Bridge Virtual Interface (BVI) on VRF feature enables VRF support on BVI when the BVI is part of the bridge domain that is configured with Layer 2 main interfaces and Layer 2 single-tagged sub-interfaces with rewrites. BVI is a virtual interface that is defined with Integrated Routing and Bridging (IRB).

BGP Session Authentication and Integrity using TCP Authentication Option feature enables you to use stronger message authentication codes that protect against replays, even for long-lived TCP connections.

It supports current infrastructure uses of TCP MD5, such as to protect long-lived connections, for example, as used in BGP. This feature supports a larger set of message authentication codes with minimal other system and operational changes.

This feature is compatible with both a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism. In either case, using traffic keys derived from the MKT, this feature also protects connections when using the same MKT across repeated instances of a connection, and it coordinates MKT changes between endpoints.

For more informnation about the feature, see the chapter Implementing BGP in the BGP Configuration Guide for Cisco NCS 5000 Series Routers, IOS XR Release 6.5.x.

Access lists perform packet filtering to control which packets move through the network and where. An access control list (ACL) consists of one or more access control entries (ACE) that collectively define the network traffic profile.

Bridge Virtual Interfaces (BVIs) provide a bridge between the routing and bridging domains on a router. A BVI is configured with an IP address and operates as a regular routed interface. You can configure an ACL on a BVI to filter the traffic for the network that uses the interface.

Prior to Release 6.5.1, ACLs could be applied only on the bridge domain interfaces. Therefore, both L2 and L3 traffic was filtered based on the ACLs applied on bridge domain interfaces. The feature ACL over BVI allows you to configure ACL on the BVI interfaces in the IRB domain. Thereby, only L3 traffic flows are filtered based on the ACLs applied on BVI interfaces. This helps in filtering the traffic flows towards the core-network and overall performance of the network improves.

For more information about the feature, see the chapter Ingress ACL over BVI in the IP Addresses and Services Configuration Guide for Cisco NCS 5000 Series Routers

Configuration of Unicast IPv4 and IPv6 Reverse Path Forwarding (uRPF) enables a router to verify the reachability of the source addresses, in the packets being forwarded. Configuring uRPF, both strict and loose modes, helps to mitigate problems caused by the introduction of spoofed IP source addresses into a network. Configuration of uRPF discards IP packets that lack a verifiable IP source address after a reverse lookup in the CEF table.

For more information about the feature, see the chapter Implementing Cisco Express Forwarding in the IP Addresses and Services Configuration Guide for Cisco NCS 5000 Series Routers

This feature provides support for EVPN-VxLAN on Cisco NCS 5000.

This feature supports DHCP circuit-ID and helper address interface configuration on Cisco NCS 5000.

Bridge Virtual Interface (BVI) on VRF feature enables VRF support on BVI when the BVI is part of the bridge domain that is configured with Layer 2 main interfaces and Layer 2 single-tagged sub-interfaces with rewrites. BVI is a virtual interface that is defined with Integrated Routing and Bridging (IRB).

This feature supports convergence enhancements on Cisco NCS 5000 in case of software upgrade or failure.

Earlier, in IOS-XR platforms, LLDP was enabled only with global LLDP configuration and administrators had to manually disable each interface.

With this feature, you can now enable the global LLDP configuration per-interface basis. To enable the feature, you must make the necessary configuration changes. For more information on the feature, see the Interface and Hardware Component Configuration Guide for Cisco NCS 5000 Series Routers.

The EVPN VXLAN All-Active Multihoming feature allows you to manage VXLAN Ethernet services in a spine-leaf data center or service provider network over VXLAN IP tunnel. This feature allows routers to be used as top of racks (ToRs). This feature simplifies fabric management, optimizes the fabric infrastructure, and automates provisioning across physical and virtual environments.

The MAC Move Notification feature enables you to configure MAC address security at the interfaces and at the bridge access ports (subinterfaces) levels. However, MAC security configured under an interface takes precedence to MAC security configured at the bridge domain level. When a MAC address is first learned on an Ethernet Flow Point (EFP) that is configured with MAC security and then the same MAC address is learned on another EFP, the following events occur:

• the packet is dropped

• the second EFP is shutdown

• the packet is learned and the MAC from the original EFP is flushed

Traditionally, install operations are executed using CLIs, which require access to the routers. The NETCONF protocol is designed to automate the CLI executions for install operations, and address the shortcomings where the router access is required by implementing RPC mechanism.

For more information about this feature, see Components to Use Data Models Chapter of the Programmability Configuration Guide for Cisco NCS 5000 Series Routers.

In Cisco IOS XR, the control packets, which are destined to the Route Processor (RP), are policed using a set of ingress policers in the incoming ports. These policers are programmed statically during bootup by Local Packet Transport Services (LPTS) components and applied on the basis of the flow type of the incoming control traffic.

This feature enables you to modify default policer rates and hence control traffic of a particular IPv6 LPTS session matching a IPv6 ACL rule and VRF ID.

For more information about the feature, see the chapter Configure IPv6 ACL-based LPTS Policers in the IP Addresses and Services Configuration Guide for Cisco NCS 5000 Series Routers.

IPv6 VPN Provider Edge (6PE/VPE) uses the existing MPLS IPv4 core infrastructure for IPv6 transport. 6PE/VPE enables IPv6 sites to communicate with each other over an MPLS IPv4 core network using MPLS label switched paths (LSPs).

The VLAN Switch feature enables you to configure L2 VLAN switching with minimum configuration. This feature allows you to configure L2 bridging without having to configure and manage separate bridge instances and sub-interfaces for each per VLAN L2 forwarding domain.

Prior to implementation of this feature, to configure and manage basic L2 bridging, numerous sub-interfaces were required. Using separate sub-interfaces for each VLAN on a port overloads the system scalability and consumes hardware resources, slows down provisioning, and makes the device harder to manage due to the large number of sub-interface constructs that exists in the system.

For more information on this feature, see the Configure Virtual LANs in Layer 2 VPNs chapter in the L2VPN and Ethernet Services Configuration Guide for Cisco NCS 5000 Series Routers.

RPF vector is a PIM proxy that lets core routers without RPF information forward join and prune messages for external sources (for example, a MPLS-based BGP-free core, where the MPLS core router is without external routes learned from BGP). The RPF vector encoding is now compatible with the new IETF encoding. Use the rpf-vector use-standard-encoding command to enable the feature.

For more information on RPF, see the Implementing Layer-3 Multicast Routing chapter in the Multicast Configuration Guide for Cisco NCS 5000 Series Routers

Golden ISO (GISO) upgrades to a version that has a predefined list of software maintenance update (SMUs) with a single operation. However, to update to the same version with a different set of SMUs requires a two-step process. This two-step process can be avoided using the install update replace functionality to replace the currently active version with the full package including the image and SMUs from the newly added GISO.

For information about the functionality and configuration, see Customize Installation using Golden ISO chapter in the System Setup and Software Installation Guide for NCS5000 Series Routers, IOS XR 6.5.x.

At present, an IS-IS purge does not contain any information to identify the Intermediate System (IS) that generates the purge. This makes it difficult to locate the source IS.

To address this issue, the Purge Originator Identification (POI) TLV for IS-IS feature defines a type, length, and value (TLV) that can be added to the purges, to record the system ID of the IS that had initiated the purge. This makes it easier to locate the origin of the purge and its cause. If you are using cryptographic authentication, then the enable-poi keyword in lsp-password command must be enabled to insert the Purge Originator Identification (POI). If you are not using cryptographic authentication, then the POI is inserted by default. This TLV is also helpful in lab environments.

For more information about this feature, see Implementing IS-IS Chapter of the Routing Configuration Guide for Cisco NCS 5000 Series Routers.

Cisco IOS XR supports Google network management interface (gNMI) protocol in dial-in mode where the client establishes a connection to the router. gNMI is an unified mangement protocol for streaming telemetry data using OpenConfig RPC framework. This framework and protocol does not need explicit configuration, but simplifies telemetry configuration on the router by only starting the gRPC server.

In addition, support is provided for transport layer security (TLS) ciphers in gRPC session. Two new gRPC configuration parameters max-streams and max-streams-per-user are provided to stream only the gRPC-specific requests.

To enable the gRPC server in dial-in mode, see Configure Model-driven Telemetry chapter in Telemetry Configuration Guide for Cisco NCS 5000 Series Routers.

OSPF Authentication with Keychain feature enables the support of Hashed Message Authentication Code (HMAC) during OSPF authentication. New crypto algorithms such as, HMAC-SHA-256 and HMAC-SHA1-96 are added under key-chain infra as part of this feature. These algorithms provide more secured authentication.

Keychains can be configured at different levels of OSPF like at the router level, or the area level, or the interface level.

For more information about OSPF Authentication, see Implementing OSPF Chapter of the Routing Configuration Guide for Cisco NCS 5000 Series Routers, IOS XR Release 6.5.x.

For more information about Keychain configuration, see Implementing Keychain Management Chapter of the System Security Configuration Guide for Cisco NCS 5000 Series Routers, IOS XR Release 6.5.x

The Minimum Remaining Lifetime for IS-IS feature helps to maintain the stability of the network when the Remaining Lifetime field in a Link State Protocol (LSP) is corrupted. Corruption of the Remaining Lifetime field in a LSP data unit can go undetected. In certain scenarios, this may cause or exacerbate flooding of LSPs. This feature resolves this problem by enabling IS-IS to reset the Remaining Lifetime value of the received LSP, to the maximum LSP lifetime (1200 seconds), if the Remaining Lifetime value of the received LSP is less than the maximum LSP lifetime configured in a local node. If the received LSP lifetime value is less than the Zero Age Lifetime (60 seconds), IS-IS generates an error message indicating that it’s a corrupted lifetime event.

IS-IS saves the received Remaining Lifetime value in LSP database. The value is shown in the show isis database command output under the Rcvd field.

For more information about the show isis database command, see IS-IS Commands Chapter of the Routing Command Reference for Cisco NCS 5000 Series Routers.

For more information about this feature, see Implementing IS-IS Chapter of the Routing Configuration Guide for Cisco NCS 5000 Series Routers.

IS-IS Authentication with Keychain feature enables the support of Hashed Message Authentication Code (HMAC) and Cipher-based Message Authentication Code (CMAC) during IS-IS authentication. New cryptographic algorithms such as, AES-128-CMAC-96, HMAC-SHA-256, and HMAC-SHA1-96 are added under Keychain infra as part of this feature. These algorithms provide more secured authentication.

Keychains can be configured at the router level (in case of the lsp-password command) and at the interface level (in case of the hello-password command) within IS-IS. These commands refer to the global keychain configuration and instruct the IS-IS protocol to obtain security parameters from the global set of configured keychains.

For more information about Keychain configuration, see Implementing Keychain Management Chapter of the System Security Configuration Guide for Cisco NCS 5000 Series Routers.

Golden ISO (GISO) upgrades to a version that has a predefined list of software maintenance update (SMUs) with a single operation. However, to update to the same version with a different set of SMUs requires a two-step process. This two-step process can be avoided using the install update replace functionality to replace the currently active version with the full package including the image and SMUs from the newly added GISO.

For information about the functionality and configuration, see Customize Installation using Golden ISO chapter in the System Setup and Software Installation Guide for NCS5000 Series Routers, IOS XR 6.5.x.

This feature provides resolution to prevent RDSFS process crash, and memory leakage at Name Registration Service (NRS) and Replicated Data Services File System (RDSFS) Server due to large number of configuration commits. To achieve this, nrs_purge API is enhanced to purge the NRS handles for files that are already deleted. This resolution provides significant improvements in the following aspects:

• Enables a large number of configuration commits, without any issues

• Ensures lower memory consumption for NRS server and RDSFS processes.

• Prevents the need to reload the router when it has to recover from the following scenarios:

  • Continuous restarting or crashing of RDSFS processes

  • Not being able to commit any configurations

Cisco IOS XR supports programmability of OC NI, OC local routing, OC-MPLS, OC-RSVP-SR, OC-RPL and OC-BGP-Policy OpenConfig data models for configuration and operational data.

For more information about YANG data models and configuration, see Using Data Models chapter in Programmability Configuration Guide for Cisco NCS 5000 Series Routers

There are no caveats in this release.