Table Of Contents

Release Notes for the Cisco 10000 Series Router for Cisco IOS Release 12.3(7)XI1

Contents

System Requirements

Route Processor Redundancy Mode

Before You Upgrade the Cisco IOS Software

Upgrading to a New Software Release

New Features—Cisco IOS Release 12.3(7)XI1

3-Color Policer

3-Level Hierarchical QoS Policies

BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN

Extended NAS-Port-Type and NAS-Port Support

NAS-Port-Type (RADIUS Attribute 61)

NAS-Port (RADIUS Attribute 5)

NAS-Port-ID (RADIUS Attribute 87)

Half-Duplex VRF

Hierarchical Shaping

IEEE 802.1Q-in-Q VLAN Tag Termination

Interface Oversubscription

IP Receive ACLs

IP Unnumbered on VLAN

Lawful Intercept

Local AAA Server, User Database—Domain to VRF

MIB Enhancements

MPLS QoS

MPLS Traffic Engineering—DiffServ Aware

Multirouter APS

Percent-Based Policing

Per DSCP WRED

Per Precedence WRED Statistics

RADIUS Packet of Disconnect

Scaling Enhancements

FIB Scaling

Policy-Map Scaling

Queue Scaling

Strict Priority Queuing

Time-Based ACLs

VBR-nrt Oversubscription

VC Weighting

WRED with Queue Limit

Limitations and Restrictions

3-Level Hierarchical QoS Policies

BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN

Controlling the Rate of Logging Messages

Frame Relay

Half-Duplex VRF

Hierarchical Shaping

IEEE 802.1Q-in-Q VLAN Tag Termination

IP Receive ACLs

IP Unnumbered on VLAN

MPLS QoS

MPLS Traffic Engineering—Diffserv Aware

Multirouter Automatic Protection Switching

Per Domain VRF With Local Templates

Per DSCP WRED

Per Precedence WRED Statistics

PRE Network Management Ethernet Port

RADIUS Packet of Disconnect

Strict Priority Queuing

Testing Performance of High-Speed Interfaces

Time-Based ACLs

Variable Bit Rate Non-Real Time Oversubscription

WRED with Queue Limit

Important Notes

Configuring the aaa new-model Command

Provisioning for Scaling

PPPoA Sessions with IP QoS Static Routes

AAA Authentication on the NME Port

Call Admission Control

Enhancing Scalability of Per-User Configurations

Setting VRF and IP Unnumbered Interface Configurations in User Profiles

Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template

Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs

Inserting a New Line Card

Multilink PPP

Open Caveats—Cisco IOS Release 12.3(7)XI1

Resolved Caveats—Cisco IOS Release 12.3(7)XI1

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information


Release Notes for the Cisco 10000 Series Router for Cisco IOS Release 12.3(7)XI1


First Published: August 2, 2004
Revised: September 7, 2006

These release notes provide information about Cisco IOS Release 12.3(7)XI1, which provides broadband aggregation and leased-line features for the Cisco 10000 series router.

These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode and related documents.

Cisco IOS Release 12.3(7)XI1 is based on the following releases:

Cisco IOS Release 12.2(16)BX

Cisco IOS Release 12.3T

To review the release notes for Cisco IOS Release 12.2(16)BX, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/10krn/122bx/index.htm

To review the release notes for Cisco IOS Release 12.3, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm

Contents

This document contains the following sections:

System Requirements

New Features—Cisco IOS Release 12.3(7)XI1

Limitations and Restrictions

Important Notes

Open Caveats—Cisco IOS Release 12.3(7)XI1

Resolved Caveats—Cisco IOS Release 12.3(7)XI1

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

System Requirements

Cisco IOS Release 12.3(7)XI1 requires that you have the performance routing engine (PRE), Part Number ESR-PRE2 installed in the Cisco 10000 series router chassis. To verify which PRE is installed in the router, use the show version command.

Route Processor Redundancy Mode

The Cisco 10000 series router supports route processor redundancy (RPR) mode or RPR+ mode to provide fault resistance and to ensure high availability. In RPR mode, one supervisor engine is active and operational while the second supervisor engine is in standby mode waiting for the active supervisor to fail so that it can take over and maintain the operation of the router. In RPR+ mode, the standby supervisor engine is fully initialized and configured, which shortens the time needed to switch over to the standby supervisor.

When upgrading or downgrading the Cisco IOS software, the RPR mode used on the Cisco 10000 series router depends upon the Cisco IOS software currently running on the Cisco 10000 series router and the Cisco IOS software to which you want to upgrade or downgrade.

Table 1 lists the RPR modes used when upgrading or downgrading Cisco IOS software. For example, when upgrading to Cisco IOS Release 12.3(7)XI1 from Release 12.2(16)BX, the router uses RPR mode instead of RPR+ mode. When downgrading to Cisco IOS Release 12.2(16)BX from Release 12.3(7)XI1, the router uses RPR mode.

Table 1 RPR Modes for Cisco IOS Software Releases

Releases      12.2(16)BX    12.3(7)XI1
12.2(16)BX    RPR+          RPR
12.3(7)XI1    RPR           RPR+

Before You Upgrade the Cisco IOS Software

Before you upgrade (or downgrade) the Cisco IOS software running on the Cisco 10000 series router, save the running configuration file. In RPR mode, the router synchronizes only the startup configuration.

Upgrading to a New Software Release

For specific information about upgrading your Cisco 10000 series router to a new software release, refer to the Cisco 10000 Series Router Software Configuration Guide.

For general information about upgrading to a new software release, refer to the product bulletin Cisco IOS Upgrade Ordering Instructions.

For additional information about ordering Cisco IOS software, refer to the Cisco IOS Software Releases.

New Features—Cisco IOS Release 12.3(7)XI1

The following new features and improvements are supported on the Cisco 10000 series router in Cisco IOS Release 12.3(7)XI1. While some of the following features are supported on other releases on the Cisco 10000 series router, these features are newly supported in Cisco IOS Release 12.3(7)XI1:

3-Color Policer

3-Level Hierarchical QoS Policies

BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN

Extended NAS-Port-Type and NAS-Port Support

Half-Duplex VRF

Hierarchical Shaping

IEEE 802.1Q-in-Q VLAN Tag Termination

Interface Oversubscription

IP Receive ACLs

IP Unnumbered on VLAN

Lawful Intercept

Local AAA Server, User Database—Domain to VRF

MIB Enhancements

MPLS QoS

MPLS Traffic Engineering—DiffServ Aware

Multirouter APS

Percent-Based Policing

Per DSCP WRED

Per Precedence WRED Statistics

RADIUS Packet of Disconnect

Scaling Enhancements

Strict Priority Queuing

Time-Based ACLs

VBR-nrt Oversubscription

VC Weighting

WRED with Queue Limit

For more information about the new features in Cisco IOS Release 12.3(7)XI1, refer to the following documentation:

Cisco 10000 Series Broadband Aggregation and Leased-Line Configuration Guide

Cisco 10000 Series Router Feature Map

For information about new features supported on the Cisco 10000 series router in other releases, see the appropriate Release Notes at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/10krn/index.htm

3-Color Policer

The 3-color policer feature provides a single-rate, 3-color marker. A 2-color marker, as supported in earlier releases, meters a traffic stream and classifies it into two groups (or colors): the traffic conforming to the specified committed information rate (CIR) and the burst parameters, and the traffic exceeding either the CIR or the burst parameters. A 3-color marker classifies the metered traffic into three groups, adding an additional color for the nonconforming traffic.

The 3-color marker distinguishes between the nonconforming traffic that occasionally bursts a certain number of bytes more than the CIR allowance and the traffic that continually violates the CIR allowance. A 3-color marker meets the requirements of applications that require three service levels: guaranteed, best effort, and deny. A three-color policer enables the Cisco 10000 series router to comply with RFC 2597.
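The distinction between occasional bursts and continual violation can be seen by running a single-rate, three-color meter over constructed traffic. This is an added example, not Cisco code: it models the standard two-token-bucket meter in color-blind mode, and the rate, burst sizes, packet traces and the conform/exceed/violate labels are assumptions chosen for illustration.

```python
"""Single-rate, three-color meter: two token buckets fed at one rate (CIR)."""


class ThreeColorMeter:
    def __init__(self, cir_kbps, cbs_bytes, ebs_bytes):
        self.cir_kbps = cir_kbps      # kbit/s * ms = bits, so all math stays integer
        self.cbs = cbs_bytes * 8      # committed burst size, in bits
        self.ebs = ebs_bytes * 8      # excess burst size, in bits
        self.tc = self.cbs            # both buckets start full
        self.te = self.ebs
        self.last_ms = 0

    def refill(self, now_ms):
        tokens = (now_ms - self.last_ms) * self.cir_kbps
        self.last_ms = now_ms
        to_c = min(tokens, self.cbs - self.tc)             # committed bucket fills first
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)   # overflow spills into excess

    def color(self, now_ms, size_bytes):
        self.refill(now_ms)
        need = size_bytes * 8
        if self.tc >= need:           # within CIR and committed burst
            self.tc -= need
            return "conform"
        if self.te >= need:           # occasional burst beyond the CIR allowance
            self.te -= need
            return "exceed"
        return "violate"              # both buckets empty: sustained overload


def classify(packets, meter):
    """Count colors for a list of (arrival_ms, size_bytes) tuples in time order."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for now_ms, size in packets:
        counts[meter.color(now_ms, size)] += 1
    return counts


def new_meter():
    # Constructed parameters: CIR 8 Mbps (1000 bytes per ms), CBS 3000 B, EBS 6000 B.
    return ThreeColorMeter(cir_kbps=8000, cbs_bytes=3000, ebs_bytes=6000)


# Constructed traces of 1000-byte packets.
STEADY = [(t, 1000) for t in range(40)]                             # exactly at CIR
BURSTY = [(t, 1000) for t in (0, 100) for _ in range(8)]            # two 8-packet bursts
OVERLOAD = [(t, 1000) for t in range(20) for _ in range(2)]         # twice the CIR

if __name__ == "__main__":
    for name, trace in (("steady", STEADY), ("bursty", BURSTY), ("overload", OVERLOAD)):
        print(name, classify(trace, new_meter()))
```

The bursty trace never reaches the third color because the idle gap refills both buckets, while the overload trace drains the excess bucket after a few milliseconds and then alternates between conform and violate.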

3-Level Hierarchical QoS Policies

The 3-Level Hierarchical QoS Policies feature enables you to apply a service policy inside a policy map to define hierarchical policies. This feature increases the hierarchical levels of a nested QoS policy from two to three levels.

A hierarchical policy extends QoS by enabling you to combine one or more classes and applying specific actions on the aggregate traffic as well as executing class-specific actions. For example, a hierarchical policy can define a minimum bandwidth for two classes and specify a combined maximum bandwidth for the two classes. Similarly, a 3-level policy can define a minimum bandwidth for each type of traffic on a virtual circuit and a maximum bandwidth for the virtual circuit's total traffic. A 3-level hierarchical policy can also selectively police a subclass of each guaranteed class and place a maximum transmission limit on the aggregate traffic.

A 3-level policy is typically used to define the transmission capacity of a virtual circuit in the top level, class-based queuing at the middle level, and marking or metering in the bottom level.

BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN

The BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN feature allows you to configure multipath load balancing with both external Border Gateway Protocol (eBGP) and internal BGP (iBGP) paths in BGP networks that are configured to use Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). BGP Multipath Load Sharing provides improved load-balancing deployment and service offering capabilities and is useful for multihomed autonomous systems and provider edge (PE) routers that import both eBGP and iBGP paths from multihomed and stub networks.

Extended NAS-Port-Type and NAS-Port Support

Cisco support for NAS-Port-Type (RADIUS attribute 61), NAS-Port (RADIUS attribute 5), and NAS-Port-ID (RADIUS attribute 87) has been changed as discussed in the following sections.

NAS-Port-Type (RADIUS Attribute 61)

Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific Authentication, Authorization, and Accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. The Internet Engineering Task Force (IETF) RADIUS attributes that are currently supported include attribute 61, NAS-Port-Type. NAS-Port-Type indicates the type of physical port the network access server (NAS) is using to authenticate the user.

However, there was no method to identify NAS-Port-Type based on a specific broadband service type, because the RADIUS RFC does not support extended types that define these types of ports. All PPPoA, PPPoEoE, and PPPoEoA sessions were identified as VIRTUAL, and all PPPoEoVLAN and PPPoEoQinQ sessions as ETHERNET.

The Extended NAS-Port-Type Attribute Support feature expands NAS-Port-Type, attribute 61, in order that the client can better identify what type of service is taking place on the different types of ports.

NAS-Port (RADIUS Attribute 5)

The NAS-Port (RADIUS attribute 5) is a 32-bit value that uniquely represents the physical or logical port the user is attempting to authenticate on. A logical port can be represented by the virtual path identifier (VPI) and virtual channel identifier (VCI) for an ATM interface, or by the VLAN ID or Q-in-Q ID for an Ethernet interface.

Because each platform and service may have different port information that is relevant to its environment, there is no single way to populate this attribute. Currently Cisco has 4 hard-wired formats (a-d), which are service specific, and 1 configurable format (e), which can be tailored to customer and platform-specific needs.

Previously format e only allowed customizing 1 global format for all call types on a device, which limited its usefulness on devices that contained multiple services. With the extended NAS-port support, you can now configure a custom format e string for any and all service types based on the value of the NAS-Port-Type (RADIUS attribute 61). That is, when building the RADIUS Access or Accounting request, the encoding routine will pick the specific format e string defined for the session's NAS-Port-Type value and use that first instead of using the default global format e string.
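The selection rule described above (per-type format first, global format as fallback) and the packing of port details into 32 bits can be sketched as follows. This is an added example, not Cisco code: it assumes a format string of 32 characters in which each character names the field that supplies that bit, and the field letters, format strings and session values are hypothetical placeholders rather than Cisco's letter assignments.

```python
"""Pack a 32-bit NAS-Port value from a per-bit format string (illustrative model)."""

# Hypothetical field letters for this example only:
# S = slot, P = port, I = VPI, C = VCI, V = VLAN ID, Q = outer Q-in-Q tag.
GLOBAL_FORMAT = "SSSS" + "PPPP" + "0" * 24
PER_TYPE_FORMATS = {
    "PPPoA": "SSSS" + "PPPP" + "I" * 8 + "C" * 16,
    "PPPoEoVLAN": "SSSS" + "PPPP" + "0" * 12 + "V" * 12,
    "PPPoEoQinQ": "SSSS" + "PPPP" + "Q" * 12 + "V" * 12,
}


def pick_format(nas_port_type, per_type=PER_TYPE_FORMATS, global_format=GLOBAL_FORMAT):
    """Use the format defined for this NAS-Port-Type, else the global default."""
    return per_type.get(nas_port_type, global_format)


def encode_nas_port(fmt, fields):
    """Build the 32-bit value, most significant bit first.

    '0' and '1' are literal bits; any other character takes the next bit of
    the named field. A field that does not fit in its allotted bits raises
    ValueError (a choice made in this example) so that two different ports
    can never silently share one NAS-Port value.
    """
    if len(fmt) != 32:
        raise ValueError("format must describe exactly 32 bits")
    widths = {}
    for ch in fmt:
        if ch not in "01":
            widths[ch] = widths.get(ch, 0) + 1
    for letter, width in widths.items():
        if letter not in fields:
            raise KeyError(f"session has no value for field {letter!r}")
        if not 0 <= fields[letter] < (1 << width):
            raise ValueError(f"field {letter!r}={fields[letter]} needs more than {width} bits")
    remaining = dict(widths)
    value = 0
    for ch in fmt:
        if ch in "01":
            bit = int(ch)
        else:
            remaining[ch] -= 1                       # walk the field from its top bit down
            bit = (fields[ch] >> remaining[ch]) & 1
        value = (value << 1) | bit
    return value


def nas_port_for(nas_port_type, fields):
    return encode_nas_port(pick_format(nas_port_type), fields)


if __name__ == "__main__":
    # Constructed sessions on slot 5, port 2.
    print(hex(nas_port_for("PPPoA", {"S": 5, "P": 2, "I": 1, "C": 32})))
    print(hex(nas_port_for("PPPoEoQinQ", {"S": 5, "P": 2, "Q": 100, "V": 200})))
    print(hex(nas_port_for("PPPoEoE", {"S": 5, "P": 2})))   # no per-type format: global
```

When accounting records are used to attribute a session to a subscriber line, the bit widths in each format decide whether two circuits can collide on the same NAS-Port value.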

NAS-Port-ID (RADIUS Attribute 87)

The NAS-Port-ID (RADIUS attribute 87) contains the character text string identifier of the NAS port that is authenticating the user. This text string typically matches the interface description found under the CLI configuration. This attribute was previously available under the Cisco vendor-specific attribute (VSA) "cisco-nas-port", but it is now sent by default under IETF attribute 87 as per customer demand.

Half-Duplex VRF

The Half-Duplex VRF (HDVRF) feature provides scalable hub and spoke connectivity for subscribers of a multiprotocol label switching-based virtual private network (MPLS VPN) service. These subscribers connect to the provider edge (PE) router of the wholesale service provider, and they use the same or different services (for example, the same or different VRFs). The HDVRF feature prevents local connectivity between subscribers at the spoke PE router and ensures that a hub site provides subscriber connectivity. Any sites that connect to the same PE router must forward intersite traffic using the hub site. This ensures that the routing done at the spoke site is always access side interface to network side interface, or network side interface to access side interface, and never access side to access side.

Hierarchical Shaping

The Hierarchical Shaping feature provides two levels of shaping—per VC ATM level shaping and per VC packet level shaping—and provides per-VC and per-VP traffic shaping to control or modify the flow of traffic on an interface. Traffic shaping limits throughput by buffering excess traffic instead of dropping packets. The shaping function also ensures that traffic from one VC does not adversely impact another VC, resulting in loss of data.

The Cisco 10000 series router supports the Hierarchical Shaping feature for the following ATM line cards:

OC-12

4-port OC-3

8-port DS3/E3

IEEE 802.1Q-in-Q VLAN Tag Termination

For the emerging broadband Ethernet-based DSLAM market, the Cisco 10000 series router supports Q-in-Q encapsulation. With an Ethernet-based DSLAM model, customers typically get their own VLAN and all these VLANs are aggregated on a DSLAM.

VLAN aggregation on a DSLAM results in a lot of aggregate VLANs that at some point need to be terminated on the broadband remote access servers (BRAS). Although the model could connect the DSLAMs directly to the BRAS, a more common model uses the existing Ethernet-switched network where each DSLAM VLAN ID is tagged with a second tag (QinQ) as it connects into the Ethernet-switched network.

The only model that is supported is PPPoE over Q-in-Q (PPPoEoQinQ). This can be either a PPP terminated session or an L2TP LAC session. No IP over Q-in-Q is supported.

The Cisco 10000 series router already supports plain PPPoE and PPP over 802.1Q encapsulation; support for PPP over Q-in-Q encapsulation is new. PPP over Q-in-Q encapsulation processing is an extension to 802.1q encapsulation processing.

Interface Oversubscription

The interface oversubscription feature offers providers the choice to improve network utilization of otherwise underutilized shared networks by leveraging statistical multiplexing on Frame Relay and IEEE 802.1Q networks.

IP Receive ACLs

The IP Receive ACLs feature provides basic filtering capability for traffic that is destined for the router and protects the router from remote intrusions.

To restrict access to the router, you apply a numbered ACL to the ingress interface of the router. You can restrict access to the router to known and trusted sources, and to expected traffic profiles. The IP Receive ACLs feature supports both standard and extended ACLs. The rules for numbered ACLs also apply to the access control entries (ACEs) of the IP receive ACL.

The IP receive ACL filters traffic on the parallel express forwarding engine (PXF) before filtering the packets received by the route processor (RP). This feature protects the router from denial of service (DoS) floods, thereby preventing the flood from degrading the performance of the route processor (RP).

IP Unnumbered on VLAN

The IP Unnumbered on VLAN feature helps to conserve IP address space for service provider configurations that include Ethernet VLAN subinterfaces.

Prior to Cisco IOS Release 12.3(7)XI1, IP support for VLAN subinterfaces required that you configure separate IP subnets for each of the subinterfaces that terminate the VLAN. This resulted in inefficient use of the IP address space because an entire IP subnet is often not needed for the hosts assigned to a VLAN. The IP Unnumbered on VLANs feature helps to conserve IP address space for service provider configurations that include Ethernet VLAN subinterfaces.

VLAN subinterfaces with IP unnumbered configured support DHCP for IP address allocation. The DHCP server uses the information in DHCP Option 82 to assign IP addresses to the hosts on a VLAN. The routing table is dynamically updated to insert an IP route for the IP address assigned on each of the subinterfaces. These IP host routes exist until the DHCP lease time expires or the host releases the leased address.

Lawful Intercept

Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual as authorized by a court order. To assist in the surveillance, the service provider intercepts the target's traffic as it passes through one of their routers, and sends a copy of the intercepted traffic to a third party mediation device (also in the service provider network). This third party mediation device formats and delivers the data to the LEA without the target's knowledge. The Lawful Intercept feature is available in the c10k2-k9p11u2-mz image.

Local AAA Server, User Database—Domain to VRF

The Local AAA Server, User Database—Domain to VRF feature extends the Cisco IOS AAA Authorization to local AAA profiles on the router without using an AAA Server. The local user database acts as a local AAA server, and is fully compatible with any external AAA Server. If you want to maintain your user database locally or provide a failover local mechanism, you no longer have to sacrifice policy options when defining local users.

This flexibility allows you to provide complete user authentication and authorization locally within Cisco IOS without using an AAA Server, provided the local username list is relatively small. While authentication can be done on the router for a limited number of user names, it might make more sense and be much more scalable to use an AAA Server. Note that accounting is still done on an AAA server and is not supported on the router.

The key function this feature provides is a mapping of user domain names to local AAA profiles. This allows AAA attributes to be applied to the PPP session as part of the PPP session establishment. These local AAA attributes are RADIUS attributes that would normally be defined on a RADIUS server but are now defined locally on the router.

Subscriber profiles are used to match user domain names, and on a match to use a defined AAA attribute list. The AAA attribute list contains a list of valid Cisco IOS format AAA attributes.

MIB Enhancements

The MIB Enhancements feature includes the following additional MIBs and MIB support:

MPLS-LSR-MIB

MPLS-TE-MIB

MPLS-VPN-MIB

CISCO-TAP-MIB

CISCO-IP-LOCAL-POOL-MIB

Addition of the per precedence/DSCP/discard class statistics in the QoS MIB

MPLS-LDP-MIB (Version 8)

MPLS enhancements to the IF-MIB

For more information about MIBs supported on the Cisco 10000 series router, refer to:

Cisco 10000 Series Broadband MIB Specifications Guide

Cisco 10000 Series Leased-Line MIB Specifications Guide

MPLS QoS

When a customer transmits IP packets from one site to another, the IP precedence field (the first three bits of the DSCP field in the header of an IP packet) specifies the class of service. Based on the IP precedence marking, the packet can be given a change in treatment such as the latency or the percent of bandwidth allowed. If the service provider network is an MPLS network, then the IP precedence bits are copied into the MPLS EXP field at the edge of the network. However, the service provider might want to set an MPLS packet's QoS to a different value determined by the service offering.

MPLS can be used to "tunnel" the QoS of a packet. The MPLS EXP field can be marked independent of the PHB. The service provider can choose from a variety of criteria (including those based on IP PHB) to classify a packet and set the MPLS EXP field. This allows the service provider to set the MPLS EXP field instead of overwriting the value in the customer's IP precedence field. The IP header remains available for the customer's use; the marking of an IP packet is not changed as the packet travels through the MPLS network. In some instances, it is desirable to extend the MPLS PHB to the egress interface between the provider edge (PE) router and customer edge (CE) router. This has the effect of extending the MPLS QoS tunnel, which allows the MPLS network owner to classify scheduling and discarding behavior on that final interface.

MPLS Traffic Engineering—DiffServ Aware

The MPLS Traffic Engineering—DiffServ Aware (DS-TE) feature extends MPLS traffic engineering capabilities to provide stricter quality of service (QoS) guarantees. TE tunnels provide differentiated services (DiffServ) to satisfy bandwidth requirements of regular traffic. However, the bandwidth currently advertised for TE tunnels and the tunnel traffic do not correspond to any queue. Instead, the MPLS class of service (CoS) provides DiffServ service, which is adequate for most customer services. Special services such as voice, however, require stricter QoS guarantees. The DS-TE feature addresses this need, providing strict bandwidth guarantees for TE tunnels.

The DS-TE feature introduces awareness of a particular class of traffic referred to as the guaranteed bandwidth traffic. DS-TE enables service providers to perform separate admission control and separate route computation of the guaranteed bandwidth traffic. The service provider can, therefore, develop QoS services for end customers that rely on signaled QoS rather than provisioned QoS, which enables the service provider to build QoS services with hard commitments and without overprovisioning.

Multirouter APS

The Multirouter APS (MR-APS) feature enables ATM connections to switch from one ATM circuit to another ATM circuit if a circuit failure occurs. ATM interfaces can be switched in response to a router failure, degradation or loss of channel signal, or manual intervention.

The protection mechanism used for this feature has a linear 1+1 architecture as described in the Bellcore publication TR-TSY-000253, SONET Transport Systems; Common Generic Criteria, Section 5.3. The connection may be bidirectional or unidirectional and revertive or nonrevertive. The default is bidirectional. The switching mode must be the same on the far end of the connection.

In Cisco IOS Release 12.3(7)XI1, MR-APS is supported for the following line cards:

OC-3 ATM

OC-12 ATM

4-port Channelized STM-1

Percent-Based Policing

The Percent-Based Policing feature enables you to configure traffic policing in bits-per-second or as a percentage of bandwidth of the network interface on which policing is applied. Configuring traffic policing based on bandwidth percentage enables you to use the same policy map for multiple interfaces with differing amounts of bandwidth.

Per DSCP WRED

The per differentiated services code point weighted random early detection (DSCP WRED) feature enables the Cisco 10000 series router to randomly drop packets with a specific DSCP value, according to the DSCP thresholds you configure.

Differentiated Services (DiffServ) is a QoS model that increases the number of definable priority levels by reallocating bits of an IP packet for priority marking. The six most significant bits of the type of service (ToS) field are the DiffServ field. The last two bits in the DiffServ field are used as Early Congestion Notification (ECN) bits.

The per DSCP WRED feature enables you to configure eight unique drop precedence levels for one queue. Each of the 64 DSCP levels corresponds to one of the eight levels. Previously, when you configured the eight unique drop precedence levels, all of the queues configured on an interface shared the different levels. The per DSCP WRED feature enhances support to provide eight unique levels per queue.

Per Precedence WRED Statistics

The Enhanced Weighted Random Early Detection (WRED) Statistics feature maintains separate WRED drop statistics for each IP precedence, discard-class, and differentiated services code point (DSCP) value. The show policy-map command has been enhanced to show WRED drop counts for each profile. In earlier releases, RED drop counts were maintained only for each class.

RADIUS Packet of Disconnect

In Cisco IOS Release 12.3(7)XI1, the RADIUS Packet of Disconnect feature consists of a method for terminating a session that has already been connected. This packet of disconnect (POD) is a RADIUS access_request packet and is intended to be used in situations where the authenticating agent server wants to disconnect the user after the session has been accepted by the RADIUS access_accept packet.

Scaling Enhancements

The Scaling Enhancements feature provides increased limits with FIB scaling, policy map scaling, and queue scaling.

FIB Scaling

The FIB is a routing table that is used to look up the next hop route for the destination IP address and the reverse path forwarding (RPF) route using the source IP address. The FIB Scaling feature implements the following changes:

Up to 1 million routes in the global FIB table are supported without MPLS VPN configuration.

Total number of virtual routing and forwarding instances (VRFs) supported is 4095.

Up to 100 routes per VRF with 4095 VRFs configured.

Up to 70 routes per VRF with 4095 VRFs configured, plus 200,000 global BGP routes.

Up to 600 routes per VRF with 1000 or fewer VRFs configured.

Policy-Map Scaling

The Policy-Map Scaling feature increases the system-wide number of quality of service (QoS) policy maps that you can configure. Depending on the complexity of your configuration, the Cisco 10000 series router supports up to 4,096 policy maps. In complex configurations the maximum number of policy maps can be as small as a few hundred. Additionally, when you use percent-based policing in a service policy, the system may convert a single customer-configured service to multiple service policies (which count against the 4096 limit). The system uses one such service policy for each different speed interface that uses a service policy with percent-based policing.

Queue Scaling

The Queue Scaling feature increases the total number of queues that VTMS supports to 131,072 total queues. 254 queues are available for high speed interfaces, and 130,816 queues are available for low speed interfaces. This allows the support of the 31,500 priority queues (of 131,072 total queues) on 31,500 sessions or interfaces.

Strict Priority Queuing

The Priority Queuing feature guarantees latency for any packet that enters the priority queue regardless of the current congestion level on the link. Strict priority queue mode is supported as the only mode of operation for a priority queue in Cisco IOS Release 12.3(7)XI1.

Time-Based ACLs

Time-based ACLs allow the network administrator to define a time range when certain resources may be accessed, thus providing greater control over resource usage. Time-based ACLs are functionally similar to extended ACLs and control access to the router for a specific time period.

A time range defines the specific times of the day and week that the ACL is active. A time range name identifies the time range. The access control entries (ACEs) reference the time range name, which causes the router to impose the time restriction on the ACEs. The time range relies on the router system clock to activate or deactivate an ACE.

Previously, access list statements were always in effect after they were applied to an interface. However, using the time-range command, network administrators can now define when the permit and deny statements in the ACL are in effect. Both named and numbered access lists can reference a time range.
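The two properties that matter when reviewing a time-based ACL are that an entry outside its time range is skipped rather than inverted, and that "active" is decided by the router's own clock. The following model shows both; it is an added example, not Cisco code, and the ACL entries, addresses, time range name and the half-open handling of the end time are assumptions made for illustration.

```python
"""Model of ACL evaluation where ACEs may reference a named time range."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class TimeRange:
    days: frozenset          # datetime.weekday() values, Monday = 0
    start: time
    end: time

    def active(self, clock):
        # Half-open interval [start, end) is this example's choice.
        return clock.weekday() in self.days and self.start <= clock.time() < self.end


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    source: str              # CIDR prefix
    dport: int
    time_range: Optional[str] = None


def evaluate(acl, ranges, src, dport, router_clock):
    """First matching active ACE wins; nothing matching means implicit deny."""
    addr = ipaddress.ip_address(src)
    for ace in acl:
        if ace.time_range is not None and not ranges[ace.time_range].active(router_clock):
            continue         # outside its time range the ACE is ignored, not reversed
        if addr in ipaddress.ip_network(ace.source) and dport == ace.dport:
            return ace.action
    return "deny"


# Constructed policy: weekdays 08:00 to 18:00.
RANGES = {"BUSINESS": TimeRange(frozenset(range(5)), time(8, 0), time(18, 0))}
ACL = [
    Ace("permit", "192.0.2.0/24", 22, "BUSINESS"),   # operators, business hours only
    Ace("permit", "198.51.100.10/32", 22),           # jump host, always
    Ace("deny", "0.0.0.0/0", 80, "BUSINESS"),        # block web during business hours
    Ace("permit", "0.0.0.0/0", 80),                  # otherwise allow web
]

if __name__ == "__main__":
    wed_day = datetime(2004, 8, 4, 10, 0)      # Wednesday 10:00
    wed_night = datetime(2004, 8, 4, 22, 0)    # Wednesday 22:00
    print(evaluate(ACL, RANGES, "192.0.2.7", 22, wed_day))        # in range
    print(evaluate(ACL, RANGES, "192.0.2.7", 22, wed_night))      # falls to implicit deny
    print(evaluate(ACL, RANGES, "203.0.113.9", 80, wed_night))    # inactive deny is skipped
    # A router clock that reads 10:00 at 22:00 real time keeps the daytime ACE active.
    print(evaluate(ACL, RANGES, "192.0.2.7", 22, wed_day))
```

Because the decision uses whatever time the router believes it is, clock accuracy and protection of the time source are part of the access policy.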

VBR-nrt Oversubscription

The Variable Bit Rate Non-Real Time (VBR-nrt) Oversubscription feature enables service providers to improve network utilization of otherwise underutilized shared networks by leveraging statistical multiplexing on ATM networks. Instead of supporting only unconditional reservation of network bandwidth to VCs, the router offers VC oversubscription to statistically guarantee bandwidth to VCs.

In releases prior to Cisco IOS Release 12.3(7)XI1, a call admission check (CAC) prevented you from assigning more bandwidth to virtual circuits (VCs) than a port's total bandwidth. The VBR-nrt Oversubscription feature enables you to specify the amount of oversubscription (oversubscription factor) you want to allow. The CAC check is based on the oversubscription factor you specify and evaluated separately for both VCs and VP tunnels into the port, and VCs into VP tunnels. When the total assigned bandwidth exceeds the physical capacity, the router provides each VC's bandwidth reservation, as long as a limited number of VCs activate at one time. By doing so, the router takes advantage of statistical multiplexing to provide better network utilization at the expense of degraded service under congestion.

The oversubscription factor is also used to evaluate the amount of bandwidth allocated for unspecified bit rate (UBR) VCs. Prior to Cisco IOS Release 12.3(7)XI1, UBR VCs received the bandwidth remaining after other VCs had been allocated bandwidth. The CAC check now adjusts the bandwidth for UBR VCs based on the oversubscription factor.

VC Weighting

In earlier releases, the weight of a particular VC was proportional to the VC speed and was not directly controllable by the user (other than by changing the VC rate). In Cisco IOS Release 12.3(7)XI1, the VC Weighting feature adds the ability to configure the VC weight directly.

WRED with Queue Limit

The Weighted Random Early Detection (WRED) with Queue Limit feature is a congestion avoidance mechanism that expands your ability to customize the size of a WRED queue. Using this feature, you can configure a packet drop policy for a traffic class that includes a bandwidth guarantee and simultaneously limit the maximum number of packets allowed to accumulate in a traffic class queue.

In Cisco IOS Release 12.3(7)XI1 or later, you can specify the random-detect and queue-limit commands in the same class of a policy. Earlier releases allowed you to specify either the random-detect command or the queue-limit command, but not both commands at the same time.

Limitations and Restrictions

This section describes limitations and restrictions for the following areas. Review them before using the features in Cisco IOS Release 12.3(7)XI1:

3-Level Hierarchical QoS Policies

BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN

Controlling the Rate of Logging Messages

Frame Relay

Half-Duplex VRF

Hierarchical Shaping

IEEE 802.1Q-in-Q VLAN Tag Termination

IP Receive ACLs

IP Unnumbered on VLAN

MPLS QoS

MPLS Traffic Engineering—Diffserv Aware

Multirouter Automatic Protection Switching

Per Domain VRF With Local Templates

Per DSCP WRED

Per Precedence WRED Statistics

PRE Network Management Ethernet Port

RADIUS Packet of Disconnect

Strict Priority Queuing

Testing Performance of High-Speed Interfaces

Time-Based ACLs

Variable Bit Rate Non-Real Time Oversubscription

WRED with Queue Limit

For more information about the restrictions for a specific feature, refer to the Cisco 10000 Series Broadband Aggregation and Leased-Line Configuration Guide.

3-Level Hierarchical QoS Policies

The 3-Level Hierarchical QoS Policies feature has the following restrictions:

You can configure only the class-default class in the top-level policy. Configure the shape command for the class-default class and then configure the service-policy command to attach an inner policy. You must configure the shape command before the service-policy command.

In an inner policy, you cannot configure the police and set commands for a class if you attach a service-policy command to the class. This restriction does not apply to classes that do not have a service-policy command configured.

In a bottommost policy, you can configure only the police and set commands for a class.

You cannot have default classes in the bottommost class.

You cannot attach a service-policy command to a bottommost policy.


Note: The actual shape rate applied to nested-policy traffic might differ from that specified in the policy. For example, a specified shape rate of 10.5 Mbps might be mapped to 11 Mbps. Use the show policy-map interface command to determine the actual shape rate.


BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN

The BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN feature has the following restrictions:

The Cisco 10000 series router supports recursive loadsharing, but with the following restriction.

In recursive load sharing, the information required to forward a packet requires at least 2 lookups. The first lookup determines which provider edge (PE) router is used to reach the final destination. The second lookup determines how to reach the PE router (from first lookup).

When you configure MPLS VPN, CEF uses recursive load sharing. The first lookup provides the VPN label, the second lookup provides the IGP label. When PXF forwards a packet, it does only 1 lookup which provides both a VPN and an IGP label; 2 lookups in CEF are combined into 1. The restriction for recursive load sharing when PXF forwards a packet is as follows.

When there are multiple IGP paths between a Cisco 10000 Series PE router to a provider router (P), only per-tag load balancing is supported. That is, PXF is programmed with only one of the paths and this one path is chosen in a round-robin fashion. Because the path is chosen at prefix setup time, it is not possible to predict which path will be selected for which prefix. The path selected depends on the order in which the prefixes are configured in the routing table. The bandwidths of the IGP paths are not considered in the path selection.

When the routing table contains multiple iBGP paths, a route reflector advertises only one of the paths (one next hop). If a router is behind a route reflector, all routers that are connected to multihomed sites are not advertised unless separate VRFs with different route distinguishers (RDs) are configured for each VRF.

Each IP routing table entry for a BGP prefix that has multiple iBGP paths uses additional memory. We recommend not using this feature on a router with a low amount of available memory and especially when the router is carrying a full Internet routing table.

Controlling the Rate of Logging Messages

It is important that you limit the rate at which the Cisco 10000 series router logs system messages. This helps to avoid a situation in which the router becomes unstable and the CPU is overloaded. To control the output of messages from the system, use the logging rate-limit command.

Cisco recommends that you configure the logging rate-limit command as follows. This limits the rate of all messages to the console to 10 per second, except for messages with critical priority (level 3) or greater.

Router(config)# logging rate-limit console all 10 except critical

For more information, refer to the logging rate-limit command in the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3.

Frame Relay

The following limitations apply to the Cisco 10000 series router implementation of Frame Relay:

The ip rtp reserve command is not supported.

Only one priority queue per VC is allowed.

Half-Duplex VRF

The Half-Duplex VRF feature has the following restrictions:

In both the upstream and downstream VRFs, routing protocols are not supported on interfaces configured for half-duplex VRFs.

Half-duplex VRFs apply only to virtual access interfaces (VAIs) and virtual template interfaces. Only IP unnumbered interfaces are supported.

Half-duplex VRF is not supported with Routing with Bridged Encapsulation (RBE).

Hierarchical Shaping

The Hierarchical Shaping feature has the following restrictions:

The Cisco 10000 series router supports a maximum of 31,500 VCs when the Hierarchical Shaping feature is enabled.

You can configure a maximum of 127 VP tunnels for each ATM line card. You can configure these 127 VP tunnels across the ports in any fashion.

The OC-3 and OC-12 line cards support a maximum of 14,336 VCs when configured for hierarchical shaping. The DS3/E3 line card supports a maximum of 8,192 VCs when configured for shaping. You can configure the maximum number of VCs across the ports in any fashion, provided that you do not exceed the per-port maximum. The OC-3 line card is limited to 8,192 VCs per port and the DS3 is limited to 4,096 VCs per port.

You must have the atm pxf queuing command configured on the port. If not, the SAR still does VP shaping and the VCs are sent to the tunnel based on a weighted round robin format; however, the PXF does not shape the VCs. The default queuing mode for a port is atm pxf queuing.

Only variable bit rate (VBR) VCs are allowed in the VP tunnel. You cannot configure unspecified bit rate (UBR) VCs or constant bit rate (CBR) VCs in the tunnels.

Congestion is not handled at the VP tunnel or at the port. During congestion, shaping is degraded.

During congestion at the port-level, shaping degrades to simple round robin for all VPs contending for the port's capacity; shaping is not weighted based on the rate of the VPs.

IEEE 802.1Q-in-Q VLAN Tag Termination

The IEEE 802.1Q-in-Q VLAN Tag Termination feature has the following restrictions:

Supported on Ethernet, FastEthernet, or Gigabit Ethernet interfaces.

Supports only Point-to-Point Protocol over Ethernet (PPPoE) packets that are double-tagged for Q-in-Q VLAN tag termination.

IP and Multiprotocol Label Switching (MPLS) packets are not supported.

Modular QoS services can be applied to unambiguous subinterfaces only.

Limited ACL support.

IP Receive ACLs

The IP receive ACLs feature has the following restrictions:

A receive ACL must be a numbered ACL. You cannot use a named ACL as the receive ACL.

The rules for numbered ACLs also apply to the access control entries (ACEs) of receive ACLs.

Time-based and reflexive ACLs are not supported as receive ACLs.

Only traffic processed by the RP is filtered. Traffic that is processed exclusively by the Forwarding Processor (FP) is not filtered. For example, GRE tunneled packets, L2TP tunneled packets, and some ICMP packets are not filtered.

IP Unnumbered on VLAN

The IP Unnumbered on VLANs feature has the following restrictions:

You can configure IP unnumbered on only Ethernet VLAN subinterfaces and point-to-point interfaces.

If you configure more than 14,000 IP unnumbered subinterfaces and you have configured EIGRP on all interfaces on a router, the router can stop responding. To avoid this problem, use the passive-interface default command (which disables all router interfaces from sending routing updates) and then configure the no passive-interface command on selected interfaces you want to send routing updates.

Service Selection Gateway (SSG) functionality is not supported.

MPLS QoS

The following limitations apply to the Cisco 10000 series router implementation of MPLS QoS:

The match mpls experimental topmost exp-value command (where exp-value is in the range 0-7) is supported on both input and output interfaces, on which MPLS is enabled.

The set mpls experimental imposition mpls-exp-value command and the set mpls experimental mpls-exp-value command (where in both cases mpls-exp-value is in the range 0-7) are supported on the provider edge (PE) router input interface connecting to customer edge (CE) router. These commands can also be used on input interfaces on the CE, in pipe mode of MPLS QoS Diff Serv tunneling models.

These two commands have the same function, but because the set mpls experimental mpls-exp-value command is supported only for backward compatibility, Cisco recommends that you use the set mpls experimental imposition mpls-exp-value command.

The set-mpls-exp-imposition-transmit option of the police command is only supported on the PE input interface that is connected to the CE.

The mpls ip encapsulate explicit-null command is supported on the CE router interface that is connected to the PE. This command is only used in pipe mode of MPLS QoS Diff Serv tunneling models.

When precedence-based weighted random early detection (WRED) is configured on an output policy map and outgoing packets are MPLS packets, the router drops the MPLS packets based on the 3 EXP bits in the MPLS label, instead of using the 3 bits of IP precedence in the underneath IP packets.

When DSCP-based WRED is configured on an output policy map and outgoing packets are MPLS packets, the router drops the MPLS packets based on the 3 EXP bits in the MPLS label, instead of using the 6 bits of DSCP in the underneath IP packets. The router left-shifts the 3 EXP bits to form a 6-bit value. For example, if the value of the EXP bits is 5 (binary 101), the router converts them to binary 101000 (so that the value looks like 6 DSCP bits), and drops packets based on this value.

When you configure the set and police commands in a traffic class, regardless of whether it is in an input or output policy map, the police command is processed after the set command. This means that any values applied by the police command override values set by the set command. The value can be IP precedence, DSCP, qos-group, MPLS experimental imposition, Discard-class, or ATM CLP bit.

Discard-class can be a number between 0 and 7; qos-group can be a number between 0 and 63.

MPLS Traffic Engineering—Diffserv Aware

The DS-TE feature has the following restrictions:

The total number of TE tunnels (regular TE tunnels and DS-TE tunnels) that can originate on a device is limited to 1013 tunnels.

Multirouter Automatic Protection Switching

In Cisco IOS Release 12.3(7)XI1, MR-APS is supported for the following line cards:

OC-3 ATM

OC-12 ATM

4-port Channelized STM-1

Per Domain VRF With Local Templates

Local templates can be used to forward users to a RADIUS Server for remote AAA. The ip vrf forwarding command is not supported under local templates. Therefore, you can only specify a virtual routing and forwarding instance (VRF) by using the ip:vrf-id VSA attribute on the RADIUS Server. Do not use Local templates with Subscriber Profiles; they are mutually exclusive.

Per DSCP WRED

The per DSCP WRED feature has the following restrictions:

Because Cisco IOS software applies the random-detect command on a per interface-basis, you cannot simultaneously configure precedence-based WRED and DSCP-based WRED on a particular interface.

You cannot use this feature with Multiprotocol Label Switching (MPLS) encapsulated packets. The Cisco 10000 series router supports this feature for use with IP packets only.

Per Precedence WRED Statistics

In the output of the show policy-map interface command, the Tail Drops counter indicates the number of packets dropped because the average queue length exceeds the maximum threshold for the given precedence. However, under burst conditions it is possible that packets can be dropped because the queue is full. These packets are not counted as Tail Drops. Packets that are dropped under burst conditions when the queue is full are counted as Output Queue Drops.

PRE Network Management Ethernet Port

Ensure that the Fast Ethernet NME port on the PRE is configured for auto-negotiation mode, which is the system default. Duplex mode can cause problems, such as flapping. If the port is experiencing such problems and has been configured for duplex mode, use the no half-duplex or no full-duplex command to disable duplex mode.

RADIUS Packet of Disconnect

Proper matching identification information must be communicated by the:

Billing server and router configuration

Router's original accounting start request

Server's POD request

Strict Priority Queuing

If you do not enter a police command with the priority command, other queues on the link can be starved for bandwidth.

After you use the priority command without a police command in a policy map, you cannot use the bandwidth command in other classes in the same policy map.

Testing Performance of High-Speed Interfaces

Cisco IOS software running on the Cisco 10000 series router has multiple queues for all classes of traffic over high-speed interfaces. The software selects a queue based on the source and destination address for the packet. This ensures that a traffic flow always uses the same queue and the packets are transmitted in proper order.

When the Cisco 10000 series router is installed in a real network, the high-speed interfaces work efficiently to spread traffic flow equally over the queues. However, using single traffic streams in a laboratory environment may result in less-than-expected performance.

Therefore, to ensure accurate test results, you should test the throughput of the gigabit Ethernet, Packet over SONET (POS), or ATM uplink with multiple source or destination addresses.


Tip: To determine if traffic is being properly distributed, use the show hardware pxf cpu queue command.


Time-Based ACLs

The Time-Based ACLs feature has the following restrictions:

You can specify a time range for only IP extended access lists. Standard access lists are not supported.

An ACE that refers to a non-existent time-range entry is considered active.

You define time-based ACLs based on hours and minutes. You cannot specify seconds.
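Because an ACE that refers to a non-existent time-range entry is considered active, a misspelled range name turns a time-limited rule into a permanent one. The following added example (not part of the release notes) audits a configuration for that case and for time-based ACEs in a receive ACL, which the IP Receive ACLs restrictions rule out. The sample configuration, the function name, and exact (case-sensitive) name matching are assumptions; `ip receive access-list` is the IOS command that applies a receive ACL and does not appear in these notes.

```python
import re

# Constructed sample configuration (not taken from the release notes).
SAMPLE_CONFIG = """\
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
access-list 101 permit tcp any host 192.0.2.10 eq 22 time-range BUSINESS-HOURS
access-list 101 permit tcp any host 192.0.2.10 eq 23 time-range BUSNESS-HOURS
access-list 101 deny ip any any
!
ip access-list extended VENDOR-IN
 permit tcp host 198.51.100.7 any eq 443 time-range MAINT-WINDOW
 deny ip any any
!
access-list 120 permit tcp host 192.0.2.50 any eq 22 time-range BUSINESS-HOURS
access-list 120 deny ip any any
ip receive access-list 120
"""

DEF_RE = re.compile(r"^time-range\s+(\S+)$")
NUM_ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(?:permit|deny)\s")
NAMED_ACL_RE = re.compile(r"^ip access-list extended\s+(\S+)$")
REF_RE = re.compile(r"\stime-range\s+(\S+)")
RECV_RE = re.compile(r"^ip receive access-list\s+(\S+)$")


def audit_time_ranges(config):
    """Return sorted (line_no, acl, issue, time_range_name) findings."""
    defined, refs, receive_acls = set(), [], set()
    current_acl = None
    for line_no, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0] != " ":
            # A top-level command ends any ACL sub-mode we were in.
            current_acl = None
            if m := DEF_RE.match(line):
                defined.add(m.group(1))
            elif m := RECV_RE.match(line):
                receive_acls.add(m.group(1))
            elif m := NAMED_ACL_RE.match(line):
                current_acl = m.group(1)
            elif m := NUM_ACE_RE.match(line):
                if ref := REF_RE.search(line):
                    refs.append((line_no, m.group(1), ref.group(1)))
        elif current_acl and (ref := REF_RE.search(line)):
            # Indented ACE inside a named extended ACL.
            refs.append((line_no, current_acl, ref.group(1)))

    findings = []
    for line_no, acl, name in refs:
        if name not in defined:
            # Treated as active at all times, per the restriction above.
            findings.append((line_no, acl, "undefined-time-range", name))
        if acl in receive_acls:
            # Time-based ACLs are not supported as receive ACLs.
            findings.append((line_no, acl, "time-range-in-receive-acl", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_time_ranges(SAMPLE_CONFIG):
        print(finding)
```

Definitions are collected for the whole file before references are judged, so a time-range defined after the ACL that uses it is not reported.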

Variable Bit Rate Non-Real Time Oversubscription

The VBR-nrt Oversubscription feature has the following restrictions:

Congestion

Due to congestion on the physical interface, the accuracy of priority queuing (PQ) and class-based weighted fair queuing (CBWFQ) on individual VCs degrades. For example, if you configure each of three queues at a distribution of 50, 30, and 20 percent, the actual distribution might be 45, 40, and 15 percent.

The distribution of bandwidth for each VC might be less than expected based on the speed of the VC. Typically, low speed VCs are allocated the expected bandwidth while high speed VCs share the remaining bandwidth equally.

The amount of bandwidth allocated for the PQ or latency might be less than expected.

Oversubscription Feature

Oversubscription of the ATM interfaces is off by default. Oversubscription of the tunnels (the number and bandwidth of VCs that can be in a tunnel) is on by default and is not subject to any oversubscription factor. Oversubscription of the tunnels cannot be adjusted or turned off.

Use the atm over-subscription-factor command to enable the oversubscription feature for a particular interface or tunnel. Do not use the atm oversubscribe command to enable oversubscription, as this can cause undesirable results.

It is recommended that the atm over-subscription-factor command be applied to all ports of an ATM line card. This command controls the allocation of resources that are managed on a line card. Enabling oversubscription on one port alone could result in other ports taking up more resources than they were supposed to use. This could result in starving other ports for resources, which could cause VC creation to fail.

WRED with Queue Limit

The WRED with Queue Limit feature has the following restrictions:

The Cisco 10000 series router supports the configuration of 131,072 queues. The router reserves 255 queues for high speed interfaces. Any link that has a speed greater than 622 Mbps is classified as a high speed interface.

You can configure a maximum of 29 queues per link.

The queue limits that you can configure on a high speed interface range from 128 to 65,536 packets and on a low speed interface the queue limits range from 8 to 4,096 packets.

Important Notes

This section provides important information about the following topics:

Configuring the aaa new-model Command

Provisioning for Scaling

Enhancing Scalability of Per-User Configurations

Inserting a New Line Card

Multilink PPP

Configuring the aaa new-model Command

The aaa new-model command is disabled by default on the Cisco 10000 series router. In previous releases, the default configuration did not appear in the running configuration file. However, in Cisco IOS Release 12.3(7)XI1 or later releases, the running configuration file now includes the no aaa new-model command. This is an intentional change in behavior for this command and is the first step in a three-step process to change the default configuration to aaa new-model.


Note: This change in behavior differs from Cisco IOS software, which typically does not include default configurations in the running configuration file.


For example, when you enter the show running-config command, no aaa new-model appears in the configuration if either of the following conditions previously occurred:

You did not configure the aaa new-model command on the router and instead accepted the default configuration of the file: no aaa new-model.

You entered the no aaa new-model command to remove the previously configured aaa new-model command.

Provisioning for Scaling

The following configuration parameters enhance scalability on the Cisco 10000 series router:

PPPoA Sessions with IP QoS Static Routes

AAA Authentication on the NME Port

Call Admission Control

To configure the Cisco 10000 series router for high scalability, be sure to set the configuration parameters as described in the sections that follow.

For more information, refer to the Cisco 10000 Series Broadband Aggregation and Leased-Line Configuration Guide.

PPPoA Sessions with IP QoS Static Routes

To scale to 32,000 PPPoA sessions with IP QoS enabled, you must limit the number of IP QoS static routes to 4,000 unidirectional QoS static routes.

AAA Authentication on the NME Port

If you use AAA authentication on the NME port, set both the in and out interface hold queues to 4096. For example:

Router(config)# int fa 0/0/0
Router(config-if)# hold-queue 4096 in
Router(config-if)# hold-queue 4096 out

Call Admission Control

We recommend that you set the Call Admission Control (CAC) to a maximum of 95. For example:

Router(config)# call admission limit 95

Enhancing Scalability of Per-User Configurations

To enhance scalability of per-user configurations without changing the router configuration, use the ip:vrf-id and ip:ip-unnumbered RADIUS attributes. These per-user vendor specific attributes (VSAs) are used to map sessions to VRFs and IP unnumbered interfaces. The VSAs apply to virtual access subinterfaces and are processed during PPP authorization.

In releases earlier than Cisco IOS Release 12.2(16)BX1, the lcp:interface-config RADIUS attribute is used to map sessions to VRFs. This per-user VSA applies to any type of interface configuration, including virtual access interfaces. Valid values of this VSA are essentially any valid Cisco IOS interface command; however, not all Cisco IOS commands are supported on virtual access subinterfaces. To accommodate the requirements of the lcp:interface-config VSA, the per-user authorization process forces the Cisco 10000 series router to create full virtual access interfaces, which consume more memory and are less scalable.

In Cisco IOS Release 12.2(16)BX1 and later releases, the ip:vrf-id is used to map sessions to VRFs. Any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install IP configurations on the virtual access interface that is to be created. PPP that is used on a virtual access interface to be created requires the ip:ip-unnumbered VSA. An Internet Protocol Control Protocol (IPCP) session is not established if IP is not configured on the interface. You must configure either the ip address command or the ip unnumbered command on the interface so that these configurations are present on the virtual access interface that is to be created. However, specifying the ip address and ip unnumbered commands on a virtual template interface is not required because any pre-existing IP configurations are removed when the ip:ip-vrf VSA is installed on the virtual access interface. Therefore, any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install IP configurations on the virtual access interface that is to be created.

These per-user VSAs can be applied to virtual access subinterfaces; therefore, the per-user authorization process does not require the creation of full virtual access interfaces, which improves scalability.

Setting VRF and IP Unnumbered Interface Configurations in User Profiles

Although the Cisco 10000 series router continues to support the lcp:interface-config VSA, the ip:vrf-id and ip:ip-unnumbered VSAs provide another way to set the VRF and IP unnumbered interface configurations in user profiles. The ip:vrf-id and ip:ip-unnumbered VSAs have the following syntax:

Cisco:Cisco-AVpair = "ip:vrf-id=vrf-name"
Cisco:Cisco-AVpair = "ip:ip-unnumbered=interface-name"

Specify only one ip:vrf-id and one ip:ip-unnumbered value in a user profile. However, if the profile configuration includes multiple values, the Cisco 10000 series router applies the value of the last VSA received, and creates a virtual access subinterface. If the profile includes the lcp:interface-config VSA, the router always applies the value of the lcp:interface-config VSA, and creates a full virtual access interface.

If you specify a VRF in a user profile but do not configure the VRF on the Cisco 10000 series router, the result depends on the release. In Cisco IOS Release 12.2(15)BX, the router accepted the profile. In Cisco IOS Release 12.2(16)BX1 and later releases, the router rejects the profile.

Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template

You can specify one VSA value in the user profile on RADIUS and another value locally in the virtual template interface. The Cisco 10000 series router clones the template and then applies the values configured in the profiles it receives from RADIUS, resulting in the removal of any IP configurations when the router applies the profile values.

Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs

The requirement of a full virtual access interface when using the lcp:interface-config VSA in user profiles can result in scalability issues, such as increased memory consumption. This is especially true when the Cisco 10000 series router attempts to apply a large number of per-user profiles that include the lcp:interface-config VSA. Therefore, when updating your user profiles, we recommend that you redefine the lcp:interface-config VSA to the scalable ip:vrf-id and ip:ip-unnumbered VSAs.

Example 1 shows how to redefine the VRF named newyork using the ip:vrf-id VSA.

Example 1 Redefining VRF Configurations

Change:
Cisco:Cisco-Avpair = "lcp:interface-config=ip vrf forwarding newyork"

To:
Cisco:Cisco-Avpair = "ip:vrf-id=newyork"

Example 2 shows how to redefine the Loopback 0 interface using the ip:ip-unnumbered VSA.

Example 2 Redefining IP Unnumbered Interfaces

Change:
Cisco:Cisco-Avpair = "lcp:interface-config=ip unnumbered Loopback 0"

To:
Cisco:Cisco-Avpair = "ip:ip-unnumbered=Loopback 0"
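The two redefinitions above can be applied across a set of user profiles mechanically. The following added example (not Cisco's code, and not part of the release notes) rewrites the Cisco-AVpair values of a profile as in Examples 1 and 2 and reports the conditions this section describes: a leftover lcp:interface-config value, multiple values of one VSA, and ip:vrf-id without ip:ip-unnumbered. The profile layout (a list of AV-pair strings per user, one interface command per pair), the function name, and the warning codes are assumptions.

```python
import re

LCP_PREFIX = "lcp:interface-config="
VRF_CMD = re.compile(r"^ip vrf forwarding\s+(\S+)$")
UNNUM_CMD = re.compile(r"^ip unnumbered\s+(.+)$")

# Constructed sample profiles: user name -> Cisco-AVpair values.
SAMPLE_PROFILES = {
    "alice": ["lcp:interface-config=ip vrf forwarding newyork",
              "lcp:interface-config=ip unnumbered Loopback 0"],
    "bob": ["lcp:interface-config=ip vrf forwarding newyork"],
    "carol": ["ip:vrf-id=newyork", "ip:vrf-id=boston",
              "ip:ip-unnumbered=Loopback 0"],
    "dave": ["lcp:interface-config=ip vrf forwarding newyork",
             "lcp:interface-config=ip unnumbered Loopback 0",
             "lcp:interface-config=ip mtu 1492"],
}


def migrate_profile(avpairs):
    """Rewrite one profile's AV pairs; return (new_avpairs, warnings)."""
    out = []
    for value in avpairs:
        if value.startswith(LCP_PREFIX):
            cmd = value[len(LCP_PREFIX):].strip()
            if m := VRF_CMD.match(cmd):
                out.append(f"ip:vrf-id={m.group(1)}")        # Example 1
                continue
            if m := UNNUM_CMD.match(cmd):
                out.append(f"ip:ip-unnumbered={m.group(1).strip()}")  # Example 2
                continue
        out.append(value)  # anything else is kept unchanged

    vrfs = [v for v in out if v.startswith("ip:vrf-id=")]
    unnumbered = [v for v in out if v.startswith("ip:ip-unnumbered=")]
    warnings = []
    if any(v.startswith(LCP_PREFIX) for v in out):
        # The router applies this VSA and creates a full virtual access interface.
        warnings.append("full-vai")
    if len(vrfs) > 1:
        # The router applies the value of the last VSA received.
        warnings.append("multiple-vrf-id")
    if len(unnumbered) > 1:
        warnings.append("multiple-ip-unnumbered")
    if vrfs and not unnumbered:
        # A profile that uses ip:vrf-id must also use ip:ip-unnumbered.
        warnings.append("vrf-without-unnumbered")
    return out, warnings


def migrate_all(profiles):
    """Apply migrate_profile to every user in a {user: avpairs} mapping."""
    return {user: migrate_profile(pairs) for user, pairs in profiles.items()}


if __name__ == "__main__":
    for user, (pairs, warnings) in migrate_all(SAMPLE_PROFILES).items():
        print(user, pairs, warnings)
```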

Inserting a New Line Card

Unlike other Cisco routers, if you insert a new or different line card into a Cisco 10000 series router chassis slot that previously had a line card installed, the line card initially reports that it is administratively up.

Multilink PPP

Multilink PPP (MLPPP) is not supported on Cisco IOS Release 12.3(7)XI1.

Open Caveats—Cisco IOS Release 12.3(7)XI1

Table 2 describes Open Caveats in Cisco IOS Release 12.3(7)XI1.

Table 2 Open Caveats in Cisco IOS Release 12.3(7)XI1 

Caveat
Description

CSCdt94857

High impact commands or commands used in high scaling environments impact scaling by increasing CPU cycles, increasing boot time, and decreasing control plane run-time efficiency.

Workaround: There is no workaround for this problem.

CSCdy19642

Performance counters under the VT1.5, T3, and VT2 controllers for DS1/E1 are not updated or displayed correctly. When CRC errors are inserted in different ways to generate events that can be used to count errors at the T1/E1 levels under the VT1.5, T3, or VT2 controllers, the counters are not updated correctly.

Workaround: There is no workaround for this problem.

CSCdy45049

When scaling over 3000 serial interfaces, line rate traffic may not be achieved. This problem occurs when thousands of serial interfaces (PPP or HDLC) are used on the port and line rate traffic is sent through all interfaces.

Workaround: There is no workaround for this problem.

CSCdz40002

When you remove APS and then re-activate it, traffic convergence after an APS switchover takes longer than 2 seconds.

Workaround: There is no workaround for this problem.

CSCdz83304

A T3 link on a 4-port channelized OC-3 line card may not come up under Synchronous Digital Hierarchy (SDH) framing. This problem occurs when the 4-port channelized OC-3 line card interoperates with third-party vendor test equipment.

Workaround: Enter the shutdown controller configuration command followed by the no shutdown controller configuration command on the AU-3 controller that contains the T3 link.

CSCea63115

When you enter the redundancy force-failover main-cpu privileged EXEC command on a router that is configured with two Performance Routing Engines (PREs), an automatic protection system (APS) switchover occurs on OC-12 Packet-over-SONET (POS) line cards, which is incorrect behavior.

This problem occurs when APS is configured on OC-12 POS line cards in two different Cisco 10000 series routers that are connected back-to-back and you enter the following sequence of commands:

1. Enter the aps force pos slot/subslot/port from working interface configuration command on both routers.

2. Enter the show aps EXEC command. The output displays the active channels for both routers.

3. Enter the redundancy force-failover main-cpu privileged EXEC command on one of the routers, causing an APS switchover to occur on this router.

Workaround: There is no workaround for this problem. However, when the problem occurs, there is no loss of data.

CSCea63638

When Automatic Protection Switching (APS) is enabled, if you issue the hw-module reset command on the primary APS slot, no change is observed because the router does not switch to the secondary APS slot. This problem occurs when the hw-module reset command is issued.

Workaround: There is no workaround for this problem.

CSCea68229

The traffic flow over multirouter automatic protection switching (MR-APS) connections can stop. This problem occurs under the following cond