Cisco Network Registrar

Release Notes for Cisco CNS Network Registrar 6.0.5.4

Release Notes for Cisco CNS Network Registrar Release 6.0.5.4


October 26, 2004

These release notes are for Cisco CNS Network Registrar 6.0.5.4. They describe installation and upgrading, new software features, caveats, documentation, and technical assistance.

Contents

These release notes cover the following topics:

Purpose

System Requirements

Software and Standards Compatibility

Version Compatibility

Installation and Upgrading

Feature Added in Release 6.0.5

Features Added in Release 6.0.4

Features Added in Release 6.0.1

Features Added in Release 6.0

Caveats

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Purpose

This release builds on the success of the previous releases of this product, adds a new multi-access Web-based user interface (Web UI), and enhances server features and performance.

System Requirements

Network Registrar 6.0 runs on the following operating systems:

Windows 2000 (Service Pack 2 or later recommended), and Windows NT 4.0 (Service Pack 6a or later), with at least 512 MB RAM and 18 GB disk suggested.

Solaris 8 or 9, with at least 512 MB RAM and 18 GB disk suggested.

Red Hat Linux 7.3 (kernel version 2.4), with at least 512 MB RAM and 18 GB disk suggested.

A minimum of 310 MB of disk space is required to complete the installation. The full system requirements are described in the Network Registrar Installation Guide.

Network Registrar now includes a Web-based user interface (Web UI). This Web UI runs on a Tomcat server and requires a minimum of Microsoft Internet Explorer 5.5 (Service Pack 2) or Netscape 6.2, and the Java Runtime Environment (JRE) or Java Development Kit (JDK) version 1.3.1 or later installed. The Web UI and command line interface (CLI) run on all the listed operating systems. The Windows-based graphical user interface (GUI) runs on Windows 2000 and Windows NT 4.0.


Caution: You must obtain a new software license key and add it to the server when you first run Network Registrar 6.0. Your older license keys will not work. Be aware of this before installing the product. However, if you are upgrading from an earlier 6.0 release, the existing software license key will continue to work.

Software and Standards Compatibility

Network Registrar 6.0 is compatible with Cisco Broadband Access Center (BAC) Broadband Provisioning Registrar (BPR) 2.0 and later, and Cisco Address and Name Registrar (ANR) 2.0 and later.


Caution: Network Registrar is not compatible with Cisco Access Registrar. You cannot run the two products on the same host machine. Verify that Access Registrar was not installed on your server. The integrity of Network Registrar and Access Registrar is compromised if you try to run both products simultaneously.

The Network Registrar servers continue to comply with standard applicable RFCs, protocols, standards, and IETF drafts:

DNS servers—Compliant with RFCs 974, 1034, 1035 (with updates 1101 and 1183), 1995 (IXFR), 1996 (NOTIFY), 2136 (Dynamic DNS Updates), 2181 (Clarifications), 2308 (Negative Caching of DNS Queries), 2317 (Classless in-addr.arpa), 2782 (SRV), 2845 (Secret Key Transaction Authentication), and 2915 (NAPTR).

DHCP and BOOTP clients—Compliant with RFCs 951 (with updates 1497 and 1542), 1534, 2131, 2132, 2136, 3004, and 3046 (DHCP Relay Agent Information Option).

DHCP failover servers—Compliant with draft-ietf-dhc-failover-03.txt.

Trivial File Transport Protocol (TFTP)—Compliant with RFCs 1123 and 1350.

Lightweight Directory Access Protocol (LDAP) servers—Interoperation with any LDAPv2 or LDAPv3 servers compliant with RFCs 1798, 2241, and 2254 (Extensible Filtering).

Version Compatibility

Network Registrar 6.0 now includes three interoperable user interface options:

Web-based user interface (Web UI)—New for this release.

Command line interface (CLI, or the nrcmd program)—Includes new commands and attributes.

Windows-based user interface (GUI)—Includes a few modified dialog boxes.

The CLI and GUI are fully compatible with Network Registrar 5.5, 5.0, and 3.5. The Web UI can only be used with Network Registrar 6.0 servers. Also, the interfaces in the earlier versions cannot administer the Network Registrar 6.0 servers, due to changes in the database format. See the "Web-Based User Interface" section for a description of the new Web UI, and the "Command Line and Windows-Based User Interface Enhancements" section for enhancements and changes to the CLI and GUI.

Installation and Upgrading

The procedures for new installations, and upgrades from earlier versions, of Network Registrar are described in the Network Registrar Installation Guide. Windows installations are run through a Windows-based program, Solaris installations are run through the pkgadd command, and Linux installations are handled through the install_cnr program.

Be aware of the following for the Network Registrar 6.0 installation:

You must add a new software license key after you install Network Registrar 6.0. You cannot use your previous key. You cannot view or change the server configuration data unless you add the new license key. However, if you are upgrading from an earlier 6.0 release, the existing software license key will continue to work.

A minimum disk space of 310 MB is required to install the product.

Close all applications (especially virus scanning).

Complete previous configurations—If you are upgrading from a previous Network Registrar release, complete any configurations using the previous release so that the existing database, prior to conversion, is up to date. Do this as a precautionary measure. To upgrade from a release earlier than 3.5, you must first upgrade to 3.5. You cannot upgrade directly from a release earlier than 3.5.

Solaris installation change—Solaris installation is now initiated directly from the /solaris directory, and no longer from the /solaris/see_readme_before_using directory as in previous releases.

Data migration—The installation program tries to detect any configuration data from Release 5.5, 5.0, or 3.5, and if you select to do so, migrates the data to the new Network Registrar 6.0 databases.

Make a precautionary backup before beginning the upgrade. If the installation program fails to detect a previous version, it might overwrite the existing database without prompting.

To avoid filling up the Windows Event Viewer, in the Event Log Settings, check the "Overwrite Events as Needed" box. Otherwise, attempts to log messages fail once the Event Log is full.

Remove user intervention on server failures—On Windows, ensure that you set up your server host to allow Network Registrar servers to start up automatically in case of program exceptions. Remove any user intervention to program failures, which is set up by default on some debuggers such as Dr. Watson for Windows. Upon failure, a message box requires you to respond. This freezes the process and prevents the server from restarting until you respond, which is not always practical. Remedy this in Dr. Watson through its control dialog box, accessible in C:\WINNT\system32\drwtsn32.exe. Uncheck the Visual Notification option and implement the change.

Virus scanning and archiving programs—If you have virus scanning or automatic backup software enabled on your system, exclude certain Network Registrar directories from being scanned. Otherwise, it could damage Network Registrar operation. Exclude these directories and their subdirectories:

Windows—\Program Files\Network Registrar\data and ...\logs

UNIX and Linux—/var/nwreg2/data and .../logs.

Network Registrar also maintains lock files in the \temp directory on Windows and the /tmp directory on Solaris and Linux. They are recreated during reboot, but are vital while a system is running. Any maintenance process should also exclude this directory.

Other DNS, DHCP, and TFTP servers cannot run concurrently with Network Registrar DNS, DHCP, and TFTP servers. Once you install Network Registrar, you must take the appropriate action to disable the conflicting servers.

Usernames are now case insensitive as of Network Registrar 6.0. If you upgrade with usernames that differed in case only, the upgrade process differentiates them, and a warning message to that effect appears in the log files.


Note: The Network Registrar Installation Guide includes minor errors in the installation steps for Solaris and Linux. See the "Documentation Errata in the Installation Guide" section.


Feature Added in Release 6.0.5

This section describes the Fallback Support for DNS Queries feature added in Network Registrar 6.0.5.

Functionality was added for the DNS server to retry over TCP when it gets a truncated answer over UDP (as noted in RFC 2181) for queries whose complete data set would not fit in a single UDP packet.

Features Added in Release 6.0.4

This section describes the features added in Network Registrar 6.0.4:

Installation on Internationalized Solaris Systems

Multiple Hosts Can Resolve to the Same IP Address in the Web UI

Delegation-Only Domain Setup

Installation on Internationalized Solaris Systems

Beginning with Network Registrar 6.0.4, you can install Network Registrar on Solaris systems that do not have the C LANG environment. Internationalized versions can now install the product as long as the en_US locale is available on the system, even though it need not be the default language in use.

Multiple Hosts Can Resolve to the Same IP Address in the Web UI

Beginning with Network Registrar 6.0.4, you can enter the same IP address for one or more hosts on the List/Add Hosts for Zone and Edit Host pages of the Web UI. This was not previously possible and resulted in an "already in use, please respecify" error. The previous workaround was to add another A record with that address, which caused an inconsistency between the Host and Resource Records views of the DNS data. This inconsistency was resolved.

Delegation-Only Domain Setup

Network Registrar addresses unwanted resolution of unregistered domains to SiteFinder or other diversion mechanisms by adopting a solution similar to that of Internet Software Consortium (ISC) BIND, with its newly defined "delegation-only" zone "type" statement. Network Registrar does this through a DNS server-wide delegation-only-domains setting. (Note that this attribute is not included in the Release 6.0 documentation.)

Through this setting, zones are effectively limited to containing NS resource records for subdomains, but no actual data beyond their own apex (for example, SOA records and apex NS record sets). According to the BIND description, this can be used to filter out "wildcard" or "synthesized" data from authoritative nameservers whose undelegated (in-zone) data is of no interest.

The syntax of the attribute setting is:

nrcmd> dns set delegation-only-domains=list-of-domains 

The list of domains is a comma-separated list—com., net. is one example. When resolving a name in one of the specified domains and communicating with a server considered authoritative for one of them, the Network Registrar DNS server only considers answers that:

Are referrals to other servers.

Provide NS records in response to NS (or ANY) queries.

Contain glue records below a delegation and are accompanied by a referral (delegation NS records in the authority section).

Are in the specified domain.

Any responses that do not conform to one of these are converted to no-such-name (NXDOMAIN) responses. This also applies to no-such-data responses that indicate that a name exists, but does not hold records of the queried type.

The delegation-only-domains feature does not examine answers from forwarders or resolution exception servers. Those servers are queried recursively and may answer from cache, so that their responses may falsely test positive as violations of the delegation-only rules.


Caution: Configure the delegation-only-domains attribute only when absolutely necessary. For example, configuring "name." to be a delegation-only domain prevents e-mail from reaching all its registered users. In particular, do not use delegation-only domains for top-level domains whose charter allows for wildcard and other non-delegation names, such as the "name." and "museum." domains.
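
The acceptance rules above, modeled as an added example (not Cisco's or ISC's code): a simplified filter that classifies constructed upstream responses against the listed conditions. The RR and Response types, the function names and the sample data are assumptions for illustration, and each record is reduced to its owner name and type.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # record type, e.g. "A", "NS", "SOA"


@dataclass
class Response:
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)
    from_forwarder: bool = False  # forwarder or resolution-exception server


def norm(name):
    """Lowercase a name and make sure it ends with the root dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_domain_list(value):
    """Split the comma-separated attribute value, e.g. 'com., net.'."""
    return [norm(d) for d in value.split(",") if d.strip()]


def in_domain(name, domain):
    name, domain = norm(name), norm(domain)
    return name == domain or name.endswith("." + domain)


def filter_response(qname, qtype, resp, delegation_only):
    """Return 'accept' or 'NXDOMAIN' for one upstream response."""
    zones = [d for d in delegation_only if in_domain(qname, d)]
    # Answers from forwarders are not examined; other domains are unaffected.
    if resp.from_forwarder or not zones:
        return "accept"
    zone = max(zones, key=len)  # most specific configured domain
    # Referral: no answer data, NS records in the authority section that
    # delegate a name below the apex. Glue in the additional section rides along.
    referral_ns = [rr for rr in resp.authority
                   if rr.rtype == "NS" and in_domain(rr.name, zone)
                   and norm(rr.name) != zone]
    if not resp.answer and referral_ns:
        return "accept"
    # NS records returned for an NS or ANY query.
    if qtype in ("NS", "ANY") and any(rr.rtype == "NS" for rr in resp.answer):
        return "accept"
    # Data owned by the delegation-only domain itself (its apex).
    if resp.answer and all(norm(rr.name) == zone for rr in resp.answer):
        return "accept"
    # Everything else, including no-such-data and synthesized wildcard
    # answers, is converted to no-such-name.
    return "NXDOMAIN"


def demo():
    """Run the filter over constructed sample responses."""
    domains = parse_domain_list("com., net.")
    wildcard = Response(answer=[RR("no-such-name.com.", "A")],
                        authority=[RR("com.", "NS")])
    referral = Response(authority=[RR("example.com.", "NS")],
                        additional=[RR("ns1.example.com.", "A")])
    nodata = Response(authority=[RR("com.", "SOA")])
    return {
        "wildcard": filter_response("no-such-name.com.", "A", wildcard, domains),
        "referral": filter_response("www.example.com.", "A", referral, domains),
        "nodata": filter_response("example.com.", "MX", nodata, domains),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```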

Features Added in Release 6.0.1

This section describes the features added in Network Registrar 6.0.1:

Packet Cable (Option 122) Support

Relay Agent Information (Option 82) Device Class Support

Warning and Error Message List

Resource Record Data Field Descriptions in Online Help

Updates to the Installation Guide and User's Guide

Packet Cable (Option 122) Support

The DHCP extension interface was enhanced in Network Registrar 6.0.1 to allow specific access to the suboptions of the Packet Cable DHCP option (122), as defined in RFC 3495. This option and its suboptions are now definable in the request and response extension dictionaries. The DHCP server now also traces these suboptions in an easy-to-read format.

The Packet Cable option and its suboptions are described as follows:

cablelabs-client-configuration (option 122), suboptions:

1—ccc-primary-dhcp-server
2—ccc-secondary-dhcp-server
3—ccc-provisioning-server
4—ccc-as-backoff-retry-blob
5—ccc-ap-backoff-retry-blob
6—ccc-kerberos-realm
7—ccc-use-tgt
8—ccc-provisioning-timer
9—ccc-ticket-control-mask
10—ccc-kdc-addresses-blob

This option and its suboptions are now described in an update to the Network Registrar User's Guide.

Relay Agent Information (Option 82) Device Class Support

Network Registrar 6.0.1 includes support for suboption 4 (relay-agent-device-class) of the Relay Agent Information DHCP option (82), as defined in RFC 3256. This suboption is a 4-byte unsigned integer representing the device class or individual attributes of the cable modem. This suboption is now described in an update to the Network Registrar User's Guide.

Warning and Error Message List

Network Registrar 6.0.1 includes a list of warning and error messages that get logged during certain operational conditions in Network Registrar. This list is available in HTML format as links from a MessageIDIndex.html file to individual component files describing information, activity, warning, and error messages in the docs/msgid directory of the Network Registrar installation directory:

Windows—By default: C:\Program Files\Network Registrar\Docs\Msgid\MessageIDIndex.html

Solaris and Linux—By default: /opt/nwreg2/docs/msgid/MessageIDIndex.html

Resource Record Data Field Descriptions in Online Help

The online help for the Web UI in Network Registrar 6.0.1 includes a table of data field descriptions and examples for each DNS resource record type. Each description includes the exact syntax.

Updates to the Installation Guide and User's Guide

The documentation for Network Registrar 6.0.1 includes an update to the Network Registrar Installation Guide and Network Registrar User's Guide (see also the "Documentation Errata in the Installation Guide" section). These updates add the following enhancements:

More specific software media unpack and uncompress instructions for the Solaris and Linux operating systems.

Description of the environmentdictionary expression, missing from the previous User's Guide.

Corrections to DHCP extension point descriptions.

Description of the cablelabs-client-configuration (122) DHCP option—see the "Packet Cable (Option 122) Support" section.

The DHCP Extension Dictionary appendix of the User's Guide now includes the API calls that you can access from DHCP extensions.

Improved index to the User's Guide.

Features Added in Release 6.0

This section describes the new features in Network Registrar 6.0:

Licensing

Web-Based User Interface

Database Changes

DNS Server Performance Enhancement

Importing BIND 8 and BIND 9 Files

TSIG Security for Dynamic DNS Updates

Dynamic DNS Update Enhancements and Fixes

Access Control Lists

Enhanced DHCP Option Processing Through Expressions

Enhanced Namespace Configuration for MPLS Solutions

Unavailable Lease Reduction

Extension Point Enhancements and Changes

New cnr_exim Data Import Tool to Replace mcdadmin

Improved Data Validation

Command Line and Windows-Based User Interface Enhancements

Licensing


Caution: Network Registrar 6.0 requires a new license key. You cannot use any previous key, and you cannot view or edit server configuration data until you add the new license key. Add the new key through any of the user interfaces. Note that you should click Add License in the Web UI. If you are upgrading from an earlier 6.0 release, the existing software license key will continue to work.

Web-Based User Interface

Network Registrar 6.0 includes a new Web-based user interface (Web UI) that improves usability of Network Registrar features and provides better management control of servers and their configurations. Using the Web UI, you must connect to each cluster separately to manage the servers.

To access the Web UI, you need at least Internet Explorer (IE) 5.5 or Netscape 6.2. Page formatting and button behavior may be inconsistent when using other browsers or earlier releases of IE and Netscape. Help is provided with each page to define page constructs, edit fields, and their usage.

Features of the Web UI include:

Ability to use HTTP or secure HTTPS connections for user sessions.

Views to control user login and access.

Views to define users and assign roles to provide constraints for host and zone administrators.

Views for zone administration, including zone templates, and the ability to maintain consistency of configuration for primary and secondary DNS servers (zone distributions), including managing static and active resource records.


Note: Resource records are listed in BIND format, with named records grouped together and only the first record having the name displayed. Records are also listed in DNSSEC order, where the names are sorted hierarchically by highest label first, so that example.com comes before boston.example.com, per RFC 2535. The list of selectable record types is alphabetical.


Views for scope administration, including scope templates, and the ability to use expressions for calculating scope properties in templates.

Views for failover administration, and ability to synchronize failover server pairs.

Control of servers and setting of server attributes.

Views to control address space and subnets, and check for address space consistency.


Note: In the Web UI, "address blocks" and "subnets" refer to static and dynamic address space. The address-block and subnet commands in the CLI refer to DHCP-allocated addresses.


New functionality being introduced with the Web UI includes multiuser access to the servers and granular access controls for individual users. Concepts added to support these features are roles, constraints, and groups. Roles define the set of functions permitted for a given user. Constraints are then applied to a role to limit access. Read-only roles are set to view the same set of functions and can also be constrained to limit access. Groups associate a collection of users to a set of roles, which can also include defined constraints. When users are created, they can be assigned to a group or a set of roles. If the set of roles includes a read-only role, the read-only constraint takes precedence.

Constraints are implemented for host and zone administrators. These constrained roles simplify basic administrative tasks for less experienced users. For example, the most common operations that the host administrator performs concern significant events involving computer hardware—a new computer arrives, changes locations and its IP address, or changes owners and its name. As part of these events, the DNS information for that computer needs updating. The host administration pages organize these tasks so that they can be completed as easily and efficiently as possible.

Host and zone administrators can be constrained in the following ways:

The host administrator role can be constrained by a list of zones or a range of IP addresses that can be assigned to hosts. If constrained by a list of zones, only hosts in one of the allowed zones can be viewed, added, modified, or deleted.

The zone administrator can be constrained by a list of zones or owners:

If constrained by zones, a zone administrator cannot add zones or zone templates.

If constrained by owners, a zone administrator can add zones only if the zone template used to create the zone is owned by a valid owner.

Constrained zone administrators cannot modify, add, or delete secondary servers.

Administrators can also be assigned to groups and these groups to multiple roles. The base installation includes the predefined address-mgt-group and dns-mgt-group groups:

The address-mgt-group is automatically assigned the addrblock-admin, ccm-admin, and dhcp-admin roles.

The dns-mgt-group is automatically assigned the ccm-admin, host-admin, and zone-admin roles.

Multiple users can edit configuration data using the Web UI and should immediately have access to each other's changes. Pages are not refreshed automatically, however; this must be done manually using the Refresh icon on the page. (Note that the browser's refresh button will not refresh the data.)

You can access the Web UI unsecured through the http://localhost:8080 URL, or if you have secure login, the https://localhost:8483 URL. You can use the default superuser username and password, admin and changeme, to log in and create additional usernames. You should immediately change the password of the default user after completing the installation.

The Web UI is documented in the Network Registrar Web UI Guide and through online help.


Note: Object attributes listed in the CLI are also displayed in the Web UI, including the new ones described in the "Added or Changed Attributes" section. In the case of address blocks and subnets, the definitions differ between the two interfaces. In the Web UI, "address blocks" and "subnets" refer to static and dynamic address space. The address-block and subnet commands in the CLI refer to DHCP-allocated addresses.


Database Changes

Network Registrar 6.0 incorporates substantial changes to the server and configuration databases. When you upgrade to Network Registrar 6.0, your existing database automatically converts to the new format. In addition to the format changes, a few changes in behavior were introduced:

Usernames—These are no longer case sensitive. If the upgrade encounters a second username that differs only in case, a specifier is added to the second name. This is logged as a warning message during the upgrade.

Roles—Network Registrar 6.0 now includes granular administrative access. Existing usernames are converted to "nrcmd limited" users, except the distinguished username admin, which is promoted to superuser. If no admin user exists, a new default superuser is created with the password changeme.

New dynamic DNS update attribute—The zone attribute dynupdate-set was deprecated. The upgrade logic converts this attribute to the new update-acl attribute that replaces it. If the address specified in the dynupdate-set attribute is a network address rather than a specific IP address, it is converted into the correct IP address/netmask value required by the update-acl attribute.

Scope subnet property—The address and mask properties (addr and mask attributes) of scopes were replaced by a subnet property (subnet attribute). Even though the address and mask have values derived from the subnet, and you can change the mask using the scope name changemask netmask command, you cannot retrieve the address and mask values separately. The scope also includes a primary subnet property (primary-subnet attribute) that is the address and mask of the scope's primary scope if there are multiple logical subnets on the same physical network.

DNS Server Performance Enhancement

Network Registrar 6.0 improves the DNS server performance with respect to reload and RFC 2181 conformance, and the current implementation of negative caching (RFC 2308). The RFC 2181 conformance and negative caching enhancements bring the DNS server up to date with accepted best practices.

DNS server reload performance was dramatically improved such that server queries, zone transfers, and dynamic updates can be supported immediately on server startup. This applies even to configurations with large numbers of zones, resource records, and zone history records.

Importing BIND 8 and BIND 9 Files

You can now import named.conf files in the BIND 8 and BIND 9 format using the import named.conf command in the CLI.

TSIG Security for Dynamic DNS Updates

Network Registrar 6.0 adds transaction signature (TSIG) support for dynamic DNS updates, as described in RFC 2845. TSIG prevents dynamic updates to a zone from unauthorized addresses by using digital signatures. The DNS server and the client must have access to a shared key. The TSIG-enabled client appends a TSIG resource record to the regular DNS transaction message. This record includes a signature derived from its copy of the shared key. When the server receives a DNS message with a TSIG record, it authenticates it by deriving its own version of the signature from its copy of the shared key.

In this context, you can configure a Network Registrar 6.0 DNS server to accept dynamic DNS updates, and a DHCP server to perform dynamic DNS updates to a TSIG-aware DNS server (such as Network Registrar 6.0 or BIND 9.2). The advantages of TSIG over other security mechanisms are that it is relatively simple to configure, lightweight for resolvers and name servers to use, and flexible enough to secure DNS messages. RFC 2845 also defines security for all other DNS transactions (for example, zone transfers), which may be added in a future release.

In the Web UI, a CCM administrator can configure TSIG keys under the Keys tab of the Administration tab, or in the CLI by using the key name create command. The key requires a time skew and secret value. The key name must be in domain name syntax and the key secret must be in base64 encoded format. You can use the cnr_keygen tool, located in the Network Registrar usrbin directory on Solaris/Linux, or bin directory on Windows, to create valid random keys. You can copy and paste the output of the tool into the secret field to simplify data entry.

This key is used to create a TSIG resource record that the DHCP server sends in the update message. The DNS server tries to recognize the key name and determines if the time signature for the TSIG record falls in the time skew interval. If the secret value and MAC address match with those of the TSIG record, the DNS server allows the update.
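
How the signing and checking described above fit together, as an added example (not Network Registrar code): a client signs a constructed RFC 2136 update with HMAC-MD5 as RFC 2845 specifies, and a server checks the key name, the time skew and the signature in the order the paragraph gives. The key name, secret, addresses and function names are assumptions, and the TSIG fields are carried in a dict rather than appended as a wire-format record.

```python
import base64
import hashlib
import hmac
import struct

ALGORITHM = "hmac-md5.sig-alg.reg.int."  # the algorithm name RFC 2845 defines
SECRET = base64.b64encode(b"constructed demo key").decode()  # constructed value


def canon(name):
    """Key names compare case-insensitively; use lowercase with a root dot."""
    return name.lower().rstrip(".") + "."


def wire_name(name):
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    out = b""
    for label in canon(name).split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(msg_id, zone, host, ipv4, ttl=3600):
    """Minimal RFC 2136 UPDATE message adding one A record."""
    header = struct.pack("!6H", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update = wire_name(host) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update


def tsig_mac(secret_b64, message, key_name, time_signed, fudge):
    """HMAC over the unsigned message followed by the TSIG variables."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)          # CLASS ANY, TTL 0
        + wire_name(ALGORITHM)
        + struct.pack("!HIH", time_signed >> 32,
                      time_signed & 0xFFFFFFFF, fudge)  # 48-bit time, fudge
        + struct.pack("!HH", 0, 0)            # error, other-data length
    )
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message + variables, hashlib.md5).digest()


def sign(secret_b64, message, key_name, now, fudge=300):
    """Client side: produce the TSIG fields for one message."""
    return {"key_name": key_name, "time_signed": now, "fudge": fudge,
            "mac": tsig_mac(secret_b64, message, key_name, now, fudge)}


def verify(keys, message, tsig, now):
    """Server side: return a TSIG result name for one signed message."""
    secret = keys.get(canon(tsig["key_name"]))
    if secret is None:
        return "BADKEY"                       # key name not recognized
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"                      # outside the time skew interval
    expected = tsig_mac(secret, message, tsig["key_name"],
                        tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"                       # wrong secret or altered message
    return "NOERROR"


if __name__ == "__main__":
    keys = {"dhcp-update.example.com.": SECRET}
    msg = build_update(0x1234, "example.com.", "host1.example.com.", "192.0.2.10")
    tsig = sign(SECRET, msg, "DHCP-Update.Example.COM.", 1_000_000)
    print(verify(keys, msg, tsig, 1_000_010))
    print(verify(keys, msg, tsig, 1_000_301))
```

Because the key name is lowercased before lookup and before it enters the digest, a mixed-case key name verifies the same as its lowercase form.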

You can configure TSIG updates on the DHCP server or scope level using the new dynamic-dns-tsig, dynamic-dns-fwd-key, and dynamic-dns-rev-key attributes in the Web UI and CLI. You can set dynamic-dns-tsig to enable or disable all keys, or only for forward or reverse zone updates, and you can set the zone attribute to use the server settings. See the "Added or Changed Attributes" section for the command syntax.


Note: If you use mixed case TSIG key names, the DHCP server might log an erroneous warning message that it does not recognize the key. This is due to an inconsistency in how the DNS and DHCP servers interpret the key name, but the dynamic DNS update and TSIG processing still work as expected.


Dynamic DNS Update Enhancements and Fixes

You can now add and delete individual dynamic DNS records in the server database. This is available in the Web UI, and with the new zone name addDynRR command in the CLI. See the "Added or Changed Attributes" section for the command syntax.

Network Registrar 6.0 also fixes several defects related to dynamic DNS update processing. The following is a high level summary of the DHCP server behavior changes due to these fixes:

Pointer (PTR) records now point to A records when a client does an A record update—When a Windows 2000 client does address registration to a DNS server (thereby updating the A record), the DHCP server uses the client-provided host and domain name values to update the PTR records. This change is in effect only if the DHCP policy has the allow-a-record-update attribute enabled.

For example, if (1) the Windows 2000 client sends myname.client.com as an FQDN option, (2) the scope has the dns-zone-name attribute set to dnszonename.server.com, and (3) the policy has the allow-a-record-update attribute enabled, the PTR record that the DHCP server adds now points to myname.client.com. Before, the PTR record would point to dnszonename.server.com, which is inconsistent with the A record (myname.client.com) that the client added. (CSCdw02480)

Dynamic DNS updates operate correctly when the update-dns-first attribute is enabled—The update-dns-first attribute can be enabled for a scope if the DHCP server should perform dynamic DNS updates before granting a lease. The DHCP server now successfully updates the DNS server with the relevant A and PTR records before offering a lease. (CSCdt59419)

A DHCPDECLINE now removes the DNS name—The DHCP server, while processing a DHCPDECLINE for a client's lease, makes the lease unavailable and also deletes the dynamic DNS update records, if there is a DNS name associated with the lease. (CSCdp72776)

Network Registrar 6.0 now clears a lease client's existing host name, if the client no longer sends a host-name option in the DHCPREQUEST packet. This clears the existing host name that either the client provided in the past or the DHCP server synthesized, if the synthesize-name attribute was enabled for the scope in the past. (CSCdv36232, CSCdx34013, and CSCdx00854)

Access Control Lists

Network Registrar 6.0 now enables using access control lists (ACLs) through the Web UI and CLI. ACLs assign security keys to the DNS server or individual zones. They also provide an easier way to manage dynamic DNS update restrictions with a more versatile form of listing authorized networks and hosts. You can set ACLs by keys (see the "TSIG Security for Dynamic DNS Updates" section), IP addresses, network addresses, and other ACLs.

A new attribute, update-acl, was added to both DNS server and zones. The server-level update-acl attribute value is used by all primary zones. You can override this setting using the zone update-acl, which is unset by default. This attribute deprecates the dynupdate-set attribute used in previous releases to limit updates by IP address.

See the "Command Line Interface Enhancements" section for the acl command syntax and new attributes to the server and zone commands in the CLI. Be aware that you can use negation values.
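The following Python model is an added illustration, not Network Registrar code or nrcmd syntax. It shows how a zone-level update-acl replaces the server-level one and why the position of a negated element matters. The release notes do not state the evaluation order, so the model assumes first-match-wins (as in BIND address match lists) and default deny; the ACL names, key name, zone names, and addresses are hypothetical.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data: ACL names, key name, and addresses are hypothetical.
ACLS: Dict[str, List[str]] = {
    "mgmt-net": ["10.20.0.0/24"],
    # Negated host first, then a nested ACL, then a TSIG key.
    "dhcp-servers": ["!10.20.0.99", "mgmt-net", "key dhcp-main"],
}
SERVER_UPDATE_ACL = ["dhcp-servers"]                       # used by all primary zones
ZONE_UPDATE_ACL = {"secure.example.com": ["key dhcp-main"]}  # per-zone override


def evaluate(match_list: List[str], acls: Dict[str, List[str]], src_ip: str,
             tsig_key: Optional[str] = None,
             _stack: Tuple[str, ...] = ()) -> Optional[bool]:
    """Return True (allow), False (first hit was negated), or None (no match).

    Assumption: elements are checked in order and the first hit decides.
    tsig_key is the name of a key whose signature already verified.
    """
    addr = ipaddress.ip_address(src_ip)
    for raw in match_list:
        negated = raw.startswith("!")
        elem = raw[1:].strip() if negated else raw.strip()
        if elem.startswith("key "):
            hit = tsig_key is not None and tsig_key == elem[4:].strip()
        elif elem in acls:
            if elem in _stack:
                raise ValueError(f"ACL reference loop through {elem!r}")
            # A nested ACL counts as a hit only when it allows the sender.
            hit = evaluate(acls[elem], acls, src_ip, tsig_key,
                           _stack + (elem,)) is True
        else:
            # Host or network address; a bare host becomes a /32 (or /128).
            hit = addr in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negated
    return None


def update_allowed(zone: str, src_ip: str, tsig_key: Optional[str] = None,
                   server_acl: List[str] = SERVER_UPDATE_ACL,
                   zone_acls: Dict[str, List[str]] = ZONE_UPDATE_ACL,
                   acls: Dict[str, List[str]] = ACLS) -> bool:
    """Zone update-acl, when set, replaces the server-level update-acl."""
    match_list = zone_acls.get(zone, server_acl)
    # Assumption: a sender that matches nothing is refused.
    return evaluate(match_list, acls, src_ip, tsig_key) is True


if __name__ == "__main__":
    for zone, src, key in [
        ("example.com", "10.20.0.5", None),
        ("example.com", "10.20.0.99", None),
        ("secure.example.com", "10.20.0.5", None),
        ("secure.example.com", "192.0.2.7", "dhcp-main"),
    ]:
        print(zone, src, key, "->", update_allowed(zone, src, key))
    # Ordering pitfall: a negation placed after a broader match never fires.
    print(evaluate(["mgmt-net", "!10.20.0.99"], ACLS, "10.20.0.99"))
```

Under these assumptions, an override such as the one on secure.example.com narrows access rather than adding to the server list, so a host that relied on its address alone loses update rights for that zone.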

Enhanced DHCP Option Processing Through Expressions

Network Registrar 6.0 provides enhanced client-class support. You can now place a request into a client-class based on the contents of the request without having to register the client in the client database. Also, you can now place requests in a client-class based on the number of a subscriber's active leases, allowing limitations on the level of service offered to various subscribers. This is possible through the special DHCP options processing using expressions.

You can set the limitation on subscriber addresses by embedding special values in the DHCP relay-agent-info option (option 82, as described in RFC 3046). These values do not need to reveal any sensitive addresses. The special values are expressions you create that evaluate the incoming DHCPDISCOVER request packets against option 82 suboptions (remote-id or circuit-id) or other DHCP options. The expression is a series of if statements that return different values depending on what is evaluated in the packet against the DHCP option. This, in effect, calculates the client-class in which the subscriber belongs, and limits address assignment to the scope of that client-class.
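The lease limitation described above can be modeled as follows. This is an added Python sketch, not Network Registrar's expression language or server code. It parses the option 82 suboptions defined in RFC 3046, uses the remote-id as the limitation-id, and switches a request to the over-limit client-class once limitation-count active leases share that ID. The class names, the class used when no remote-id is present, and the sample payload are constructed assumptions.

```python
from typing import Dict, Optional, Set

CIRCUIT_ID, REMOTE_ID = 1, 2  # RFC 3046 suboption codes

# Constructed sample: circuit-id 00010005, remote-id 00:10:7b:aa:bb:cc.
SAMPLE_OPTION82 = bytes.fromhex("010400010005" "020600107baabbcc")


def parse_option82(payload: bytes) -> Dict[int, bytes]:
    """Split the relay-agent-info payload into {suboption code: value}."""
    subopts: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header")
        code, length = payload[i], payload[i + 1]
        end = i + 2 + length
        if end > len(payload):
            raise ValueError(f"suboption {code} overruns option 82 payload")
        subopts[code] = payload[i + 2:end]
        i = end
    return subopts


class LimitModel:
    """Model of limitation-id, limitation-count and over-limit-client-class-name."""

    def __init__(self, limitation_count: int, client_class: str,
                 over_limit_class: str, no_id_class: str) -> None:
        self.limitation_count = limitation_count
        self.client_class = client_class
        self.over_limit_class = over_limit_class
        self.no_id_class = no_id_class          # hypothetical fallback class
        self.active: Dict[str, Set[str]] = {}   # limitation-id -> client MACs

    @staticmethod
    def limitation_id(payload: bytes) -> Optional[str]:
        """Stand-in for the limitation-id expression: the remote-id as hex."""
        rid = parse_option82(payload).get(REMOTE_ID)
        return rid.hex() if rid else None

    def classify(self, client_mac: str, payload: bytes) -> str:
        lid = self.limitation_id(payload)
        if lid is None:
            # Assumption: requests without a remote-id cannot be counted,
            # so they are placed in a separate class.
            return self.no_id_class
        holders = self.active.setdefault(lid, set())
        if client_mac in holders:               # renewal of a counted lease
            return self.client_class
        if len(holders) < self.limitation_count:
            holders.add(client_mac)
            return self.client_class
        return self.over_limit_class

    def release(self, client_mac: str, payload: bytes) -> None:
        lid = self.limitation_id(payload)
        if lid is not None:
            self.active.get(lid, set()).discard(client_mac)


if __name__ == "__main__":
    model = LimitModel(2, "cm-subscriber", "cm-over-limit", "cm-no-relay-info")
    for mac in ("aa:01", "aa:02", "aa:03", "aa:01"):
        print(mac, "->", model.classify(mac, SAMPLE_OPTION82))
```

The count is only as trustworthy as the relay agent that inserts option 82, so the limitation-id should be taken from packets that arrive through relays you control.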

Enhanced Namespace Configuration for MPLS Solutions

In some cases, it is desirable to provision a virtual private network (VPN) inside of Network Registrar instead of externally, where it might have to be configured for every Cisco Internet Operating System (IOS) device. To support this capability, you can now specify a namespace for a client or client-class. Two new attributes are provided:

default-namespace—Namespace that the packet gets if it does not already have a vpn-id or vrf-name value.

override-namespace—Namespace that the packet gets no matter what is provided for a vpn-id or vrf-name value.

In a cable modem deployment, for example, you can use the override-namespace attribute to provision the cable modems. The client-class would determine the scope for the cable modem, and the scope would determine the VPN for the uBR. User traffic through the cable modem would then have the vpn-id suboption set and use the specific VPN namespace or a default-namespace, if one were defined.

Unavailable Lease Reduction

Leases become unavailable for a number of reasons, mostly due to serious errors that the DHCP server detects. The reason the server renders the lease unavailable is recorded in a precise log message in the log file. However, unavailable leases might become more numerous than desired, and you can prevent the server from setting them. In previous Network Registrar releases, you could enable a server attribute, ignore-requests-for-other-servers, which turned off the unavailable leases that occurred because one Network Registrar DHCP server saw a client reporting a lease that it believed it controlled, but with a server identifier that was not one of its own.

Network Registrar 6.0 allows you to disable another reason why a lease can go unavailable—when the server receives a DHCPDECLINE message. You can do this using a new scope attribute, ignore-declines, to turn off recognizing server declines. Therefore, you can now directly control the three reasons why leases become unavailable, using the following attributes:

Scope ping-clients

Scope ignore-declines

DHCP ignore-requests-for-other-servers

Along with these settings, all unavailable leases are now in that state for a configured time, after which time they again become available. A new policy attribute, unavailable-timeout, controls this time. The system_default_policy policy sets this value to one day by default:

nrcmd> policy system_default_policy set unavailable-timeout=86400 

To handle upgrades from previous releases of Network Registrar not having this timeout feature, a special upgrade timeout attribute was included at the server level, upgrade-unavailable-timeout, which also defaults to one day:

nrcmd> dhcp set upgrade-unavailable-timeout=86400 

The upgrade-unavailable-timeout value is the timeout given to leases set to unavailable before the Network Registrar 6.0 upgrade. This setting affects the running server only and currently does not rewrite the database. If the server stays up for one day without reloading, all of the unavailable leases that were present at the last reload will time out. If the server is reloaded in less than a day, the entire process restarts with the next reload. Note that this process only occurs for leases that were set unavailable before the upgrade to Network Registrar 6.0.

If a Network Registrar 6.0 failover server receives an update from a Network Registrar DHCP server running prior to Release 6.0, the unavailable leases do not have a timeout value. In this case, the Release 6.0 server uses the unavailable-timeout value configured in the scope policy or system_default_policy policy as the timeout for the unavailable lease.

Extension Point Enhancements and Changes

Two new extension points are available during DHCP processing:

post-class-lookup

lease-state-change

You can use the post-class-lookup extension point to change any data that the client-class caused to become associated with the request, including the limitation-id (see the "Enhanced DHCP Option Processing Through Expressions" section). The extension also receives information about whether evaluating the client-class-lookup-id attribute drops the packet. The extension not only finds out whether the packet is planned to be dropped, but can instruct the server not to do so. Also, an extension running at this extension point can set a new client-class for the request, so as to use the data from that client-class instead. This is the only extension point where setting the client-class uses it for the request.

Note that an extension attached to the post-class-lookup extension point is called only if the client-class-lookup-id is configured.

You can attach an extension to the lease-state-change extension point to receive control whenever a lease changes state. Consider it a read-only extension. Try not to use it to modify dictionary items, because it is called in many places in the server. The existing lease state is in the response dictionary lease-state data item, while the new lease state is in the environment dictionary under new-state. The extension is never called if the two states are equal.

New cnr_exim Data Import Tool to Replace mcdadmin

Because Network Registrar 6.0 extends the data repositories to serve the Web UI, the previous data import and export tool, mcdadmin, is no longer adequate. The cnr_exim data import and export tool now serves to import data to, and export data from, Network Registrar 6.0 servers. The cnr_exim tool overcomes the mcdadmin tool's inability to export dynamic resource record data.

Before using the cnr_exim tool, exit from the GUI or CLI. Then, find the tool at the following location:

On Windows, by default—C:\Program Files\Network Registrar\bin\cnr_exim.exe

On Solaris or Linux—/opt/nwreg2/usrbin/cnr_exim

You can import data in the raw format only. Note that you must reload the server for the imported data to become active.

The data import syntax is as follows:

> cnr_exim -i importfile [-N username -P password -C cluster] 

You can also overwrite existing data with the -o option:

> cnr_exim -i importfile -o 

The data export syntax is as follows:

> cnr_exim -e exportfile 

For details on the syntax and further options, see the Network Registrar User's Guide.

Improved Data Validation

Data entry validation is significantly improved in Network Registrar 6.0. The improvements cover:

Scope name and reservation uniqueness

Valid IP ranges

Scope ranges

Main and backup failover server values

Host names requiring real IP addresses

Command Line and Windows-Based User Interface Enhancements

Because the Network Registrar Windows-based graphical user interface (GUI) assumes that it is the only configuration editor and that only one editor can be used at any time, there is no refresh option to update data with changes entered by another session. You have to disconnect from the cluster, and then reconnect, to see the new data. In the CLI, you can use the new session cache refresh command to view the updates made in another session.

The following subsections describe the enhancements and changes made to the CLI and GUI.

Command Line Interface Enhancements

The following commands were added and attributes changed or deprecated in the CLI (see the Network Registrar CLI Reference).

Added Commands

The following new commands were added to the CLI:

acl command (see the "Access Control Lists" section):

acl name create [!] ["key value"] value[,...]—Creates an ACL based on a key, host or network address, or another ACL. Use the ! symbol for negation.

acl name delete—Deletes the specified ACL.

acl name add {key value | value}—Adds a key, host or network address, or another ACL.

acl name remove {key value | value}—Removes an element from an ACL.

acl list—Displays all ACLs and the values associated with them.

acl listnames—Displays only the names of ACLs.

acl name show—Shows the values associated with a specified ACL.

acl name get match-list—Gets the match list for the ACL.

acl name unset match-list—Unsets the match list for the ACL.

dhcp limitationList ipaddr [limitation-id] show command—Shows the DHCP clients and their leases that are currently associated by a common limitation ID (see the "Enhanced DHCP Option Processing Through Expressions" section).

export key keyname file—Exports a single transaction signature (TSIG) key that is configured on the cluster to a file (see the "TSIG Security for Dynamic DNS Updates" section).

export keys file—Exports all the TSIG keys that are configured on the cluster to a file (see the "TSIG Security for Dynamic DNS Updates" section).

import keys command—See the "TSIG Security for Dynamic DNS Updates" section.

import named.conf command—See the "Importing BIND 8 and BIND 9 Files" section.

key command (see the "TSIG Security for Dynamic DNS Updates" section):

key name create secret [attribute=value...]

key name delete

key name set attribute=value

key name unset attribute

key name get attribute

key name show

key list

key listnames

session cache {refresh | clear}—Refreshes or clears the cache of configuration objects.

zone name addDynRR owner [ttl] [class] type data—Adds a dynamic resource record of a certain type for a zone.

zone name removeCachedRR owner [type [data]]—Removes non-authoritative resource records from in-memory and persistent (non-authoritative) cache.

Added or Changed Attributes

New attributes were added to, or definitions changed for, the following commands:

address-block command:

address-block name set default-subnet-size—Sets the default subnet size for allocations from this address.

address-block name enable deprecated—Deprecates the address block.

admin command (see the "Web-Based User Interface" section):

admin name set groups—Sets a list of administrator groups, separated by commas.

admin name set nrcmd-flags—Sets the access level to the Network Registrar user interfaces. Values are limited and full.

admin name enable superuser—Gives the administrator superuser privileges in the Web UI.

client command:

client name set default-namespace—Namespace that the client gets if it does not already have a vpn-id or vrf-name value. See the "Enhanced Namespace Configuration for MPLS Solutions" section.

client name set over-limit-client-class-name—Sets the client-class name if the client exceeds the allowable limit of simultaneous active leases with a common limitation-id. See the "Enhanced DHCP Option Processing Through Expressions" section.

client name set override-namespace—Namespace that the client gets no matter what is provided for a vpn-id or vrf-name value. See the "Enhanced Namespace Configuration for MPLS Solutions" section.

client-class command:

client-class name set client-lookup-id—Sets the expression that produces the key value to use to look up the client in the client database. See the "Enhanced DHCP Option Processing Through Expressions" section.

client-class name set default-namespace—Namespace that the client-class gets if it does not already have a vpn-id or vrf-name value. See the "Enhanced Namespace Configuration for MPLS Solutions" section.

client-class name set limitation-id—Sets the expression that produces a number that relates leases for which there is a maximum limit on the number of simultaneous active leases allowed. See the "Enhanced DHCP Option Processing Through Expressions" section.

client-class name set over-limit-client-class-name—Sets the client-class name to use if the client exceeds the allowable limit of simultaneous active leases with a common limitation-id. See the "Enhanced DHCP Option Processing Through Expressions" section.

client-class name set override-namespace—Namespace that the client-class gets no matter what is provided for a vpn-id or vrf-name value. See the "Enhanced Namespace Configuration for MPLS Solutions" section.

dhcp command (see the "TSIG Security for Dynamic DNS Updates" section):

dhcp set activity-summary-interval—Time, in seconds, between activity summary log messages if enabled in the activity-summary setting in log-settings.

dhcp set client-class-lookup-id—Expression that determines a client-class solely on data in an incoming client request. See the "Enhanced DHCP Option Processing Through Expressions" section.

dhcp set drop-old-packets—The default value for this attribute was changed from 8 to 4 seconds.

dhcp set dynamic-dns-fwd-key—Server-wide security key to process all forward zone dynamic DNS updates.

dhcp set dynamic-dns-rev-key—Server-wide security key to process all reverse zone dynamic DNS updates.

dhcp enable dynamic-dns-tsig—Controls whether transaction signatures (TSIG) are used for DNS updates for leases from this server.

dhcp set expression-configuration-trace-level—Trace level to use when configuring DHCP expressions.

dhcp set expression-trace-level—Trace level to use when executing DHCP expressions. See the "Enhanced DHCP Option Processing Through Expressions" section.

dhcp enable force-dns-updates—Retries a dynamic DNS update whenever a client renews its lease.

dhcp disable ignore-cisco-options—Disables special processing of the Cisco vpn-id and other Cisco options.

dhcp set initial-environment-dictionary—Contains attribute-value pairs that initialize all environment dictionaries in the DHCP server.

dhcp set max-waiting-packets—The default value of this attribute was changed from 0 to 6.

dhcp enable synthesize-reverse-zone—Controls whether the DHCP server automatically generates the name of the reverse (in-addr.arpa) zone that is updated with PTR records.

dhcp enable trim-host-name—Controls whether the DHCP server trims the host-name string to the first period character (used to update dynamic DNS update records and to return the host-name option to clients).

dhcp set upgrade-unavailable-timeout—Assigns a timeout to an unavailable lease from a pre-Network Registrar 6.0 upgrade. See the "Unavailable Lease Reduction" section.

dhcp enable use-dns-update-prereqs—By default, the DHCP server uses prerequisites in its DNS update messages when it performs DNS updates on behalf of clients. This attribute used to be set at the scope level, which was deprecated.

dhcp enable validate-client-name-as-mac—Validates the client MAC address.

dns command:

dns set activity-summary-interval—Time, in seconds, between activity summary log messages if enabled in the activity-summary setting in log-settings.

dns enable axfr-multirec-default—Default multirecord full zone transfer (AXFR) choice for remote servers not found in the remote server list.

dns set delegation-only-domains—List of domains containing only delegations. See the "Delegation-Only Domain Setup" section for a description and usage guidelines. (This attribute is not described in the Network Registrar documentation.)

dns set log-settings—Added the activity-summary, config-details, query-errors, tsig, and tsig-details flags (see the "TSIG Security for Dynamic DNS Updates" section). The forward, packet, and query flags were removed.

dns set max-negcache-ttl—Sets an upper bound on the amount of time that a Network Registrar DNS server caches a negative response. (Replaces the neg-cache-ttl attribute used in previous versions of Network Registrar, but not compliant with RFC 2308.)

dns set query-source-port—UDP port number from which the DNS server sends queries to other servers when resolving names for clients. Zero indicates a random port.

dns enable simulate-zone-top-dynupdate—For Windows 2000 Domain Controller compatibility, when processing a dynamic update packet that attempts to add or remove A records from the name of a zone, responds as if the update was successful, rather than normally with a refusal.

dns set update-acl—Adds or updates one or more ACLs to a DNS server. See the "DNS Server Performance Enhancement" section. Replaces the dynupdate-set attribute.

lease name set limitation-id—Identifier that relates leases for which there is a maximum limit on those that are simultaneously active. See the "Enhanced DHCP Option Processing Through Expressions" section.

policy command:

policy name enable inhibit-all-renews—Causes the server to reject all renewal requests and forces the client to obtain a new address whenever it contacts the DHCP server.

policy name enable giaddr-as-server-id—Causes the DHCP server to set the server-id option on a DHCPOFFER and DHCPACK to the giaddr of the incoming packet, instead of the address of the server. (This attribute is disabled by default, so the server address is used.)

policy name enable inhibit-renews-at-reboot—Allows clients to renew their leases, but forces them to obtain new addresses each time that they reboot.

policy name set limitation-count—Sets the number of clients with identical limitation keys that are allowed to access the network. See the "Enhanced DHCP Option Processing Through Expressions" section.

policy name set unavailable-timeout—Controls the time that a lease remains unavailable before it becomes available again. See the "Unavailable Lease Reduction" section.

scope command (see the "TSIG Security for Dynamic DNS Updates" section):

scope name set dynamic-dns-fwd-key—Scope-wide security key to process all forward zone dynamic DNS updates.

scope name set dynamic-dns-rev-key—Scope-wide security key to process all reverse zone dynamic DNS updates.

scope name enable dynamic-dns-tsig—Controls whether transaction signatures (TSIG) are used for DNS updates for leases from this scope.

scope name enable ignore-declines—Controls whether the scope should turn off recognition of server lease declines. See the "Unavailable Lease Reduction" section.

scope name set primary-subnet—Subnet number of a scope's primary scope, used when multiple logical IP subnets are present on the same physical network.

scope name set subnet—Network address of the IP subnet represented by the scope. This attribute combines the previous addr and mask attributes. (Note that you can still set the mask separately using the scope name changeMask command.)

tftp enable write-allow-file-create—Allows file creation on a PUT. Default disable.

zone command:

zone name set nameservers—Comma-separated list of name servers.

zone name set subzone-forward=no-forward—Delegates authority to subzone servers, not forwarders. For zones with forwarders set (through the dns addForwarder command), the default behavior is to ignore delegation to subzone name servers and forward queries to these forwarding servers instead. You would normally need to set a resolution exception (through the dns addException command) to the subzone server. This can be impractical for a large number of subzones. With the subzone-forward attribute set to no-forward, when the server receives a query for any of its subzones, it tries to find relevant subzone NS records, resolve their corresponding IP addresses, and delegate the query to those IP addresses. Default normal.

zone name set update-acl—Adds or updates one or more ACLs to a DNS zone. See the "DNS Server Performance Enhancement" section. Replaces the dynupdate-set attribute.

Deprecated and Removed Attributes

Attributes were deprecated or removed from the following commands:

dns set neg-cache-ttl—Use in pre-6.0 releases only; replaced in 6.0 by dns set max-negcache-ttl.

scope name set addr and scope name set mask—Replaced by scope name set subnet.

scope name enable use-dns-update-prereqs—Now enabled or disabled on the DHCP server level.

tftp set log-file-count and tftp set log-file-size—Attributes reduced to visibility 3 and ignored in favor of the equivalent tftp serverLogs values (nlogs and logsize).

zone name set dynupdate-set—Use zone name set update-acl instead.

zone name set expire and zone name set minttl.


Caution: Existing scripts must be edited and updated to comply with these changes.

Windows-Based Interface Variations

Variations to the GUI appearance and behavior occur if you are connected to Network Registrar 6.0 protocol servers and pre-6.0 protocol servers. These variations occur for configuring subzones, sorting and filtering resource records, and adding CNAME and MX records for a zone, and are described in the Network Registrar User's Guide.

Caveats

This section describes the major resolved and unresolved bugs in Network Registrar 6.0.5.4.

You can find the complete bug list in the CNR6054_Bug_List.html file included with this documentation set, or at the Network Registrar software download site:

http://www.cisco.com/cgi-bin/Software/Tablebuild/tablebuild.pl/nr-eval

You must have a valid Cisco Connection Online (CCO) account to access the software download site.

Bugs Fixed in Release 6.0.5.4

The major bugs fixed in 6.0.5.4 are included in Table 1.

Table 1 Major Bugs Fixed in Release 6.0.5.4

| DDTS Number | Correction Made in Software Release 6.0.5.4 |
|---|---|
| CSCea56809 | Refreshed dynamic DNS records are no longer recorded as new adds by the DNS server, causing unnecessary full zone transfers. |
| CSCeb68725 | More useful debugging data is now included if Java is incorrectly configured and causes a failed server startup. |
| CSCee24336 | The prerequisite to assure that a DNS name exists before updating was dropped for reverse zone DNS updates. |
| CSCef15340 | The DNS server no longer fails if the config-detail log setting is enabled when a query-source-address is also defined. |
| CSCef16478 | The cnr_exim tool now properly exports a configuration that contains scopes with a large number of reservations defined. |
| CSCef19564 | The change log history mechanism for the MCD database now purges its unused database log files, thereby preventing the /data/mcd/ndb/logs directory from growing without bound. |
| CSCef40219 | Changes to resource record TTL values are now properly updated. |
| CSCef55119 | Failover synchronization in the Web UI no longer fails when one partner is Network Registrar 6.0.x and the other is 6.1.x. |
| CSCef69755 | Deleting a DHCP scope that has DNS updates pending no longer blocks subsequent updates. |
| CSCef72570 | On rare occasions when a DNS update contains an add and a delete of the same record, the server no longer fails outbound incremental zone transfers. |
| CSCef72602 | Changing a DNS zone from dynamic to static while leaving scavenging enabled no longer causes the server to fail. |
| CSCef90573 | The DHCP discover-interfaces attribute is now excluded from synchronizations between failover servers. |
| CSCeg02064 | Reservations added to the failover backup server when the main server is down are now marked available for lease. |

Documentation Errata in the Installation Guide

The following sections of the Network Registrar Installation Guide for Release 6.0 are incorrect:

In Network Registrar Release 6.0.5.1 and later, the option to disable the Web UI listed in the Installation and Upgrade sections of the operating system chapters no longer applies (Step 11 for Windows, and Step 9 for Solaris and Linux).

In the Solaris installation chapter—Step 7: Option 2 of the type of installation is for client-only, not server-only. The default is option 1, client and server installation. Also, in Step 13, you do not need to enter q to exit the setup program.

In the Linux installation chapter—Step 6: Option 2 of the type of installation is for client-only, not server-only. The default is option 1, client and server installation.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html