This release introduces OSPF extensions to support Segment Routing Flexible Algorithm.

Segment Routing Flexible Algorithm allows operators to customize IGP shortest path computation according to their own needs. An operator can assign custom SR prefix-SIDs to realize forwarding beyond link-cost-based SPF. As a result, Flexible Algorithm provides a traffic engineered path automatically computed by the IGP to any destination reachable by the IGP.

The SR architecture associates prefix-SIDs to an algorithm which defines how the path is computed. Flexible Algorithm allows for user-defined algorithms where the IGP computes paths based on a user-defined combination of metric type and constraint.

See Configuring Flexible Algorithm.

An Anycast SID is a type of prefix SID that identifies a set of nodes and is configured with n-flag clear. The set of nodes (Anycast group) is configured to advertise a shared prefix address and prefix SID. Anycast routing enables the steering of traffic toward multiple advertising nodes, providing load-balancing and redundancy. Packets addressed to an Anycast address are forwarded to the topologically nearest nodes.

See Anycast SID-Aware Path Computation.

Previously, prefix redistribution from IS-IS to another IS-IS instance or protocol was limited to SR algorithm 0 (regular SPF) prefix SIDs; SR algorithm 1 (Strict SPF) and SR algorithms 128-255 (Flexible Algorithm) prefix SIDs were not redistributed along with the prefix. The Segment Routing IS-IS Flexible Algorithm Prefix SID Redistribution feature allows redistribution of strict and flexible algorithms prefix SIDs from IS-IS to another IS-IS instance or protocols. This feature is enabled automatically when you configure redistribution of IS-IS Routes with strict or Flexible Algorithm SIDs.

See Flexible Algorithm Prefix-SID Redistribution.

Tree Segment Identifier (TreeSID) is a tree-building solution that uses a controller (SR-PCE using PCEP) to calculate the point-to-multipoint (P2MP) tree using SR policies. TreeSID uses a single MPLS label for building a multicast replication tree in an SR network. TreeSID does not require multicast control protocols such as RSVP, mLDP, and PIM.

A P2MP SR policy provides an SR-based TE solution for transporting multicast traffic. It works on existing data-plane (MPLS and IP) and supports TE capabilities and single/multi routing domains. At each node of the tree, the forwarding state is represented by the same segment (using a global TreeSID allocated from the SRLB). P2MP SR policy supports fast protection and prevents transient loop/loss when updating the path of a P2MP SR policy.

See Segment Routing Tree Segment Identifier.

SR-TE Affinity Maps provides a simplified and more flexible means of configuring link attributes and path affinities to compute paths for SR-TE policies. SR-TE Affinity Maps lets you assign, or map, color names for affinity and attribute-flag attributes instead of 32-bit hexadecimal numbers. This enhancement increases the number of color names you can assign on the head-end router from 32 to 256.

See Named Interface Link Admin Groups and SR-TE Affinity Maps.

The ltrace information is now stored in a persistence storage. This helps to store historic ltraces information in the memory. This trace information is used to augment diagnosis of platform issues.

Prior to this release, ltrace information was stored in a shared memory. The shared memory has limited buffer size. When the buffer was full, the historic data was lost.

To view the ltrace information use the show <component> trace file <filename> original location command.

From this release onwards, the hw-module shut and hw-module unshut commands are supported in the configuration mode.

This facilitates in automating the network hardware replacement procedure.

Earlier, the hw-module shut command was supported in admin mode.

From Cisco IOS XR Software Release 7.0.1 and later, the management plane and control plane components that were part of the Cisco IOS XR security package (k9sec package) are moved to the base Cisco IOS XR software image. These include SSH, SCP, SFTP and IPSec control plane. This segreg ation of package components makes the software more modular. It also gives you the flexibility of including or excluding the security package as per your requirements.

See SSH and SFTP in Baseline Cisco IOS XR Software Image.

The Cisco IOS XR software provides a new configuration option to control the key algorithms to be negotiated with the peer while establishing an SSH connection with the router. With this feature, you can enable the insecure SSH algorithms on the SSH server, which are otherwise disabled by default. A new configuration option is also available to restrict the SSH client from choosing the HMAC, or hash-based message authentication codes algorithm while connecting to the SSH server on the router. You can also configure a list of ciphers as the default cipher list, thereby having the flexibility to enable or disable any particular cipher.

See the SSH Configuration Option to Restrict Cipher Public Key and HMAC Algorithm.

Commands introduced:

• ssh algorithms cipher

• ssh server disable hmac

With this release, you now have the ability to perform Layer 2 (802.1p) marking on Layer 3 flows in the egress direction. This allows you to re-mark the priority of Ethernet packets on L3VPN traffic, but only in the peering mode. (To enable the peering feature, use the hw-module profile qos ingress-model peering configuration. You must reload the router for the hw-module configuration to be functional.)

See QoS L2 Re-Marking of Ethernet Packets on L3 Flows in Egress Direction.

The Layer 3 QinQ feature allows you to terminate Layer 3 VPN service transport over QinQ subinterfaces. This feature enables you to increase the number of VLAN tags in an interface and increment the number of subinterfaces. Customers of service providers often have specific requirements for VLAN tags and the number of VLANs they support. Different customers require separate VLAN ranges to avoid network overlaps in the same service-provider network, and to prevent mixing of traffic of different customers in the same network infrastructure. Assigning unique range of VLAN IDs to each customer restricts customer configurations and exceeds the VLAN limit of 4096 of the 802.1Q specification. This feature allows you to enable the dual tag and efficiently manage customers services.

See Layer 3 QinQ.

The following table lists timing features supported on NCS 5500 chassis:

See Timing Hardware Support Matrix.

On Cisco NCS 5500, the number of bridge domains that you can configure with BVI on physical and bundle interfaces is 1250. The number of bridge domains that you can have without BVI on physical and bundle interfaces is 1500.

The above mentioned scale value is calculated when a single attachment circuit is configured on a bridge domain. The scale value reduces if you want to configure more than one attachment circuit on a bridge domain.

The Tunable MAC Address Aging Timer feature allows you to configure the MAC aging time between 300 seconds to 30,000 seconds. The defualt value is 300 seconds.

See MAC Address Aging.

SSHv2 server and client connections support enabling of CBC mode ciphers 3DES-CBC and AES-CBC at the same time. These ciphers are disabled by default.

See Configuring CBC Mode Ciphers.

Type 6 password encryption securely stores plain text key strings for authenticating BGP, IP SLA, IS-IS, OSPF, and RSVP sessions.

See Implementing Type 6 Password Encryption.

Commands introduced or modified:

• key config-key password-encryption

• show type6

• show key chain

• key-string (keychain)

The IS-IS Restart Signaling feature provides a mechanism for a restarting router to signal to its neighbor that it is restarting. This feature allows the neighboring routers of a restarting router to reestablish their adjacencies without any disruption.

The restarting router sends Suppress adjacency advertisement (SA) towards the neighbour. Intermediate-to-Intermediate Hello (IIH) messages are sent to its neighbor to suppress the advertisement of the adjacency until the router is able to propagate newer versions of LSPs. The neighbor continues to suppress the advertisement of adjacency until the SA bit clear message is received.

The ISIS Restart Signaling Support conforms to the specifications detailed in RFC 5306.

See IS-IS Restart Signaling Support.

This feature helps capturing the exact packet size of the ingress Netflow packet.

Earlier, when a L2VPN packet with a destination MAC address starting with number 6 is received, the packet gets wrongly decoded as IPv6 packet; the packet size consequently gets reported inaccurately to the collector.

See Netflow Full Packet Capture.

The command, hw-module profile netflow fpc-enable is introduced.

This feature brings in the functionality of automatically generating the SSH host-key pairs for the DSA, ECDSA (such as ecdsa-nistp256 , ecdsa-nistp384 , and ecdsa-nistp521 ) and RSA algorithms. This in turn eliminates the need for explicitly generating each SSH host-key pair after the router boots up. Because the keys are already present in the system, the SSH client can establish connection with the SSH server soon after the router boots up with the basic SSH configuration. This is useful especially during zero touch provisioning (ZTP) and Golden ISO boot up scenarios.

See Automatic Generation of SSH Host-Key Pairs.

The command, ssh server algorithms host-key is introduced.

Users can clear the memory and the partitions of an RP or a line card before an RMA (Return Merchandise Authorization). Clearing the memory and partitions of the card is performed when the card is defective and has to be returned.

See Clear the Memory and the Partitions of a Card.

This release has the following enhancements to the Zero Touch Provisioning (ZTP) feature:

• You can perform these additional operations using Zero Touch Provisioning:

  • Enable or disable ZTP at boot using CLI (ztp enable, ztp disable).

  • Customize the ZTP configurable options using the configuration file (ztp.ini).

  • View the ZTP status as a Progress Bar on a console.

• ZTP follows a default sequential flow as defined in the ztp.ini file. ZTP first sends IPv4 DHCP request on all the management ports. In case there is a failure, then ZTP sends IPv6 DHCP request on all the management ports. Similarly, the same order is followed on all the data ports.

See Customize the ZTP Configurable Options.

The OpenConfig (OC) data models are defined by the OC community to create configuration and retreive operational state data of the network. This release supports:

• Event-driven Telemetry support for OC-LLDP data model.

See New and Changed Programmability Features.

The OpenConfig (OC) data models are defined by the OC community to create configuration and retreive operational state data of the network. This release supports:

• OC-LLDP data model for event-driven telemetry.

• OC-Interfaces-Aggregate data model to manage aggregated interfaces. This model augments the existing oc-interfaces data model.

See New and Changed Programmability Features.

Event-driven telemetry supports monitoring Multicast Label Distribution Protocol (MLDP) using NETCONF and YANG data model. If there is a state change in MLDP, the router streams data about flow statistics for multicast labels, and control plane statistics for mLDP.

See New and Changed Telemetry Features.

gRPC Network Operations Interface (gNOI) defines a set of gRPC-based microservices for executing operational commands on network devices. Extensible Manageability Services (EMS) gNOI is the Cisco IOS XR implementation of gNOI. gNOI uses gRPC as the transport protocol and the configuration is same as that of gRPC. These gNOI RPCs are supported:

• Reboot

• RebootStatus

• SetPackage

• File Get

• File Remove

See gRPC Network Operations Interface.