Release Notes for Cisco NCS 5500 Series Routers, IOS XR Release 25.3.1

Updated: September 16, 2025

● Cisco NCS 5500 Series Routers, IOS XR Release 25.3.1
● New software features
● New hardware
● Changes in behavior
● Open issues
● Known issues
● Compatibility
● Supported software packages
● Related resources
● Legal information

Cisco NCS 5500 Series Routers, IOS XR Release 25.3.1

Cisco IOS XR Release 25.3.1 is a new feature and hardware release for Cisco NCS 5500 Series routers. Key highlights include enhanced BGP and EVPN stability, improved load balancing and multicast efficiency, expanded DHCP and QoS controls, advanced segment routing, improved security (including TACACS+ with TLS protection), and YANG-Push telemetry. The release also delivers stronger SSH and audit security, programmable automation, and support for custom RPM installations, further boosting scale, flexibility, and operational reliability across diverse network environments.

New software features

Table 1. New software features for Cisco NCS 5500 Series Routers, Release 25.3.1

BGP

| Product impact | Feature | Description |
| --- | --- | --- |
| Software Reliability | Improved BGP next-hop resolution handling | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). You can now improve network routing stability by enabling or disabling BGP nexthop resolution using the default route without resetting active BGP sessions. This enhancement maintains BGP session continuity, prevents traffic disruption, avoids service interruption, and improves operational flexibility. Previously, applying or removing the bgp nexthop resolution allow-default command reset all BGP sessions, even when the reset was not required for nexthop resolution. |

EVPN

| Product impact | Feature | Description |
| --- | --- | --- |
| API experience | Sub-second convergence for EVPN with BGP PIC-edge | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Native]). You can maintain continuous service in multi-homed EVPN deployments using sub-second convergence for EVPN with BGP PIC-edge. This functionality rapidly switches traffic to a backup nexthop path when the preferred nexthop fails, delivering fast convergence and high availability for active-active EVPN E-LAN and E-Line services. |

IP Addresses and Services

| Product impact | Feature | Description |
| --- | --- | --- |
| Software Reliability | NTP-server option for DHCPv6 | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Native]). You can now configure the NTP-server option in the DHCPv6 server profile. The DHCPv6 server provides NTP-server information to a client device when the client requests this information and a user configures it. When configured, this functionality simplifies user setup and ensures accurate time synchronization across the network. |

L2VPN

| Product impact | Feature | Description |
| --- | --- | --- |
| API experience | Decoupled mode for L2VPN and EVPN VPWS services | Introduced in this release on: NCS 5500 fixed port routers (select variants only*). Decoupled mode improves fault tolerance by allowing the Provider Edge (PE) router to maintain the pseudowire (PW) in an active state independently of the Attachment Circuit (AC) status. Unlike the traditional coupled mode, which requires both AC and PW to be active for traffic flow, decoupled mode ensures uninterrupted PW traffic even during AC failures. * This feature is supported only on NCS-55A1 series fixed port routers. |
| Software Reliability | MPLS static label support for EVPN ELAN | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). You can configure local static MPLS labels for unicast IP traffic under the EVPN EVI configuration, which ensures remote PEs use a consistent, common label for the same EVPN service, improving forwarding consistency and operational control. |
| Software Reliability | MPLS static label support for EVPN VPWS | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). You can configure local static MPLS labels for EVPN VPWS under the L2VPN cross-connect P2P EVPN EVI configuration, which ensures remote PEs use a consistent, common label for the same EVPN service, improving forwarding consistency and operational control. |
| Ease of use | Unicast DHCP relay for EVPN-synchronized ARP entries | Introduced in this release on: NCS 5500 fixed port routers (select variants only*). Unicast DHCP relay for EVPN-synchronized ARP entries reduces broadcast traffic by enabling the relay agent to send DHCP replies as unicast even when ARP entries are learned through EVPN synchronization. Unlike the default behavior, which broadcasts replies in this scenario, this feature ensures efficient unicast delivery and minimizes unnecessary network flooding. * This feature is supported only on NCS-55A1 series and NCS-55A2 series fixed port routers. |
| API experience | DHCPv6 route additions in EVPN active-active multi-homing coupled mode | Introduced in this release on: NCS 5500 fixed port routers (select variants only*). You can improve network convergence and prevent traffic loss by enabling DHCPv6 PD route addition when the L2 AC is down but the BVI is up post reload in EVPN A-A MH coupled mode. In this scenario, the BVI comes up before the L2 AC due to EVPN holding it down for core isolation or cost-in timers. Having the route in the RIB allows EVPN A-A MH to redirect traffic to the MH peer for forwarding to the subscriber. * This feature is supported only on NCS-55A2 series fixed port routers. |

MPLS

| Product impact | Feature | Description |
| --- | --- | --- |
| Ease of Use | Granular TTL and QoS propagation control for MPLS PHP | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). You can now achieve granular control over Time-to-Live (TTL) and Quality of Service (QoS) propagation on Penultimate Hop (PHP) nodes for DNX-1 routers. This allows you to inherit TTL from the outer MPLS header while preserving the original IP.TOS QoS settings. |

Modular QoS

| Product impact | Feature | Description |
| --- | --- | --- |
| API experience | Configurable fair adaptive drop thresholds | Introduced in this release on: NCS 5500 line cards. You can improve burst absorption and reduce packet drops on both priority and non-priority queues by configuring the buffer allocation strategy as needed. With this feature, you can now configure adaptive limits for buffer descriptor usage per queue at ingress. By configuring different adaptive limits, you control the share of system buffer resources that each queue can consume. This approach optimizes burst handling and helps prevent resource starvation across multiple classes of service. The feature introduces the hw-module profile qos ingress-fadt-set command. |

Multicast

| Product impact | Feature | Description |
| --- | --- | --- |
| Software Reliability | Enhanced load-balancing in Label Switched Multicast | The enhanced load balancing in Label Switched Multicast (LSM) addresses the limitation where only the MPLS label is used for load balancing. Previously, multiple multicast streams sharing the same label would use a single link, leading to congestion. This update enables better distribution of multicast streams across available links for affected profiles, preventing link saturation. For NCS 5700 fixed port routers and line cards, the platform has the capability to program the bundle ID in hardware. This enables hardware-level load balancing. |

NetFlow and sFlow

| Product impact | Feature | Description |
| --- | --- | --- |
| Ease of Use | BGP community and AS path information elements for IPFIX | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Native]). You can now export flow records with BGP community and AS path information elements in IPFIX. This allows you to monitor and analyze traffic based on precise BGP routing metadata, including community tags and AS paths. This ensures more granular visibility and control over your routing environment. |

Programmability

| Product impact | Feature | Description |
| --- | --- | --- |
| Software Reliability | YANG-Push notifications | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Native]). YANG-Push provides a real-time telemetry solution by allowing applications to subscribe to specific YANG datastore updates. This feature enables efficient, low-latency streaming of operational state data to subscribed receivers. By reducing the reliance on traditional polling methods, YANG-Push enhances network observability, accelerates troubleshooting, and optimizes data collection for modern network automation and assurance workflows. |

Segment Routing

| Product impact | Feature | Description |
| --- | --- | --- |
| Ease of Use | EVPNv6 (ELAN) Layer 2 gateway | Introduced in this release on: NCS 5700 fixed port routers; NCS 5700 line cards [Mode: Native]. This feature enables scalable and resilient Layer 2 gateway services over SRv6, supporting advanced multi-homing with ESI filtering and uSID-based service steering. It enhances network flexibility, optimizes traffic management, and improves operational visibility, delivering business value by ensuring high availability, efficient load balancing, and seamless integration across multi-AS environments for service providers and enterprises. |
| Ease of Use | SRv6 per-flow manual steering: ABF redirect into VRF | NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). This feature enables precise manual control of traffic flows by steering them into specific VRFs using ABF redirect mechanisms. This allows optimized routing, improved network segmentation, and flexible policy enforcement, enhancing network performance, security, and resource utilization for complex business needs. |
| Ease of Use | Cisco Network Controller (CNC) v7.2: Multiple SID-List with Preserve or Transactional gRPC API | This feature enables advanced segment routing path computation by supporting multiple SID lists and atomic, transactional updates through gRPC API. This ensures reliable, consistent policy changes and enhances network stability. It supports high availability with state synchronization across multiple SR-PCEs and integrates with Path Computation Clients for comprehensive traffic engineering across multi-AS topologies. This improves network programmability, scalability, and reduces configuration errors. |
| API experience | Layer 3 service gateway for interconnecting SRv6 domains | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). Optimize network scalability and interoperability by reducing SID resource usage, and enabling seamless integration between distinct SRv6 domains. The layer 3 service gateway provides a flexible mechanism to extend layer 3 services across different SRv6 networks, supporting efficient route summarization, cross-locator compatibility, and consistent service continuity on both control and data planes. |
| Software Reliability | Multiple Segment Routing Global Blocks | Introduced in this release on: NCS 5500 modular routers; NCS 5500 fixed port routers. You can now enhance network scalability and flexibility by enabling the allocation of additional SR label ranges, which prevents label space conflicts and supports efficient label management. By allowing multiple Segment Routing Global Blocks (SRGBs) to operate in parallel on a single node, it expands label space to meet growing network demands without causing widespread re-planning or ripple effects. This capability aligns with segment routing standards such as RFC 8660, ensuring a standardized, future-proof approach to label management and network evolution. |

Setup and Upgrade

| Product impact | Feature | Description |
| --- | --- | --- |
| Upgrade | Changes to supported software upgrade or downgrade IOS XR versions due to the underlying OS package manager upgrade | Introduced in this release on: NCS 5700 fixed port routers; NCS 5700 line cards [Mode: Compatibility; Native]. You can now upgrade Cisco IOS XR software from an earlier version to version 25.3.1 or later, and downgrade from version 25.3.1 or later to an earlier version, with certain limitations. These limitations are designed to help prevent failures during the upgrade or downgrade process. |
| Ease of Setup | Install unsigned third-party RPMs | This feature enables the installation of unsigned third-party RPMs on Cisco IOS XR systems, leveraging the existing install infrastructure and Golden ISO (GISO). This simplifies the deployment of custom or third-party containerized applications via the command-line interface, provided these unsigned RPMs adhere to Owner RPM conventions. |
| Software reliability | Implementing audit monitoring | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). You can enhance your router’s security and compliance by enabling audit monitoring. This feature lets you configure predefined rules that enable the router to monitor, log, and optionally forward audit logs to a remote syslog server for centralized analysis and incident response. |

System Security

| Product impact | Feature | Description |
| --- | --- | --- |
| Software Reliability | Unused connection timeout for SSH sessions | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). You can prevent session limit exhaustion and maintain optimal system performance by automatically disconnecting SSH connections with no active channels. The feature introduces a configurable timeout for unused SSH connections, ensuring stale sessions do not occupy resources on your routers. The router monitors each SSH connection and terminates it when all channels remain closed and SSH clients do not create new channels within the configured timeout period. |
| Software Reliability | Channel timeout for SSH sessions | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]). You can improve resource efficiency and minimize potential security risks by automatically closing idle SSH channels on the routers after a specific period of inactivity. The feature introduces a configurable timeout for SSH channels which ensures that unused channels do not persist while the parent SSH connection remains active. The router monitors each SSH channel and closes any channel where no data is sent or received within the configured timeout period. |
| Security Efficacy | TACACS+ with TLS protection | Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Native]). You can significantly enhance security and reduce the risk of attacks on weak encryption by using TACACS+ over TLS. This method ensures the secure transmission of all Authentication, Authorization, and Accounting (AAA) data between the client and server. It provides robust protection for sensitive environments by supporting mutual authentication through a TLS X.509 certificate-based infrastructure. This feature is compatible with both TLS versions 1.3 and 1.2. |

New hardware

Table 2. New hardware for Cisco NCS 5500 Series Routers, Release 25.3.1

| Hardware | Description |
| --- | --- |
| Optics | Optics support varies across devices (routers, line cards, RPs, and so on). To know if an optics is compatible with a specific Cisco device, refer to the Transceiver Module Group (TMG) Compatibility Matrix. This release introduces the following optics: DP01QS28-E20 (C-Temp); DP01QS28-E25 (I-Temp). |
| Optics | This release launches the following new optics on selective hardware within the product portfolio. For details, refer to the Transceiver Module Group (TMG) Compatibility Matrix. Cisco 50GBASE SFP56 optics: SFP-50G-BX40D-I; SFP-50G-BX40U-I. |

Changes in behavior

● Full Outgoing Interface Name in Cisco-IOS-XR-mpls-forwarding-oper: The outgoing-interface leaf of Cisco-IOS-XR-mpls-forwarding-oper has been updated to include the full outgoing interface name instead of the shortened interface name.

● BVI arp-suppression and ACL configurations: While you can configure Access Control Lists (ACLs) on BVIs to filter network traffic effectively, it is important to note that certain restrictions apply. Specifically, when ACLs are configured on the router, BVI arp-suppression cannot be used concurrently. This ensures optimal operation and resource management within the device. The configuration of ACLs on BVIs allows for flexible traffic filtering across multiple interfaces grouped under the BVI, enhancing network control and security.

● RTBH Filtering Control on NCS 5700 NPU-Based Platforms: On NCS 5700 line cards with NPU-based platforms, configuring a NULL0 route enforces both destination-based RTBH (D-RTBH) and source-based RTBH (S-RTBH) filtering. Starting with Release 25.3.1, S-RTBH filtering is controlled by the Unicast Reverse Path Forwarding (URPF) interface configuration. Enforcement of D-RTBH filtering remains independent of URPF.

Open issues

There are no open caveats in this release.

Known issues

● The Cisco NCS 5500 series modular routers with Cisco NCS 5700 line cards no longer support new features in compatibility mode. All Cisco IOS XR releases will continue to support features that were already enabled in compatibility mode until release 25.1.1. However, no new features will be added to compatibility mode. To take advantage of new features in current and subsequent releases, enable native mode by using the hw-module profile npu native-mode-enable command.

Compatibility

Compatibility matrix for EPNM and Crosswork with Cisco IOS XR software

The compatibility matrix lists the versions of EPNM and Crosswork that are supported with this Cisco IOS XR release.

Table 3. Compatibility Matrix for EPNM and Crosswork with Cisco IOS XR Software

System requirements

Use the show hw-module fpd command in EXEC and Admin mode to view the hardware components with their current FPD version and status. The status of the hardware must be CURRENT, and the Running and Programmed versions must be the same. You can also use the show fpd package command in Admin mode to check the FPD versions.

Software version

To verify the software version running on the router, use the show version command in EXEC mode.

Router# show version
Mon Sep 15 23:57:35.840 PDT
Cisco IOS XR Software, Version 25.3.1
Copyright (c) 2013-2025 by Cisco Systems, Inc.

Build Information:
 Built By     : swtools
 Built On     : Mon Sep 15 07:19:49 PDT 2025
 Built Host   : iox-lnx-026
 Workspace    : /auto/srcarchive12/prod/25.3.1/ncs5500/ws
 Version      : 25.3.1
 Location     : /opt/cisco/XR/packages/
 Label        : 25.3.1

cisco NCS-5500 () processor
System uptime is 50 minutes

Supported software packages

The following tables list the Cisco IOS XR Software feature set matrix (packages) with associated filenames. Visit the Cisco Software Download page to download the Cisco IOS XR software images.

Table 4. Supported software for NCS 5500 Series Routers, Release 25.3.1

Composite Package

| Feature Set | Filename | Description |
| --- | --- | --- |
| Cisco IOS XR IP Unicast Routing Core Bundle | ncs5500-mini-x.iso | Contains base image contents that include: Host operating system; System Admin boot image; IOS XR boot image; BGP packages |

Individually-Installable Optional Packages

| Feature Set | Filename | Description |
| --- | --- | --- |
| Cisco IOS XR Manageability Package | ncs5500-mgbl-3.0.0.0-r2531.x86_64.rpm | Extensible Markup Language (XML) Parser, Telemetry, Netconf, gRPC and HTTP server packages. |
| Cisco IOS XR MPLS Package | ncs5500-mpls-2.1.0.0-r2531.x86_64.rpm; ncs5500-mpls-te-rsvp-2.2.0.0-r2531.x86_64.rpm | MPLS and MPLS Traffic Engineering (MPLS-TE) RPM. |
| Cisco IOS XR Security Package | ncs5500-k9sec-3.1.0.0-r2531.x86_64.rpm | Support for Encryption, Decryption, Secure Shell (SSH), Secure Socket Layer (SSL), and Public-key infrastructure (PKI) |
| Cisco IOS XR ISIS package | ncs5500-isis-1.2.0.0-r2531.x86_64.rpm | Support ISIS |
| Cisco IOS XR OSPF package | ncs5500-ospf-2.0.0.0-r2531.x86_64.rpm | Support OSPF |
| Lawful Intercept (LI) Package | ncs5500-li-1.0.0.0-r2531.x86_64.rpm | Includes LI software images |
| Multicast Package | ncs5500-mcast-1.0.0.0-r2531.x86_64.rpm | Support Multicast |
| EIGRP | ncs5500-eigrp-1.0.0.0-r2531.x86_64.rpm | Supports Enhanced Interior Gateway Routing Protocol |
| Lawful Intercept Control | ncs5500-lictrl-1.0.0.0-r2531.x86_64.rpm | Supports Lawful Intercept Control |
| Healthcheck | ncs5500-healthcheck-1.0.0.0-r2531.x86_64.rpm | Supports System Health Check |

Table 5. TAR files for Cisco NCS 5500 Series Router, Release 25.3.1

| Feature Set | Filename |
| --- | --- |
| NCS 5500 IOS XR Software 3DES | NCS5500-iosxr-k9-25.3.1.tar |
| NCS 5500 IOS XR Software | NCS5500-iosxr-25.3.1.tar |
| NCS 5500 IOS XR Software | NCS5500-docs-25.3.1.tar |
| NCS 5500 IOS XR Software 3DES | NCS5500-iosxr-k9-25.3.1.tar |
| NCS 5500 IOS XR Software | NCS5500-iosxr-25.3.1.tar |

Table 6. Packages for Cisco NCS 5700 Series Router, Release 25.3.1

| Feature Set | Filename |
| --- | --- |
| NCS 5700 IOS XR Software | ncs5700-x64-25.3.1.iso |
| NCS 5700 IOS XR Software (only k9 RPMs) | ncs5700-k9sec-rpms.25.3.1.tar |
| NCS 5700 IOS XR Software Optional Package | NCS5700-optional-rpms.25.3.1.tar. This TAR file contains the following RPMS: optional-rpms/cdp/*; optional-rpms/eigrp/*; optional-rpms/telnet/* |

Related resources

Table 7. Related resources

| Resource | Description |
| --- | --- |
| Cisco feature finder | Assists in locating features introduced across Cisco IOS XR releases and platforms. |
| Smart licensing | Provides information about Smart Licensing Using Policy solutions and their deployment on IOS XR routers. |
| Cisco NCS 5500 documentation | Provides CDC documentation for Cisco NCS 5500 series routers. |
| Transceiver Module Group (TMG) compatibility matrix | Allows searching by product family, product ID, data rate, reach, cable type, or form factor to determine the transceivers that Cisco hardware device supports. |
| Cisco IOS XR Error messages | Allows searching by release number, error strings, or comparing release numbers to view a detailed repository of error messages and descriptions. |
| Cisco IOS XR MIBs | Allows selecting the MIB of your choice from a drop-down to explore an extensive repository of MIB information. |
| Yang data models in GitHub | Provides yang data models introduced and enhanced in every IOS XR release. |
| Recommended release | Provides a general guide in case of upgrading IOS XR routers or new deployments that involve IOS XR routers. |


 

Legal information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2025 Cisco Systems, Inc. All rights reserved.

 
