This Product Bulletin introduces Cisco IOS Software Release 12.2SB and includes the following sections:
1) Cisco IOS Software Release 12.2SB Introduction
2) Release 12.2(33)SB Highlights
3) Release 12.2(31)SB2 Highlights
4) Release 12.2(28)SB Highlights
5) Release 12.2SB Additional Information
1) Cisco IOS Software Release 12.2SB Introduction
Cisco IOS®Software Release 12.2SB integrates leading-edge Broadband Aggregation and Subscriber Services, Leased Line Aggregation, and MPLS Provider Edge functionality on a comprehensive portfolio of midrange routers, including the Cisco 7200, 7301, 7304, and 10000 Series Routers.
Developed for Service Provider edge aggregation, Release 12.2SB leverages the infrastructure innovation and technology leadership in the Release 12.2S family to deliver the very latest advances in High Availability (HA), MPLS and VPNs, Quality of Service (QoS), and next generation Broadband subscriber and service control with the Cisco Intelligent Services Gateway (ISG). These enhancements allow Service Providers to deliver value-added subscriber services to both business and residential customers across a variety of access technologies. These services enable higher-margin revenue streams while also helping Service Providers to attract and retain new and existing subscribers.
Releases 12.2(33)SB, 12.2(31)SB2, and 12.2(28)SB are available from Cisco.com. Release 12.2(33)SB, the latest release of Release 12.2SB, includes support for more than 50 new Cisco IOS Software features and new hardware for the Cisco 10000 Series Routers and the Cisco 7304 Router.
Release 12.2(31)SB2 and Release 12.2(28)SB include new software features and new hardware for the Cisco 7200, 7301, 7304, and Cisco 10000 Series Routers.
Note: Release 12.2(31)SB2 was the last Release 12.2SB release to include support for the Cisco 7200 Series Routers and the Cisco 7301 Router. The Release 12.2SB migration path for new software features and hardware for the Cisco 7200 Series Routers and the Cisco 7301 Router is Cisco IOS Software Release 12.2(33)SRC or later.
Not all features are supported on all platforms. Use the Cisco Feature Navigator to find information about platform support and Cisco IOS Software image support. The Cisco Feature Navigator is available at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com.
2) Release 12.2(33)SB Feature Highlights
Like all Release 12.2SB releases, Release 12.2(33)SB integrates innovations that span multiple technology areas, including Cisco IOS Broadband, High Availability, Quality of Service, MPLS and VPNs, IP Services, IP Multicast and Routing, IPv6, and Infrastructure and Embedded Management.
Powerful new hardware support in Release 12.2(33)SB includes the Cisco 10000 Series Performance Routing Engine 4 (ESR-PRE4) and Cisco 10000 Series SPA Interface Processor-600 (10000-SIP-600), and Cisco 10000 Series support for the 1-port 10 Gigabit Ethernet Shared Port Adapter and the 5-port and 2-port Gigabit Ethernet Shared Port Adapters.
Table 1 and the following sections summarize some of the key highlights of Release 12.2(33)SB.
Table 1. Release 12.2(33)SB Highlights
Hardware
• Cisco 10000 Series Performance Routing Engine 4 (ESR-PRE4)
• Cisco 10000 Series SPA Interface Processor-600 (10000-SIP-600)
• Cisco 1-port 10 Gigabit Ethernet, and 5-Port and 2-Port Gigabit Ethernet Shared Port Adapters for Cisco 10000 Series Routers
Broadband
• Cisco ISG: Service Control Engine Common Control Bus
• Cisco ISG: MQC Support for IP Sessions
• Cisco ISG: IP Session Keepalives (ARP and ICMP)
• L2TP Forwarding of PPPoE Tag Information
• Throttling of AAA Accounting Records
• PPPoE Smart Server Selection
• MLP at LNS
Layer 2 VPN and Layer 2 Protocols
• Any Transport over MPLS: NSF with SSO
• Any Transport over MPLS Interworking
• Link Aggregation Control Protocol (802.3ad) Enhancements
MPLS and Layer 3 VPN
• IPv6 VPN Provider Edge Router (6VPE) over MPLS for Cisco 10000 Series Routers
2.1.1) Cisco 10000 Series Performance Routing Engine 4 (ESR-PRE4)
The Cisco 10000 Series Performance Routing Engine 4 addresses the demand for increased performance, scalability and hierarchical Quality of Service to support diverse network edge requirements for residential and business services markets. (See Figure 1.)
Figure 1. Cisco 10000 Series Performance Routing Engine 4
Designed to meet new requirements from Service Providers for high-capacity aggregation with sophisticated IP services, the Cisco 10000 Series PRE-4 uses the latest generation of the Cisco patented Parallel Express Forwarding (PXF) technology. PXF is a parallel multiprocessor architecture that enables deployment of multiple IP services while maintaining peak performance throughput. The Cisco 10000 Series PRE-4 also supports the flexible Hierarchical Queuing Framework (HQF) available on Cisco 10000 Series Routers. The HQF implementation on the Cisco 10000 Series PRE-4 allows three levels (class, logical, and physical) of scheduling to apply queuing and shaping (see Figure 2).
Figure 2. Examples of Three-Level Scheduling with HQF and the Cisco 10000 Series PRE-4
Benefits
The Cisco 10000 Series PRE-4 delivers both scalability improvements and new features:
• Provides up to 10 million packets per second (mpps) of processing power for increased throughput
• Delivers Hierarchical Queuing Framework (HQF) for up to three levels of service granularity
• Supports increased bandwidth through link bonding connections between the Cisco 10000 Series PRE-4 and Cisco 10000 Series SPA Interface Processor-600 (10000-SIP-600)
– 11.2 Gbps transmit and receive to each SIP
– 3.2 Gbps transmit and receive to each full-height line card
– 1.6 Gbps transmit and receive to each half-height line card
• Includes 800-MHz route processor with 4GB ECC protected DRAM for new features and scalability improvements
• Delivers enhanced storage options for larger and more complex configurations
– 14 MB Nonvolatile RAM (NVRAM)
– 128 MB Compact Flash-fixed internal memory
– 512 MB or 1GB Compact Flash-front panel removable memory
• Uses Cisco patented PXF technology to provide maximum IP service flexibility without performance impact
• Provides a Building Integrated Timing Supply (BITS) interface, a component of the Cisco 10000 Series BITS architecture that will enable network service synchronization
2.1.2) Cisco 10000 Series SPA Interface Processor-600 (10000-SIP-600)
The Cisco® I-Flex design combines Shared Port Adapters (SPAs) and SPA Interface Processors (SIPs), leveraging an extensible design that enables service prioritization for voice, video and data services. Service Provider customers can benefit from improved slot economics resulting from modular port adapters that are interchangeable across Cisco Systems routing platforms.
The I-Flex design maximizes connectivity options and port density with SPAs that deliver line-rate performance. I-Flex enhances speed-to-service revenue and supports the rich set of QoS features from the Cisco 10000 Series Performance Routing Engines while effectively reducing total cost of ownership.
The Cisco 10000 Series SPA Interface Processor-600 is designed to enable four single-height or two double-height SPAs using two adjacent line-card slots of the Cisco 10000 Series. Using Application Specific Integrated Circuits (ASIC) with flexibility to bond together point-to-point links, the SIP provides up to 11.2 Gbps of bandwidth and support for the 10GE interface at line-rate. (See Figure 3.)
Figure 3. Cisco 10000-SIP-600 with GE and 10GE SPAs
Benefits
Key benefits and features of the Cisco 10000-SIP-600 include:
• Increased Port Density, Bandwidth and SPA Support-Enables four single-height SPAs; two double-height SPAs or a combination to increase port density per chassis. Link bonding enables greater bandwidth and new connectivity such as modular 10GE SPA.
• Modularity-Provides support for up to four SIPs or combination of SIPs plus legacy Cisco 10000 line cards installed in same chassis.
• Investment Protection-Same carrier card used for various SPA types supported on the Cisco 10000 Router. In addition, SPA interfaces can be shared across multiple platforms.
• Online Insertion and Removal (OIR)-Provides hitless OIR to minimize impact of add, change, and remove operations. Individual SPAs can be removed without impacting traffic on other SPA interfaces.
• Link Protection and Link Bundling
– Ethernet-802.3ad/EtherChannel®
– SONET- Automatic Protection Switching (APS)
• Managed Oversubscription-Hierarchical QoS provided on PRE3/4 allows oversubscription of interfaces with predictable performance. SIP memory includes 128MB buffering to support ingress bursts of 20Gbps for 50 msec.
• Building Integrated Timing Supply (BITS)-Support for BITS enabled SPAs
2.1.3) Cisco 1-port 10 Gigabit Ethernet, and 5-Port and 2-Port Gigabit Ethernet Shared Port Adapters for Cisco 10000 Series Routers
The Cisco Gigabit Ethernet SPAs are available on high-end Cisco routing platforms, offering the benefits of network scalability with lower initial costs and ease of upgrades. The Cisco SPA/SIP portfolio continues the company's focus on investment protection along with consistent feature support, broad interface availability, and the latest technology. The Cisco SPA/SIP portfolio allows deployment of different interfaces (Packet over SONET/SDH [PoS], ATM, Ethernet, etc.) on the same interface processor.
The Cisco 1-Port 10-GE SPA, 5-Port GE SPA, and 2-Port GE SPA offer the benefits of network scalability with lower initial costs and ease of upgrades. (See Figure 4 through Figure 6.) Within a central office or data center or in a Metropolitan-Area Network (MAN), 10-GE and GE interfaces are commonly used to interconnect routers or other devices. The Cisco 1-Port 10-GE SPA, 5-Port GE SPA, and 2-Port GE SPA meet the customer need for various applications. With these SPAs, users can mix and match SPA ports with other types of interfaces in the same slot. The SPAs provide standards-based 10-GE and GE implementation for compatibility and interoperability.
The Cisco 1-Port 10-GE SPA, 5-Port GE SPA, and 2-Port GE SPA can be used in any combination for the following applications:
• Residential Triple Play
• Metro Ethernet Services
• Converged Residential and Business Services
• Internet Peering
• Inter- and Intra-Point of Presence (POP) Aggregation
Figure 4. Cisco 1-Port 10-GE SPA with XFP Optics
Figure 5. Cisco 5-Port Gigabit Ethernet SPA, Version 2
Figure 6. Cisco 2-Port Gigabit Ethernet SPA, Version 2
In addition to the two Small Form-Factor Pluggable (SFP)-based Gigabit Ethernet ports, two additional built-in RJ-45 ports are provided on the 2-port Gigabit Ethernet SPA, Version 2. A combination of these Gigabit Ethernet ports is permitted, limited to a total of 2 Gigabit Ethernet ports (both copper, both optical, or one copper and one optical).
2.2.1) Cisco ISG: Service Control Engine (SCE) Common Control Bus
Cisco ISG in Cisco IOS Software and the Service Control Engine (SCE) are critical components of the Cisco NGN Service Provider network. Cisco ISG is becoming the primary mechanism, for both PPP and IP sessions, by which subscribers are authenticated and admitted into a broadband network of any type. The scalable, high-performance deep-packet-inspection capabilities of the SCE make it the platform of choice for the delivery of granular application-based services. Together, they provide an ideal toolset to implement high-touch broadband services.
The ISG-SCE common control bus provides a mechanism by which Cisco ISG and the SCE communicate directly to co-manage subscriber sessions, without requiring coordination and orchestration by additional components such as a policy server or AAA server. The primary benefit is a simpler design and deployment of these platforms in an operational network, which reduces the dependency on third-party components and lowers overall solution cost. (See Figure 7.)
This tighter integration between the two products, with Cisco ISG providing subscriber management and Layer 1-4 policies and the SCE providing Layer 5-7 deep packet inspection, opens up numerous use cases including:
• Parental Control-Limit access to restricted websites for a specific user; limit access to specific applications for specific users at specific times of day
• Value Added Premium Packages-Offer differential services based on specific application traffic for a specific user
• Application Boost-Boost the bandwidth of a specific application
• Limit Resources for Basic Subscribers-In tiered services models, the basic level of service could have specific limits placed on specific users
Figure 7. Cisco ISG and SCE Integration
Benefits
• Simplified Architecture-Only one interface needs to be utilized to control both ISG and SCE
• Advanced Per-User Per-Application Services-By utilizing the best of both ISG and SCE products, new use cases can be created
2.2.2) Cisco ISG: MQC Support for IP Sessions
Within ISG sessions, full Modular QoS CLI (MQC) support was previously available only for dynamic PPP sessions. With the inclusion of MQC support for IP sessions in Cisco IOS Software Release 12.2(33)SB, full MQC support is now available for applying QoS shapers and policers to IP sessions, IP subnet sessions, and IP interface sessions.
MQC is a Command-Line Interface (CLI) structure that allows users to create traffic policies and attach these policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. The traffic class classifies the traffic, while the QoS features in the traffic policy determine how the classified traffic is treated.
Benefits
MQC support for ISG IP sessions provides the following benefits:
• Common Configuration-The same configuration used to define QoS characteristics for other WAN interfaces now applies to IP sessions
• Flexible Services-Increased flexibility in defining QoS behavior for IP sessions beyond simple rate policing
2.2.3) Cisco ISG: IP Session Keepalives (ARP and ICMP)
IP Session Keepalives provides end-to-end keepalive support for IP and IP interface sessions, similar to the functionality supplied by PPP keepalives for PPP sessions. (See Figure 8.) This determines if an individual customer premises end-device (PC, set top box, CPE, etc) is still connected to an aggregation network in an IP-only environment. Often in public and private networks, users may walk away with or power down their client devices without gracefully signing-off from the network. This can lead to a longer-lasting session context for the user in a Cisco ISG if the session doesn't periodically ensure user connectivity or existence.
Two types of keepalives are provided by this functionality:
• ARP Keepalives-ARP keepalives are used where the Cisco ISG/BRAS is directly connected to the client host device with no Layer 3 device in the path, so that Cisco ISG can reach the client device with a Layer 2 ARP ping. The advantages of ARP ping are its low packet overhead and the fact that firewalls usually do not block ARP, whereas they frequently filter ICMP echo.
• ICMP Keepalives-ICMP keepalives are used where the Cisco ISG/BRAS is not directly connected to the client host device, that is, where one or more Layer 3 devices sit between the host and the Cisco ISG/BRAS. Across a Layer 3 path only ICMP keepalives can be used, because ARP does not cross routers.
Session lifecycle management can also be controlled by idle-timers, absolute timers, or disconnect events, but IP Session keepalives allow the system to have greater control of when a user session should be disconnected.
When traffic has not been seen for the configured amount of time, the ICMP or ARP ping is sent directly to the end-device. If no response is received, the session is torn down, the resources are returned to the system, and an accounting stop record is sent to the AAA server.
Figure 8. IP Session Keepalives
Benefits
• Advanced Session Life Cycle Management-Cisco ISG can proactively disconnect sessions where the end-device is no longer present, freeing up system resources.
• More Accurate Billing-By disconnecting sessions as soon as the end device is powered off or moved, more accurate usage information is obtained.
• Greater Security-Removing a session as soon as its host is gone shortens the window in which another device could assume the departed host's address and inherit that session's authorization (address spoofing).
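The probe-and-teardown sequence above, as an added example (not Cisco code): a small Python model in which an idle session is probed with ARP or ICMP according to whether the host is directly connected, a reply resets the idle timer, and repeated silence removes the session and emits an accounting Stop record. The timer values, the retry count, the two constructed sessions and the record fields (including the Acct-Terminate-Cause value) are assumptions made for the illustration.

```python
"""ISG IP-session keepalive model (added example, not Cisco code).

After a configured idle period the BRAS probes the host: ARP when the host
is directly connected, ICMP echo when a Layer 3 hop sits in between. A reply
resets the idle timer; repeated silence tears the session down and produces
an accounting Stop record. All timer values and record fields are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Session:
    sid: str
    ip: str
    mac: str
    l2_connected: bool        # True -> ARP probe, False -> ICMP echo
    started: float
    last_traffic: float
    probes_unanswered: int = 0


@dataclass
class KeepaliveConfig:
    idle_before_probe: float = 60.0   # seconds of silence before the first probe
    probe_interval: float = 10.0      # seconds between unanswered probes
    max_probes: int = 3               # unanswered probes before teardown


def probe_type(s):
    return "ARP" if s.l2_connected else "ICMP"


class SessionManager:
    def __init__(self, cfg, reachable):
        self.cfg = cfg
        # reachable(session) -> bool stands in for the real ARP/ICMP exchange
        self.reachable = reachable
        self.sessions = {}
        self.accounting = []   # records handed to the RADIUS client
        self.events = []       # (time, session id, what happened)

    def add(self, s):
        self.sessions[s.sid] = s

    def traffic_seen(self, sid, now):
        """Any packet from the host counts as liveness and cancels pending probes."""
        s = self.sessions[sid]
        s.last_traffic, s.probes_unanswered = now, 0

    def tick(self, now):
        """Periodic timer: probe sessions that have been idle long enough."""
        for s in list(self.sessions.values()):
            idle = now - s.last_traffic
            due = self.cfg.idle_before_probe + s.probes_unanswered * self.cfg.probe_interval
            if idle < due:
                continue
            s.probes_unanswered += 1
            self.events.append((now, s.sid, f"{probe_type(s)} probe {s.probes_unanswered}"))
            if self.reachable(s):
                self.events.append((now, s.sid, "reply"))
                s.last_traffic, s.probes_unanswered = now, 0
            elif s.probes_unanswered >= self.cfg.max_probes:
                self._teardown(s, now)

    def _teardown(self, s, now):
        del self.sessions[s.sid]
        self.events.append((now, s.sid, "teardown"))
        # Acct-Terminate-Cause value is an assumption; IOS chooses its own cause code.
        self.accounting.append({
            "Acct-Status-Type": "Stop",
            "Acct-Session-Id": s.sid,
            "Framed-IP-Address": s.ip,
            "Acct-Session-Time": int(now - s.started),
            "Acct-Terminate-Cause": "Lost-Carrier",
        })


def simulate():
    """Two constructed sessions: host A has gone away, host B keeps answering."""
    alive = {"A": False, "B": True}
    mgr = SessionManager(KeepaliveConfig(), lambda s: alive[s.sid])
    mgr.add(Session("A", "10.1.0.10", "00:11:22:33:44:55", True, 0.0, 0.0))
    mgr.add(Session("B", "10.2.0.20", "66:77:88:99:aa:bb", False, 0.0, 0.0))
    for now in range(0, 130, 10):      # timer fires every 10 s for two minutes
        mgr.tick(float(now))
    return mgr


if __name__ == "__main__":
    m = simulate()
    for ev in m.events:
        print(ev)
    print("still up:", sorted(m.sessions))
    print("accounting:", m.accounting)
```

Session A is probed three times with ARP at 60, 70 and 80 seconds and then removed with a Stop record carrying 80 seconds of session time; session B answers each ICMP probe, which resets its idle timer so the next probe is not sent until another 60 seconds of silence.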
2.2.4) L2TP Forwarding of PPPoE Tag Information
In an Ethernet access aggregation network there is no unique mapping between the subscriber line and an Ethernet interface comparable to the Virtual Circuit (VC) in an ATM-based network, especially when a separate VLAN per subscriber is not used. DSL Forum TR-101 defines a method by which the Digital Subscriber Line Access Multiplexer (DSLAM) inserts a DSL Remote-ID and Circuit-ID into the PPPoE discovery packets, so that subscriber decisions can be made at later points during call set-up. Before this feature, however, that information stopped at the LAC and was not available to the LNS in a VPDN environment. This feature forwards the PPPoE tag information containing the DSL Forum attributes from the L2TP Access Concentrator (LAC) to the L2TP Network Server (LNS). (See Figure 9.)
The DSLAM port information contained within the PPPoE tags can be used by the local Authentication, Authorization, and Accounting (AAA) servers on the LNS in addition to the LAC. This is especially useful in wholesale environments where the LAC and LNS may belong to different owners.
Figure 9. Forwarding the DSLAM circuit-id over L2TP
Benefits
• Increased LNS security by being able to authenticate users based on DSLAM port information
2.2.5) Throttling of AAA Accounting Records
The AAA Remote Authentication Dial-In User Service (RADIUS) protocol operates over User Datagram Protocol (UDP) and therefore cannot take advantage of transport-layer flow control such as that built into Transmission Control Protocol (TCP).
The ever-increasing demand for reduced capital spending has produced NAS/BRAS platforms with higher port and interface density that can generate a high volume of RADIUS traffic in a dynamic network environment. Unfortunately, this scaling improvement makes the lack of flow control in RADIUS worse: a burst of RADIUS traffic from an AAA client experiencing an event such as a reload can overwhelm the RADIUS server and cause an unrecoverable failure.
Throttling of AAA records helps to limit RADIUS load on RADIUS servers and its surrounding network, by allowing the customers to configure a required throttling rate to reduce sudden bursts of RADIUS traffic on the RADIUS servers.
Benefits
• Helps protect the health of RADIUS servers by avoiding sudden bursts of RADIUS traffic to the servers
• Avoids loss of critical accounting data at RADIUS servers by preventing sudden bursts of accounting records sent to the AAA server from NAS/BRAS
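As an added example (not Cisco code) of the throttling described above, the following Python models the NAS side: accounting records beyond a configured number of unacknowledged requests wait in a queue rather than being sent, so a reload-time burst reaches the server at the rate at which the server answers and no record is dropped. The window size, the burst of 1000 Stop records and the record contents are constructed for the illustration; the actual IOS throttling parameters are not shown here.

```python
"""RADIUS accounting throttle model (added example, not Cisco code).

RADIUS runs over UDP, so nothing in the transport slows a NAS that suddenly
has thousands of accounting records to send. The throttle is modelled as a
cap on unacknowledged accounting requests in flight; records beyond the cap
queue on the NAS instead of being fired at the server. Window size and the
burst are assumptions for the illustration.
"""
from collections import deque


class AccountingThrottle:
    MAX_IDENTIFIERS = 256   # the RADIUS Identifier field is one octet

    def __init__(self, max_outstanding):
        if not 1 <= max_outstanding <= self.MAX_IDENTIFIERS:
            raise ValueError("window must fit the 8-bit RADIUS Identifier space")
        self.max_outstanding = max_outstanding
        self.pending = deque()   # records waiting for a free slot
        self.outstanding = {}    # identifier -> record on the wire, awaiting Accounting-Response
        self.wire = []           # (identifier, record) in transmission order
        self._next_id = 0

    def submit(self, record):
        """Queue a record; it is transmitted as soon as the window allows."""
        self.pending.append(record)
        self._drain()

    def response(self, identifier):
        """Accounting-Response received: free the slot and send the next queued record."""
        self.outstanding.pop(identifier)   # KeyError for a reply to a request never sent
        self._drain()

    def _drain(self):
        while self.pending and len(self.outstanding) < self.max_outstanding:
            record = self.pending.popleft()
            ident = self._next_id
            self._next_id = (self._next_id + 1) % self.MAX_IDENTIFIERS
            self.outstanding[ident] = record
            self.wire.append((ident, record))


def simulate_burst(n_records, max_outstanding):
    """A NAS emits n_records accounting Stops at once; the server then answers each in turn."""
    t = AccountingThrottle(max_outstanding)
    for i in range(n_records):
        t.submit({"Acct-Status-Type": "Stop", "Acct-Session-Id": f"S{i:05d}"})
    burst_on_wire = len(t.wire)        # what the server saw before answering anything
    queued = len(t.pending)
    while t.outstanding:
        oldest = next(iter(t.outstanding))   # dict keeps insertion order
        t.response(oldest)
    return {"burst_on_wire": burst_on_wire, "queued_after_burst": queued,
            "delivered": len(t.wire), "lost": n_records - len(t.wire)}


if __name__ == "__main__":
    print("throttled  :", simulate_burst(1000, 50))
    print("unthrottled:", simulate_burst(200, 200))
```

With a window of 50 the server sees 50 requests from a 1000-record burst and the remaining 950 follow one per response; with a window as large as the burst, all 200 arrive at once, which is the behaviour the feature is meant to prevent.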
2.2.6) PPPoE Smart Server Selection
In a PPPoE broadcast domain (such as an Ethernet aggregation network) with multiple Broadband Remote Access Servers (BRASs), Service Providers have no deterministic way of knowing ahead of time which BRAS (PPPoE server) a call will ultimately terminate on. (See Figure 10.) All BRASs respond to the PPPoE Active Discovery Initiation (PADI) message from the PPPoE client with a PPPoE Active Discovery Offer (PADO) message, and the PPPoE client establishes the connection with the PPPoE server whose response reaches it first.
The PPPoE Smart Server Selection feature allows a Service Provider with multiple redundant PPPoE BRASs to predict the BRAS that a given customer will most likely connect to. This is achieved by establishing an order in which the BRASs respond to PADIs, delaying their responses by differing amounts (i.e., the most preferred BRAS is configured not to delay its response and the least preferred to respond with the largest delay). The preference order can be applied among the BRASs for all sessions, or only for sessions matching a set of circuit-id or remote-id strings. (See Figure 11.)
Figure 11. Ordering Broadband Remote Access Server Response to PADI Message
Benefits
• Helps Service Providers establish a preference among BRASs on which traffic from a particular source will be terminated (separating residential and business traffic, for example) thus helping them optimize their network
• Allows Service Providers to achieve box-to-box redundancy with provision for preferred BRASs for PPPoE
• Offers Service Providers a deterministic way to terminate PPPoE sessions on preferred BRASs
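The PPPoE discovery exchange and the DSL Forum tags it carries, as an added example (not Cisco code) serving both the tag-forwarding section and the Smart Server Selection section above: the Python below builds and parses PPPoE discovery frames (RFC 2516 header, TLV tags, and the vendor-specific tag 0x0105 carrying Agent-Circuit-ID and Agent-Remote-ID under IANA enterprise number 3561 as TR-101 specifies), then lets several BRASs choose a PADO delay from the circuit-id so that the client, which accepts the first PADO it receives, lands on the preferred BRAS. The BRAS names, circuit-id prefixes, delay values and the Host-Uniq value are constructed for the illustration.

```python
"""PPPoE discovery with TR-101 line identification and PADO delay ordering
(added example, not Cisco code)."""
import struct

PADI, PADO = 0x09, 0x07
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_VENDOR = 0x0103, 0x0105
ADSL_FORUM = 3561                        # IANA enterprise number in the TR-101 vendor tag
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02


def build_pppoe(code, tags, session_id=0):
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body   # ver=1, type=1


def parse_pppoe(frame):
    """Return (code, session_id, [(tag_type, value), ...]); reject malformed frames."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != 0x11:
        raise ValueError("not PPPoE version 1 / type 1")
    body = frame[6:6 + length]
    if len(body) != length:
        raise ValueError("PPPoE length field exceeds frame")
    tags, off = [], 0
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + l > len(body):
            raise ValueError("tag length exceeds payload")
        tags.append((t, body[off:off + l]))
        off += l
        if t == TAG_END:
            break
    return code, session_id, tags


def build_tr101_tag(circuit_id, remote_id=None):
    """Vendor-specific tag value: enterprise number, then sub-option TLVs (1-octet type and length)."""
    value = struct.pack("!I", ADSL_FORUM)
    for sub, data in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        if data is None:
            continue
        if len(data) > 255:
            raise ValueError("sub-option length is one octet")
        value += bytes([sub, len(data)]) + data
    return value


def parse_tr101(tags):
    """Return {'circuit_id': ..., 'remote_id': ...} from a TR-101 vendor tag, if one is present."""
    ids = {}
    for t, v in tags:
        if t != TAG_VENDOR or len(v) < 4 or struct.unpack("!I", v[:4])[0] != ADSL_FORUM:
            continue
        off = 4
        while off + 2 <= len(v):
            sub, l = v[off], v[off + 1]
            off += 2
            if off + l > len(v):
                raise ValueError("TR-101 sub-option exceeds tag")
            if sub == SUB_CIRCUIT_ID:
                ids["circuit_id"] = v[off:off + l]
            elif sub == SUB_REMOTE_ID:
                ids["remote_id"] = v[off:off + l]
            off += l
    return ids


class Bras:
    """A PPPoE server with a default PADO delay and per-circuit-id overrides."""

    def __init__(self, name, default_delay_ms, rules=()):
        self.name = name
        self.default_delay_ms = default_delay_ms
        self.rules = list(rules)          # (circuit-id prefix, delay_ms); first match wins

    def pado_delay(self, padi):
        code, _, tags = parse_pppoe(padi)
        if code != PADI:
            raise ValueError("expected PADI")
        cid = parse_tr101(tags).get("circuit_id", b"")
        for prefix, delay in self.rules:
            if cid.startswith(prefix):
                return delay
        return self.default_delay_ms

    def pado(self, padi):
        _, _, tags = parse_pppoe(padi)
        echoed = [(t, v) for t, v in tags if t in (TAG_SERVICE_NAME, TAG_HOST_UNIQ)]
        return build_pppoe(PADO, [(TAG_AC_NAME, self.name.encode())] + echoed)


def discovery(circuit_id, remote_id, brases):
    """Client broadcasts a PADI; returns the AC-Name of the first PADO to arrive."""
    padi = build_pppoe(PADI, [
        (TAG_SERVICE_NAME, b""),
        (TAG_HOST_UNIQ, b"\x00\x01"),
        # In a real network the DSLAM inserts this tag; a tag supplied by the subscriber
        # itself must be stripped or overwritten by the access node, or it can be spoofed.
        (TAG_VENDOR, build_tr101_tag(circuit_id, remote_id)),
    ])
    offers = sorted((b.pado_delay(padi), b.pado(padi)) for b in brases)
    _, first = offers[0]
    _, _, tags = parse_pppoe(first)
    return dict(tags)[TAG_AC_NAME].decode()


BRASES = [   # constructed: business circuits prefer BRAS-BIZ, everything else BRAS-RES
    Bras("BRAS-RES", default_delay_ms=0, rules=[(b"biz/", 500)]),
    Bras("BRAS-BIZ", default_delay_ms=500, rules=[(b"biz/", 0)]),
]

if __name__ == "__main__":
    print(discovery(b"biz/dslam1 eth 2/0/7", b"cust-4711", BRASES))
    print(discovery(b"res/dslam1 eth 1/0/3", b"line-8", BRASES))
```

Two caveats a deployment should keep in mind: the ordering only holds if every PPPoE server on the broadcast domain honours its configured delay, so a rogue or misconfigured server that answers immediately still wins the client, and the circuit-id the BRAS trusts is only as good as the access node's enforcement of the TR-101 tag.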
2.2.7) MLP at LNS
In broadband aggregation, Service Providers are considering an Ethernet access network as an alternative to an ATM access network, with the Digital Subscriber Line Access Multiplexer (DSLAM) bridging the ATM/DSL local loop onto the Ethernet-based access network and thereby providing Ethernet connectivity to the BRAS. As DSL aggregation networks migrate to Ethernet-based connectivity to the BRAS, with a mix of Ethernet and ATM access networks, this feature allows Service Providers to support Multilink PPP (MLP) and Link Fragmentation and Interleaving (LFI) on single-link MLP bundles terminated at the LNS. (See Figure 12.) This enables high-priority low-latency packets to be interleaved between the fragments of lower-priority higher-latency packets. Voice over IP (VoIP) is an example of a low-latency service.
Figure 12. MLP at LNS
Benefits
• Allows Service Providers to enhance performance of high-priority low-latency applications, such as VoIP, by allowing packets to be interleaved between fragments of lower-priority higher-latency packets.
2.3.1) Any Transport over MPLS (AToM): NSF with SSO
Cisco IOS Software Release 12.2(33)SB delivers High Availability (HA) functionality for Any Transport over MPLS (AToM) for Cisco 10000 Series Routers.
Any Transport over MPLS (AToM) Nonstop Forwarding (NSF) with Stateful Switchover (SSO) improves the availability of a network that uses AToM to provide Layer 2 VPN services. AToM NSF/SSO provides the ability to detect failures and handle them with minimal disruption to the service being provided. AToM NSF is achieved by Stateful Switchover (SSO) and Nonstop Forwarding (NSF) mechanisms. A standby Route Processor (RP) provides control-plane redundancy. The control plane state and data plane provisioning information for the Attachment Circuits (ACs) and AToM Pseudowires (PWs) are checkpointed to the standby RP to provide NSF for AToM L2VPNs upon switchover from the primary RP.
Benefits
• NSF with SSO together for AToM provides the ability to detect failures and handle them with minimal disruption to the AToM service being provided. The following are the AToM services protected by AToM NSF with SSO:
2.3.2) Any Transport over MPLS (AToM) Interworking
The fundamental benefit of an MPLS network is being able to support a multitude of applications over a single infrastructure. Any Transport over MPLS (AToM) is the Cisco Layer 2 (L2) Virtual Private Network (VPN) over MPLS network solution. Prior to the availability of AToM, Enterprises and Service Providers had to build separate networks for providing L2 connectivity based on the subscriber's existing network encapsulation. For example, a provider could be required to build separate Asynchronous Transfer Mode (ATM) and Frame Relay networks, which would result in increased operational and capital expenses. AToM enables Enterprise and Service Providers to consolidate these different networks, so they can save significant capital and operational expenses.
AToM also allows Enterprise and Service Providers the ability to expand their services portfolio without having to build a new infrastructure to accommodate L2 VPN service. With AToM, the same Provider Edge (PE) router can support both Layer 3 (L3) VPNs as well as L2 VPNs. Adding or removing VPN sites doesn't require network wide changes. Only the adjacent PE routers need provisioning. In the case of connectivity problems, troubleshooting is also narrowed down to the adjacent PEs.
The MPLS L3 VPN approach was the most popular MPLS connectivity service before the advent of AToM. AToM allows subscribers to extend the reach of their network without changing any L3 network implementation or policies.
Figure 13. AToM Architecture
As illustrated in Figure 13, a Pseudowire (PW) is a connection between two PE devices that joins two Pseudowire Emulated Service (PWES) end points. The PWES end points connect to the PE router over various attachment circuit types. Pseudowires are set up using directed Label Distribution Protocol (dLDP) sessions between the two PE devices. The ingress (local) PE router allocates a Virtual Circuit (VC) label for each new attachment circuit and binds it to the configured Virtual Circuit ID (VCID). VC labels are exchanged with the egress (remote) PE router using dLDP label mapping messages. In the forwarding plane, the local PE router pushes the VC label onto the VPN traffic and switches it through the pseudowire to the remote PE. The remote PE removes the VC label and delivers the traffic to the subscriber's network in its original encapsulation.
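The label operations in this paragraph, as an added example (not Cisco code): Python that encodes MPLS label stack entries, models the dLDP label mapping exchange as two direct calls, has the ingress PE push the remote PE's VC label underneath a transport label, strips the transport label at the penultimate hop, and has the egress PE map the VC label back to its attachment circuit, dropping any label it never allocated. PE names, interface names, label values and the frame contents are constructed; the pseudowire control word is omitted.

```python
"""AToM pseudowire label handling (added example, not Cisco code)."""
import struct


def encode_lse(label, exp=0, bos=False, ttl=255):
    """One 32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((exp & 7) << 9) | (int(bos) << 8) | (ttl & 0xFF))


def decode_stack(packet):
    """Read entries down to the bottom-of-stack bit; return ([(label, exp, bos, ttl)], payload)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(packet):
            raise ValueError("label stack runs past end of packet")
        (w,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
        entries.append((w >> 12, (w >> 9) & 7, bool((w >> 8) & 1), w & 0xFF))
        if entries[-1][2]:
            return entries, packet[off:]


class PE:
    def __init__(self, name, first_label=16):      # labels 0-15 are reserved
        self.name = name
        self._next_label = first_label
        self.ac_by_local_label = {}   # VC label this PE allocated -> attachment circuit
        self.local_label_by_vcid = {} # VCID -> VC label this PE allocated
        self.remote = {}              # attachment circuit -> (remote PE, remote VC label)
        self.tunnel_label = {}        # remote PE name -> transport (IGP/LDP) label

    def allocate(self, vcid, ac):
        """Allocate a locally significant VC label and bind it to the configured VCID."""
        label = self._next_label
        self._next_label += 1
        self.ac_by_local_label[label] = ac
        self.local_label_by_vcid[vcid] = label
        return label

    def learn_mapping(self, ac, peer, vc_label):
        """Store the VC label the remote PE announced for this circuit."""
        self.remote[ac] = (peer, vc_label)

    def ingress(self, ac, l2_frame):
        peer, vc_label = self.remote[ac]
        # Inner label: the VC label the remote PE allocated (bottom of stack);
        # outer label: the transport label that reaches the remote PE.
        return encode_lse(self.tunnel_label[peer]) + encode_lse(vc_label, bos=True) + l2_frame

    def egress(self, packet):
        entries, payload = decode_stack(packet)
        if len(entries) != 1:
            raise ValueError("expected a single VC label after penultimate-hop pop")
        vc_label = entries[0][0]
        if vc_label not in self.ac_by_local_label:
            # Labels are locally significant: anything we did not hand out is dropped.
            raise ValueError(f"{self.name}: VC label {vc_label} not allocated here")
        return self.ac_by_local_label[vc_label], payload


def penultimate_hop_pop(packet, expected_tunnel_label):
    """The P router adjacent to the egress PE pops the transport label."""
    (w,) = struct.unpack("!I", packet[:4])
    if w >> 12 != expected_tunnel_label or (w >> 8) & 1:
        raise ValueError("unexpected outer label")
    return packet[4:]


def ldp_bind(pe_a, ac_a, pe_b, ac_b, vcid):
    """Directed LDP label mapping exchange for one VCID, modelled as two direct calls."""
    label_a = pe_a.allocate(vcid, ac_a)
    label_b = pe_b.allocate(vcid, ac_b)
    pe_b.learn_mapping(ac_b, pe_a.name, label_a)   # B sends towards A with A's label
    pe_a.learn_mapping(ac_a, pe_b.name, label_b)


def demo():
    """One pseudowire between two constructed PEs; returns ((egress AC, payload), original frame)."""
    pe1, pe2 = PE("PE1"), PE("PE2")
    pe1.tunnel_label["PE2"], pe2.tunnel_label["PE1"] = 1001, 1002
    ldp_bind(pe1, "Gi1/0/0.100", pe2, "Gi2/0/0.200", vcid=100)
    frame = b"\xaa" * 14 + b"customer payload"      # constructed Layer 2 frame
    packet = pe1.ingress("Gi1/0/0.100", frame)
    packet = penultimate_hop_pop(packet, 1001)
    return pe2.egress(packet), frame


if __name__ == "__main__":
    (ac, payload), frame = demo()
    print(ac, payload == frame)
```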