Release Notes for Cisco CNS Network Registrar 6.1.1.3

October 28, 2004

These release notes describe the new software features, installation updates, caveats, and documentation for Cisco CNS Network Registrar Release 6.1.1.3.

You can also refer to these documents for important information about installing, configuring, and managing Network Registrar:

For Network Registrar installation procedures, see the Cisco CNS Network Registrar Installation Guide.

For configuration and management procedures for Network Registrar, see the Cisco CNS Network Registrar User's Guide.

For details about commands available through the command line interface (CLI), see the Cisco CNS Network Registrar CLI Reference.

You can access Network Registrar technical documentation at this website:

http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/index.html

Contents

These release notes contain the following sections:

Purpose

Before You Begin

Software and Standards Compatibility

User Interfaces and Version Compatibility

Installations and Upgrade Considerations

Features Added in Release 6.1.1

Features Added in Release 6.1

Caveats

Open Source License Acknowledgements

Obtaining Documentation and Submitting a Service Request

Purpose

This release adds greater functionality to Network Registrar. Key enhancements include improved central management, more detailed lease history recording and reporting, and subnet utilization reporting.

Before You Begin

Review the following critical information before installing Network Registrar 6.1.1.3.

License Keys

Follow these guidelines concerning software license keys.

Each Network Registrar software license key addresses a separate functional area. You enter these license keys in the Web-based user interface (Web UI) or CLI, or during an upgrade installation. During an upgrade, you are prompted for a license key only if no valid license keys are found in the existing license file. If a valid license key is found, no prompting occurs during the upgrade.

Follow these guidelines to determine if you need a new license key:

Initial installation of Network Registrar—Use the license key that shipped with it.

Upgrading from Release 6.1 or 6.0—You can use a license key from Release 6.0 or 6.1 for a local server upgrade. Although a Network Registrar 6.0 license key operates on the local server cluster, the regional cluster requires one or more new license keys introduced in Release 6.1 to view or change the server configuration data.

Upgrading from a version before Release 6.0—Add a new license key. License keys that were valid before Network Registrar 6.0 will not work.

If you need a new license key for installation or upgrade, ensure that it is available before performing the installation or upgrade to allow Network Registrar cluster administration through the user interfaces.

System Requirements

Ensure that your system meets the necessary minimum requirements:

Java—You must have the Java Runtime Environment (JRE) 1.4 or later, or the equivalent Java Development Kit (JDK), installed on your system. The JRE is available from Sun Microsystems on their website.

Operating system—Table 1 shows the minimum requirements for the Network Registrar servers on Windows, Solaris, and Linux operating systems.

Table 1 Network Registrar Server Minimum Requirements

| Component | Windows | Solaris | Linux |
|---|---|---|---|
| CPU architecture | Intel Pentium III or equivalent | Sun Netra AC200 | Intel Pentium III or its equivalent |
| OS version | Windows 2000 (Service Pack 2 or later is recommended) (1) | Solaris 8 or Solaris 9 | Red Hat Linux 7.3 (kernel 2.4) or Red Hat Enterprise Linux ES (Enterprise Server) or WS (Workstation) 2.1 (kernel 2.4.9-e.24). Use RPM Package Manager (RPM) 4.0.4 or later. |
| RAM | 512 MB | 512 MB | 512 MB |
| Disk space | 18 GB recommended, minimum 310 MB required for installation | 18 GB recommended, minimum 310 MB required for installation | 18 GB recommended, minimum 310 MB required for installation |
| Swap space | 100 MB free swap space | 100 MB free swap space | 100 MB free swap space |

(1) Network Registrar was also tested for Japanese Windows 2000, with support for the English language version only.


User Interface—Network Registrar includes two user interfaces, a Web UI for local and regional clusters, and a CLI for local clusters:

The Web UI runs on a minimum of Microsoft Internet Explorer 5.5 (Service Pack 2) or Netscape 6.2.

The CLI runs in a Windows, Solaris, or Linux command window.


Caution: You cannot run Cisco CNS Network Registrar and Cisco CNS Access Registrar on the same machine. Attempting to do so will compromise the integrity of both products.

Software and Standards Compatibility

Network Registrar 6.1.1 is compatible with Cisco Broadband Access Center for Cable (BACC).

The Network Registrar servers comply with the applicable Request for Comments (RFCs), protocols, standards, and Internet Engineering Task Force (IETF) drafts:

Domain name system (DNS) servers—Comply with RFCs 974, 1034, 1035 (with updates 1101 and 1183), 1995 (IXFR), 1996 (NOTIFY), 2136 (Dynamic DNS Updates), 2181 (Clarifications), 2308 (Negative Caching of DNS Queries), 2317 (Classless in-addr.arpa), 2782 (SRV), 2845 (Secret Key Transaction Authentication), and 2915 (NAPTR).

DHCP and Bootstrap protocol (BOOTP) clients—Comply with RFCs 951 (with updates 1497 and 1542), 1534, 2131, 2132, 2136, 3004, and 3046 (DHCP Relay Agent Information Option).

DHCP failover servers—Comply with draft-ietf-dhc-failover-03.txt.

Trivial File Transfer Protocol (TFTP)—Comply with RFCs 1123 and 1350.

Lightweight Directory Access Protocol (LDAP) servers—Operate with any LDAP version 2 or 3 servers that comply with RFCs 1798, 2241, and 2254 (Extensible Filtering).

User Interfaces and Version Compatibility

Network Registrar 6.1.1 includes regional and local cluster Web UIs and a CLI (the nrcmd program). Note the following:

The CLI connects only to the local cluster. (Although the regional cluster installation provides the CLI, it is only present to provide connectivity with local clusters.)

As of Release 6.1, Network Registrar no longer supports the Windows-based graphical user interface (GUI).

Table 2 shows the interoperability of the local clusters with the Release 6.1.1 regional central configuration management (CCM) server. Because of changes to the database, user interfaces in pre-6.0 releases cannot operate with the Network Registrar 6.1 or 6.0 servers. The Network Registrar 6.1.1 CLI is compatible with the Network Registrar 6.1, 6.0, 5.5, 5.0, and 3.5 servers.

You can use the zone recovery tool that was added in this release to recover zones from other servers of the same version; that is, from a Release 6.0 to Release 6.0 cluster, or from Release 6.1 local and regional clusters to a Release 6.1 local cluster.

Table 2 6.1.1 Regional CCM Server Interoperability with Local Clusters

| Feature | Local Cluster 6.0 | Local Cluster 6.1 | Local Cluster 6.1.1 |
|---|---|---|---|
| Central push and pull: | | | |
| Address space | x | x | x |
| Scope templates, policies, client-classes | x | x | x |
| Zone data and templates | x | x | x |
| Groups, owners, regions | x | x | x |
| Administrators, roles | | | x |
| Administrator: | | | |
| Single sign-on | | x | x |
| Password change | | | x |
| IP history reporting: | | | |
| Central lease history | | x | x |
| Detail lease history | | | x |
| Utilization reporting: | | | |
| Central subnet utilization history | | x | x |
| Current subnet and scope utilization | | | x |


Installations and Upgrade Considerations

Review the following notes before installing Network Registrar or upgrading from a previous version. For the procedures to install Network Registrar, see the Cisco CNS Network Registrar Installation Guide.

General Installation

Review the following information before beginning a new installation or an upgrade:

Windows, Solaris, and Linux installations are performed through these means:

Windows—Using a Windows-based InstallShield setup program

Solaris—With the pkgadd command

Linux—Using the install_cnr script that uses RPM Package Manager (RPM)

On Windows, close all currently running applications, including any antivirus software.

The names of certain Network Registrar processes, files, and utilities were changed in Release 6.1, primarily because product regional and local cluster configurations were introduced. For these name changes, see the "Process, File, and Utility Name Changes" section.

On Windows, ensure that the Dr. Watson Visual Notification check box is unchecked. If checked, this option prevents the servers from restarting automatically if a failure occurs until you respond to a pop-up dialog box. The Visual Notification check box in Dr. Watson is usually enabled by default. Execute C:\WINNT\system32\DRWTSN32.exe, uncheck the Visual Notification check box, and then click OK. (You can perform this step after installation.)

To avoid losing the most recent log entries when the Application Event Log is full in the Windows Event Viewer, check the Overwrite Events as Needed check box in Event Log Settings for the Application Log. If the installation process detects that this option is not set properly, it displays a warning message advising corrective action.

Virus scanning and archiving programs—If you have virus scanning or automatic backup software enabled on your system, exclude these Network Registrar directories and their subdirectories from being scanned to prevent Network Registrar operations from being damaged:

Windows—

install-path\data (for example, C:\Program Files\Network Registrar\Local\data)
install-path\logs (for example, C:\Program Files\Network Registrar\Local\logs)

Solaris and Linux—

install-path/data (for example, /var/nwreg2/local/data)
install-path/logs (for example, /var/nwreg2/local/logs)

Because Network Registrar maintains lock files in the \Temp directory on Windows and the /tmp directory on Solaris or Linux, do not delete the contents of these directories while Network Registrar is running.

You cannot run the Network Registrar DNS, DHCP, or TFTP servers concurrently with any other DNS, DHCP, and TFTP servers. In many Windows 2000 server systems, these services are enabled and running by default. If the Network Registrar installation process detects that a conflict may exist, it displays a warning message. Before installing Network Registrar, take the appropriate action to disable the conflicting servers.


Note: Network Registrar includes a list of information, activity, warning, and error messages that are logged during certain operating conditions. This list is available in HTML files for each component as links from a MessageIDIndex.html file:

Windows—By default: C:\Program Files\Network Registrar\Docs\Msgid\MessageIDIndex.html
Solaris and Linux—By default: /opt/nwreg2/docs/msgid/MessageIDIndex.html


Upgrading

Before beginning an upgrade from an earlier version of Network Registrar, read the following notes specifically about upgrading.

The upgrade process differs slightly depending on which release you are upgrading from:

If you are upgrading from Network Registrar 3.5 or earlier, you must upgrade first to Release 5.5. Then you upgrade from Release 5.5 to 6.1.1. You cannot upgrade directly from Release 3.5 to 6.1.1.

If you are upgrading from Network Registrar Release 6.1, 6.0, 5.5, or 5.0, you can upgrade to Release 6.1.1 while preserving the earlier configuration (recommended), or you can replace the configuration with a clean database.

Complete these tasks before starting the upgrade:

Ensure that your environment meets the current system requirements. See the "System Requirements" section.

Complete any configuration changes in progress using the previous release so that the existing database is consistent before you perform the upgrade.

Back up your database. The installation program tries to detect configuration data from a Network Registrar 6.0, 5.5, and 5.0 installation. It also upgrades the data to the Network Registrar 6.1.1 database format if you choose to upgrade.

If you are upgrading from Release 5.5 and have IP history enabled, export and save your existing IP lease history data. Otherwise, the data will be lost.

Note the changes that can occur as a result of the upgrade:

If upgrading from Release 5.0 or 5.5—Beginning with Network Registrar 6.0, usernames are not case sensitive. If you are upgrading from Release 5.0 or 5.5 with usernames that differed in case only, the upgrade deconflicts these names, and a warning message to that effect appears in the log files. All existing usernames are converted to NRCMD limited access users, as defined in the Web UI, except the admin account, which is converted to superuser. If there is no admin account, it is created with a password of changeme.

If upgrading from Release 6.0—Beginning with Network Registrar 6.1, the localhost, localnet, any, and none access control list (ACL) names are reserved. If you are upgrading from Release 6.0 and have ACLs with these names in your current configuration, Network Registrar renames them with the oldname-1 convention and updates any instances of their use. For example, if you defined a localhost ACL in Release 6.0, the upgrade renames it localhost-1.

If upgrading from Release 6.0 or 6.1—Network Registrar 6.1.1 requires that administrators be assigned to groups that define their roles. If you are upgrading from Release 6.0 or 6.1 and have administrators assigned directly to roles, new groups will be created for each of these roles and the administrators will be reassigned to these new groups. The new groups will have the same name as the roles, followed by the suffix -group.
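The three upgrade side effects above can be checked before the upgrade is run. The following is an added example, not Cisco code: the function name, the input lists, and the sample names are constructed, and how the lists are exported from the existing cluster is left to the operator.

```python
"""Pre-upgrade check for the side effects of upgrading to Release 6.1.1."""
from collections import defaultdict

# ACL names reserved beginning with Release 6.1 (from the release notes).
RESERVED_ACLS = ("localhost", "localnet", "any", "none")


def audit_upgrade(from_release, usernames=(), acl_names=(), direct_roles=None, groups=()):
    """Return (severity, message) findings for an upgrade to 6.1.1.

    from_release -- "5.0", "5.5", "6.0" or "6.1"
    usernames    -- existing usernames (relevant when coming from 5.0/5.5)
    acl_names    -- existing ACL names (relevant when coming from 6.0)
    direct_roles -- {administrator: [role, ...]} assigned directly (6.0/6.1)
    groups       -- existing group names, used to spot name conflicts
    """
    direct_roles = direct_roles or {}
    findings = []

    if from_release in ("5.0", "5.5"):
        # Usernames are not case sensitive from 6.0 on, so names that differ
        # only in case collide and are deconflicted by the upgrade.
        folded = defaultdict(list)
        for name in usernames:
            folded[name.lower()].append(name)
        for names in folded.values():
            if len(names) > 1:
                findings.append(("warn", "usernames differ only in case: " + ", ".join(sorted(names))))
        # Assumption: only an account spelled exactly "admin" counts as the admin account.
        if "admin" not in usernames:
            findings.append(("high", "no admin account: the upgrade creates one with password 'changeme'"))
        limited = sorted(n for n in usernames if n != "admin")
        if limited:
            findings.append(("info", "converted to NRCMD limited access users: " + ", ".join(limited)))

    if from_release == "6.0":
        for acl in acl_names:
            if acl in RESERVED_ACLS:
                findings.append(("info", f"ACL {acl} is now reserved; renamed to {acl}-1"))

    if from_release in ("6.0", "6.1"):
        roles = sorted({r for rs in direct_roles.values() for r in rs})
        for role in roles:
            group = role + "-group"
            admins = sorted(a for a, rs in direct_roles.items() if role in rs)
            # The notes say numbers are appended on conflict but not in what form.
            note = " (name exists; the upgrade appends a number)" if group in groups else ""
            findings.append(("info", f"group {group}{note} created for: " + ", ".join(admins)))

    return findings


if __name__ == "__main__":
    # Constructed inventory of a Release 5.5 cluster without an admin account.
    for severity, message in audit_upgrade("5.5", usernames=["jsmith", "JSmith", "ops"]):
        print(f"{severity:5} {message}")
```
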

Features Added in Release 6.1.1

This section describes the features added in this release:

Central Management of Administrators, Groups, and Roles

IP Lease History Detail

Current Utilization Reporting

Improved DNS Query Performance

Enhanced Server Controls:

DHCP Failover Controls in the Web UI

Dynamic DNS Update Configuration

DNS Forwarder Configuration

Zone Recovery Tool

Connection Security Between Clusters

Central Management of Administrators, Groups, and Roles

In Network Registrar 6.1.1, you can centrally manage administrators and related administrator data. This feature allows administrators, groups, and roles to be defined centrally at one time and then populated throughout the system. To simplify central management, groups are used exclusively to associate administrators with roles. These groups now manage the role assignments.

If administrators in the previous release were configured with direct role assignments, the upgrade converts these role assignments to group assignments. Group names are created from role names by appending -group, with numbers appended as needed to avoid conflicting names. These groups are only created for the upgrade, and only for roles that have administrators associated with them. The upgrade does not automatically generate a group for roles that have no administrators associated with them.

For new Release 6.1.1 installations only (not upgrades), the regional and local clusters now create predefined groups for each base role.

Owner and region information is also centrally managed because this information provides the basis for role permissions. Owners and regions now have a push-and-pull mechanism at the regional level that is independent of the administrators/groups/roles push and pull.

Administrator password management was also enhanced so that any administrator can change his or her own password. Before this release, administrators could change their passwords at the local or regional levels only if they had ccm-admin and regional-admin role permissions, respectively. (You can change passwords in the Web UI.)


Note: You can use this administrator central management feature between Network Registrar Release 6.1.1 and later clusters. In releases earlier than 6.1.1, you could not pull and push all data related to this feature between clusters.


IP Lease History Detail

A new option is available to record additional detail in the IP lease history. When IP lease history detail is enabled, each interaction between the DHCP server and client is recorded and reported.

The DHCP and CCM servers each have a new configuration attribute in the lease-history category:

ip-history-detail—Causes the DHCP server to maintain a database that records every change to a lease binding, including each renewal. This feature is only meaningful if ip-history is enabled. (default: disabled).

lease-hist-detail—If polling for IP lease history, the CCM server also asks the DHCP server to return history detail if it is available. (default: enabled).

Current Utilization Reporting

The current utilization reporting feature lets you view current subnet or scope utilization data from the regional or local Web UI:

Local and regional Web UI pages display current utilization by address block, subnet, and scope.

New current utilization Web pages provide a convenient link to the most recent historical subnet utilization data.

Enhanced regional Web UI pages display historical data so that the latest data for each address block and subnet is shown, with access to previous history if desired. Simple calculated fields, such as %free, were added to the report. In addition, all subnet utilization queries filter on virtual private networks (VPNs).

The report CLI command was changed. It now provides a one-line summary of lease utilization for each scope, subnet, and address block. The summary line includes the subnet (number and mask), scope name, total for dynamic leases, total for reserved leases, percentage of dynamic leases that are free, and counts for various lease states.

These attributes for the report command were deprecated in Release 6.1.1.

config=config-file

leasing-only

mask-bits

dns-only

Improved DNS Query Performance

The DNS server was enhanced to provide greater DNS query throughput (the number of queries per second that a DNS server can handle). Improvements to input request queue handling allow the server to handle concurrent queries more effectively. Throughput is increased by as much as 50 percent on dual-processor systems. In the server's default configuration, cached answers to queries are also persisted to disk. Because writing to disk can be very costly in terms of performance, a new attribute was added to disable this feature. When time-to-live (TTL) values are relatively short, there is little value in saving the cache entries, because they are likely to have expired by the time they are next retrieved from disk.

These attributes were added in Release 6.1.1:

max-dns-packets—Specifies the maximum number of packets that the DNS server handles concurrently (default: 500).

persist-mem-cache—For records stored in the server's in-memory cache, specifies whether or not the DNS server should read and write records to and from the persistent cache database (cache.db) (default: enabled).

auth-db-cache-kbytes—Size (in kilobytes [KB]) of the internal cache of authoritative records retrieved from the authoritative zone database (authzone.db) (default: 5 MB).

cache-db-cache-kbytes—Size of the internal cache of records retrieved from the cache db (default: 5 MB).

In addition, the default for the DNS mem-cache-size attribute was changed from 200 KB to 10 MB.

Enhanced Server Controls

This section explains additional server improvements added in this release.

DHCP Failover Controls in the Web UI

With this release, equivalents of the getRelatedServers and setPartnerDown CLI commands were added to the local and regional Web UIs. These two commands are useful when you are monitoring the failover pair's operation.

In the regional Web UI, these features were added to the View Cluster Tree and the List Failover Pairs pages. On the local Web UI, they were added to the Manage DHCP Server and List Failover Pairs pages.

For failover servers, if you click the server name, the View Failover Related Server page displays comprehensive information concerning the failover relationship represented by this related server.


Note: This functionality in the Web UI is only available when interacting with a Release 6.1.1 cluster.


Dynamic DNS Update Configuration

The scope dynamic-dns attribute has been extended to use these new configuration values:

update-none—Does not perform dynamic DNS update for leases in this scope.

update-all—Performs dynamic DNS update to forward and reverse zone for leases in this scope.

update-fwd-only—Performs dynamic DNS update to forward zone alone for leases in this scope.

update-rev-only—Performs dynamic DNS update to reverse zone alone for leases in this scope.

If you are using CLI scripts that enable or disable dynamic-dns, you need to edit them to work with Release 6.1.1:

The scope name enable dynamic-dns command changes to the new command syntax scope name set dynamic-dns=update-all

The scope name disable dynamic-dns command changes to scope name set dynamic-dns=update-none
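The two command changes above can be applied to existing CLI scripts mechanically. The following is an added example, not part of the release notes or of Network Registrar: the function name and the sample script are constructed, and treating lines that start with # as comments is an assumption.

```python
"""Rewrite pre-6.1.1 'enable/disable dynamic-dns' scope commands."""
import re

# Matches: scope <name> enable|disable dynamic-dns
# The scope name may be quoted; other attributes after enable/disable are left alone.
_PATTERN = re.compile(
    r'''
    (?P<head>\bscope\s+(?:"[^"]+"|\S+)\s+)
    (?P<verb>enable|disable)\s+dynamic-dns(?![\w-])
    ''',
    re.IGNORECASE | re.VERBOSE,
)


def _rewrite(match):
    # enable -> update-all, disable -> update-none, as listed in the release notes.
    value = "update-all" if match.group("verb").lower() == "enable" else "update-none"
    return f'{match.group("head")}set dynamic-dns={value}'


def migrate(script_text):
    """Return (new_text, changes); changes is a list of (line_no, old, new)."""
    out, changes = [], []
    for line_no, line in enumerate(script_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            new = line  # assumed comment syntax: leave untouched
        else:
            new = _PATTERN.sub(_rewrite, line)
        if new != line:
            changes.append((line_no, line.strip(), new.strip()))
        out.append(new)
    tail = "\n" if script_text.endswith("\n") else ""
    return "\n".join(out) + tail, changes


# Constructed sample script; scope names and 'example-attr' are placeholders.
SAMPLE = """\
# constructed sample, not from a real deployment
nrcmd scope lab-net enable dynamic-dns
scope "guest wifi" disable dynamic-dns
scope lab-net enable example-attr
scope lab-net set dynamic-dns=update-fwd-only
# scope old-net enable dynamic-dns
"""

if __name__ == "__main__":
    text, edits = migrate(SAMPLE)
    for line_no, old, new in edits:
        print(f"line {line_no}: {old!r} -> {new!r}")
```
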

These changes were made to the DNS extensions:

In the request dictionary, a new update-dns attribute was added as a read/write integer. This attribute lets extension users request partial, full, or no dynamic DNS updates on a per-request-packet basis. These are the acceptable (input and output) values:

Update-none—Equivalent to a scope dynamic-dns update-none setting; the DHCP server does not perform any DNS updates.

Update-all—Equivalent to a scope dynamic-dns update-all setting; the DHCP server performs both the forward and reverse zone updates, regardless of the scope dynamic-dns configuration.

Update-fwd-only—Equivalent to a scope dynamic-dns update-fwd-only setting; the DHCP server performs only the forward zone updates, regardless of the scope dynamic-dns configuration setting.

Update-rev-only—Equivalent to a scope dynamic-dns update-rev-only setting; the DHCP server performs only the reverse zone updates, regardless of the scope dynamic-dns configuration.

In the response dictionary, a new attribute scope-update-dns was added as a read-only integer. The return values are the same as for the request attribute: update-none, update-fwd-only, and update-rev-only.

DNS Forwarder Configuration

In previous releases, when a query (nonauthoritative and not yet cached) was sent to a forwarder, the server waited a fixed time of 8 seconds for a response before querying the next forwarder. In Release 6.1.1, you can configure this time period by using the following new attributes:

forward-retry-time—Pertains to forwarding a DNS query in slave mode to a forwarder or resolution exception server (default: 8 seconds).

request-retry-time—Dictates the retry time interval, in seconds, when querying a configured server (not in slave mode). This time interval is used in general User Datagram Protocol (UDP) queries in response to DNS client queries, zone transfer start of authority (SOA) queries, incremental zone transfer (IXFR) requests, and notify requests (default: 4 seconds).

request-expiration-time—Governs the expiration time, in seconds, of a DNS request (that is, a DNS query, zone transfer SOA query, IXFR request, or notify request) (default: 90 seconds).

restrict-recursion-acl—As a global ACL, restricts the recursive queries that the DNS server honors. This list can contain hosts, network addresses, transaction signature (TSIG) keys, and ACLs that restrict recursive queries to a certain set of DNS clients (default: any).

tcp-query-retry-time—Defines the retry time for DNS queries over a TCP connection (not in slave mode) (default: 10 seconds).

Zone Recovery Tool

The zone recovery tool is a command line tool whereby you can convert a secondary zone to a primary zone when the primary zone is lost. The tool lets you pick different sources from which to extract the necessary data and specify a target machine.

If you need to extract information from a primary and a secondary source, the two sets of information are merged to produce a complete configuration. In this case, however, the primary zone configuration takes precedence, and only the nonduplicated resource record (RR) sets are used from the secondary configuration source.

The tool exists in the bin directory on Windows and the usrbin directory on Solaris or Linux. For additional information about using the tool, see the Cisco CNS Network Registrar User's Guide.

Connection Security Between Clusters

Network Registrar 6.1.0.1 added support for configuring connection security between clusters, failover servers, and zone distribution servers by using a new use-ssl attribute for outbound connections:

At the regional cluster, for connections to local clusters.

For local and regional DHCP failover pair connections to remote servers.

For local and regional zone distribution connections to remote servers.

In each case, the new use-ssl attribute can have one of three values:

Optional (default)—If the Security Option is installed, use secure connections; otherwise, do not require them.

Required—The Security Option is required to handle secure connections.

Disabled—Disable secure connections.

In previous releases, both inbound and outbound connection security was determined through the cnr.conf file security-mode setting. This setting now controls inbound connections only. However, if security-mode is disabled and outbound connections are configured with use-ssl required, the connections will fail, because a secure connection is not possible.
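The interaction between use-ssl, the Security Option, and security-mode can be tabulated per outbound connection to see which links end up unencrypted. The following is an added example, not Cisco code: the function and class names and the inventory are constructed. It assumes that security-mode refers to the cnr.conf of the cluster making the connection, that any security-mode value other than disabled permits secure connections, and that an optional connection falls back to an unencrypted one when a secure connection is not possible.

```python
"""Evaluate outbound connection security from use-ssl and cnr.conf security-mode."""
from dataclasses import dataclass

USE_SSL_VALUES = ("optional", "required", "disabled")


@dataclass
class Outbound:
    kind: str                  # "local-cluster", "failover" or "zone-distribution"
    peer: str                  # constructed peer name
    use_ssl: str = "optional"  # documented default


def outcome(use_ssl, security_option_installed, security_mode):
    """Return "ssl", "plaintext" or "fail" for one outbound connection."""
    use_ssl = use_ssl.lower()
    if use_ssl not in USE_SSL_VALUES:
        raise ValueError(f"unknown use-ssl value: {use_ssl}")
    # A secure connection needs the Security Option and a security-mode
    # that is not disabled (assumption stated in the lead-in).
    can_secure = security_option_installed and security_mode.lower() != "disabled"
    if use_ssl == "disabled":
        return "plaintext"
    if can_secure:
        return "ssl"
    # required cannot be satisfied -> the connection fails;
    # optional does not require security -> assumed unencrypted fallback.
    return "fail" if use_ssl == "required" else "plaintext"


def audit(security_option_installed, security_mode, links):
    """Return (kind, peer, result, note) for every outbound link."""
    report = []
    for link in links:
        result = outcome(link.use_ssl, security_option_installed, security_mode)
        if result == "ssl" and link.use_ssl.lower() == "optional":
            note = "secure now, but not enforced"
        elif result == "ssl":
            note = "secure and enforced"
        elif result == "fail":
            note = "connection fails: a secure connection is not possible"
        else:
            note = "unencrypted"
        report.append((link.kind, link.peer, result, note))
    return report


# Constructed inventory for a regional cluster.
LINKS = [
    Outbound("local-cluster", "local-east"),               # default: optional
    Outbound("failover", "dhcp-backup", "required"),
    Outbound("zone-distribution", "dns-secondary", "disabled"),
]

if __name__ == "__main__":
    for installed, mode in ((True, "optional"), (False, "optional"), (True, "disabled")):
        print(f"Security Option installed={installed}, security-mode={mode}")
        for row in audit(installed, mode, LINKS):
            print("   ", row)
```
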

Features Added in Release 6.1

This section briefly describes the features that were added in Release 6.1:

Central Cluster Administration

Enhanced Address Management

Cluster Management:

Cluster Licensing

Regional Administrator Roles

Regional Address Space Management

Replica Data Propagation

RIC Server Support for Cisco CMTSs

DNS Server Enhancements

DHCP Server Enhancements

Import/Export Utility Enhancements

Process, File, and Utility Name Changes

These features and corresponding commands are described in greater detail in the Cisco CNS Network Registrar User's Guide and the Cisco CNS Network Registrar CLI Reference.

Central Cluster Administration

Network Registrar 6.1 adds a regional management cluster to the local address server and address management architecture of Network Registrar 6.0 (see Figure 1). This regional cluster acts as an aggregate management system for up to 100 local clusters. Address and server administrators interact on the regional and local clusters through the regional and local Web UIs.

The regional cluster consists of a CCM server, router interface configuration (RIC) server, Tomcat Web server, and server agent.

A typical deployment is one regional cluster at a customer's network operation center (NOC), the central point of network operations for an organization. Each division of the organization includes a local address management server cluster responsible for managing a part of the network.

The regional cluster can also manage router interfaces responsible for end-point cable modem termination systems (CMTSs). (See the "RIC Server Support for Cisco CMTSs" section.)

Figure 1 Network Registrar User Interfaces and the Server Cluster

Enhanced Address Management

This release significantly improves address management by providing a central view of address allocations spanning multiple Network Registrar DNS and DHCP servers and associated routers. The regional cluster supports a model in which address space flows from external authoritative sources to edge routers and network devices.

Address blocks are assigned from the authoritative source to intermediary allocators and are eventually divided into subnets for assignment to router interfaces. These subnet addresses are allocated statically to manually configured devices or assigned to DHCP servers for dynamic allocation.

Cluster Management

The Network Registrar 6.1 regional cluster centrally manages address space and protocol server configurations such as policies, client-classes, and scope templates. Administrators at the regional cluster can manage a list of Network Registrar local clusters and their credentials by using the regional Web UI. Local cluster data is replicated at the regional cluster.

Table 2 shows the added functionality in releases 6.1 and 6.1.1. These functions require authentication and authorization, which are handled through multiple licensing and administrator role assignments, as described in the following subsections.

Cluster Licensing

These are the new licenses required for user and feature authentication and authorization:

Local cluster (local-cluster) license—At the local cluster, sets the permissions to manage the DNS, DHCP, and TFTP protocol servers for the local cluster.

Central cluster (central-cluster) license—At the regional cluster, sets permissions to manage the local clusters.

Address space (addrspace) license—At the regional cluster, sets permissions to manage subnets and address blocks and to view IP address history and subnet utilization data.

Router (router) license—At the regional cluster, sets permissions to manage router interfaces through the router interface configuration (RIC) server.

Node count (node-count) license—At the local and regional clusters, reports the number of licensed nodes.

For information about when you need a new license key, see also the "License Keys" section.

Regional Administrator Roles

These are the new regional cluster administrator roles:

Central configuration administrator (central-cfg-admin)—Manages the local server clusters and routers to be centrally administered, along with the DHCP objects, failover pairs, and zone distributions. You can constrain the role by owners, regions, and subroles. The subroles are dhcp-management, ric-management, and dns-management.

Regional administrator (regional-admin)—Manages administrators, groups, roles, and licenses and views database change logs and tasks. The subroles are authentication, authorization, owner-region, server-management, and database.

Regional address administrator (regional-addr-admin)—Manages the address space allocated to organizations, delegates address blocks to local clusters, and views address utilization and lease history reports. The subroles are subnet-utilization, lease-history, ric-management, and dhcp-management. (See also the "Regional Address Space Management" section.)

Regional Address Space Management

The regional address space administrators can manage these central cluster functions:

Address aggregation—The local address block can be rolled up (through replication) under its parent at the regional cluster, which allows a unified view of the address space at the regional cluster without affecting the local cluster configuration.

Address delegation—Administrators can delegate address space to the local cluster, which gives up authority of the delegated object.

IP address (lease) history reports—These reports provide a single vantage point on the IP lease history of multiple DHCP servers.

Subnet utilization reports—The regional cluster supports subnet utilization reporting across regions, protocol servers, and sets of network hardware.

Polling configurations—The administrator can control the intervals and periods of local cluster polling for replication, IP histories, and subnet utilization. You can also set the IP history and subnet utilization trimming ages and compacting intervals at the CCM server level.

These DHCP attributes were added for this feature:

collect-addr-util-duration—Maximum time period, in hours, that the server maintains address utilization data (default: 0 hours).

collect-addr-util-interval—Frequency, in minutes or hours, that the DHCP server should maintain address utilization data snapshots (default: 15 minutes).

Replica Data Propagation

The regional cluster maintains copies, called replicas, of configuration objects that are authoritatively managed at the local clusters. You can use this data as input to consistency validation rules, and you can pull (propagate) it into the authoritative data for the regional cluster. In general, the pull functions attempt to build a unified model of the data stored in the local clusters and then merge this model with the existing data in the regional datastore:

Pulling address space—The address space model is created by looking at the scope, subnet, and address block information on the local clusters. The scope information provides the failover pair information for subnets.

Pulling zone data—The list of zones and the mappings of primary and secondary servers are pulled from the replica data by examining the lists of replica primary (forward and reverse) and secondary zones and the servers with which they are associated.

RIC Server Support for Cisco CMTSs

Network Registrar 6.1 adds support for Cisco cable modem termination systems (CMTSs), the Cisco 7200 and Cisco 10000 series Universal Broadband Routers (uBRs), through the RIC server module in the regional cluster. Network Registrar maps the relationship between a CMTS and the DHCP server that services it through the Router Interface Configuration (RIC) server, which manages the interfaces and address space that reside on the CMTS. The RIC server synchronizes periodically with the CMTS through Telnet or secure shell (SSH).

DNS Server Enhancements

Network Registrar 6.1 enhances the DNS server by adding the following capabilities:

Zone transfers based on transaction signatures (TSIGs)—You can restrict DNS zone transfers based on TSIGs. The TSIG data can include a list of server IP addresses, networks, and TSIG keys. This attribute was added for this feature:

master-servers—For secondary zones, the list of servers from which data can be transferred. You can append each server address with an optional TSIG key name to configure secure zone transfers, in the syntax address-key. If you use the zone name create secondary addr command to create the secondary zone instead, the addr in that syntax becomes the master-servers value (no default).

The master-servers attribute replaces the auth-servers attribute. (You may need to update existing scripts written for previous releases.)

Restricted query access control lists (ACLs)—Network Registrar 6.1 enables you to limit query clients based on the ACL, source IP, or network address. The ACL can contain another ACL or a TSIG key. You can limit queries at the DNS server level or the zone level:

restrict-query-acl—Limits query clients based on the source IP address, source network address, or ACL (default: allow all queries).

restrict-xfer-acl—ACL that designates who is allowed to receive zone transfers. The zone value overrides this setting. (This attribute replaces the restricted-set attribute.) (default: none) (You may need to update existing scripts written for previous releases.)

Named ACLs—Network Registrar 6.1 reserves these ACL names to improve your ability to configure ACLs:

any—Anyone can perform a certain action.

none—No one can perform a certain action.

localhost—Any local host IP address can perform a certain action.

localnet—Any local network can perform a certain action.

If you are upgrading from Release 6.0 and have ACLs with the localhost, localnet, any, or none names in your current configuration, Network Registrar renames them with the oldname-1 convention and updates any instances of their use. For example, if you defined a localhost ACL in Release 6.0, the upgrade renames it localhost-1.

Enhanced statistics—Network Registrar 6.1 adds the following statistical performance counters so you can better measure the performance of its DNS server, including query performance, security, internal errors, and maximum counters:

activity-counter-interval—Sample time interval of server counters (default: 5 minutes).

activity-counter-log-settings—Logs DNS server activity counters in different categories (default categories: total, performance, query, errors, and security).

activity-sample-interval—Sampling period of DNS activity counters, in seconds (default: 5 minutes).

These additional DNS attributes were added:

default-negcache-ttl—Time, in seconds, that negative answers are cached if no SOA resource record exists in the authority section of the reply. An SOA record in the authority section of a negative answer overrides this attribute value (default: 0 seconds).

delegation-only-domains—Limits zones to contain name server (NS) resource records for subdomains but no actual data beyond their own apex (for example, SOA records and apex NS record sets) (no default).

The lame-delegation-notify attribute was deprecated in this release. (You may need to update existing scripts written for previous releases that used this attribute.)

DHCP Server Enhancements

Network Registrar 6.1 adds several capabilities to the DHCP server:

Allocation priority configuration—The DHCP server now lets you disable round-robin allocation across multiple subnets by setting the allocation priority for each subnet. In addition, you can configure the server to allocate addresses contiguously from within a subnet and control the block of addresses allocated to the backup server when using DHCP server failover.

These dhcp command attributes were added for this feature:

equal-priority-most-available—If multiple scopes have the same nonzero allocation priority, the scope with the most available addresses is used to allocate an address for a new client (if it is not in a limitation list). (default: disable)

priority-address-allocation—Considers scopes in the order of the allocation priority if the scope's allocation-priority attribute is set. If the allocation-priority is unset, the scope's subnet address becomes the allocation priority. (default: disable)

These scope command attributes were added for this feature:

allocate-first-available—Forces all new IP addresses from the scope to be allocated from the first available address. If disabled, allocation is from the least recently used address. (default: disable)

allocation-priority—Assigns an ordering to scopes so that IP addresses are allocated from acceptable scopes with a higher priority until all addresses in these scopes are allocated. Lower values have a higher priority. (default: 0 is equal to no allocation priority).

failover-backup-allocation-boundary—If the scope participates in a failover relationship, this is the address boundary below which the failover backup server's addresses are allocated. Normal client addresses are allocated in ascending order, while the backup server's addresses are allocated in descending order from this boundary. (no default)

Improved IP lease history—The IP lease history feature significantly improves server performance when this feature is enabled. The IP lease history data is no longer stored in a separate database and is now maintained concurrently with the active lease data. To ensure that the database does not grow without limit, records older than the configured maximum time period are deleted.

The ip-history-max-age attribute was added in this release—If ip-history is enabled, the DHCP server accumulates database records over time as lease bindings change. This parameter establishes an age limit for the history records that are kept in the database. (default: 4 weeks)

The ip-history-dir attribute was deprecated in this release. (You may need to update existing scripts written for previous releases.)

This additional dns command attribute was added to address the DHCP server: map-radius-class—Controls using the RADIUS class attribute if it exists in a DHCP request's relay-agent option. The values are none (default), map-as-tag, map-as-class, and append-to-tags.

Import/Export Utility Enhancements

In Release 6.0, an import/export (cnr_exim) utility was added to manage importing and exporting configuration data. In Release 6.1, new objects were added to represent configuration data that also needs to be imported or exported by using the cnr_exim utility:

DHCP—AddrSpaceType, RouterType, and VPN

Cluster—ServerConfig and RouterLoginTemplate

An important aspect to this feature is that these new objects, such as AddrSpaceType, are exported as part of the DHCP or cluster classification only and not as single objects. If a file contains these objects in the configuration, the objects are now exported as part of the file.

The cnr_exim utility is available on both the local and regional clusters. It exists in the bin directory on Windows and the usrbin directory on Solaris or Linux. For additional information about using the utility, see the Cisco CNS Network Registrar User's Guide.

Process, File, and Utility Name Changes

Several Network Registrar processes, files, and utilities changed with the introduction of regional and local cluster configurations and with general product evolution. The most notable changes are the product extensions to include new CCM regional and local servers that replace the previous MCD configuration server. Because of this, there are now two distinct server agent processes and different Web UI references for the regional and local servers, respectively. The name changes are summarized in Table 3.


Caution: These changes can affect user scripts written for previous releases.

Table 3 Name Changes in Network Registrar 6.1

| Previous Name or Path | New Name(s) or Paths |
|---|---|
| AIC Server Agent 2.0 (Windows server agent service) | Network Registrar Local Server Agent (nwreglocal); Network Registrar Regional Server Agent (nwregregion) |
| /etc/init.d/aicservagt (Solaris/Linux server agent service) | /etc/init.d/nwreglocal; /etc/init.d/nwregregion |
| aicservagt.exe | cnrservagt.exe (Windows server agent process) |
| aicservagt | cnrservagt (Solaris/Linux server agent process) |
| mcdsvr.exe | ccmsrv.exe (Windows CCM server file) |
| mcdsvr | ccmsrv (Solaris/Linux CCM server process) |
| config_mcd_1_log file | config_ccm_1_log file (CCM configuration log file) |
| aicstatus | cnr_status (server status utility, UNIX platforms only) |

Caveats

This section describes the major resolved bugs in Network Registrar 6.1.1.3.

You can find the complete bug list in the CNR6113_Bug_List.html file included with this documentation set, or at the Network Registrar software download site:

http://www.cisco.com/cgi-bin/Software/Tablebuild/tablebuild.pl/nr-eval

You must have a valid Cisco Connection Online (CCO) account to access the software download site.

Software Caveats

The major bugs reported against the software are included in Table 4.

Table 4 Major Bugs Fixed in Release 6.1.1.3

| DDTS Number | Software Release 6.1.1.3 Correction Made |
|---|---|
| CSCeb68725 | More useful debugging data is now included if Java is incorrectly configured and causes a failed server startup. |
| CSCee24336 | The prerequisite to assure that a DNS name exists before updating was dropped for reverse zone DNS updates. |
| CSCef37588 | Creating an inconsistent reservation list and scope configuration by adding a second reservation with the same MAC address is no longer possible. |
| CSCef40219 | Changes to resource record TTL values are now properly updated. |
| CSCef55119 | DHCP failover synchronization no longer results in connection leaks under certain error conditions. |
| CSCef62238 | A Push Subnet operation for a failover pair when the local cluster is not running failover no longer causes inconsistent scope configurations. |
| CSCef68449 | The option-datatype command in the CLI no longer returns errors. |
| CSCef69580 | Failover synchronization in the Web UI no longer fails when one partner is Network Registrar 6.0.x and the other is 6.1.x. |
| CSCef69755 | Deleting a DHCP scope that has DNS updates pending no longer blocks subsequent updates. |
| CSCef72570 | On rare occasions when a DNS update contains an add and a delete of the same record, the server no longer fails outbound incremental zone transfers. |
| CSCef72602 | Changing a DNS zone from dynamic to static while leaving scavenging enabled no longer causes the server to fail. |
| CSCef80356 | A Push Admin operation no longer defaults to Exact mode if the last Push All Admins operation used that mode. |
| CSCef80436 | Deleting a reservation when subnet utilization data is collected no longer causes the DHCP server to fail. |
| CSCef90573 | The DHCP discover-interfaces attribute is now excluded from synchronizations between failover servers. |
| CSCef91922 | A zone administrator can now successfully view and modify active server resource records in the Web UI. |
| CSCef94640 | You can now successfully edit and delete top-of-zone resource records in the Web UI. |
| CSCeg01857 | Trying to add a second reservation with the same MAC address where its IP address is outside the scope's range no longer results in an available lease. |
| CSCeg02064 | Reservations added to the failover backup server when the main server is down are now marked available for lease. |
| CSCeg06194 | Adding or removing reservations when failover partner communication is interrupted no longer results in occasionally inconsistent lease states between the servers. |


Documentation Caveats


Note: The Cisco CNS Network Registrar Installation Guide and Cisco CNR Network Registrar CLI Reference were updated for 6.1.1.3 to address the following bugs and make other enhancements.


The bugs reported against the documentation and fixed in 6.1.1.3 are listed in Table 5.

Table 5 Documentation Bugs Fixed in Release 6.1.1.3

| DDTS Number | Software Release 6.1.1.3 Correction Made |
|---|---|
| CSCea49224 | The synthetic-name-stem attribute name was fixed in the description of the DHCP synthesize-name attribute in the CLI Reference. |
| CSCef52521 | The list of output elements of the report command was fixed in the CLI Reference. |
| CSCef59694 | The description of the zone addHost function in the CLI Reference now states that adding a host to a forward zone using this function also creates a reverse PTR record for existing reverse zones. |
| CSCef62526 | The Installation Guide was fixed to state that the -a option with the Solaris pkgadd command specifies an upgrade from any previous release, not just pre-6.0 releases. |


Open Source License Acknowledgements

The following acknowledgements pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License:

© 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License:

© 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)".

The word `cryptographic' can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.