Product Bulletin No. 393294
Last Updated: October 2008
This Product Bulletin introduces Cisco IOS® Software Release 12.2SR and includes the following sections:
1) Cisco IOS Software Release 12.2SR Introduction
2) Release 12.2(33)SRD Highlights
3) Release 12.2(33)SRC Highlights
4) Release 12.2(33)SRB Highlights
5) Release 12.2SR Additional Information
1) Cisco IOS Software Release 12.2SR Introduction
Cisco IOS Software Release 12.2S is designed for Service Provider edge and Enterprise campus networks that require world-class IP and Multiprotocol Label Switching (MPLS) services.
Release 12.2SR is the premier Cisco IOS Software for delivering industry-leading Carrier Ethernet, Broadband Aggregation and Subscriber Services, and MPLS Provider Edge functionality for next generation Service Provider edge, Enterprise MAN/WAN, and Federal networks that run the Cisco 7600 Series Routers, Cisco 7200 Series Routers, and the Cisco 7301 Router. Releases 12.2(33)SRD, 12.2(33)SRC, and 12.2(33)SRB are available from Cisco.com.
Release 12.2(33)SRD, the latest customer release of Release 12.2SR, delivers over 75 new Cisco IOS Software features and powerful new hardware support for the Cisco 7600 Series Routers. Release 12.2(33)SRD also provides support for the Cisco 7200 Series Routers, the Cisco 7201 Router, and the Cisco 7301 Router.
Release 12.2(33)SRC, the third release of Release 12.2SR, supports the Cisco 7200 Series Routers, the Cisco 7201 Router, the Cisco 7301 Router, and the Cisco 7600 Series Routers. Release 12.2(33)SRB, the second release of Release 12.2SR, is specific to the Cisco 7600 Series Routers.
Not all features may be supported on all platforms. Use Cisco Feature Navigator to find information about platform support and Cisco IOS Software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com.
2) Release 12.2(33)SRD Feature Highlights
The following sections include Release 12.2(33)SRD hardware and software feature highlights.
Like all 12.2SR releases, Release 12.2(33)SRD integrates Cisco IOS Software innovations that span multiple technology areas, including Carrier Ethernet Flexible Infrastructure, Manageability, and Quality of Service. It also features further improvements in the areas of Resiliency, Subscriber Aware Ethernet, Mobility, and Layer 2 functionality.
The 12.2(33)SRD Release also includes support for the Cisco 7600 Ethernet Services Plus (ES+) Series line cards that will be released in Q1 CY2009. The 7600-ES+ series of line cards enables 40G-per-slot performance for video, voice, data, and mobility services.
Table 1. Release 12.2(33)SRD Highlights
2.1) Hardware
2.2) Carrier Ethernet Flexible Infrastructure
2.3) Carrier Ethernet Manageability
2.4) Carrier Ethernet Quality of Service
Cisco 7600 Series - Ethernet Services Plus 40G Line Cards*
SPA-8X1FE-TX-V2 & SPA-4X1FE-TX-V2 Support on Cisco 7600-SIP-400
Cisco 7200 Series Routers, Cisco 7201 Router, and Cisco 7301 Router Support
Service Instance (EVC) on Portchannel for Cisco 7600 40G Ethernet Services Plus Line Cards
Broadcast Storm Control on Switchports and Ports with Service Instances (EVCs)
DHCP Snooping on Service Instance (EVC)
Uni-Directional Link Detection on Service Instance (EVC)
Dual Rate Three Color ingress policer on Service Instances
IP SLAs Metro-Ethernet 2.0 (EVC)
Bandwidth Remaining Ratio Support
L2 Access Control List on Service Instance (EVC)
2.5) Resiliency
2.6) Subscriber Aware Ethernet
2.7) Mobile
2.8) L2 Enhancements
MST on Service Instance (EVC) Bridge Domain
NSF/SSO - E-LMI support
NSF/SSO - 802.3ah OAM support
NSF/SSO - CFM Support
Asymmetric Carrier Delay
SAE: DHCP - Relay Option 82 encapsulation
SAE: Authentication - DHCP Option 60 Support and VPN-ID Support
SAE: RSVP support for IP Sessions
IMA Core Facing Support
Port Mode Cell Relay Support
ISG Support on SAMI Blade
L2VPN Routed Mode Interworking: Ethernet/VLAN to ATM/FR/PPP on Cisco 7600
L2TPv3 - Layer-2 Tunneling Protocol Version 3 on Cisco Ethernet Services Plus Line Cards
Bridging using RFC1483 Routed Encapsulation (BRE) on 7600-SIP-400
Mini Protocol Analyzer using SPAN
* Ethernet Services Plus 40G Line cards will be available in Q1 CY2009
2.1) Hardware
2.1.1) Cisco 7600 Series Ethernet Services Plus 40G Line Cards
The Cisco® 7600 Series Ethernet Services Plus 40 Gbps (ES+40) Line Cards utilize an extensible design that enables service prioritization for voice, video, data, and wireless mobility services. Service Provider and Enterprise customers benefit from the improved economics, density, advanced Carrier Ethernet features, and the high performance of the ES+40 fixed-configuration line cards. With the same architecture and features, the Cisco 7600 Series Ethernet Services Plus 20 Gbps (ES+20) Line Cards are designed for networks with lower interface density requirements. In the following sections, the ES+40 and ES+20 Line Cards will be referred to as the ES+ series.
The ES+ series programmable interface processors protect network investments and reduce total cost of ownership. The design maximizes connectivity options and offers superior service intelligence through programmable interface processors operating at line rate. The family of Cisco 7600 ES+ series Line Cards is shown in Figure 1.
Figure 1. Cisco 7600 ES+ Series Line Cards: 4-port 10GE and 40-port GE; 2-port 10GE and 20-port GE
Benefits
• Higher density, greater scalability
– Offers up to 40G density per slot
– 256K queues (128K ingress and 128K egress)
– Available with DFC3C or DFC3CXL
• Line rate with services enabled
– Provides line rate forwarding performance on GE and 10GE interfaces with services enabled.
• Cisco Service Instance (EVC) Support
– ES+ supports Cisco Service Instance (EVC) to enable flexible UNI
• 10GE and GE port options
– Offers 4x10GE, 40xGE, 2x10GE, and 20xGE options
• DWDM and CWDM optics support
– ES+ line cards support DWDM and CWDM optics, which should reduce operational costs
2.1.2) SPA-8X1FE-TX-V2 & SPA-4X1FE-TX-V2 Support on Cisco 7600-SIP-400
The Cisco 4- and 8-port Fast Ethernet SPAs version 2 are now available on the Cisco 7600-SIP-400, offering the benefits of network scalability with lower initial costs and easy upgrades. The Cisco SPA/SIP portfolio continues the company's focus on investment protection along with consistent feature support, broad interface availability, and the latest technology. The Cisco SPA/SIP portfolio allows deployment of different interfaces (packet over SONET/SDH [POS], ATM, Ethernet, etc.) on the same interface processor.
Fast Ethernet interfaces are commonly used to interconnect routers or other devices within a central office or data center or in a metropolitan-area network (MAN). With Cisco Fast Ethernet SPAs, users can mix and match SPA ports with other types of interfaces in the same slot. Each SPA provides standards-based Fast Ethernet implementation for compatibility and interoperability. The 8-port SPA is shown below in Figure 2.
The Cisco Fast Ethernet SPAs can be used in any combination of the following applications:
• Residential triple-play services
• Metro Ethernet services
• Converged residential and business services
• Internet peering
• Inter- and intra-point of presence (POP) aggregation
Figure 2. Cisco 8-Port 10BASE-T/100BASE-TX Fast Ethernet SPA
Benefits
• Member of the Cisco SIP/SPA portfolio
– Allows mixing and matching with other compatible port adaptors
– Provides improved slot economics when increasing density to reduce capital expenditures (CapEx)
• Expands interface breadth on the 7600-SIP-400
– Adds Fast Ethernet interface to the 7600-SIP-400
2.1.3) Cisco 7200 Series Routers, Cisco 7201 Router, and Cisco 7301 Router Support
Cisco IOS Software Release 12.2(33)SRD includes support for the Cisco 7200 Series Routers and Cisco 7301 Router. Release 12.2(33)SRD also includes support for the Cisco 7201 Router, the latest generation of the Cisco 7200 Series Family.
Within the Cisco IOS Software Release 12.2S family, the migration path for new features on the Cisco 7200 Series Routers and Cisco 7301 Router is from Release 12.2SB to Release 12.2SR. Release 12.2(31)SB2 is the last Release 12.2SB release to include support for the Cisco 7200 Series Routers and Cisco 7301 Router.
Cisco 7200 Series Routers
The industry's most widely deployed universal services aggregation router for enterprise and service provider edge applications, the Cisco 7200 Series offers (See Figure 3):
• Exceptional price/performance - The NPE-G2 Network Processing Engine aggregates services at up to 2 Mpps
• A wide range of connectivity options and numerous features including serviceability and manageability
• Increased VPN performance with VPN Services Adapter
• Increased scalability and flexibility with the Port Adapter Jacket Card
Figure 3. Cisco 7200 Series Routers
Cisco 7201 Router
The Cisco 7201 Router is the latest generation of the Cisco 7200 Series Family. It is a compact, high performance Single Rack Unit (RU) router that uses the latest Cisco 7200VXR Network Processing Engine NPE-G2 coupled with a comprehensive range of interface options. (See Figure 4.)
Figure 4. Cisco 7201 Router
The Cisco 7201 Router addresses the demand for the same performance enhancements and Cisco IOS Software features as the latest Cisco 7200VXR NPE-G2, but in a smaller form factor and with low power consumption. The Cisco 7201 provides four built-in Gigabit Ethernet ports and one Port Adapter (PA) slot, which make it ideal for a variety of Service Provider and Enterprise applications. It also offers redundant and field-replaceable AC and DC power supplies.
Cisco 7301 Router
The Cisco 7300 Series is optimized for flexible, feature-rich IP/MPLS services at the customer network edge, where service providers and enterprises link together. (See Figure 5.) With 3 built-in Gigabit Ethernet interfaces (copper or optical) and a single slot for any Cisco 7000 Series port adapter, the Cisco 7301 is highly flexible for a variety of applications. Additionally, for broadband aggregation, the Cisco 7301 supports up to 16,000 subscriber sessions, making it ideal for pay-as-you-grow broadband deployment models.
With its combination of scalable performance, compact architecture, high density, and low price per port, the Cisco 7301 is ideally suited for a variety of key applications within both the Service Provider and Enterprise markets.
2.2.1) Service Instance (EVC) on Portchannel for Cisco 7600 40G Ethernet Services Plus Line Cards
802.3ad, or port-channel, has become a requirement for many Cisco 7600 customers. The predominant application for this feature is the aggregation of U-PE nodes or access nodes that don't have 10 Gbps interfaces but require more than 1 Gbps as an uplink. This translates to support on the Cisco 7600 for UNI-facing link bundles (EtherChannels).
This particular feature allows for the bundling of EVC service instances into an 802.3ad bundle on the Ethernet Services Plus line cards.
Benefits
There are two main reasons for implementing 802.3ad bundles:
1. Increased bandwidth between nodes
2. Increased redundancy, because each link is protected by the other member link(s) in the bundle
2.2.2) Broadcast Storm Control on Switchports and Ports with Service Instances (EVCs)
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast or multicast traffic storm on physical interfaces. Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a 1-second traffic storm control interval and, during the interval, compares the traffic level with the traffic storm control level that you configure. The traffic storm control level is a percentage of the total available bandwidth of the port. Each port has a single traffic storm control level that is used for all types of traffic (broadcast, multicast).
Traffic storm control monitors the level of each traffic type for which you enable traffic storm control in 1-second traffic storm control intervals. Within an interval, when the ingress traffic for which traffic storm control is enabled reaches the traffic storm control level that is configured on the port, traffic storm control drops the traffic until the traffic storm control interval ends.
The following are examples of traffic storm control behavior:
• If you enable broadcast traffic storm control, and broadcast traffic exceeds the level within a 1-second traffic storm control interval, traffic storm control drops all broadcast traffic until the end of the traffic storm control interval.
• If you enable broadcast and multicast traffic storm control, and the combined broadcast and multicast traffic exceeds the level within a 1-second traffic storm control interval, traffic storm control drops all broadcast and multicast traffic until the end of the traffic storm control interval.
• If you enable broadcast and multicast traffic storm control, and broadcast traffic exceeds the level within a 1-second traffic storm control interval, traffic storm control drops all broadcast and multicast traffic until the end of the traffic storm control interval.
• If you enable broadcast and multicast traffic storm control, and multicast traffic exceeds the level within a 1-second traffic storm control interval, traffic storm control drops all broadcast and multicast traffic until the end of the traffic storm control interval.
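The interval behaviour described above, as an added example (a Python model, not Cisco's implementation): one port with broadcast and multicast storm control enabled, fed constructed traffic so that a combined storm in the first interval and a pure broadcast storm in the second both suppress multicast. The port speed, level, frame sizes, and the choice to still forward the frame that reaches the level are assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass

INTERVAL_S = 1.0   # the 1-second traffic storm control interval

@dataclass
class StormControl:
    port_bps: float          # port bandwidth in bits per second
    level_pct: float         # the single per-port level, as a percentage of port bandwidth
    enabled: frozenset       # traffic types being monitored, e.g. {"broadcast", "multicast"}
    interval_start: float = 0.0
    bytes_seen: int = 0      # bytes of all enabled types seen so far in this interval
    suppressing: bool = False

    def threshold_bytes(self) -> float:
        # the level is a share of what the port can carry in one interval
        return self.port_bps * self.level_pct / 100.0 * INTERVAL_S / 8.0

    def offer(self, t: float, kind: str, length: int) -> bool:
        """True if the frame arriving at time t is forwarded, False if storm control drops it."""
        if t >= self.interval_start + INTERVAL_S:
            # a new interval: the byte count and the suppression state start over
            self.interval_start = math.floor(t / INTERVAL_S) * INTERVAL_S
            self.bytes_seen, self.suppressing = 0, False
        if kind not in self.enabled:
            return True                  # unicast, or a type that is not monitored, is never dropped
        if self.suppressing:
            return False                 # every enabled type is dropped until the interval ends
        self.bytes_seen += length        # enabled types are counted together against one level
        if self.bytes_seen >= self.threshold_bytes():
            # assumption: the frame that reaches the level is still forwarded; later ones are not
            self.suppressing = True
        return True

def simulate(sc: StormControl, frames):
    """Feed (time, kind, length) tuples through sc; return (forwarded, dropped) frame counts per kind."""
    forwarded, dropped = Counter(), Counter()
    for t, kind, length in frames:
        target = forwarded if sc.offer(t, kind, length) else dropped
        target[kind] += 1
    return forwarded, dropped

def constructed_scenario():
    """Constructed traffic on a 1 Gbps port at level 1% (1,250,000 bytes per interval), 1000-byte frames."""
    frames = []
    # interval 0: 700 broadcast then 600 multicast frames; combined they reach the level at frame 1250
    frames += [(i * 0.0005, "broadcast", 1000) for i in range(700)]
    frames += [(0.4 + i * 0.0005, "multicast", 1000) for i in range(600)]
    # interval 1: unicast is never counted; a broadcast storm alone also takes multicast down with it
    frames += [(1.0 + i * 0.0005, "unicast", 1000) for i in range(100)]
    frames += [(1.1 + i * 0.0005, "broadcast", 1000) for i in range(1300)]
    frames += [(1.9 + i * 0.0005, "multicast", 1000) for i in range(10)]
    sc = StormControl(port_bps=1e9, level_pct=1.0, enabled=frozenset({"broadcast", "multicast"}))
    return simulate(sc, frames)
```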
Benefits
This feature adds support for broadcast storm control on switch-ports and on ports with Service Instances on Ethernet Services and Ethernet Services Plus Line Cards.
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
• Validates DHCP messages received from untrusted sources and filters out invalid messages.
• Rate-limits DHCP traffic from trusted and untrusted sources.
• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
• Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
Other security features, such as dynamic ARP inspection (DAI) and IP Source Guard, also use information stored in the DHCP snooping binding database. DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
The DHCP snooping feature is implemented in software on the route processor. Therefore, all DHCP messages for enabled VLANs are intercepted in the PFC and redirected to the route processor for processing.
Benefits
This feature addresses the support of DHCP snooping with service instances.
2.2.4) Uni-Directional Link Detection on Service Instances (EVCs)
UDLD is a Layer 2 protocol that works with Layer 1 mechanisms to determine the physical status of a link. At Layer 1, auto-negotiation takes care of physical signaling and fault detection. UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports. When you enable both auto-negotiation and UDLD, Layer 1 and 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.
Benefits
This feature extends the benefits of UDLD to a port that has a service instance configured underneath it.
IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host. Any IP traffic coming into the interface with a source IP address other than that assigned (via DHCP or static configuration) will be filtered out on the untrusted Layer 2 ports.
The IP Source Guard feature is enabled in combination with the DHCP snooping feature on untrusted Layer 2 interfaces. It builds and maintains an IP source binding table that is learned by DHCP snooping or manually configured (static IP source bindings). An entry in the IP source binding table contains the IP address and the associated MAC and VLAN numbers.
Benefits
This feature extends the IP Source Guard benefits to a service instance on Ethernet Services Plus Line Cards.
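The DHCP snooping activities listed above and the IP Source Guard filtering that builds on the same binding database, as one added Python example (not Cisco's implementation): an untrusted host port cannot answer as a DHCP server, a lease is learned only when the real server's ACK matches a request seen on a host port, and IP traffic on a guarded port must match a learned or static binding. The port names, MAC addresses, VLAN and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

class DhcpSnooping:
    """Per-VLAN snooping: drop server replies from untrusted ports, check that the DHCP client
    hardware address matches the frame source, and learn (MAC, IP, VLAN, port) bindings."""
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, enabled_vlans, trusted_ports):
        self.enabled_vlans = set(enabled_vlans)
        self.trusted_ports = set(trusted_ports)
        self.bindings = {}   # (mac, vlan) -> Binding learned from completed DHCP exchanges
        self.pending = {}    # (mac, vlan) -> untrusted port that sent the DISCOVER/REQUEST

    def handle(self, msg):
        """msg: dict with port, vlan, src_mac, op, chaddr and, for ACK, yiaddr. Returns 'forward' or 'drop'."""
        if msg["vlan"] not in self.enabled_vlans:
            return "forward"                        # snooping is inactive on this VLAN
        key = (msg["chaddr"], msg["vlan"])
        if msg["port"] in self.trusted_ports:       # toward the real DHCP server
            if msg["op"] == "ACK" and key in self.pending:
                self.bindings[key] = Binding(msg["chaddr"], msg["yiaddr"], msg["vlan"], self.pending.pop(key))
            return "forward"
        if msg["op"] in self.SERVER_MSGS:
            return "drop"                           # rogue server reply on a host port
        if msg["src_mac"] != msg["chaddr"]:
            return "drop"                           # spoofed client hardware address
        if msg["op"] == "RELEASE":
            b = self.bindings.get(key)
            if b is None or b.port != msg["port"]:
                return "drop"                       # release for a lease this port never obtained
            del self.bindings[key]
            return "forward"
        self.pending[key] = msg["port"]             # DISCOVER/REQUEST: remember where the client lives
        return "forward"

class IpSourceGuard:
    """Filter IP traffic on untrusted ports against the snooping database and static bindings."""
    def __init__(self, snooping, guarded_ports, static_bindings=()):
        self.snooping = snooping
        self.guarded_ports = set(guarded_ports)
        self.static = set(static_bindings)

    def permit(self, port, vlan, src_mac, src_ip):
        if port not in self.guarded_ports or src_ip == "0.0.0.0":
            return True                             # unguarded port, or a DHCP client still obtaining a lease
        b = self.snooping.bindings.get((src_mac, vlan))
        if b is not None and b.port == port and b.ip == src_ip:
            return True
        return Binding(src_mac, src_ip, vlan, port) in self.static

def constructed_scenario():
    """Constructed exchange on VLAN 100: host A on Gi1/1 leases 10.0.0.5; host B on Gi1/2 misbehaves."""
    a, b, srv = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:ff"
    snoop = DhcpSnooping(enabled_vlans={100}, trusted_ports={"Gi1/48"})
    ipsg = IpSourceGuard(snoop, guarded_ports={"Gi1/1", "Gi1/2"},
                         static_bindings=[Binding("00:00:5e:00:53:03", "10.0.0.9", 100, "Gi1/2")])
    r = {}
    r["discover"] = snoop.handle(dict(port="Gi1/1", vlan=100, src_mac=a, op="DISCOVER", chaddr=a))
    r["rogue_offer"] = snoop.handle(dict(port="Gi1/2", vlan=100, src_mac=b, op="OFFER", chaddr=a))
    r["ack"] = snoop.handle(dict(port="Gi1/48", vlan=100, src_mac=srv, op="ACK", chaddr=a, yiaddr="10.0.0.5"))
    r["a_permitted"] = ipsg.permit("Gi1/1", 100, a, "10.0.0.5")
    r["b_spoofing_a"] = ipsg.permit("Gi1/2", 100, b, "10.0.0.5")      # B borrows A's address: filtered
    r["b_static"] = ipsg.permit("Gi1/2", 100, "00:00:5e:00:53:03", "10.0.0.9")
    r["forged_release"] = snoop.handle(dict(port="Gi1/2", vlan=100, src_mac=a, op="RELEASE", chaddr=a))
    r["a_still_permitted"] = ipsg.permit("Gi1/1", 100, a, "10.0.0.5")
    return r
```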
Currently, the default ethertype for the Q-in-Q outer tag on a Cisco 7600 is 0x8100. However, a few non-Cisco vendors use ethertype 0x9100 or 0x9200 for the Q-in-Q outer tag. For the Cisco 7600 router to interoperate seamlessly with other vendors, a mechanism to change the default ethertype is required.
Moreover, ethertype 0x88A8 must be supported for the provider bridges defined by IEEE 802.1ad. The custom ethertype feature solves this problem by letting the ethertype be changed as required. Under the custom ethertype model, ethertypes 0x9100, 0x9200, and 0x88A8 can be configured with the "dot1q tunneling" CLI under a physical port.
Benefits
This provides seamless interoperability with other vendors' equipment and solutions that use a different default Q-in-Q ethertype.
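Why the outer-tag ethertype matters, as an added Python example (not Cisco code): a small tag decoder that recognises the outer tag only by the ethertype the port is configured for, applied to a constructed frame from a vendor using 0x9100 and to an 802.1ad (0x88A8) frame. The decoder's treatment of an unmatched outer tag as an untagged frame and the frame contents are assumptions.

```python
import struct

DOT1Q_TPID = 0x8100                                          # default ethertype for the Q-in-Q outer tag on the 7600
CONFIGURABLE_OUTER_TPIDS = {0x8100, 0x9100, 0x9200, 0x88A8}  # the values the bulletin lists for "dot1q tunneling"

def check_outer_tpid(tpid: int) -> int:
    """Mirror the CLI restriction: only the listed ethertypes can be set for the outer tag."""
    if tpid not in CONFIGURABLE_OUTER_TPIDS:
        raise ValueError(f"unsupported outer ethertype 0x{tpid:04X}")
    return tpid

def classify(frame: bytes, outer_tpid: int = DOT1Q_TPID) -> dict:
    """Decode the VLAN tags of a frame as a port configured with outer_tpid would see them.
    Modelling simplification: the outer tag is recognised only by the configured ethertype and
    the inner tag only by 0x8100; whatever follows is reported as the payload ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, tags = 12, []
    etype = struct.unpack_from("!H", frame, off)[0]
    for expected in (outer_tpid, DOT1Q_TPID):
        if etype != expected or len(frame) < off + 6:
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    return {"outer": tags[0] if tags else None,
            "inner": tags[1] if len(tags) > 1 else None,
            "ethertype": etype}

def build_qinq(outer_tpid: int, outer_vid: int, inner_vid: int, pcp: int = 0) -> bytes:
    """Constructed double-tagged IPv4 frame (addresses from the documentation MAC range)."""
    dst, src = bytes.fromhex("00005e00530a"), bytes.fromhex("00005e00530b")
    tags = struct.pack("!HHHH", outer_tpid, (pcp << 13) | outer_vid, DOT1Q_TPID, inner_vid)
    return dst + src + tags + struct.pack("!H", 0x0800) + bytes(46)

def constructed_cases():
    """A vendor frame tagged with 0x9100 seen by a default port and by a port set to 0x9100, plus 802.1ad."""
    vendor = build_qinq(0x9100, outer_vid=200, inner_vid=10, pcp=5)
    pb = build_qinq(0x88A8, outer_vid=300, inner_vid=20)
    return {
        "vendor_on_default_port": classify(vendor),          # outer tag is not recognised as a tag
        "vendor_on_0x9100_port": classify(vendor, check_outer_tpid(0x9100)),
        "pb_on_0x88A8_port": classify(pb, check_outer_tpid(0x88A8)),
    }
```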
2.2.7) MAC address security for Service Instances (EVC)
The Cisco 7600 supports the Port Security feature on a per-port basis. With the advent of the Service Instance (EVC) infrastructure, it is now possible to provide the same type of functionality on a per-service-instance basis. Since multiple customers and multiple services can be supported on a single port, it becomes useful to provide this functionality at the granularity of the service instance. For instance, when a violation requires a shutdown, only the customer assigned to the given service instance is affected rather than all customers using the port.
MAC security operation is enabled on a service instance by configuring the "mac security" configuration command.
Benefits
The MAC Security functionality can be roughly divided into the following categories:
1. Configuration
• Enabling/Disabling MAC Security on service instance
• MAC Address whitelist configuration on service instance
• Sticky configuration
• Aging
• MAC Address limiting on service instance
• MAC Address limiting on BD
• Violation response configuration on service instance
The Private Hosts feature provides Layer 2 (L2) isolation between the hosts in a VLAN. You can use Private Hosts as an alternative to the Private VLAN isolated-trunks feature, which is currently not available on the Cisco 7600 router.
Service Providers (SPs) worldwide face increasing demand to provide their customers with triple-play services (voice, video, and data) over a single physical interface (copper or fiber). Typically, triple-play services are delivered over three different VLANs for each user, even though the VLAN for video traffic is often shared by multiple end users.
The key benefits of the Private Hosts feature are the ability to:
• Isolate traffic among hosts (subscribers) that share the same VLAN ID
• Reuse VLAN IDs across different subscribers, which improves VLAN scalability by making better use of the 4096 VLANs allowed
• Prevent MAC spoofing, which in turn prevents denial of service (DoS) attacks
The Private Hosts feature uses port-based Protocol-Independent MAC ACLs (PACLs) to provide Layer 2 isolation between hosts on trusted ports within a purely Layer 2 domain. The PACLs isolate the hosts by imposing Layer 2 forwarding constraints on the router ports.
Benefits
This feature adds support for SVIs in the Private Hosts configuration, eliminating the need for an external router.
In the ITU-T specification Y.1731 a superset of fault management options have been defined that extend some of the Service Management functions outlined in the IEEE's Connectivity Fault Management (CFM) 802.1ag standard. Two of these are the Alarm Indication Signal (AIS) and the Remote Defect Indication (RDI)*. The added benefits of these two options are expanded upon below.
Alarm Indication Signal (ETH-AIS)
The Ethernet Alarm Indication Signal function (ETH-AIS) is used to suppress alarms following detection of defect conditions at the server (sub-)layer. Because Spanning Tree Protocol (STP) environments provide independent restoration capabilities, ETH-AIS is not expected to be applied in STP environments. In Cisco IOS, AIS is configurable, and it is up to the administrator whether to enable or disable AIS in an STP environment.
Transmission of frames with ETH-AIS information can be enabled or disabled on a MEP (or on a Server MEP).
Frames with ETH-AIS information can be issued at the client Maintenance Level by a MEP, including a Server MEP upon detecting defect conditions. For example, the defect conditions may include:
• Signal fail conditions in the case that ETH-CC is enabled
• AIS condition or LCK condition in the case that ETH-CC is disabled.
For multipoint ETH connectivity, a MEP cannot determine the specific server (sub) layer entity that has encountered defect conditions upon receiving a frame with ETH-AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received ETH-AIS information does not contain that information. Therefore, upon reception of a frame with ETH-AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
For a point-to-point ETH connection, however, a MEP has only a single peer MEP. Therefore, there is no ambiguity regarding the peer MEP for which it should suppress alarms when it receives the ETH-AIS information.
Only a MEP, including a Server MEP, is configured to issue frames with ETH-AIS information. Upon detecting a defect condition, the MEP can immediately start transmitting periodic frames with ETH-AIS information at a configured client Maintenance Level. In Cisco IOS, these frames are sent at the MIP level configured on the interface. A MEP continues to transmit periodic frames with ETH-AIS information in the direction opposite the defect until the defect condition is removed. The AIS defect condition clears automatically if no AIS frames are received for a period of 3.5 times the AIS transmit interval.
Benefits
• AIS provides a mechanism for asynchronous notification of a failure in the network.
• AIS suppresses multiple redundant alarms from being transmitted to the NMS for a particular fault
Remote Defect Indication (ETH-RDI)
Ethernet Remote Defect Indication (ETH-RDI) can be used by a MEP to communicate to its peer MEPs that a defect condition has been encountered. ETH-RDI is used only when ETH-CC transmission is enabled, as it is carried as a bit in the Flags field of the ETH-CC message.
ETH-RDI has the following two applications:
• Single-ended fault management: The receiving MEP detects an RDI defect condition, which gets correlated with other defect conditions in this MEP and may become a fault cause. The absence of received ETH-RDI information in a single MEP indicates the absence of defects in the entire Maintenance.
• Contribution to far-end performance monitoring: It reflects that there was a defect condition in the far-end which is used as an input to the performance monitoring process.
A MEP that is in a defect condition transmits frames with ETH-RDI information. A MEP, upon receiving frames with ETH-RDI information, determines that its peer MEP has encountered a defect condition. However, for multipoint ETH connectivity, a MEP, upon receiving frames with ETH-RDI information, cannot determine the associated subset of its peer MEPs with which the MEP transmitting RDI information encounters defect conditions, as the transmitting MEP itself does not always have that information.
Benefits
• The Remote Defect Indication (RDI) serves to inform upstream MEPs that there has been a downstream failure and can be used as input to far-end performance monitoring.
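The AIS clearing rule and the RDI bit described in the two sections above, as one added Python example (a model, not Cisco's CFM implementation): two MEPs on a point-to-point EVC exchange 1-second CCMs, one direction is lost, the affected MEP declares a defect and sets RDI in its own CCMs (which its peer reads as a far-end defect), then a server-layer AIS suppresses the alarm until 3.5 AIS intervals pass without an AIS frame. The Flags-byte layout is Y.1731's; the timeline and the use of the same 3.5x rule for loss of continuity are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

CLEAR_MULTIPLIER = 3.5   # bulletin: the AIS condition clears after 3.5 x the AIS transmit interval without AIS frames
RDI_BIT = 0x80           # RDI is the most significant bit of the Flags byte of an ETH-CC (CCM) PDU
# Y.1731 period encoding in Flags bits 3-1, shared by CCM and AIS; AIS senders use code 4 (1 s) or 6 (1 min)
PERIOD_CODES = {1: 0.00333, 2: 0.01, 3: 0.1, 4: 1.0, 5: 10.0, 6: 60.0, 7: 600.0}

def encode_flags(rdi: bool, period_code: int) -> int:
    if period_code not in PERIOD_CODES:
        raise ValueError("invalid period code")
    return (RDI_BIT if rdi else 0) | period_code

def decode_flags(flags: int):
    """Return (rdi, period_seconds) from a CCM/AIS Flags byte."""
    return bool(flags & RDI_BIT), PERIOD_CODES[flags & 0x07]

@dataclass
class Mep:
    """A MEP on a point-to-point EVC: one peer, so received RDI and AIS are unambiguous."""
    ccm_period_s: float
    last_ccm_rx: Optional[float] = None
    last_ais_rx: Optional[float] = None
    ais_period_s: Optional[float] = None
    cc_defect: bool = False        # loss of continuity from the peer
    peer_rdi: bool = False         # the peer's CCMs say it sees a defect (far-end indication)
    ais_suppressed: bool = False   # server-layer AIS is suppressing our alarms

    def rx_ccm(self, t: float, flags: int) -> None:
        self.peer_rdi, _ = decode_flags(flags)
        self.last_ccm_rx = t

    def rx_ais(self, t: float, flags: int) -> None:
        _, self.ais_period_s = decode_flags(flags)
        self.last_ais_rx, self.ais_suppressed = t, True

    def tick(self, t: float) -> int:
        """Re-evaluate defects at time t and return the Flags byte of the CCM this MEP now transmits."""
        # assumption: loss of continuity uses the same 3.5 x rule as AIS clearing
        self.cc_defect = (self.last_ccm_rx is not None
                          and t - self.last_ccm_rx >= CLEAR_MULTIPLIER * self.ccm_period_s)
        if self.ais_suppressed and t - self.last_ais_rx >= CLEAR_MULTIPLIER * self.ais_period_s:
            self.ais_suppressed = False
        return encode_flags(rdi=self.cc_defect, period_code=4)

    def alarm(self) -> bool:
        """Report to the NMS only a defect that a server-layer AIS has not already explained."""
        return self.cc_defect and not self.ais_suppressed

def constructed_timeline():
    """Constructed 1 s CCM timeline: east->west CCMs are lost at t=10, then AIS reaches west at t=15."""
    west, east, out = Mep(1.0), Mep(1.0), {}
    for t in range(10):                                  # healthy: both directions every second
        west.rx_ccm(t, east.tick(t))
        east.rx_ccm(t, west.tick(t))
    out["healthy_alarm"] = west.alarm()
    for t in range(10, 15):                              # only west->east CCMs still arrive
        east.rx_ccm(t, west.tick(t))
    out["west_cc_defect"] = west.cc_defect               # at t=13: 13 - 9 = 4 s >= 3.5 s
    out["east_sees_rdi"] = east.peer_rdi                 # single-ended fault management at the far end
    out["west_alarm_before_ais"] = west.alarm()
    west.rx_ais(15.0, encode_flags(False, 4))            # server layer signals AIS at a 1 s period
    west.tick(15.0)
    out["west_alarm_under_ais"] = west.alarm()
    west.tick(18.0)                                      # 3.0 s without AIS: still suppressed
    out["suppressed_at_18"] = west.ais_suppressed
    west.tick(18.5)                                      # 3.5 s without AIS: condition clears
    out["suppressed_at_18_5"] = west.ais_suppressed
    return out
```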