Overlapping IP Address Restrictions
Overlapping IP addresses in the same virtual routing and forwarding (VRF) instance are not supported.
Overlapping IP subscribers in different VRFs are not supported on the same interface for static IP subscriber sessions and routed IP subscriber sessions. Overlapping IP subscribers in different VRFs are supported on the same interface for Layer 2 connected DHCP subscriber sessions.
IP Subnet Session Restrictions
IP subnet sessions are not supported on an interface configured with the ip subscriber l2-connected command. IP subnet sessions are supported only when the ip subscriber routed command is configured on the interface.
ISG DHCP Restrictions
ISG cannot relay DHCP requests when a Layer 3 DHCP relay agent is between the ISG device and subscriber devices.
DHCP Lease Query is supported on Cisco 7600, 7200, and 10000 series routers.
Dynamic VPN Selection Restrictions
Dynamic VPN selection is not supported for IP interface sessions, IP subnet sessions, and subscribers coming in on nonglobal VRF interfaces.
Dynamic VPN selection is not supported for subscribers with a static VPN configuration on the access interface.
Dynamic VPN selection with address reassignment is not supported for routed IP subscriber sessions that are initiated by DHCP. IP addresses of routed IP subscribers must be routable in the access network. Because Internet service provider (ISP)- or VRF-owned private addresses could overlap or be unroutable in the network between subscribers and the ISG device, it is not possible to assign IP addresses to those subscribers.
IP interface sessions do not support dynamic VRF; only static VRF is supported. If an interface is configured with the ip subscriber interface command, dynamic VRF through a RADIUS VSA is not supported; only static VRF is supported.
General IP Session Restrictions
Network Address Translation (NAT) configuration is not supported on the access side of ISG.
IP subscriber sessions are not supported on ambiguous IEEE 802.1QinQ (QinQ) or IEEE 802.1Q (Dot1Q) subinterfaces.
IP subscriber sessions are not supported on interfaces that receive Multiprotocol Label Switching (MPLS) packets.
Modular quality of service (QoS) CLI (MQC) shaping and queuing are supported in the egress direction in the default class for IP subscriber sessions.
Configuring features on static IP sessions is not supported.
ISG IP subscriber functionality is not supported on the following types of access interfaces:
- Gigabit EtherChannel (Port Channel)
- Generic routing encapsulation (GRE)
- PPP (virtual-template)
- Layer 2 Tunnel Protocol (L2TP)
Interface statistics are not generated for ISG multiservice interfaces.
Stateful switchover (SSO) and In Service Software Upgrade (ISSU) are not supported for any features on ISG IP subscriber sessions or traffic class sessions. Upon switchover, an IP session must be re-created or restarted (for DHCP sessions) when the session becomes active again.
The following subscriber features are not supported on IPoE sessions:
- Per-session firewall
- Per-session NAT
- Per-session PBR
- Per-session NBAR
- Per-session netflow
- Per-session multicast
The following PPP session features are not supported on IP sessions:
- Session limit per system, VLAN, or MAC
- Dual stack session (single PPP session carrying both IPv4 and IPv6 traffic)
- Packet of Disconnect (PoD)
Multiservice Interface Restrictions
IP interface features (such as QoS and access lists) are not supported on multiservice interfaces.
Only one multiservice interface can belong to a single VRF. For example, the following configuration will not work:
interface multiservice 1
 ip vrf forwarding VRF_A
!
interface multiservice 2
 ip vrf forwarding VRF_A
Cisco 10000 Series Internet Router Restrictions
On the Cisco 10000 series Internet router, ISG does not support IP subscriber sessions that are initiated by RADIUS packets.
IP interface sessions are not supported on ATM main interfaces and ATM multipoint subinterfaces on the Cisco 10000 series Internet router.
IP subscriber sessions and PPP over ATM or PPP over Ethernet (PPPoX) sessions are not supported on the same ATM main interface or subinterface. Either IP subscriber sessions or PPPoX sessions can be configured on ATM main interfaces or subinterfaces at one time.
IP subscriber sessions are not supported on the following interfaces:
- Multilink interfaces
- Tunnel interfaces
- Virtual-template interfaces
- IPsec tunnels
For DHCP-initiated IP sessions, you must explicitly configure access lists to permit DHCP control packets (bootps and bootpc packets). If access lists are not configured to permit DHCP control packets, ISG features that are applied to IP sessions might drop these packets, resulting in unexpected or erroneous ISG behavior. For example, DHCP renew packets, which keep the DHCP-initiated IP session alive, might be dropped by security access lists that are applied to IP sessions.
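One way to check a session ACL for this problem before it is applied, as an added example that is not Cisco code: a first-match evaluation of the ACL against two DHCP control packets. The ACL lines, addresses and function names are constructed for illustration, and only a small subset of extended-ACL syntax is parsed.

```python
# ACE subset assumed by this example: permit|deny <proto> <src> [eq p] <dst> [eq p]
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(t):
    """Consume 'any', 'host A' or 'A wildcard'; return ((base, wildcard), rest)."""
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host":
        return (_ip(t[1]), 0), t[2:]
    return (_ip(t[0]), _ip(t[1])), t[2:]

def _take_port(t):
    if t[:1] == ["eq"]:
        return int(PORTS.get(t[1], t[1])), t[2:]
    return None, t

def _hit(spec, ip):
    base, wild = spec
    return (ip ^ base) & ~wild & 0xFFFFFFFF == 0  # wildcard bits are "don't care"

def verdict(acl, src, sport, dst, dport):
    """Return the action of the first ACE matching a UDP packet (implicit deny last)."""
    for line in acl:
        action, proto, *t = line.split()
        s, t = _take_addr(t)
        sp, t = _take_port(t)
        d, t = _take_addr(t)
        dp, t = _take_port(t)
        if proto not in ("udp", "ip") or not (_hit(s, _ip(src)) and _hit(d, _ip(dst))):
            continue
        if (sp and sp != sport) or (dp and dp != dport):
            continue
        return action
    return "deny"

def dhcp_check(acl, client="10.1.1.20", server="192.0.2.10"):
    """Constructed probes: broadcast DISCOVER and unicast renew, both bootpc -> bootps."""
    probes = {"discover": ("0.0.0.0", 68, "255.255.255.255", 67),
              "renew": (client, 68, server, 67)}
    return {name: verdict(acl, *p) for name, p in probes.items()}

# Constructed session ACLs: WEAK omits DHCP, FIXED permits it ahead of the deny.
WEAK = ["permit tcp 10.1.1.0 0.0.0.255 any eq 80",
        "permit udp 10.1.1.0 0.0.0.255 any eq 53", "deny ip any any"]
FIXED = ["permit udp any eq bootpc any eq bootps"] + WEAK
```

`dhcp_check(WEAK)` reports both packets denied, which is the dropped-renew case described above; `dhcp_check(FIXED)` reports both permitted.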
On the Cisco 10000 series router, unicast Reverse Path Forwarding (uRPF) is not supported in the Parallel eXpress Forwarding (PXF) path if ISG is also configured on the same interface. For example, uRPF is supported in the PXF path with this configuration:
interface GigabitEthernet7/0/0
 ip address 10.10.10.1 255.255.255.252
 ip verify unicast reverse-path
However, uRPF is not supported in the PXF path with this configuration:
interface GigabitEthernet7/0/0
 ip address 10.10.10.1 255.255.255.252
 ip verify unicast reverse-path
 service-policy type control isg-control
 ip subscriber routed
  initiator unclassified ip-address
With this configuration, all IP packets that the router receives whose source IP address does not match an existing ISG IP session are punted to the Cisco 10000 Route Processor (RP) for uRPF processing. This could result in added interrupt-level CPU usage on the Cisco 10000 RP. To prevent IP spoofing issues, consider implementing input Access Control Lists (ACLs) specifying all legitimate IP networks as sources. The Cisco 10000 series router processes input ACLs in the PXF before doing ISG processing.
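The uRPF restriction above and the earlier one-multiservice-interface-per-VRF restriction can both be checked offline against a saved configuration. The following audit script is an added example, not Cisco code; the finding labels, the GigabitEthernet7/0/1 stanza and the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

def stanzas(config):
    """Map each 'interface X' line to the sub-commands indented beneath it."""
    out, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = out.setdefault(raw.split(None, 1)[1].strip(), [])
        elif not raw.startswith(" "):
            cur = None  # '!' or any top-level command closes the stanza
        elif cur is not None:
            cur.append(raw.strip())
    return out

def audit(config):
    """Return (subject, finding) pairs; the finding labels are this example's own."""
    findings, vrf_users = [], defaultdict(list)
    for name, cmds in stanzas(config).items():
        for c in cmds:
            m = re.fullmatch(r"ip vrf forwarding (\S+)", c)
            if m and name.lower().startswith("multiservice"):
                vrf_users[m.group(1)].append(name)
        isg = any(c.startswith("ip subscriber") for c in cmds)
        urpf = "ip verify unicast reverse-path" in cmds
        in_acl = any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds)
        if isg and urpf:
            findings.append((name, "urpf-not-in-pxf"))
            if not in_acl:
                findings.append((name, "no-input-acl"))
    for vrf, names in vrf_users.items():
        if len(names) > 1:
            findings.append((vrf, "shared-by:" + ",".join(names)))
    return findings

# Constructed running-config; GigabitEthernet7/0/1 is a made-up second port.
SAMPLE = """\
interface multiservice 1
 ip vrf forwarding VRF_A
interface multiservice 2
 ip vrf forwarding VRF_A
interface GigabitEthernet7/0/0
 ip verify unicast reverse-path
interface GigabitEthernet7/0/1
 ip verify unicast reverse-path
 service-policy type control isg-control
 ip subscriber routed
  initiator unclassified ip-address
"""
```

`audit(SAMPLE)` flags GigabitEthernet7/0/1 twice (uRPF combined with ISG, and no input ACL) and reports VRF_A as shared by both multiservice interfaces; GigabitEthernet7/0/0, which has uRPF without ISG, is not flagged.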
An access list applied to an ISG interface does not take effect for IP traffic belonging to an existing ISG session until after the ISG session is cleared and reintroduced. Therefore, when applying ACLs to filter traffic on ISG-enabled interfaces, always clear the ISG sessions after applying the ACL.
On the Cisco 10000 series router, existing sessions are terminated when a VRF instance is changed on the access interface.
Cisco 7600 Router Restrictions
In Cisco IOS Release 12.2(33)SRC, the Cisco 7600 router does not support IP subscriber sessions on the following access interfaces:
- Gigabit EtherChannel (Port Channel)
- Switched virtual interfaces
- Generic routing encapsulation (GRE)
- PPP
- Layer 2 Tunnel Protocol (L2TP)
The shared port adapter interface processor (SIP2) network processor (NWP) does not support IP features configured on access, network, and multiservice interfaces for ISG subscriber traffic.
Subscriber redundancy and load balancing are not supported for IP subscribers.
Beginning in Cisco IOS Release 12.2(33)SRE, the Cisco 7600 router supports IP subscriber sessions only on the SIP400 and ES+ line cards and only on the following interfaces:
- Main interfaces and access-type subinterfaces on the SIP400 line card
- Main interfaces and all types of subinterfaces on the Ethernet Services Plus (ES+) line card
- Port-channel interfaces on the ES+ line card
The Cisco 7600 router enforces limits on the number of IP subscriber sessions per line card and router chassis. If the number of active sessions exceeds the following limits, an error message is displayed:
- Cisco 7600 chassis: 32,000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRE1 and later releases)
- ES+ line card: 4000 subscriber sessions per port group; 16,000 sessions per line card (supported in Cisco IOS Release 12.2(33)SRE and later releases)
- SIP400 line card: 8000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRD4 and later releases)