Cisco 10000 Series Routers

Table Of Contents

Release Notes for the Cisco 10000 Series Router for Cisco IOS Release 12.3(7)XI10

Contents

System Requirements

Route Processor Redundancy Mode

Before You Upgrade Cisco IOS Software

Upgrading to a New Software Release

New Features—Cisco IOS Release 12.3(7)XI10

Enhancements for Alleviating High CPU Use

Checking ARP Requests

Enabling and Disabling ARP Sanity Checking

Restrictions for PXF ARP Sanity Checking

Verifying Invalid ARP Requests

Policing and Dropping Encapsulation Diversions

Configuring Encap Diverts Dropping

Limitations and Restrictions

Binding a Service to Broadcast Interface

Complete ID

Controlling the Rate of Logging Messages

DBS Extensions

DNS Fault Tolerance

DNS Redirection

Frame Relay

Full VAIs

Half-Duplex Virtual Routing and Forwarding over Route Bridge Encapsulation

IEEE 802.1Q-in-Q VLAN Tag Termination

Layer 2 Tunnel Protocol Dialout

PDSN Interworking

Per Session Queuing and Shaping for PPPoE VLAN Using RADIUS

PRE Network Management Ethernet Port

Service Selection Gateway PTA MD

RADIUS Proxy Enhancements for CHAP

Range Command for Bind Statements

Redundant Uplinks to the Same Service

Scalability

Service level ACLs

SSG Auto Logoff

SSG EAP Transparency

SSG GRE

SSG IOS NAT

SSG L2TP

SSG Prepaid

Support for Classifying Hosts Based on IP Address

Suppression of Unused Accounting Records

Testing Performance of High-Speed Interfaces

Unique Session ID

VRF-Aware VPDN Tunnels

Important Notes

Configuring the aaa new-model Command

Enhancing Scalability of Per-User Configurations

Setting VRF and IP Unnumbered Interface Configurations in User Profiles

Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template

Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs

Inserting a New Line Card

Provisioning for Scaling

PPPoA Sessions with IP QoS Static Routes

AAA Authentication on the NME Port

Call Admission Control

Deferrals

Caveats for Cisco IOS Release 12.3(7)XI10

Open Caveats—Cisco IOS Release 12.3(7)XI10

Resolved Caveats—Cisco IOS Release 12.3(7)XI10

Obtaining Documentation

Release Notes for the Cisco 10000 Series Router for Cisco IOS Release 12.3(7)XI10

---

First Published: March 23, 2007

Revised: September 24, 2008

These release notes provide information about Cisco IOS software Release 12.3(7)XI10, which provides broadband aggregation, leased-line, and MPLS features for the Cisco 10000 series router.

Cisco IOS Release 12.3(7)XI10 is a maintenance release and there are no new features.

For a list of the software caveats that apply to Cisco IOS Release 12.3(7)XI10, see the "Caveats for Cisco IOS Release 12.3(7)XI10" section and Caveats for Cisco IOS Release 12.3T. The caveats document is updated for each maintenance release and is located on Cisco.com.

We recommend that you view the field notices for this release to see if your software or hardware platforms are affected. If you have an account on Cisco.com, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.html. If you do not have a Cisco.com login account, you can find field notices at http://www.cisco.com/warp/public/tech_tips/index/fn.htm.

Cisco IOS Release 12.3(7)XI10 is based on the following releases:

•Cisco IOS Release 12.3T

•Cisco IOS Release 12.3(7)XI9

To review the release notes for Cisco IOS Release 12.3, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/xprn123/index.htm

Contents

These release notes describe the following topics:

•System Requirements

•New Features—Cisco IOS Release 12.3(7)XI10

•Enhancements for Alleviating High CPU Use

•Limitations and Restrictions

•Important Notes

•Caveats for Cisco IOS Release 12.3(7)XI10

•Obtaining Documentation

System Requirements

Cisco IOS Release 12.3(7)XI10 requires that the performance routing engine (PRE) is installed on the Cisco 10000 series router chassis [Part Number ESR-PRE2]. To verify which PRE is installed in the router, use the show version command.

Route Processor Redundancy Mode

When you upgrade or downgrade Cisco IOS software, the RPR mode used on the Cisco 10000 series router depends upon the Cisco IOS software currently running on the router and the Cisco IOS software to which you want to upgrade or downgrade. When you upgrade or downgrade from Cisco IOS Release 12.3(7)XIx to another Release 12.3(7)XIx, the RPR mode is always RPR+.

The Cisco 10000 series router supports route processor redundancy (RPR) mode or RPR+ mode to provide fault resistance and to ensure high availability.

•In RPR mode—One performance routing engine (PRE) is active and operational while the second PRE is in standby mode waiting for the active PRE to fail so that it can take over and maintain the operation of the router.

•In RPR+ mode—The standby PRE is fully initialized and configured, which shortens the time needed to switch over to the standby PRE.

Before You Upgrade Cisco IOS Software

Before you upgrade (or downgrade) the Cisco IOS software running on the Cisco 10000 series router, save the running configuration file. In RPR mode, the router synchronizes only the startup configuration.

Upgrading to a New Software Release

For specific information about upgrading your Cisco 10000 series router to a new software release, refer to the Cisco 10000 Series Router Performance Routing Engine Installation at:

http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/hdwr/3971pr.htm

For general information about upgrading to a new software release, refer to the product bulletin Cisco IOS Upgrade Ordering Instructions.

For additional information about ordering Cisco IOS software, refer to the Cisco IOS Software Releases.

New Features—Cisco IOS Release 12.3(7)XI10

Cisco IOS Release 12.3(7)XI10 is a maintenance release and there are no new features.

For information about new features supported on the Cisco 10000 series router in other releases, see the appropriate Release Notes at:

http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/10krn/index.htm

Enhancements for Alleviating High CPU Use

Cisco IOS Release 12.3(7)XI10 introduces the following enhancements to alleviate high CPU use:

•Checking ARP Requests

•Policing and Dropping Encapsulation Diversions

Checking ARP Requests

In Cisco IOS Release 12.3(7)XI9a, Release 12.3(7)XI10, and Release 12.2(28)SB7, an enhancement was added to enable the PXF to verify ARP packets before punting them to the route processor (RP). By performing ARP sanity checking for the interface on which the request was received, the PXF can send only valid ARP requests to the RP, thereby preventing the RP from becoming overloaded with ARP requests. This enhancement is useful when an ingress Ethernet interface is used for PPPoEoX aggregation.

In earlier releases, the PXF sends all incoming ARP requests to the RP for processing. However, not all ARP requests always require processing. Under some conditions, such as the following, ARP requests are considered invalid or unneeded:

•The ingress interface does not have an IP address configured

•The ingress interface receives an ARP request with a 13-target protocol address field that is not in the same subnet as the one configured on the interface.

For example, suppose the ingress interface is configured with the following IP address:

ip address 192.168.1.1 255.255.255.0

The interface then receives an ARP request for IP address 192.168.2.20 or 172.16.2.222. The PXF forwards the request to the RP without verifying it. Because these two addresses are not in the same subnet, the ARP request is invalid and the RP drops the request.

For more information, see the following topics:

•Enabling and Disabling ARP Sanity Checking

•Restrictions for PXF ARP Sanity Checking

•Verifying Invalid ARP Requests

Enabling and Disabling ARP Sanity Checking

To enable ARP sanity checking on all interfaces, enter the following hidden command in interface or subinterface mode:

pxf arp-sanity-check

Sometimes it is necessary to disable ARP sanity checking altogether (for example, for testing purposes). To temporarily disable ARP sanity checking on all interfaces, regardless of the individual interface configuration, enter the following command in global configuration mode:

ip pxf disable-arp-sanity

---

Note These commands are available only when service internal is configured.

---

Restrictions for PXF ARP Sanity Checking

•When PXF ARP sanity checking is configured on an interface and the IP address or subnet mask of the interface changes, reconfigure the pxf arp-sanity-check command on the interface to save the new information to the PXF.

•When the PXF reloads, either by manually entering the reload command or due to a failure, the router does not automatically re-save PXF ARP sanity checking information to the PXF. After the PXF reloads, reconfigure the pxf arp sanity check command on all applicable interfaces.

Verifying Invalid ARP Requests

PXF statistics include the arp_req drop counter to identify the number of invalid ARP requests that the PXF identified and dropped. To view the PXF statistics, use the following command in privileged EXEC mode:

show pxf cpu stat drop

The following example shows sample output from the show pxf cpu stat drop command. In the example, the PXF identified and dropped 2105 invalid ARP request packets.

Router# show pxf cpu stat drop

FP drop statistics

                        packets            bytes

    generic             0                  0

    mpls_no_eos         0                  0

    fib_zero_dest       0                  0

............

    ipm_replay_full     0                  0

    arp_req             2105               126300 <<<

    bad_atm_arp         0                  0

Policing and Dropping Encapsulation Diversions

In Cisco IOS Release 12.3(7)XI10, an enhancement was introduced to police and drop encapsulation diversions (encap diverts).

All non-ARPA Ethernet packets are process-switched in Cisco IOS software and are, therefore, diverted to the RP. Some types of ARPA Ethernet packets are also diverted to the RP. If encap diverts increase rapidly, CPU use can become high. To alleviate this high CPU use, functionality was added to manage encap diverts before the PXF sends the packets to the RP.

The encap diverts enhancement adds a second route processor (RP) queue to enable rate-limited encap diverts to be tail dropped instead of being punted to the RP.

Configuring Encap Diverts Dropping

To allow encap diverts to be completely dropped before the PXF engine sends the packets to the RP, use the following command in global configuration mode:

ip pxf encap-divert drop

Limitations and Restrictions

This section describes limitations and restrictions for the following areas. Be sure to review the following limitations and restrictions before using the features in Cisco IOS Release 12.3(7)XI10:

•Binding a Service to Broadcast Interface

•Complete ID

•Controlling the Rate of Logging Messages

•DBS Extensions

•DNS Fault Tolerance

•DNS Redirection

•Frame Relay

•Full VAIs

•Half-Duplex Virtual Routing and Forwarding over Route Bridge Encapsulation

•IEEE 802.1Q-in-Q VLAN Tag Termination

•Layer 2 Tunnel Protocol Dialout

•PDSN Interworking

•Per Session Queuing and Shaping for PPPoE VLAN Using RADIUS

•PRE Network Management Ethernet Port

•Service Selection Gateway PTA MD

•RADIUS Proxy Enhancements for CHAP

•Range Command for Bind Statements

•Redundant Uplinks to the Same Service

•Scalability

•Service level ACLs

•SSG Auto Logoff

•SSG EAP Transparency

•SSG GRE

•SSG IOS NAT

•SSG L2TP

•SSG Prepaid

•Support for Classifying Hosts Based on IP Address

•Suppression of Unused Accounting Records

•Testing Performance of High-Speed Interfaces

•Unique Session ID

•VRF-Aware VPDN Tunnels

Binding a Service to Broadcast Interface

Not supported.

Complete ID

Not supported.

Controlling the Rate of Logging Messages

It is important that you limit the rate that system messages are logged by the Cisco 10000 series router. This helps to avoid a situation in which the router becomes unstable and the CPU is overloaded. To control the output of messages from the system, use the logging rate-limit command.

We recommend that you configure the logging rate-limit command as follows. This limits the rate of all messages to the console to 10 per second, except for messages with critical priority (level 3) or greater.

Router(config)# logging rate-limit console all 10 except critical

For more information, refer to the logging rate-limit command in the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3.

DBS Extensions

You must configure the AV pairs for both the high and low watermarks. Configuring only one of the AV pairs results in the watermark not being configured.

The Cisco 10000 series router only supports RADIUS Pull for automatically provisioned VCs and virtual path (VP) tunnels.

DNS Fault Tolerance

Not supported.

DNS Redirection

Not supported.

Frame Relay

The following limitations apply to the Cisco 10000 series router implementation of Frame Relay:

•The ip rtp reserve command is not supported.

•Only one priority queue per VC is allowed.

Full VAIs

Full virtual access interfaces (VAIs) are not recommended for scaling because they consume significant memory and the router cannot scale to high session counts as advertised. However, there are times when full VAIs cannot be prevented. There are some known issues with regards to counters for full VAIs and if operation is considered incorrect, a case should be logged with the Technical Assistance Center (TAC).

Before opening a TAC case, refer to the CSCsc83107 caveat to make sure the issue is not the same.

Half-Duplex Virtual Routing and Forwarding over Route Bridge Encapsulation

Half-duplex virtual routing and forwarding (HDVRF) over route bridge encapsulation (RBE) is not supported.

IEEE 802.1Q-in-Q VLAN Tag Termination

PPPoEoQ-in-Q supports a maximum of 32,000 sessions per interface.

•IP over Q-in-Q (IPoQ-in-Q) supports a maximum of 16,000 IPoQ-in-Q subinterfaces per interface.

•IPoQ-in-Q supports a maximum of 448 outer VLAN IDs.

•Multiprotocol Label Switching (MPLS) is not supported on PPPoEoQ-in-Q and IPoQ-in-Q subinterfaces.

Layer 2 Ethernet over MPLS (EoMPLS) tunneling using the xconnect command on PPPoEoQ-in-Q and IPoQ-in-Q subinterfaces is not supported.

Layer 2 Tunnel Protocol Dialout

Layer 2 Tunnel Protocol (L2TP) dialout is not supported. SSG attempts to set up the tunnel, but does not set up the VRF for tunnel services. Therefore, traffic is not forwarded to the tunnel.

PDSN Interworking

Not supported.

Per Session Queuing and Shaping for PPPoE VLAN Using RADIUS

•The router does not support per session queuing and shaping for Layer 2 Access Concentrator (LAC) or L2TP Network Server (LNS) sessions. For LNS sessions, the router executes a session-level policy and any policies on the inbound and outbound interface.

•The QoS-related statistics available using the show policy interface command are not available using RADIUS.

•The router does not support using a virtual template interface to apply a service policy to a session.

•You can only apply per session queuing and shaping policies as output service policies. The router supports input service policies on sessions for other existing features, but not for per session queuing and shaping for PPPoE over VLAN using RADIUS.

•During periods of congestion, the router does not provide specific scheduling between the various PPPoE sessions. If the entire port becomes congested, the scheduling that results has the following effects:

–The amount of bandwidth that each session receives of the entire port's capacity is not typically proportionally fair share.

–The contribution of each class queue to the session's total bandwidth might not degrade proportionally.

•Including the ATM overhead in the shaping rate is not a user-configurable option. Whenever you apply a queuing service policy to a session, the router includes the ATM overhead in the queue and shape rates.

•The shaping rates on the router might be lower than the actual rate of the ATM link. This is because a networking device between the router and the subscriber's ATM link removes portions of the Ethernet frame (for example, a device removes the VLAN tags). The exact amount depends on the distribution of transmitted packet sizes.

---

Note The ATM overhead calculation includes the size of the Ethernet frame (the packet segment), including all VLAN tags.

---

•The router does not support the configuration of the policy map using RADIUS. You must use the modular QoS (MQC) command line interface (CLI) to configure the policy map on the router.

PRE Network Management Ethernet Port

Ensure that the Fast Ethernet, Network Management Ethernet (NME) port on the PRE is configured for auto-negotiation mode, which is the system default. Duplex mode can cause problems, such as flapping. If the port is experiencing such problems and has been configured for duplex mode, use the no half-duplex or no full-duplex command to disable duplex mode.

The interface should only be used for system management. Do not use this interface for operations such as Telnet and SNMP. The interface used for system management cannot terminate PPPoE or L2TP sessions.

Service Selection Gateway PTA MD

The Service Selection Gateway (SSG) PTA-MD is a form of Layer 2 switching. In the SSG implementation the host's PPP session is terminated by the access provider, but it may be logically associated with a particular service. Packets to and from the host are not routed normally but switched to and from the network to which the host is associated. This functionality is provided by designating the network-side interfaces as being associated with a service. The control plane then binds a host with a particular service based on service selection. This feature has evolved such that VRFs are used to ensure a host's packets are forwarded to and from the interface associated with the service to which they are bound.

If a network-side interface is designated as being associated with a service it is then bound to a VRF. Likewise, if a host subscribes to that same service it is also bound to that same VRF.

Packets to and from the host and to and from the network-side interface are routed within the same VRF. Therefore, packets to and from the host always traverse the service they have subscribed to first, regardless of the ultimate destination or original source.

A host cannot be connected to multiple services that are in different VRFs simultaneously.

RADIUS Proxy Enhancements for CHAP

Not supported.

Range Command for Bind Statements

To configure a non-PPP user as an SSG user, bind the interface as downlink or uplink by using the ssg direction command in subinterface configuration mode. The command syntax is:

ssg direction {uplink | downlink}

For example:

Router(config)# interface atm 5/0/1.15

Router(config-subif)# ssg direction downlink

Router(config-subif)# interface atm 5/0/1.16

Router(config-subif)# ssg direction uplink

---

Note Note The ssg direction command also applies to range commands.

---

When you bind an interface to a direction, traffic is routed through SSG features and processing. If you do not bind an interface to a direction, the interface is a transparent passthrough interface and traffic is routed through normal Cisco IOS features processing.

Redundant Uplinks to the Same Service

Not supported.

Scalability

If you configure on-demand PVCs (individual and within a range) and PPP sessions, route processor (RP) CPU use can be high when bringing up and tearing down sessions and PVCs. This is only a concern when the configuration contains approximately 30,000 PPP sessions, and additional services such as Dynamic Bandwidth Selection (DBS), ACLs, and service policies are enabled.

---

Note Do not configure more than 1500 VCs under a multipoint interface. Exceeding this recommended limit can cause very high CPU use.

---

To reduce the RP CPU usage for PPPoA sessions, reduce the number of configured PVCs in a single subinterface. To reduce the RP CPU usage for PPPoEoA sessions, use the call admission control call admission limit command.

Service level ACLs

Service ACLs cannot be applied to a connection. If this occurs, the connection remains active, but the ACLs have no effect.

SSG Auto Logoff

Use only one method of SSG auto logoff at a time: ARP ping or ICMP ping. ARP ping works only on hosts that have a MAC address.

SSG EAP Transparency

Not supported.

SSG GRE

You cannot configure GRE tunneling type interface as an SSG uplink interface.

SSG IOS NAT

Network address translation (NAT) functionality is not supported. This means that the router does not support concurrent access to multiple services for which the services, not the access provider, must assign the user's IP address.

SSG L2TP

Neither SSG acting as a PPP client proxy with LAC nor PPP session in L2TP getting SSG processing is supported.

SSG Prepaid

The SSG Prepaid feature has the following restrictions:

· Quotas are measured in seconds. You cannot change the unit of measure.

· The Cisco 10000 series router supports only time-based SSG Prepaid for a service connection.

Support for Classifying Hosts Based on IP Address

Not supported.

Suppression of Unused Accounting Records

Not supported.

Testing Performance of High-Speed Interfaces

Cisco IOS software running on the Cisco 10000 series router has multiple queues for all classes of traffic over high-speed interfaces. The software selects a queue based on the source and destination address for the packet. This ensures that a traffic flow always uses the same queue and the packets are transmitted in proper order.

When the Cisco 10000 series router is installed in a real network, the high-speed interfaces work efficiently to spread traffic flow equally over the queues. However, using single traffic streams in a laboratory environment may result in less-than-expected performance.

Therefore, to ensure accurate test results, you should test the throughput of the Gigabit Ethernet, Packet over SONET (POS), or ATM uplink with multiple source or destination addresses.

---

Note To determine if traffic is being properly distributed, use the show hardware pxf cpu queue command.

---

Unique Session ID

Not supported.

VRF-Aware VPDN Tunnels

The Virtual Routing and Forwarding (VRF)-Aware VPDN Tunnels feature can only be used with Layer 2 Tunnel Protocol (L2TP) on the L2TP Access Concentrator (LAC). The reason is that the Cisco 10000 series router can only initiate tunnels in a VRF; it cannot terminate tunnels that arrive in a VRF. Therefore, this feature does not apply to the Cisco 10000 series router when the router is acting as the L2TP Network Server (LNS) because the Cisco 10000 series router, as the LNS, cannot terminate tunnels that arrive in a VRF.

For the multihop configuration, the ingress tunnel also needs to arrive in the global routing table, but the tunnel can be switched out into a VRF towards the final LNS destination.

Important Notes

This section provides important information about the following topics:

•Configuring the aaa new-model Command

•Enhancing Scalability of Per-User Configurations

•Inserting a New Line Card

•Provisioning for Scaling

•Deferrals

Configuring the aaa new-model Command

The aaa new-model command is disabled by default on the Cisco 10000 series router. In previous releases, the default configuration did not appear in the running configuration file. However, in Cisco IOS Release 12.3(7)XI1 or later releases, the running configuration file now includes the no aaa new-model command. This is an intentional change in behavior for this command and is the first step in a 3-step process to change the default configuration to aaa new-model.

---

Note This change in behavior differs from Cisco IOS software, which typically does not include default configurations in the running configuration file.

---

For example, when you enter the show running-config command, no aaa new-model appears in the configuration if either of the following conditions previously occurred:

•You did not configure the aaa new-model command on the router and instead accepted the default configuration of the file: no aaa new-model.

•You entered the no aaa new-model command to remove the previously configured aaa new-model command.

Enhancing Scalability of Per-User Configurations

To enhance scalability of per-user configurations without changing the router configuration, use the ip:vrf-id VSA and ip:ip-unnumbered RADIUS attributes. These per-user vendor specific attributes (VSAs) are used to map sessions to VRFs and IP unnumbered interfaces. The VSAs apply to virtual access subinterfaces and are processed during PPP authorization.

In releases earlier than Cisco IOS Release 12.2(16)BX1, the lcp:interface-config RADIUS attribute is used to map sessions to VRFs. This per-user VSA applies to any type of interface configuration, including virtual access interfaces. Valid values of this VSA are essentially any valid Cisco IOS interface command; however, not all Cisco IOS commands are supported on virtual access subinterfaces. To accommodate the requirements of the lcp:interface-config VSA, the per-user authorization process forces the Cisco 10000 series router to create full virtual access interfaces, which consume more memory and are less scalable.

In Cisco IOS Release 12.2(16)BX1 and later releases, the ip:vrf-id VSA is used to map sessions to VRFs. Any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install IP configurations on the virtual access interface that is to be created. PPP that is used on a virtual access interface to be created requires the ip:ip-unnumbered VSA. An Internet Protocol Control Protocol (IPCP) session is not established if IP is not configured on the interface. You must configure either the ip address command or the ip unnumbered command on the interface so that these configurations are present on the virtual access interface that is to be created. However, specifying the ip address and ip unnumbered commands on a virtual template interface is not required because any pre-existing IP configurations are removed when the ip:ip-vrf VSA is installed on the virtual access interface. Therefore, any profile that uses the ip:vrf-id VSA must also use the ip:ip-unnumbered VSA to install IP configurations on the virtual access interface that is to be created.

These per-user VSAs can be applied to virtual access subinterfaces; therefore, the per-user authorization process does not require the creation of full virtual access interfaces, which improves scalability.

Setting VRF and IP Unnumbered Interface Configurations in User Profiles

Although the Cisco 10000 series router continues to support the lcp:interface-config VSA, the ip:vrf-id and ip:ip-unnumbered VSAs provide another way to set the VRF and IP unnumbered interface configurations in user profiles. The ip:vrf-id and ip:ip-unnumbered VSAs have the following syntax:

Cisco:Cisco-AVpair = "ip:vrf-id=vrf-name"

Cisco:Cisco-AVpair = "ip:ip-unnumbered=interface-name"

Specify only one ip:vrf-id and one ip:ip-unnumbered value in a user profile. However, if the profile configuration includes multiple values, the Cisco 10000 series router applies the value of the last VSA received, and creates a virtual access subinterface. If the profile includes the lcp:interface-config VSA, the router always applies the value of the lcp:interface-config VSA, and creates a full virtual access interface.

Each time you specify a VRF in a user profile, but you do not configure the VRF on the Cisco 10000 series router, in Cisco IOS Release 12.2(15)BX, the router accepted the profile. However, in Cisco IOS Release 12.2(16)BX1 and later releases, the router rejects the profile.

Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template

You can specify one VSA value in the user profile on RADIUS and another value locally in the virtual template interface. The Cisco 10000 series router clones the template and then applies the values configured in the profiles it receives from RADIUS, resulting in the removal of any IP configurations when the router applies the profile values.

Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs

The requirement of a full virtual access interface when using the lcp:interface-config VSA in user profiles can result in scalability issues, such as increased memory consumption. This is especially true when the Cisco 10000 series router attempts to apply a large number of per-user profiles that include the lcp:interface-config VSA. Therefore, when updating your user profiles, we recommend that you redefine the lcp:interface-config VSA to the scalable ip:vrf-id and ip:ip-unnumbered VSAs.

Example 1 shows how to redefine the VRF named newyork using the ip:vrf-id VSA.

Example 1 Redefining VRF Configurations

Change:

Cisco:Cisco-Avpair = "lcp:interface-config=ip vrf forwarding newyork"

To:

Cisco:Cisco-Avpair = "ip:vrf-id=newyork"

Example 2 shows how to redefine the Loopback 0 interface using the ip:ip-unnumbered VSA.

Example 2 Redefining IP Unnumbered Interfaces

Change:

Cisco:Cisco-Avpair = "lcp:interface-config=ip unnumbered Loopback 0"

To:

Cisco:Cisco-Avpair = "ip:ip-unnumbered=Loopback 0"

Inserting a New Line Card

Unlike other Cisco routers, if you insert a new or different line card into a Cisco 10000 series router chassis slot that previously had a line card installed, the line card initially reports that it is administratively up.

Provisioning for Scaling

The following configuration parameters enhance scalability on the Cisco 10000 series router:

•PPPoA Sessions with IP QoS Static Routes

•AAA Authentication on the NME Port

•Call Admission Control

To configure the Cisco 10000 series router for high scalability, be sure to configure the configuration parameters as described in the sections that follow.

For more information, refer to the Cisco 10000 Series Broadband Aggregation, Leased-Line, and MPLS Configuration Guide.

PPPoA Sessions with IP QoS Static Routes

To scale to 32,000 PPPoA sessions with IP QoS enabled, you must limit the number of IP QoS static routes to 4,000 unidirectional QoS static routes.

AAA Authentication on the NME Port

If you use AAA authentication on the network management (NME) port, set both the in and out interface hold queues to 4096; for example:

Router(config)# int fa 0/0/0

Router(config-if)# hold-queue 4096 in

Router(config-if)# hold-queue 4096 out

Call Admission Control

We recommend that you set the Call Admission Control (CAC) to a maximum of 95; for example:

Router(config)# call admission limit 95

Deferrals

Cisco IOS software images are subject to deferral. To determine if your software release is affected, we recommend that you view the deferral notices at:

http://www.cisco.com/public/sw-center/sw-ios-advisories.shtml

Caveats for Cisco IOS Release 12.3(7)XI10

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats section of this document.

This section contains open and resolved caveats for the current Cisco IOS maintenance release.

All caveats in Cisco IOS Release 12.3 and Cisco IOS Release 12.3 T that apply to the Cisco 10000 series are also in Cisco IOS Release 12.3(7)XI10.

For information on caveats in Cisco IOS Release 12.3, see Caveats for Cisco IOS Release 12.3.

For information on caveats in Cisco IOS Release 12.3 T, see Caveats for Cisco IOS Release 12.3 T, which lists severity 1 and 2 caveats and select severity 3 caveats and is located on Cisco.com.

---

Note If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Products and Services: Cisco IOS Software: Cisco IOS Software Releases 12.2: Troubleshooting: Bug Toolkit. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl.  (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect is marked Cisco Confidential.)

---

The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this document.

Open Caveats—Cisco IOS Release 12.3(7)XI10

This section describes caveats that are open in Cisco IOS Release 12.3(7)XI10.

CSCdk65707

After you issue the no router bgp command, the following error message may occur:

%SYS-2-CHUNKSIBLINGS: Attempted to destroy chunk with siblings, chunk... 

There is no observable consequence on the router behavior.

There are no known workarounds.

CSCdt94857

High impact commands or commands used in high scaling environments impact scaling by increasing CPU cycles, increasing boot time, and decreasing control plane run-time efficiency.

There are no known workarounds.

CSCdy19642

Performance counters under the VT1.5, T3, VT2 controllers for DS1/E1 are not updated/displayed correctly.

There is no known workaround.

CSCdy44066

When Single router-APS (SR-APS) is configured on 1-Port Channelized OC12/STM-4 line cards. If an APS switchover is executed, the controller state in the show aps command output shows as SignalFail.

There are no known workarounds.

CSCdy45049

When scaling over 3000 serial interfaces, line rate traffic may not be achieved. This problem occurs when thousands of serial interfaces (PPP or HDLC) are used on the port and line rate traffic is sent through all interfaces.

There are no known workarounds.

CSCdz40002

When you remove Automatic Protection System (APS) and then re-activate it, traffic convergence after an APS switchover takes longer than 2 seconds.

There are no known workarounds.

CSCea63115

When you enter the redundancy force-failover main-cpu privileged EXEC command on a router that is configured with two Performance Routing Engines (PREs), an automatic protection system (APS) switchover occurs on OC-12 Packet-over-SONET (POS) line cards, which is incorrect behavior.

This problem occurs when APS is configured on OC-12 POS line cards in two different Cisco 10000 series routers that are connected back-to-back and you enter the following sequence of commands:

1. Enter the aps force pos slot/subslot/port from working interface configuration command on both routers.

2. Enter the show aps EXEC command. The output displays the active channels for both routers.

3. Enter the redundancy force-failover main-cpu privileged EXEC command on one of the routers, causing an APS switchover to occur on this router.

There are no known workarounds. However, when problem occurs, there is no loss of data.

CSCea63638

When Automatic Protection Switching (APS) is enabled, if you issue the hw-module reset command on the primary APS slot, no change is observed because the router does not switch to the secondary APS slot. This problem occurs when the hw-module reset command is issued.

There are no known workarounds.

CSCec13372

The router can generate wrong or misleading sub-pool or global pool flooding messages when up or down thresholds for MPLS TE resource availability (bandwidth) are crossed. The configured thresholds for MPLS TE resource availability are crossed when defining bandwidth on the MPLS tunnel interface reserved on the physical interface/subinterface.

There are no known workarounds.

CSCec37207

On Cisco 10000 series routers running in PPP Termination and Aggregation mode, PPPoEoA sessions using bandwidth queues drop packets if a priority queue is also configured in the policy map. When there is traffic sent to priority queue, all other queues can drop packets below line rate if the traffic consists of small packets.

There are no known workarounds.

CSCec42315

When scaling to 12,000 Frame Relay DLCI interfaces, line rate traffic may not be achieved. This problem occurs when thousands of Frame Relay DLCIs are used on the port and line rate traffic is sent through all interfaces.

There are no known workarounds.

CSCec42451

The RIP routing protocol does not function properly over VLAN interfaces with IP unnumbered.

There are no known workarounds.

CSCec43937

ATM VP tunnel of 10Mb does not shape the traffic to the exact speed. There are violated cells on a connected ATM switch witch is policing the traffic.

Workaround: Lower the configured speed to 9999 Kbps to ensure the tunnel speed.

CSCec48111

When sending 64 byte packets through 300 serial interfaces or more, line rate traffic may not be achieved. This problem occurs with 64 byte packets and a large number of interfaces.

There are no known workarounds.

CSCec66364

Cisco 7301 router takes too long to boot up. About 4 to 5 minutes.

There are no known workarounds.

CSCec80927

Call setup rate slower is for a particular configuration running on Cisco Release 12.3(6)TX image compared with Cisco Release 12.2(16)BX. If the mtu command is added to the virtual template for sessions, the command processing for the command takes significantly longer on Cisco Release 12.3(6)TX image as compared to Cisco Release 12.3(16)BX image.

Workaround: Remove the mtu command from the virtual template configuration.

CSCec85628

Outgoing traffic is above VP speed on an 8-port E3/D3 ATM line card. For this problem to occur, the total SCR value of all VBR-nrt VCs in a VP is above 80 percent of the VPs PCR value but still smaller than the total VP bandwidth (PCR). All the VCs should be overdriven by outgoing traffic.

There are no known workarounds.

CSCed03248

The CLI error "IP address is already defined as an interface" appears when the address is not used anywhere in the running configuration. The error occurs when the IP address was used by a serial interface and the interface was removed or unconfigured from the system.

Workaround: Use the no ip address command before removing a serial interface or use a different IP address (if possible).

CSCed17570

When using thousands of QoS queues with WRED configured in each queue, a traceback message can appear when you execute the microcode reload pxf command. The traceback message appears only when thousands of PXF queues are configured with random-detect enabled and the microcode reload pxf command is issued.

There are no known workarounds.

CSCed19311

When SSG ARP auto logoff feature is configured, certain users may not get logged off with the feature. User logging off using SESM or other means do not get affected.

Workaround: Configure ICMP ping logoff. Upgrade the code to the appropriate version.

CSCed20626

Exec process shows high CPU usage. This is caused by the dir all command, probably due to the attempted accesses to the secondary's PCMCIA slots.

There are no known workarounds. The router continues to function, but the console is unusable for a short while (10-30 seconds). Alternatively, use the command: dir device command only for known good device names.

CSCed54867

The input service policy does not match traffic as shown by the show policy-map interface command if there is no action associated for that class.

Workaround: Use the set or police command to define a policy action.

CSCed59185

When you apply the following example configuration to an output interface that is MPLS enabled, and send traffic from the CPU of the local router (ping other routers or hosts), the traffic is not policed by the policy map.

policy-map exp2cos 

class exp0 

set cos 1 

class exp1 

police 104000 5000 150800 conform-action transmit exceed-action drop 
violate-action drop 

class exp2 

This problem only affects the traffic from the router CPU, and does not affect traffic passing through the router.

There are no known workarounds.

CSCed62503

When you apply a policy map to a tunnel interface on a router configured with a PRE2 processor, a traceback message appears. This problem occurs when the policy map is applied to a tunnel interface.

There are no known workarounds.

CSCed65349

When you configure 2,000 PPP interfaces, traffic does not reach 99 percent of the line rate after performing 4 HA RPR switchovers. The traffic rates keep fluctuating.

There are no known workarounds.

CSCed68868

A traceback message appears when you unconfigure the spoke PE router configured for half-duplex VRF over PPPoE. This problem occurs with 32,000 PPPoE sessions and 40 spoke VRFs, therefore, scaling to high values.

There are no known workarounds.

CSCed70202

A traceback message appears when you unconfigure the hub PE router configured for half-duplex VRF. This problem occurs with 32,000 sessions therefore, scaling to high values.

There are no known workarounds.

CSCed71107

When 2 time-based ACLs are configured to deny traffic at the same time and are applied to different interfaces, one of the ACLs fails to work properly.

There are no known workarounds.

CSCed72023

Excessive CPU use is detected for 5 minutes after unconfiguring half-duplex VRF with a large number of PPPoE user sessions. This problem occurs with 32,000 PPPoE sessions therefore, scaling to high values.

There are no known workarounds.

CSCed72338

The system allows non-nested queuing policy maps to be applied using the frame-relay map-class command on Frame Relay main interfaces and subinterfaces; it should not allow such policy maps to be configured.

There are no known workarounds.

CSCed86371

The Automation Protection Switching (APS) active state does not stay with the lowest active odd port after a PRE switchover.

There are no known workarounds.

CSCed88782

The secondary port does not go to a working state during a signal degrade of the primary port using threshold SON ERR RAT 1e-6.

Workaround: Set the BIP threshold to 6; do not set the BIP threshold to 7.

CSCee02536

When configuring MPLS Layer 3 VPN, the PXF CEF/FIB table can hold up to 4,085 VRFs, although it is designed to hold 4,095 VRFs. If more than 4,085 VRFs are configured, 10 of those VRFs do not have an entry in the PXF CEF/FIB table, so traffic is not forwarded in those 10 VRFs.

There are no known workarounds.

CSCee03801

After you issue the clear ip bgp * command, a Cisco 10000 series router takes longer than 30 minutes to achieve convergence. eBGP sessions between PE and CE routers can go up and down multiple times, and the IGP routing protocol and LDP session can also go down and up again.

These problems occur under the following conditions:

•4,095 VRFs are configured on a router

•500 eBGP sessions are established between the router (PE) and CE routers

•540 VRF routes per VRF in the 500 VRFs that are running eBGP between PE and CE routers

•40 VRF routes per VRF in the rest of 3595 VRF

There are no known workarounds.

CSCee06089

When you apply a nested policy map using the bandwidth command in the child policy map to a POS OC-48 interface, PXF stops responding. This problem occurs when you allocate a small amount of bandwidth, and it only occurs on POS OC-48 interfaces.

Workaround: Allocate more bandwidth in the child policy map.

CSCee14864

Policing under a created queue, when attached at an MLP interface, accounts for only 2 bytes of the L2 header, so that policing is done at a higher rate than configured. This can cause a problem with priority queue CBWFQ functionality because the priority queue is configured with policing and its dequeue rate can be higher than intended.

Workaround: Do not configure policing under a created queue.

CSCee15674

When broadband PTA is configured with 114,000 queues, executing the microcode reload pxf command causes the ATM interface to display a big number of total output drops.

Workaround: Clear the counters.

CSCee20418

If the you change the amount of intercepted streams from 8 to 2 streams, the wrong amount of packets is intercepted. This occurs in Lawful Interception scenarios.

There are no known workarounds.

CSCee25615

This problem occurs when almost all the system resources (VCCI) are in use, after an OIR (slot reset) is issued, and in the OC-3 ATM line card. The reason it occurs in the OC-3 ATM line card is that it happens in an ATM line card with multiple ports. The symptom is that all the sessions in the same port stop passing traffic after OIR.

There are no known workarounds.

CSCee27630

A low-bandwidth class can be allocated more than its share of bandwidth at the expense of a high-bandwidth class. This problem occurs when the ratio of the configured bandwidths between two data classes is high (8:1 or higher) and when there is a priority class that receives traffic at (at least) 20 percent of the line rate. The traffic that is received by the data classes should be in the ratio of the configured bandwidths.

There are no known workarounds.

CSCee42746

When using multiple intercepts in Lawful Intercept mode, the MIB information is not completely cleared after intercepts are cleared from SNMP. This problem occurs when 35 or more streams are intercepted at the same time.

Workaround: Use Cisco IOS to delete the stream that was not deleted by SNMP.

CSCee44273

The show activity line card debug command shows the VC configuration from the perspective of the line card, but the autovc information is not shown. Also, after you delete or create an auto-VC, the counter is inaccurate.

There are no known workarounds.

CSCee45306

With 40 or more intercept streams in Lawful Intercept mode, the LI engine fails to intercept correctly for UDP traffic. This problem occurs when 40 or more streams are intercepted at the same time.

There are no known workarounds.

CSCee45378

When intercepting streams at 5 Mbps or above in Lawful Intercept, the router CPU runs at about 78 percent of capacity. This problem occurs when 35 or more streams are intercepted at the same time.

There are no known workarounds.

CSCee50060

A Cisco 10000 series router with PPPoA VCs can, under abnormal conditions (such as a denial-of-service attack involving the sending of PPPoA data packets before the PPPoA session is up), experience heavy RP CPU use. The router with PPPoA VCs can forward PPPoA data packets for non-existent sessions.

This problem occurs when PPPoA data traffic is sent before the session reaches the PTA forwarded state. A normal PPPoA client does not send traffic before the session is up.

Workaround: Configure RPF on all ATM subinterfaces containing PPPoA sessions. The subinterface should have an RPF check in addition to using an RPF check in the virtual template. Configuring RPF on the subinterface forces all PPPoA data traffic to be dropped by the PXF before the session reaches the PTA forward state.

CSCee54408

When the 1-port channelized OC-12 line card uses SDH framing, the Path Trace Buffer is unstable for au3 mode. This problem occurs only with SDH framing; the Path Trace Buffer is stable with SONET framing.

There are no known workarounds.

CSCee54426

When the 1-port channelized OC-12 line card uses SDH framing, the J1 Path trace message is not received. This problem occurs only with SDH framing. The J1 Path Trace message is received when SONET framing is used.

There are no known workarounds.

CSCee54473

A loss of frame (LOF) alarm appears for a T1 when framing a Super Frame (SF) that is configured on both ends. This problem occurs when you configure T1 1 framing sf under AU-3 on a 1 port channelized OC-12 line card.

There are no known workarounds.

CSCee54971

The show policy-map interface command output does not display the Layer 2 frame size correctly. The actual output policing rate is 6.6 percent higher than the configured policing rate on gigabit Ethernet and POS OC-48 interfaces. The problem occurs when a police command is configured in a policy map, and the policy map is applied to a gigabit Ethernet or POS OC-48 interface as an output policy map.

Workaround: Use shaping instead of policing.

CSCee57219

The set cos command in an output policy map applied to a VLAN subinterface does not work if the outgoing traffic is MPLS packets (with MPLS labels). The problem occurs when outgoing traffic is MPLS packets.

There are no known workarounds.

CSCee57357

When scaling Frame Relay DLCIs on routers running Cisco IOS Release 12.3(7)XI, traceback messages can appear on the console when bringing up the high number of DLCIs. This problem occurs when there are more than 3,000 DLCIs on the interface.

There are no known workarounds.

CSCee58454

On a router running Cisco 12.3(7)XI, if the LAC tries to redirect a call to the bid-winning LNS and fails after three attempts, a new RADIUS disconnect cause code with the value as 608 is not being sent to RADIUS by the LAC.

There are no known workarounds.

CSCee60038

When a proxy service profile defined with V and X attributes is configured locally on the router, which is enabled to run SSG, an SSG host cannot activate the service it has been subscribed to.

There are no known workarounds.

CSCee60101

ALIGN-3 traceback messages are displayed while running regression tests on a channelized OC-12 line card with SONET 768 encapsulation with E1 framing. This problem does not seem to affect the functionality of the card.

There are no known workarounds.

CSCee61067

In 2-level policy map configurations using a parent shaper, the shaped traffic rate might not be within plus or minus 1 percent of the configured value. This problem occurs with certain parent shaper values and mostly small packet sizes.

There are no known workarounds.

CSCee61485

Several PIM-related messages appear on the console when you remove, then re-apply a PIM configuration on the interface. This problem occurs when the removal and re-application of the configuration is done in a rapid manner.

There are no known workarounds.

CSCee61502

When configuring an MLPPP interface on a redundant system, the standby PRE adds the no ip route-cache cef interface command to multilink interfaces. This additional line causes the system to generate the following error when the new standby PRE is reloaded:

May 19 13:20:47.222 EDT: %REDUNDANCY-3-CONFIG_SYNC: Active and Standby bulk configuration 
out of sync

Workaround: Remove the no ip route-cache cef command from each multilink interface.

CSCee62159

Actual output and expected output for packet 1 does not match at nibble 8. This packet (packet_no 1, fragment_no : 1) is received in the wrong order. Other packets are also received in the wrong order. This problem occurs with the bootflash:c10k2-p11-mz.v123_7_xi_throttle.040510 image and the test is passed with Feb17 bba image.

There are no known workarounds.

CSCee63636

MPLS:Traceroute does not show Labels being switched-propagate-ttl ON.

There are no known workarounds.

CSCee64067

Traffic is not forwarded to an RBE client in a VRF. This problem occurs when an RBE client that does not respond to ARP requests, exists in a MPLS VPN. A static ARP entry for the client must be configured on the access router but the traffic is still not forwarded due to this problem

There are no known workarounds.

CSCee65789

A 4 percent packet drop is seen for various packet sizes over a 1-port channelized OC-12-SDH interface when running performance/scalability tests.

There are no known workarounds.

CSCee66066

BERT testing over a clear channel DS3 interface for the 1-port channelized OC-12 line card fails as a result of the DS3 interface, which remains in a down state.

There are no known workarounds.

CSCee66091

During SNMP polling of the AAA Server MIB, the casDeadCount variable can cause high CPU usage on the router. This problem occurs with a large number of RBE interfaces (16,000) and bi-directional traffic running.

There are no known workarounds.

CSCee66314

In Lawful Intercept mode a traceback message might appear on the Intercept Access Point (IAP) router when the interface to the mediation router is shut down. This problem occurs when traffic is sent through the IAP and interception is turned on.

There are no known workarounds.

CSCee68404

If a PRE2 is in the early process of booting up, sometimes the SEND-BREAK character sequence can cause the router to reload instead of gracefully dropping back into ROMMON. This problem occurs when the PRE2 is in the early stages of the boot process and the SEND-BREAK is issued. If the PRE2 is already booted up, this is not an issue.

Workaround: To gracefully drop the PRE2 into ROMMON, if the configuration register is set to accept SEND-BREAK, wait until the PRE2 is fully booted.

CSCee68480

Priority queue latency can exceed the threshold of 2MTU+6msec. This problem occurs when more than 3 queues are configured on a interface, in addition to the priority queue.

There are no known workarounds.

CSCee72919

AAA accounting records for a PPPoA session terminated on a Cisco 10000 series router in a PTA fashion shows repeated entries for the Framed-Route attribute (attribute 22).

There are no known workarounds.

CSCee72931

When a PPPoA session is cleared on the PTA router using the clear pppatm interface ATM X/Y/Z.A command or the clear int virtual-access command, the accounting stop record does not display the Octet and Packet counters. This problem occurs only when the session is cleared on the PTA router. If the user disconnects the session, the counters are displayed correctly.

There are no known workarounds.

CSCee78728

Sometimes an ALIGN Traceback message displays for broadband PTA queue scaling after issuing a microcode reload PXF command.

There are no known workarounds.

CSCee78849

During a broadband PTA queue scaling traffic test, one-third of the subinterfaces' policy-map counters displayed a big number after issuing the microcode reload pxf command.

Workaround: Clear counter.

CSCee81270

When a source sends packets to a destination under the TCP protocol, the destination sends an echo response back to the sender. With the intercepting router configured to intercept "all", those echo packets should also be picked off. This does not occur.

There are no known workarounds.

CSCee83019

Malloc seen on reload 7300 when CDP is enabled.

Workaround: Disable CDP using the no cdp run command.

CSCee86091

The show version command does not display the bootloader image name.

There are no known workarounds.

CSCee88327

When the ipv6 multicast-routing command is configured on a router with 1000 sub-interfaces.

There are no known workarounds.

CSCee90904

In the presence of a large number of static routes (16,000- 32,000), line card flap/ router reload/OIR cause high CPU usage for a long period of time.

There are no known workarounds.

CSCee93055

When clearing a PPPoE session using the clear pppoe all or clear interface virtual-access x.y command, the router displays the following messages:

XCM access error at ../toaster/c10k_rp/c10kds2_qos.c (4888) Jun 23 12:34:12.587: 
c10k_ttcm_read: Invalid Address 3FC110A4

This problem occurs when the ATM interface VC is configured with the protocol pppoe and dbs enable (Dynamic Bandwidth Selection) commands.

There are no known workarounds.

CSCee95619

Attribute 1 User-Name is not included in Stop records from LNS. This problem occurs when the LNS router runs the 12.3(5a)B image.

There are no known workarounds.

CSCee96582

With broadband multipoint 31,500 PVCs with 30,000 sessions up, 126,000 queues, and you add a class with the set command in an output policy map on the fly, the router hangs for a long time then stops responding. This problem occurs with broadband multipoint PVCs with 30,000 sessions up, 120,000 queues, then you add a class with the set command in a policy map on the fly.

There are no known workarounds. With a large number of sessions and queue scaling, avoid changing policy map on the fly.

CSCef00808

The show pxf cpu stat security command shows incorrect statistics when Legal Intercept is configured along with time-based or regular access lists. This problem occurs only if Legal Intercept and access lists are configured and are interoperating.

There are no known workarounds.

CSCef08967

The WRED sampling frequency is too slow, which can cause jitter for the overall algorithm.

There are no known workarounds.

CSCef14249

When sending traffic with 1,024 byte large size packets over 120,000 queues with 80 percent OC-12 ATM line rate, traffic drops 10 percent due to buffer_low packet drop. This problem occurs when 120,000 queue scaling is configured with only large packet size traffic.

There are no known workarounds. Send traffic with mixed size packets, tending to small packets.

CSCef15141

On Cisco 10000 series routers running Cisco IOS Release 12.3(7)XI, the Priority Queue latency values (in milliseconds) is higher than 2*MTU + 6ms on 4Mbps and 8Mbps sub rates of the 8-port E3/DS3 line card.

There are no known workarounds.

CSCef17801

When configuring over 2,000 Frame-Relay DLCI interfaces on a 1-port channelized OC-12 line card, the router's CPU runs over 30 percent of its capacity. This problem occurs only if the number of Frame-Relay sub-interfaces is over 2,000.

There are no known workarounds.

CSCef18947

The show vlans command does not report the correct statistics when a second CPU is enabled on Cisco 7301 NPPEG1 platforms.

Workaround: Disable the second CPU, however, this affects performance.

CSCef19259

If autovc is configured, traceback messages can occur when an ATM VC is deactivated.

There are no known workarounds.

CSCef20523

PPPoEoA sessions using CBWFQ experience BQ drops. In some cases, when aggregate traffic is near the VC rate, the BQ tail drops packets. This problem appears with low bandwidth VCs, in this case 196 kbps.

Workaround: Changing the queue-limit using the policy map and/or the VC queue depth will improve the result.

CSCef24008

When using a 4-port channelized OC-3 line card and 300 or more VT T1 interfaces are configured with PPP encapsulation, some T1 links do not achieve full traffic line rate. This problem occurs when all 300+ interfaces are sending traffic at line rate concurrently.

There are no known workarounds.

CSCef24551

When running Automated Protection Switching (APS), the router can experience traffic loss after the hw-module slot x reset command is executed.

Workaround: Avoid executing hw-module slot x reset.

CSCef27202

On Cisco 10000 series routers running in PTA mode, a high CPU usage message appears if you execute the show vpdn session command when there are more than 30,000 sessions active. This problem occurs if the number of active sessions is large.

There are no known workarounds.

CSCef27221

When a router runs as a LAC and the rate at which PPPoA sessions are established is high, some sessions may not be established and the router can display an error message on the console. This problem occurs when 30,000 PPPoA sessions or more are established at high rate, such as when the ATM link to the DSLAM is restored after a link failure.

Workaround: Reduce the call admission rate for the PPPoA sessions.

CSCef27417

Output drops can be erroneously reported on the ATM OC-12 interface upon reloading the router and without any traffic sent or received on the interface. The output drops interface counter may also report invalid non-zero values with a light traffic load on the interface (PPPoX session establishment). This problem occurs when a high number of VCs is configured on the interface.

There are no known workarounds.

CSCef27539