Release Notes for Cisco 6400 NRP for Cisco IOS Release 12.1(5)DC3

These release notes for the Cisco 6400 node route processor (NRP) describe the enhancements provided in Cisco IOS Release 12.1(5) DC3.

For a list of the software caveats that apply to Release 12.1(5) DC3, see the "Software Caveats" section and Caveats for Cisco IOS Release 12.1 T. The caveats document is updated for every maintenance release and is located on Cisco.com and the Documentation CD-ROM.

Use these release notes in conjunction with the cross-platform Release Notes for Cisco IOS
Release 12.1 located on Cisco.com and the Documentation CD-ROM.

Note In these release notes, the acronym NRP refers to both the NRP-1 and the NRP-2. Where there are differences between the NRP-1 and the NRP-2, a clear distinction is made.

System Requirements

This section describes the system requirements for Cisco IOS Release 12.1(5) DC3 and includes the following sections:

Memory Recommendations

Table 1 Memory Recommendations for the Cisco 6400 NRP-1 and NRP-2
NRP Version	Product Names	Image Names	Recommended Minimum DRAM Memory	Recommended Minimum Flash Memory
Both	Boot Image	c6400r-boot-mz	Not applicable	Not applicable
NRP-1	IOS NRP-1 BASE IOS NRP-1 MULTIDOMAIN IOS NRP-1 WEB SELECTION	c6400r-g4p5-mz	64 MB for up to 750 sessions 128 MB for over 750 sessions	8 MB
NRP-2	IOS NRP-2 BASE IOS NRP-2 MULTIDOMAIN IOS NRP-2 WEB SELECTION	c6400r2sp-g4p5-mz	256 MB for up to 6500 sessions 512 MB for over 6500 sessions	Not applicable

Note In most NRP-1 configurations, 64 MB DRAM is adequate for up to 750 sessions. More sessions require 128 MB DRAM. Using the NRP-1, for an upgrade from an earlier release to Cisco IOS Release 12.1(5) DC3, 128 MB DRAM is recommended.

Note In most NRP-2 configurations, 256 MB DRAM is adequate for up to 6500 sessions. More sessions require 512 MB DRAM.

Supported Hardware

Software Compatibility

Cisco recommends that Cisco IOS Release 12.1(5) DC3 be used concurrently with Cisco IOS Release 12.1(5)DB for the Cisco 6400 node switch processor (NSP). For information about Release 12.1(5)DB for the NSP, see the Release Notes for Cisco 6400 Node Switch Processor (NSP) for Cisco IOS Release 12.1(5)DB.

For NRP-Service Selection Gateway (SSG) users, Cisco IOS Release 12.1(5) DC3 works with the Cisco Service Selection Dashboard (SSD) version 2.5(1) that supports the Single-Host Logon feature.

Determining the Software Version

To determine the version of Cisco IOS software currently running on the Cisco 6400 NRP, log in to the NRP and enter the show version EXEC command:

The output includes additional information, including processor revision numbers, memory amounts, hardware IDs, and partition information.

Upgrading to a New Software Release

This product bulletin does not contain information specific to Cisco IOS Release 12.1 DC but provides generic upgrade information that may apply to Cisco IOS Release 12.1 DC.

Feature Tables

The Cisco IOS software is packaged in software images. Each image contains a specific set of Cisco IOS features.

Table 2 lists the features supported by the Cisco 6400 NRP images in this release.

Table 2 Features Supported by the Cisco 6400 NRP in Cisco IOS Release 12.1(5) DC3
Feature	NRP-1	NRP-2
Feature	Supported as of Cisco IOS Release	Supported as of Cisco IOS Release
Access Protocols
Integrated Routing and Bridging (IRB)	12.0(3)DC	12.1(4)DC
Multilink Point-to-Point Protocol (MLPPP or MLP)	12.1(3)DC	12.1(4)DC
PPP ¹ IPCP ² Subnet Negotiation	12.0(5)DC	12.1(4)DC
PPP over ATM (PPPoA) terminated	12.0(3)DC	12.1(4)DC
PPP over Ethernet (PPPoE) terminated	12.0(3)DC	12.1(4)DC
PPPoA/oE autosense (SNAP ³)	12.1(1)DC	12.1(5)DC
Routed bridge encapsulation (RBE)	12.0(5)DC	12.1(4)DC
RBE Subinterface Grouping	12.1(4)DC	12.1(4)DC
RBE unnumbered DHCP ⁴	12.1(1)DC	12.1(4)DC
RBE with DHCP	12.0(5)DC	12.1(4)DC
RBE with DHCP Option 82	12.1(5)DC	12.1(5)DC
RFC 1483 bridging	12.0(3)DC	12.1(4)DC
RFC 1483 routing	12.0(3)DC	12.1(4)DC
VC ⁵ Traffic Shaping	12.0(3)DC	Not yet supported
Aggregation and Virtual Private Networks (VPN)
IP ⁶ Overlapping address pools (AOP)	12.1(5)DC	Not yet supported
L2TP ⁷ Multi-Hop	12.1(1)DC	12.1(4)DC
L2TP tunnel service authorization enhancement	12.1(1)DC	12.1(4)DC
L2TP tunnel sharing	12.1(1)DC	12.1(4)DC
L2TP tunnel switching ⁸	12.1(1)DC	12.1(4)DC
MPLS ⁹ Edge Label Switch Router (Edge LSR)	12.0(7)DC	Not yet supported
MPLS Label Switch Controller (LSC) for BPX	12.0(7)DC	Not yet supported
MPLS VPNs ¹⁰	12.0(7)DC	Not yet supported
PPPoA tunneled into L2TP	12.0(5)DC	12.1(4)DC
PPPoE tunneled into L2TP	12.0(5)DC	12.1(4)DC
Remote Access into MPLS VPN	12.1(5)DC	Not yet supported
RFC 1577	12.0(3)DC	12.1(4)DC
VLAN ¹¹ (ISL ¹²) on NRP	12.0(3)DC	12.1(4)DC
VLAN (802.1q) on NRP-2 GE¹³	Not applicable	12.1(5)DC
Configuration and Monitoring
ATM¹⁴ PVC ¹⁵ Range Command	12.1(4)DC	12.1(4)DC
Per VC error display	12.1(3)DC	12.1(5)DC
Hardware Support
ATM (OC-3, OC-12, DS3) Interfaces	12.0(3)DC	12.1(4)DC
FE ¹⁶ Interface: 10/100 auto-negotiation, auto-sensing	12.0(3)DC	Not applicable
GE Interface	Not applicable	12.1(5)DC
Network Management Ethernet (NME)	12.0(5)DC	12.1(4)DC
NRP 1+1 Redundancy	12.0(3)DC	Not yet supported
IP and Routing
Address Resolution Protocol (ARP)	12.0(3)DC	12.1(4)DC
Border Gateway Protocol version 4 (BGP4)	12.0(3)DC	12.1(4)DC
Enhanced Interior Gateway Routing Protocol (EIGRP)	12.0(3)DC	12.1(4)DC
Generic routing encapsulation (GRE)	12.0(3)DC	12.1(4)DC
Internet Group Management Protocol (IGMP)	12.0(3)DC	12.1(4)DC
Internet Protocol (IP) forwarding	12.0(3)DC	12.1(4)DC
IP multicast	12.0(3)DC	12.1(4)DC
Intermediate System-to-Intermediate System (IS-IS)	12.0(3)DC	12.1(4)DC
Network Address Translation (NAT) support for NetMeeting Directory	12.0(3)DC	12.1(4)DC
NetFlow for RFC1483 into MPLS VPN	12.1(5)DC	Not yet supported
Open Shortest Path First (OSPF)	12.0(3)DC	12.1(4)DC
PIM ¹⁷ Dense Mode & Sparse Mode	12.0(3)DC	12.1(4)DC
Routing Information Protocol (RIP)/RIP v2	12.0(3)DC	12.1(4)DC
Transmission Control Protocol (TCP)	12.0(3)DC	12.1(4)DC
Telnet	12.0(3)DC	12.1(4)DC
Trivial File Transfer Protocol (TFTP)	12.0(3)DC	12.1(4)DC
Transparent Bridging	12.0(3)DC	12.1(4)DC
User Datagram Protocol (UDP)	12.0(3)DC	12.1(4)DC
Web Cache Coordination Protocol (WCCP) version 1	12.0(3)DC	12.1(4)DC
WCCP (v2)	12.0(7)DC	12.1(4)DC
Network Management
Simple Network Management Protocol (SNMP) (v1, v2, and v3)	12.0(3)DC	12.1(4)DC
RADIUS/AAA
Password Authentication Protocol (PAP)/Challenge Handshake Authentication Protocol (CHAP)	12.0(3)DC	12.1(4)DC
Remote Authentication Dial-In User Service (RADIUS)	12.0(3)DC	12.1(4)DC
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests (IP Hint)	12.1(3)DC	12.1(4)DC
Terminal Access Controller Access Control System Plus (TACACS+) (admin login only)	12.0(3)DC	12.1(4)DC
VPI ¹⁸/VCI ¹⁹ RADIUS Request and RADIUS Accounting for PPPoA	12.0(3)DC	12.1(5)DC
VPI/VCI in RADIUS Request and RADIUS Accounting for PPPoE	12.1(1)DC	12.1(5)DC
Scalability and performance
GRE Cisco express forwarding (CEF)	12.1(1)DC	12.1(5)DC
LAC ²⁰ CEF switching	12.1(3)DC	12.1(4)DC
L2TP sessions per tunnel limiting	12.1(1)DC	12.1(4)DC
NAT CEF switching	12.1(1)DC	12.1(4)DC
Per VC buffer management	12.1(1)DC	12.1(4)DC
PPPoA CEF	12.1(1)DC	12.1(4)DC
PPPoE Fast Switching for Multicast	12.1(1)DC	12.1(5)DC
RBE CEF switching	12.1(5)DC	12.1(5)DC
Service Selection Gateway (NRP-SSG)
PPP Aggregation Termination over Multiple Domains (PTA-MD)	12.0(3)DC	12.1(4)DC
RADIUS Interim Accounting	12.0(5)DC	12.1(4)DC
SSG Automatic Service Logon	12.0(3)DC	12.1(4)DC
SSG CEF Switching	12.0(5)DC	12.1(4)DC
SSG Default Network	12.0(3)DC	12.1(4)DC
SSG DNS ²¹ Fault Tolerance	12.0(3)DC	12.1(4)DC
SSG enable (default is disabled)	12.0(7)DC	12.1(4)DC
SSG full username RADIUS attribute	12.1(3)DC	12.1(4)DC
SSG HTTP Redirect (Phase 1)	12.1(5)DC	12.1(5)DC
SSG Cisco IOS NAT support	12.0(5)DC	12.1(4)DC
SSG Local Forwarding	12.1(1)DC	12.1(5)DC
SSG Open Garden	12.1(5)DC	12.1(5)DC
SSG Passthrough and Proxy Service	12.0(3)DC	12.1(4)DC
SSG Sequential and Concurrent Service	12.0(3)DC	12.1(4)DC
SSG Service Defined Cookie	12.1(3)DC	12.1(4)DC
SSG single host logon	12.1(3)DC	12.1(4)DC
SSG with GRE	12.0(3)DC	12.1(5)DC
SSG with Multicast	12.0(3)DC	12.1(4)DC
SSG with L2TP Service Type	12.0(7)DC	12.1(4)DC
VPI/VCI Static binding to a Service Profile	12.0(5)DC	12.1(4)DC
WebSelection	12.0(3)DC	12.1(4)DC
Other Features and Feature Enhancements
Segmentation and Reassembly Buffer Management Enhancements	12.1(1)DC	Not applicable
Session Scalability Enhancements	12.1(1)DC	12.1(4)DC

¹PPP = Point-to-Point Protocol

²IPCP = Internet Protocol Control Protocol

³SNAP = Subnetwork Access Protocol

⁴DHCP = Dynamic Host Configuration Protocol

⁵VC = virtual circuit

⁶IP = Internet Protocol

⁷L2TP = Layer 2 Tunneling Protocol

⁸In Cisco IOS Release 12.1(5)DC, L2TP tunnel switching for the NRP-2 has been tested and is supported at the same session and tunnel levels as the NRP-1. For more information, see Table 5.

⁹MPLS = Multiprotocol Label Switching

¹⁰VPN = Virtual Private Network

¹¹VLAN = Virtual LAN

¹²ISL = Inter-Switch Link

¹³GE = Gigabit Ethernet

¹⁴ATM = Asynchronous Transfer Mode

¹⁵PVC = permanent virtual circuit

¹⁶FE = Fast Ethernet

¹⁷PIM = Protocol Independent Multicast

¹⁸VPI = Virtual path identifier

¹⁹VCI = Virtual channel identifier

²⁰LAC = L2TP access concentrator

²¹DNS = Domain Name System

New and Changed Information

The following sections list the new hardware and software features supported by the Cisco 6400 NRP for Release 12.1(5) DC3.

Note Most of the features documented in this section have a feature module. For information about feature modules, see the "Feature Navigator" section.

New Hardware and Software Features Supported in Release 12.1(5)DC3

No new hardware and software features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(5)DC3.

New Hardware and Software Features Supported in Release 12.1(5)DC2

No new hardware and software features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(5)DC2.

New Hardware and Software Features Supported in Release 12.1(5)DC1

No new hardware and software features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(5)DC1.

New Hardware Features Supported in Release 12.1(5)DC

The following new hardware features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(5)DC.

Gigabit Ethernet Interface (NRP-2 only)

As of Cisco IOS Release 12.1(5)DC, the Gigabit Ethernet (GE) interface on the NRP-2 is supported. The GE interface complies with the IEEE 802.3z specification and requires the appropriate Gigabit Interface Converter (GBIC) and optical fiber cable to enable one of the following connections:

•

1000BASE-SX (short wavelength)—Full-duplex operation with short-wavelength (850-nm) devices over multimode optical-fiber link spans of up to 1804 feet (550 m).

•

1000BASE-LX/LH (long wavelength/long haul)—Full-duplex operation with long-wavelength (1300-nm) devices over multimode or single-mode optical fiber. This enhancement to the IEEE 802.3z standard complies with the IEEE 802.3z 1000BASE-LX specification but extends the transmission distance up to 6.2 miles (10 km).

•

1000BASE-ZX (extended wavelength)—Full-duplex operation with extended-wavelength (1550-nm) devices over single-mode optical-fiber link spans of up to 43.5 miles (70 km). Link spans of up to 100 km are possible using premium single-mode fiber or dispersion-shifted single-mode fiber.

The GE interface supports auto-negotiation, flow-control, On-line Insertion and Removal (OIR), MAC and Drive loopback control, 802.1Q encapsulation over GE, and ISL encapsulation over GE.

The GE interface uses the same CLI commands as the Gigabit Ethernet Port Adapter for the Cisco 7200 series routers. For information about these commands, see the Gigabit Ethernet Port Adapter feature module at http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e4/gepa.htm.

For information on the GBICs, see the Gigabit Interface Converter Installation Instructions for the Cisco 6400 NRP-2 Module at http://www.cisco.com/univercd/cc/td/doc/product/dsl_prod/6400/hardnote/nrp2gbic.htm.

New Software Features Supported in Release 12.1(5)DC

The following new software features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(5)DC.

8000 PPPoE Sessions Terminated on NRP-2

As of Cisco IOS Release 12.1(5)DC, 8000 PPPoE sessions are supported on a single NRP-2 for the following configuration:

•

PPPoE sessions are terminated directly on the NRP-2; no L2TP tunneling is involved

Cisco recommends 512 MB memory on the NRP-2 to support 8000 sessions. Session counts for PPPoE tunneled, PPPoA terminated or tunneled, RBE, and RFC 1483 IP routed remain at 4000 sessions on the NRP-2 for Release 12.1(5)DC.

CEF Switching for Routed Bridge Encapsulation

The CEF Switching for Routed Bridge Encapsulation feature adds Cisco Express Forwarding (CEF) switching support to ATM routed bridge encapsulation (RBE). Prior to this release, ATM RBE supported only fast switching and process switching. The ATM RBE feature is used to route IP over bridged RFC 1483 Ethernet traffic from a stub-bridged LAN.

DHCP Option 82 Support for Routed Bridge Encapsulation

The DHCP Option 82 Support for RBE feature provides support for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option (Option 82) when using ATM RBE.

Service providers are increasingly using ATM RBE to configure DSL access. The DHCP Option 82 Support for RBE feature enables those service providers to use DHCP to assign IP addresses and DHCP Option 82 to implement IP address assignment policies such as limiting the number of IP addresses on specific ports on specific ports or ATM VCs.

The DHCP Relay Agent Information Option enables a DHCP relay agent to insert information about itself when forwarding client-originated DHCP packets to a DHCP server. The DHCP server can use this information to implement IP address or other parameter-assignment policies.

The DHCP Option 82 Support for RBE feature uses a suboption of the DHCP Relay Agent Information Option called Agent Remote ID. The Agent Remote ID suboption enables the DHCP relay agent to report the ATM RBE subinterface port information to the DHCP server when a DHCP IP address request is processed through the ATM RBE subinterface. The DHCP server can use the ATM RBE subinterface information for making IP address assignments and security policy decisions.

HTTP Redirect (for the Service Selection Gateway)

The Hypertext Transfer Protocol (HTTP) Redirect feature works in conjunction with the Cisco Service Selection Dashboard (SSD) to implement captive portals. If a user has not logged in and sends packets upstream to a configurable group of TCP ports, SSG sends those packets to a captive portal group (one or more servers). The SSG handles the incoming packets in a suitable manner, such as returning a login page.

The group of captive portals consists of one or more SSDs, which may or may not be arranged in order of priority. The SSG will redirect packets to the captive portal groups on a round-robin basis.

The HTTP Redirect feature provides a means for user authentication without requiring the user to know about the dashboard URL. It enables service providers to implement captive portals, own the user experience, advertise value-added services, and build a brand experience.

Note The HTTP Redirect feature requires Release 3.0(1) of the SSD, which is scheduled to ship in June.

Note In Cisco IOS Release 12.1(5)DC, the HTTP Redirect feature is not supported for subscribers connecting to SSG using PPP and RBE.

Defining a captive portal group:
ssg http-redirect group <groupname> server < ip address> <port>

Adding a TCP port to a portal group:
ssg http-redirect port <incoming destination port number> group <groupname>

Adding a destination service address to a portal group:
ssg http-redirect bind <service name> group <groupname>

Setting a default group for unauthorized user redirection:
ssg http-redirect unauthorized-user group <groupname>

Setting the frequency of loading requests to send to servers in a group:
ssg http-redirect group <groupname> poll-frequency <frequency>

Setting the time before a server is declared inactive:
ssg http-redirect group <groupname> retry-count <count>

Displaying debug HTTP redirect information:
debug ssg http-redirect [packet |server]

For more information about the HTTP Redirect feature, see the Node Route Processor—Service Selection Gateway Enhancements V feature module.

IP Overlapping Address Pools (OAP) (NRP-1 only)

IPCP IP pool processing implements all IP addresses as belonging to a single IP address space and a given IP address should not be assigned multiple times. IP developments such as VPDN and NAT implement the concept of multiple IP address spaces where it can be meaningful to reuse IP addresses, although such usage must ensure that these duplicate addresses are not placed in the same IP address space. This release introduces the concept of an IP address group to support multiple IP address spaces and still allow the verification of nonoverlapping IP address pools within a pool group. Pools without an explicit group name are considered members of the base system group and are processed in the same manner as the original IP pool implementation.

Existing configurations are not affected by the new pool feature. The "group" concept is an extension of the existing ip local pool command. Processing of pools that are not specified as members of a group is unchanged from the existing implementation.

The IP OAP feature gives greater flexibility in assigning IP addresses dynamically. It allows the user to configure overlapping IP address pool groups to create different address spaces and concurrently use the same IP addresses in different address spaces.

Defining a pool:
This existing ip local pool syntax is extended to:
ip local pool <pool-name> <start-IP> [<end-IP>] [group <group-name>] [cache-size <size>]

Displaying a pool:
This existing show command syntax is extended to:
show ip local pool [[group <group-name>] | [ <poolname> ]]

For more information about the IP OAP feature, see the Overlapping IP Address Pools feature module.

NetFlow Switching with RFC 1483 (NRP-1 only)

NetFlow switching is now supported on the Cisco 6400 NRP-1 when used with RFC 1483 routed PVCs in MPLS VPNs. The netflow records only record-data flowing into the MPLS VPN. For more information about NetFlow switching, see the NetFlow Switching chapter of the Cisco IOS Switching Services Configuration Guide, Release 12.1. For examples of RFC 1483 routed PVCs in MPLS VPNs, see the Configuring Multiprotocol Label Switching on the Cisco 6400 UAC configuration note.

New NRP-2 features (Feature synchronization)

As of Cisco IOS Release 12.1(5)DC, the following features, which were already supported for the NRP-1, are also supported for the NRP-2:

Open Garden (for the Service Selection Gateway)

An Open Garden is one or more domains that may be accessed without user authentication. This differs from a "Walled Garden". A "Walled Garden" refers to a collection of websites, or networks in general, that a user can access after providing minimal authentication information.

The Open Garden enhancement enables a list of up to 100 domains to be associated with the default network. If a subscriber creates a DNS request for one of those domain names, the DNS request will be resolved by the SSG to the default network. This ensures that a subscriber will be able to access the Service Selection Dashboard, which typically resides on the management network with a private address, even when the subscriber is assigned a public DNS server.

With the Open Garden enhancement, a subscriber can access a limited number of websites without logging into the network. The administrator can configure which sites a non-authenticated user is allowed to access.

Local profile attributes "R","O", and "D", where networks and domain names lists can be configured for each Open Garden network:
"R" Open Garden Network
"O" Domain Names List
"D" DNS IP address in Open Garden network.

Entering a profile configuration mode and configuring a local RADIUS service profile:
Router(config)# local-profile profilename

Configuring an attribute in a local RADIUS service profile:
Router(config-prof)# attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value

Adding this newly created profile to the Open Garden list:
ssg open-garden <service profile name>

For more information about the Open Garden enhancement, see the Node Route Processor—Service Selection Gateway Enhancements V feature module.

RADIUS Attribute 4 and Format d—Introduction of a New Command

When using RADIUS attribute 4 and "format d" in a VPI/VCI configuration or in a SSG configuration, the new command radius-server attribute 4 nrp allows the default-selected IP address to be changed. This command can only be enabled if "format d" is already configured.

Table 3 shows how RADIUS global configuration commands can be combined to select an IP address.

New Hardware Features Supported in Release 12.1(4)DC2

The following new hardware features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(4)DC2.

Node Route Processor 2 (NRP-2)

The second-generation node route processor (NRP-2) for the Cisco 6400 platform allows aggregation and termination of large numbers of broadband subscribers while supporting Layer 3 and integrated high-touch services such as authentication, policy routing, and Network Address Translation (NAT). The Cisco 6400 receives subscribers over OC-3, OC-12, or DS-3 interfaces on node line cards (NLCs). The node switch processor (NSP) switches incoming virtual circuits (VCs) or virtual paths (VPs) to the appropriate NRP-2. The NRP-2 aggregates and terminates the incoming virtual circuits (VCs), offering extended services based on user and service profiles through the Service Selection Gateway (SSG).

Benefits of the NRP-2

Table 3 RADIUS Global Configuration Commands and Selected IP Addresses
Global Configuration Commands	Selected IP Address
ip radius source-interface <int x>	radius-server attribute nas-port format d	radius-server attribute 4 nrp
Enabled			NRP IP address¹
	Enabled		NSP IP address
Enabled	Enabled		NSP IP address
Enabled	Enabled	Enabled	NRP IP address ¹
	Enabled	Enabled	NRP best-select IP address ²

The NRP-2 increases the session capacity of the Cisco 6400, providing a dramatic reduction in cost per subscriber. Table 5 shows the number of sessions and tunnels supported by the NRP-2 in Cisco IOS Release 12.1(4)DC2 and subsequent releases.

The NRP-2 supports a 622-Mbps ATM interface to the backplane and a Gigabit Ethernet (GE) packet interface on the faceplate.

The NRP-2 hardware includes two processor subsystems. In Cisco IOS Release 12.1(4)DC2, only one of the processors is used. In future software releases, the second processor will be used to provide increased session scalability.

Configuration storage, console traffic, and network management traffic are now controlled by the existing NSP, providing a more manageable and integrated platform. You can use a single console port on the NSP to access the console lines of all NRP-2s in the Cisco 6400 chassis and use a single management Ethernet interface on the NSP to monitor all NRP-2s in the system.

The NRP-2 can be deployed in a Cisco 6400 chassis with existing modules, including the first-generation NRP-1. This enables you to increase your network capacity without replacing the chassis.

Note In redundant configurations, NRPs must be paired with NRPs of the same type (NRP-1 with NRP-1, NRP-2 with NRP-2). However, note that Cisco IOS Release 12.1(4)DC2 and subsequent releases do not support redundancy on the NRP-2. Future software releases may introduce redundancy support on the NRP-2.

The modular nature of the NRP-2 allows you to upgrade as your subscriber base grows. As the demand for services rises, you can add NRP-2 modules to the Cisco 6400 to provide increased session and bandwidth support.

Differences Between the NRP-1 and NRP-2

More Information about the NRP-2

New Software Features Supported in Releases 12.1(4)DC2

The following new software features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(4)DC2.

ATM PVC Range and RBE Subinterface Grouping by PVC Range

In a digital-subscriber line (DSL) environment, many applications require the configuration of a large number of ATM permanent virtual circuits (PVCs). The ATM PVC Range and routed bridge encapsulation (RBE) Subinterface Grouping feature enables you to group a number of PVCs together into a PVC range in order to configure them all at once.

For applications that use multipoint subinterfaces, such as PPP over Ethernet and PPP over ATM, the PVC range is on a single multipoint subinterface. For applications that use point-to-point subinterfaces, such as RBE, a point-to-point subinterface is created for each PVC in the range.

Configuring many PVCs and subinterfaces at once saves time for the user and the parser, and conserves NVRAM space.

A PVC range is defined by two virtual path identifier (VPI)/virtual channel identifier (VCI) pairs. The two VPIs define a VPI range, and the two VCIs define a VCI range. The number of PVCs in the PVC range equals the VPI range multiplied by the VCI range.

Table 4 Differences Between NRP-1 and NRP-2
Characteristic	NRP-1	NRP-2
Session scalability	Hardware supports as many as 2000 sessions per NRP-1.	Hardware supports as many as 16,000 sessions per NRP-2
Physical interfaces	Faceplate interfaces: •Console port •Auxiliary port •Ethernet port •Fast Ethernet port	Faceplate interfaces: •Gigabit Ethernet interface¹
Backplane interfaces: •155-Mbps ATM interface •Backplane Ethernet (BPE)	Backplane interfaces: •622-Mbps ATM interface •PAM² mailbox serial interface³
Location of software images, configurations, and crash information	NRP-1 memory (built-in or internal Flash)	PCMCIA⁴ disk on NSP
Message logging	Messages are logged on the NRP-1 as local messages.	NRP-2 messages are logged on both the NSP and NRP-2. NRP-2 messages on the NSP include the NRP-2 slot number.
Console line access	Direct external connection to NRP-1 console port or auxiliary port	Indirect external connection via the NSP. NSP contains a virtual communication server to access the NRP-2 console.
ROMMON⁵	ROMMON not upgradable; NRP-1 ROM state information stored locally on NRP-1	ROMMON is upgradable; NRP-2 ROM state information is stored on the NSP PCMCIA disk.
SNMP⁶	Standard SNMP services	Standard SNMP services, or can use the NSP as the proxy forwarder
LED display	None	On faceplate

Once the PVC range is defined, you can configure the range by using the existing Interface-ATM-VC configuration commands that are also supported in PVC range configuration mode. The shutdown PVC range command can be used to deactivate the range without deleting the configuration.

The ATM PVC Range and RBE Subinterface Grouping feature also introduces the pvc-in-range command, which allows you to explicitly configure an individual PVC within the defined range of PVCs on a multipoint subinterface. The shutdown PVC-in-range command allows you to deactivate an individual PVC within a range.

ATM PVC Range only supports multipoint ATM subinterfaces. You cannot configure individual PVCs within a PVC range on point-to-point subinterfaces. You must remove the individual PVC configurations from the configuration file to take advantage of the PVC range. If multiple configurations remain in the file, these configurations will override the PVC range commands.

For more information about this feature, see the ATM PVC Range and Routed Bridge Encapsulation Subinterface Grouping feature module.

New Hardware Features Supported in Release 12.1(3)DC1

There are no new hardware features for the Cisco 6400 NRP supported in Cisco IOS Release 12.1(3)DC1.

New Software Features Supported in Release 12.1(3)DC1

The following new software features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(3)DC1.

IPCP Subnet Mask Support Enhancements

IP Control Protocol (IPCP) subnet mask support allows customer premise equipment (CPE) to connect to the Cisco 6400 NRP and obtain an IP address and subnet mask range that it can use to populate its Dynamic Host Configuration Protocol (DHCP) server database. However, the software default setting does not allow subnet negotiations.

To enable IPCP subnet mask support, issue the ppp ipcp mask CLI command. In addition, a value must be specified for the Framed-IP-Netmask attribute (Internet Engineering Task Force [IETF] RADIUS attribute 9) in the RADIUS user profile.

The Cisco 6400 NRP brings up PPP sessions with the CPE and authenticates each CPE as a separate user. The Cisco 6400 NRP adds a static route for the IP address with the subnet mask specified. If the subnet mask is specified in the user profile, the Cisco 6400 NRP passes the IP netmask value and the IP address to the CPE during IPCP negotiation. The CPE uses the subnet mask to calculate an IP address pool from which IP addresses are assigned to PCs using the access link.

For more information about the IPCP subnet mask support feature, see the PCP Subnet Mask Support Enhancements feature module.

Note The IPCP subnet mask support feature was introduced in Cisco IOS Release 12.0(5)DC.

Multilink PPP

Multilink Point-to-Point Protocol (PPP), referred to as MLPPP or MLP, is now supported on the Cisco 6400 NRP. MLP provides a method for spreading traffic across multiple physical WAN links while providing packet fragmentation and reassembly, proper sequencing, multivendor interoperability, and load balancing on inbound and outbound traffic. MLP provides bandwidth on demand and reduces transmission latency across WAN links.

For information about configuring MLP, see the chapter Configuring Media-Independent PPP and Multilink PPP in the PPP Configuration section of the Cisco IOS Dial Services Configuration Guide: Terminal Services.

L2TP LAC CEF Switching

Cisco express forwarding (CEF) is now supported on the Cisco 6400 NRP configured as an L2TP access concentrator (LAC).

For more information about CEF, see the chapter "Cisco Express Forwarding" in the Cisco IOS Switching Services Configuration Guide. For more information about L2TP, see the Layer 2 Tunnel Protocol Scalability Enhancements feature module.

Single-Host Logon

Single-Host Logon is an enhancement to the Node Route Processor—Service Selection Gateway (NRP-SSG). Single-Host Logon combines the PPP session logon and NRP-SSG host logon steps into one.

For more information, see the Node Route Processor-Service Selection Gateway Enhancements IV feature module.

Note For NRP-Service Selection Gateway (SSG) users, Cisco IOS Release 12.1(5)DC works with the Cisco Service Selection Dashboard (SSD) version 2.5(1) that supports the Single-Host Logon feature.

Note The SSG allows subscribers to log on to services and reach the service network, even when there is no static service binding on the SSG, nor a dynamic binding using a Next Hop Gateway (NHG) table.

Per VC Error Display

The command show controllers atm of the command language interface (CLI) was modified to allow the user to:

•

enable the output of cyclic redundancy check (CRC) error counts on a per-virtual circuit (VC) basis,

•

display only segmentation and reassembly (SAR) controller information as the default output,

•

control the output with new options, including error counters on a per-VC basis.

For more information about this feature, see the Per VC Error Display feature module.

RADIUS Attribute 8 (Framed-IP-Address) in Access Requests

The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible for a network access server to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of user names and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication.

For more information about this feature, see the RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature module.

Service Selection Gateway (SSG) Proxy RADIUS Enhancements

The Cisco 6400 NRP-SSG feature was first released in Cisco IOS Releases 12.0(3)DC, while enhancements were added in subsequent releases. Releases 12.1(3)DC1 introduces the following Proxy RADIUS Enhancements:

•

Service-Defined Cookie—A configurable vendor-specific attribute (VSA) that allows user-defined information to be included in the RADIUS authentication and accounting requests.

•

Full Username RADIUS Attribute—Enables usage of the full username (user@service) in the RADIUS authentication and accounting requests.

For more information about these enhancements, see the Node Route Processor-Service Selection Gateway Enhancements IV feature module.

New Hardware Features Supported in Release 12.1(1)DC1

There are no new hardware features for the Cisco 6400 NRP supported in Cisco IOS Release 12.1(1)DC1.

New Software Features in Release 12.1(1)DC1

The following new software features are supported by the Cisco 6400 NRP for Cisco IOS Release 12.1(1)DC1.

Cisco Express Forwarding

CEF switching is now supported for PPP over ATM (PPPoA), generic routing encapsulation (GRE), and Network Address Translation (NAT).

Dynamic Host Configuration Protocol Relay for Unnumbered Interfaces Using ATM RBE

Dynamic Host Configuration Protocol (DHCP) Relay now supports unnumbered interfaces using ATM route bridge encapsulation (RBE). DHCP Relay automatically adds a static host route specifying the unnumbered interface as the outbound interface.

DHCP Relay now also can use the ip dhcp database global configuration command. This optional command allows the DHCP Relay to save route information to a TFTP, FTP, or RCP server for recovery after reloads.

For more information about DHCP, see "Configuring DHCP" in the Cisco IOS IP and IP Routing Configuration Guide and "DHCP Commands" in the Cisco IOS IP and IP Routing Command Reference. For more information about the ATM RBE feature, see the ATM Routed Bridge Encaps feature module.

Session Scalability Enhancements

•

Limiting the number of simultaneous link control protocol session initiations

For more information, see the Session Scalability Enhancements II feature module.

L2TP Tunnel Management Enhancements

•

Tunnel Sharing—Enables sessions authorized with different domains to share the same tunnel

•

Sessions per Tunnel Limiting—Enables the initiate-to command to limit the number of sessions per L2TP tunnel

For more information, see the L2TP Tunnel Management Enhancements feature module

L2TP Tunnel Service Authorization Enhancements

These enhancements enable the L2TP access concentrator (LAC) to conduct static or dynamic tunnel service authorization. A static domain name can be configured on the ATM permanent virtual circuit (PVC) port to override the domain name supplied by the client. If a static domain name is not configured, the LAC conducts dynamic tunnel service authorization, which now includes two steps:

Domain Preauthorization—The LAC checks the client-supplied domain name against an authorized list configured on the RADIUS server for each PVC. If successful, the LAC proceeds to tunnel service authorization. If domain preauthorization fails, the LAC attempts PPP authentication/authorization for local termination.

Tunnel Service Authorization—The user profile on the RADIUS server provides a list of domains accessible to the user, enabling tunnel service authorization for the client-supplied domain. If successful, the LAC establishes an L2TP tunnel.

For more information, see the L2TP Tunnel Service Authorization Enhancements feature module.

L2TP Tunnel Switching

This feature enables the Cisco 6400 NRP to terminate tunnels from LACs and forward the sessions through new L2TP tunnels selected independently of the client-supplied domains. The NRP as a tunnel switch performs virtual private dial-up network (VPDN) tunnel authorization based on the ingress tunnel names that are mapped to specified LTP Network Servers (LNSs).

Node Route Processor-Service Selection Gateway—Local Forwarding

This feature includes the Local Forwarding enhancement to the Node Route Processor—Service Selection Gateway (NRP-SSG). Local Forwarding enables NRP-SSG to forward packets locally.

For more information, see the Node Route Processor—Service Selection Gateway Enhancements III feature module.

Segmentation and Reassembly Buffer Management Enhancements for the NRP-1

This feature includes the following enhancements to segmentation and reassembly (SAR) buffer management:

For more information, see the Segmentation and Reassembly Buffer Management Enhancements
feature module.

PPP Autosense

•

Distinguish between incoming PPPoA and PPP over Ethernet (PPPoE) sessions with Subnetwork Access Protocol (SNAP) encapsulation

PPP over Ethernet (PPPoE) Fast Switching for Multicast

PPPoE now supports fast switching for multicast in addition to Cisco express forwarding (CEF).

VPI/VCI Identification in RADIUS Requests

This feature enables the RADIUS VC Logging [Cisco IOS Release 12.0(5)DC] feature to support PPPoE. With RADIUS VC Logging enabled, the RADIUS network access server port field is extended and modified to carry VPI/VCI information. This information is logged in:

Limitations and Restrictions

Cutting and Pasting through the NRP-2 Console Port

The NRP-2 does not support the cutting and pasting of configurations through the console port. Doing so might cause the NRP-2 to pause indefinitely.

Maximum Transmission Unit

The maximum transmission unit (MTU) of the NRP-2 ATM interface to the backplane is 1900 bytes. Any incoming packet larger than 1900 bytes is dropped by the NRP-2. To make sure that no incoming packets are larger than the NRP-2 MTU, see the section Matching the MTU Size of the NRP-2 and Its Network Neighbors (Optional) in the NRP-2 feature module.

Traffic Shaping on the NRP-2

In Cisco IOS Release 12.1(5) DC3, the NRP-2 does not support available bit rate (ABR), unspecified bit rate (UBR), or variable bit rate (VBR) traffic shaping. Future releases might support traffic shaping on the NRP-2.

VPI and VCI Limitations

VPI and VCI values on the NRP-2 must share 14 bits. By default, VPI values are limited to 4 bits (0-15), and VCI values are limited to 10 bits (0-1023). You can change the VPI and VCI ranges, but together the VPI and VCI values cannot exceed 14 bits. To change the allowed VPI and VCI values, see the Modifying VPI and VCI Ranges (Optional) section in the NRP-2 feature module.

Important Notes

Service Selection Gateway—Change in Service Object Behavior

Up to Cisco IOS Release 12.1(5) DC3, when there was no user who used a service, the Service Selection Gateway service object was removed automatically when the last user logged off the service.

As of Cisco IOS Release 12.1(5) DC3, the service object stays in the system after all users who have used the service have logged off. The same service object will be reused when a user logs on to the service again. If the administrator knows that the service has become obsolete, the administrator can remove the service object through the CLI command clear ssg service <service name>.

Session and Tunnel Scalability

Cisco IOS Release 12.1(5) DC3 supports the number of sessions and tunnels shown in Table 5. While using NRP-SSG, Cisco IOS Release 12.1(5) DC3 supports the number of sessions and tunnels shown in Table 6.

Table 5 Session and Tunnel Scalability in Cisco IOS Release 12.1(5) DC3
Protocol	NRP-1	NRP-2
Number of Supported Sessions	Number of Supported Tunnels	Number of Supported Sessions	Number of Supported Tunnels
L2TP PPPoA	1700	300	4000	1000
L2TP PPPoE	2000	300	4000	1000
L2TP Tunnel Switch PPPoA	940	50 Ingress 10 Egress	940	50 Ingress 10 Egress
L2TP Tunnel Switch PPPoE	940	50 Ingress 10 Egress	940	50 Ingress 10 Egress
PPPoA	2000	—	4000	—
PPPoE	2000	—	8000	—
PPP Autosense	2000	—	4000	—
RBE	2000	—	4000	—
RFC 1483 IP Routed	2000	—	4000	—

Table 6 NRP-SSG Session and Tunnel Scalability in Cisco IOS Release 12.1(5) DC3
Protocol with NRP-SSG	NRP-1	NRP-2
Number of Supported Sessions	Number of Supported Tunnels	Number of Supported Sessions	Number of Supported Tunnels
L2TP PPPoA	700	100	2000	1000
L2TP PPPoE	700	100	1500	1000
PPPoA	2000	—	4000	—
PPPoE	2000	—	4000	—
RBE	2000	—	4000	—
RFC 1483 IP Routed	2000	—	4000	—

Note In most NRP-2 configurations, 256 MB DRAM is adequate for up to 6500 (PPPoE) sessions. More sessions require 512 MB DRAM.

Note The default threshold at which Cisco IOS declares a process to have run "too long" is too short for some Cisco IOS processes, when very large numbers of sessions are established on the NRP-2. Use the command scheduler max-task-time 20000 to increase the default threshold. This will avoid unnecessary "CPUHOG" messages.

Session Scalability Commands

This section provides commands that can be applied to achieve the session counts listed in Table 5 and Table 6.

Table 7 and Table 8 list commands for which Cisco recommends a particular setting in Cisco IOS Release 12.1(5) DC3. Table 9 lists additional commands that might be useful to achieve high session counts, but for which no recommended settings are provided; the setting of these commands depends on the user's environment and configuration.

For additional information, refer to the Layer 2 Tunnel Protocol Scalability Enhancements feature module and the Session Scalability Enhancements feature module.

L2TP Session Scalability Commands with Recommended Settings for Both the NRP-1 and NRP-2

Table 7 lists L2TP session scalability commands with recommended settings that apply to both the NRP-1 and NRP-2 in Cisco IOS Release 12.1(5) DC3.

L2TP Session Scalability Commands with Recommended Settings for the NRP-2

Table 7 L2TP Session Scalability Commands with Recommended Settings for the NRP-1 and NRP-2
Configuration Task and Commands	Guidelines
Modifying the PPP Max Configure: NRP(config)# ppp max-configure number	1. Purpose Specifies the number of Configure Requests.
2. Symptoms Use when a large number of connections flap¹.
3. Recommended Settings To achieve a large number of sessions, Cisco recommends a setting of 225 (that is, the value for number) on the NRP-1 and NRP-2.
Precloning Virtual Access Interfaces: NRP(config)# virtual-template template-number preclone number	1. Purpose Specifies the number of virtual access interfaces to be created and cloned from a specific virtual template.
2. Symptoms Use to reduce the load on the system during call setup.
3. Recommended Settings The recommended setting depend on the number of sessions that need to be configured. For example, to configure 2000 sessions on the NRP-1, enter a value of 2000 for number; to configure 4000 sessions on the NRP-2, enter a value of 4000 for number.

Table 8 lists L2TP session scalability commands with recommended settings that apply to the NRP-2 in Cisco IOS Release 12.1(5) DC3.

Additional L2TP Session Scalability Commands

Table 8 L2TP Session Scalability Commands With Recommended Settings for the NRP-2
Configuration Task and Commands	Guidelines
Increasing the Input Hold-Queue Limit: •NRP(config)# interface atm slot/subslot/port •NRP(config-if)# hold-queue length in	1. Purpose Specifies the maximum number of packets in the input hold-queue.
2. Symptoms Use when the show interfaces EXEC command reveals an excessive number of discarded packets because of input hold-queue overflows.
3. Recommended Settings To accommodate more incoming control messages in the queue, set the maximum number of packets to a high value: NRP-2: 1000 packets or more
Increasing the Output Hold-Queue Limit: •NRP(config)# interface atm slot/subslot/port •NRP(config-if)# hold-queue length out	1. Purpose Specifies the maximum number of packets in the output hold-queue.
2. Symptoms Use when the show interfaces EXEC command reveals an excessive number of discarded packets because of output hold-queue overflows.
3. Recommended Settings To accommodate more outgoing control messages in the queue, set the maximum number of packets to a high value: NRP-2: 1000 packets or more

Table 9 lists additional commands that might be useful to achieve the session counts listed in Table 5 and Table 6, but for which no recommended settings are provided; the setting of these commands depends on the user's configuration and environment.

Table 9 Additional L2TP Session Scalability Commands Without Recommended Settings
Configuration Task and Commands	Guidelines
Limiting the Number of LCP Session Initiations: NRP(config)# lcp max-session-starts number	1. Purpose Specifies the maximum number of simultaneous LCP sessions to be negotiated.
	2. Symptoms Use when a large number of parallel LCP sessions causes many sessions to timeout and retry, which can result in a chain reaction of LCP session negotiations and excessive session recovery times.
	3. Settings Information To limit the number of simultaneous LCP session initiations, set the value for number between 100 and 3000.
Limiting the Load Metric: NRP(config)# lcp max-load-metric number	1. Purpose Specifies the maximum load metric based on the length of the PPP manager process input queue.
	2. Symptoms Use to shorten the session recovery time after a link dropout.
	3. Settings Information The nominal value for number depends on many factors. Cisco recommends that you start with 100. Try several values and select the one that results in the shortest session-recovery time after a link dropout.
Modifying the PPP Authentication Timeout: •NRP(config)# interface virtual-template number •NRP (config-if)# ppp timeout authentication seconds	1. Purpose Specifies the PPP authentication timeout.
	2. Symptoms Use when the number of stable sessions is low because the waiting time for a response from the remote peer is too short, resulting in a PAP¹ authentication request, CHAP² challenge, or CHAP response being retransmitted.
	3. Settings Information The default PPP authentication timeout is 10 seconds. On the NRP-2, to increase the PPP authentication timeout, start with 15 seconds. Try several numbers and select the one that results in the highest number of stable sessions. (The maximum number is 255 seconds.)
Modifying the PPP Retry Timeout: •NRP(config)# interface virtual-template number •NRP(config-if)# ppp timeout retry seconds	1. Purpose Specifies the PPP retry timeout.
	2. Symptoms Use when the number of stable sessions is low because the waiting time for a response from the remote peer is too short, resulting in a configuration request or connection-termination request being retransmitted.
	3. Settings Information The default PPP retry timeout is 2 seconds. On the NRP-2, to increase the PPP retry timeout, start with 15 seconds. Try several numbers and select the one that results in the highest number of stable sessions. (The maximum number is 255 seconds.)
Setting the Number of Retransmission Attempts: •NRP(config)# vpdn-group number •NRP(config-vpdn)# l2tp tunnel retransmit retries value	1. Purpose Specifies the number of retransmission attempts per selected VPDN group.
	2. Symptoms Use when the number of retransmission attempts is insufficient.
	3. Settings Information The default number of L2TP tunnel control channel retransmission attempts is 10.
Setting the Minimum and Maximum Retransmission Timeouts: •NRP(config)# vpdn-group number •NRP(config-vpdn)# l2tp tunnel retransmit timeout min seconds •NRP(config-vpdn)# l2tp tunnel retransmit timeout max seconds	1. Purpose Specifies the minimum or maximum timeout for retransmissions on a selected VPDN group.
	2. Symptoms Use when the timeout for retransmissions is too short or to long. To determine the best minimum and maximum timeouts for a given topology, use the privileged EXEC command show vpdn tunnel all and check the displayed retransmit time distribution.
	3. Settings Information Control channel retransmissions follow an exponential backoff, starting at the minimum retransmission timeout, and ending at the maximum retransmission timeout. The maximum timeout can be set to up to 8 seconds.
Setting the Local Control Channel Receive Window Size: •NRP(config)# vpdn-group number •NRP(config-vpdn)# l2tp tunnel receive-window packets •NRP(config-vpdn)# exit •NRP(config)# end •NRP# clear vpdn tunnel l2tp remote-name local-name	1. Purpose Specifies the size of the advertised receive window per selected VPDN group, clears all sessions, and drops the tunnel.
	2. Symptoms Use when the L2TP control channel sends requests too slowly.
	3. Settings Information The default local receive window size (RWS) is 3000 packets.
Setting the L2TP Tunnel Timeout: •NRP(config)# vpdn-group number •NRP(config-vpdn)# l2tp tunnel nosession-timeout seconds	1. Purpose Specifies the tunnel timeout length per selected VPDN group.
	2. Symptoms Use when a tunnel timeout is too short. For example, after all of its sessions are gone and you expect sessions to come back immediately, you might want to keep the tunnel open.
	3. Settings Information The default tunnel timeout is 10 seconds for an LNS and 15 seconds for an LAC.

¹PAP = Password Authentication Protocol

²CHAP = Challenge Handshake Authentication Protocol

Software Caveats

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.

All caveats in Cisco IOS Release 12.1 and Cisco IOS Release 12.1 T are also in Cisco IOS Release 12.1(5) DC3.

For information on caveats in Cisco IOS Release 12.1, see Caveats for Cisco IOS Release 12.1.

For information on caveats in Cisco IOS Release 12.1 T, see the Caveats for Cisco IOS Release 12.1 T, which lists severity 1 and 2 caveats and select severity 3 caveats and is located on Cisco.com and the Documentation CD-ROM.

Note Cisco IOS Release 12.1(5) DC3 is in synchronization with Cisco IOS Release 12.1(5)T4.

Caveat numbers and brief descriptions are listed in Table 10. For details about a particular caveat, go to Bug Toolkit at:

To access this location, you must have an account on Cisco.com. For information about how to obtain an account, go to the "Feature Navigator" section.

Open Caveats—Cisco IOS Release 12.1(5) DC3

Resolved Caveats—Cisco IOS Release 12.1(5) DC3

Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available. Cisco has made software available, free of charge, to correct the problem. For more information, refer to the advisory posted at:

Open Caveats—Cisco IOS Release 12.1(5) DC2

Resolved Caveats—Cisco IOS Release 12.1(5) DC2

All the caveats listed in this section are resolved in Cisco IOS Release 12.1(5) DC2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.

An error can occur with management protocol processing. Please use the following URL for further information:

Open Caveats—Release 12.1(5)DC1

Resolved Caveats—Release 12.1(5)DC1

All the caveats listed in Table 10 are closed or resolved in Cisco IOS Release 12.1(5)DC1. This table lists only severity 1 and 2 caveats and select severity 3 caveats.

Open Caveats—Release 12.1(5)DC

This section describes possibly unexpected behavior by Cisco IOS Release 12.1(5)DC. This section describes severity 1 and 2, and selected severity 3 and 4 caveats.

Caveats that Apply to Both the NRP-1 and NRP-2

After all NRP-SSG users log off a specific service, the service object is cleared, but the subblock associated with the interface is not reset. As a result, all traffic from the interface is still treated by NRP-SSG as downstream traffic.

Table 10 Closed or Resolved Caveats for Release 12.1(5)DC1
Caveat ID Number	Description
CSCds15443	TAG TDP stops running after reboot on ethernet interface
CSCds30806	OSPF:scanner displays error messages for Type3 LSAs
CSCds73113	DHCP packets are not forwarded on second configured RBE interface
CSCdt02925	Relay gets bus error for relay_unnumber_db when C cant get reply
CSCdt31521	TFIB:TFIB tag-rewrite memory leak
CSCdt34231	NRP1FastEthernet0/0/0 flaps when adding/removing subinterfaces
CSCdt47730	OSPF and XtagATM interface issues on NRP when NSP reloads
CSCdt51547	Packet drop with ip verify unicast reverse-path
CSCdt65960	For NRP2, access-list not working on VTY when telnet GigEther port
CSCdt69283	Relay agent is not renewing the binding using dhcp unnumbered.
CSCdt69881	Memory leak, memory allocation failure
CSCdt85227	A watchdog forced crash - meaning, ExtractQNameAsDomainName
CSCdt92513	Bus Error with long L2TP Tunnel-Server-Auth-ID (50/60 chars)
CSCdt93857	Memory leak
CSCdt96357	Radius attribute 4 NRP configuration disappears upon reload of NRP
CSCdu10108	Service name not inherited from VC Class

–

Enter the no ssg bind direction uplink global configuration command for the affected interface

Changing service binding while using the service might cause an inconsistency in the service binding table and break the NRP-SSG data path forwarding table.

Traffic coming from a Fast Ethernet (FE) interface on an NRP with Inter-Switch Link (ISL) encapsulation, forwarded out of an ATM route bridge encapsulation (RBE) interface, might not be fast-switched but process-switched when you use the bridge irb global configuration command on the NRP.

Workaround: Remove the bridge irb global configuration command from the configuration.

If the atm ilmi-pvc-discovery subinterface command is configured on both the ATM 0/0/0 interface and an ATM subinterface, the ATM PVC will not come up after the NRP reloads, unless you do a shut command followed by a no shut command on the ATM 0/0/0 interface.

Workaround: Avoid using the atm ilmi-pvc-discovery command on ATM subinterfaces.

The NRP should use "big" buffers to do IP Multicast packet replication instead of using "very big" buffers when the payload size is 1500 bytes. Since the NRP has a limited number of "very big" buffers, memory allocation failure may be seen if the payload size is 1500 bytes and IP Multicast is enabled.

The system will exhibit higher than normal CPU utilization when a telnet connection is trying to send data into a TCP connection with a zero send window. This increased CPU utilization is mostly cosmetic, as higher priority tasks will continue to run normally, and packet switching should be unaffected. There is no workaround.

On an NRP-1, during an ATM interface-flapping test in a configuration with 2000 PPPoA/40 L2TP tunnels and without any traffic, the 2000 tunnels will not all be re-established after issuing a shut command, pausing 5 minutes, and issuing a no shut command. The same test with a configuration of 1700 PPPoA/300 L2TP tunnels recovers fine. There is no workaround.

A memory leak might happen when the NRP has 2000 PPPoA sessions with AAA authentication configured and has a very large volume of trace messages to display during NRP booting up.

Workaround: Turn off console logging. (The NRP should turn off console logging as a normal operation.)

If you turn on traffic shaping on 400 or more PVCs, and heavy traffic causes the PVCs to become congested simultaneously, random PPP sessions might be dropped.

When 800 sessions are brought up through the home gateway, NRP-1, and L2TP access concentrators, the send-receive counters are out-of-sync and the tunnels are torn down. Under these circumstances, all sessions are terminated. There is no workaround.

When SSG is enabled on the NRP, issuing the clear interface ATM 0/0/0 command causes the NRP to reload.

This behavior is observed only when SSG is enabled on the NRP and does not happen when SSG has been disabled with the no ssg enable command.

Workaround: When SSG is enabled on the NRP, do not issue the clear interface ATM 0/0/0 command during any ATM traffic volume.

Alternative workaround: When SSG is enabled on the NRP, after issuing a shut command on the ATM interface, wait at least 10 minutes before issuing a no shut command.

When memory corruption causes the NRP to reload, the reload-information file might not include the dump of the corrupted memory that caused the reload. There is no workaround.

With frequent CLI operations on the ATM interface (for example, reconfiguration commands, commands to clear the interface, etc.) during heavy traffic, the NRP might have a bus-error crash in the packet-receiving path.

Workaround: Avoid frequent CLI operations on the ATM interface during heavy traffic.

The aaa accounting update command does not change the frequency of the accounting updates that are sent to the RADIUS server. There is no workaround.

An NRP looses its Tag Distribution Protocol (TDP) or Open Shortest Path First (OSPF) neighbor relationship with the downstream router when traffic of 35K packets per second (pps) at 64byte packets is sent. Performance tests indicate that the NRP is able to sustain at least 45K pps. At 32K pps at 64 byte packets, the NRP drops about 1.78 percent of the packets but does not lose the TDP/OSPF neighbor relationship.

Using the scheduler allocate 4000 200 command results in a slightly improved performance but the TDP/OSPF neighbor relationship is still lost, albeit at a somewhat higher traffic load. There is no workaround.

When SSG is enabled, it is possible to configure NetFlow with the ip route-cache flow command, assuming that the ip cef command was enabled previously. However, this is not supported by SSG and will short-circuit the SSG functionality.

While reconfiguring PVCs on the NRP, you might experience an unexpected reload after a message similar to the following message:

On a Cisco 6400, when an ATM interface is configured with RBE with IP unnumbered, static routes are not created if dynamic addresses are handed out using a Cisco IOS DHCP server. The addresses are handed out correctly by the Cisco IOS DHCP server, but the static routes are not built in the routing table.

Under rare circumstances, and more likely when IP NAT is used, an NRP might reload with the following message:

This error might be caused by process writing beyond the allocated memory. There is no workaround.

On an NRP running Cisco IOS Release 12.1(3)DC1 or subsequent releases, MS NetMeeting might not function correctly if NAT is employed. There is no workaround.

In a PPPoE session between an NRP and a Cisco 7500 series router, the NRP might not be able to send a "RADIUS attribute 8 (framed-ip-address)" in its accounting "stop" packet. There is no workaround.

Allocation of a negative number of bytes might cause a watchdog-forced reload of the NRP. There is no workaround.

In a configuration with a fully-meshed BGP configured between provider edge (PE) routers, and with MPLS enabled on all PE routers, a Cisco 6400 connected to an ATM-LSR core reloads unexpectedly after the LSC reboots several times.

Upon a failover of a redundant NSP, some PVCs on the NRP might stop transmitting cells over the ATM interface.

Workaround: Issue a shut command followed by a no shut command on the subinterface (not on the main interface).

Alternative workaround: Remove and reapply the PVCs (using CLI commands) and reboot the NRP.

Resetting a virtual interface while SNMP polls for interface information might cause a bus-error exception. There is no workaround.

In a configuration that uses the NSP as a Label Switch Router (LSR) and the NRP as a Label Edge Router (LER), if the NSP is reloaded while the NRP is up, two problems might be observed:

The NRP loses the Open Shortest Path First (OSPF)-neighbor relationship with the NSP

Both symptoms disappear if the NRP is reloaded subsequently. Occasionally, the NSP reload causes an unexpected reload of the NRP.

CEF is not working properly for an ATM-to-ATM path. When a PPPoA user is logged in to a SSG pass-through service and CEF is enabled globally, both upstream and downstream packets are CEF-switched. However, when CEF is enabled globally and disabled only at the uplink ATM sub-interface, both upstream and downstream packets are not CEF-switched. For an ATM-to-GE path, CEF is working fine. There is no workaround.

In an NRP-SSG L2TP configuration, the number of sessions that an NRP can handle diminishes under extremely heavy traffic. There is no workaround.

An NSP switchover might cause an NRP installed in slots 5, 6, 7, and/or 8 to reset.

On a Cisco 6400 running Cisco IOS Release 12.1(4)DC or subsequent releases and acting as an L2TP Network Server, the default Maximum Transmission Unit (MTU) on the virtual-access interfaces is 1460. If the end host attempts to use the maximum MTU and TCP Path MTU Discovery is not working because some routers block Internet Control Message Protocol (ICMP) messages, this might cause connectivity to break for certain clients.

The HTTP Redirect feature is not supported for subscribers connecting to SSG using RBE. There is no workaround.

If only a few users download a large file in an NRP-SSG PPPoE configuration, the utilization of the NRP CPU might grow to more than 10 percent. There is no workaround.

When multiple PPPoE clients log on/log off to/from NRP-SSG L2TP services, the amount of memory held by the "Net Background" increases proportionally with the number of sessions that log on/log off. There is no workaround for this memory leak.

If SSG cannot perform CEF because a route to the next hop is not available, SSG does not jump to the next switching path (that is, to Fast Switching). There is no workaround.

When clients destroy a PPPoE session ungracefully, the process PPP manager might hold a small amount of memory and does not return it to the processor. There is no workaround.

Caveats that Apply to the NRP-1 Only

An NRP-1 running Cisco IOS Release 12.1(4)DC1 or subsequent releases might reload unexpectedly with a bus error for an unknown reason. The address combined with the return of the show region command indicate a software crash by accessing a non-existent address. There is no workaround.

A slow memory leak might occur on an NRP-1, which is related to PPPOE authentication. With the configuration of 128 MB RAM and an average of 200 to 300 concurrent users (VPDN sessions), the memory of the NRP is exhausted after three to four weeks and the NRP needs to be reloaded.

Caveats that Apply to the NRP-2 Only

The NRP-2 configuration is held on the NSP PCMCIA Disk. When you attempt to save the configuration on the NRP-2, the process on the NSP currently does not check for available disk space before trying to write the configuration to the disk. This might cause the file to be stored on the disk incompletely, or not at all. Generally this is not an issue, because a chassis alarm is generated when the disk space gets low.

Workaround: Check the disk space on the NSP and check any disk alarms before saving NRP-2 configurations.

The compress-configuration option is not currently available for the NRP-2 platform. The configuration command service compress-config is currently ignored and configurations are saved uncompressed. There is no workaround.

The NSP disk-format operations to the PCMCIA disk in slot 1 might affect concurrent disk operations to the disk in slot 0.

Workaround: As the disk in slot 0 is used for storing NRP-2 system configuration, the user should not perform formatting operations on disk 1 while the NRP-2 uses disk 0.

The NRP-2 booting and configuration operations depend on the presence of the PCMCIA disk in slot 0 of the NSP. Removal of that disk during NRP-2 disk operations, including booting and the saving of configurations, may result in an unexpected reload of the NRP-2.

Workaround: Assure that no NRP-2 disk operations are in progress before removing the PCMCIA disk from slot 0 of the NSP.

The NRP-2 running configuration is saved on the NSP PCMCIA disk. If that disk is not present, the configuration cannot be saved. The current NRP-2 software does not warn the user if the configuration has not been saved correctly.

Workaround: Make sure that the PCMCIA disk is present on the NSP before saving the NRP-2 running configuration.

The total memory size displayed for the NRP-2 in response to the show version command is incorrect. Systems with 512 MB installed display the following memory size:

The second value, the installed I/O memory, is too large by 64MB. Systems with 256 MB installed also show an I/O memory value that is too large by 64MB. There is no workaround.

When an ATM subinterface is configured, it does not show up in the running configuration.

Workaround: Issue the show ip interface command or the show interface command to show the ATM subinterface.

Resetting the NRP-2 with the hw-module slot x reset NSP command while the NRP-2 has pending console output, causes bus error warning messages to appear on the NSP console and in the NSP error log. Although there is no workaround, the messages are simply a warning and are harmless.

When an NRP-2 receives traffic that exceeds the Maximum Transmission Unit (MTU) specified on that NRP-2, the virtual access (VA) interfaces counter displays incorrect values. After issuing the show controller <atm0/0/0> command, the counter for giant packets (rx_drop_giant) displays the incorrect values.

Workaround: Use the giant discard statistic counter (rx_giant_discard) in the show controller <atm0/0/0> command to adjust the number shown in the giant packets counter in the following manner:
total giants discarded = (rx_drop_giant) minus (rx_giant_discard/2)

When a PPPoE session (on an ATM subinterface) is up and the ATM subinterface is shut on the NRP-2 LAC, the following message is logged on the NRP-2 console:

This message is due to a timing-race condition in shutting down PVCs within the SAR driver. There is no workaround.

When a PPPoE session is up, the NRP-2 drops sweep ping packets with a size is greater than 4000 bytes. There is no workaround.

While bringing up 4000 L2TP sessions on an LNS, spurious memory reads might be generated and might cause an "ALIGN-3-SPURIOUS" error message. Although there are no known negative effects of this problem, there is no workaround.

Some sessions do not come up when the ATM interface of either the LAC or the LNS is flapped many times. The test configuration has 4000 PPPoA sessions and uses a ppp-keepalive interval value of 10.

Workaround: Increase the keepalive interval to 200 (as per the recommended scalability guidelines).

Intermediate System-to-Intermediate System (IS-IS) routing updates are not sent with "AAL5NLPID" encapsulation. IS-IS/Connectionless Network Service (CLNS) updates from other routers are not seen by the NRP-2, but the NRP-2 sends out the routing updates of it's own networks. There is no workaround.

An NRP-2 configured with a large number of PPP sessions may report a "%SYS-3-CPUHOG" error message when the clear counters command is issued at the router's prompt. There is no workaround.

The NRP-2 stops passing traffic on interface "ATM0/0/0" in Cisco IOS Release 12.1(4)DC1 or subsequent releases. Issuing the shut command followed by the no shut command on the "ATM0/0/0" interface temporarily solves the problem. Debugging the ATM error on the NRP-2 shows the following error message (date and time will differ):

In a configuration with auto negotiation enabled and using the Cisco 7505 router as Pagent generator, sending constant traffic through the GE interface to the NRP-2 at a speed of nearly 40 Kpps and with a packet size of about 1024 bytes, will cause the NRP-2 to stop receiving traffic from the Cisco 7505 router after about 10 minutes. The interface will recover after issuing a clear interface command or a shut command followed by a no shut command.

Workaround: Do not configure auto negotiation for the GE interface in the above-mentioned configuration.

With many ATM subinterfaces configured on a Cisco 6400, the ip verify unicast reverse-path command might incorrectly drop a fraction of incoming traffic. There is no workaround.

An unexpected reload might occur when a Cisco 6400 looses its Tag Distribution Protocol (TDP)-neighbor relationship with a neighboring router due to extremely high data loads. This unexpected reload has only occurred in lab testing when injecting a steady data stream that overruns the router's ability to process the data.

Workaround: Use the tag-switching tdp discovery hello hold <time> command to increase the TDP timeout on both routers so that TDP-neighbor loss is less likely to occur. To check the current parameters, use the show tag-switching tdp parameters command.

A Cisco 6400 running Cisco IOS Release 12.1(4)DC1 or subsequent releases is not able to prevent Telnet access to routers using an access list (ACL), because the access-class command which is used to tie the ACL to the virtual terminal (VTY) interfaces is ignored. There is no workaround.

After the configuration of range-PVC entries together with PVC entries on one subinterface, the configuration of the range-PVC entries is lost during a reboot of the NRP-2. There is no workaround.

Resolved Caveats—Release 12.1(5)DC

This section describes caveats that have been closed and resolved in Cisco IOS Release 12.1(5)DC. Caveats that were already closed and resolved in previous releases are not included in this section.

Caveats that Apply to Both the NRP-1 and NRP-2

After a long period of correct operation and with the Network Access Server port ID format "d" enabled, RADIUS authentication requests and accounting records associated with certain PVCs begin to carry incorrect information (mostly zeros).

A Border Gateway Protocol (BGP) UPDATE contains Network Layer Reachability Information (NLRI) and attributes that describe the path to the destination. Each path attribute is a type, length, value (TLV) object.

The type is a two-octet field that includes the attribute flags and the type code. The fourth high-order bit (bit 3) of the attribute flags is the Extended Length bit. It defines whether the attribute length is one octet (if set to 0) or two octets (if set to 1). The extended length bit is used only if the length of the attribute value is greater than 255 octets.

The AS_PATH (type code 2) is represented by a series of TLVs (or path segments). The path segment type indicates whether the content is an AS_SET or AS_SEQUENCE. The path segment length indicates the number of autonomous systems (ASes) in the segment. The path segment value contains the list of ASes (each AS is represented by two octets).

The total length of the attribute depends on the number of path segments and the number of ASes in them. For example, if the AS_PATH contains only an AS_SEQUENCE, then the maximum number of ASes (without having to use the extended length bit) is 126 [= (255-2)/2]. If the UPDATE is propagated across an AS boundary, then the local Abstract Syntax Notation (ASN) must be appended and the extended length bit used.

The caveat was caused by the mishandling of the operation during which the length of the attribute was truncated to only one octet. Because of the internal operation of the code, the receiving border router would not be affected, but its iBGP peers would detect the mismatch and issue a NOTIFICATION message (update malformed) to reset their session.

The average maximum AS_PATH length in the Internet is between 15 and 20 ASes, so there is no need to use the extended length. The failure was discovered because of a malfunction in the BGP implementation of another vendor. There is no workaround.

Traffic shaping configuration using the vbr-nrt <pcr> <scr> <input burst> under VC-class command cannot be removed by entering no vbr-nrt <pcr> <scr> <input burst>.

Workaround: Remove the entire VC-class, and re-enter the VC-class configuration without traffic shaping

Cisco IOS software contains a flaw that permits the successful prediction of TCP Initial Sequence Numbers.

This vulnerability is present in all released versions of Cisco IOS software running on Cisco routers and switches. It only affects the security of TCP connections that originate or terminate on the affected Cisco device itself; it does not apply to TCP traffic forwarded through the affected device in transit between two other hosts.

To remove the vulnerability, Cisco is offering free software upgrades for all affected platforms. The defect is described in DDTS record CSCds04747.

Workarounds are available that limit or deny successful exploitation of the vulnerability by filtering traffic containing forged IP source addresses at the perimeter of a network or directly on individual devices.

This notice will be posted at http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

The PPP authentication process might cause a memory leak. This is most likely to happen when the 6400 is terminating a large number of PPP sessions and there is a high level of PPP-authentication processing. There is no workaround.

In a configuration with CEF enabled and virtual access precloned, about 15% of the packets might be lost during the first minute of a PPPoE session. After one minute the problem disappears and everything works fine.

When a PPP client or SSD (when a user tries to log in to SSG using PPP or the web) sends an authentication request to SSG, SSG will treat the authentication request as a proxy and forwards it to a RADIUS server. If there is no reply from the RADIUS server, SSG will not resend the request to the RADIUS server. There is no workaround.

When using IP multicast, the NRP might report "CPUHOG" errors, referencing the PIM and IGMP processes. These errors indicate that the processes are not relinquishing the CPU often enough to allow other packet-handling processes to perform. In extreme cases, this can lead to severe degradation in performance. There is no workaround.

When using multiple RADIUS servers, failure or lack of performance of one of the servers can prevent SSG from using one of the other servers. There is no workaround.

Multiple Cisco IOS software and CatOS software releases contain several independent but related vulnerabilities involving the unexpected creation and exposure of SNMP community strings. These vulnerabilities can be exploited to permit the unauthorized viewing or modification of affected devices.

To remove the vulnerabilities, Cisco is offering free software upgrades for all affected platforms. The defects are documented in DDTS records CSCds32217, CSCds16384, CSCds19674, CSCdr59314, CSCdr61016, and CSCds49183.

In addition to specific workarounds for each vulnerability, affected systems can be protected by preventing SNMP access.

This notice will be posted at http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml.

CSCdr61016 was already resolved in Cisco IOS Release 12.1(4)DC and CSCds32217 was already resolved in Cisco IOS Release 12.1(4)DC2.

During configuration, the NRP might unexpectedly reload with the following error message:

This behavior might be due to a race condition in which a function might be called before its initialization. There is no workaround.

A configuration with PPPoA/SSG and NetMeeting may cause a red-zone violation and a reload on the NRP. There is no workaround.

An NRP that is running Cisco IOS Release 12.1(1)DC1 and that has 1900+ access interfaces and memory compression configured, experiences memory fragmentation: the largest block is about 45 KB and the free memory is 20 MB.

Workaround: Configure a free list size for the compression history block, using the memory free-list number command.

When the NRP is reloaded with a dead switch port, the NRP attempts to bring up the FE interface. The NRP reports the interface status as "reset with line down" instead of reporting the interface as down. There is no workaround.

The packets-out counter on the Virtual-Access interface of a Cisco 6400 LNS might be incorrect when the L2TP tunnel and the outgoing traffic use the same physical interface and CEF is enabled.

When using "dot1q" encapsulation on the Cisco 6400 and the native VLAN is VLAN 1, the communication between the devices stops.

If an ambiguous command (for example, config-if-atm-ran) is entered while in the PVC range configuration submode, a spurious memory traceback message will be displayed when the next command is entered. The traceback message is harmless.

Workaround: Do not enter incomplete commands while in the PVC range configuration submode.

This error is caused by process writing beyond the allocated memory. There is no workaround.

An NRP running Cisco IOS Release 12.1(3)DC1 or subsequent releases might reload due to malloc failures and might produce error messages such as the following ones:

This is due to a memory leak which ultimately results in exhaustion of the memory resource. As a result, some process(es) fail to acquire the needed memory and the system restarts. There is no workaround.

An NRP running Cisco IOS Release 12.1(3)DC might reload unexpectedly due to a bus error related to an Inverse ARP problem. There is no workaround.

An NRP might reload due to memory-allocation failures in the process and I/O memory. After malloc failures, the NRP eventually reloads, sometimes with redzone-violation errors and other times due to the watchdog timeout. There is no workaround.

After using the Belle application to modify the unspecified bit rate plus (UBR+) on VCs for a period of time, some VCs might pause indefinitely.

After an NRP running Cisco IOS Release 12.1(3)DC or Release 12.1(3)DC1 has reloaded unexpectedly, the boot date and time stamp and the uptime might not show correctly in the output of the show version command.

With NAT and Policy Based Routing (PBR) configured together on the NRP, fast switching does not work. There is no workaround.

When logging on and logging off consecutively with a different user name from the same host, SSG will reload. There is no workaround.

The AAA authentication process on an NRP that is running Cisco IOS Release 12.1(1)DC1 or subsequent releases with a PPPoA user, experiences a long delay: After the NRP receives the Challenge Handshake Authentication Protocol (CHAP) "response" message, it takes about one minute before the CHAP answers with a "success" message, while only link control protocol (LCP) keepalives are active during the process. There is no workaround.

In a PPP ATM configuration, when a remote ATM connection goes down for a period that exceeds the PPP idle-timeout value that was supplied by the AAA feature of the RADIUS server, a bus error might occur.

Workaround: Increase the PPP idle-timout value in the AAA feature or— if possible— minimize the time that the remote ATM connection is down.

An NRP might reload due to a software-forced crash related to Service Selection Gateway issues. There is no workaround.

The "vpn_select_tas" registry and related code is missing in Cisco IOS Release 12.1(3)DC1 and subsequent releases. There is no workaround.

SSG will check the RADIUS attribute length before accepting a RADIUS packet to ensure that a corrupted RADIUS packet will not affect the system.

The system generates a bus error when a user constantly logs on to or logs off from the PPP sessions. The problem is more likely to happen with a Windows 95 client machine. There is no workaround.

In a configuration that includes CEF and precloning of the virtual access, when making an initial PPPoE connection to the Cisco 6400, a packet loss of about 15 percent might occur. After one minute, the problem disappears and everything works fine.

Caveats that Apply to the NRP-1 Only

On an NRP-1, when adding or removing subinterfaces to or from the Fast Ethernet interface, the interface may go into a down or reset state. There is no workaround.

Caveats that Apply to the NRP-2 Only

When issuing a shutdown CLI command on an ATM interface with a large number (more than 1000) of VCs configured, the following "CPUHOG" message appears on the console output:

Although the operation is unlikely to be affected by this caveat, there is no workaround.

This caveat is closed in Cisco IOS Release 12.1(5)DC because it is caused by unusual conditions that will likely only exist under development tests.

Booting up an NRP-2 with a configuration that contains a large number of subinterfaces might cause the following (or very similar) "CPUHOG" message to appear on the console output:

Although the operation is unlikely to be affected by this caveat, there is no workaround.

When a write mem command is issued on the NRP-2, the configuration data is sent to the NSP for storage on the NSP disk. If this disk operation fails, the NSP will issue an error message; however, the NRP-2 itself will not indicate the failure on the console.

To ensure that the configuration data has been written to the NSP disk, the user can look at the time and date stamp for the configuration file on the NSP disk. Configuration data is stored in "disk0:/slotn/NRP2-startup-config", where "n" (in slotn) is the slot number of the NRP-2. A quick scan for error messages on the NSP console will also reveal any problems that might have occurred while writing the configuration to the NSP disk.

The contents of the current crashinfo file are not displayed as part of the output from the show stacks.

Workaround: View the current crashinfo file by using the more nsp_slot:nrp-crashinfo-data command of the NRP-2. The NRP-2 crashinfo files may also be viewed by looking in the appropriate slot directory on "disk0:" of the NSP.

Preexisting NRP-1 Hardware Caveats

This section describes possible unexpected behavior by earlier hardware versions of the NRP-1. To determine your NRP-1 part number (P/N), see the section "Determining Your NRP-1 Part Number" section.

•

CSCdk47837—NRP-1s reset when you reload or reset a nonredundant NSP in Slot 0A.

Symptom:
While the NSP is in Slot 0A of a single NSP system, the NRP-1s reset during NSP reloads or resets.

Workaround:
In a nonredundant system using an NSP of P/N 800-03785-03, place the NSP in Slot 0B.

•

CSCdk88262—NRP-1 ignores boot system command entries in the startup configuration.

Symptoms:
Regardless of any boot system global configuration command entries in the startup configuration, the NRP-1 boots the first image in Flash memory after a reset. This problem occurs after one of the following actions:

–

Two or more successive resets by using the hw-module EXEC command on the NSP.

Workaround:
To avoid this problem, make sure that the desired image is the first file on the Flash memory device. Complete the following steps in EXEC mode:

Enter delete flash:* to mark all files on the Flash memory device for deletion.

Use the copy flash: EXEC command to copy the desired image to the Flash memory device.

Use the dir flash: EXEC command to verify that the image file is the first file on the Flash memory device.

Recovery:
If you encounter the problem before implementing the workaround, reset the NRP-1 once by using the hw-module slot number reset EXEC command on the NSP. As long as the NSP sends a single reset to the NRP-1, the NRP-1 does not ignore the boot system global configuration command entries in the startup configuration.

Symptoms:
With or without redundancy configured, an NRP-1 inserted into a live system might reset the NRP-1 in the adjacent slot of the slot pair. NRP-1 slot pairs are slots 1-2, 3-4, 5-6, and 7-8.

–

If you are not using NRP-1 redundancy and your system contains four or fewer NRP-1s, place only one NRP-1 in each slot pair.

–

If this workaround is not feasible, replace your NRP-1(s) with P/N 800-03655-07 or higher.

Symptoms:
When the terminal server is configured such that hardware flow control is enabled on the port attached to the NRP-1 console, the NRP-1 console port does not respond.

Workaround:
Configure your terminal server to disable hardware flow control on the port attached to the NRP-1 console.

Affected Part Numbers:
800-03655-01, 800-03655-02, 800-03655-03, 800-03655-04, 800-03655-05, 800-03655-06, 800-03655-07, 800-03655-08

Symptom:
NSP reports unknown cardtype when the chassis is populated primarily with NRP-1s.

–

NRP-1-SSG is enabled and RFC 1483 IP Routed are used together with 1750 or more sessions.

–

ROMMON variable IOMEM is set to larger than 16 MB (By default, IOMEM = 36 MB)

–

Enable SSG but set the ROMMON variable IOMEM to 16 MB. Do not turn on traffic shaping.

When the SSG is enabled after an upgrade from Cisco IOS Release 12.0(3)DC or Release 12.0(5)DC to Release 12.0(7)DC or higher, the SSG transparent passthrough feature is no longer supported.

Workaround: To enable non-SSG connections to pass through the NRP-1, disable the SSG with the no ssg enable command.

The execution of the Show ip nat translation verbose may cause the 6400 NRP-1 to reload. Workaround: Set the terminal length to "term len 0" before executing the Show ip nat translation verbose.

Determining Your NRP-1 Part Number

To determine the NRP-1 part number, use one of the following methods with the information in Table 11:

•

If you are holding the board, look at the 800- part number label on the back of the NRP-1.

•

If you can only view the faceplate of the NRP-1, look at the CLEI code label.

•

Enter the show nrp privileged EXEC command to display the 73- part number.

The following example displays the show nrp command output for an NRP-1 with part number 73-3082-06:

CLEI Code	800- Part Number	73- Part Number
BAC5EEPDAA	800-03655-01	73-3082-03
BAC5EEPDAB	800-03655-02	73-3082-04
BAC5EEPDAC	800-03655-03	73-3082-05
BAC5EEPDAD	800-03655-04	73-3082-06
BAC5EEPDAE	800-03655-05	73-3082-07
BAC5EEPDAF	800-03655-06	73-3082-08
BAC7RUBCAA	800-03655-07	73-3082-09
BAC7RUBCAB	800-03655-08	73-3082-10
BAC7VUBCAA	800-03655-09	73-3082-11

Books	Major Topics
•Cisco IOS Configuration Fundamentals Configuration Guide •Cisco IOS Configuration Fundamentals Command Reference	Cisco IOS User Interfaces File Management System Management
•Cisco IOS Bridging and IBM Networking Configuration Guide •Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2 •Cisco IOS Bridging and IBM Networking Command Reference, Volume 2 of 2	Transparent Bridging SRB Token Ring Inter-Switch Link Token Ring Route Switch Module RSRB DLSw+ Serial Tunnel and Block Serial Tunnel LLC2 and SDLC IBM Network Media Translation SNA Frame Relay Access NCIA Client/Server Airline Product Set DSPU and SNA Service Point SNA Switching Services Cisco Transaction Connection Cisco Mainframe Channel Connection CLAW and TCP/IP Offload CSNA, CMPC, and CMPC+ TN3270 Server
•Cisco IOS Dial Technologies Configuration Guide •Cisco IOS Dial Technologies Command Reference	Preparing for Dial Access Modem and Dial Shelf Configuration and Management ISDN Configuration Signaling Configuration Dial-on-Demand Routing Configuration Dial Backup Configuration Dial Related Addressing Service Virtual Templates, Profiles, and Networks PPP Configuration Callback and Bandwidth Allocation Configuration Dial Access Specialized Features Dial Access Scenarios
•Cisco IOS Interface Configuration Guide •Cisco IOS Interface Command Reference	LAN Interfaces Serial Interfaces Logical Interfaces
•Cisco IOS IP Configuration Guide •Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services •Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols •Cisco IOS IP Command Reference, Volume 3 of 3: Multicast	IP Addressing and Services IP Routing Protocols IP Multicast
•Cisco IOS AppleTalk and Novell IPX Configuration Guide •Cisco IOS AppleTalk and Novell IPX Command Reference	AppleTalk Novell IPX
•Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide •Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Command Reference	Apollo Domain Banyan VINES DECnet ISO CLNS XNS
•Cisco IOS Voice, Video, and Fax Configuration Guide •Cisco IOS Voice, Video, and Fax Command Reference	Voice over IP Call Control Signaling Voice over Frame Relay Voice over ATM Telephony Applications Trunk Management Fax, Video, and Modem Support
•Cisco IOS Quality of Service Solutions Configuration Guide •Cisco IOS Quality of Service Solutions Command Reference	Packet Classification Congestion Management Congestion Avoidance Policing and Shaping Signaling Link Efficiency Mechanisms
•Cisco IOS Security Configuration Guide •Cisco IOS Security Command Reference	AAA Security Services Security Server Protocols Traffic Filtering and Firewalls IP Security and Encryption Passwords and Privileges Neighbor Router Authentication IP Security Options Supported AV Pairs
•Cisco IOS Switching Services Configuration Guide •Cisco IOS Switching Services Command Reference	Cisco IOS Switching Paths NetFlow Switching Multiprotocol Label Switching Multilayer Switching Multicast Distributed Switching Virtual LANs LAN Emulation
•Cisco IOS Wide-Area Networking Configuration Guide •Cisco IOS Wide-Area Networking Command Reference	ATM Broadband Access Frame Relay SMDS X.25 and LAPB
•Cisco IOS Mobile Wireless Configuration Guide •Cisco IOS Mobile Wireless Command Reference	General Packet Radio Service
•Cisco IOS Terminal Services Configuration Guide •Cisco IOS Terminal Services Command Reference	ARA LAT NASI Telnet TN3270 XRemote X.28 PAD Protocol Translation
•Cisco IOS Configuration Guide Master Index •Cisco IOS Command Reference Master Index •Cisco IOS Debug Command Reference •Cisco IOS Software System Error Messages •New Features in 12.1T-Based Limited Lifetime Releases •New Features in Release 12.1T •Release Notes (release note and caveat documentation for 12.1T-based releases and various platforms)

Table Of Contents