Application Hosting
CPU-Based Packet Generator
You can now use a CPU-based packet generator for IOS-XR routers to simplify the diagnostic process for routers experiencing problems. This tool allows you to generate a wide range of traffic streams directly within the production environment without physically isolating the routers and moving them to a lab setup. This tool is beneficial in environments that use routers from different vendors or different models from the same vendor.
The feature introduces the packetgen command with different options to generate different types of packets.
Cisco IOS XR Setup and Upgrade
Install Owner and Partner RPMs Using IOS XR Install Infrastructure
You can now use the existing IOS XR install infrastructure to install your proprietary Owner and Partner RPMs. This enhancement streamlines the process of integrating third-party software seamlessly into the IOS XR environment, including bundling the owner and partner RPMs into a GISO.
In previous releases, you could only install Owner and Partner applications using the Application Manager interface.
This feature introduces the keyword skip-implicit-owner-packages-checks in the following install commands:
- install package add
- install replace
- install replace reimage
Telemetry
Stream Telemetry Data for ASIC Error Statistics
You can now stream and monitor the telemetry data remotely on a gNMI interface, after subscribing to a sensor path. This data is gathered directly from the Network Processor Unit (NPU) driver at regular, predefined intervals for each block. This streaming enables real-time monitoring and analysis of router health and network performance, including error reporting and key metrics, allowing for rapid response to dynamic network conditions.
Previously, you needed to log into the router to check the ASIC statistics.
Stream Telemetry Data for LLDP Statistics
You can now oversee and diagnose your network infrastructure in real time by periodically streaming the Link Layer Discovery Protocol (LLDP) information of a router through a gRPC Network Management Interface (gNMI) client. By continuously monitoring LLDP data from a switch or router, you gain immediate insights into network topology and the attributes of devices on the network, facilitating proactive management and troubleshooting.
Programmability
NETCONF Version 1.0 with YANG Support
You can now monitor and manage a larger number of network devices, ensuring comprehensive oversight and control over your network infrastructure with NETCONF-YANG version 1.0. This enhancement is possible because our system has increased the support for NETCONF YANG sessions from 50 to 128.
SPIFFE ID-Based Authentication and Authorization Services for gRPC Services
You can now ensure secure communication between microservices in modern distributed systems, especially in cloud-native environments, by leveraging SPIFFE-based authentication and authorization for your gRPC services.
The feature allows you to establish trust between the client and the server, verify client identity, and determine access permissions.
This feature introduces the following changes:
CLI:
- aaa map-to username
YANG Data Models:
- Cisco-IOS-XR-um-aaa-task-user-cfg.yang
- Cisco-IOS-XR-aaa-locald-cfg.yang
(see GitHub, YANG Data Models Navigator)
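The following added example (not Cisco code, and not a reproduction of how the router implements aaa map-to username) shows the two checks a gRPC server makes before a SPIFFE-identified client is treated as a local user: the SPIFFE ID presented in the client certificate is validated against the SPIFFE ID format, and only identities from a trusted domain with an explicit mapping are accepted. The trust-domain set and the identity-to-username table are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Trust domains this server accepts identities from (constructed sample).
TRUSTED_DOMAINS = {"example.org"}

# Constructed sample table mapping a client's SPIFFE ID to a local username.
# It illustrates identity-to-username mapping only; it does not reproduce the
# router's own 'aaa map-to username' semantics (assumption).
USER_MAP = {
    "spiffe://example.org/ns/netops/sa/telemetry-collector": "telemetry",
    "spiffe://example.org/ns/netops/sa/config-pusher": "netadmin",
}

_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_spiffe_id(spiffe_id):
    """Validate a SPIFFE ID and return (trust_domain, path).

    Raises ValueError when the ID violates the SPIFFE ID format: wrong scheme,
    userinfo/port/query/fragment present, bad trust-domain characters, or
    empty / dot-only path segments.
    """
    parts = urlparse(spiffe_id)
    if parts.scheme != "spiffe":
        raise ValueError("scheme must be 'spiffe'")
    if "@" in parts.netloc or ":" in parts.netloc:
        raise ValueError("userinfo and port are not allowed in a SPIFFE ID")
    if parts.query or parts.fragment or parts.params:
        raise ValueError("query, fragment and params are not allowed")
    trust_domain = parts.netloc
    if not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError(f"invalid trust domain {trust_domain!r}")
    path = parts.path
    if path:
        if not path.startswith("/"):
            raise ValueError("path must be absolute")
        for seg in path[1:].split("/"):
            if seg in ("", ".", "..") or not _PATH_SEGMENT_RE.match(seg):
                raise ValueError(f"invalid path segment {seg!r}")
    return trust_domain, path


def map_to_username(spiffe_id):
    """Return the local username for a client identity, or None when the
    identity is malformed, comes from an untrusted domain, or has no mapping."""
    try:
        trust_domain, _ = parse_spiffe_id(spiffe_id)
    except ValueError:
        return None
    if trust_domain not in TRUSTED_DOMAINS:
        return None
    return USER_MAP.get(spiffe_id)
```

Rejecting malformed IDs before the lookup matters: a path segment such as `..` or an embedded `@` is exactly the kind of input that lets a loosely validated identity string match a mapping it should not.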
gNMI Union Replace Operation
You can now update your router's entire configuration in one go to ensure that the actual settings of your network operating system align with the intended setup. The update includes OpenConfig (OC), Native YANG (NY), and CLI configurations and is done using the gRPC Network Management Interface (gNMI). The update is possible with the gNMI union-replace operation in a gNMI SetRequest RPC message, which supports mixing of the configuration schemas. The supported schema combinations are:
- OpenConfig (OC) and CLI
- OC and native YANG (NY)
To view the specification of gNMI union-replace, see the GitHub repository.
gNMI XPath-Based Authorization
We’ve introduced gNMI authorization through the gNSI pathz policy, which adds authorization of a user or a group to access a specified YANG XPath through gNMI. The policy can be configured on the router either when the router boots up or dynamically while the router is up and running. When a user or a group sends a gNMI SetRequest message using a certain XPath, the system validates the request against the permissions specified in the policies associated with that user or group.
To view the specification of gNSI for the OpenConfig XPath-based Authorization, see the GitHub repository.
The feature introduces these changes:
CLI:
- show gnsi path authorization policy
- show gnsi path authorization counters
- show gnsi trace pathz
- show gnsi path authorization statistics
- show tech-support gnsi
- clear gnsi path authorization counters
gNOI Packet Link Qualification
You can now check and assess the reliability of the link speed and packet drops between two network devices (the generator and the reflector) by performing the gNOI packet-based link qualification service.
This is achieved by sending packets from the generator to the reflector and receiving the looped-back packets from the reflector within a certain tolerance limit.
The link transmission rate and the link's capacity range for that interface can be obtained from the following gNOI Packet Link Qualification RPC messages:
- Capabilities: minimum and maximum rate of the transmission link
- Get: expected rate and actual rate of link transmission
gNSI Credentialz Update
To improve communication confidentiality and security, you can now update or rotate account-specific and host-specific SSH credentials on a router. You can access the latest SSH credentials through the gNSI credentialz RPC. The updated SSH credentials encompass passwords, host keys, and certificates.
To view the specification of gNSI credentialz RPCs and messages, see the GitHub repository.
Routing
Bidirectional Forwarding Detection over VXLAN Tunnel
You can now monitor the health of a VXLAN tunnel and rapidly detect failures in the tunnel, which ensures faster rerouting of traffic and results in high availability of networks.
Multi-area Loopback Interface for OSPF
You can save IP addresses and resources, prevent the use of multiple node SIDs for labels associated with loopback interfaces, and save time configuring multiple loopback interfaces for an Area Border Router (ABR) in a network. These improvements are possible as you can now configure a single loopback interface for multiple areas. With this feature, an ABR can use a single loopback interface for all areas it connects to, eliminating the need for separate loopback interfaces for each area.
Previously, each loopback interface was linked to only one area.
The feature introduces these changes:
CLI:
The multi-area-interface command is extended to support loopback interfaces.
Policy-Based Routing
You can now create customised routing policies based on different parameters such as IP address, port numbers, or protocols. With Policy-Based Routing (PBR), you can enhance your network security by steering sensitive data away from potentially vulnerable network segments. Also, by allowing you to distribute traffic across multiple paths, PBR can help prevent traffic congestion in your network.
Protect IS-IS Processes in OOR Conditions
This feature enables prompt alerts for out-of-resource (OOR) conditions in IS-IS processes that could otherwise cause network instability and disruption due to memory leaks and excessive link-state packets (LSPs). In addition, you can disable the setting of the overload bit in the router's LSP, but this isn't recommended without consulting Cisco.
This ability to protect IS-IS processes in OOR conditions is enabled by default and you can't disable it.
Previously, during OOR conditions, IS-IS processes restarted themselves, but the OOR conditions could persist.
The feature introduces these changes:
CLI:
- The feature introduces fields that indicate the memory state of the IS-IS protocol in the show isis protocol command.
- The oor-set-overload-bit disable command.
YANG Data Model:
- New XPaths for Cisco-IOS-XR-clns-isis-cfg
- Cisco-IOS-XR-um-router-isis-cfg
(see GitHub, YANG Data Models Navigator)
Segment Routing
Data Plane Validation for SR-MPLS IPv6-based Controller Instantiated LSPs
You can now verify the network configuration and the paths and policies that are set up for SR-MPLS (Segment Routing over Multiprotocol Label Switching) IPv6-based Label Switched Paths (LSPs), without interrupting or potentially disrupting live network traffic. With this feature, you can validate controller-instantiated LSPs programmed directly into the forwarding hardware.
Previously, SR data plane validation was possible over IPv4-based LSPs.
The feature introduces these changes:
CLI:
- The dataplane-only keyword is introduced in the traceroute sr-mpls and ping sr-mpls commands.
YANG Data Models:
- Cisco-IOS-XR-mpls-traceroute-act.yang
- Cisco-IOS-XR-mpls-ping-act.yang
(see GitHub, YANG Data Models Navigator)
Delay Measurement for IP Endpoint over SRv6 Network
In Segment Routing over an IPv6 network (SRv6), you can measure packet delay from the source to a specific IP endpoint. You can use this information for troubleshooting, network maintenance, and optimizing network performance.
Additionally, you can use flow labels to verify the delay of each subsequent hop path towards the IP endpoint of that path. As a result, when network traffic is distributed across multiple available paths towards an IP endpoint, delay measurement tracks the delay of each of these paths towards the IP endpoint.
The feature introduces these changes:
CLI:
- The source-address ipv6 keyword is introduced in the performance-measurement endpoint command.
- The segment-list name keyword is introduced in the segment-routing traffic-eng explicit command.
- The flow-label keyword is introduced in the performance-measurement delay-profile name command.
YANG Data Model:
- Cisco-IOS-XR-um-performance-measurement-cfg
- Cisco-IOS-XR-perf-meas-oper.yang
(see GitHub, YANG Data Models Navigator)
Liveness Monitoring for IP Endpoint over SRv6 Network
In Segment Routing over an IPv6 network (SRv6), you can keep track of the operational status of both the forward and reverse paths of a particular node or IP endpoint. You can use this information for troubleshooting, network maintenance, and optimizing network performance.
Additionally, you can use flow labels to verify the liveness of each subsequent hop path toward the IP endpoint of that path. As a result, when network traffic is distributed across multiple available paths towards an IP endpoint, liveness detection tracks the operational status of each of these paths towards the IP endpoint.
The feature introduces these changes:
CLI:
- The reverse-path and segment-list name keywords are introduced in the segment-routing traffic-eng explicit command.
- The source-address ipv6 keyword is introduced in the performance-measurement endpoint command.
YANG Data Model:
- Cisco-IOS-XR-um-performance-measurement-cfg
- Cisco-IOS-XR-perf-meas-oper.yang
(see GitHub, YANG Data Models Navigator)
MPLS OAM support for SR-TE Policies using MPLS IPv6-based LSPs
You can now verify the network configuration and the paths and SR-TE policies that are set up for SR-MPLS (Segment Routing over Multiprotocol Label Switching) IPv6-based Label Switched Paths (LSPs), without interrupting or potentially disrupting live network traffic.
Previously, MPLS OAM support was only for IPv4-based LSPs.
The feature introduces these changes:
CLI:
- The traceroute sr-mpls and ping sr-mpls commands are extended to support IPv6 nexthop addresses.
YANG Data Models:
- Cisco-IOS-XR-mpls-traceroute-act.yang
- Cisco-IOS-XR-mpls-ping-act.yang
(see GitHub, YANG Data Models Navigator)
Overriding MPLS Imposition (IP-to-MPLS) via Service Layer API (SL-API)
In scenarios where SR-prefer is enabled, this feature allows you to specify SR prefixes through an Access Control List where their imposition forwarding entry (IP-to-MPLS) gives preference to SL-API, instead of the SR native LSP.
The labeled forwarding entries (MPLS-to-MPLS or MPLS-to-IP) continue to follow the SR native LSP.
This feature introduces the following command under Router RIB AF configuration mode:
segment-routing mpls preserve-label-forwarding access-list acl_name [apply-inverse]
User-Defined Generic Metric Support for IS-IS Flex Algo
This feature adds support for user-defined generic metric as a metric type for IS-IS Flexible Algorithm.
You can now have more control over traffic flows using user-defined generic metrics. You can define a family of user-defined generic metrics that can advertise different types of administrative metrics such as jitter, reliability, and fiscal cost depending on the traffic class for Flexible Algorithms. You can selectively define and assign semantics of these metrics as per the network requirement.
The feature introduces the following changes:
CLI:
- The feature introduces the generic-metric flex-algo and metric-type generic commands.
YANG Data Models:
- Cisco-IOS-XR-um-router-isis-cfg.yang
BGP
Advertising IPv4 NLRI with IPv6 Next Hops in the non-default VRF
This feature enhances network efficiency and security by allowing you to create default and non-default virtual routing tables. These tables isolate traffic through customized routing policies, allowing for the communication of IPv4 address family over IPv6 next hops specifically within non-default VRFs.
BGP Fast Fallover
You can now terminate the external BGP sessions to an adjacent peer when the link to that peer goes down, without waiting for the hold timer to expire. With this feature, you can enable the fast fallover mechanism on a specific BGP neighbor even if the bgp fast-external-fallover disable command is globally configured.
This feature enables quicker failure detection, and allows other recovery mechanisms to reroute the traffic quickly, thus resulting in faster convergence.
The feature introduces these changes:
CLI:
- fast-fallover
YANG Data Model:
- Cisco-IOS-XR-um-router-bgp-cfg.yang
(see GitHub, YANG Data Models Navigator)
Steering of BGP Control-Plane Traffic over IP Path
You can now steer the BGP control-plane traffic through an IP-only transport path even when MPLS Label Switched Paths (LSPs) are configured for BGP neighbor reachability.
This feature allows you to keep the BGP control-plane traffic independent of the data plane traffic, enabling you to have more granular control over your network traffic.
The feature introduces these changes:
CLI:
New Commands:
- table ip-only activate vrf
- tcp ip-only-preferred
Modified Commands:
- The distribute-list command is modified with a new ip-only keyword.
YANG Data Models: New XPaths for
- Cisco-IOS-XR-clns-isis-cfg.yang
- Cisco-IOS-XR-ipv4-bgp-cfg.yang
- Cisco-IOS-XR-ip-rib-cfg.yang
- Cisco-IOS-XR-um-router-bgp-cfg.yang
- Cisco-IOS-XR-um-router-isis-cfg.yang
(see GitHub, YANG Data Models Navigator)
Interface and Hardware Component
Default Carrier Delay Value on Physical Interfaces
We have introduced the carrier-delay up default value to ensure enough time to establish a stable hardware link state. If you haven’t configured the timer, the default carrier delay automatically delays the hardware link-up notifications by 200 ms.
Previously, we recommended that you set the carrier delay-up timer to 10 ms.
If you want to change the delay of the interface state change notification, you can use the carrier-delay command to set a different value.
Mirroring Buffer Drop Packets
The SPAN to File and ERSPAN mirroring capability is enhanced to mirror packets dropped by the Traffic Management (TM) buffer when it is full and starts dropping incoming packets. This capability allows you to retain and store a mirrored copy of the dropped packets, and it works effectively even during process restarts or network failovers, providing a dependable solution for traffic monitoring.
This feature is supported only on Cisco Silicon One P100- and Q200-based routers.
This feature introduces the following changes:
- CLI: drops
- YANG Data Model: New XPath for Cisco-IOS-XR-Ethernet-SPAN-cfg.yang
(see GitHub, YANG Data Models Navigator)
Monitoring Layer 3 Connectivity Using Down MEP on L3 Interfaces
This enhancement expands network diagnostics to L3 interfaces at L2 network termination, simplifying the management and maintenance of multilayer networks. Without impacting the underlying L2 infrastructure, this feature uses CFM packets to verify the connection of L3 paths.
Previously, CFM Down MEP support was limited to L2 interfaces associated with cross-connect or bundle members.
This feature is supported on physical main interfaces and subinterfaces, and on bundle main interfaces and subinterfaces.
Untagged L2 Subinterface
You can now use untagged L2 subinterfaces to effectively manage and process traffic from customer edge (CE) devices that do not employ VLAN tagging. This capability allows you to apply services to untagged packets, which would not have been possible if the packets were to be logically received on the main interface. As a result, you can now push a dot1q or other supported Layer 2 encapsulation on the received frame.
This feature introduces the encapsulation untagged command.
User-Defined Fields for ECMP Hashing
We ensure that in cases where multiple paths are used to carry packets from source to destination, each path is utilized for this purpose and no path is over-utilized or congested. This is made possible because we now provide customized ECMP hashing fields that are used for path computation.
Previously, the router relied on fixed packet header fields for hashing, which were not user configurable. With additional user-defined bytes considered for hashing, the granularity at which the traffic can be analyzed for ECMP load balancing increases, resulting in better load balancing and path utilization.
The feature introduces these changes:
CLI:
- cef load-balancing fields user-data
- The show cef exact-route command is modified with a new user-data keyword.
- The show cef ipv4 exact-route command is modified with a new user-data keyword.
- The show cef ipv6 exact-route command is modified with a new user-data keyword.
YANG:
- New XPath for Cisco-IOS-XR-8000-fib-platform-cfg.yang
(see GitHub, YANG Data Models Navigator).
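The added example below (not Cisco code, and not the NPU's hash function or its field definitions) shows why extra user-defined bytes change ECMP behaviour: sixteen constructed packets share one outer IPv4/UDP 5-tuple, as encapsulated inner flows do, so a hash over the fixed header fields alone puts all of them on one path, while a key that also includes four bytes taken from the payload at a configurable offset spreads them across paths. CRC-32 stands in for the hardware hash, and the offset-based definition of the user-data field is an assumption made for the illustration.

```python
import struct
import zlib
from ipaddress import IPv4Address

N_PATHS = 4  # number of equal-cost paths in the constructed example


def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP packet (checksums left zero) used as sample input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + udp


def fixed_fields(pkt):
    """The conventional hash key: source/destination IP, protocol, L4 ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9:10]
    ports = pkt[ihl:ihl + 4]          # source and destination port
    return pkt[12:20] + proto + ports  # src IP (4) + dst IP (4) + proto (1) + ports (4)


def user_data(pkt, offset, length):
    """User-defined bytes: `length` bytes at `offset` into the UDP payload
    (assumed model of a user-configurable field, not the NPU's own definition)."""
    ihl = (pkt[0] & 0x0F) * 4
    payload = pkt[ihl + 8:]  # skip the 8-byte UDP header
    return payload[offset:offset + length]


def ecmp_bucket(pkt, n_paths=N_PATHS, ud_offset=None, ud_length=0):
    """Pick a path index from a CRC-32 of the key (CRC stands in for the hardware hash)."""
    key = fixed_fields(pkt)
    if ud_offset is not None:
        key += user_data(pkt, ud_offset, ud_length)
    return zlib.crc32(key) % n_paths


def sample_packets():
    """16 constructed packets that share one outer 5-tuple, as encapsulated
    inner flows do, and differ only in the fourth payload byte."""
    return [build_packet("10.0.0.1", "10.0.0.2", 40000, 9000,
                         bytes([0x08, 0x00, 0x00, i]) + b"\x00" * 12)
            for i in range(16)]


def path_usage(packets, **kwargs):
    """Map each path index to the number of packets hashed onto it."""
    usage = {}
    for pkt in packets:
        bucket = ecmp_bucket(pkt, **kwargs)
        usage[bucket] = usage.get(bucket, 0) + 1
    return usage


if __name__ == "__main__":
    pkts = sample_packets()
    print("fixed fields only:", path_usage(pkts))
    print("with 4 user-data bytes:", path_usage(pkts, ud_offset=0, ud_length=4))
```

The operational caveat follows from the code: the user-data bytes must sit at a stable offset in every packet of a flow, otherwise packets of one flow hash to different paths and arrive out of order.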
IP Addresses and Services
HSRP over Physical interfaces and Bundle interfaces
This feature provides first-hop redundancy and enables failover to a standby interface within a group of physical or bundle interfaces or sub-interfaces in a network in the event of any failure in the active interface or sub-interface in that group.
The feature allows you to configure HSRP for IPv4 and IPv6 networks on the physical and bundle interfaces and sub-interfaces.
IPv4 and IPv6 ACLs in Layer 2
You can now configure both IPv4 and IPv6 ACLs on Layer 2 interfaces. This functionality is supported on the physical and bundle main Layer 2 interfaces, enabling Layer 3 ACLs on them. With this feature, you can implement traffic filtering at Layer 2, effectively preventing undesired traffic from progressing deeper into the network, for example by using an IPv6 ACL as an IPv6 router advertisement (RA) guard.
Previously, IPv6 and IPv4 ACLs weren’t supported on Layer 2 interfaces.
Internal VRF based Forwarding
We have now enhanced forwarding capabilities in VRFs, allowing internal VRFs (iVRF) to redirect incoming packets to a different destination using GRE tunneling. This functionality can be used to examine packets that do not match the predefined access control entries. Instead of discarding these packets by default, we can use a forwarding match ACE to send them to a VRF that can forward them using GRE tunnels. This allows for a more thorough inspection of these discarded packets, helping to identify any hidden threats or attacks in the contents and improving network security.
TCP Dump File Converter
You can now convert an entire TCP dump of packet traces in binary files into readable formats such as text or cap, which makes it easier to analyze them for troubleshooting using third-party or open-source tools. This feature saves time and effort by preventing the need to examine each packet for failure.
This feature introduces the tcp dump-file convert command.
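To show what the binary-to-text conversion involves, here is an added example that is not Cisco code and is not the tcp dump-file convert implementation: a small parser for the classic pcap container (global header, per-record headers, both byte orders and both microsecond and nanosecond timestamp variants) that decodes Ethernet/IPv4/TCP/UDP endpoints into one text line per packet and fails loudly on a truncated file rather than returning partial data. The two-packet capture is constructed inline.

```python
import struct
from ipaddress import IPv4Address

# pcap magic numbers, read as big-endian: (struct byte order, timestamp ticks per second)
_MAGIC = {
    0xA1B2C3D4: ("!", 1_000_000),      # big-endian, microsecond timestamps
    0xD4C3B2A1: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xA1B23C4D: ("!", 1_000_000_000),  # big-endian, nanosecond timestamps
    0x4D3CB2A1: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Parse a classic pcap file. Returns (linktype, [(timestamp, orig_len, bytes), ...]).

    Raises ValueError on a bad magic number or a truncated header/record."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("!I", data[:4])[0]
    if magic not in _MAGIC:
        raise ValueError(f"not a pcap file (magic {magic:#010x})")
    order, ticks = _MAGIC[magic]
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        records.append((ts_sec + ts_frac / ticks, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def summarize(linktype, pkt):
    """One-line summary of a frame: IPv4/TCP/UDP endpoints when decodable, else hex."""
    if linktype == LINKTYPE_ETHERNET and len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[14 + 9]
        src = IPv4Address(pkt[14 + 12:14 + 16])
        dst = IPv4Address(pkt[14 + 16:14 + 20])
        l4 = pkt[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            name = "TCP" if proto == 6 else "UDP"
            return f"{name} {src}:{sport} -> {dst}:{dport}"
        return f"IPv4 proto {proto} {src} -> {dst}"
    return "raw " + pkt[:16].hex()


def pcap_to_text(data):
    """Convert a pcap byte string into readable lines, one per packet."""
    linktype, records = parse_pcap(data)
    return [f"{i + 1} {ts:.6f} len={orig} {summarize(linktype, pkt)}"
            for i, (ts, orig, pkt) in enumerate(records)]


def _frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame for the sample file (checksums left zero)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def sample_pcap():
    """Constructed two-packet pcap (big-endian, microsecond) standing in for a dump file."""
    header = struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [(1700000000, 500000, _frame("10.0.0.1", "10.0.0.2", 1234, 179)),
              (1700000001, 0, _frame("10.0.0.2", "10.0.0.1", 179, 1234))]
    body = b"".join(struct.pack("!IIII", s, f, len(p), len(p)) + p for s, f, p in frames)
    return header + body


if __name__ == "__main__":
    for line in pcap_to_text(sample_pcap()):
        print(line)
```

The parser trusts the length fields only after bounds-checking them against the file, which is the check that matters when a capture was cut short by a process restart or a full disk.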
VRRP over Physical interfaces and Bundle interfaces
This feature ensures high availability of routing paths by mitigating any failure in the primary interfaces within a group of physical or bundle interfaces or sub-interfaces in a network with a failover to a backup physical or bundle interface.
The feature achieves this failover through a backup router in the VRRP router group configured on the physical or bundle interfaces or sub-interfaces. The virtual IP addresses from the failed primary router are handed over to this backup router.
L2VPN
G.8032 Ethernet Ring Protection Switching
Ethernet Ring Protection Switching (ERPS) protocol, defined in ITU-T G.8032, provides protection for Ethernet traffic in a ring topology, while ensuring that there are no loops within the ring at the Ethernet layer. The loops are prevented by blocking either a predetermined link or a failed link.
This feature introduces the ethernet ring g8032 and ethernet ring g8032 profile commands.
Withdraw Dynamic MAC Addresses Between Peer PE Routers
We now prevent packet drops between peer routers when the attachment circuit (AC) of a PE router goes down, by withdrawing all dynamic MAC addresses from that PE router. When the AC goes down, the PE routers remove or unlearn the MAC addresses learned from the peer routers, that do not need to be relearned. This enables faster convergence when the AC comes up.
EVPN
BUM Ingress Replication for EVPN E-LAN on P100-based line cards
You can now optimize the BUM traffic to prevent flooding of BUM traffic on routers with P100-based line cards.
CFM on EVPN
You can now proactively monitor connectivity and verify faults and isolate them for EVPN services. This is because Ethernet Connectivity Fault Management (CFM) is now available for EVPN and provides end-to-end service level OAM (Operations, Administration, and Maintenance) for EVPN services.
This feature is supported only on routers with Q200 and P100 based line cards.
Core Isolation by Interface Tracking on P100-based line cards
You can now isolate the core from the network to prevent a customer site from advertising its routes to other sites, on routers with P100-based line cards.
Detect and Block Duplicate MAC Addresses on P100-based line cards
You can now detect and freeze duplicate MAC addresses, and block all associated routes on routers with P100-based line cards.
EVPN Core Isolation through Peer Failure Detection on P100-based line cards
You can now isolate the provider edge (PE) device from the network when there is a core link failure, on routers with P100-based line cards.
EVPN Cost-Out
The cost-out node brings down the bundle interfaces on the PE to prepare the node for reload or software upgrade. By costing out a node, the traffic is steered away from the PE without any traffic disruption. This allows you to manage the network traffic effectively while reloading or upgrading a node.
This feature is supported only on routers with P100-based line cards.
EVPN Designated Forwarder Election
Designated Forwarder (DF) election enables the access network to control EVPN PE devices by defining the backup path much before the event of a link failure. During the link failure, the PE node is aware of the next PE that will take over the active role and this reduces the traffic loss.
DF election supports preference-based and access-driven mechanism.
This feature is supported only on routers with P100-based line cards.
EVPN E-LAN L2 Gateway Single-Homing on P100-based line cards
EVPN single-homing is now supported on routers with P100-based line cards.
EVPN E-LAN Single-Flow-Active Multi-Homing
This feature introduces EVPN E-LAN single-flow-active multi-homing load balancing mode to connect PE devices in an access network that run Layer 2 access gateway protocols. In this mode, only the PE that first advertises the host MAC address in a VLAN forwards the traffic in a specific flow. When the primary link fails, the traffic quickly switches to the standby PE that learns the MAC address from the originated path, thereby providing fast convergence.
The feature introduces the load-balancing-mode command with the single-flow-active keyword.
EVPN E-Tree (Scenario 1a)
We now support EVPN E-Tree with route-targets (RT) constraints using two RTs per EVI on routers with P100-based line cards.
EVPN E-Tree (Scenario 2)
We now enable a PE device to have both root and leaf sites for a given EVI, which increases the granularity of leaf designation from the entire bridge to AC bridge ports; ACs under a bridge may be root or leaf.
This feature is supported on routers with P100-based line cards.
EVPN MPLS Multi-Homing
EVPN multi-homing enables you to connect a customer edge (CE) device to two or more provider edge (PE) devices to provide redundant connectivity.
When the primary link fails, the standby PE device becomes active immediately, ensuring no traffic disruption and providing faster convergence.
This feature is supported only on routers with P100-based line cards.
EVPN Multiple Services per Ethernet Segment
You can configure EVPN to run multiple services on a single Ethernet Segment (ES), which enables the efficient use of network resources. While the services run on the same physical hardware resource, each service can be associated with a different EVPN instance and separated from each other. This allows traffic segregation, which enables users to employ their own traffic management configurations.
This feature is supported only on routers with Q200 and P100 based line cards.
EVPN Seamless Integration with Legacy VPWS on Q200 and P100 line cards
The seamless migration of VPWS to EVPN-VPWS services on PE nodes is now supported on routers with Q200 and P100 based line cards.
Ethernet VPN Virtual Private Wire Service on Q200 and P100 line cards
The EVPN VPWS or E-Line service is now supported on routers with Q200 and P100 based line cards.
MAC Mobility for EVPN E-LAN on P100-based line cards
You can now ensure uninterrupted communication for devices by seamlessly moving MAC addresses between network devices or locations on routers with P100-based line cards.
Seamless Migration of VPLS Network to EVPN Network on P100-based line cards
The seamless VPLS-to-EVPN migration is now supported on routers with P100-based line cards.
Split-Horizon Groups for EVPN E-LAN on P100-based line cards
You can now configure split-horizon group to prevent unnecessary BUM traffic flooding and conserve bandwidth on routers with P100-based line cards.
VRF Leaking for EVPN E-LAN on P100-based line cards
We now allow seamless intercommunication between different VRF instances, which enables controlled inter-VRF communication and resource-sharing on routers with P100-based line cards.
Virtual Ethernet Segment
A Virtual Ethernet Segment (VES) allows a Customer Edge (CE) device to connect to an EVPN service over an MPLS network, which can be used for redundancy and load balancing.
This feature is supported only on routers with P100-based line cards.
L3VPN
VXLAN Static Routing
You can now configure the source and destination virtual tunnel endpoints (VTEPs) for a particular traffic flow. This is particularly useful where your data center is connected to an enterprise network, so that multiple servers in the data center provide cloud services to your customers and the enterprise edge router. These endpoints help provide rapid convergence in case of failure. In addition, using the UDP header in the VXLAN packet, VXLAN static routing (also called unicast VXLAN) facilitates network balancing by preventing the transmission of replicated packets.
Alternatively, you can use Service Layer API for faster provisioning of VXLAN static routing.
This feature is supported only on the following PIDs:
- 8202-32FH-M
- 8101-32H
- 8201-32FH
This feature introduces these changes:
CLI:
- host-reachability protocol static
- overlay-encapsulation
- hw-module profile cef vxlan ipv6-tnl-scale
YANG Data Model: (see GitHub, YANG Data Models Navigator)
- Cisco-IOS-XR-tunnel-nve-cfg
- Cisco-IOS-XR-ip-static-cfg
MPLS
Conditional Label Advertisement in Label-Switched Path Networks
You can now enhance your network's stability and performance with the streamlined label management. This can be achieved by configuring LDP to advertise labels to peers only when at least one labeled path is available for a prefix.
Previously, LDP would advertise local labels to peers even if all next-hop paths for a specific Forwarding Equivalence Class (FEC) had no labels.
This release has the following changes:
CLI:
- Introduced a new keyword unlabelled-all in the show mpls ldp forwarding command.
- conditional minimum-one-labelled-nexthop
Modular QoS
Enhanced Running Configuration Display for Policy Maps and Class Maps
Now, you can view each class map or policy map running configuration instance on a separate line.
The feature modifies the output display of this command:
CLI: show run formal
Global Statistics Counters for Priority Flow Control and Priority Flow Control Watchdog
You can now view statistics for Priority Flow Control (PFC) and PFC Watchdog for all interfaces in a consolidated, compact, tabular, and easy-to-read format.
We’ve also made the display of these global statistics faster by ensuring data is collected from all line cards for their interfaces and cumulatively sent to the local statistics infrastructure from where the show commands collect the data.
Previously, you could view statistics only per interface for PFC and PFC Watchdog, wherein the show commands get the data from each interface.
This feature modifies the following command:
- show controllers
Set IP Marking for SRv6 Encapsulation
With support for IP marking of encapsulated SRv6 packets, there are some important updates to the QoS behavior.
This is an explicit packet marking feature that applies only to ingress QoS policies.
CLI: This feature introduces the set ip encapsulation command.
Set VXLAN Outer IP Header DSCP Value to 0
When a PE device transports IP traffic over a VXLAN tunnel that originates on the device, it automatically sets the DSCP value in the VXLAN outer IP header to 0 (CS0).
Traffic Class Queue High Water Marks Monitoring
Introduced in this release on Cisco 8000 Series Routers with Cisco Silicon One Q200 network processors. The Cisco 8608 router is not currently supported.
This feature monitors egress interface traffic class queues and records the queue occupancy and queue delay high water marks information for each traffic class. This information includes the virtual output queue that experienced the high water mark and a timestamp indicating when the high water mark was recorded.
You can use this data to identify network bottlenecks and prevent traffic congestion.
This feature introduces these changes:
Configuration CLI:
- hw-module profile qos high-water-marks
EXEC commands:
- show controllers npu qos high-water-marks
- clear controller npu qos high-water-marks
YANG Data Models:
- cisco-IOS-XR-ofa-npu-qos-oper.yang
- cisco-IOS-XR-ofa-npu-qos-act.yang
- cisco-IOS-XR-um-8000-hw-module-profile-cfg.yang
- cisco-IOS-XR-npu-hw-profile-cfg.yang
View Traffic Class Queue Pause Duration
Introduced in this release on Cisco 8000 Series Routers with Cisco Silicon One Q200 network processors that support the PFC buffer-extended mode function.
For traffic flows between routers, you can view the pause duration of output and input queues in the transmitting and receiving routers, respectively.
The pause duration values of the impacted traffic class queues are displayed for regular intervals within a specified time duration.
With the information, you can view the extent of congestion on PFC-enabled interfaces over a period of time and identify whether traffic congestion is due to small bursts of traffic or other causes.
The feature introduces these changes:
CLI:
- show controllers npu packet-memory interface
YANG Data Models:
- Cisco-IOS-XR-platforms-ofa-oper (see GitHub, YANG Data Models Navigator)
View VOQs Evicted to HBM
The newly introduced command displays the virtual output queues (VOQs) that are evicted to the High Bandwidth Memory (HBM) and the VOQs’ HBM buffer usage details. You can use this information whilst monitoring and debugging congestion scenarios.
This feature introduces the show controllers npu voq in-extended-memory instance command.
This feature modifies the Cisco-IOS-XR-8000-platforms-npu-evict-voq-buff-oper.yang data model (see GitHub, YANG Data Models Navigator).
Virtual Output Queue Watchdog
This feature ensures the continuous movement of traffic queues, which is crucial for enforcing QoS policies, even when a hardware issue disrupts a Virtual Output Queue (VOQ) and impedes the flow of traffic. If the router detects a stuck queue on a line card, it shuts down the line card; if it detects a stuck queue on a fabric card, it triggers a hard reset of the NPU. A queue is considered stuck only when there is no transmission for one minute.
The feature is disabled by default and can be enabled using the hw-module voq-watchdog feature enable command.
The feature is supported only on Cisco 8000 Series Routers (Modular) with Cisco Silicon One Q100 or Q200 ASICs.
The feature introduces these changes:
CLI:
- hw-module voq-watchdog feature enable
- hw-module voq-watchdog cardshut disable
Multicast
Draft-Rosen Multicast VPN (Profile 0)
Draft-Rosen (profile 0) is a widely used MVPN model that uses GRE tunnels to securely transmit multicast traffic between the PE routers. It also eases deployment by using the Protocol-Independent Multicast (PIM) protocol between edge routers (PE) and hosts (CE), and between PE routers that are running in VRF mode.
Protection-based MoFRR
We have made fault detection and convergence faster for multicast routes, ensuring multicast data, such as IPTV feeds, is delivered with minimum interruptions.
This is made possible because we enable the use of a Protection Global Identifier (GID) for Multicast-Only Fast Reroute (MoFRR), which allows the router to quickly identify and switch to a backup or secondary path when a failure is detected on the primary path.
This feature introduces the following changes:
CLI:
- The protect keyword is introduced in the mofrr command.
YANG Data Model:
- New XPaths for Cisco-IOS-XR-ipv4-pim-cfg.yang (see GitHub, YANG Data Models Navigator)
NetFlow and sFlow
Monitor GTP-U Traffic in 5G Network
You now get a comprehensive view of your 5G network's performance and gain detailed insights into slice utilization, deployed QoS policies, and their impact on traffic. This includes verifying deployed QoS policies, assessing 5G slice mechanisms, and tracking GTP-U endpoints for specific applications. This feature specifically applies to 5G network slicing when the GTP User Plane carries data within the core network and to the radio access network. This is achieved by exporting GTP-U related Information Elements using Netflow and IPFIX records to collectors for analysis.
This feature introduces these changes:
CLI:
- The gtp keyword is introduced in the record ipv4 and record ipv6 commands.
System Security
Lawful Intercept
You can now enable Lawful Intercept (LI) by installing and activating the LI package. LI enables service providers to perform surveillance on an individual (or target) as authorized by a judicial or administrative order and to share the intercepted communications with law enforcement agencies.
This feature is supported on Cisco 8800 series routers that have the 88-LC1-36EH line card installed.
RADIUS with DTLS Protection
You can now secure communication for RADIUS packets by using Datagram Transport Layer Security (DTLS) as the transport layer for the RADIUS protocol. The RADIUS protocol continues to operate over UDP but now benefits from the added security provided by DTLS. Utilizing DTLS enables the manual distribution of long-term proof of peer identity through TLS-PSK cipher suites and the option to use X509 certificates in a PKI infrastructure.
In the absence of DTLS, RADIUS packets may be subject to potential security vulnerabilities, including data exposure, replay attacks, weak authentication, and encryption vulnerabilities, especially when transmitted across untrusted networks.
The feature introduces these changes:
CLI:
- The keyword dtls-server is introduced in the radius-server host command.
YANG Data Models:
- New XPath for Cisco-IOS-XR-um-aaa-cfg.yang
- New XPath for Cisco-IOS-XR-aaa-lib-cfg.yang
(see GitHub, YANG Data Models Navigator)
System Management
Fabric Link Management for Un-correctable Errors
This feature allows you to monitor noisy fabric links. The forward error correction (FEC) technique is used to determine the link quality.
The Cisco IOS XR router does not add the link to the data plane if the link is noisy at inception (during bring-up).
If the link becomes noisy after bring-up, the fabric link is reset and retuned. If this event recurs five times within an hour, the fabric link is shut down permanently. After link up, the polling interval for link errors is 10 minutes.
This feature introduces the hw-module fabric-fec-monitor disable command.
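The bring-up and post-bring-up policy described above (noisy at inception: never added; noisy later: reset and retune, permanent shutdown on the fifth event within an hour, 10-minute polling), modelled as an added example. This is not Cisco's code: the class, method names, return strings and the polling samples are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Thresholds taken from the feature description above.
WINDOW_SECONDS = 3600          # "five times within an hour"
MAX_NOISY_EVENTS = 5           # fifth event inside the window -> permanent shutdown
POLL_INTERVAL_SECONDS = 600    # link-error polling every 10 minutes after link up


@dataclass
class FabricLinkMonitor:
    """Hypothetical model of the documented fabric-link FEC policy (not Cisco code)."""
    in_data_plane: bool = False
    permanently_down: bool = False
    noisy_events: deque = field(default_factory=deque)  # timestamps of reset/retune events

    def bring_up(self, noisy_at_inception: bool) -> str:
        # A link that is already noisy during bring-up never joins the data plane.
        self.in_data_plane = not noisy_at_inception
        return "up" if self.in_data_plane else "not-added"

    def poll(self, now: float, uncorrectable_errors: int) -> str:
        """One polling sample, taken every POLL_INTERVAL_SECONDS after link up."""
        if self.permanently_down:
            return "shutdown"
        if not self.in_data_plane or uncorrectable_errors == 0:
            return "healthy"
        # Only events inside the trailing one-hour window count toward the limit.
        while self.noisy_events and now - self.noisy_events[0] >= WINDOW_SECONDS:
            self.noisy_events.popleft()
        self.noisy_events.append(now)
        if len(self.noisy_events) >= MAX_NOISY_EVENTS:
            self.permanently_down = True
            self.in_data_plane = False
            return "shutdown"
        return "reset-retune"


def run_polls(monitor: FabricLinkMonitor, error_counts: list[int]) -> list[str]:
    """Feed consecutive polling samples (one per interval) and return the action taken each time."""
    return [monitor.poll(i * POLL_INTERVAL_SECONDS, errors)
            for i, errors in enumerate(error_counts)]


if __name__ == "__main__":
    # Constructed sample: noise on every poll for 40 minutes, so the fifth event shuts the link down.
    link = FabricLinkMonitor()
    link.bring_up(noisy_at_inception=False)
    print(run_polls(link, [3, 1, 2, 5, 1, 0]))
```

Feeding the model with the timestamps of observed reset events shows whether a flapping link is still inside the reset-and-retune budget or about to be shut down permanently.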
Fault Recovery Handling
You can now configure the number of fault recovery attempts by a line card, fabric card or a route processor before it permanently shuts down, thus preventing a faulty card from entering into a cycle of automatic recovery.
This feature introduces the following change:
CLI:
- hw-module fault-recovery
YANG Data Model:
- New XPaths for Cisco-IOS-XR-hw-module-cfg.yang (see GitHub, YANG Data Models Navigator)
Increasing Commit Limit
The maximum number of commits in the router is increased, so you can configure complex topology changes without the interruptions caused by the default blocking of commits during rebase or ASCII backup operations. You can prevent the commit operation from being blocked by using the cfs check command, which increases the commit (pacount) count from 20 to 40 and the commit file diff size (configuration data) from 2 MB to 4 MB, and by using the clear configuration ascii inconsistency command, which performs an ASCII backup after 55 minutes.
The feature modifies the following commands:
- cfs check
- clear configuration ascii inconsistency
View VRF-specific Configuration
You can now filter the configuration associated with a specific VRF using the show running-configuration filter vrf command. Earlier, the show running-configuration command displayed configuration under a specific keyword only, which might not include all configuration related to the object.
CLI:
- show running-configuration filter vrf
System Monitoring
Collect Comprehensive Tech-Support Information
You can now collect a comprehensive list of troubleshooting data and restore network operations quickly in case of a network disruption. This release allows you to collect more tech-support data than you could in previous releases by executing the show tech-support custom command.
Fabric Link Keepalive Monitoring
This feature allows you to monitor and identify the fabric links that are down due to failure to receive keep-alive messages.
If a fabric link doesn't receive the keep-alive message, the Cisco IOS XR software performs a port-reset action and tries to activate the fabric link. This feature is enabled by default. You also have the option to disable the maximum port-reset threshold value of five, which causes the link to flap again, but we recommend that you avoid using this command unless you have evaluated its impact on your traffic flow.
This feature introduces the hw-module fabric-tsmon-port-reset disable command, which disables the maximum port-reset threshold value.
Inbuilt Traffic Generator for Network Diagnostics
By introducing an inbuilt traffic generator in the Network Processing Unit (NPU) of line cards (LCs) of distributed systems and route processors (RPs) of fixed routers, we've ensured that the traffic generator is always available for network diagnostics. You also don't face compatibility issues because the traffic generator is inbuilt and easy to maintain. Previously, connecting an external traffic generator was necessary to inject packets to test networks.
This feature introduces these changes:
CLI:
- diagnostic packet-generator create
- diagnostic packet-generator start
- diagnostic packet-generator stop
- diagnostic packet-generator delete
- show diagnostic packet-generator status
Monitor Data Plane Health
You can now easily detect fabric memory corruption and packet loss by checking the health of data plane components including fabric and NPUs on a distributed system using our on-demand diagnostic utility.
This functionality introduces the following commands:
- monitor dataplane-health
- show dataplane-health status
Online Diagnostics for NPU Slices and Fabric cards
You can now use the online diagnostics functionality to test the health of fabric cards and all the slices in an NPU. This feature can help you detect fabric-level and slice-level failures.
Supporting Custom Profile show tech command
We have simplified the process to collect technical support information for traffic, control-plane, and system by consolidating multiple commands for each of these parameters under the following options:
- traffic - Generates tech-support information related to network traffic.
- control-plane - Generates tech-support information related to the control plane.
- system - Generates tech-support information related to the system (router).
This release adds the keywords traffic, control-plane, and system to the show tech-support custom command.
System Log Facility and Source-address per Remote Server
You can now assign a facility type per remote syslog server, which the router uses to calculate the priority value of the syslog messages sent. You can also configure the source address to choose the interface to send remote syslog packets per remote server.
The feature introduces these changes:
Modified Command:
CLI:
- The keywords facility and source-address per remote syslog server are introduced in the logging command.
YANG Data Models:
- New XPaths for openconfig-system-logging.yang (see GitHub, YANG Data Models Navigator)
Traffic Statistics with Packet Drop Location
This feature saves debugging time when locating packet drops: the router runs the relevant commands in the background, automatically detects nonzero traffic drops, and reports the exact location of the packet drop.
In earlier releases, you used multiple show commands with their respective locations to detect packet drops.
This feature introduces the show drops all command.
Low Voltage Threshold Value Alarms Disabled
From this release onwards, the router does not raise a minor alarm when a voltage sensor goes below the lower threshold value, which saves the memory space that the alarm logs would otherwise have consumed. The router now generates alarms only when voltage sensors cross the critical threshold value.