Passive monitoring statistics are gathered and stored in a prefix history buffer that can hold a minimum
of 60 minutes of information depending on whether the traffic flow is continuos. Cisco IOS OER uses
this information to determine if the prefix is in policy based on the default or user-defined policies.
Cisco IOS OER Monitoring: Active Monitoring

Active monitoring uses IP Service Level Agreements (IP SLAs), an integrated technology in Cisco IOS
software, to analyze and measure the performance of TCP and UDP traffic. Active monitoring generates
traffic in a continuous, reliable, and predictable manner. This allows the master controller to measure
delay and jitter to determine prefix performance characteristics more accurately than is possible with
only passive monitoring.
Active monitoring is enabled with the mode command in OER master controller configuration mode.
When active monitoring is enabled, the master controller commands the border routers to send active
probes to a target IP address. The border router collects and transmits the probe results to master
controller to analyze.
Active probes are automatically generated when a prefix is learned or aggregated. The border router
collects up to five host addresses from the prefix for active probing. Active probes can be configured for
specific host or target address. Active probes are configured with the active-probe command in OER
master controller configuration mode. The active probe is sourced from the border router and transmitted
through an external interface (the external interface may or may not be the preferred route for an
optimized prefix). Active probes are sent once per minute. ICMP probes are used by default.
Note For eBGP peering sessions, the IP address of the eBGP peer must be reachable from the border router
via a connected route in order for active probes to be generated.
Active Probe Types

Cisco IOS OER uses ICMP Echo probes, by default, when an active probe is automatically generated.
The following types of active probes can be configured:
ICMP Echo—A ping is sent to the target address. Configuring an ICMP echo probe does not require
knowledgeable cooperation from the target device. However, repeated probing could trigger an Intrusion
Detection System (IDS) alarm in the target network. If an IDS is configured in a target network that is
not under your administrative control, we recommend that you notify the target network administration
entity.
TCP Connection—A TCP connection probe is sent to the target address. A target port number must be
specified. A remote responder must be enabled if TCP messages are configured to use a port number
other than TCP well-known port number 23.
UDP Echo—A UDP echo probe is sent to the target address. A target port number must be specified. A
remote responder must be enabled on the target device, regardless of the configured port number.

12 78-17876-01
Cisco IOS OER Monitoring: Combined Monitoring

Cisco IOS OER can also be configured to combine both active and passive monitoring in order to
generate a more complete picture of traffic flows within the network. Combined monitoring is enabled
by default. Combined monitoring is configured with the mode monitor both command in OER master
controller configuration mode.
Cisco IOS OER Monitoring: Traceroute Reporting

The OER Support for Traceroute Reporting feature was introduced in Cisco IOS Release 12.3(14)T.
Traceroute reporting is configured on a master controller. Traceroute probes are sourced from the current
border router exit. This feature allows you to monitor prefix performance on a hop-by-hop basis. Delay,
loss, and reachability measurements are gathered for each hop from the probe source to the target prefix.
Traceroute reporting is enabled with the set traceroute reporting oer-map configuration mode
command. Learned or specific prefixes are selected for traceroute reporting by configuring a match
clause in an OER map. When traceroute reporting is enabled, traceroute probes gather delay, loss, and
reachability statistic for a given prefix. Specific traceroute probes can also be configured to gather these
statistics individually only for prefixes that are in the out-of-policy state. The time interval between
traceroute probes is configured with the traceroute probe-delay command in OER master controller
configuration mode.
Traceroute probes are configured using the following methods:
Continuous—A traceroute probe is triggered for each new probe cycle. Entering the set traceroute
reporting command without any keywords enables continuous reporting. The probe is sourced from the
current exit of the prefix.
Policy based—A traceroute probe is triggered automatically when a prefix goes into an out-of-policy
state. Policy based traceroute probes are configured individually for delay, loss, and reachability
policies. The monitored prefix is sourced from a match clause in an oer-map. Policy based traceroute
reporting stops when the prefix returns to an in-policy state.
On demand—A trace route probe is triggered only when the show oer master prefix command is
entered for a specific IP address with the current and now keywords. Continuous or policy-based
traceroute reporting does not need to be enabled to use this method. Entering this command without any
keywords displays the most recent probe results for all exits. Entering this command with the current
keyword displays the results for the current exit from the most recent probe.
Cisco IOS OER Modes of Operation

The master controller can be configured to operate in observe mode or control mode.
Cisco IOS OER Modes of Operation: Observe Mode

The master controller can be configured to operate in route observe mode or route control mode. Observe
mode monitoring is enabled by default. In observe mode, the master controller monitors prefixes and exit
links based on default and user-defined policies and then reports the status of the network and the
decisions that should be made but does not implement any changes. This mode allows you to verify the
effectiveness of this feature before actively deploying it.

78-17876-01 13
Cisco IOS OER Modes of Operation: Control Mode

In control mode, the master controller coordinates information from the border routers and makes policy
decisions just as it does in observe mode. The master controller monitors prefixes and exits based on
default and user-defined policies but then implements changes to optimize prefixes and to select the best
exit. In this mode, the master controller gathers performance statistics from the border routers and then
transmits commands to the border routers to alter routing as necessary in the OER managed network.
Control mode or observe mode monitoring is configured with the mode route command in OER master
controller configuration mode.
Cisco IOS OER Routing Control

Figure 4 shows an OER managed network. The master controller alters default routing behavior inside
of the OER managed network to optimize prefix and exit link performance. Cisco IOS OER uses a
command/response protocol to manage all communication between the border router and the master
controller.
Figure 4 Cisco IOS OER Controls Default Routing Behavior
ISP interfaces
BGP/Static Redistribution BR1 ISP-A

SLA A
Master
Controller
Commands Border router

ISP-B
SLA B
117772
BR2
BGP/Static Redistribution
The border routers are enterprise edge routers. Routing protocol peering or static routing is established
between the border routers and internal peers. The border routers advertise a default route to internal
peers through BGP peering, static routing, or route redistribution into an Interior Gateway Protocol
(IGP). The master controller alters default routing behavior in the OER managed network by sending
control commands to the border routers to inject a preferred route into the internal network.
When the master controller determines the best exit for a prefix, it sends a route control command to the
border router with the best exit. The border router searches for a parent route for the monitored prefix.
The BGP routing table is searched first and then the static routing table. This can be a default route for
the monitored prefix. If a parent route is found that includes the prefix (the prefix may be equivalent or
less specific) and points to the desired exit link by either the route to its nexthop or by a direct reference
to the interface, a preferred route is injected into the internal network from the border router. OER injects
the preferred route where the first parent is found. The preferred route can be an injected BGP route or

14 78-17876-01
an injected static route. The preferred route is learned by internal peers, which in turn recalculate their
routing tables causing the monitored prefix to be moved to the preferred exit link. The preferred route is
only advertised to the internal network and is not advertised to external peers.
Cisco IOS OER Routing: Border Router Peering with the Internal Network
The master controller alters default routing behavior in the OER managed network by injecting preferred
routes into the routing tables of the border routers. The border routers peer with other routers in the
internal network through BGP peering, BGP or static route redistribution into an IGP, or static routing.
The border routers advertise the preferred route to internal peers.
The border routers should be close to each other in terms of hops and throughput and should have a
consistent view of the network; routing should be configured consistently across all border routers. The
master controller verifies that a monitored prefix has a parent route with a valid next hop before it
commands the border routers to alter routing. The border router will not inject a route where one does
not already exist. This behavior is designed to prevent traffic from being blackholed because of an
invalid next hop.
Note When two or more border routers are deployed in an OER managed network, the next hop on each border
router, as installed in the RIB, cannot be an IP address from the same subnet as the next hop on another
border router.
Cisco IOS OER Routing: BGP Peering

Standard internal BGP (iBGP) peering can be established between the border routers and other internal
peers. External BGP (eBGP) peering or a default route is configured to the ISP. In the iBGP network,
OER uses the local preference attribute to set the preference for injected routes. The BGP local
preference attribute is a discretionary attribute that is used to apply the degree of preference to a route
during the BGP best path selection process. This attribute is exchanged only between iBGP peers and is
not advertised outside of the OER managed network or to the eBGP network. The prefix with the highest
local preference value is locally advertised as the preferred path to the destination. OER applies a local
preference value of 5000 to injected routes by default. A local preference value from 1 to 65535 can be
configured.
Note If a local preference value of 5000 or higher has been configured for default BGP routing, you should
configure a higher value in OER. OER default BGP local preference and default static tag values are
configurable with the mode command in OER master controller configuration mode.
Note The IP address for each eBGP peering session must be reachable from the border router via a connected
route. Peering sessions established through loopback interfaces or with the neighbor ebgp-multihop
command are not supported.
Cisco IOS OER Routing: BGP Redistribution into an IGP

BGP redistribution can be used if the border routers are configured to run BGP (for ISP peering for
example) and the internal peers are configured to run another routing protocol (such as Enhanced Interior
Gateway Routing Protocol [EIGRP], Open Shortest Path First [OSPF] or Routing Information Protocol
[RIP]). The border routers can advertise a single default route or full routing tables to the internal

78-17876-01 15
network. If you use BGP to redistribute more than a default route into an IGP, we recommend that you
use IP prefix-list and route-map statements to limit the number of prefixes, as BGP routing tables can be
very large.
Cisco IOS OER Routing: BGP Redistribution Based on the BGP Local-Preference Attribute
OER uses the local-preference attribute to influence routing inside of a BGP network. OER injected BGP
routes can redistributed within the network by configuring the match local-preference route-map
configuration command. A value of 5000 (or a custom value if configured on the master controller) must
be configured when entering this command.
Cisco IOS OER Routing: Static Routing and Static Route Redistribution
Static routing or static route redistribution can be configured in the internal network. OER alters routing
these types of network by injecting temporary static routes. The temporary static route replaces the
parent static route. OER will in not inject a temporary static route where a parent static route does not
exist. OER applies a default tag value of 5000 to identify the injected static route. In the case of the
network where only static routing is configured, no redistribution configuration is required. In the case
of a network where an IGP is deployed and BGP is not run on the border routers, static routes to border
router exit interfaces must be configured, and these static routes must be redistributed into the IGP.
Cisco IOS OER Routing: Injecting Split Prefixes

When configured to control a subset of a larger network, the master controller will add an appropriate
route or split prefix to the existing routing table, as necessary. A split prefix is a more specific route that
is derived from a less specific parent prefix. For example, if a /24 prefix is configured to be optimized,
but only a /16 route is installed to the routing table, the master controller will inject a /24 prefix using
the attributes from the /16 prefix. Any subset of the less-specific prefix can be derived, including a single
host route. Split prefixes are processed only inside the OER managed network and are not advertised to
external networks. If BGP is deployed in the OER managed network, the master controller will inject a
more specific BGP route. If BGP is not deployed, the master controller will inject a more specific
temporary static route.
Cisco IOS OER Policy Configuration

The master controller optimizes prefixes and exit links to conform to default and user-defined policies.
When the performance of a monitored prefix or exit link falls below a policy configuration setting, the
master controller optimizes traffic in the internal network to bring either the prefix or exit link into an
in-policy state. Global policies are configured in OER master controller configuration mode and OER
Top Talker and Top delay learning configuration mode. Policies can also be applied to specific prefixes
that pass through a match statement in an OER map in oer-map configuration mode. Global policies
override OER map policies.
Cisco IOS OER Policy Configuration: Prefix Policies

A prefix policy is a set of rules that governs performance characteristics for a network address. The
network address can be a single host route or an entire network. A prefix is defined as any network
number with a prefix mask applied to it.

16 78-17876-01
The following performance characteristics are managed by prefix policies:

• Delay
• Packet Loss
• Reachability
Note Prefix policies always override exit link policies.
Cisco IOS OER Policy Configuration: Exit Link Policies

An exit link policy is a set of rules that are applied to OER managed exit links. The performance
characteristics that are managed by a link policy are traffic load and exit link utilization. A link policy
can define total outbound throughput or total link utilization. Link utilization policies can be defined for
a single exit link or all OER managed exit links. The following performance characteristics are managed
by link policies:
• Cost-Based Optimization
• Utilization (Range)
• Traffic Load Distribution
Cisco IOS OER Policy Configuration: Cost-Based Optimization

The OER Support for Cost-Based Optimization feature was introduced in Cisco IOS Release 12.3(14)T.
Cost-based optimization allows you to configure policies based on the monetary cost (ISP Service Level
Agreement [SLA]) of each exit link in your network. This feature allows you to configure the master
controller send traffic over exit links that provide the most cost-effective bandwidth utilization, while
still maintaining the desired performance characteristics. Cost-based optimization is configured with the
cost-minimization command in OER border exit configuration mode (under the external interface
configuration). Cost-based optimization supports two billing models: fixed rate or tier-based with
bursting.
Fixed Rate Billing

Fixed rate—This method is used when the ISP bills one flat rate for network access regardless of
bandwidth usage. If only fixed rate billing is configured on the exit links, all exits are considered to be
equal in regards to cost-optimization and other policy parameters (such as delay, loss, utilization, etc)
are used to determine if the prefix or exit link is in-policy. If multiple exit links are configured with tiered
and fixed policies, then exit links with fixed policies have the highest priority in regards to cost
optimization. If the fixed exit links are at maximum utilization, then the tiered exit links will be used.
Fixed rate billing is configured for an exit link when the fixed keyword is entered with the
cost-minimization command. The monetary cost of the exit link is entered with the fee keyword.
Tier-Based Billing
Tier-based with bursting—This method is used when the ISP bills at a tiered rate based on the percentage
of exit link utilization. Tiered-based billing is configured for an exit link when the tier keyword is
entered with the cost-minimization command. A command statement is configured for each cost tier.
The monetary cost of the tier is entered with the fee keyword. The percentage of bandwidth utilization
that activates the tier is entered after the tier keyword.

78-17876-01 17
The specific details of tier-based with bursting billing models vary by ISP. However, most ISPs use some
variation of the following algorithm to calculate what an enterprise should pay in a tiered billing plan:
1. Gather periodic measurements of egress and ingress traffic carried on the Enterprise connection to
the ISP network and aggregate the measurements to generate a rollup value for a rollup period.
2. Generate one or more rollup values per billing period.
3. Rank the rollup values for the billing period into a stack from the largest value to the smallest.
4. Discard the top 5% of the rollup values from the stack to accommodate bursting.
5. Apply the highest remaining rollup value in the stack to a tiered structure to determine a tier
associated with the rollup value.
6. Charge the customer based on a set cost associated with the determined tier.
Note A billing policy must be configured and applied to prefixes in order for the master controller to perform
cost-based optimization.
Cost Optimization Algorithm

At the end of each billing cycle the top n% of samples, or rollup values, are discarded. The remaining
highest value is the sustained utilization. Based on the number of samples discarded, the billing cycle is
divided into three periods:
• Initial Period
• Middle Period
• Last Period
Initial Period
The period when the samples measured is less than the number of discards +1. For example, if discard
is 7%, billing month is 30 days long, and sample period is 24 hours, then there are 30 samples at the end
of the month. The number of discard samples is two (2% of 30). In this case, days one, two, and three
are in the Initial Period. During this period, target the lowest tier for each ISP at the start of their
respective billing periods and walk up the tiers until the current total traffic amount is allocated across
the links.
Middle Period
The period after the Initial Period until the number of samples yet to be measured or collected is less
than the number of discards.
Using the same example as above, the Middle Period would be from day four through day 28. During
this period, set the target tier to the sustained utilization tier, which is the tier where (discard +1) the
highest sample so far measured falls in.
Last Period
The period after the Middle Period until the end of billing period is the Last Period. During this period,
if links were used at the maximum link capacity for the remainder of the billing period and sustained
utilization does not change by doing so, then set the target to maximum allowable link utilization.
Maximum link utilization is configurable where most likely values would be 75-90%. Otherwise, set the
target to sustained utilization tier. During any sample period, if the cumulative usage is more than
targeted cumulative usage, then bump up to the next tier for the remainder of sample period. If rollup is
enabled, then replace sample values to rollup values and number of sample to number of rollups in above
algorithm.

18 78-17876-01
Cisco IOS OER Policy Configuration: Optimal Exit Link Selection

Cisco IOS OER can be configured to periodically select the Optimal Exit Link (OEL) from the available
ISP connections based on exit link performance. The master controller will move traffic from
over-utilized exit links to under-utilized exit links. Optimal Exit Link Selection (OELS) uses policy
configuration to manage prefix and exit link performance. Policy configuration can be customized to
your requirements. For example, a policy can be created to ensure that priority traffic is always routed
to the target network through the exit link with the highest outbound throughput or the lowest delay
(round-trip response time).
Cisco IOS OER Policy Configuration: Load Distribution

Cisco IOS OER supports per-prefix load distribution. The master controller measures transmission
throughput on OER managed exit interfaces. When exit link utilization causes an exit link to go into an
out-of-policy state, monitored prefixes are moved to bring the exit link in-policy and to equalize
transmission utilization across all exit links. Load distribution settings are configured with the
max-range-utilization command. The master controller sets the maximum range utilization to 20
percent for all OER managed exit links by default. Utilization can be customized for a single link or all
exit links. A range policy can be applied to all monitored prefixes or any subset through oer-map or
global policy configuration.
Tip When enabling Cisco IOS OER for load distribution, we recommend that you set the interface load
calculation on OER managed external interfaces to 30 second intervals with the load-interval interface
configuration command (The default calculation interval is 300 seconds). The load calculation is
configured under interface configuration mode on the border router. This configuration is not required.
It is recommended to allow Cisco IOS OER to respond as quickly as possible to load distribution issues.
Cisco IOS OER Policy Configuration: Global Policies

Global policies are applied in Top Talker and Delay learning configuration mode. These policies are used
to configure a master controller to learn and optimize prefixes based on the highest throughput or the
highest delay. Under the Top Talker and Delay learning configuration mode, you can configure prefix
learning based on delay and throughput statistics. You can configure the length of the prefix learning
period, the interval between prefix learning periods, the number of prefixes to learn, and prefix learning
based on port and protocol.
Cisco IOS OER Policy Configuration: Applying Policies with an OER Map
The operation of an OER map is similar to the operation of a route map. An OER map is designed to
select IP prefixes defined in an IP prefix list or to select learned prefixes policies that pass a match clause
and then to apply OER policy configurations using a set clause. The OER map is configured with a
sequence number like a route map, and the OER map with the lowest sequence number is evaluated first.
The operation of an oer-map differs from a route map at this point. There are two important distinctions:
• Only a single match clause may be configured for each sequence. An error message will be
displayed in the console if you attempt to configure multiple match clauses for a single OER map
sequence.

78-17876-01 19
• An OER map is not configured with permit or deny statements. However, a permit or deny sequence
can be configured for an IP traffic flow by configuring a permit or deny statement in an IP prefix list
and then applying the prefix list to the OER map with the match ip address (OER) command. Deny
prefixes should be combined in a single prefix list and applied to the oer-map with the lowest
sequence number.
An OER map can match a prefix or prefix range with the match ip address (OER) command. A prefix
can be any IP network number combined with a prefix mask that specifies the prefix length. The prefix
or prefix range is defined with the ip prefix-list command in Global configuration mode. Any prefix
length can be specified. An oer-map can also match OER learned prefixes with the match oer learn
command. Matching can be configured for learned prefixes based on delay or based on throughput.
The OER map applies the configuration of the set clause after a successful match occurs. Anther set
clause can be used to set policy parameters for the backoff timer, packet delay, holddown timer, packet
loss, mode settings, periodic timer, resolve settings, and unreachable hosts.
Policies applied by an OER map take effect after the current policy or operational timer expires. The
OER map configuration can be viewed in the output of the show running-config command. OER policy
configuration can be viewed in the output of the show oer master policy command. Policies that are
applied by an OER map do not override global policies and user-defined policies configured under OER
master controller configuration mode and OER Top Talker and Delay configuration mode. These policies
are only applied to prefixes that pass OER map match criteria.
Policy-Rules Configuration
The policy-rules OER master controller configuration command was introduced in Cisco IOS Release
12.3(11)T. This command allows you to select an oer-map and apply the configuration under OER
master controller configuration mode, providing an improved method to switch between predefined
oer-maps.
Cisco IOS OER Policy Configuration: Resolving Policies

When configuring multiple policy parameters for a monitored prefix or set of prefixes, it is possible to
have multiple overlapping policies. The resolve function is a flexible mechanism that allows you to set
the priority for cost, delay, loss, utilization, and range policies. Each policy is assigned a unique value.
The policy with the highest priority is selected to determine the policy decision. By default, delay has
the highest priority and utilization has the second highest priority.
Configuring Resolve with Variance
When configuring resolve settings, you can also set an allowable variance for the defined policy.
Variance configures the allowable percentage that an exit link or prefix can vary from the defined policy
value and still be considered equivalent. For example, if exit link delay is set to 80 percent and a 10
percent variance is configured, exit links that have delay values from 80 to 89 percent will be considered
equal.
Note Variance cannot be configured for cost or range policies.

20 78-17876-01
VPN IPSec/GRE Tunnel Interface Optimization

Cisco IOS OER support for VPN IPSec/GRE Tunnel Optimization was introduced in Cisco IOS Release
12.3(11)T. Cisco IOS OER supports the optimization of prefixes that are routed over IPSec/GRE tunnel
interfaces. The VPN tunnel interface is configured as OER external interfaces on the master controller.
Figure 5 shows a an OER managed network that is configured to optimize VPN traffic. Cisco IOS OER
is deployed at the Central Office and Remote Offices.
Figure 5 Cisco IOS OER Network Optimized for VPN Routing
Central office
OER master
Providers Internet Frame Relay VPN

Frame Relay
127263
Remote offices
This enhancement allows you to configure two-way VPN optimization. A master controller and border
router process are enabled on each side of the VPN. Each site maintains a separate master controller
database. VPN routes can be dynamically learned through the tunnel interfaces or can be configured.
Prefix and exit link policies are configured for VPN prefixes through standard Cisco IOS OER
configuration.
Cisco IOS OER Logging and Reporting

Cisco IOS OER supports standard syslog functions. The notice level of syslog is enabled by default.
System logging is enabled and configured in Cisco IOS software under Global configuration mode. The
logging command in OER master controller or OER border router configuration mode is used only to
enable or disable system logging under OER. OER system logging supports the following message
types:
Error Messages—These messages indicate OER operational failures and communication problems
that can impact normal OER operation.

78-17876-01 21
Debug Messages—These messages are used to monitor detailed OER operations to diagnose
operational or software problems.
Notification Messages—These messages indicate that OER is performing a normal operation.
Warning Messages—These messages indicate that OER is functioning properly but an event
outside of OER may be impacting normal OER operation.
To modify system, terminal, destination, and other system global logging parameters, use the logging
commands in Global configuration mode. For more information about global system logging
configuration, refer to the “Troubleshooting and Fault Management” section of the Cisco IOS
Configuration Fundamentals and Network Management Configuration Guide, Release 12.3.
Cisco IOS OER Deployment Configurations

Cisco IOS OER can be deployed in an enterprise network, remote office network, or small office home
office (SOHO) network using one of the following three configurations shown in Figure 6:
• Configuration A shows a network with two edge routers configured as border routers. The border
router that peers with ISP2 is also configured to run a master controller process. This configuration
is suitable for a small network with multiple edge routers that each provide an exit link to a separate
external network.
• Configuration B shows two border routers and an master controller, each running on a separate
router. This configuration is suitable for small, medium, and large networks. In this configuration,
the master controller process is run on a separate Cisco router. This router performs no routing or
forwarding functions. Although, routing and forwarding functions are not prohibited.
• Configuration C shows a single router that is configured to run a master controller and border router
process. This configuration is suitable for a small network with a single router, such as a remote
office or home network.
Figure 6 Cisco IOS OER Deployment Scenarios
Config A Config B Config C

BRs BRs
ISP1
ISP1 ISP1
MC
MC/BR
116661
ISP2 ISP2 ISP2
MC/BR
In each deployment scenario, a single master controller is deployed. The master controller does not need
to be in the traffic forwarding path but must be reachable by the border routers. A master controller
process can be enabled on router that is also configured to run a border router process.The master
controller can support up to 10 border routers and up to 20 OER managed external interfaces. At least
one border router process and two exit interfaces are required in an OER managed network.

22 78-17876-01
How to Configure Cisco IOS Optimized Edge Routing
Note A Cisco router that is configured to run both a master controller and border router process will use more
memory than a router that is configured to run only a border router process. This should be considered
when selecting a router for dual operation. See the following document for more information: Cisco
Optimized Edge Routing CPU and Memory Performance Tests

This section contains the following procedures:
• Minimum Master Controller Configuration, page 24 (required)
• Minimum Border Router Configuration, page 29 (required)
• Configuring Prefix Learning, page 33 (optional)
• Manually Selecting Prefixes for Monitoring, page 36 (optional)
• Configuring Active Probing, page 38 (optional)
• Configuring the Source Address of an Active Probe, page 41 (optional)
• Configuring Traceroute Reporting, page 42 (optional)
• Configuring Prefix and Exit Link Policies, page 45 (optional)
• Configuring Cost-Based Optimization, page 50 (optional)
• Configuring Resolve Policies, page 52 (optional)
• Configuring Cisco IOS OER Modes of Operation, page 54 (optional)
• Configuring OER Policies with an OER Map, page 56 (optional)
• Configuring Policy Rules for OER Maps, page 63 (optional)
• Configuring iBGP Peering on the Border Routers, page 64 (optional)
• Configuring BGP Redistribution into an IGP on the Border Routers, page 67 (optional)
• Configuring Static Route Redistribution on the Border Routers, page 70 (optional)
• Configuring Static Route Redistribution into EIGRP, page 73 (optional)
• Configuring OER to Monitor and Control IPSec VPN Prefixes Over GRE Tunnels, page 76
(optional)
• Verifying Cisco IOS OER Configuration, page 85 (optional)
• Using Cisco IOS OER Clear Commands, page 88 (optional)
• Using Cisco IOS OER Debug Commands, page 89 (optional)
Specific example configurations for each procedure follow each configuration table. Proceed to the
Configuration Examples for Cisco IOS Optimized Edge Routing section to see more complex example
deployment configurations.

78-17876-01 23
Minimum Master Controller Configuration

This section describes the minimum required steps to configure a master controller process to manage
an OER managed network. In this section, the following tasks are completed:
• Communication is established between the master controller and the border router.
• The communication session is protected by key-chain authentication.
• Border routers are specified for OER control.
• Internal and external border router interfaces are specified.
• Passive monitoring is enabled (by default).
• Prefix learning based on outbound packet throughput is enabled.
• Route control mode monitoring is enabled.
Master Controller
• OER administration is centralized on the master controller, which makes all policy decisions and
controls the border routers.
• The master controller is not required to be in the traffic forwarding path but should be deployed near
the border routers to minimize communication response time.
• The master controller can support up to 10 border routers and up to 20 OER managed external
interfaces.
Disabling a Master Controller Process

To disable a master controller and completely remove the process configuration from the running-config
file, use the no oer master command in Global configuration mode.
To temporarily disable a master controller, use the shutdown command in OER master controller
configuration mode. Entering the shutdown command stops an active master controller process but does
not remove any configuration parameters. The shutdown command is displayed in the running-config
file when enabled.
Manual Port Configuration

Communication between the master controller and border router is automatically carried over port 3949
when connectivity is established. Port 3949 is registered with IANA for OER communication. Support
for port 3949 was introduced in Cisco IOS Release 12.3(11)T. Manual port number configuration is only
required if you are running Cisco IOS Release 12.3(8)T or if you need to configure OER communication
to use a dynamic port number.
Prerequisites
Interfaces Must be Defined
Interfaces must be defined and reachable by the master controller and the border router before an OER
managed network can be configured.

24 78-17876-01
Key Chain Authentication

Communication between the master controller and the border router is protected by key-chain
authentication. The authentication key must be configured on both the master controller and the border
router before communication can be established. The key-chain configuration is defined in Global
configuration mode on both the master controller and the border router before key-chain authentication
is enabled for master controller to border router communication. For more information about key
management in Cisco IOS software, refer to the “Managing Authentication Keys” section of the Cisco
IOS IP Configuration Guide, Release 12.3.
Restrictions
Token Ring Interfaces are not Supported
Token Ring interfaces are not supported by OER and cannot be configured as OER managed interfaces.
It may be possible to load a Token Ring interface configuration under certain conditions. However, the
Token Ring interface will not become active and the border router will not function if the Token Ring
interface is the only external interface on the border router.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. exit
8. oer master
9. port port-number
10. logging
11. border ip-address [key-chain key-chain-name]
12. interface type number external
13. interface type number internal
14. exit
15. keepalive timer
16. mode {monitor {active | both | passive} | route {control | metric {bgp local-pref preference |
static tag value} observe | select-exit {best | good}}
17. learn
18. throughput
19. end

78-17876-01 25
DETAILED STEPS
Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters Global configuration mode.
Example:
Router# configure terminal
Step 3 key chain name-of-chain Enables key-chain authentication.
• Key-chain authentication protects the communication
Example: session between the master controller and the border
Router(config)# key chain OER router. The key ID and key string must match in order
for communication to be established.
Step 4 key key-id Identifies an authentication key on a key chain.
• The key ID must match the key ID configured on the
Example: border router.
Router(config-keychain)# key 1
Step 5 key-string text Specifies the authentication string for the key.
• The authentication string must match the authentication
Example: string configured on the border router.
Router(config-keychain-key)# key-string CISCO
• Any encryption level can be configured.
Step 6 exit Exits key chain key configuration mode, and enters key
chain configuration mode.
Example:
Router(config-keychain-key)# exit
Step 7 exit Exits key chain configuration mode, and enters Global
configuration mode.
Example:
Router(config-keychain)# exit
Step 8 oer border | master Enters OER master controller configuration mode to
configure a router as a master controller.
Example: • A master controller and border router process can be
Router(config)# oer master enabled on the same router. For example, in a network
that has a single router with two exit links to different
service providers.
Step 9 port port-number (Optional) Configures a dynamic port for communication
between the master controller and border router.
• Communication cannot be established until the same
port number has been configured on both the master
controller and the border router.

26 78-17876-01

Note Manual port number configuration is required to
establish OER communication only when running
Cisco IOS Release 12.3(8)T.
Example:
Router(config-oer-mc)# port 65534
Step 10 logging Enables syslog event logging for a master controller or
border router process.
Example: • The notice level of syslog is enabled by default.
Router(config-oer-mc)# logging
Step 11 border ip-address [key-chain key-chain-name] Enters OER managed border router configuration mode to
establish communication with a border router.
Example: • An IP address is configured to identify the border
Router(config-oer-mc)# border 10.100.1.1 router.
key-chain OER
• At least one border router must be specified to create an
OER managed network. A maximum of 10 border
routers can be controlled by a single master controller.
• The value for the key-chain-name argument must match
the key-chain name configured in Step 3.
Note The key-chain keyword and argument must be
entered when a border router is initially configured.
However, this keyword is optional when
reconfiguring an existing border router.
Step 12 interface type number external Configures a border router interface as an OER managed
external interface.
Example: • External interfaces are used to forward traffic and for
Router(config-oer-mc-br)# interface Ethernet active monitoring.
0/0 external
• A minimum of two external border router interfaces are
required in an OER managed network. At least 1
external interface must be configured on each border
router. A maximum of 20 external interfaces can be
controlled by single master controller.
Tip Configuring an interface as external also enters
OER Border Exit configuration mode. In this mode
you can configure maximum link utilization or
cost-based optimization for the interface.
Note Entering the interface command without the

external or internal keyword, places the router in
Global configuration mode and not OER Border
Exit configuration mode. The no form of this
command should be applied carefully so that active
interfaces are not removed from the router
configuration.

78-17876-01 27

Step 13 interface type number internal Configures a border router interface as an OER controlled
internal interface.
Example: • Internal interfaces are used for passive monitoring only.
Router(config-oer-mc-br)# interface Ethernet Internal interfaces do not forward traffic.
0/1 internal
• At least one internal interface must be configured on
each border router.
Step 14 exit Exits OER managed border router configuration mode, and
enters OER master controller configuration mode.
Example:
Router(config-oer-mc-br)# exit
Step 15 keepalive timer (Optional) Configures the length of time that an OER
master controller will maintain connectivity with an OER
border router after no keepalive packets have been received.
Example:
Router(config-oer-mc)# keepalive 10 • The example sets the keep alive timer to 10 seconds.
Step 16 mode {monitor{active | both | passive} | route Configures route monitoring or route control on an OER
{control | metric {bgp local-pref preference | master controller. The route keyword is used to enable
static tag value} observe | select-exit {best |
good}}
control mode or observe mode.
• In control mode, the master controller analyzes
monitored prefixes and implements changes based on
Example:
policy parameters.
Router(config-oer-mc)# mode route control
• In observe mode, the master controller analyzes
monitored prefixes, reports the changes that should be
made, but does not implement any changes.
Step 17 learn Enters OER Top Talker and Top Delay learning
configuration mode to enable prefix learning.
Example: • Prefixes can be learned based on highest outbound
Router(config-oer-mc)# learn throughput or lowest delay.
Step 18 throughput Configures OER to learn the top prefixes based on the
highest outbound throughput.
Example: • The master controller uses the list of Top Talker
Router(config-oer-mc-learn)# throughput prefixes to select the exit with the highest throughput
when the periodic timer expires or immediately if a
prefix becomes unreachable.
Step 19 end Exits OER Top Talker and Top Delay learning configuration
mode, and enters privileged EXEC mode.
Example:
Router(config-oer-mc-learn)# end

28 78-17876-01
Examples
The following configuration example, starting in Global configuration mode, shows the minimum
configuration required to configure a master controller process to control an OER managed network:
A key-chain configuration named OER is defined in Global configuration mode.
Router(config)# key chain OER
The master controller is configured to communicate with the 10.100.1.1 and 10.200.2.2 border routers.
The keep alive interval is set to 10 seconds. Route control mode is enabled. Internal and external OER
controlled border router interfaces are defined.
Router(config)# oer master
Router(config-oer-mc)# keepalive 10
Router(config-oer-mc)# border 10.100.1.1 key-chain OER
Router(config-oer-mc-br)# interface Ethernet 0/0 external
Router(config-oer-mc-br)# interface Ethernet 0/1 internal
Router(config-oer-mc)# exit
Automatic prefix learning based on highest outbound throughput is enabled.

Router(config-oer-mc)# learn
Router(config-oer-mc-learn)# throughput
What to Do Next
Border routers must be configured to complete the minimum configuration of the OER managed
network. Proceed to the next section to see instructions for configuring the border routers.
Minimum Border Router Configuration

This section describes the minimum required steps to configure a border router process. In this section,
the following tasks are completed:
• Communication is established between the border router and master controller.
• The communication session is protected by key-chain authentication.
• A local interface is configured as the source for communication with the master controller.
• External interfaces are configured as OER managed exit links.
Border Router
• The border router is an enterprise edge router with one or more exit links to an ISP or other
participating network.

78-17876-01 29
• The border router is deployed on the edge of the network, so the border router must be in the
forwarding path.
• A border router process can be enabled on the same router as a master controller process.
Interface Configuration
• Each border router must have at least one external interface that is used to connect to an ISP or is
used as an external WAN link. A minimum of two are required in an OER managed network.
• Each border router must have at least one internal interface. Internal interfaces are used for only
passive performance monitoring with NetFlow. Internal interfaces are not used to forward traffic.
• Each border router must have at least one local interface. Local interfaces are used for only master
controller and border router communication. A single interface must be configured as a local
interface on each border router.
Tip If a master controller and border router process is enabled on the same router, a loopback interface
should be configured as the local interface.
Disabling a Border Router Process

To disable a border router and completely remove the process configuration from the running-config file,
use the no oer border command in Global configuration mode.
To temporarily disable a border router process, use the shutdown command in OER border router
configuration mode. Entering the shutdown command stops an active border router process but does not
remove any configuration parameters. The shutdown command is displayed in the running-config file
when enabled.
Prerequisites
Interfaces Must be Defined
Interfaces must be defined and reachable by the master controller and the border router before an OER
managed network can be configured.
Restrictions
Internet Exchange Point over Broadcast Media
Internet exchange points where a border router can communicate with several service providers over the
same broadcast media are not supported.
Border Exits Cannot use the Same Next Hop

When two or more border routers are deployed in an OER managed network, the next hop to an external
network on each border router, as installed in the RIB, cannot be an IP address from the same subnet as
the next hop on the other border router.

30 78-17876-01
SUMMARY STEPS
1. enable
3. key chain name-of-chain
4. key key-id
5. key-string text
6. exit
7. exit
8. oer border
9. port port-number
10. local type number
11. master ip-address key-chain key-chain-name
12. end
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 key chain name-of-chain Enables key-chain authentication.
• Key-chain authentication protects the communication
Example: session between the both the master controller and the
Router(config)# key chain OER border router. The key ID and key string must match in
order for communication to be established.
Step 4 key key-id Identifies an authentication key on a key chain.
• The key ID must match the key ID configured on the
Example: master controller.
Step 5 key-string text Specifies the authentication string for the key.
• The authentication string must match the authentication
Example: string configured on the master controller.
• Any level of encryption can be configured.
Step 6 exit Exits key chain key configuration mode, and enters key
chain configuration mode.
Example:

78-17876-01 31

Step 7 exit Exits key chain configuration mode, and enters Global
configuration mode.
Example:
Step 8 oer border | master Enters OER border router configuration mode to configure
a router as a border router.
Example: • The border router must be in the forwarding path and
Router(config)# oer border contain at least one external and internal interface.
Step 9 port port-number (Optional) Configures a dynamic port for communication
between an OER master controller and border router.
Example: • Communication cannot be established until the same
Router(config-oer-br)# port 65535 port number has been configured on both the border
router and the master controller.
Note Manual port number configuration is required to
establish OER communication only when running
Cisco IOS Release 12.3(8)T.
Step 10 local type number Identifies a local interface on an OER border router as the
source for communication with an OER master controller.
Example: • A local interface must be defined.
Router(config-oer-br)# local Ethernet 0/1
Tip A loopback should be configured when a single
router is configured to run both a master controller
and border router process.
Step 11 master ip-address key-chain key-chain-name Enters OER managed border router configuration mode to
establish communication with a master controller.
Example: • An IP address is used to identify the master controller.
Router(config-oer-br)# master 192.168.1.1
key-chain OER
• The value for the key-chain-name argument must match
the key-chain name configured in Step 3.
Step 12 end Exits OER Top Talker and Top Delay learning configuration
mode, and enters privileged EXEC mode.
Example:
Router(config-oer-br)# end
Examples
The following configuration example, starting in Global configuration mode, shows the minimum
required configuration to enable a border router:
The key-chain configuration is defined in Global configuration mode.

32 78-17876-01
The key-chain OER is applied to protect communication. An interface is identified to the master
controller as the local source interface for OER communication.
Router(config)# oer border
Router(config-oer-br)# local Ethernet 0/1
Router(config-oer-br)# master 192.168.1.1 key-chain OER
What to Do Next
Prefix learning based on the highest outbound throughput was enabled in the “Minimum Master
Controller Configuration” section. Proceed to the next section to see more information about configuring
and customizing prefix learning on the master controller.
Configuring Prefix Learning

This section describes the commands that are used to configure prefix learning on a master controller in
OER Top Talker and Top Delay configuration mode. The learn command is entered in OER master
controller configuration mode and is required to enter OER Top Talker and Top Delay configuration
mode. All commands described in this section are optional.
The tasks described in this section allow you to configure the following:
• Prefix learning based on highest outbound throughput or lowest delay time
• Port and protocol based prefix learning
• Prefix learning period timers and intervals
• Maximum number of prefixes that can be learned
Defaults
The following defaults are applied when a prefix learning is enabled:
• Aggregation is performed based on a /24 prefix length
• Up to five host addresses are learned for active monitoring when a prefix is aggregated
• The top 100 traffic flows are learned
• The learning period is five minutes
• The interval between prefix learning periods is 120 minutes
SUMMARY STEPS
1. enable
3. oer master
4. learn
5. aggregation-type bgp | non-bgp | prefix-length prefix-mask
6. delay
7. monitor-period minutes
8. periodic-interval minutes

78-17876-01 33
9. prefixes number
10. protocol number | tcp | udp [port port-number | gt port-number | lt port-number | range
lower-number upper-number] [dst | src]
11. throughput
12. exit
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 oer master Enters OER master controller configuration mode to
configure a Cisco router as a master controller and to
configure master controller policy and timer settings.
Example:
Step 4 learn Enters OER Top Talker and Top Delay learning
configuration mode to configure prefix learning policies
and timers.
Example:
Step 5 aggregation-type bgp | non-bgp | prefix-length (Optional) Configures a master controller to aggregate
prefix-mask learned prefixes based on traffic flow type.
• The bgp keyword configures prefix aggregation based
Example: on entries in the BGP routing table. This keyword is
Router(config-oer-mc-learn)# aggregation-type used if iBGP peering is enabled in the internal network.
bgp
• The non-bgp keyword configures learned prefix
aggregation based on static routes. Entries in the BGP
routing table are ignored when this keyword is entered.
• The prefix-length keyword configures aggregation
based on the specified prefix length. The range of
values that can be configured for this argument is a
prefix mask from 1 to 32.
• The example configures BGP prefix aggregation.
Step 6 delay (Optional) Enables prefix learning based on the lowest
delay time (round-trip response time).
• When this command is enabled, the master controller
learn prefixes based on the lowest delay time. The
master controller measures the delay for monitored
prefixes when this command is enabled.

34 78-17876-01

• The master controller uses the list of Top Delay
prefixes to select the prefixes with the lowest delay
time.
Example:
Router(config-oer-mc-learn)# delay • The example configures a master controller to learn top
prefixes based on the lowest delay.
Step 7 monitor-period minutes Sets the time period that an OER master controller learns
traffic flows.
Example: • The length of time between monitoring periods is
Router(config-oer-mc-learn)# monitor-period 10 configured with the periodic-interval command.
• The number of prefixes that are learned is configured
with the prefixes command.
• The example sets the length of each monitoring period
to 10 minutes.
Step 8 periodic-interval minutes Sets the time interval between prefix learning periods.
• The length of time of the learning period is configured
Example: with the monitor-period command.
Router(config-oer-mc-learn)# periodic-interval
20
• The number of prefixes that are learned is configured
with the prefixes command.
• The example sets the time interval between monitoring
periods to 20 minutes.
Step 9 prefixes number Sets the number of prefixes that the master controller will
learn during the monitoring period.
Example: • The length of time of the learning period is configured
Router(config-oer-mc-learn)# prefixes 200 with the monitor-period command.
• The length of time between monitoring periods is
configured with the periodic-interval command.
• The example configures a master controller to learn 200
prefixes during each monitoring period.
Step 10 protocol protocol-number | tcp | udp [port Configures the master controller to learn prefixes based on
port-number | gt port-number | lt port-number | a protocol number, TCP or UDP port number, or a range of
range lower-number upper-number] [dst | src]
port numbers.
• Filtering based on a specific protocol is configured with
the protocol-number argument.
• TCP or UDP based filtering is enabled by configuring
the tcp or udp argument.
• Port based filtering is enabled by configuring the port
keyword. Port number ranges can be filtered based on
greater-than or equal-to and less-than or equal-to
filtering, or can be filtered by specifying a starting and
ending port numbers with the range keyword.
• Prefix destination or source based filtering is enabled
by configuring the dst or src keywords.

78-17876-01 35

• The example configures a master controller to learn
EIGRP prefixes during each monitoring period.
Example:
Router(config-oer-mc-learn)# protocol 88
Step 11 throughput Configures the master controller to learn the top prefixes
based on the highest outbound throughput.
Example: • When this command is enabled, the master controller
Router(config-oer-mc-learn)# throughput will learn the top prefixes across all border routers
according to the highest outbound throughput.
• The example configures a master controller to learn the
top prefixes based on highest outbound throughput.
Step 12 exit Exits OER Top Talker and Top Delay learning and
configuration mode, and enters global configuration mode.
Example:
What to Do Next
This section shows how to configure a master controller to automatically learn prefixes to monitor.
Prefixes can also be manually selected for monitoring. Proceed to the next section to see information
about manually importing prefixes.
Manually Selecting Prefixes for Monitoring

This section describes how to manually select prefixes for monitoring. An IP prefix list is created to
define the prefix or prefix range. The prefix list is then imported into the central policy database by
configuring a match clause in an OER map. The following IP prefix list configuration options are
supported:
• An exact prefix (/32)
• A specific prefix length and any subset (for example, a /24 under a /16)
• A specific prefix and all more specific routes (le 32)
• All prefixes (0.0.0.0/0)
Manually Excluding Prefixes

An IP prefix list with a deny statement is used to configure the master controller to exclude a prefix or
prefix length. Deny prefix list sequences should be applied in the lowest oer-map sequences for best
performance.

36 78-17876-01
OER Map Operation

The operation of an OER map is similar to the operation of a route-map. An OER map is configured to
select an IP prefix list or OER learn policy using a match clause and then to apply OER policy
configurations using a set clause. The OER map is configured with a sequence number like a route-map,
and the OER map with the lowest sequence number is evaluated first.
SUMMARY STEPS
1. enable
3. ip prefix-list list-name [seq seq-value] {deny network/length | permit network/length} [le le-value]
4. oer-map map-name sequence-number
5. match ip address prefix-list name
6. end
DETAILED STEPS

Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Step 3 ip prefix-list list-name [seq seq-value] {deny Creates a prefix list to manually select prefixes for
network/length | permit network/length} [le monitoring.
le-value]
• A master controller can monitor and control an exact
prefix of any length including the default route. The
Example: master controller acts only on the configured prefix.
Router(config)# ip prefix-list PREFIXES seq 20
permit 192.168.1.0/24 • A master controller can monitor and control an
inclusive prefix using the le 32 option. The master
controller acts on the configured prefix and forces any
more specific prefixes in the RIB to use the same exit.
Note This option should not be needed in typical
deployments, and should be applied carefully.
• The example creates an IP prefix list for OER to

monitor and control the exact prefix, 192.168.1.0/24
Step 4 oer-map map-name sequence-number Enters oer-map configuration mode to create or configure
an OER map.
• OER map operation is similar to that of route-maps.
• Only a single match clause can be configured for each
oer-map sequence.

78-17876-01 37

• Common and deny sequences should be applied to
lowest oer-map sequence for best performance.
Example: • The example creates an oer-map named IMPORT.
Router(config)# oer-map IMPORT 10
Step 5 match ip address prefix-list name Creates a prefix list match clause entry in an oer-map to
apply OER policies.
Example: • This command supports IP prefix lists only.
Router(config-oer-map)# match ip address
prefix-list PREFIXES
• The example configures the prefix list PREFIXES.
Step 6 end Exits oer-map configuration mode, and enters privileged
EXEC mode.
Example:
Router(config-oer-map)# end
Examples
The following example creates an oer-map named PREFIXES that matches traffic defined in the IP
prefix lists named EXCLUDE and IMPORT. The prefix-list named EXCLUDE defines a deny sequence
for all prefixes or host routes in the 192.168.0.0/16 subnet. The master controller will exclude these
prefixes from the master controller database. The prefix-list named IMPORT defines a permit sequence
to manually import the exact prefix 10.4.9.0/24.
Router(config)# ip prefix-list seq 10 EXCLUDE deny 192.168.0.0/16 le 32
Router(config)# ip prefix-list seq 10 IMPORT permit 10.4.9.0/24
Router(config)# !
Router(config)# oer-map PREFIXES 10
Router(config-oer-map)# match ip address prefix-list EXCLUDE
Router(config-oer-map)# exit
Router(config)# oer-map PREFIXES 20
Router(config-oer-map)# match ip address prefix-list IMPORT
Tip Notice that the deny prefix list is configured with the lowest oer-map sequence number. For best
performance, all deny sequences should be configured in same prefix list and applied to the lowest
oer-map sequence.
What to Do Next
Proceed to the next section to see information about configuring active probing.
Configuring Active Probing

This section describes how to enable active monitoring and how to configure active probing. Active
monitoring is enabled with the mode command, and active probing is configured with the active-probe
command in OER master controller mode. Active probes are configured with a specific host or target
address. Active probes are sourced on the border router. The active probe source external interface may
or may not be the preferred route for an optimized prefix.

38 78-17876-01
Active Probing over eBGP Peerings

For eBGP peering sessions, the IP address of the eBGP peer must be reachable from the border router
via a connected route in order for active probes to be generated.
ICMP Echo Probes

Configuring an ICMP echo probe does not require knowledgeable cooperation from the target device.
However, repeated probing could trigger an Intrusion Detection System (IDS) alarm in the target
network. If an IDS is configured in a target network that is not under your administrative control, we
recommend that you notify the target network administration entity.
Defaults
The following defaults are applied when a active monitoring is enabled:
• The border router collects up to five host addresses from the prefix for active probing when a prefix
is learned or aggregated.
• Active probes are sent once per minute.
• ICMP probes are used to actively monitor learned prefixes.
SUMMARY STEPS
1. enable
3. oer master
4. mode {monitor {active | both | passive} | route {control | metric {bgp local-pref preference |
5. active-probe {echo ip-address | tcp-conn ip-address target-port number | udp-echo ip-address
target-port number}
6. end
DETAILED STEPS

Example:
Router> enable
Example:
configure a router as a master controller and to configure
global operations and policies.
Example:

78-17876-01 39

{control | metric {bgp local-pref preference | master controller.
good}} • The monitor keyword is used to configure active
and/or passive monitoring.
Example: • The example enables both active and passive
Router(config-oer-mc)# mode monitor both monitoring.
Step 5 active-probe {echo ip-address | tcp-conn Configures an active probe for a target prefix.
ip-address target-port number | udp-echo
ip-address target-port number} • Active probing measures delay and jitter of the target
prefix more accurately than is possible with only
passive monitoring.
Example:
Router(config-oer-mc)# active-probe echo • Active Probing requires you to configure a specific host
10.5.5.55 or target address.
• Active probes are sourced from an OER managed
external interfaces. This external interface may or may
not be the preferred route for an optimized prefix.
• A remote responder with the corresponding port
number must be configured on the target device when
configuring an UDP echo probe or when configuring a
TCP connection probe that is configured with a port
number other than 23. The remote responder is
configured with the ip sla monitor responder Global
configuration command.
Step 6 end Exits OER master controller configuration mode, and enters
Privileged EXEC mode.
Example:
Router(config)# end
Note Configuring an ICMP echo probe does not require knowledgeable cooperation from the target device.
However, repeated probing could trigger an Intrusion Detection System (IDS) alarm in the target
network. If an IDS is configured in a target network that is not under your administrative control, we
recommend that you notify the target network administration entity.
Examples
ICMP Echo Example
The following example configures an active probe using an ICMP echo (ping) message. The 10.4.9.1
address is the target. No explicit configuration is required on the target device.
Router(config-oer-mc)# active-probe echo 10.4.9.1
TCP Connection Example

The following example configures an active probe using a TCP connection message. The 10.4.9.2
address is the target. The target port number must be specified when configuring this type of probe.
Router(config-oer-mc)# active-probe tcp-conn 10.4.9.2 target-port 23

40 78-17876-01
UDP Echo Example

The following example configures an active probe using UDP echo messages. The 10.4.9.3 address is
the target. The target port number must be specified when configuring this type of probe, and a remote
responder must also be enabled on the target device.
Router(config-oer-mc)# active-probe udp-echo 10.4.9.3 target-port 1001
UDP Remote Responder Example

The following example configures an RTR responder on a border router to send IP SLAs control packets
in response to UDP active probes. The port number must match the number that is configured for the
active probe.
Border-Router(config)# ip sla monitor responder type udpEcho port 1001
TCP Remote Responder Example

The following example configures an RTR responder on a border router to send IP SLAs control packets
in response to TCP active probes. The remote responder must be configured for TCP active probes that
do not use the TCP well-known port number 23.
Border-Router(config)# ip sla monitor responder type tcpConnect port 49152
Note A remote responder is required for TCP connection probes only when a port other than 23 is configured.
What to Do Next
If you need to configure a specific interface as the source for active monitoring, proceed to the next
section for more information.
Configuring the Source Address of an Active Probe

The section describes how to specify the source interface for active probing. The active probe source
interface is configured on the border router with the active-probe address source in OER border router
configuration mode. The active probe source interface IP address must be unique to ensure that the probe
reply is routed back to the specified source interface.
Defaults
• The source IP address is used from the default OER external interface that transmits the active probe
when this command is not enabled or if the no form is entered.
• If the interface is not configured with an IP address, the active probe will not be generated.
• If the IP address is changed after the interface has been configured as an active probe source, active
probing is stopped, and then restarted with the new IP address.
• If the IP address is removed after the interface has been configured as an active probe source, active
probing is stopped and not restarted until a valid primary IP address is configured.
SUMMARY STEPS
1. enable

78-17876-01 41
3. oer border
4. active-probe address source interface type number
5. end
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 oer border Enters OER border router configuration mode to configure
a router as a border router.
Example:
Step 4 active-probe address source interface type Configures an interface on a border router as the
number active-probe source.
• The example configures interface FastEthernet 0/0 as
Example: the source interface.
Router(config-oer-br)# active-probe address
source interface FastEthernet 0/0
Step 5 end Exits OER border router configuration mode, and enters
Example:
Example
The following example, starting in Global configuration mode, configures FastEthernet 0/0 as the
active-probe source interface.
Router(config-oer-br)# active-probe address source interface FastEthernet 0/0
What to Do Next
Traceroute reporting can be enable to gather hop-by-hop delay, loss, reachability statistics. Proceed to
the next section for more information.
Configuring Traceroute Reporting

This section describes how to configure trace route reporting. Traceroute reporting is configured on a
master controller. Traceroute probes are sourced from the current border router exit.

42 78-17876-01
Continuous and policy based traceroute reporting is configured with the set traceroute reporting
oer-map configuration mode command. The time interval between traceroute probes is configured with
the traceroute probe-delay command in OER master controller configuration mode. On-demand
traceroute probes are triggered by entering the show oer master prefix command with the traceroute
and now keywords.
Defaults
When traceroute reporting is enabled, the default time interval between traceroute probes is 1000
milliseconds.
SUMMARY STEPS
1. enable
3. oer master
4. traceroute probe-delay milliseconds
5. exit
7. match oer learn delay | throughput
8. set traceroute reporting [policy {delay | loss | unreachable}]
9. end
10. show oer master prefix [detail | learned [delay | throughput] | prefix [detail | policy |
traceroute [exit-id | border-address | current] [now]]]
DETAILED STEPS

Example:
Router> enable
Example:
Example:
Step 4 traceroute probe-delay milliseconds Sets the time interval between traceroute probe cycles.
• The example sets the probe interval to a 10000
Example: milliseconds.
Router(config-oer-mc)# traceroute probe-delay
1000

78-17876-01 43

Step 5 exit Exits OER master controller configuration mode, and enters
Global configuration mode.
Example:
Step 6 oer-map map-name sequence-number Enters oer-map configuration mode to configure an oer-map
to apply policies to selected IP prefixes.
Example: • Only one match clause can be configured for each
Router(config)# oer-map TRACE 10 oer-map sequence.
• The example creates and OER map named
TRACEROUTE.
Step 7 match oer learn delay | throughput Creates a match clause entry in an oer-map to match learned
prefixes.
Example: • Can be configured to learn prefixes based on lowest
Router(config-oer-map)# match oer learn delay delay or highest outbound throughput.
oer-map sequence.
• The example creates a match clause entry that matches
traffic learned based on lowest delay.
Step 8 set traceroute reporting [policy {delay | loss Configures an OER map to enable traceroute reporting.
| unreachable}]
• Monitored prefixes must be included in an OER map.
These can be learned or manually selected prefixes.
Example:
Router(config-oer-map)# set traceroute
• Entering this command with no keywords enables
reporting continuous monitoring.
• Entering this command the policy keyword enables
policy-based trace route reporting.
Example:
Step 10 show oer master prefix [detail | learned [delay Displays the status of monitored prefixes.
| throughput] | prefix [detail | policy |
traceroute [exit-id | border-address | current] • An on-demand traceroute probe is initiated by entering
[now]]] the current and now keywords.
• The current keyword displays the results of the most
recent traceroute probe for the current exit.
• Traceroute probe results can be displayed for the
specified border router exit by entering the exit-id or
border-address keyword.
• The example initiates an on-demand traceroute probe
for the 10.5.5.55 prefix.
Example:
Router# show oer master prefix 10.5.5.5
traceroute now

44 78-17876-01
Example
The following example, starting in Global configuration mode, configures continuous traceroute
reporting for prefix learned based on delay:
Router(config-oer-mc)# traceroute probe-delay 10000
Router(config)# oer-map TRACE 10
Router(config-oer-map)# match oer learn delay
Router(config-oer-map)# set traceroute reporting
The following example, starting in Privileged EXEC mode, initiates an on-demand traceroute probe for
the 10.5.5.5 prefix:
Router# show oer master prefix 10.5.5.55 traceroute current now
Path for Prefix: 10.5.5.0/24 Target: 10.5.5.5
Exit ID: 2, Border: 10.1.1.3 External Interface: Et1/0
Status: DONE, How Recent: 00:00:08 minutes old
Hop Host Time(ms) BGP
1 10.1.4.2 8 0
2 10.1.3.2 8 300
3 10.5.5.5 20 50
What to Do Next
In the “Minimum Master Controller Configuration” section prefix learning based on highest outbound
throughput is configured and only default prefix and exit link policies are enabled, using global settings.
Proceed to the next section to configure and customize global prefix and exit link policies.
Configuring Prefix and Exit Link Policies

This section describes commands that are used to configure global prefix and exit link policies in OER
master controller configuration mode. The oer master command is required to enter OER master
controller configuration mode. All other command listed in this section are optional.
Prefix Policies
A prefix policy is a set of rules that govern the performance characteristics for a network address. The
network address can be a single end point within a network or an entire subnet. A prefix is defined as
any network number with a prefix mask applied to it. The performance characteristics that are managed
by a prefix policy are reachability, delay, and packet loss.
Note Prefix policies will always override exit link policies.

78-17876-01 45
Exit Link Policies

An exit link policy is a set of rules that govern the performance of an OER managed exit link. Prefixes
are moved to another exit link to bring an exit link in-policy. The performance characteristics that are
managed by a link policy are traffic load distribution, link utilization (range), and link bandwidth
monetary cost. An exit link policy can define total outbound throughput or total link utilization.Exit link
utilization policies can be defined for a single exit link or all OER managed exit links.
Tip When enabling Cisco IOS OER for load distribution, we recommend that you set the interface load
calculation on OER managed external interfaces to 30 second intervals with the load-interval interface
configuration command (The default calculation interval is 300 seconds). The load calculation is
configured under interface configuration mode on the border router. This configuration is not required.
It is recommended to allow Cisco IOS OER to respond as quickly as possible to load distribution issues.
Adjusting Cisco IOS OER Timers

Configuring a new timer value will immediately replaces the existing value if the new value is less than
the time remaining. If the new value is greater than the time remaining, the new timer value will be used
when the existing timer is reset.
Note Over aggressive settings can keep an exit link or prefix in an out-of-policy state.
SUMMARY STEPS
1. enable
3. oer master
4. backoff min-timer max-timer [step-timer]
5. delay relative percentage | threshold maximum
6. holddown timer
7. loss relative average | threshold maximum
8. max-range-utilization percent maximum
9. periodic timer
10. unreachable relative average | threshold maximum

46 78-17876-01
DETAILED STEPS

Example:
Router> enable
Example:
configure global prefix and exit link policies.
Example:
Step 4 backoff min-timer max-timer [step-timer] Sets the backoff timer to adjust the time period for prefix
policy decisions.
Example: • The min-timer argument is used to set the minimum
Router(config-oer-mc)# backoff 400 4000 400 transition period in seconds.
• The max-timer argument is used to set the maximum
length of time OER holds an out-of-policy prefix when
there are no OER controlled in-policy prefixes.
• The step-timer argument allows you to optionally
configure OER to add time each time the minimum
timer expires until the maximum time limit has been
reached.
Step 5 delay relative percentage | threshold maximum Sets the delay threshold as a relative percentage or as an
absolute value.
Example: • The relative keyword is used to configure a relative
Router(config-oer-mc)# delay relative 800 delay percentage. The relative delay percentage is
based on a comparison of short-term and long-term
measurements.
• The threshold keyword is used to configure the
absolute maximum delay period in milliseconds.
• If the configured delay threshold is exceeded, then the
prefix is out-of-policy.
• The example sets a delay threshold of 80 percent based
on a relative average.
Step 6 holddown timer Configures the prefix route dampening timer to set the
minimum period of time that a new exit must be used before
an alternate exit can be selected.
• OER does not implement policy changes while a prefix
is in the holddown state.
• When the holddown timer expires, OER will select the
best exit based on performance and policy
configuration.

78-17876-01 47

• An an immediate route change will be triggered if the
current exit for a prefix becomes unreachable.
Example: • The example sets the prefix route dampening timer to
Router(config-oer-mc)# holddown 600 600 seconds.
Step 7 loss relative average | threshold maximum Sets the relative or maximum packet loss limit that OER
will permit for an exit link.
Example: • The relative keyword sets a relative percentage of
Router(config-oer-mc)# loss relative 200 packet loss based on a comparison of short-term and
long-term packet loss percentages.
• The threshold keyword sets the absolute packet loss
based on packets per million.
• The example configures the master controller to search
for a new exit link when the relative percentage of
packet loss is equal to or greater than 20 percent.
Step 8 max-range-utilization percent maximum Sets the maximum utilization range for all OER managed
exit links for load distribution.
Example: • OER will equalizes traffic across all exit links by
Router(config-oer-mc)# max-range-utilization 80 moving prefixes from over utilized or out-of-policy
exits to in-policy exits.
• If exit link utilization is equal to or greater than the
configured or default maximum utilization value, OER
will select an optimal exit link to bring the affected
prefixes back into policy.
• The example sets the maximum utilization range for
OER managed exit links to 80 percent:
Step 9 periodic timer Configures OER to periodically select the best exit link
when the periodic timer expires.
Router(config-oer-mc)# periodic 300 will periodically evaluate and then make policy
decisions for OER managed exit links.
• The mode command is used to determine if OER
selects the first in-policy exit or the best available exit
when this timer expires.
• The example sets the periodic timer to 300 seconds.
When the timer expires OER will select either the best
exit or the first in-policy exit.
Step 10 unreachable relative average | threshold Sets the maximum number of unreachable hosts.
maximum
• Specifies the relative percentage or the absolute
maximum number of unreachable hosts, based on flows
per million (fpm). If the absolute number or relative
percentage of unreachable hosts is greater than the
user-defined or the default value, OER determines that
the exit link is out-of-policy and searches for an
alternate exit link.

48 78-17876-01

• The relative keyword is used to configure the relative
percentage of unreachable hosts. The relative
unreachable host percentage is based on a comparison
Example:
Router(config-oer-mc)# unreachable relative 100
of short-term and long-term measurements.
absolute maximum number of unreachable hosts based
on fpm.
• The example configures OER to search for a new exit
link when the relative percentage of unreachable hosts
is equal to or greater than 10 percent.
Examples
Loss Policy Example
The following example configures the master controller to move prefixes to an in-policy exit link when
the relative percentage of packet loss is equal to or greater than 20 percent:
Router(config-oer-mc)# loss relative 200
Delay Policy Example

The following example sets the absolute delay threshold to 100 milliseconds:
Router(config-oer-mc)# delay threshold 100
Prefix Timer Policy Example

The following example adjusts the period of time that the master controller holds prefixes during
transition states and the period time that the prefix must use an exit before a new exit can be selected.
The backoff command sets the minimum timer to 400 seconds, the maximum timer to 4000 seconds, and
the step timer to 400 seconds. The holddown command sets the prefix route dampening timer to 10
minutes.
Router(config-oer-mc)# backoff 400 4000 400
Router(config-oer-mc)# holddown 600
Exit Link Selection Example

The following example configures the master controller to evaluate OER managed exit links every 5
minutes and then move out-of-policy prefixes to the first in-policy exit.
Router(config-oer-mc)# periodic 300
Router(config-oer-mc)# mode select-exit good
Load Distribution Example

The following examples configures the master controller to set the maximum utilization range for OER
managed exit links to 40 percent:
Router(config-oer-mc)# max-range-utilization 40
What to Do Next
To configure exit link policies based on the monetary cost of the exit links in your network, proceed to
the next section for more information.

78-17876-01 49
Configuring Cost-Based Optimization

This section describes how to configure cost-based optimization. Cost-based optimization is configured
on a master controller with the cost-minimization command in OER border exit interface configuration
mode (under the external interface configuration). Cost-based optimization supports tiered and fixed
billing methods.
SUMMARY STEPS
1. enable
3. oer master
4. border ip-address [key-chain key-chain-name]
6. cost-minimization {calc {combined | separate | sum} | discard [daily] {absolute number |
percent percentage} | end day-of-month day [offset hh:mm] | fixed fee [cost] | nickname name |
sampling period minutes [rollup minutes] | summer-time {start end} [offset] | tier percentage
fee]}
7. end
DETAILED STEPS

Example:
Router> enable
Example:
Example:
Step 4 border ip-address [key-chain key-chain-name] Enters OER managed border router configuration mode to
Example: Note The key-chain keyword is required only for initial
Router(config-oer-mc)# border 10.100.1.1 border router configuration.
key-chain OER
Step 5 interface type number external Enters OER Border Exit configuration mode to configure a
border router interface as an external interface.
Example: • At least one external interface must be configured on
Router(config-oer-mc-br)# interface Ethernet each border router.
0/0 external

50 78-17876-01

Step 6 cost-minimization {calc {combined | separate | Configures cost-based optimization policies on a master
sum} | discard [daily] {absolute number | controller.
percent percentage} | end day-of-month day
[offset hh:mm] | fixed fee [cost] | nickname • Cost-based optimization supports fixed or tier based
name | sampling period minutes [rollup minutes] billing, inbound and outbound cost measurements, and
| summer-time {start end} [offset] | tier
very granular sampling.
percentage fee]
• The calc keyword is used to configure how the fee is
calculated. You can configure the master controller to
Example: combine ingress and egress samples, to first add and
Router(config-oer-mc-br-if)# cost-minimization
calc combined
then combine, or to analyze ingress and egress samples
separately.
• The discard keyword is used to configure the number
Example:
of samples that are removed for bursty link usage. It is
end day-of-month 30 180 specified as a percentage or as an absolute value. If a
sampling rollup is configured, the discard values also
applies to the rollup. If the daily keyword is entered,
Example: samples are analyzed and discarded on a daily basis. At
Router(config-oer-mc-br-if)# cost-minimization the end of the billing cycle, monthly sustained usage is
tier 100 fee 1000
calculated by averaging daily sustained utilization.
tier 90 fee 900 • The end keyword is used to configure the last day of the
billing cycle. Entering the offset keyword allows you to
tier 80 fee 800
adjust the end of the cycle to compensate for an service
provider in a different zone.
• The fixed keyword is configured when the service
provider bills for network access over the specified exit
link at a flat rate. The fee keyword is optionally used to
specify the exit link cost.
• The nickname keyword is used to apply label that
identifies the service provider.
• The sampling keyword is used to configure the time
intervals at which link utilization samples are gathered.
By default, the link is sampled every five minutes. The
rollup keyword is used to reduce the number of
samples by aggregating them. All samples collected
during the rollup period are averaged to calculate rollup
utilization.
Note The minimum number that can be entered for the
rollup period must be equal to or greater than the
number that is entered for the sampling period.
• The first example configures fee calculation based on

combined ingress and egress samples.
• The second example sets 30 as the billing end date, and
applies a three hour offset.
• The third example configures a tiered fee of 1000 at 100
percent utilization, a tiered fee of 900 at 90 percent
utilization, and a tiered fee of 800 at 80 percent
utilization.

78-17876-01 51

Step 7 end Exits OER border exit configuration mode, and enters
Example:
Router(config-oer-mc-br-if)# end
Examples
The following example, starting in Global configuration mode, configures cost-based optimization on a
master controller. Cost optimization configuration is applied under the external interface configuration.
A policy for a tiered billing cycle is configured. Calculation is configured separately for egress and
ingress samples. The time interval between sampling is set to 10 minutes. These samples are configured
to be rolled up every 60 minutes.
Router(config-oer-mc)# border 10.5.5.55 key-chain key
Router(config-oer-mc-br-if)# cost-minimization nickname ISP1
Router(config-oer-mc-br-if)# cost-minimization end day-of-month 30 180
Router(config-oer-mc-br-if)# cost-minimization calc separate
Router(config-oer-mc-br-if)# cost-minimization sampling 10 rollup 60
Router(config-oer-mc-br-if)# cost-minimization tier 100 fee 1000
Router(config-oer-mc-br-if)# exit
What to Do Next
To set the priority for multiple overlapping policies, proceed to the next section.
Configuring Resolve Policies

When configuring multiple policy parameters for a monitored prefix or set of prefixes, it is possible to
have multiple overlapping policies. The resolve function is a flexible mechanism that allows you to set
the priority for cost, delay, loss, utilization, and range policies. Each policy is assigned a unique value.
The policy with the highest priority is selected to determine the policy decision. By default, delay has
the highest priority and utilization has the second highest priority. Assigning a priority value to any
policy will override the default settings.
Setting Variance for Resolve Policies

When setting resolve settings, you can also set an allowable variance for a user-defined policy. Variance
configures the allowable percentage that an exit link or prefix can vary from the user-defined policy
value and still be considered equivalent. For example, if exit link delay is set to 80 percent and a 10
percent variance is configured, exit links that have delay values from 80 to 89 percent will be considered
equal. Variance cannot be configured for cost or range policies.
SUMMARY STEPS
1. enable

52 78-17876-01
3. oer master
4. resolve {cost priority value | delay priority value variance percentage | loss priority value
variance percentage | range priority value | utilization priority value variance percentage}
5. end
DETAILED STEPS

Example:
Router> enable
Example:
Example:
Step 4 resolve {cost priority value | delay priority Sets policy priority or resolves policy conflicts.
value variance percentage | loss priority value
variance percentage | range priority value | • This command is used to set priority when multiple
utilization priority value variance percentage} policies are configured for the same prefix. When this
command is configured, the policy with the highest
priority will be selected to determine the policy
Example:
decision.
Router(config-oer-mc)# resolve cost priority 1
Router(config-oer-mc)# resolve loss priority 2 • The priority keyword is used to specify the priority
variance 10 value. Setting the number 1 assigns the highest priority
Router(config-oer-mc)# resolve delay priority 3
variance 20
to a policy. Setting the number 10 assigns the lowest
priority.
• Each policy must be assigned a different priority
number.
• The variance keyword is used to set an allowable
variance for a user-defined policy. This keyword
configures the allowable percentage that an exit link or
prefix can vary from the user-defined policy value and
still be considered equivalent.
• The example sets the priority for cost policies to 1, the
priority for loss policies to 2 with a 10 percent variance,
the priority for delay policies to 3 with a 20 percent
variance.
Note Variance cannot be configured for range or cost
policies

78-17876-01 53

Example:
Router(config-oer-mc)# end
Examples
Resolve with Variance Policy Example.
The following example configures a resolve policy that sets delay to the highest priority, followed by
loss, and then utilization. The delay policy is configured to allow a 20 percent variance., the loss policy
is configured to allow a 30 percent variance, and the utilization policy is configured to allow a 10 percent
variance.
Router(config-oer-mc)# resolve delay priority 1 variance 20
Router(config-oer-mc)# resolve loss priority 2 variance 30
Router(config-oer-mc)# resolve utilization priority 3 variance 10
What to Do Next
Observe mode monitoring was enabled in the “Minimum Master Controller Configuration” section.
Proceed to the next section to see information about configuring and customizing the Cisco IOS OER
mode of operation.
Configuring Cisco IOS OER Modes of Operation

This section describes commands that are used to configure the mode of operation in OER master
controller configuration mode. The master controller can be configured to operate in observe mode or
control mode. A Cisco IOS OER managed network can be configured to use active and passive
monitoring or both active and passive monitoring. The oer master command is required to enter OER
master controller configuration mode.
Observe Mode
Observe mode monitoring is enabled by default. In observe mode, the master controller monitors
prefixes and exit links based on default and user-defined policies and then reports the status of the
network and the decisions that should be made but does not implement any changes. This mode allows
you to verify the effectiveness of this feature before it is actively deployed.
Control Mode
In control mode, the master controller coordinates information from the border routers and makes policy
decisions just as it does in observe mode. The master controller monitors prefixes and exits based on
default and user-defined policies but then implements changes to optimize prefixes and to select the best
exit. In this mode, the master controller gathers performance statistics from the border routers and then
transmits commands to the border routers to alter routing as necessary in the OER managed network.
Note Route redistribution is required when control mode is enabled on the master controller.

54 78-17876-01
Optimal Exit Link Selection

Cisco IOS OER can be configured to periodically select the Optimal Exit Link (OEL) from the available
ISP connections based on exit link performance. The master controller will move traffic from
over-utilized exit links to under-utilized exit links. Optimal Exit Link Selection (OELS) uses policy
configuration to manage prefix and exit link performance. Policy configuration can be customized to
your requirements. For example, a policy can be created to ensure that priority traffic is always routed
to the target network through the exit link with the highest outbound throughput or the lowest delay
(round-trip response time).
SUMMARY STEPS
1. enable
3. oer master
4. mode {monitor{active | both | passive} | route {control | metric {bgp local-pref preference |
DETAILED STEPS

Example:
Router> enable
Example:
Example:
{control | metric {bgp local-pref preference | master controller.
good}} • The monitor keyword is used to configure active
and/or passive monitoring. The first example enables
both active and passive monitoring.
Example:
Router(config-oer-mc)# mode monitor both • The route keyword is enable control mode or observe
mode. In control mode, the master controller analyzes
monitored prefixes and implemented changes based on
Example:
policy parameters. In observe mode, the master
controller analyzes monitored prefixes, reports the
changes that should be made, but does not implement
Example: any changes. The second example enable OER control
Router(config-oer-mc)# mode select-exit best mode.

78-17876-01 55

• The select-exit keyword is used to configure the master
controller to select either the best available exit when
the best keyword is entered and the first in-policy exit
when the good keyword is entered. The third example
configures the master controller to select the best
available exit for monitored prefixes.
Examples
The following example enables both active and passive monitoring, control mode, and sets the master
controller to evaluate and select the first in-policy exit every 5 minutes. (The monitored prefix is moved
only if the prefix is out-of-policy.) Active and passive monitoring is enabled with the mode monitor
both command. Route control is enabled with the mode route control command. The time period
between the exit selection process is configured with the periodic command. The selection of the first
in-policy exit is configured with the mode select-exit good command.
Router(config-oer-mc)# mode monitor both
Router(config-oer-mc)# periodic 300
What to Do Next
Proceed to the next section to see information about configuring OER policies with an oer-map.
Configuring OER Policies with an OER Map

This section describes commands that are used to configure policies to be applied to prefixes through an
OER Map. The oer-map command is required to enter oer-map 1configuration mode. All other
command listed in this section are optional.
Note Policies applied in an OER map do not override global policies. These policies are only applied to
prefixes that match the oer-map match criteria.
OER Map Operation

The operation of an OER map is similar to the operation of a route map. An OER map is designed to
select IP prefixes or to select OER learn policies using a match clause and then to apply OER policy
configurations using a set clause. The oer-map is configured with a sequence number like a route-map,
and the oer-map with the lowest sequence number is evaluated first. The operation of an OER map differs
from a route map at this point. There are two important distinctions:
• Only a single match clause may be configured for each sequence. An error message will be
displayed in the console if you attempt to configure multiple match clauses for a single OER map
sequence.

56 78-17876-01
• An OER map is not configured with permit or deny statements. However, a permit or deny sequence
can be configured for an IP traffic flow by configuring a permit or deny statement in an IP prefix list
and then applying the prefix list to the oer-map with the match ip address (OER) command. Deny
prefixes should be combined in a single prefix list and applied to the OER map with the lowest
sequence number.
IP Prefix Lists
Cisco IOS OER supports three IP prefix configuration options for importing prefixes. The master
controller can monitor and control an exact prefix (/32), a specific prefix length, and a specific prefix
length and any prefix that falls under the prefix length (for example, a /24 under a /16).
IP prefix list permit and deny statements are supported by Cisco IOS OER. An IP prefix list with a deny
statement can be used to exclude a prefix or prefix length. Any prefix length can be specified for a deny
IP prefix list.
Adjusting OER Timers

An oer-map can be used to configure OER timers for traffic that is defined as match criteria. Configuring
a new timer value will immediately replace the existing value if the new value is less than the time
remaining. If the new value is greater than the time remaining, the new timer value will be used when
the existing timer is reset.
SUMMARY STEPS
1. enable
3. ip prefix-list list-name [seq seq-value] {deny network/length | permit network/length} [ge
ge-value] [le le-value]
5. match ip address prefix-list prefix-list-name
6. match oer learn {delay | throughput }
7. set backoff min-timer max-timer [step-timer]
8. set delay relative percentage | threshold maximum
9. set holddown timer
10. set loss relative average | threshold maximum
11. set periodic timer
12. set resolve {cost priority value | delay priority value variance percentage | loss priority value
variance percentage | range priority value | utilization priority value variance percentage}
13. set unreachable relative average | threshold maximum

78-17876-01 57
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 ip prefix-list list-name [seq seq-value] {deny Creates an IP prefix list.
network/length | permit network/length} [ge
ge-value] [le le-value] • IP prefix lists are used to manual select prefixes for
monitoring by the master controller.
Example: • A master controller can monitor and control an exact

Router(config)# ip prefix-list OER seq 10 prefix (/32), a specific prefix length, and a specific
permit 10.4.9.0/24 prefix length and any prefix that falls under the prefix
length (for example, a /24 under a /16).
• A prefix range can also be selected using the le
keyword with a 32 bit prefix length.
• The prefixes specified in the IP prefix list are imported
into the oer-map with the match ip address (OER)
command.
• The example creates an IP prefix list that permits
prefixes from the 10.4.9.0/24 subnet.
Step 4 oer-map map-name sequence-number Enters oer-map configuration mode to configure an OER
map to apply policies to selected IP prefixes.
Example: • Only one match clause can be configured for each
Router(config)# oer-map THROUGHPUT 10 oer-map sequence.
• Deny sequences must be defined in an IP prefix list and
then applied with the match ip address (OER)
command.
• The example creates an oer-map named
THROUGHPUT.
Step 5 match ip address prefix-list prefix-list-name Creates a prefix list match clause entry in an OER map to
apply OER policies.
Example: • This command supports IP prefix lists only.
Router(config-oer-map)# match ip address
prefix-list OER
OER map sequence.
• The example configures the prefix list named OER as
match criteria in an OER map.

58 78-17876-01

Step 6 match oer learn delay | throughput Creates a match clause entry in an OER map to match OER
learned prefixes.
Example: • Prefixes can be configured to learn prefixes based on
Router(config-oer-map)# match oer learn delay lowest delay or highest outbound throughput.
OER map sequence.
• The example creates a match clause entry that matches
traffic learned based on lowest delay.
Step 7 set backoff min-timer max-timer [step-timer] Creates a set clause entry to configure the backoff timer to
adjust the time period for prefix policy decisions.
Example: • The min-timer argument is used to set the minimum
Router(config-oer-map)# set backoff 400 4000 transition period in seconds.
400
• The max-timer argument is used to set the maximum
length of time OER holds an out-of-policy prefix when
there are no OER controlled in-policy prefixes.
• The step-timer argument allows you to optionally
configure OER to add time each time the minimum
timer expires until the maximum time limit has been
reached.
• The example creates a set clause to configure the
minimum timer to 400 seconds, the maximum timer to
4000 seconds, and the step timer to 400 seconds for
traffic that is matched in the same oer-map sequence.
Step 8 set delay relative percentage | threshold Creates a set clause entry to configure the delay threshold.
maximum
• The delay threshold can be configured as a relative
percentage or as an absolute value for match criteria.
Example:
Router(config-oer-map)# set delay threshold
• The relative keyword is used to configure a relative
2000 delay percentage. The relative delay percentage is
based on a comparison of short-term and long-term
measurements.
absolute maximum delay period in milliseconds.
• The example creates a set clause that sets the absolute
maximum delay threshold to 2000 milliseconds for
traffic that is matched in the same oer-map sequence.
Step 9 set holddown timer Creates a set clause entry to configure the prefix route
dampening timer to set the minimum period of time that a
new exit must be used before an alternate exit can be
selected.
• The prefix route dampening timer to set the minimum
period of time that a new exit must be used before an
alternate exit can be selected.
• OER does not implement policy changes while a prefix
is in the holddown state.

78-17876-01 59

• The master controller puts a prefix in a holddown state
during an exit change to isolate the prefix during the
transition period to prevent the prefix from flapping due
Example: to rapid state changes.
Router(config-oer-map)# set holddown 400 • An immediate route change will be triggered if the
current exit for a prefix becomes unreachable.
• The example creates a set clause that sets the holddown
timer to 400 seconds for traffic that is matched in the
same oer-map sequence.
Step 10 set loss relative average | threshold maximum Creates a set clause entry to configure the relative or
maximum packet loss limit that the master controller will
permit for an exit link.
Example:
Router(config-oer-map)# set loss relative 200 • This command is used to configure an oer-map to
configure the relative percentage or maximum number
of packets that OER will permit to be lost during
transmission on an exit link. If packet loss is greater
than the user-defined or the default value, the master
controller determines that the exit link is out-of-policy.
packet loss percentage. The relative packet loss
percentage is based on a comparison of short-term and
long-term packet loss.
absolute maximum packet loss. The maximum value is
based on the actual number of packets per million that
have been lost.
• The example creates a set clause that configures the
relative percentage of acceptable packet loss to less
than 20 percent for traffic that is matched in the same
oer-map sequence.
Step 11 set mode {monitor {active | both | passive} | Creates a set clause entry to configure monitoring, control,
route {control | observe}| select-exit {best | or exit selection settings for matched traffic.
good}}
• The monitor keyword is used to configured active
and/or passive monitoring. The first example creates a
Example: set clause that enables both active and passive
Router(config-oer-map)# set mode monitor both
monitoring.
• The route keyword is enable control mode or observe
Example: mode. In control mode, the master controller analyzes
Router(config-oer-map)# set mode route control
monitored prefixes and implemented changes based on
policy parameters. In observe mode, the master
controller analyzes monitored prefixes, reports the
changes that should be made, but does not implement
any changes. The second example creates a set clause
that enables OER control mode.

60 78-17876-01

• The select-exit keyword is used to configure the master
controller to select either the best available exit when
the best keyword is entered or the first in-policy exit
Example:
Router(config-oer-map)# set mode select-exit
when the good keyword is entered. The third example
best creates a set clause that configures the master controller
to select the best available exit for matched prefixes.
Step 12 set periodic timer Creates a set clause entry to configure the time period for
the periodic timer.
Router(config-oer-map)# set periodic 300 will periodically evaluate and then make policy
decisions for OER managed exit links.
• The set mode command is used to determine if OER
selects the first in-policy exit or the best available exit
when this timer expires.
• The example creates a set clause that configures the
periodic timer to 300 seconds for traffic that is matched
in the same OER map sequence.
Step 13 set resolve {cost priority value | delay Creates a set clause entry to configure policy priority or
priority value variance percentage | loss resolve policy conflicts.
priority value variance percentage | range
priority value | utilization priority value • This command is used to set priority for a policy type
variance percentage} when multiple policies are configured for the same
prefix. When this command is configured, the policy
Example: with the highest priority will be selected to determine
Router(config-oer-map)# set resolve delay the policy decision.
priority 1 variance 10 • The priority keyword is used to specify the priority
value. Configuring the number 1 assigns the highest
priority to a policy. Configuring the number 10 assigns
the lowest priority.
• Each policy must be assigned a different priority
number.
• The variance keyword is used to set an allowable
variance for a user-defined policy. This keyword
configures the allowable percentage that an exit link or
prefix can vary from the user-defined policy value and
still be considered equivalent.
• Variance cannot be configured for range policies.
• The example creates set clause that configures the
priority for delay policies to 1 for traffic learned based
on highest outbound throughput. The variance is
configured to allow a 10 percent difference in delay
statistics before a prefix is determined to be
out-of-policy.

78-17876-01 61

Step 14 set unreachable relative average | threshold Creates a set clause entry to configure the maximum
maximum number of unreachable hosts.
• This command is used to specify the relative percentage
Example: or the absolute maximum number of unreachable hosts,
Router(config-oer-map)# set unreachable based on flows per million, that a master controller will
relative 100
permit from an OER managed exit link. If the absolute
number or relative percentage of unreachable hosts is
greater than the user-defined or the default value, the
master controller determines that the exit link is
out-of-policy and searches for an alternate exit link.
percentage of unreachable hosts. The relative
unreachable host percentage is based on a comparison
of short-term and long-term measurements.
absolute maximum number of unreachable hosts based
on fpm.
• The example creates a set clause entry that configures
the master controller to search for a new exit link when
the relative percentage of unreachable hosts is equal to
or greater than 10 percent for traffic learned based on
highest delay.
Examples
Imported Prefix Policy Example
The following example creates an oer-map named SELECT_EXIT that matches traffic defined in the IP
prefix list named CUSTOMER and sets exit selection to the first in-policy exit when the periodic timer
expires. This OER map also sets a resolve policy that sets the priority of link utilization policies to 1
(highest priority) and allows for a 10 percent variance in exit link utilization statistics.
Router(config)# ip prefix-list CUSTOMER permit 10.4.9.0/24
Router(config)# !
Router(config)# oer-map SELECT_EXIT 10
Router(config-oer-map)# match ip address prefix-list CUSTOMER
Router(config-oer-map)# set mode select-exit good
Router(config-oer-map)# set resolve utilization priority 1 variance 10
Learned Prefix Policy Example

The following example creates an oer-map named THROUGHPUT that matches traffic learned based on
the highest outbound throughput. The set clause applies a relative loss policy that will permit 1 percent
packet loss:
Router(config)# oer-map THROUGHPUT 20
Router(config-oer-map)# match oer learn throughput
Router(config-oer-map)# set loss relative 10

62 78-17876-01
What to do Next
An OER map configuration can also be applied in OER master controller configuration mode. Proceed
to the next section to see more information.
Configuring Policy Rules for OER Maps

The policy-rules OER master controller configuration command was introduced in Cisco IOS Release
12.3(11)T. This command allows you to select an OER map and apply the configuration under OER
master controller configuration mode, providing an improved method to switch between predefined OER
maps.
Prerequisites
At least one oer-map must be configured before you can enable policy-rule support.
SUMMARY STEPS
1. enable
3. oer master
4. policy-rules map-name
5. end
DETAILED STEPS

Example:
Router> enable
Example:
Example:
Step 4 policy-rules map-name Applies a configuration from an OER map to a master
controller configuration in OER master controller
configuration mode.
• Reentering this command with a new oer-map name
will immediately overwrite the previous configuration.
This behavior is designed to allow you to quickly select
and switch between predefined OER maps.

78-17876-01 63

• The example applies the configuration from the OER
map named RED.
Example:
Router(config-oer-mc)# policy-rules RED
privileged EXEC mode.
Example:
Router(config-oer-mc)# end
Examples
The following examples, starting in global configuration mode, show how to configure the policy-rules
command to apply the OER map configuration named BLUE under OER master controller mode:
Router(config-oer-map)# oer-map BLUE 10
Router(config-oer-map)# match oer learn delay
Router(config-oer-map)# set loss relative 900
Router(config-oer-map)# exit
Router(config-oer-mc)# policy-rules BLUE
What to Do Next
If iBGP peering is enabled in the internal network, proceed to the next section to see information about
configuring iBGP redistribution from the border routers.
Configuring iBGP Peering on the Border Routers

The master control implements policy changes by altering default routing behavior in the OER managed
network. If iBGP peering is enabled on the border routers, the master controller will inject iBGP routes
into routing tables on the border routers. The border routers advertise the preferred route through
standard iBGP peering.
BGP Local Preference Attribute

OER uses the BGP local preference attribute to set the preference for injected BGP prefixes. If a local
preference value of 5000 or higher has been configured for default BGP routing, you should configure
a higher value in OER. OER default BGP local preference and default static tag values are configurable
with the mode command in OER master controller configuration mode.
Injected Routes are not Advertised to External Networks

All OER injected routes remain local to an Autonomous System. The “no-export” community is
automatically applied to inject routes to ensure that are not advertised to external networks.
Parent Route Must Exist

Before injecting a route, the master controller verifies that a parent route with a valid next hop exists.
This behavior is designed to prevent traffic from being blackholed.

64 78-17876-01
eBGP Peerings
The IP address for each eBGP peering session must be reachable from the border router via a connected
route. Peering sessions established through loopback interfaces or with the neighbor ebgp-multihop
command are not supported.
Prerequisites
Peering must be Consistently Applied
Routing protocol peering must be established in your network and consistently applied to the border
routers; the border routers should have a consistent view of the network.
SUMMARY STEPS
1. enable
3. router bgp as-number
4. address-family ipv4 [mdt | multicast | tunnel | unicast [vrf vrf-name] | vrf vrf-name] | vpnv4
[unicast]
5. neighbor ip-address | peer-group-name remote-as as-number
6. neighbor ip-address | peer-group-name activate
7. neighbor ip-address | peer-group-name send-community [both | extended | standard]
8. end
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 router bgp as-number Enters router configuration mode to create or configure a
BGP routing process.
Example:
Router(config)# router bgp 65534
Step 4 address-family ipv4 [mdt | multicast | tunnel | Enters address-family configuration mode to configure a
unicast [vrf vrf-name] | vrf vrf-name] | vpnv4 BGP address- family session.
[unicast]
• The example creates an IPv4 unicast address family
session.
Example:
Router(config-router)# address-family ipv4
unicast

78-17876-01 65

Step 5 neighbor ip-address | peer-group-name remote-as Establishes BGP peering with the specified neighbor or
as-neighbor border router.
Example:
Router(config-router)# neighbor 10.100.1.3
remote-as 65534
Step 6 neighbor ip-address | peer-group-name activate Enables the exchange of address-family routing
information.
Example:
activate
Step 7 neighbor ip-address | peer-group-name Configures the BGP routing process to send the BGP
send-community [both | extended | standard] communities attribute to the specified neighbor.
• Each iBGP peer must be configured to send the
Example: standard BGP communities attribute.
send-community standard
Step 8 end Exits router configuration mode, and enters privileged
EXEC mode.
Example:
Router(config-router)# end
Examples
The following example, starting in Global configuration mode, establishes peering between two routers
in autonomous system 65534. This example also configures the two routers to exchange the standard
BGP communities attribute:
Border Router Configuration

Router(config-router)# neighbor 10.100.1.3 remote-as 65534
Router(config-router-af)# neighbor 10.100.1.3 activate
Router(config-router-af)# neighbor 10.100.1.3 send-community standard
Internal Border Peer Configuration

What to Do Next
If BGP is configured on the border routers and another IGP is deployed in the internal network, proceed
to the next section to see information about configuring redistribution from BGP into the IGP.
If BGP is not configured in the internal network, then static routes to the border exits must be configured
and the static routes must be redistributed into the IGP. For more information, proceed to the Configuring
Static Route Redistribution on the Border Routers section.

66 78-17876-01
Configuring BGP Redistribution into an IGP on the Border Routers

This section describes BGP redistribution into an IGP in the OER managed network. The configuration
task table and examples in this section redistribution into OSPF, but EIGRP, IS-IS, or RIP could also be
used in this configuration.
Filtering Routes that are Redistributed by BGP into the IGP

When redistributing BGP into any IGP, be sure to use IP prefix-list and route-map statements to limit the
number of prefixes that are redistributed. Redistributing full BGP routing tables into an IGP can have a
serious detrimental effect on IGP network operation.
Redistributing OER Injected Routes by Matching on the Local-Preference Attribute

OER uses a local-preference value of 5000 (default) to move traffic to the preferred exit point in a BGP
network. (This value is configured on the OER master controller.) The match local-preference can be
used in place of the ip prefix-list command to redistribute OER injected routes into the IGP. The
local-preference value must match the default or configured value on the master controller. Only OER
injected routes will be redistributed into the IGP. A branching task for this configuration is included in
the task table below. The prefix-list is not required in this configuration.
Prerequisites
IGP peering, static routing, and static route redistribution must be applied consistently throughout the
OER managed network; the border routers should have a consistent view of the network.
Restrictions
SUMMARY STEPS
1. enable
3. ip prefix-list list-name [seq seq-value] {deny network/length | permit network/length} [ge
ge-value] [le le-value]
4. route-map map-tag [permit | deny] [sequence-number]
5. match ip address prefix-list prefix-list-name
or
6. match local preference {value}
7. exit
8. router bgp as-number
9. bgp redistribute-internal
10. exit

78-17876-01 67
11. router {eigrp as-number | is-is [area-tag] | ospf process-id | rip}

12. redistribute static [metric metric-value] [route-map map-tag]
13. end
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 ip prefix-list list-name [seq seq-value] {deny Defines the prefix range to redistribute into the IGP.
network/length | permit network/length} [ge
ge-value] [le le-value] • Any prefix length can be specified.
• The first longest match is processed in the IP prefix list.
Example: • The examples creates a prefix list named PREFIXES.
Router(config)# ip prefix-list PREFIXES seq 5 The first sequence permits the 10.200.2.0/24 subnet.
permit 10.200.2.0/24
The second sequence denies all other prefixes.
Example:
Router(config)# ip prefix-list PREFIXES seq 10
deny 0.0.0.0/0
Step 4 route-map map-tag [permit | deny] Enters route-map configuration mode and configures a
[sequence-number] route map.
• The example creates a route map named BGP.
Example:
Router(config)# route-map BGP permit 10
Step 5 match ip address prefix-list prefix-list-name Creates a prefix list match clause entry in a route-map to
redistribute BGP prefixes.
Example: • The example configures the prefix list named
Router(config-route-map)# match ip address PREFIXES as match criteria in for the route-map.
prefix-list PREFIXES
Note Step 6 can be entered in place of this step. No
prefix-list configuration is necessary when
redistribution is configured based on the BGP
local-preference value.
or
Step 6 match local-preference {value} Configures a route map to match routes based on the BGP
local-preference attribute.
Example: • The example configures routes with a local-preference
Router(config-route-map)# match value of 5000 (default OER) to redistributed into the
local-preference 5000 IGP.

68 78-17876-01

Step 7 exit Exits route-map configuration mode, and enters global
configuration mode.
Example:
Router(config-route-map)# exit
Step 8 router bgp as-number Enters router configuration mode, and creates a BGP
routing process.
Example:
Step 9 bgp redistribute-internal Configures BGP to redistribute routes into the IGP.
Example:
Router(config-router)# bgp
redistribute-internal
Step 10 exit Exits router configuration mode, and enters global
configuration mode.
Example:
Router(config-router)# exit
Step 11 router {eigrp as-number | is-is [area-tag] | Enters router configuration mode, and creates a routing
ospf process-id | rip} process.
• The example creates an OSPF routing process.
Example:
Router(config)# router ospf 1
Step 12 redistribute static [metric metric-value] Redistributes static routes into the specified protocol.
[route-map map-tag]
• The example configures the IGP to accept the
redistributed BGP routes that pass through the route
Example: map.
Router(config-router)# redistribute static
route-map BGP subnets Note In OSPF, the subnets keyword must be entered if
you redistribute anything less than a major network
prefix range.
EXEC mode.
Example:
Examples
The following example, starting in Global configuration mode, configures the border router to
redistribute BGP routes into the internal network and configures the IGP (OSPF) to accept redistributed
BGP routes. The first example configures redistribution using prefix lists. The second example
configures redistribution using the BGP local-preference attribute. The IGP peer configuration is the
same for either configuration.
Border Router Redistribution Configuration Using Prefix Lists

Router(config)# ip prefix-list PREFIXES seq 5 permit 10.200.2.0/24
Router(config)# ip prefix-list PREFIXES seq 10 deny 0.0.0.0/0
Router(config)# !

78-17876-01 69
Router(config-route-map)# match ip address prefix-list PREFIXES

Router(config-router)# bgp redistribute-internal
Border Router Redistribution Configuration Matching on the Local-Preference Attribute

Router(config-route-map)# match local-preference 5000
Router(config-router)# bgp redistribute-internal
IGP Peer Configuration

Router(config-router)# redistribute bgp 65534 route-map BGP subnets
What to Do Next
If BGP is not configured in the internal network, then static routes to the border exits must be configured
and the static routes must be redistributed into the IGP. For more information, proceed to the next
section.
Configuring Static Route Redistribution on the Border Routers

This section describes static redistribution into an IGP in an OER managed network.
OER Tags Static Routes

OER applies a default tag value of 5000 to injected temporary static routes. The static route is filtered
through a route map and then redistributed into the IGP. If you use the tag value of 5000 for another
routing function, you should use a different tag value for that function, or you can change the default
static tag values by configuring the mode command in OER master controller configuration mode.

Before injecting a route, the master controller verifies that a parent route with a valid next hop exists.
This behavior is designed to prevent traffic from being blackholed.
Static Routing without IGP Redistribution

If static routing is configured in your network and no IGP is deployed, OER will inject temporary static
routes as necessary. No redistribution or other specific network configuration is required.
Supported Interior Gateway Protocols

• Enhanced Interior Gateway Routing Protocol (EIGRP)
• Open Shortest Path First (OSPF)
• Intermediate System-to-Intermediate System (IS-IS)
• Routing Information Protocol (RIP)
EIGRP Static Route Redistribution

Cisco IOS OER supports static route redistribution into EIGRP. However, it is configured differently.
Proceed to the Configuring Static Route Redistribution into EIGRP section for more information.

70 78-17876-01
Prerequisites
Restrictions
SUMMARY STEPS
1. enable
3. ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance] [name]
[permanent] [tag tag]
5. match tag tag-value [...tag-value]
6. set metric metric-value
7. exit
8. router {is-is area-tag | ospf process-id | rip}
10. end
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 ip route prefix mask {ip-address | Configures a static route.
interface-type interface-number [ip-address]}
[distance] [name] [permanent] [tag tag] • A static route must be configured for each external
interface. The static route is configured only on the
border routers. The static route must include any
Example: prefixes that need to be optimized.
Router(config)# ip route 0.0.0.0 0.0.0.0
Ethernet 0

78-17876-01 71

Step 4 route-map map-tag [permit | deny] Enters route-map configuration mode and creates a route
[sequence-number] map.
• The example creates a route map named STATIC.
Example:
Router(config)# route-map STATIC permit 10
Step 5 match tag tag-value [...tag-value] Redistribute routes in the routing table that match the
specified tag value.
Example: • 5000 must be configured for this tag value unless you
Router(config-route-map)# match tag 5000 have configured a different value with the mode
command.
Step 6 set metric metric-value Sets the metric value for prefixes that pass through the route
map.
Example: • A metric value that is less than 1 must be configured in
Router(config-route-map)# set metric -10 order for the OER injected static route to be preferred
by default routing.
• The example set the metric value for the OER injected
routes to -10.
configuration mode.
Example:
Step 8 router {is-is area-tag | ospf process-id | rip} Enters router configuration mode, and creates a routing
process for the specified routing protocol.
Example:
Router(config)# router rip
[route-map map-tag]
• The example configures the IGP to redistribute static
routes injected from the REDISTRIBUTE_STATIC
Example: route map.
route-map STATIC Note In OSPF, the subnets keyword must be entered if
you redistribute anything less than a major network
prefix range.
EXEC mode.
Example:

72 78-17876-01
Examples
The following example, starting in global configuration mode, configures static redistribution to allow
the master controller to influence routing in an internal network that is running RIP. The match tag
command is match OER injected temporary static routes. The set metric command is used to set the
preference of the injected static.

Router(config)# ip route 0.0.0.0 0.0.0.0 Ethernet 0
Router(config)# ip route 0.0.0.0 0.0.0.0 Ethernet 1
Router(config-route-map)# match tag 5000
Router(config-route-map)# set metric -10
Router(config)# router rip
Router(config-router)# network 192.168.0.0
Router(config-router)# redistribute static route-map STATIC

Router(config)# route rip
What to Do Next
If EIGRP is deployed in the internal network and BGP is not configured on the border routers, proceed
to the next section for more information.
Configuring Static Route Redistribution into EIGRP

This section describes static route redistribution into EIGRP. Under the EIGRP configuration, a tag is
applied to the static route and an a distribute list is configured on all egress interfaces.
OER Tags Static Routes

OER applies a default tag value of 5000 to injected temporary static routes. The static route is filtered
through a route map and then redistributed into the IGP.

Before injecting the temporary static route, the master controller verifies that a parent static route with
a valid next hop exists. This behavior is designed to prevent traffic from being blackholed.
Prerequisites

78-17876-01 73
Restrictions
When two or more border routers are deployed in an OER managed network, the next hop, as installed
in the RIB, to an external network on each border router cannot be an IP address from the same subnet
as the next hop on the other border router.
SUMMARY STEPS
1. enable
3. ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance] [name]
[permanent] [tag tag]
5. match tag tag-value [...tag-value]
6. exit
7. router eigrp as-number
8. no auto-summary
9. network ip-address [wildcard-mask]
11. distribute-list {acl-number | acl-name | prefix-list-name} out [interface-name | routing-process |
as-number]
12. end
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 ip route prefix mask {ip-address | Configures a static route.
[distance] [name] [permanent] [tag tag] • A static route must be configured for each external
interface. The static route is configured only on the
border routers. The static route must include any
Example: prefixes that need to be optimized.
Router(config)# ip route 0.0.0.0 0.0.0.0
Ethernet 0 tag 10 • Under EIGRP, a tag is applied to the static route. The
tag is then filtered through a route map.

74 78-17876-01

Step 4 route-map map-tag [permit | deny] Enters route-map configuration mode and creates a route
[sequence-number] map.
• Two route map sequences are configured. One
Example: sequence is configured for static route redistribution
Router(config)# route-map BLUE deny 10 and one to filter prefixes on egress interfaces.
Step 5 match tag tag-value [...tag-value] Redistribute routes in the routing table that match the
specified tag value.
Example: • The first example matches the static route tag, and the
Router(config-route-map)# match tag 10 second example matches the default OER tag value
applied to injected temporary static routes.
Example:
configuration mode.
Example:
Step 7 router eigrp as-number Enters router configuration mode, and creates an EIGRP
routing process.
Example:
Router(config)# router eigrp 1
Step 8 no auto-summary Disables automatic summarization under the EIGRP
routing process.
Example:
Router(config-router)# no auto-summary
Step 9 network ip-address [wildcard-mask] Specifies a network for an EIGRP routing process.
• The network state must cover any interfaces and
Example: prefixes that need to be optimized for the internal
Router(config-router)# network 192.168.0.0 network.
0.0.255.255
[route-map map-tag]
• The example configures the EIGRP to redistribute
static routes that filter through the route map.
Example:
route-map RED
Step 11 distribute-list {acl-number | acl-name | Applies a distribute list to filter outbound advertisements.
prefix-list-name} out [interface-name |
routing-process | as-number] • The distribute list must be applied to egress interfaces.
Example:
Router(config-router)# distribute-list
EXEC mode.
Example:

78-17876-01 75
Examples
The following example, starting in Global configuration mode, configures static redistribution to allow
the master controller to influence routing in an internal network that is running EIGRP:

Router(config)# ip route 0.0.0.0 0.0.0.0 Ethernet 0 tag 10
Router(config)# ip route 0.0.0.0 0.0.0.0 Ethernet 1 tag 10
Router(config)# !
Router(config)# route-map RED deny 20
Router(config)# route-map RED permit 30
Router(config)# route-map BLUE permit 10
Router(config)# route-map BLUE permit 20
Router(config)# route eigrp 1
Router(config-router)# redistribute static route-map RED
Router(config-router)# distribute-list route-map BLUE out Ethernet 0
Router(config-router)# distribute-list route-map BLUE out Ethernet 1

Router(config)# route eigrp 1
Configuring OER to Monitor and Control IPSec VPN Prefixes Over GRE Tunnels
VPN IPSec/GRE Tunnel Optimization was introduced in Cisco IOS Release 12.3(11)T. Cisco IOS OER
supports the optimization of prefixes that are routed over GRE tunnel interfaces and protected with
IPSec. Both GRE and multipoint GRE tunnels are supported.
This task shows a sample IPSec VPN configuration example. In this example, the IPSec VPN is
configured on the border router, and the tunnel interface is configured as an OER managed interface on
the master controller. The following tasks are completed:
• An IKE policy is defined
• A transforms set is configured
• A crypto profile is defined
• A crypto map is defined
• A GRE tunnel is configured
• Tunnel interfaces are configured as an OER managed external interfaces

76 78-17876-01
Routing Prefixes that are Protected with IPSec over GRE Tunnels
The IPSec to GRE model allows a service provider to provide VPN services over the IP backbone. Both
the central and remote VPN clients terminate per the IPSec-to-IPSec model. Prefixes are encapsulated
using generic route encapsulation (GRE) tunnels. The GRE packet is protected by IPSec. The
encapsulated prefixes are forwarded from the central VPN site to a customer headend router that is the
other endpoint for GRE. The IPSec protected GRE packets provide secure connectivity across the IP
backbone of the service provider network.
For more information about configuring IPSec over GRE tunnels, refer to the Dynamic Multipoint IPsec
VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs) published at the following URL:
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_white_paper09186a008018983e.s
html
GRE Tunnel Interfaces are Configured as OER Managed Exit Links

GRE tunnel interfaces on the border routers are configured as OER external interfaces on the master
controller. At least two external tunnel interfaces must be configured on separate physical interfaces in
an OER managed network. These interfaces can be configured on a single border router or multiple
border routers. Internal interfaces are configured normally using a physical interface on the border router
that is reachable by the master controller.
Prerequisites
• Cisco Express Forwarding (CEF) must be enabled on all participating routers.
• Routing protocol peering or static routing is configured in the OER managed network.
• Standard Cisco OER border router and master controller configuration is completed.
Restrictions
• Cisco IOS OER supports only IPSec/GRE VPNs. No other VPN types are supported.

The GRE tunnel and IPSec protection is configured on the border router. The following configuration
steps show the configuration of single tunnel. At least two tunnels must be configured on the border
router(s) in an OER managed network. The IPSec configuration must be applied at each tunnel end point
(the central and remote site).
SUMMARY STEPS
1. enable
3. crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
4. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
5. mode transport [require] | tunnel
6. exit
7. crypto map map-name seq-num [ipsec-manual]

78-17876-01 77
8. set peer host-name | ip-address

9. set transform-set transform-set-name [transform-set-name2...transform-set-name6]
10. match address [access-list-id | name]
11. exit
12. crypto map map-name local-address interface-id
13. crypto ipsec profile name
14. set transform-set transform-set-name [transform-set-name2...transform-set-name6]
15. exit
16. crypto isakmp key encryption-level key-string {address peer-address [mask] | hostname name}
[no-xauth]
17. crypto isakmp keepalive seconds [retries] [periodic | on-demand]
18. crypto isakmp policy priority
19. encryption {des | 3des | aes | aes 192 | aes 256}
20. authentication {rsa-sig | rsa-encr | pre-share}
21. exit
22. interface type number [name-tag]
23. ip address ip-address mask [secondary]
24. crypto map map-name [redundancy standby-name]
25. exit
26. interface type number [name-tag]
27. ip address ip-address mask [secondary]
28. bandwidth kbps | inherit [kbps]
29. tunnel source {ip-address | interface-type interface-number}
30. tunnel destination {host-name | ip-address}
31. tunnel protection ipsec profile name [shared]
32. exit
33. ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance]
[name] [permanent] [tag tag]
34. access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos
tos] [log | log-input] [time-range time-range-name] [fragments]
35. end

78 78-17876-01
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 crypto ipsec security-association lifetime Sets global lifetime values used when negotiating IPSec
{seconds seconds | kilobytes kilobytes} security associations.
• The first example sets volume of traffic, in kilobytes,
Example: that can pass between IPSec peers for this security
Router(config)# crypto ipsec security-association
lifetime kilobytes 530000000
association.
• The second example sets the expiration timer, in
Router(config)# crypto ipsec
security-association lifetime second 14400
seconds, for this security association.
Step 4 crypto ipsec transform-set transform-set-name Enters crypto transform configuration mode to create or
transform1 [transform2] [transform3] modify a transform set—an acceptable combination of
[transform4]
security protocols and algorithms.
• The example specifies 56-bit DES, 168-bit DES, or
Example: SHA for authentication.
Router(config)# crypto ipsec transform-set VPN_1
esp-des esp-3des esp-sha-hmac
Step 5 mode transport [require] | tunnel Sets the mode for the transform set.
• The example sets the mode to transport. The default
Example: mode is tunnel. Under tunnel mode, the entire packet is
Router(cfg-crypto-trans)# mode transport protected. Under transport mode, only the payload is
protected. Encapsulation is performed by GRE.
Step 6 exit Exits crypto transform configuration mode, and enters global
configuration mode.
Example:
Router(cfg-crypto-trans)# exit
Step 7 crypto map map-name seq-num [ipsec-manual] Enters crypto map configuration mode to create or modify
a crypto map.
Example: • The example create a crypto map named TUNNEL, and
Router(config)# crypto map TUNNEL 10 configures IKE to establish the security association.
ipsec-isakmp
Step 8 set peer host-name | ip-address Specifies the IPSec peer in the crypto map entry.
Example:
Router(config-crypto-map)# set peer 10.4.9.81

78-17876-01 79

Step 9 set transform-set transform-set-name Specifies which transform sets can be used with the crypto
[transform-set-name2...transform-set-name6] map entry.
• Specifies the transform set VPN_1 that was configured
Example: in Step 4.
Router(config-crypto-map)# set transform-set
VPN_1
Step 10 match address [access-list-id | name] Specifies an extended access list to define IPSec peers for
the crypto map entry.
Example: • The access list is defined in Step 33.
Router(config-crypto-map)# match address 100
Step 11 exit Exits crypto map configuration mode, and enters global
configuration mode.
Example:
Router(config-crypto-map)# exit
Step 12 crypto map map-name local-address interface-id Attaches a defined crypto map to the specified interface.
• The example attaches the crypto map named TUNNEL
Example: to interface FastEthernet 0/0.
Router(config)# crypto map TUNNEL local-address
FastEthernet 0/0
Step 13 crypto isakmp key encryption-level key-string Creates the preshared authentication key.
{address peer-address [mask] | hostname name}
[no-xauth] • The example configures encryption level 0, and
configures the router to not prompt the IPSec peer for
extended authentication. However, any encryption level
Example: or authentication level can be specified.
Router(config)# crypto isakmp key 0 CISCO
address 10.4.9.81 no-xauth
Step 14 crypto isakmp keepalive seconds [retries] Allows the gateway to send dead peer detection (DPD)
[periodic | on-demand] messages to the peer.
Example:
Router(config)# crypto isakmp keepalive 10
Step 15 crypto isakmp policy priority Define an Internet Key Exchange (IKE) policy, and enters
ISAKMP policy configuration mode.
Example:
Router(config)# crypto isakmp policy 1
Step 16 encryption {des | 3des | aes | aes 192 | aes Specifies the encryption algorithm within the IKE policy.
256}
• The example specifies 168-bit DES encryption.
Example:
Router(config-isakmp)# encryption 3des
Step 17 authentication {rsa-sig | rsa-encr | pre-share} Specifies the authentication method within the IKE policy.
• The example specifies that a preshared key will be
Example: used.
Router(config-isakmp)# authentication pre-share

80 78-17876-01

Step 18 exit Exits ISAKMP policy configuration mode, and enters
global configuration mode.
Example:
Router(config-isakmp)# exit
Step 19 crypto ipsec profile name Defines the IPSec parameters that are to be used for IPSec
encryption between two IPSec routers, and enters IPsec
profile configuration mode.
Example: • The example creates a profile named OER.
Router(config)# crypto ipsec profile OER
Step 20 set transform-set transform-set-name Specifies which transform sets can be used with the crypto
[transform-set-name2...transform-set-name6] map entry.
• The example specifies transform set named VPN_1.
Example: VPN_1 was configured in Step 4.
Router(ipsec-profile)# set transform-set VPN_1
Step 21 exit Exits IPsec profile configuration mode, and enters global
configuration mode.
Example:
Router(ipsec-profile)# exit
Step 22 interface type number [name-tag] Configures an interface type, and enters interface
configuration mode.
Example: • The physical interface is defined in this step.
Router(config)# interface FastEthernet0/0
Step 23 ip address ip-address mask [secondary] Sets a primary or secondary IP address for an interface.
Example:
Router(config-if) ip address 10.4.9.14
255.255.255.0
Step 24 crypto map map-name [redundancy standby-name] Applies the crypto map set to the interface.
• The example specifies the crypto map named TUNNEL
Example: that was defined in Step 7.
Router(config-if)# crypto map TUNNEL
Step 25 exit Exits interface configuration mode, and enters global
configuration mode.
Example:
Router(config-if)# exit
Step 26 interface type number [name-tag] Configures an interface type, and enters interface
configuration mode.
Example: • The tunnel interface is defined in this step.
Router(config)# interface Tunnel0
Step 27 ip address ip-address mask [secondary] Sets a primary or secondary IP address for an interface.
Example:
Router(config-if) ip address 10.100.2.1
255.255.0.0

78-17876-01 81

Step 28 bandwidth kbps | inherit [kbps] Sets and communicates the current bandwidth value for an
interface to higher-level protocols.
Example:
Router(config-if)# bandwidth 500
Router(config-if)# bandwidth inherit

Step 29 tunnel source {ip-address | interface-type Sets the source address for a tunnel interface.
interface-number}
• The source interface in the example was defined in Step
22. The interface name or IP address can be specified.
Example:
Router(config-if)# tunnel source 10.4.9.14
Step 30 tunnel destination {host-name | ip-address} Specifies the destination for a tunnel interface.
• The IP address of the physical interface where the
Example: remote tunnel end point is attached is configured in this
Router(config-if)# tunnel destination 10.4.9.81 step.
Step 31 tunnel protection ipsec profile name [shared] Associates the tunnel interface with the IPSec profile.
• The IPSec profile named OER that is configured in the
Example: example was defined in Step 19.
Router(config-if)# tunnel protection ipsec
profile OER
Step 32 exit Exits interface configuration mode, and enters global
configuration mode.
Example:
Router(config-if)# exit
Step 33 access-list access-list-number [dynamic Creates or configures an extended IP access list.
dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination • An extended access list is defined to permit only the
destination-wildcard [precedence precedence] GRE hosts.
[tos tos] [log | log-input] [time-range
time-range-name] [fragments] • The access list in this example is referenced in the
match address statement in Step 10.
Example:
Router(config)# access-list 100 permit gre host
10.4.9.14 host 10.4.9.81
Step 34 ip route prefix mask {ip-address | Establishes a static route.
[dhcp] [distance] [name] [permanent] [tag tag] • A default route is configured for the tunnel destination
host or network.
Example:
Router(config)# ip route 10.2.2.2
255.255.255.255 Tunnel0
Step 35 end Exits global configuration mode, and enters privileged
EXEC mode.
Example:
Router(config)# end

82 78-17876-01
Examples
The following example, starting in global configuration mode, configures an IPSec/GRE tunnel on a
border router. This example shows the configuration of one tunnel. Two tunnels must be configured in
the OER managed network to enable the VPN IPSec/GRE Tunnel Optimization feature.
crypto ipsec security-association lifetime kilobytes 530000000
crypto ipsec security-association lifetime second 14400
crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac
mode transport
exit
!
crypto map TUNNEL 10 ipsec-isakmp
set peer 10.4.9.81
set transform-set VPN_1
match address 100
!
crypto ipsec profile OER
exit
crypto map TUNNEL local-address FastEthernet 0/0
!
crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth
crypto isakmp keepalive 10
crypto isakmp policy 1
encryption 3des
authentication pre-share
exit
!
interface FastEthernet0/0
ip address 10.4.9.14 255.255.255.0
crypto map TUNNEL
exit
!
interface Tunnel0
ip address 10.100.2.1 255.255.0.0
keepalive 30 5
bandwidth 500
bandwidth inherit
tunnel mode gre ip
tunnel source 10.4.9.14
tunnel destination 10.4.9.81
tunnel protection ipsec profile OER
exit
!
ip route 10.100.2.2 255.255.255.255 Tunnel0
!
access-list 100 permit gre host 10.4.9.14 host 10.4.9.81
!
end
What to Do Next
Tunnel interfaces must be configured as OER managed external interfaces to complete this configuration
task. Proceed to the next step table.

78-17876-01 83
Master Controller Configuration

The tunnel interfaces are configured as OER managed external interfaces on the master controller. A
minimum of two tunnel interfaces must be configured to enable the VPN IPSec/GRE Tunnel
Optimization feature.
SUMMARY STEPS
1. enable
3. oer master
4. border ip-address key-chain key-chain-name
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 oer border | master Enters OER master controller configuration mode to
configure a router as a master controller.
Example:
Step 4 border ip-address key-chain key-chain-name Enters OER managed border router configuration mode to
Example: • An IP address is configured to identify the border
Router(config-oer-mc)# border 10.10.10.1 router.
key-chain OER
• A minimum of two border routers must be specified to
create an OER managed network. A maximum of 10
border routers can be controlled by a single master
controller.

84 78-17876-01

Step 5 interface type number external Configures a border router interface as an OER managed
external interface.
Example: • Serial and Ethernet interfaces are supported. External
Router(config-oer-mc-br)# interface Tunnel0 interfaces are used to forward traffic and for active
external monitoring.
• A minimum of two external border router interfaces are
required in an OER managed network. At least 1
external interface must be configured on each border
router. A maximum of 20 interfaces can be controlled
by single master controller.
• The example configures a GRE tunnel interface as an
OER managed external interface.
Step 6 end Exits OER managed border router configuration mode, and
enters privileged EXEC mode.
Example:
Router(config-oer-mc-br)# end
Examples
The following example completes the configuration in this task. Starting in global configuration mode
on the master controller, the Tunnel0 and Tunnel1 interfaces on the border are configured as an OER
managed external interfaces:
oer master
border 10.10.10.1 key-chain OER
interface Tunnel0 external
end
Verifying Cisco IOS OER Configuration

This section describes the show commands that can be used to verify the configuration of Cisco IOS
OER. All show command described in this section are entered in Privileged EXEC mode. The show oer
master commands are entered on a master controller. The show oer border command are entered on a
border router.
SUMMARY STEPS
1. enable
2. show oer border
3. show oer border active-probes
4. show oer border passive cache {learned | prefix}
5. show oer border passive prefixes
6. show oer border routes bgp | static
7. show oer master

78-17876-01 85
8. show oer master active-probes

9. show oer master border [ip-address] [detail]
10. show oer master cost-minimization {billing-history | border ip-address [interface] | nickname
name}
11. show oer master policy [sequence-number] [policy-name] | [default]
12. show oer master prefix [detail | learned [delay | throughput] | prefix [detail | policy |
traceroute [exit-id | border-address | current] [now]]]
DETAILED STEPS

Example:
Router> enable
Step 2 show oer border Displays information about a border router connection and
OER controlled interfaces.
Example: • The output displays information about the border router
Router# show oer border and master controller connection status and border
router interfaces.
Step 3 show oer border active-probes Displays connection status and information about active
probes on a border router.
Example: • This command displays target active-probe assignment
Router# show oer border active-probes for a given prefix and the current probing status
including the border router or border routers that are
executing the active probes.
Step 4 show oer border passive cache {learned | Displays passive measurement information collected by
prefix} NetFlow for monitored prefixes and traffic flows.
• This command displays real-time prefix information
collected from the border router through NetFlow
passive monitoring.
• Entering the learned keyword displays learned
prefixes. A maximum of 5 host addresses and 5 ports
are collected for each prefix. The output will also show
the throughput in bytes and the delay in milliseconds.
Step 5 • Entering the prefix keyword displays the metrics
captured for monitored prefixes. This information
includes the number of packets and bytes per packet,
Example:
Router# show oer border passive cache learned
the delay, the number of delay samples, the amount of
packet loss, the number of unreachable flows, and the
interfaces through which traffic flows travel.
Step 6 show oer border passive prefixes Displays information about passive monitored prefixes.
• The output of this command displays prefixes
Example: monitored by NetFlow on the border router. The
Router# show oer border passive prefixes prefixes displayed in the output are sent from the
master controller.

86 78-17876-01

Step 7 show oer border routes bgp | static Displays information about OER controlled routes.
• This command is used to display information about
Example: OER controlled routes on a border router. You can
Router# show oer border routes bgp display information about BGP routes or static routes.
Step 8 show oer master Displays information about the master controller.
• The output of this command displays information about
Example: the status of the master controller, border routers and
Router# show oer master OER controlled interfaces as well as default and
user-defined policy settings.
Step 9 show oer master active-probes Displays connection and status information about active
probes on a master controller.
Example: • This command is used to display the current state of
Router# show oer master active-probes active probing. The output displays the probe type,
status, and destination.
Step 10 show oer master border [ip-address] [detail] Displays the status of connected border routers.
• The output of this command shows the status of all
Example: border router connections or a single border router
Router# show oer master border connection.
Step 11 show oer master cost-minimization Displays information about cost policies.
{billing-history | border ip-address
[interface] | nickname name} • The output can be filtered to display information about
a specific border router or interface, to display billing
information, or to display information about the
Example: specified service provider.
Router# show oer master cost-minimization
border 10.1.1.1 Ethernet 0/0
Step 12 show oer master policy [sequence-number] Displays user-defined and default policy settings on a
[policy-name] | [default] master controller.
• The output of this command displays global policy and
Example: policies configured with an oer-map.
Router# show oer master policy
Step 13 show oer master prefix [detail | learned [delay Displays the status of monitored prefixes.
| throughput] | prefix [detail | policy |
traceroute [exit-id | border-address | current]
[now]]]
Example:
Router# show oer master prefix
Step 14 show oer master prefix-list list-name [detail] Displays the status of prefixes imported using a prefix list.
Example:
Router# show oer master prefix-list list-name

78-17876-01 87
Using Cisco IOS OER Clear Commands

This section describes the clear commands that can be used to clear Cisco IOS OER sessions and
counters. All clear command described in this section are entered in Privileged EXEC mode. The clear
oer master commands are enter on a master controller. The clear oer border command are entered on
a border router.
SUMMARY STEPS
1. enable
2. clear oer border *
3. clear oer master *
4. clear oer master border * | ip-address
5. clear oer master prefix * | prefix | learned
DETAILED STEPS

Example:
Router> enable
Step 2 clear oer border * Resets a connection between a border router and the master
controller.
Example: • The border router and master controller will
Router# clear oer border * automatically reestablish communication after this
command is entered.
Step 3 clear oer master * Resets a master controller process and all active border
router connections.
• The master controller will restart all default and

user-defined processes and reestablish communication
with active border routers after this command is
Example:
Router# clear master *
entered.
Step 4 clear oer master border * | ip-address Resets an active border router connection or all connections
with a master controller.
Example:
Router# clear oer master border *
Step 5 clear oer master prefix * | prefix | learned Clears OER controlled prefixes from the master controller
database.
Example:
Router# clear oer master prefix *

88 78-17876-01
Using Cisco IOS OER Debug Commands

This section describes the debug commands that can be used to trouble shoot Cisco IOS OER sessions
and operations. All debug commands described in this section are entered in Privileged EXEC mode.
The debug oer master commands are enter on a master controller. The debug oer border command are
entered on a border router.
Caution Debug commands can generate a substantial amount of output and use significant system resources.
Debug commands should be used only as necessary for troubleshooting and should be used with caution
in production networks.
SUMMARY STEPS
1. enable
2. debug oer border
3. debug oer border active-probe
4. debug oer cc [detail]
5. debug oer master border ip-address
6. debug oer master collector [active-probes [detail [trace]]] | [netflow]
7. debug oer master exit [detail]
8. debug oer master learn
9. debug oer master prefix [prefix] [detail]
10. debug oer master prefix-list list-name [detail]
11. debug oer master process
DETAILED STEPS

Example:
Router> enable
Step 2 debug oer border Displays general border router debugging information.
• This command is used to display debugging
Example: information about the OER border process, controlled
Router# debug oer border routes and monitored prefixes.
Step 3 debug oer border active-probe Displays debugging information for active probes
configured on the local border router.
Example:
Router# debug oer border active-probe

78-17876-01 89

Step 4 debug oer cc [detail] Displays OER communication control debugging
information for master controller and border router
communication.
Example:
Router# debug oer cc • This command is used to display messages exchanged
between the master controller and the border router.
These messages include control commands,
configuration commands, and monitoring information.
Step 5 debug oer master border ip-address Displays debugging information for border router events on
a master controller.
Example: • The output displays information related to the events or
Router# debug oer master border updates from one or more border routers.
Step 6 debug oer master collector [active-probes Displays data collection debugging information for
[detail [trace]]] | [netflow] monitored prefixes.
Example:
Router# debug oer master collector
Step 7 debug oer master exit [detail] Displays debugging event information for OER managed
exit links.
Example:
Router# debug oer master exit
Step 8 debug oer master learn Displays debugging information for master controller
learning events.
Example:
Router# debug oer master learn
Step 9 debug oer master prefix [prefix] [detail] Displays debugging events related to prefix processing on
an OER master controller.
Example:
Router# debug oer master prefix
Step 10 debug oer master prefix-list list-name [detail] Displays debug events related to prefix-list processing on an
OER master controller
Example:
Router# debug oer master prefix-list
Step 11 debug oer master process Displays debugging information about the OER master
controller process.
Example:
Router# debug oer master process

90 78-17876-01
Configuration Examples for Cisco IOS Optimized Edge Routing

This section provides the following sample configuration provide example deployment configurations
for Cisco IOS OER:
• Master Controller and Two Border Routers Deployment: Example, page 91
• Master Controller and Border Router Deployed on a Single Router: Example, page 94
• Configuring OER to Monitor and Control GRE/IPSec VPN Prefixes: Example, page 96
Master Controller and Two Border Routers Deployment: Example

Figure 7 shows an OER managed network with two border router processes and a master controller
process deployed separately on Cisco routers.
Figure 7 Master Controller Deployed with Two Border Routers
ISP1 AS2
AS1
BR1 192.168.1.1
iBGP Internet
OER MC
BR2
127264
ISP2 AS3
Enterprise 192.168.2.2
network
The master controller performs no routing functions. BGP is deployed on the border routers and internal
peers in the OER managed network. Each border router has an eBGP peering session with a different
ISP. The eBGP peers (ISP border routers) are reachable through connected routes. Injected prefixes are
advertised the internal network through standard iBGP peering.
OER MC Configuration
The following example, starting in Global configuration mode, shows the master controller
configuration. Both active and passive monitoring is configured. Route control mode is enabled. The
master controller is configured to analyze and move out of policy prefixes to first in-policy exit when
the periodic timer expires. Automatic prefix learning is enabled. The master controller is configured to
learn prefixes with the highest outbound throughput, the monitoring period is set to10 minutes, the
number of prefixes learned during each monitoring period is set to 500, and the interval between
monitoring periods is set to 20 minutes. The master controller is configured to aggregate BGP prefixes.

78-17876-01 91
Router(config-oer-mc-br)# interface Serial 1/1 internal
Router(config-oer-mc-br)# interface Serial 3/3 internal
Router(config-oer-mc)# mode monitor both
Router(config-oer-mc-learn)# throughput
Router(config-oer-mc-learn)# monitor-period 10
Router(config-oer-mc-learn)# periodic-interval 20
Router(config-oer-mc-learn)# prefixes 500
Router(config-oer-mc-learn)# aggregation-type bgp
BR 1 Configuration
The following example, starting in Global configuration mode, shows the configuration for BR1. EBGP
peering is established with ISP 1 (192.168.1.1 AS2). Standard community exchange and iBGP peering
is established with BR2 (10.200.2.2) and internal peers (in the 10.150.1.0/24 network).
Router(config-oer-br)# local Serial 1/1
Router(config-oer-br)# exit
Router(config-router)# address-family ipv4 unicast
Router(config-router-af)# end
BR 2 Configuration
The following example, starting in Global configuration mode, shows the configuration for BR2. EBGP
peering is established with ISP 2 (192.168.2.2 AS1). Standard community exchange and iBGP peering
is established with BR2 (10.100.1.1) and internal peers (in the 10.150.1.0/24 network).

92 78-17876-01
Router(config-oer-br)# local Serial 1/1
Internal Peer Configuration

The following example, starting in Global configuration mode, shows the internal peer configuration.
Standard full-mesh iBGP peering is established with the BR1 and BR2 and internal peers in autonomous
system 1.

78-17876-01 93
Master Controller and Border Router Deployed on a Single Router: Example

Figure 8 shows an OER managed network with two border routers. BR1 is configured to run a master
controller and border router process.
Figure 8 Master Controller and Border Process Deployed on a Single Router
MC/BR 1
Enterprise
network
BGP Internet
127265
BR2
BR2 is configured as a border router. The internal network is running OSPF. Each border router peers
with a different ISP. A static routes to the egress interface is configured on each border router. The static
routes are then redistributed into OSPF. Injected prefixes are advertised through static route
redistribution.
BR 1 Configuration: Master/Border with Load Distribution

The following example, starting in Global configuration mode, shows the configuration of BR 1. This
router is configured to run both a master controller and a border router process. BR 1 peers with ISP1.
A traffic load distribution policy is configured under the master controller process that is applied to all
exit links in the OER managed network.
Router(config-oer-br)# local Loopback 0
Router(config-oer-mc-br)# interface Serial 0/0 external

94 78-17876-01

Router(config-oer-mc-br)# interface Serial 2/2 external
Router(config-oer-mc)# max-range-utilization percent 80
Router(config)# ip route 0.0.0.0 0.0.0.0 Serial 0/0
Router(config)# !
Router(config)# route-map STATIC
Router(config-router)# network 10.0.0.0 0.0.0.255 area 0
Router(config-router)# redistribute static route-map STATIC subnets
BR 2 Configuration
The following example, starting in Global configuration mode, shows the configuration of BR 2. This
router is configured to run only a border router process.
Router(config-oer-border)# master 10.100.1.1 key-chain OER
Router(config-oer-border)# local Ethernet3/3
Router(config-oer-border)# exit
Router(config)# ip route 0.0.0.0 0.0.0.0 Serial 2/2
Router(config)# !
Internal Peer Configuration

The following example, starting in Global configuration mode, configures an OSPF routing process to
establish peering with the border routers and internal peers. No redistribution is configured on the
internal peers.

78-17876-01 95
Configuring OER to Monitor and Control GRE/IPSec VPN Prefixes: Example

Figure 9 shows a central VPN site and two remote VPN sites. VPN Peering is established through the
service provider clouds. An OER managed network is configured at each site where Cisco IOS OER
configuration is applied independently. Each site has separate master controller and border router
process, and each site maintains a separate master controller database.
Figure 9
OER Master
Options
VPN A
BR1
OER MC/BR
SLA A
master SP A SP B Small
F-VR1 CR2
size
BR2 eBGP
SLA B VPN B
F-VR2 SP C SP D SP E CLR
BR1 master
BR3
Server(s)
SLA C
SP F Server(s)
iBGP and/or
EIGRP, OSPF, etc. BR2
126266
Enterprise/VPN Transit VPN
Head-end Service Providers Branches
Two GRE tunnels are configured between each remote site and the central site. VPN prefixes are
encapsulated in GRE tunnels. The GRE tunnels are protected by IPSec encryption. The examples in this
section show the configuration for the central VPN site, VPN A, and VPN B.
Central VPN Configuration: OER Master

The central VPN site peers with VPN A and VPN B. A separate policy is defined for each site using an
OER map. For VPN A prefixes, a delay policy of 80 ms is configured and out-of-policy prefixes are
moved to the first in-policy exit. For VPN B prefixes, a delay policy of 40ms and a relative loss policy
is configured, and out-of-policy prefixes are moved to the best available exit.
key chain OER
key 1
key-string CISCO
!
oer master
logging
interface Ethernet 0/0 external
interface Ethernet 0/1 internal
!

96 78-17876-01
!
mode route control
mode monitor both
exit
!
ip prefix VPN A permit <ip address>
oer-map VPNA
match ip address prefix-list VPNB
set delay 800
set mode select-exit good
exit
!
ip prefix VPNB permit <ip address>
oer-map VPNB
match ip address prefix-list VPNC
set delay 400
set loss relative 100
set resolve loss priority 1 variance 10
set mode select-exit best
end
Central VPN Configuration: BR1

The following example, starting in Global configuration mode, shows the configuration for BR 1:
key chain OER
key 1
key-string CISCO
!
oer border
local serial 0/1
master 10.4.9.4 key-chain OER
!
ip route 10.70.1.0 255.255.255.0
!
route-map REDISTRIBUTE_STATIC
match tag 5000
set metric -10
exit
!
router eigrp 1
network 10.70.0.0 0.0.0.255
redistribute static route-map REDISTRIBUTE_STATIC
exit
!
mode transport
exit
!
set peer 10.4.9.81
match address 100
!
exit
crypto map TUNNEL local-address Ethernet 0/0
!

78-17876-01 97

encryption 3des
exit
!
interface Ethernet0/0
ip address 10.4.9.14 255.255.255.0
crypto map TUNNEL
exit
!
interface Tunnel0
ip address 10.100.2.1 255.255.0.0
keepalive 30 5
bandwidth 500
bandwidth inherit
tunnel mode gre ip
exit
Central VPN Configuration: BR 2

The following example, starting in Global configuration mode, shows the configuration of BR 2:
key chain OER
key 1
key-string CISCO
!
oer border
local Ethernet 0/1
!
ip route 10.70.1.0 255.255.255.0
!
match tag 5000
set metric -10
exit
!
router eigrp 1
network 10.70.0.0 0.0.0.255
!
mode transport
exit
!
set peer 10.4.9.82
match address 100
!
exit
!

98 78-17876-01
encryption 3des
exit
!
ip address 10.4.9.15 255.255.255.0
crypto map TUNNEL
exit
!
interface Tunnel0
ip address 10.100.2.2 255.255.0.0
keepalive 30 5
bandwidth 500
bandwidth inherit
tunnel mode gre ip
end
Central VPN Configuration: Internal Peers

An EIGRP routing process created to establish peering with the border routers and internal peers.
router eigrp 1
network 10.50.1.0 0.0.0.255
end
! VPN A Configuration: MC/BR

The following configuration example, starting in global configuration mode, shows the configuration of
VPN A. VPN A is a remote site that is configured for a small office home office (SOHO) client. A single
router is deployed. This router peers with service provider B and service provider E. No IGP is deployed
at this network, only a static route is configured to the remote tunnel endpoint at the central site. A delay
policy, a loss policy, and optimal exit link selection is configured so that traffic is always routed through
the ISP with the lowest delay time and lowest packet loss. A resolve policy is configured to configure
loss to have the highest priority. Physical interface and internal host peering configuration is not shown
in this example.
key chain BR1
key 1
key-string CISCO
!
Note The local border router process is enabled. Because the border router and master controller process is
enabled on the same router, a loopback interface (192.168.0.1) is configured as the local interface.
oer border
local Loopback0
master 192.168.0.1 key-chain BR1
!
oer master
learn
delay
mode route control
delay threshold 100
loss relative 200
periodic 300

78-17876-01 99
mode select-exit good

resolve loss priority 1 variance 20
resolve delay priority 2 variance 10
!
border 192.168.0.1 key-chain BR1
interface Serial0/0 internal
exit
!
mode transport
exit
!
set peer 10.4.9.81
match address 100
!
exit
!
encryption 3des
exit
!
ip address 10.4.9.14 255.255.255.0
crypto map TUNNEL
exit
!
interface Tunnel0
ip address 10.100.2.1 255.255.0.0
keepalive 30 5
bandwidth 500
bandwidth inherit
tunnel mode gre ip
exit
!
Note A single tunnel configuration is show in this example. Two tunnels are required to configure VPN
optimization.

100 78-17876-01
VPN B Configuration: OER Master

The following example, starting in Global configuration mode, shows the master controller
configuration in VPN B. Load distribution and route control mode is enabled. Out-of-policy prefixes are
configured to be moved to first in-policy exit.
key chain OER
key 1
key-string CISCO
!
oer master
logging
!
!
mode route control
mode select-exit good
max-range utilization
!
learn
delay
end
VPN B Configuration: BR 1
key chain OER
key 1
key-string CISCO
!
oer border
local Ethernet 0/1
!
match tag 5000
set metric -10
exit
!
router rip
network 10.600.1.0
end
!
mode transport
exit
!
set peer 10.4.9.82
match address 100
!

78-17876-01 101

exit
!
encryption 3des
exit
!
ip address 10.4.9.15 255.255.255.0
crypto map TUNNEL
exit
!
interface Tunnel0
ip address 10.100.2.2 255.255.0.0
keepalive 30 5
bandwidth 500
bandwidth inherit
tunnel mode gre ip
end
VPN B Configuration: BR 2
key chain OER
key 1
key-string CISCO
!
oer border
local Ethernet 0/1
exit
!
match tag 5000
set metric -10
exit
!
router rip
network 10.600.1.0
exit
!
mode transport
exit
!
set peer 10.4.9.82
match address 100
!

102 78-17876-01
Additional References
exit
!
encryption 3des
exit
!
ip address 10.4.9.15 255.255.255.0
crypto map TUNNEL
exit
!
interface Tunnel0
ip address 10.100.2.2 255.255.0.0
keepalive 30 5
bandwidth 500
bandwidth inherit
tunnel mode gre ip
end
VPN B Configuration: Internal Peers

A RIP routing process created to establish peering with the border routers and internal peers.
router rip
network 10.60.1.0
end
The following sections provide references related to Cisco IOS Optimized Edge Routing:
Related Documents
Related Topic Document Title
IP SLAs • Cisco IOS IP SLAs Configuration Guide, Release 12.4
Key Chain Authentication: Information about • Managing Authentication Keys” section of the Cisco IOS IP
authentication key configuration and management in Routing Protocols Configuration Guide, Release 12.4
Cisco IOS Software
NetFlow • Cisco IOS NetFlow Configuration Guide, Release 12.4
Routing Protocol Commands • Cisco IOS IP Routing Command Reference, Release 12.4
Routing Protocol Configuration Tasks • Cisco IOS IP Routing Configuration Guide, Release 12.4
System Logging • Cisco IOS Network Management Configuration Guide, Release
12.4

78-17876-01 103
Standards
Standards Title
No new or modified standards are supported by this —
feature, and support for existing standards has not been
modified by this feature.
MIBs
MIBs MIBs Link
No new or modified MIBs are supported by this To obtain lists of supported MIBs by platform and Cisco IOS
feature, and support for existing MIBs has not been release, and to download MIB modules, go to the Cisco MIB website
modified by this feature. on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs Title
No new or modified RFCs are supported by this —
feature, and support for existing standards has not been
modified by this feature.
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access
even more content.

104 78-17876-01

Cisco IOS Optimized Edge Routing Configuration Guide, Release 12.4

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco IOS Optimized Edge Routing Configuration Guide, Release 12.4

Uploaded by

Copyright:

Available Formats

Cisco IOS Optimized Edge Routing

Customer Order Number: DOC-7817876=

Cisco IOS Optimized Edge Routing Configuration Guide

About Cisco IOS Software Documentation for Release 12.4 ix

Documentation Organization for Cisco IOS Release 12.4 x

Document Conventions xvi

Obtaining Documentation xvii

Cisco Product Security Overview xix

Obtaining Technical Assistance xx

Using Cisco IOS Software for Release 12.4 xxiii

Understanding Command Modes xxiii

Getting Help xxiv

Using the no and default Forms of Commands xxviii

Saving Configuration Changes xxviii

Filtering Output from the show and more Commands xxix

Finding Additional Feature Support Information xxix

Cisco IOS Optimized Edge Routing Configuration 1

Prerequisites for Cisco IOS Optimized Edge Routing 2

Restrictions for Cisco IOS Optimized Edge Routing 2

Information About Cisco IOS Optimized Edge Routing 3

Cisco IOS Optimized Edge Routing Configuration Guide

Cisco IOS OER: Optimizes for Performance 5

Cisco IOS Optimized Edge Routing Configuration Guide

How to Configure Cisco IOS Optimized Edge Routing 23

Cisco IOS Optimized Edge Routing Configuration Guide

Cisco IOS Optimized Edge Routing Configuration Guide

Cisco IOS Optimized Edge Routing Configuration Guide

Related Documents 103

Cisco IOS Optimized Edge Routing Configuration Guide

Cisco IOS Optimized Edge Routing Configuration Guide

Documentation Organization for Cisco IOS Release 12.4

Configuration Guide and Description

Cisco IOS Optimized Edge Routing Configuration Guide

Configuration Guide and Description

Cisco IOS Optimized Edge Routing Configuration Guide

Configuration Guide and Description

Cisco IOS Optimized Edge Routing Configuration Guide

Configuration Guide and Description

Cisco IOS Optimized Edge Routing Configuration Guide

Configuration Guide and Description

Cisco IOS Optimized Edge Routing Configuration Guide

Configuration Guide and Description

Table 2 Cisco IOS Release 12.4 Supporting Documents and Resources

Document Title Description

Cisco IOS Optimized Edge Routing Configuration Guide

Document Title Description

Command syntax descriptions use the following conventions:

Cisco IOS Optimized Edge Routing Configuration Guide

Examples use the following conventions:

Cisco IOS Optimized Edge Routing Configuration Guide

You can access the Cisco website at this URL:

Product Documentation DVD

Cisco IOS Optimized Edge Routing Configuration Guide

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Cisco IOS Optimized Edge Routing Configuration Guide

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Cisco IOS Optimized Edge Routing Configuration Guide

For a complete list of Cisco TAC contacts, go to this URL:

Definitions of Service Request Severity

Obtaining Additional Publications and Information