Release Notes for the Cisco 10000 Series Router for Cisco IOS Release 12.3(7)XI1
First Published: August 2, 2004
Revised: September 7, 2006
These release notes provide information about Cisco IOS Release 12.3(7)XI1, which provides broadband aggregation and leased-line features for the Cisco 10000 series router.
These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode and related documents.
Cisco IOS Release 12.3(7)XI1 is based on the following releases:
•Cisco IOS Release 12.2(16)BX
•Cisco IOS Release 12.3T
To review the release notes for Cisco IOS Release 12.2(16)BX, go to the following URL:
To review the release notes for Cisco IOS Release 12.3, go to the following URL:
This document contains the following sections:
Cisco IOS Release 12.3(7)XI1 requires the PRE2 performance routing engine (part number ESR-PRE2) to be installed in the Cisco 10000 series router chassis. To verify which PRE is installed in the router, use the show version command.
Route Processor Redundancy Mode
The Cisco 10000 series router supports route processor redundancy (RPR) mode or RPR+ mode to provide fault tolerance and high availability. In RPR mode, one PRE is active and operational while the second PRE is in standby mode, waiting to take over and maintain operation of the router if the active PRE fails. In RPR+ mode, the standby PRE is fully initialized and configured, which shortens the time needed to switch over to it.
When upgrading or downgrading the Cisco IOS software, the RPR mode used on the Cisco 10000 series router depends upon the Cisco IOS software currently running on the Cisco 10000 series router and the Cisco IOS software to which you want to upgrade or downgrade.
Table 1 lists the RPR modes used when upgrading or downgrading Cisco IOS software. For example, when upgrading to Cisco IOS Release 12.3(7)XI1 from Release 12.2(16)BX, the router uses RPR mode instead of RPR+ mode. When downgrading to Cisco IOS Release 12.2(16)BX from Release 12.3(7)XI1, the router uses RPR mode.
Table 1 RPR Modes for Cisco IOS Software Releases
Releases 12.2(16)BX 12.3(7)XI1
Before You Upgrade the Cisco IOS Software
Before you upgrade (or downgrade) the Cisco IOS software running on the Cisco 10000 series router, save the running configuration file. In RPR mode, the router synchronizes only the startup configuration.
Upgrading to a New Software Release
For specific information about upgrading your Cisco 10000 series router to a new software release, refer to the Cisco 10000 Series Router Software Configuration Guide.
For additional information about ordering Cisco IOS software, refer to the Cisco IOS Software Releases.
New Features—Cisco IOS Release 12.3(7)XI1
The following new features and improvements are supported on the Cisco 10000 series router in Cisco IOS Release 12.3(7)XI1. While some of the following features are supported on other releases on the Cisco 10000 series router, these features are newly supported in Cisco IOS Release 12.3(7)XI1:
For more information about the new features in Cisco IOS Release 12.3(7)XI1, refer to the following documentation:
For information about new features supported on the Cisco 10000 series router in other releases, see the appropriate Release Notes at the following URL:
The 3-color policer feature provides a single-rate, 3-color marker. The 2-color marker supported in earlier releases meters a traffic stream and classifies it into two groups (or colors): traffic that conforms to the committed information rate (CIR) and burst parameters, and traffic that exceeds either the CIR or the burst parameters. A 3-color marker splits the nonconforming traffic into two further groups, so the metered traffic falls into three colors.
The 3-color marker distinguishes between nonconforming traffic that occasionally bursts a certain number of bytes beyond the CIR allowance (the exceed color) and traffic that continually violates the CIR allowance (the violate color). It meets the needs of applications that require three service levels: guaranteed, best effort, and deny. The single-rate three-color marker is specified in RFC 2697; marking its three results with the assured forwarding drop precedences enables the Cisco 10000 series router to comply with RFC 2597.
3-Level Hierarchical QoS Policies
The 3-Level Hierarchical QoS Policies feature enables you to apply a service policy inside a policy map to define hierarchical policies. This feature increases the hierarchical levels of a nested QoS policy from two to three levels.
A hierarchical policy extends QoS by letting you combine one or more classes and apply specific actions to the aggregate traffic while still executing class-specific actions. For example, a hierarchical policy can define a minimum bandwidth for two classes and specify a combined maximum bandwidth for the two classes. Similarly, a 3-level policy can define a minimum bandwidth for each type of traffic on a virtual circuit and a maximum bandwidth for the virtual circuit's total traffic. A 3-level hierarchical policy can also selectively police a subclass of each guaranteed class and place a maximum transmission limit on the aggregate traffic.
A 3-level policy is typically used to define the transmission capacity of a virtual circuit in the top level, class-based queuing at the middle level, and marking or metering in the bottom level.
BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN
The BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN feature allows you to configure multipath load balancing with both external Border Gateway Protocol (eBGP) and internal BGP (iBGP) paths in BGP networks that are configured to use Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). BGP Multipath Load Sharing provides improved load-balancing deployment and service offering capabilities and is useful for multihomed autonomous systems and provider edge (PE) routers that import both eBGP and iBGP paths from multihomed and stub networks.
Extended NAS-Port-Type and NAS-Port Support
Cisco support for NAS-Port-Type (RADIUS attribute 61), NAS-Port (RADIUS attribute 5), and NAS-Port-ID (RADIUS attribute 87) has been changed as discussed in the following sections.
NAS-Port-Type (RADIUS Attribute 61)
Remote Authentication Dial-In User Service (RADIUS) attributes define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS server. Among the Internet Engineering Task Force (IETF) RADIUS attributes supported is attribute 61, NAS-Port-Type, which indicates the type of physical port the network access server (NAS) is using to authenticate the user.
Previously there was no way to report a NAS-Port-Type that identifies a specific broadband service type, because the RADIUS RFC defines no values for these kinds of ports. As a result, all PPPoA, PPPoEoE, and PPPoEoA sessions were reported as VIRTUAL, and all PPPoEoVLAN and PPPoEoQinQ sessions as ETHERNET.
The Extended NAS-Port-Type Attribute Support feature expands the set of NAS-Port-Type (attribute 61) values so that the attribute identifies what type of service is taking place on the different types of ports.
NAS-Port (RADIUS Attribute 5)
The NAS-Port attribute (RADIUS attribute 5) is a 32-bit value that uniquely represents the physical or logical port on which the user is attempting to authenticate. A logical port can be represented by the virtual path identifier (VPI) and virtual channel identifier (VCI) for an ATM interface, or by the VLAN ID or Q-in-Q ID for an Ethernet interface.
Because each platform and service has different port information that is relevant to its environment, there is no single way to populate this attribute. Cisco currently provides four hard-wired formats (a through d), which are service specific, and one configurable format (e), which can be tailored to customer and platform-specific needs.
Previously, format e allowed only one global format for all call types on a device, which limited its usefulness on devices that carry multiple services. With extended NAS-Port support, you can configure a custom format e string for any service type, keyed on the value of NAS-Port-Type (RADIUS attribute 61). When the router builds a RADIUS Access-Request or Accounting-Request, the encoding routine first looks for the format e string defined for the session's NAS-Port-Type value and uses it; only if none is defined does it fall back to the global format e string.
NAS-Port-ID (RADIUS Attribute 87)
The NAS-Port-ID attribute (RADIUS attribute 87) contains a text string that identifies the NAS port authenticating the user. This string typically matches the interface description in the CLI configuration. The value was previously available in the Cisco vendor-specific attribute (VSA) "cisco-nas-port"; at customer request it is now sent by default in IETF attribute 87.
The Half-Duplex VRF (HDVRF) feature provides scalable hub-and-spoke connectivity for subscribers of a Multiprotocol Label Switching based virtual private network (MPLS VPN) service. These subscribers connect to the provider edge (PE) router of the wholesale service provider and use the same or different services (for example, the same or different VRFs). The HDVRF feature prevents local connectivity between subscribers at the spoke PE router and ensures that a hub site provides subscriber connectivity. Sites that connect to the same PE router must forward intersite traffic through the hub site. Routing at the spoke site is therefore always from an access-side interface to a network-side interface or from a network-side interface to an access-side interface, never from access side to access side.
The Hierarchical Shaping feature provides two levels of shaping, per-VC ATM-level shaping and per-VC packet-level shaping, and provides per-VC and per-VP traffic shaping to control or modify the flow of traffic on an interface. Traffic shaping limits throughput by buffering excess traffic instead of dropping packets. The shaping function also ensures that traffic from one VC does not adversely affect another VC and cause it to lose data.
The Cisco 10000 series router supports the Hierarchical Shaping feature for the following ATM line cards:
IEEE 802.1Q-in-Q VLAN Tag Termination
For the emerging broadband Ethernet-based DSLAM market, the Cisco 10000 series router supports Q-in-Q encapsulation. With an Ethernet-based DSLAM model, each customer typically gets a VLAN, and all of these VLANs are aggregated on the DSLAM.
VLAN aggregation on a DSLAM produces a large number of VLANs that at some point must be terminated on the broadband remote access server (BRAS). Although the DSLAMs could connect directly to the BRAS, a more common model uses the existing Ethernet-switched network, where each DSLAM VLAN is tagged with a second tag (Q-in-Q) as it enters the Ethernet-switched network.
The only model supported is PPPoE over Q-in-Q (PPPoEoQinQ). The PPP session can be terminated locally or forwarded as an L2TP LAC session. IP over Q-in-Q is not supported.
The Cisco 10000 series router already supports plain PPPoE and PPP over 802.1Q encapsulation; support for PPP over Q-in-Q encapsulation is new. PPP over Q-in-Q encapsulation processing is an extension of 802.1Q encapsulation processing.
The interface oversubscription feature gives providers the option of improving network utilization of otherwise underutilized shared networks by leveraging statistical multiplexing on Frame Relay and IEEE 802.1Q networks.
IP Receive ACLs
The IP Receive ACLs feature provides basic filtering for traffic that is destined to the router itself and protects the router from remote intrusion. It does not filter transit traffic.
To restrict access to the router, you configure a numbered ACL and apply it globally as the receive ACL (ip receive access-list command); the router then evaluates it against packets that arrive on its interfaces and are addressed to the router. You can limit access to known and trusted sources and to the expected traffic profile. The IP Receive ACLs feature supports both standard and extended ACLs, and the rules for numbered ACLs also apply to the access control entries (ACEs) of the IP receive ACL. Because the receive ACL governs everything the route processor accepts, it must explicitly permit every protocol the router itself relies on (management sessions, routing protocol peers, RADIUS replies, NTP, and so on); an ACL that omits one of these silently breaks that function.
The IP receive ACL is evaluated in the parallel express forwarding (PXF) engine, before packets reach the route processor (RP). This protects the router from denial of service (DoS) floods and prevents such floods from degrading RP performance.
IP Unnumbered on VLAN
The IP Unnumbered on VLAN feature helps to conserve IP address space in service provider configurations that include Ethernet VLAN subinterfaces.
Prior to Cisco IOS Release 12.3(7)XI1, IP support for VLAN subinterfaces required a separate IP subnet for each subinterface that terminates a VLAN. This used the IP address space inefficiently, because an entire subnet is often not needed for the hosts assigned to a VLAN.
VLAN subinterfaces with IP unnumbered configured support DHCP for IP address allocation. The DHCP server uses the information in DHCP Option 82 to assign IP addresses to the hosts on a VLAN. The routing table is dynamically updated to insert an IP route for the IP address assigned on each of the subinterfaces. These IP host routes exist until the DHCP lease time expires or the host releases the leased address.
Lawful intercept is a process that enables a law enforcement agency (LEA) to perform electronic surveillance on an individual as authorized by a court order. To assist in the surveillance, the service provider intercepts the target's traffic as it passes through one of its routers and sends a copy of the intercepted traffic to a third-party mediation device (also in the service provider network). The mediation device formats and delivers the data to the LEA without the target's knowledge. The Lawful Intercept feature is available in the c10k2-k9p11u2-mz image. Because the intercept must remain invisible to the target, limit SNMP access to the lawful intercept MIBs to the mediation device, and use SNMPv3 with authentication and encryption for that access.
Local AAA Server, User Database—Domain to VRF
The Local AAA Server, User Database—Domain to VRF feature extends Cisco IOS AAA authorization to local AAA profiles on the router without using an AAA server. The local user database acts as a local AAA server and is fully compatible with any external AAA server. If you want to maintain your user database locally, or provide a local failover mechanism, you no longer have to sacrifice policy options when defining local users.
This flexibility lets you perform complete user authentication and authorization locally within Cisco IOS without an AAA server, provided the local username list is relatively small. While authentication can be done on the router for a limited number of usernames, an AAA server is usually more sensible and far more scalable. Accounting is still done on an AAA server and is not supported on the router.
The key function of this feature is a mapping of user domain names to local AAA profiles, which allows AAA attributes to be applied to a PPP session as part of session establishment. These local AAA attributes are RADIUS attributes that would normally be defined on a RADIUS server but are instead defined locally on the router.
Subscriber profiles match user domain names; on a match, the router applies a defined AAA attribute list, which contains valid Cisco IOS format AAA attributes.
The MIB Enhancements feature includes the following additional MIBs and MIB support:
•Addition of the per precedence/DSCP/discard class statistics in the QoS MIB
•MPLS-LDP-MIB (Version 8)
•MPLS enhancements to the IF-MIB
For more information about MIBs supported on the Cisco 10000 series router, refer to:
•Cisco 10000 Series Broadband MIB Specifications Guide
•Cisco 10000 Series Leased-Line MIB Specifications Guide
When a customer transmits IP packets from one site to another, the IP precedence field (the first three bits of the type of service byte, which overlap the DSCP field) specifies the class of service. Based on the IP precedence marking, the packet can be given different treatment, such as a different latency or percentage of bandwidth. If the service provider network is an MPLS network, the IP precedence bits are copied into the MPLS EXP field at the edge of the network. However, the service provider might want to set an MPLS packet's QoS to a different value determined by the service offering.
MPLS can be used to "tunnel" the QoS of a packet. The MPLS EXP field can be marked independently of the IP PHB. The service provider can choose from a variety of criteria (including the IP PHB) to classify a packet and set the MPLS EXP field. This allows the service provider to set the MPLS EXP field instead of overwriting the customer's IP precedence value. The IP header remains available for the customer's use; the marking of an IP packet is not changed as the packet travels through the MPLS network. In some instances, it is desirable to extend the MPLS PHB to the egress interface between the provider edge (PE) router and the customer edge (CE) router. This extends the MPLS QoS tunnel and lets the MPLS network owner control scheduling and discard behavior on that final interface.
MPLS Traffic Engineering—DiffServ Aware
The MPLS Traffic Engineering—DiffServ Aware (DS-TE) feature extends MPLS traffic engineering capabilities to provide stricter quality of service (QoS) guarantees. TE tunnels provide differentiated services (DiffServ) to satisfy bandwidth requirements of regular traffic. However, the bandwidth currently advertised for TE tunnels and the tunnel traffic do not correspond to any queue. Instead, the MPLS class of service (CoS) provides DiffServ service, which is adequate for most customer services. Special services such as voice, however, require stricter QoS guarantees. The DS-TE feature addresses this need, providing strict bandwidth guarantees for TE tunnels.
The DS-TE feature introduces awareness of a particular class of traffic referred to as the guaranteed bandwidth traffic. DS-TE enables service providers to perform separate admission control and separate route computation of the guaranteed bandwidth traffic. The service provider can, therefore, develop QoS services for end customers that rely on signaled QoS rather than provisioned QoS, which enables the service provider to build QoS services with hard commitments and without overprovisioning.
The Multirouter APS (MR-APS) feature enables ATM connections to switch from one ATM circuit to another ATM circuit if a circuit failure occurs. ATM interfaces can be switched in response to a router failure, degradation or loss of channel signal, or manual intervention.
The protection mechanism used for this feature has a linear 1+1 architecture as described in the Bellcore publication TR-TSY-000253, SONET Transport Systems; Common Generic Criteria, Section 5.3. The connection may be bidirectional or unidirectional and revertive or nonrevertive. The default is bidirectional. The switching mode must be the same on the far end of the connection.
In Cisco IOS Release 12.3(7)XI1, MR-APS is supported for the following line cards:
•4-port Channelized STM-1
The Percent-Based Policing feature enables you to configure traffic policing in bits-per-second or as a percentage of bandwidth of the network interface on which policing is applied. Configuring traffic policing based on bandwidth percentage enables you to use the same policy map for multiple interfaces with differing amounts of bandwidth.
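The two forms of the police command described above, the single-rate three-color policer and percent-based policing, as a configuration example added here (it is not taken from these release notes). The class name, rates, burst sizes, interface names and DSCP values are assumptions chosen for illustration:

```cisco
! Single-rate, three-color policer. Traffic within the committed rate (cir,
! bits per second) and committed burst (bc, bytes) conforms; traffic that
! fits in the excess burst (be, bytes) exceeds; anything beyond that violates.
! The three results are marked with the RFC 2597 AF1x drop precedences:
!   conform -> AF11 (DSCP 10), exceed -> AF12 (DSCP 12), violate -> AF13 (DSCP 14)
! so that WRED further downstream drops the violating traffic first.
class-map match-any CUST-DATA
 match any
!
policy-map POLICE-3COLOR
 class CUST-DATA
  police cir 2000000 bc 62500 be 62500 conform-action set-dscp-transmit 10 exceed-action set-dscp-transmit 12 violate-action set-dscp-transmit 14
!
! Percent-based policing: the same policy map attaches to interfaces of any
! speed; the router derives the bits-per-second rate from each interface's
! bandwidth. Each distinct interface speed produces one internal service
! policy that counts against the system-wide policy-map limit.
policy-map POLICE-PERCENT
 class CUST-DATA
  police cir percent 20 conform-action transmit exceed-action drop
!
! Assumed subscriber-facing subinterfaces (slot/subslot/port numbering and
! addresses are illustrative).
interface GigabitEthernet1/0/0.100
 encapsulation dot1Q 100
 ip address 198.51.100.1 255.255.255.252
 service-policy input POLICE-3COLOR
!
interface GigabitEthernet1/0/0.101
 encapsulation dot1Q 101
 ip address 198.51.100.5 255.255.255.252
 service-policy input POLICE-PERCENT
```

Check the result with show policy-map interface GigabitEthernet1/0/0.100, which reports conformed, exceeded and violated packet counts per class. A violated counter that grows steadily under ordinary load usually means bc and be are too small for the traffic's natural burstiness, not that the customer is abusing the rate.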
Per DSCP WRED
The per differentiated services code point weighted random early detection (per DSCP WRED) feature enables the Cisco 10000 series router to randomly drop packets that carry a specific DSCP value, according to the DSCP thresholds you configure.
Differentiated Services (DiffServ) is a QoS model that increases the number of definable priority levels by reallocating bits of the IP header for priority marking. The six most significant bits of the type of service (ToS) byte form the DiffServ (DS) field, which carries the DSCP; the remaining two bits of the byte are the Explicit Congestion Notification (ECN) bits.
The per DSCP WRED feature enables you to configure eight unique drop precedence levels (WRED profiles) for one queue; each of the 64 DSCP values maps to one of the eight profiles. Previously, when you configured the eight drop precedence levels, all of the queues on an interface shared them. The per DSCP WRED feature provides eight unique levels per queue.
Per Precedence WRED Statistics
The Enhanced Weighted Random Early Detection (WRED) Statistics feature maintains separate WRED drop statistics for each IP precedence, discard-class, and differentiated services code point (DSCP) value. The show policy-map interface command has been enhanced to show WRED drop counts for each profile. In earlier releases, RED drop counts were maintained only for each class.
RADIUS Packet of Disconnect
In Cisco IOS Release 12.3(7)XI1, the RADIUS Packet of Disconnect feature provides a method for terminating a session that is already connected. The packet of disconnect (POD) is a RADIUS request that the server sends to the router, the reverse of the usual NAS-to-server direction, and is used when the authenticating server wants to disconnect a user after the session was accepted by a RADIUS Access-Accept. Because a POD lets a remote host tear down subscriber sessions, the router acts only on PODs that validate against the shared key configured with the aaa pod server command; the UDP port on which the router listens for PODs (1700 by default) should also be reachable only from the RADIUS servers, for example by means of a receive ACL.
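Both the IP Receive ACLs feature and the RADIUS Packet of Disconnect feature touch the router's own control and management plane: the receive ACL decides what the route processor will accept, and the POD server lets an external host tear down sessions. The following configuration is an example added here, not a sample from the release notes; the addresses, the ACL number, the shared key and the choice of permitted protocols are assumptions (the POD port 1700 is the documented default):

```cisco
! Receive ACL: evaluated in the PXF against packets addressed to the router
! itself; transit traffic is unaffected. Assumed peers:
!   192.0.2.0/24     management network (SSH only; no Telnet)
!   203.0.113.1      BGP peer
!   198.51.100.10    RADIUS server (authentication/accounting replies, POD)
!   198.51.100.123   NTP server
access-list 110 remark --- management ---
access-list 110 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 110 remark --- routing ---
access-list 110 permit tcp host 203.0.113.1 any eq bgp
access-list 110 permit tcp host 203.0.113.1 eq bgp any
access-list 110 remark --- AAA: replies to the router's own requests, and POD ---
access-list 110 permit udp host 198.51.100.10 eq 1812 any
access-list 110 permit udp host 198.51.100.10 eq 1813 any
access-list 110 permit udp host 198.51.100.10 any eq 1700
access-list 110 remark --- time ---
access-list 110 permit udp host 198.51.100.123 eq ntp any
access-list 110 remark --- ICMP needed for path MTU discovery and troubleshooting ---
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny   ip any any
!
ip receive access-list 110
!
! RADIUS Packet of Disconnect: listen on the default UDP port 1700 and act
! only on requests that validate against the shared key. auth-type any
! disconnects a session if any of the identifying attributes carried in the
! POD (for example User-Name or Framed-IP-Address) match it.
aaa new-model
aaa pod server auth-type any server-key 0 PodSharedSecret
```

Before committing a receive ACL on a production router, add a temporary permit ip any any as the last entry and watch show access-lists 110: hits on that entry reveal a protocol you forgot (DHCP relay, L2TP from a LAC or LNS, SNMP polling from the management station), and only then replace it with the deny. The receive ACL filters IP packets only, so non-IP session traffic such as PPPoE discovery and PPP LCP is not affected by it.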
The Scaling Enhancements feature provides increased limits with FIB scaling, policy map scaling, and queue scaling.
The forwarding information base (FIB) is the forwarding table derived from the routing table; it is used to look up the next hop for a destination IP address and, for reverse path forwarding (RPF) checks, the route back to a source IP address. The FIB Scaling feature implements the following changes:
•Up to 1 million routes in the global FIB table are supported without MPLS VPN configuration.
•Total number of virtual routing and forwarding instances (VRFs) supported is 4095.
–Up to 100 routes per VRF with 4095 VRFs configured.
–Up to 70 routes per VRF with 4095 VRFs configured, plus 200,000 global BGP routes.
–Up to 600 routes per VRF with 1000 or fewer VRFs configured.
The Policy-Map Scaling feature increases the system-wide number of quality of service (QoS) policy maps that you can configure. Depending on the complexity of your configuration, the Cisco 10000 series router supports up to 4,096 policy maps; in complex configurations the maximum can be as small as a few hundred. Additionally, when you use percent-based policing in a service policy, the system may convert a single customer-configured service policy into multiple internal service policies, each of which counts against the 4,096 limit: one for each different interface speed on which a service policy with percent-based policing is applied.
The Queue Scaling feature increases the total number of queues that VTMS supports to 131,072. Of these, 254 queues are available for high-speed interfaces and 130,816 for low-speed interfaces. This allows 31,500 priority queues (of the 131,072 total) on 31,500 sessions or interfaces.
Strict Priority Queuing
The Priority Queuing feature guarantees latency for any packet that enters the priority queue regardless of the current congestion level on the link. Strict priority queue mode is supported as the only mode of operation for a priority queue in Cisco IOS Release 12.3(7)XI1.
Time-based ACLs allow the network administrator to define a time range during which certain resources may be accessed, which provides greater control over resource usage. Time-based ACLs are functionally similar to extended ACLs and control access for a specific time period.
A time range defines the specific times of day and days of the week during which the ACL is active. The time range is identified by name; access control entries (ACEs) reference that name, which causes the router to impose the time restriction on those ACEs. The time range relies on the router system clock to activate or deactivate an ACE, so the clock should be kept accurate, for example with NTP.
Previously, access list statements were always in effect once applied to an interface. Using the time-range command, network administrators can now define when the permit and deny statements in the ACL are in effect. Both named and numbered access lists can reference a time range.
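A time-based ACL that confines SSH access to a maintenance window, as a configuration example added here (not a sample from the release notes). The NTP server, management network, loopback address, interface and schedule are assumptions:

```cisco
! Keep the clock that drives time-range evaluation accurate.
ntp server 198.51.100.123
!
! Maintenance window: weekday evenings and all weekend.
time-range MAINT-WINDOW
 periodic weekdays 20:00 to 23:59
 periodic weekend 0:00 to 23:59
!
! SSH to the router's loopback (198.51.100.1) from the management network is
! permitted only while MAINT-WINDOW is active; outside the window the first
! ACE is inactive and the explicit deny applies. Everything else is forwarded
! normally.
access-list 130 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22 time-range MAINT-WINDOW
access-list 130 deny   tcp any host 198.51.100.1 eq 22
access-list 130 permit ip any any
!
interface GigabitEthernet1/0/0
 ip access-group 130 in
```

show time-range MAINT-WINDOW reports whether the range is currently active, and show access-lists 130 marks each time-bound ACE (active) or (inactive). If that state does not match wall-clock expectations, check show clock detail to confirm the router's clock is NTP-synchronized: an unsynchronized clock silently opens or closes the window at the wrong time.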
The Variable Bit Rate Non-Real Time (VBR-nrt) Oversubscription feature enables service providers to improve network utilization of otherwise underutilized shared networks by leveraging statistical multiplexing on ATM networks. Instead of supporting only unconditional reservation of network bandwidth to VCs, the router offers VC oversubscription to statistically guarantee bandwidth to VCs.
In releases prior to Cisco IOS Release 12.3(7)XI1, a connection admission control (CAC) check prevented you from assigning more bandwidth to virtual circuits (VCs) than a port's total bandwidth. The VBR-nrt Oversubscription feature enables you to specify how much oversubscription (the oversubscription factor) you want to allow. The CAC check is based on the oversubscription factor you specify and is evaluated separately for VCs and VP tunnels into the port and for VCs into VP tunnels. When the total assigned bandwidth exceeds the physical capacity, the router still honors each VC's bandwidth reservation as long as only a limited number of VCs are active at one time. In this way the router takes advantage of statistical multiplexing to provide better network utilization at the expense of degraded service under congestion.
The oversubscription factor is also used to evaluate the amount of bandwidth allocated to unspecified bit rate (UBR) VCs. Prior to Cisco IOS Release 12.3(7)XI1, UBR VCs received the bandwidth remaining after other VCs had been allocated bandwidth. The CAC check now adjusts the bandwidth for UBR VCs based on the oversubscription factor.
In earlier releases, the weight of a particular VC was proportional to the VC speed and was not directly controllable by the user (other than by changing the VC rate). In Cisco IOS Release 12.3(7)XI1, the VC Weighting feature adds the ability to configure the VC weight directly.
WRED with Queue Limit
The Weighted Random Early Detection (WRED) with Queue Limit feature is a congestion avoidance mechanism that expands your ability to customize the size of a WRED queue. Using this feature, you can configure a packet drop policy for a traffic class that includes a bandwidth guarantee and simultaneously limit the maximum number of packets allowed to accumulate in a traffic class queue.
In Cisco IOS Release 12.3(7)XI1 or later, you can specify the random-detect and queue-limit commands in the same class of a policy. Earlier releases allowed you to specify either the random-detect command or the queue-limit command, but not both commands at the same time.
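Per DSCP WRED, the per-profile WRED statistics, and WRED with queue-limit described above, combined in one configuration example added here (not a sample from the release notes). The class names, bandwidths, thresholds, subinterface and address are assumptions:

```cisco
class-map match-all PREMIUM-DATA
 match ip dscp af21 af22 af23
!
policy-map DATA-WRED
 class PREMIUM-DATA
  bandwidth 4000
  ! Cap the queue at 128 packets; queue-limit and random-detect may now be
  ! configured in the same class.
  queue-limit 128
  ! Select the WRED profile per DSCP instead of per IP precedence.
  random-detect dscp-based
  ! random-detect dscp <dscp> <min-threshold> <max-threshold> <mark-prob-denominator>
  ! AF21 (18) has the lowest drop precedence and starts dropping last;
  ! AF23 (22) drops first. Every max-threshold is kept at or below the
  ! queue-limit so that WRED, not tail drop at the queue limit, decides
  ! which packets are discarded.
  random-detect dscp 18 96 128 10
  random-detect dscp 20 64 128 10
  random-detect dscp 22 32 128 10
 class class-default
  bandwidth 1000
!
interface GigabitEthernet1/0/0.200
 encapsulation dot1Q 200
 ip address 198.51.100.9 255.255.255.252
 service-policy output DATA-WRED
```

show policy-map interface GigabitEthernet1/0/0.200 shows the random and tail drop counters for each DSCP profile separately, so a rising AF23 random-drop count while AF21 stays untouched confirms the precedence ordering is doing its job.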
Limitations and Restrictions
This section describes limitations and restrictions for the following areas. Be sure to review them before using the features in Cisco IOS Release 12.3(7)XI1:
For more information about the restrictions for a specific feature, refer to the Cisco 10000 Series Broadband Aggregation and Leased-Line Configuration Guide.
3-Level Hierarchical QoS Policies
The 3-Level Hierarchical QoS Policies feature has the following restrictions:
•You can configure only the class-default class in the top-level policy. Configure the shape command for the class-default class and then configure the service-policy command to attach an inner policy. You must configure the shape command before the service-policy command.
•In an inner policy, you cannot configure the police and set commands for a class if you attach a service-policy command to the class. This restriction does not apply to classes that do not have a service-policy command configured.
•In a bottommost policy, you can configure only the police and set commands for a class.
•The bottommost policy cannot contain the class-default class.
•You cannot attach a service-policy command to a class in a bottommost policy.
Note The actual shape rate applied to nested-policy traffic might differ from that specified in the policy. For example, a specified shape rate of 10.5 Mbps might be mapped to 11 Mbps. Use the show policy-map interface command to determine the actual shape rate.
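A 3-level hierarchical policy that satisfies every restriction in the list above, as a configuration example added here (not Cisco's own sample): class-default only at the top, with shape configured before service-policy; class-based queuing at the middle level; and only police and set actions, with no class-default and no further service-policy, at the bottom. The rates, class names, ACL numbers, address and ATM PVC are assumptions:

```cisco
! Classification
access-list 120 permit tcp any any eq smtp
access-list 121 permit tcp any any eq www
class-map match-all VOICE
 match ip dscp ef
class-map match-all DATA
 match ip dscp af21 af22 af23
class-map match-all SMTP
 match access-group 120
class-map match-all WEB
 match access-group 121
!
! Bottom level: police one subclass of the guaranteed DATA class and re-mark
! another. Only police and set are permitted here; no class-default and no
! nested service-policy.
policy-map DATA-SUBCLASSES
 class SMTP
  police cir 256000 conform-action transmit exceed-action drop
 class WEB
  set ip dscp 18
!
! Middle level: class-based queuing for the VC. The class that carries a
! nested service-policy (DATA) must not also carry police or set; VOICE has
! no nested policy, so it may be policed.
policy-map VC-QUEUING
 class VOICE
  priority
  police cir 512000 conform-action transmit exceed-action drop
 class DATA
  bandwidth 2000
  service-policy DATA-SUBCLASSES
 class class-default
  bandwidth 1000
!
! Top level: class-default only, and shape before service-policy.
policy-map VC-SHAPE
 class class-default
  shape average 4000000
  service-policy VC-QUEUING
!
interface ATM1/0/0.100 point-to-point
 ip address 198.51.100.13 255.255.255.252
 pvc 1/100
  vbr-nrt 4000 4000
  service-policy output VC-SHAPE
```

show policy-map interface ATM1/0/0.100 shows the shape rate the router actually applied, which can differ from the configured 4 Mbps because of rate quantization, together with the offered and dropped packet counters for every class at each of the three levels.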
BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN
The BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN feature has the following restrictions:
•The Cisco 10000 series router supports recursive load sharing, but with the following restriction.
In recursive load sharing, forwarding a packet requires at least two lookups. The first lookup determines which provider edge (PE) router is used to reach the final destination. The second lookup determines how to reach that PE router.
When you configure MPLS VPN, CEF uses recursive load sharing: the first lookup provides the VPN label and the second provides the IGP label. When PXF forwards a packet, it performs only one lookup, which provides both the VPN label and the IGP label; the two CEF lookups are combined into one. The restriction on recursive load sharing when PXF forwards a packet is as follows.
When there are multiple IGP paths from a Cisco 10000 series PE router to a provider (P) router, only per-tag load balancing is supported. That is, PXF is programmed with only one of the paths, and that path is chosen in round-robin fashion. Because the path is chosen when the prefix is set up, it is not possible to predict which path will be selected for which prefix; the selection depends on the order in which the prefixes are installed in the routing table. The bandwidths of the IGP paths are not considered in the path selection.
•When the routing table contains multiple iBGP paths, a route reflector advertises only one of them (one next hop). If the PE routers are behind a route reflector, the paths through all of the PE routers connected to a multihomed site are not advertised unless the VRF on each of those PE routers is configured with a different route distinguisher (RD), so that the route reflector treats the paths as distinct VPNv4 prefixes.
•Each IP routing table entry for a BGP prefix that has multiple iBGP paths uses additional memory. We recommend not using this feature on a router with a small amount of available memory, especially when the router carries a full Internet routing table.
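BGP multipath for eBGP and iBGP inside a VRF, together with the unique-RD arrangement that the route-reflector restriction above calls for, as a configuration example added here (not from the release notes). The AS numbers, VRF name, RDs, route targets and neighbor addresses are assumptions:

```cisco
! On this PE the customer VRF uses RD 65000:101; the other PE that connects
! the same multihomed site uses a different RD (for example 65000:102) while
! both import and export the same route target. The route reflector then
! sees the two paths as distinct VPNv4 prefixes and reflects both, instead
! of selecting one best path and hiding the other.
ip vrf CUST-A
 rd 65000:101
 route-target export 65000:100
 route-target import 65000:100
!
router bgp 65000
 no bgp default ipv4-unicast
 neighbor 10.255.0.254 remote-as 65000
 neighbor 10.255.0.254 description route reflector
 neighbor 10.255.0.254 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.255.0.254 activate
  neighbor 10.255.0.254 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  ! Customer edge router at the locally attached site.
  neighbor 172.16.1.2 remote-as 65001
  neighbor 172.16.1.2 activate
  ! Install up to four paths, eBGP and iBGP mixed, in the VRF table.
  maximum-paths eibgp 4
 exit-address-family
```

show ip bgp vpnv4 vrf CUST-A followed by the prefix lists every path and flags those installed as multipath, and show ip route vrf CUST-A shows the multiple next hops. Watch show memory summary afterwards, because each multipath prefix consumes additional routing-table memory, and remember that the PXF still forwards each prefix over a single IGP path toward the P router regardless of the eibgp setting.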
Controlling the Rate of Logging Messages
It is important that you limit the rate at which the Cisco 10000 series router logs system messages. This helps to avoid a situation in which the router becomes unstable because the CPU is overloaded. To control the output of messages from the system, use the logging rate-limit command.
Cisco recommends that you configure the logging rate-limit command as follows. This limits the rate of all messages to the console to 10 per second, except messages of critical severity (level 2) or more severe, which are never rate limited:
Router(config)# logging rate-limit console all 10 except critical
For more information, refer to the logging rate-limit command in the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3.
The following limitations apply to the Cisco 10000 series router implementation of Frame Relay:
•The ip rtp reserve command is not supported.
•Only one priority queue per VC is allowed.
The Half-Duplex VRF feature has the following restrictions:
•Routing protocols are not supported on interfaces configured for half-duplex VRFs, in either the upstream or the downstream VRF.
•Half-duplex VRFs apply only to virtual access interfaces (VAIs) and virtual template interfaces. Only IP unnumbered interfaces are supported.
•Half-duplex VRFs are not supported with Routing with Bridged Encapsulation (RBE).
The Hierarchical Shaping feature has the following restrictions:
•The Cisco 10000 series router supports a maximum of 31,500 VCs when the Hierarchical Shaping feature is enabled.
•You can configure a maximum of 127 VP tunnels for each ATM line card. You can configure these 127 VP tunnels across the ports in any fashion.
•The OC-3 and OC-12 line cards support a maximum of 14,336 VCs when configured for hierarchical shaping. The DS3/E3 line card supports a maximum of 8,192 VCs when configured for shaping. You can configure the maximum number of VCs across the ports in any fashion, provided that you do not exceed the per-port maximum. The OC-3 line card is limited to 8,192 VCs per port and the DS3 is limited to 4,096 VCs per port.
•You must have the atm pxf queuing command configured on the port. If not, the SAR still does VP shaping and the VCs are sent to the tunnel based on a weighted round robin format; however, the PXF does not shape the VCs. The default queuing mode for a port is atm pxf queuing.
•Only variable bit rate (VBR) VCs are allowed in the VP tunnel. You cannot configure unspecified bit rate (UBR) VCs or constant bit rate (CBR) VCs in the tunnels.
•Congestion is not handled at the VP tunnel or at the port. During congestion, shaping is degraded.
•During congestion at the port level, shaping degrades to simple round robin for all VPs contending for the port's capacity; shaping is not weighted based on the rate of the VPs.
IEEE 802.1Q-in-Q VLAN Tag Termination
The IEEE 802.1Q-in-Q VLAN Tag Termination feature has the following restrictions:
•Supported on Ethernet, FastEthernet, or Gigabit Ethernet interfaces.
•Supports only Point-to-Point Protocol over Ethernet (PPPoE) packets that are double-tagged for Q-in-Q VLAN tag termination.
•IP and Multiprotocol Label Switching (MPLS) packets are not supported.
•Modular QoS services can be applied to unambiguous subinterfaces only.
•Limited ACL support.
IP Receive ACLs
The IP receive ACLs feature has the following restrictions:
•A receive ACL must be a numbered ACL. You cannot use a named ACL as the receive ACL.
•The rules for numbered ACLs also apply to the access control entries (ACEs) of receive ACLs.
•Time-based and reflexive ACLs are not supported as receive ACLs.
•Only traffic processed by the RP is filtered. Traffic that is processed exclusively by the Forwarding Processor (FP) is not filtered. For example, GRE tunneled packets, L2TP tunneled packets, and some ICMP packets are not filtered.
IP Unnumbered on VLAN
The IP Unnumbered on VLANs feature has the following restrictions:
•You can configure IP unnumbered on only Ethernet VLAN subinterfaces and point-to-point interfaces.
•If you configure more than 14,000 IP unnumbered subinterfaces and you have configured EIGRP on all interfaces on a router, the router can stop responding. To avoid this problem, use the passive-interface default command (which disables all router interfaces from sending routing updates) and then configure the no passive-interface command on selected interfaces you want to send routing updates.
•Service Selection Gateway (SSG) functionality is not supported.
The following limitations apply to the Cisco 10000 series router implementation of MPLS QoS:
•The match mpls experimental topmost exp-value command (where exp-value is in the range 0-7) is supported on both input and output interfaces on which MPLS is enabled.
•The set mpls experimental imposition mpls-exp-value command and the set mpls experimental mpls-exp-value command (where in both cases mpls-exp-value is in the range 0-7) are supported on the provider edge (PE) router input interface that connects to the customer edge (CE) router. These commands can also be used on input interfaces on the CE router, in the pipe mode of the MPLS QoS DiffServ tunneling models.
These two commands have the same function, but because the set mpls experimental mpls-exp-value command is supported only for backward compatibility, Cisco recommends that you use the set mpls experimental imposition mpls-exp-value command.
•The set-mpls-exp-imposition-transmit option of the police command is only supported on the PE input interface that is connected to the CE.
•The mpls ip encapsulate explicit-null command is supported on the CE router interface that is connected to the PE. This command is only used in pipe mode of MPLS QoS Diff Serv tunneling models.
•When precedence-based weighted random early detection (WRED) is configured on an output policy map and the outgoing packets are MPLS packets, the router drops the MPLS packets based on the 3 EXP bits in the MPLS label instead of the 3 IP precedence bits in the underlying IP packets.
•When DSCP-based WRED is configured on an output policy map and the outgoing packets are MPLS packets, the router drops the MPLS packets based on the 3 EXP bits in the MPLS label instead of the 6 DSCP bits in the underlying IP packets. The router left-shifts the 3 EXP bits to make a 6-bit value. For example, if the value of the EXP bits is 5 (binary 101), the router converts them to binary 101000 (so that they look like 6 DSCP bits) and drops packets based on this value.
•When you configure the set and police commands in the same traffic class, in either an input or an output policy map, the police command is processed after the set command. This means that the values applied by the police command override the values applied by the set command. The value can be IP precedence, DSCP, qos-group, MPLS experimental imposition, discard-class, or the ATM CLP bit.
•Discard-class can be a number between 0 and 7; qos-group can be a number between 0 and 63.
MPLS Traffic Engineering—Diffserv Aware
The DS-TE feature has the following restrictions:
•The total number of TE tunnels (regular TE tunnels and DS-TE tunnels) that can originate on a device is limited to 1013 tunnels.
Multirouter Automatic Protection Switching
In Cisco IOS Release 12.3(7)XI1, MR-APS is supported for the following line cards:
•4-port Channelized STM-1
Per Domain VRF With Local Templates
Local templates can be used to forward users to a RADIUS server for remote AAA. The ip vrf forwarding command is not supported under local templates. Therefore, you can only specify a virtual routing and forwarding instance (VRF) by using the ip:vrf-id VSA attribute on the RADIUS server. Do not use local templates with subscriber profiles; they are mutually exclusive.
Per DSCP WRED
The per DSCP WRED feature has the following restrictions:
•Because Cisco IOS software applies the random-detect command on a per interface-basis, you cannot simultaneously configure precedence-based WRED and DSCP-based WRED on a particular interface.
•You cannot use this feature with Multiprotocol Label Switching (MPLS) encapsulated packets. The Cisco 10000 series router supports this feature for use with IP packets only.
Per Precedence WRED Statistics
In the output of the show policy-map interface command, the Tail Drops counter indicates the number of packets dropped because the average queue length exceeds the maximum threshold for the given precedence. However, under burst conditions it is possible that packets can be dropped because the queue is full. These packets are not counted as Tail Drops. The number of packets that are dropped under burst conditions when the queue is full are counted as Output Queue Drops.
PRE Network Management Ethernet Port
Ensure that the Fast Ethernet NME port on the PRE is configured for auto-negotiation mode, which is the system default. Duplex mode can cause problems, such as flapping. If the port is experiencing such problems and has been configured for duplex mode, use the no half-duplex or no full-duplex command to disable duplex mode.
RADIUS Packet of Disconnect
Proper matching identification information must be communicated by the:
•Billing server and router configuration
•Router's original accounting start request
•Server's POD request
Strict Priority Queuing
If you do not enter a police command with the priority command, other queues on the link can be starved for bandwidth.
After you use the priority command without a police command in a policy map, you cannot use the bandwidth command in other classes in the same policy map.
Testing Performance of High-Speed Interfaces
Cisco IOS software running on the Cisco 10000 series router has multiple queues for all classes of traffic over high-speed interfaces. The software selects a queue based on the source and destination address for the packet. This ensures that a traffic flow always uses the same queue and the packets are transmitted in proper order.
When the Cisco 10000 series router is installed in a real network, the high-speed interfaces work efficiently to spread traffic flow equally over the queues. However, using single traffic streams in a laboratory environment may result in less-than-expected performance.
Therefore, to ensure accurate test results, you should test the throughput of the gigabit Ethernet, Packet over SONET (POS), or ATM uplink with multiple source or destination addresses.
Tip To determine if traffic is being properly distributed, use the show hardware pxf cpu queue command.
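The following is an added illustration, not code from the release notes or from Cisco, of why a single-stream lab test underestimates throughput: the queue is chosen from the source and destination addresses, so one repeated address pair always lands in one queue, while many distinct pairs spread across all queues. The hash function (SHA-256 over the packed addresses) and the queue count of 8 are assumptions made for this example; the page does not describe the PXF hash or the real number of queues.

```python
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Tuple

# Assumed queue count for the illustration only; it is not the router's real
# number of per-interface queues.
NUM_QUEUES = 8


def select_queue(src: str, dst: str, num_queues: int = NUM_QUEUES) -> int:
    """Map a (source, destination) address pair to one transmit queue.

    The router picks the queue from the packet's addresses so that every
    packet of a flow lands in the same queue and stays in order.  The hash
    used here (SHA-256 of the packed addresses) is an assumption made for
    this example; the PXF hash is not described on the page.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % num_queues


def queue_distribution(packets: Iterable[Tuple[str, str]],
                       num_queues: int = NUM_QUEUES) -> Dict[int, int]:
    """Count how many packets each queue would receive."""
    counts = Counter({q: 0 for q in range(num_queues)})
    for src, dst in packets:
        counts[select_queue(src, dst, num_queues)] += 1
    return dict(counts)


def queues_in_use(dist: Dict[int, int]) -> int:
    """Number of queues that carry at least one packet; 1 means the whole
    test stream is serialised through a single queue."""
    return sum(1 for n in dist.values() if n > 0)


# Constructed test traffic (not captured from a device).
def single_stream(n: int = 1000):
    """One source/destination pair repeated, as a naive lab generator does."""
    return [("10.0.0.1", "192.0.2.1")] * n


def multi_stream(n: int = 1000):
    """Many distinct source/destination pairs, as real traffic has."""
    return [(f"10.0.{i // 256}.{i % 256}", f"192.0.2.{i % 200 + 1}")
            for i in range(n)]


if __name__ == "__main__":
    print("single stream:", queue_distribution(single_stream()))
    print("multi stream: ", queue_distribution(multi_stream()))
```

Running the block shows the single stream concentrated in one queue and the multi-address stream spread over all of them, which is the distribution the show hardware pxf cpu queue command lets you confirm on the router.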
The Time-Based ACLs feature has the following restrictions:
•You can specify a time range for only IP extended access lists. Standard access lists are not supported.
•An ACE that refers to a non-existent time-range entry is considered active.
•You define time-based ACLs based on hours and minutes. You cannot specify seconds.
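As an added example that is not part of the release notes, the evaluator below models the three restrictions above: only extended ACEs carry a time range, the time range resolves to the minute, and an ACE that names a time range that does not exist is treated as active. The last rule is the one to watch operationally, because a misspelled time-range name on a permit entry leaves that entry permanently active rather than disabling it. The data structures, the inclusive end minute and the constructed ACLs are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass(frozen=True)
class Periodic:
    """One 'periodic' entry of a time-range: days plus start/end to the minute."""
    days: frozenset
    start: time
    end: time


@dataclass(frozen=True)
class Ace:
    """An access control entry of an extended IP ACL (the only kind that can
    carry a time range here), reduced to the fields this example needs."""
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    time_range: Optional[str] = None  # name of a time-range, or None


def periodic(days_spec: str, start: str, end: str) -> Periodic:
    """Build a Periodic from 'daily' or a space-separated day list and
    HH:MM strings.  Seconds cannot be expressed, matching the restriction."""
    days = frozenset(DAYS) if days_spec == "daily" else frozenset(days_spec.split())
    if not days <= set(DAYS):
        raise ValueError(f"unknown day in {days_spec!r}")
    h1, m1 = (int(x) for x in start.split(":"))
    h2, m2 = (int(x) for x in end.split(":"))
    return Periodic(days, time(h1, m1), time(h2, m2))


def range_active(entries: List[Periodic], now: datetime) -> bool:
    """True if any periodic entry covers 'now'.  Seconds are dropped first
    because time-based ACLs work at minute granularity; the end minute is
    assumed inclusive (an assumption of this example)."""
    t = now.time().replace(second=0, microsecond=0)
    day = DAYS[now.weekday()]
    return any(day in p.days and p.start <= t <= p.end for p in entries)


def ace_active(ace: Ace, time_ranges: Dict[str, List[Periodic]], now: datetime) -> bool:
    if ace.time_range is None:
        return True
    entries = time_ranges.get(ace.time_range)
    if entries is None:
        # Restriction from the page: an ACE whose time-range does not exist is
        # considered active, so a misspelled name does not disable the entry.
        return True
    return range_active(entries, now)


def evaluate(acl: List[Ace], time_ranges: Dict[str, List[Periodic]],
             src: str, dst: str, now: datetime) -> str:
    """First-match evaluation with the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace_active(ace, time_ranges, now) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# Constructed example data (not from a router configuration).
TIME_RANGES = {"business": [periodic("Mon Tue Wed Thu Fri", "09:00", "17:00")]}
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.0.0.0/8")
ACL_OK = [Ace("permit", LAN, ANY, "business")]
ACL_TYPO = [Ace("permit", LAN, ANY, "busines")]   # time-range name does not exist

MONDAY_10AM = datetime(2024, 1, 8, 10, 0, 30)     # seconds are ignored
SATURDAY_10AM = datetime(2024, 1, 6, 10, 0)
```

With ACL_OK the permit applies on Monday at 10:00 and falls through to the implicit deny on Saturday; with ACL_TYPO the same packet is permitted on Saturday as well, which is why a configuration audit should cross-check every time-range keyword against the defined time-range names.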
Variable Bit Rate Non-Real Time Oversubscription
The VBR-nrt Oversubscription feature has the following restrictions:
•Due to congestion on the physical interface, the accuracy of priority queuing (PQ) and class-based weighted fair queuing (CBWFQ) on individual VCs degrades. For example, if you configure each of three queues at a distribution of 50, 30, and 20 percent, the actual distribution might be 45, 40, and 15 percent.
•The distribution of bandwidth for each VC might be less than expected based on the speed of the VC. Typically, low speed VCs are allocated the expected bandwidth while high speed VCs share the remaining bandwidth equally.
•The amount of bandwidth allocated for the PQ or latency might be less than expected.
•Oversubscription of the ATM interfaces is off by default. Oversubscription of the tunnels (the number and bandwidth of VCs that can be in a tunnel) is on by default and is not subject to any oversubscription factor. Oversubscription of the tunnels cannot be adjusted or turned off.
•Use the atm over-subscription-factor command to enable the oversubscription feature for a particular interface or tunnel. Do not use the atm oversubscribe command to enable oversubscription, as this can cause undesirable results.
•It is recommended that the atm over-subscription-factor command be applied to all ports of an ATM line card. This command controls the allocation of resources that are managed on a line card. Enabling oversubscription on one port alone could result in other ports taking up more resources than they were supposed to use. This could result in starving other ports for resources, which could cause VC creation to fail.
WRED with Queue Limit
The WRED with Queue Limit has the following restrictions:
•The Cisco 10000 series router supports the configuration of 131,072 queues. The router reserves 255 queues for high speed interfaces. Any link that has a speed greater than 622 Mbps is classified as a high speed interface.
•You can configure a maximum of 29 queues per link.
•The queue limits that you can configure on a high speed interface range from 128 to 65,536 packets and on a low speed interface the queue limits range from 8 to 4,096 packets.
This section provides important information about the following topics:
Configuring the aaa new-model Command
The aaa new-model command is disabled by default on the Cisco 10000 series router. In previous releases, the default configuration did not appear in the running configuration file. However, in Cisco IOS Release 12.3(7)XI1 or later releases, the running configuration file now includes the no aaa new-model command. This is an intentional change in behavior for this command and is the first step in a three-step process to change the default configuration to aaa new-model.
Note This change in behavior differs from Cisco IOS software, which typically does not include default configurations in the running configuration file.
For example, when you enter the show running-config command, no aaa new-model appears in the configuration if either of the following conditions previously occurred:
•You did not configure the aaa new-model command on the router and instead accepted the default configuration of the file: no aaa new-model.
•You entered the no aaa new-model command to remove the previously configured aaa new-model command.
Provisioning for Scaling
The following configuration parameters enhance scalability on the Cisco 10000 series router:
To configure the Cisco 10000 series router for high scalability, be sure to configure the configuration parameters as described in the sections that follow.
For more information, refer to the Cisco 10000 Series Broadband Aggregation and Leased-Line Configuration Guide.
PPPoA Sessions with IP QoS Static Routes
To scale to 32,000 PPPoA sessions with IP QoS enabled, you must limit the number of IP QoS static routes to 4,000 unidirectional QoS static routes.
AAA Authentication on the NME Port
If you use AAA authentication on the NME port, set both the in and out interface hold queues to 4096. For example:
Router(config)# int fa 0/0/0
Router(config-if)# hold-queue 4096 in
Router(config-if)# hold-queue 4096 out
Call Admission Control
We recommend that you set the Call Admission Control (CAC) to a maximum of 95. For example:
Router(config)# call admission limit 95
Enhancing Scalability of Per-User Configurations
To enhance scalability of per-user configurations without changing the router configuration, use the ip:vrf-id and ip:ip-unnumbered RADIUS attributes. These per-user vendor specific attributes (VSAs) are used to map sessions to VRFs and IP unnumbered interfaces. The VSAs apply to virtual access subinterfaces and are processed during PPP authorization.
In releases earlier than Cisco IOS Release 12.2(16)BX1, the lcp:interface-config RADIUS attribute is used to map sessions to VRFs. This per-user VSA applies to any type of interface configuration, including virtual access interfaces. Valid values of this VSA are essentially any valid Cisco IOS interface command; however, not all Cisco IOS commands are supported on virtual access subinterfaces. To accommodate the requirements of the lcp:interface-config VSA, the per-user authorization process forces the Cisco 10000 series router to create full virtual access interfaces, which consume more memory and are less scalable.
In Cisco IOS Release 12.2(16)BX1 and later releases, the ip:vrf-id VSA is used to map sessions to VRFs. PPP on the virtual access interface that is to be created requires the ip:ip-unnumbered VSA: an Internet Protocol Control Protocol (IPCP) session is not established if IP is not configured on the interface, so either the ip address command or the ip unnumbered command must be present on the virtual access interface. Specifying the ip address or ip unnumbered command on the virtual template interface is not required, because any pre-existing IP configuration is removed when the ip:ip-vrf VSA is installed on the virtual access interface. Therefore, any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install the IP configuration on the virtual access interface that is to be created.
These per-user VSAs can be applied to virtual access subinterfaces; therefore, the per-user authorization process does not require the creation of full virtual access interfaces, which improves scalability.
Setting VRF and IP Unnumbered Interface Configurations in User Profiles
Although the Cisco 10000 series router continues to support the lcp:interface-config VSA, the ip:vrf-id and ip:ip-unnumbered VSAs provide another way to set the VRF and IP unnumbered interface configurations in user profiles. The ip:vrf-id and ip:ip-unnumbered VSAs have the following syntax:
Cisco:Cisco-AVpair = "ip:vrf-id=vrf-name"
Cisco:Cisco-AVpair = "ip:ip-unnumbered=interface-name"
Specify only one ip:vrf-id and one ip:ip-unnumbered value in a user profile. However, if the profile configuration includes multiple values, the Cisco 10000 series router applies the value of the last VSA received, and creates a virtual access subinterface. If the profile includes the lcp:interface-config VSA, the router always applies the value of the lcp:interface-config VSA, and creates a full virtual access interface.
In Cisco IOS Release 12.2(15)BX, if you specified a VRF in a user profile but did not configure that VRF on the Cisco 10000 series router, the router accepted the profile. In Cisco IOS Release 12.2(16)BX1 and later releases, the router rejects such a profile.
Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template
You can specify one VSA value in the user profile on RADIUS and another value locally in the virtual template interface. The Cisco 10000 series router clones the template and then applies the values configured in the profiles it receives from RADIUS, resulting in the removal of any IP configurations when the router applies the profile values.
Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs
The requirement of a full virtual access interface when using the lcp:interface-config VSA in user profiles can result in scalability issues, such as increased memory consumption. This is especially true when the Cisco 10000 series router attempts to apply a large number of per-user profiles that include the lcp:interface-config VSA. Therefore, when updating your user profiles, we recommend that you redefine the lcp:interface-config VSA to the scalable ip:vrf-id and ip:ip-unnumbered VSAs.
Example 1 shows how to redefine the VRF named newyork using the ip:vrf-id VSA.
Example 1 Redefining VRF Configurations
Change:
Cisco:Cisco-Avpair = "lcp:interface-config=ip vrf forwarding newyork"
To:
Cisco:Cisco-Avpair = "ip:vrf-id=newyork"
Example 2 shows how to redefine the Loopback 0 interface using the ip:ip-unnumbered VSA.
Example 2 Redefining IP Unnumbered Interfaces
Change:
Cisco:Cisco-Avpair = "lcp:interface-config=ip unnumbered Loopback 0"
To:
Cisco:Cisco-Avpair = "ip:ip-unnumbered=Loopback 0"
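The following added example (not Cisco's code and not part of the release notes) turns Examples 1 and 2 and the precedence rules in "Setting VRF and IP Unnumbered Interface Configurations in User Profiles" into a small profile-migration and validation tool: it parses Cisco-Avpair lines, rewrites the two lcp:interface-config forms to ip:vrf-id and ip:ip-unnumbered, then applies the rules that lcp:interface-config always wins and forces a full virtual access interface, that the last duplicate VSA value is used, that ip:vrf-id needs ip:ip-unnumbered, and that a VRF not configured on the router causes the profile to be rejected. The profile text format, the user name and the set of configured VRFs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Matches one Cisco:Cisco-Avpair = "attr=value" line of a user profile.
AVPAIR_RE = re.compile(r'Cisco:Cisco-Avpair\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_profile(text: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs in the order the profile lists them."""
    pairs = []
    for match in AVPAIR_RE.finditer(text):
        attr, _, value = match.group(1).partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def migrate_pair(attr: str, value: str) -> Tuple[str, str]:
    """Rewrite the two lcp:interface-config forms shown in Examples 1 and 2
    into their ip:vrf-id / ip:ip-unnumbered equivalents; leave anything else."""
    if attr != "lcp:interface-config":
        return attr, value
    words = value.split()
    if words[:3] == ["ip", "vrf", "forwarding"] and len(words) == 4:
        return "ip:vrf-id", words[3]
    if words[:2] == ["ip", "unnumbered"] and len(words) >= 3:
        return "ip:ip-unnumbered", " ".join(words[2:])
    return attr, value   # other interface commands still need the old VSA


def migrate_profile(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    return [migrate_pair(a, v) for a, v in pairs]


@dataclass
class Outcome:
    ok: bool                 # profile passes the checks described on the page
    interface: str           # "full" virtual access interface or "subinterface"
    vrf: Optional[str]
    unnumbered: Optional[str]
    reason: str


def resolve(pairs: List[Tuple[str, str]], configured_vrfs: Set[str]) -> Outcome:
    """Apply the precedence and validation rules stated in the text."""
    if any(a == "lcp:interface-config" for a, _ in pairs):
        return Outcome(True, "full", None, None,
                       "lcp:interface-config present: router applies it and "
                       "creates a full virtual access interface")
    vrf = unnumbered = None
    for attr, value in pairs:
        if attr == "ip:vrf-id":
            vrf = value              # last value received wins
        elif attr == "ip:ip-unnumbered":
            unnumbered = value       # last value received wins
    if vrf is not None and unnumbered is None:
        return Outcome(False, "subinterface", vrf, None,
                       "ip:vrf-id without ip:ip-unnumbered: no IP configuration, "
                       "so the IPCP session is not established")
    if vrf is not None and vrf not in configured_vrfs:
        return Outcome(False, "subinterface", vrf, unnumbered,
                       f"VRF {vrf} is not configured on the router: profile rejected")
    return Outcome(True, "subinterface", vrf, unnumbered, "")


# Constructed profile text in the Cisco-Avpair form shown above (not taken
# from a real RADIUS server).
SAMPLE_PROFILE = '''
user1 Cleartext-Password := "<password placeholder>"
    Cisco:Cisco-Avpair = "lcp:interface-config=ip vrf forwarding newyork",
    Cisco:Cisco-Avpair = "lcp:interface-config=ip unnumbered Loopback 0"
'''

if __name__ == "__main__":
    original = parse_profile(SAMPLE_PROFILE)
    print("before:", resolve(original, {"newyork"}))
    print("after: ", resolve(migrate_profile(original), {"newyork"}))
```

Run against SAMPLE_PROFILE, the unmigrated pairs resolve to a full virtual access interface, while the migrated pairs resolve to a subinterface in VRF newyork unnumbered to Loopback 0; removing newyork from the configured VRFs, or dropping the ip:ip-unnumbered pair, flips the outcome to a rejected profile.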
Inserting a New Line Card
Unlike other Cisco routers, if you insert a new or different line card into a Cisco 10000 series router chassis slot that previously had a line card installed, the line card initially reports that it is administratively up.
Multilink PPP (MLPPP) is not supported on Cisco IOS Release 12.3(7)XI1.
Open Caveats—Cisco IOS Release 12.3(7)XI1
Table 2 describes Open Caveats in Cisco IOS Release 12.3(7)XI1.
Resolved Caveats—Cisco IOS Release 12.3(7)XI1
This section describes caveats that were fixed in Cisco IOS Release 12.3(7)XI1.
For information about caveats fixed in other Cisco IOS releases, refer to the appropriate Release Note document at the following URL:
GRE implementation of Cisco IOS is compliant with RFC2784 and RFC2890 and backward compatible with RFC1701.
For RFC compliance, this DDTS adds a check for bits 4-5 (0 being the most significant) of the GRE header.
This issue does not cause any problem for router operation.
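To make the caveat concrete, the following is an added GRE header parser (not Cisco's implementation and not code from the release notes) that performs the receiver checks the caveat refers to: it rejects a non-zero version field, rejects packets with bits 4-5 of the first 16-bit word set (RFC 1701's strict-source-route and recursion-control bits, which RFC 2784 and RFC 2890 reserve), and verifies the optional checksum, key and sequence number fields. The packet builder and all sample packets are constructed here for the example; the bit layout follows RFC 2784/2890.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# GRE flag bits, numbered from the most significant bit of the first 16-bit word.
GRE_C = 0x8000         # bit 0: Checksum Present (RFC 2784)
GRE_K = 0x2000         # bit 2: Key Present (RFC 2890)
GRE_S = 0x1000         # bit 3: Sequence Number Present (RFC 2890)
GRE_BITS_4_5 = 0x0C00  # bits 4-5: RFC 1701 strict-source-route / recursion bits
GRE_VERSION = 0x0007   # bits 13-15: must be 0 for RFC 2784/2890 GRE


@dataclass
class GreHeader:
    protocol: int
    checksum: Optional[int]
    key: Optional[int]
    sequence: Optional[int]
    header_len: int      # offset of the encapsulated payload


def internet_checksum(data: bytes) -> int:
    """One's-complement sum used by GRE (same algorithm as IP/TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _u16(packet: bytes, off: int) -> int:
    if len(packet) < off + 2:
        raise ValueError("truncated GRE header")
    return struct.unpack("!H", packet[off:off + 2])[0]


def _u32(packet: bytes, off: int) -> int:
    if len(packet) < off + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", packet[off:off + 4])[0]


def parse_gre(packet: bytes) -> GreHeader:
    """Parse a GRE header; raises ValueError for packets a compliant
    receiver discards."""
    flags, protocol = _u16(packet, 0), _u16(packet, 2)
    if flags & GRE_VERSION:
        raise ValueError("GRE version is not 0")
    if flags & GRE_BITS_4_5:
        raise ValueError("reserved bits 4-5 set (RFC 1701 only); discard")
    offset = 4
    checksum = key = sequence = None
    if flags & GRE_C:                      # Checksum (2 bytes) + Reserved1 (2 bytes)
        checksum = _u16(packet, offset)
        offset += 4
    if flags & GRE_K:
        key = _u32(packet, offset)
        offset += 4
    if flags & GRE_S:
        sequence = _u32(packet, offset)
        offset += 4
    if len(packet) < offset:
        raise ValueError("truncated GRE header")
    if checksum is not None:
        # Checksum covers the GRE header and payload with the field zeroed.
        zeroed = packet[:4] + b"\x00\x00" + packet[6:]
        if internet_checksum(zeroed) != checksum:
            raise ValueError("GRE checksum mismatch")
    return GreHeader(protocol, checksum, key, sequence, offset)


def build_gre(protocol: int, payload: bytes, key: Optional[int] = None,
              sequence: Optional[int] = None, with_checksum: bool = False,
              extra_flags: int = 0) -> bytes:
    """Assemble a GRE packet; extra_flags lets a test set bits the parser
    must reject (constructed input only)."""
    flags = extra_flags
    if with_checksum:
        flags |= GRE_C
    if key is not None:
        flags |= GRE_K
    if sequence is not None:
        flags |= GRE_S
    header = struct.pack("!HH", flags, protocol)
    if with_checksum:
        header += b"\x00\x00\x00\x00"       # checksum placeholder + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if sequence is not None:
        header += struct.pack("!I", sequence)
    packet = header + payload
    if with_checksum:
        packet = packet[:4] + struct.pack("!H", internet_checksum(packet)) + packet[6:]
    return packet


def gre_verdict(packet: bytes) -> str:
    """Receiver decision as a string, convenient for logging or tests."""
    try:
        parse_gre(packet)
        return "accept"
    except ValueError as exc:
        return f"discard: {exc}"
```

A packet with only RFC 2890 bits set parses normally, while the same packet with bit 4 or bit 5 set is discarded before any option field is read, which is the behaviour the caveat adds; as the caveat notes, this is a compliance check and has no effect on normal GRE operation.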
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This vulnerability requires multiple crafted packets to be sent to the device which may result in a reload upon successful exploitation.
More details can be found in the security advisory, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.
Cisco Internetwork Operating System (IOS) Software release trains 12.1YD, 12.2T, 12.3 and 12.3T, when configured for Cisco's IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) may contain a vulnerability in processing certain malformed control protocol messages.
A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml.
Cisco has made free software upgrades available to address this vulnerability for all affected customers.
This vulnerability is documented by Cisco bug ID CSCee08584.
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
You can access the most current Cisco documentation on the World Wide Web at this URL:
You can access the Cisco website at this URL:
International Cisco websites can be accessed from this URL:
You can find instructions for ordering documentation at this URL:
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
You can submit e-mail comments about technical documentation to firstname.lastname@example.org.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.
Cisco TAC Website
The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:
Opening a TAC Case
Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:
For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
TAC Case Priority Definitions
To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.
Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Go to this URL to visit the company store:
•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
•Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:
•iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
•Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:
© 2005 Cisco Systems, Inc. All rights reserved.
Printed in the USA on recycled paper containing 10% postconsumer waste.