New Features in and Important Notes About Cisco ASR 1000 Series Aggregation Services Routers Release 3.10S

This chapter provides information about the new features introduced in Cisco ASR 1000 Series Aggregation Services Routers Release 3.10S. In addition, important notes about this release are also included.

This chapter contains the following sections:

New and Changed Information

The following sections list the new hardware and software features that are supported by the Cisco ASR 1000 Series Routers for Cisco IOS XE Release 3.10S:

Note: MLPPP Broadband functionality is not supported in release 3.10.1. It is recommended to use the feature with release 3.10.0.


New Software Features in Cisco ASR 1000 Series Aggregation Services Routers Release 3.10.2S

WCCP with generic GRE Support

WCCP is extended to support the generic GRE return method on Cisco IOS devices. Since GRE negotiated return is not supported on the Cisco WAAS AppNav I/O module, customers need to use generic GRE tunnels (multipoint GRE) on the devices. That is, an mGRE tunnel needs to be configured manually on the device if the Cisco WAAS AppNav is configured with the GRE return method.

Note: A generic GRE tunnel does not work with a loopback source address. Since the highest numbered loopback is reserved for WCCP, customers need to use the second highest loopback address.


Dropping TCP Packets During Router Reboot Process in AppNav Controller Group Scenario

For AppNav Controller Group (ACG) scenarios, a new CLI (service-insertion acg-reload-delay) provides a time delay before enabling WAN traffic for a router that has just rebooted. During the delay, the router drops all TCP packets passing through the WAN interface. This enables the router to synchronize flows before traffic is enabled, preventing unintended resetting of connections.

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/partner/docs/routers/access/4400/appnav/csr-asr/apnavcsr.html

New Hardware in Cisco ASR 1000 Series Aggregation Services Routers Release 3.10.0S

The following new hardware is introduced in Cisco ASR 1000 Series Aggregation Services Routers Release 3.10.0S.

Cisco ASR 1000 Series Fixed Ethernet Line Card

The Cisco ASR 1000 Series Fixed Ethernet Line Card (ASR1000-2T+20X1GE) is a fixed-port Ethernet line card for the Cisco ASR 1000 Series Aggregation Services Routers. The line card is capable of 40-Gbps full-duplex traffic forwarding using a fixed-port interface design. This line card has 20 1GigE ports and two 10GigE ports. The small form-factor pluggables (SFP and XFP modules) allow the line card to be configured for different media types (copper or fiber) and different optical requirements (single-mode fiber or multimode fiber), as available.

New Software Features in Cisco ASR 1000 Series Aggregation Services Routers Release 3.10.0S

The following are the new software features introduced in Cisco ASR 1000 Series Aggregation Services Routers Release 3.10.0S.

1-port OC-192c/STM-64 POS/RPR Shared Port Adapter, XFP Optics

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/ASRspasw.html

Add support for more than 32 FNF fields

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/xe-3s/asr1000/fnf-fnetflow.html

Aliases

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/AVC/configuration/xe-3s/asr1000/AVC-fld-alias.html

ASR1000 - 16k policy map scaling

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/asr1000/qos-apply.html

ASR-1000 Minimal Disruptive Restart (MDR) Phase 2 - POS SPA MDR

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/issu.html

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/ASRspasw.html

ASR1000: 40G Native Ethernet Line card

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/fixed_ethernet_linecard/ASRfelcconf_guide.html

ASR1000-ESP200

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/routers/asr1000/install/guide/asr1routers/asr1ESP3.html

ATM support on SPA-24CHT1-CE-ATM on ASR1000

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/ASRspasw.html

Auto-IP

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_ipv4/configuration/xe-3s/ipv4-xe-3s-book_chapter_011.html

BGP - L3VPN iBGP pe-ce (RFC 6368)

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/L3VPN_iBGP_PE-CE.html

BGP NSR Support for MPLS VPNv4 and VPNv6 Inter AS Option B

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-bgp-nsr-inter-as-option-b.html

Bidirectional MPLS-TP LSP

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_basic/configuration/xe-3s/mp-basic-xe-3s-book.html

Bowflex - NHRP snmp restructuring

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-nhrp-mib.html

Bulk-logging and port block allocation

For detailed information, see the following Cisco document:

http://cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-bpa.html

Cisco 8-Port Channelized T1/E1 Shared Port Adapter (SPA-8XCHT1/E1-V2)

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/ASRspasw.html

Configurable RTP port range per IP Address for RTP session connectivity

For ASR boxes, the RTP port range has been increased to a range of 8000 to 48200 to scale high call volumes. This port range allows up to 10000 calls on a single interface.

CUBE Inter-Cluster Look up Service (ILS)

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_interop/configuration/xe-3s/voi-cube-ils-service.html

CUBE Serviceability for event logging and debug classification

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_mgmt/configuration/xe-3s/asr1000/voi-cube-service-evntlog-debugclass.html

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_mgmt/configuration/xe-3s/voi-cube-service-evntlog-debugclass.html

CUCM Lineside support

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_interop/configuration/xe-3s/voi-cucm-lineside.html

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_interop/configuration/xe-3s/asr1000/voi-cucm-lineside.html

Debuggability enhancement in IOS-XE Zone Based Firewall (Phase-II)

The Debuggability Enhancement Zone-Based Firewall provides the following functionalities:

  • Severity levels for debug logs. For more information see the Firewall High-Speed Logging module at:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-zone-pol-fw.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-zone-pol-fw.html

  • Conditional Debugging: Prior to the introduction of this feature, when firewall debug is enabled, debug messages are logged for all traffic passing through the firewall. To enable conditional debugging of a single flow of traffic, the following debug command was added: debug platform condition
  • The following commands are also introduced in Cisco IOS XE Release 3.10S:

      • show policy-firewall config platform
      • show policy-firewall sessions platform
      • show policy-firewall stats platform

DHCP-SIP and Walkby Integration

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/isg/configuration/xe-3s/isg-wlkby-supp.html

Disabling Flow Cache Entries in NAT and NAT64

For detailed information, see the following Cisco document:

http://cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/iadnat-disable-flow-ent.html

http://cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-disable-flow-ent.html

Easy Performance monitor

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/AVC/configuration/xe-3s/asr1000/AVC-ezpm.html

Ethernet over GRE Tunnels

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/interface/configuration/xe-3s/ir-eogre.html

EVC On Port-channel

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/EVCs_on_portchannel.html

eiBGP multipath for non VRF interfaces (IPv4/IPv6)

For detailed information, see the following Cisco document:

www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-eibgp-multipath-for-nonvrf-interfaces.html

EIGRP Over the Top

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/configuration/15-s/ire-eigrp-over-the-top.html

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-eigrp-over-the-top.html

FlexVPN Mixed Mode support

The FlexVPN Mixed Mode feature provides support for carrying IPv4 traffic over IPsec IPv6 transport. This is the first phase towards providing dual stack support on the IPsec stack. This implementation does not support using a single IPsec security association (SA) pair for both IPv4 and IPv6 traffic.

This feature is only supported for Remote Access VPN with IKEv2 and Dynamic VTI.

GETVPN CRL Checking

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-crl-checking.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/asr1000/sec-get-vpn-crl-checking.html

GETVPN Resiliency - GM Error Detection

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/asr1000/sec-get-vpn-resiliency-gm-error-detection.html

GETVPN support with SuiteB

GETVPN support with SuiteB is supported only on the ESP100, ESP200, and ASR1002-x platforms. When the show crypto gdoi ks member command is executed, it shows 1.0.7 on platforms that do not support SuiteB and 1.0.8 on platforms that support SuiteB.

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-suiteb.html

GTPv2 support in iWAG - Intelligent Wireless Access Gateway on ASR1K

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/iwag_asr1k.html#wp1092054

IKE Profile based tunnel selection

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-ipsec-virt-tunnl.html

IKEv1 SHA-2 support

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn.html

IOS BGP - BGP C-Route Full SM Support

The IOS BGP - BGP C-Route Full SM Support feature introduces a new CLI command, mvpn single-forwarder-selection highest-ip-address, which configures the BGP MVPN UMH to be chosen by highest IP address.

For detailed information, see the following Cisco documents:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_mvpn/configuration/xe-3s/imc_bgp_croute.html

IOS-XE GTP TEID based ECMP

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipswitch_cef/configuration/xe-3s/asr1000/isw-cef-load-balancing.html#GUID-8BDF5B19-7AA9-461D-9863-B56784C126D0

IP SLAs - Asymmetric probe support for UDP jitter

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipsla/configuration/xe-3s/sla_udp_jitter.html

IPSec debugability enhancement

The IPSec debugability enhancement feature implements the following:

  • A unique session ID for IPsec and IKE debugs. This session ID is allocated for each active peer and groups the IPsec and IKE debugs.
  • The session ID is displayed in the show crypto session command.
  • Support for crypto IPsec event tracing.
  • Conditional debugging and filtering mechanism for peer sessions.

For more information on these two commands, see the following:

Cisco IOS Security Command Reference: Commands S to Z

IPv6 SNMP MIB support for voice features

The MIB objects relevant to Cisco UBE that have transport-related information such as IPV6 address and type of IP (IPV4 or IPV6) have been verified.

The criteria used for the enhanced MIBs are:

  • The MIB should have voice/video related information.
  • MIB objects should have IP address element in them.

The following MIBs satisfied the above criteria:

  • CISCO-VOICE-DIAL-CONTROL-MIB
  • CISCO-RTTMON-MIB
  • CISCO-RTTMON-IP-EXT-MIB
  • CISCO-SIP-CALLS-MIB
  • CISCO-POP-MGMT-MIB

IPv6 Static Route support for Object Tracking

For detailed information, see the following Cisco document:

iWAG - Intelligent Wireless Access Gateway SSO support for GTP on ASR1K

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/iwag_asr1k.html#wp1099408

iWAG Scale Enhancements

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/iwag_asr1k.html#wp1099408

L2VPN Static to Dynamic PW Interconnection & PW Preferred Path for MPLS-TP Tunnels

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_transport_profile.html

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_basic/configuration/xe-3s/mp-mpls-tp.html#GUID-1A1B84C1-51B6-4A61-9E17-8B14109EDCA7

L3VPN per CE label

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_l3_vpns/configuration/xe-3s/asr1000/mp-vpn-ce-label.html

LI support for IPoE sessions

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-3s/asr1000/sec-lawful-intercept-IPoE.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-3s/sec-lawful-intercept-IPoE.html

Loose Checking Option for TCP Window Scaling in ZBFW

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-loose-check-option-TCP.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-loose-check-option-TCP.html

MPLS Traffic Engineering Non-Stop Routing Support

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_ha/configuration/xe-3s/mp-nsr-supp.html

MPLS VPN over mGRE

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_mplsvpnomgre.html

http://www.cisco.com/en/US/docs/ios-xml/ios/interface/configuration/xe-3s/ir-mpls-vpnomgre-xe.html

MPLS VPN Per CE Label Allocation

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_l3_vpns/configuration/xe-3s/asr1000/mp-vpn-ce-label.html

MPLS-TP OAM: Continuity Check via BFD

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_basic/configuration/xe-3s/mp-mpls-tp.html#GUID-5FAE56DC-1B64-474D-923E-AF54B9D8129D

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_transport_profile.html

MPLS-TP OAM: Fault Management

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_transport_profile.html

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_basic/configuration/xe-3s/mp-mpls-tp.html#GUID-5FAE56DC-1B64-474D-923E-AF54B9D8129D

MPLS-TP OAM: GACH

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_transport_profile.html

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_basic/configuration/xe-3s/mp-mpls-tp.html#GUID-5FAE56DC-1B64-474D-923E-AF54B9D8129D

MPLS-TP OAM: Ping/Trace

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_transport_profile.html

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_basic/configuration/xe-3s/mp-mpls-tp.html#GUID-5FAE56DC-1B64-474D-923E-AF54B9D8129D

MPLS-TP Path Protection

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_transport_profile.html

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_basic/configuration/xe-3s/mp-mpls-tp.html#GUID-4E3C4BA8-0777-4CC3-9CC4-84D5956756E4

MVPN BGP C-Route Full SM Support

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_mvpn/configuration/15-s/imc_vpn_bgp_croute.html

MVPN mLDP Partitioned MDT including wildcard

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_mvpn/configuration/xe-3s/imc_mldp_mdt.html

NAT increase VRF scale to 4k

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/iadnat-addr-consv.html

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-addr-consv.html

Network-based recording of video calls using Cisco UBE

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_proto/configuration/xe-3s/voi-ntwk-based-rec-video-calls.html

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_proto/configuration/15-mt/voi-ntwk-based-rec-video-calls.html

NHRP SNMP Restructuring

The NHRP SNMP Restructuring feature provides hardening support to NHRP MIBs. The snmp mib nhrp command is disabled by default. To enable it, you must explicitly configure it using the snmp mib nhrp command.

The snmp mib nhrp status command displays information about the following:

  • The state of the tree.
  • The enable or disable status of the NHRP MIB.
  • The number of allocation tree nodes.

The debug snmp mib nhrp command enables debugging for NHRP MIBs.

For more information, see the following documents:

No Service Password-Recovery

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-3s/asr1000/sec-usr-cfg-xe-3s-asr-1000-book.html

OSPFv2 Cryptographic Authentication

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-ospfv2-crypto-authen-xe.html

OSPFv2 Multi Area Adjacency

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/asr1000/iro-multi-area-adj-xe.html

OTV Enhancements

The OTV enhancements include:

  • OTV VRF Aware

OTV join interfaces can be part of a VRF. This allows for OTV forwarding of L2 packets via a VRF L3 domain.

  • OTV Sub-interface as join interface

Sub-interfaces can be configured as OTV join interfaces. This allows more flexibility with the L3 side OTV configuration.

  • OTV Port-channel as join interface

Port-channel interfaces can be configured as OTV join interfaces. This allows interface redundancy for L3 side OTV connections.

  • OTV Port-channel as internal interface

Port-channel interfaces can be configured as OTV internal interfaces. This allows interface redundancy for L2 side OTV connections.

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/wan_otv/configuration/xe-3s/wan-otv-confg.html

Per ACE QoS Statistics

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-per-ace.html

Per COS Storm Control for Broadcast/Unknown Unicast/Multicast for EVC ports in ASR1k

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/Storm_Control_ASR1K.html

PKI - New cert attributes

The PKI New Cert Attributes feature provides the following enhancements to Public Key Infrastructure (PKI):

  • NVRAM Exhaustion
  • Fresh Enrollment

NVRAM Exhaustion

Certificates and certificate revocation lists (CRLs) are used by devices when a certificate authority (CA) is used. Certificates and CRLs can be stored in NVRAM or an external database. If an external database is used to store certificates, there is no need to delete the expired certificates. Each certificate and CRL uses a moderate amount of memory. The following are stored in NVRAM:

  • CA certificates and CRLs
  • Certificates issued by CA server to clients

When a client renews its certificate, the new certificate, along with old certificates, is stored in NVRAM. This decreases the NVRAM space. As more certificates are stored, the NVRAM space is exhausted and this brings down the CA server, which then is unable to retrieve certificates. Manual intervention is required to restore space in NVRAM and bring the CA server up again.

To avoid NVRAM space exhaustion and manual intervention to bring up the CA server, a new timer triggers the database cleanup event. The timer starts when the first certificate is issued, and the timer interval is based on the client certificate life time configuration in the CA server. The timer scans the database and removes expired certificates that are not required, thereby preventing the CA server from going down because of NVRAM exhaustion. The timer information is displayed in the output from the show crypto pki timer command. Note that the timer applies only when certificates are stored in NVRAM and the database level is set to “complete.” However, when NVRAM is used to store certificates and the database level is configured with minimum or names, there is no need to delete the expired certificates because the certificates do not consume much space.

The certificates in the CA server can also be deleted by using the no crypto pki server name command. The following warning appears when you configure this command:

Device(config)# no crypto pki server ABC-CA
CA certificate, Keypair, CRL and database files will be deleted. Do you wish to continue? [yes/no]:

If “yes” is entered, all files are removed from the database.

For more information on commands, see the following documents:

Cisco IOS Security Command Reference: Commands A to C

Cisco IOS Security Command Reference: Commands S to Z

Fresh Enrollment

The auto-enroll feature helps the device to renew the router certificate when it expires. Sometimes, the router certificate may not be enrolled if the CA server is not reachable or if the client is shut down. The back off mechanism prevents the device from having an expired certificate by renewing the certificates. The certificates are renewed by continuous contact with the CA server at specific intervals by using the retry count and retry period keywords in the enrollment command.

When a device certificate expires, the back off mechanism does the following:

  • Issues a fresh enrollment request and starts the default back off mechanism or follows the configured retry counts. This step is repeated to obtain a fresh certificate.
  • The enrollment request does not contain expired certificate keys, if the trustpoint is configured with the regenerate command. The regenerate command assigns new keys. To issue an enrollment request with the expired certificate keys, do not specify the regenerate command.

The following example shows how to configure the retry count and period keywords:

Device(config)# no crypto pki server ABC-CA
redundancy
enrollment retry count 10
enrollment retry period 1
enrollment url http://ABC_CA:80
revocation-check crl
auto-enroll 70
hash sha1
end

 

The default retry count is 10. The following table provides information when the enrollment does not happen:

Retry    Timeout
1        1 minute
2        1 minute
3        2 minutes
4        5 minutes
5        10 minutes
6        20 minutes
7        40 minutes
8        60 minutes
9        90 minutes
10       120 minutes

After the default retry count, the enrollment request is deleted. If the certificate expires, the 5-second interval is employed to reach the CA.

For more information on the commands, see the following documents:

Cisco IOS Security Command Reference: Commands D to L

Cisco IOS Security Command Reference: Commands M to R

PMIP: Multipath support on MAG

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/mob_pmipv6/configuration/xe-3s/asr1000/imo-pmipv6-multipath-support.html

http://www.cisco.com/en/US/docs/ios-xml/ios/mob_pmipv6/configuration/xe-3s/imo-pmipv6-multipath-support.html

Pseudowire Group Switchover

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/mp_l2_vpns/configuration/xe-3s/asr903/l2vpn-pw-group-switchover.html

RFC4303 IP Encapsulating Security Payload (ESP) dummy packet for traffic flow confidentiality (TFC)

The RFC 4303 IP Encapsulating Security Payload (ESP) dummy packet for traffic flow confidentiality (TFC) feature provides RFC 4303 support in Cisco software. RFC 4303 describes two methods to hide the characteristics of traffic that is passing through an IPsec flow. The first method involves adding extra padding beyond the allowed maximum of 255 bytes after the payload data when using the Encapsulating Security Payload (ESP) protocol for traffic confidentiality. The second method involves adding extra "dummy" packets to the traffic flow. The generation and transmission of dummy packets is implemented in Cisco software through the RFC4303 IP Encapsulating Security Payload (ESP) dummy packet for traffic flow confidentiality (TFC) feature.

A dummy packet is designated by setting the next header field in the ESP packet to a value of 59. The dummy packets are discarded when the packets are received by the device. The standard ESP header and trailer fields are present in a dummy packet. The payload (plain text) in the dummy packet contains zeros, which become random data after encryption.

You can specify the time interval at which to generate the dummy packets. You can enable generating dummy packets globally using the crypto ipsec security-association dummy command or you can enable dummy packets for a crypto map using the set security-association dummy command. When enabled for a crypto map, dummy packets are enabled for all flows that are created using the crypto map.

For more information on commands, see the following documents:

Cisco IOS Security Command Reference: Commands A to C

Cisco IOS Security Command Reference: Commands S to Z
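The receive-side handling of the two RFC 4303 methods described above, as an added example that is not part of the original Cisco document and is not Cisco's implementation: it takes ESP plaintext that has already been decrypted and integrity-checked, discards dummy packets (next header 59), and strips TFC padding from a tunnel-mode IPv4 packet by trusting the inner header's length. All function names and the sample packet are constructed for illustration, and the padding check assumes the RFC 4303 default padding bytes 1, 2, 3, ...

```python
import struct
from dataclasses import dataclass

NEXT_HEADER_IPV4 = 4    # tunnel mode: the payload is an inner IPv4 packet
NEXT_HEADER_NONE = 59   # "no next header": marks an ESP dummy packet


class ESPFormatError(ValueError):
    """The decrypted ESP plaintext is malformed."""


@dataclass
class ESPResult:
    action: str        # "discard-dummy" or "deliver"
    next_header: int
    payload: bytes     # inner packet with ESP and TFC padding removed
    tfc_padding: int   # number of TFC padding bytes stripped


def build_plaintext(payload: bytes, next_header: int,
                    block: int = 16, tfc: int = 0) -> bytes:
    """Sender side: payload | TFC padding | padding | pad length | next header."""
    body = payload + bytes(tfc)               # TFC padding is extra bytes after the payload
    pad_len = (-(len(body) + 2)) % block      # align the plaintext to the cipher block size
    padding = bytes(range(1, pad_len + 1))    # default padding content: 1, 2, 3, ...
    return body + padding + bytes([pad_len, next_header])


def build_dummy(size: int, block: int = 16) -> bytes:
    """Dummy packet: zero-filled payload, next header 59."""
    return build_plaintext(bytes(size), NEXT_HEADER_NONE, block)


def classify(plaintext: bytes) -> ESPResult:
    """Receiver side: decide what to do with one decrypted ESP plaintext."""
    if len(plaintext) < 2:
        raise ESPFormatError("too short to hold the ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]

    # Dummy packets are dropped silently; their payload is never interpreted.
    if next_header == NEXT_HEADER_NONE:
        return ESPResult("discard-dummy", next_header, b"", 0)

    if pad_len > len(plaintext) - 2:
        raise ESPFormatError("pad length exceeds packet size")
    body_end = len(plaintext) - 2 - pad_len
    if plaintext[body_end:-2] != bytes(range(1, pad_len + 1)):
        raise ESPFormatError("padding bytes are not 1, 2, 3, ...")
    body = plaintext[:body_end]

    if next_header == NEXT_HEADER_IPV4:
        # TFC padding carries no length field of its own: the inner IPv4
        # Total Length says where the real packet ends.
        if len(body) < 20 or body[0] >> 4 != 4:
            raise ESPFormatError("inner packet is not IPv4")
        total_len = struct.unpack("!H", body[2:4])[0]
        if total_len < 20 or total_len > len(body):
            raise ESPFormatError("inner IPv4 length is inconsistent")
        return ESPResult("deliver", next_header, body[:total_len],
                         len(body) - total_len)

    # Other protocols: deliver as-is (no TFC handling in this example).
    return ESPResult("deliver", next_header, body, 0)


def sample_ipv4(data_len: int) -> bytes:
    """Constructed inner IPv4/UDP-protocol packet (checksum left at 0, not validated here)."""
    total_len = 20 + data_len
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + bytes([0xAB]) * data_len


def demo() -> list:
    """Run a real packet with 100 bytes of TFC padding and one dummy packet."""
    inner = sample_ipv4(8)
    results = [classify(build_plaintext(inner, NEXT_HEADER_IPV4, tfc=100)),
               classify(build_dummy(64))]
    return [(r.action, len(r.payload), r.tfc_padding) for r in results]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On the wire both plaintexts are block-aligned ciphertext of similar shape, which is the point of TFC: an observer cannot tell the padded 28-byte packet or the dummy from ordinary traffic by length or presence alone.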

Secure CDP

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/cdp/configuration/xe-3s/asr1000/nm-cdp-secure.html

Secure Shell-Configuring User Authentication Methods

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-3s/asr1000/sec-ssh-config-auth.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-3s/sec-ssh-config-auth.html

SPA-4XOC3-POS-V2 support on ASR-1000

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/ASRspasw.html

Support for dynamic payload type interworking for DTMF and codec packets for SIP to SIP calls

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_proto/configuration/xe-3s/voi-negt-aud-code.html

TDOS Attack prevention on CUBE

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_proto/configuration/xe-3s/voi-cube-tdos-attack-mitigation.html

TrustSec SGT Handling: L2 SGT imposition and forwarding

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/cts-sgt-handling-imp-fwd.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/cts-sgt-handling-imp-fwd.html

UC GW Services - media forking service

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_proto/configuration/xe-3s/voi-cube-uc-gateway-services.html

VASI (VRF Aware Software Infrastructure) 2000 pairs scale

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/conf-vasi.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/conf-vasi.html

VP/VC Shaping for PPPoEoA/PPPoA

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/qos_plcshp/configuration/xe-3s/asr1000/qos-plcshp-xe-3s-asr-1000-book.html

VRF-Aware IPv6 Rapid Deployment Tunnel

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/interface/configuration/xe-3s/ip6-6rd-vrf-tunnels-xe.html

VRRP aware PIM

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/xe-3s/imc_vrrp_aware.html

VRRPv3: Object Tracking Integration

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/asr1000/fhrp-vrrpv3-obj-trk.html

WCCPv2 - IPv6 Support

For detailed information, see the following Cisco document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/xe-3s/asr1000/iap-xe-3s-asr1000-book.html

Important Notes

The following sections contain important notes about Cisco ASR 1000 Series Aggregation Services Routers Release 3.10S.

End-of-Sale and End-of-Life of the Cisco Traditional NetFlow Feature

Cisco announces the end-of-sale and end-of-life of the Cisco Traditional NetFlow (TNF) Feature on the Cisco ASR1000 platform. Cisco will not have any future development, CLI support, TAC support, and documentation pertaining to the Cisco TNF feature beyond Cisco IOS XE Software Release 3.10.

Customers with the Cisco TNF feature on the Cisco ASR1000 platform are encouraged to migrate to the Cisco Flexible NetFlow (FNF) feature on the Cisco ASR1000 platform.

For details on transition to Cisco FNF, see the Migrating from Traditional to Flexible NetFlow white paper:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/white_paper_c11-545581.html

Deferrals

Cisco IOS software images are subject to deferral. We recommend that you view the deferral notices at the following location to determine whether your software release is affected:

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Field Notices and Bulletins

  • Field Notices—We recommend that you view the field notices for Release 3.9S to determine whether your software or hardware platforms are affected. You can find the field notices at the following location:

http://www.cisco.com/en/US/support/tsd_products_field_notice_summary.html

  • Bulletins—You can find bulletins at the following location:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/prod_literature.html

Important Notes About Cisco ASR 1000 Series Aggregation Services Routers Release 3.10S

There are no important notes specific to Cisco ASR 1000 Series Aggregation Services Routers Release 3.10S.