PDF(621.3 KB) View with Adobe Reader on a variety of devices
Updated:August 3, 2016
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document provides information about the Cisco IOS XE Denali 16.3.1 software release for the Cisco 4000 Series Integrated Services Routers (ISRs) and consists of the following sections:
Cisco 4000 Series Integrated Services Routers Overview
The Cisco 4000 Series ISRs are modular routers with LAN and WAN connections that can be configured by means of interface modules, including Cisco Enhanced Service Modules (SM-Xs), and Network Interface Modules (NIMs).
The following table lists the router models that belong to the Cisco 4000 Series ISRs.
Cisco 4400 Series ISR
Cisco 4300 Series ISR
Cisco 4431 ISR
Cisco 4321 ISR
Cisco 4451 ISR
Cisco 4331 ISR
Cisco 4351 ISR
Migrating to Cisco IOS XE Denali 16.3.1
The Cisco IOS XE Denali 16.3.1 Migration Guide for Access and Edge Routers contains important information for migrating successfully from Cisco IOS XE 3S to Cisco IOS XE 16.3.1. Before you begin the migration, read this information to ensure that you have completed all the prerequisites and understand the migration process.
The following are the minimum system requirements:
Memory: 4GB DDR3 up to 16GB
Hard Drive: 200GB or higher (Optional). (The hard drive is only required for running services such as Cisco ISR-WAAS.)
Flash Storage: 4GB to 32GB
NIMs and SM-Xs: Modules (Optional)
NIM SSD (Optional)
Determining the Software Version
You can use the following commands to verify your software version:
For a consolidated package, use the show version command
For individual sub-packages, use the show version installed command
Upgrading to a New Software Release
To install or upgrade, obtain a Cisco IOS XE Denali 16.3.1 consolidated package (image) from Cisco.com. You can find software images at http://software.cisco.com/download/navigator.html. To run the router using individual sub-packages, you also need to first download the consolidated package and extract the individual sub-packages from a consolidated package.
The hardware-programmable firmware is upgraded when Cisco 4000 Series ISR contains an incompatible version of the hardware-programmable firmware. To do this upgrade, a hardware-programmable firmware package is released to customers.
Generally, an upgrade is necessary only when a system message indicates one of the field-programmable devices on the Cisco 4000 Series ISR needs an upgrade, or a Cisco technical support representative suggests an upgrade.
Note: CPLD upgrade and ROMMON upgrade to 16.2(1r) is required for the NIM-ES2-8 module to boot up.
You can use Cisco Feature Navigator to find information about feature, platform, and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on cisco.com is not required.
Limitations and Restrictions
The following limitations and restrictions apply to all releases:
The Cisco Unified Threat Defense (UTD) service requires a minimum of 8GB of DRAM and 200GB SSD.
Cisco ISR-WAAS and AppNav-XE Service
The Cisco ISR-WAAS/AppNav service requires a system to be configured with a minimum of 8GB of DRAM and 16GB flash storage. For large service profiles, 16GB of DRAM and 32GB flash storage is required. Also, Cisco ISR-WAAS requires a minimum of 200GB SSD.
IPsec Traffic
IPsec traffic is restricted on the Cisco ISR 4451-X. The router has the same IPsec functionality as a Cisco ISR G2. The default behavior of the router will be as follows (unless an HSECK9 license is installed):
If the limit of 225 concurrent IPsec tunnels is exceeded, no more tunnels are allowed and the following error message appears:
%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.
When the throughput value for the inbound (decrypted) traffic exceeds 85Mbps, subsequent IPsec traffic in that direction will be dropped and the following message will be displayed:
%IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00000001786413378010 %CERM_DP-4-DP_RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
To avoid this restriction and enable full IPsec functionality on the router, install an HSECK9 feature license.
The Cisco 4000 Series ISR does not currently support nested SA transformation such as:
For Cisco ISR 4000 Series UC features interpretation with CUCM versions, For detailed information, see the following Cisco document: Compatibility Matrix.
For High density DSPfarm PVDM (SM-X-PVDM) and PVDM4 DSP planning, For detailed information, see the following Cisco document: DSP Calculator for DSP planning.
Recommended Release for Cisco IWAN
Cisco IOS XE Denali 16.3.5 is not recommended for Cisco IWAN due to the following bugs: CSCvf98783, CSCvg35332, and CSCvg05896. Instead, it is recommended to use Cisco IOS XE Denali 16.3.5c for Cisco IWAN, which provides a fix for these bugs. For more details on these bugs, see Cisco Bug Search Tool.
New Features and Important Notes About Cisco 4000 Series ISRs Release Denali 16.3.1
This section describes new features in Cisco IOS XE Denali 16.3.1 that are supported on the Cisco 4000 Series ISRs.
Supported Technology Configuration Guides—When a technology is supported on Cisco 4000 series ISR, the corresponding technology configuration guide is displayed on the product landing page.
Cisco UCS E-Series EN140 NIM Support on Cisco 4000 Series ISR—For detailed information, see the following Cisco document: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/hw/e_series_install.html.
Cisco IOx Local Manager—Cisco IOx Local Manager is a platform-specific application that is installed on a host system as part of the installation of the Cisco IOx framework on that device. It provides a web-based user interface that you can use to manage, administer, monitor, and troubleshoot apps on the host system, and to perform a variety of related activities. For detailed information see the following document: Cisco IOx Local Manager Reference Guide.
Cisco Umbrella Branch—The Cisco Umbrella Branch feature enables cloud-based security service by inspecting the DNS query that is sent to the enterprise DNS server through Cisco 4000 Series Integrated Services Routers (ISR). For detailed information, see the following Cisco document: Security Configuration Guide: Cisco Umbrella Branch.
Cisco V.150.1 Minimum Essential Requirements Support on Cisco 4000 Series ISRs—The support for Cisco V.150.1 MER is available from Cisco IOS XE Denali Release 16.3.1. For detailed information, see the following Cisco document: Cisco V.150.1 Minimum Essential Requirements Configuration Guid e.
PKI Trustpool Enhancements—Effective with Cisco IOS XE Denali 16.3.1, the way PKI Trustpools are managed have changed. The PKI Trustpool Enahancements feature is used for authentication of HTTPS connections built from the router.Common features that leverage this feature include, but not exhaustive, Plug and Play (PnP), Cisco Web Security (CWS), Cisco Umbrella Branch. If you are upgrading to this release, please review the changes to the feature at the following Cisco document: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-16/sec-pki-xe-16-book/sec-pki-trustpool-mgmt.html
Virtual Routing and Forwarding (VRF) Support on Snort IPS—The VRF feature is supported on Snort IPS configuration from Cisco IOS XE Denali Release 16.3.1 and later releases. For detailed information, see the following Cisco document: Security Configuration Guide: Unified Threat Defense.
Web Filtering— The Web Filtering feature enables the user to provide controlled access to Internet websites or Interanet sites by configuring the domain-based or URL-based policies and filters on the device. For detailed information, see the following Cisco document: Security Configuration Guide: Unified Threat Defense.
Web User Interface—Supports an embedded GUI-based device-management tool that provides the ability to provision the router, simplifies device deployment and manageability, and enhances user experience. The following features are supported on Web User Interface from Cisco IOS XE Denali Release 16.3.1:
New Software Features in Cisco 4000 Series ISR Release Cisco IOS XE Denali 16.3.2
The following features are supported by the Cisco 4000 Series Integrated Services Routers for Cisco IOS XE Denali 16.3.2:
Web User Interface: Configuring EIGRP Routing—Enhanced Interior Gateway Routing Protocol (EIGRP) is an interior gateway protocol suited for many different topologies and media. In a well-designed network, EIGRP scales well and provides extremely quick convergence times with minimal network trafficConfiguring EIGRP Routing.
Configure the Router for Web User Interface
This section explains how to configure the router to access Web User Interface.
Web User Interface require the following basic configuration to connect to the router and manage it.
An http or https server must be enabled with local authentication.
A local user account with privilege level 15 and accompanying password must be configured.
Vty line with protocol ssh/telnet must be enabled with local authentication. This is needed for interactive commands.
If you don’t want to use the factory default configuration because the router already has a configuration, or for any other reason, you can use the procedure in this section to add each required command to the configuration.
To enter the Cisco IOS commands manually, complete the following steps:
Step 1 Log on to the router through the Console port or through an Ethernet port.
Step 2 If you use the Console port, and no running configuration is present in the router, the Setup command Facility starts automatically, and displays the following text:
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]:
Enter no so that you can enter Cisco IOS CLI commands directly.
If the Setup Command Facility does not start automatically, a running configuration is present, and you should go to the next step.
Step 3 When the router displays the user EXEC mode prompt, enter the enable command, and the enable password, if one is configured, as shown in the following example:
Router> enable
password password
Step 4 Enter config mode by entering the config terminal command, as shown in the following example.
Router> configterminal
Router(config)#
Step 5 Using the command syntax shown, create a user account with privilege level 15.
Router(config)# username name privilege 15 secret 0 password
Step 6 If no router interface is configured with an IP address, configure one so that you can access the router over the network. The following example shows the interface Fast Ethernet 0 configured.
Router(config)# intFastEthernet0
Router(config-if)# ip address 10.10.10.1 255.255.255.248
Router(config-if)# noshutdown
Router(config-if)# exit
If you are going to connect the PC directly to the router, the PC must be on the same subnet as this interface.
Step 7 Configure the router as an http server for nonsecure communication, or as an https server for secure communication.
To configure the router as an http server, enter the ip http server command shown in the example:
Router(config)# ip http server
To configure the router as an https server, enter the ip http secure-server command shown in the example:
Router(config)# ip http secure-server
Step 8 Configure the router for local authentication, by entering the ip http authentication local command, as shown in the example:
Router(config)# ip http authentication local
Step 9 Configure the vty lines for privilege level 15. For nonsecure access, enter the transport input telnet command. For secure access, enter the transport input telnet ssh command. An example of these commands follows:
Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport output telnet
Router(config-line)# transport input telnet ssh
Router(config-line)# transport output telnet ssh
Router(config-line)# exit
Router(config)# line vty 5 15
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport output telnet
Router(config-line)# transport input telnet ssh
Router(config-line)# transport output telnet ssh
Router(config-line)# end
Caveats
This section provides information about the caveats in Cisco 4000 Series Integrated Services Routers routers, Cisco IOS XE Denali 16.3.1 Caveats describe unexpected behavior. Severity 1 caveats are the most serious caveats. Severity 2 caveats are less serious. Severity 3 caveats are moderate caveats. This section includes severity 1, severity 2, and selected severity 3 caveats.
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products. Within the Cisco Bug Search Tool, each bug is given a unique identifier (ID) with a pattern of CSCxxNNNNN, where x is any letter (a-z) and N is any number (0-9). The bug IDs are frequently referenced in Cisco documentation, such as Security Advisories, Field Notices and other Cisco support documents. Technical Assistance Center (TAC) engineers or other Cisco staff can also provide you with the ID for a specific bug. The Cisco Bug Search Tool enables you to filter the bugs so that you only see those in which you are interested.
In addition to being able to search for a specific bug ID, or for all bugs in a product and release, you can filter the open and/or resolved bugs by one or more of the following criteria:
Last modified date
Status, such as fixed (resolved) or open
Severity
Support cases
You can save searches that you perform frequently. You can also bookmark the URL for a search and email the URL for those search results.
Note If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.
We recommend that you view the field notices for the current release to determine whether your software or hardware platforms are affected. You can access the field notices from the following location:
Step 2 If you are redirected to a Log In page, enter your registered Cisco.com username and password and then, click Log In.
Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Enter.
Step 4 To search for bugs related to a specific software release, do the following:
a. In the Product field, choose Series/Model from the drop-down list and then enter the product name in the text field. If you begin to type the product name, the Cisco Bug Search Tool provides you with a drop-down list of the top ten matches. If you do not see this product listed, continue typing to narrow the search results.
b. In the Releases field, enter the release for which you want to see bugs.
The Cisco Bug Search Tool displays a preview of the results of your search below your search criteria.
Step 5 To see more content about a specific bug, you can do the following:
Mouse over a bug in the preview to display a pop-up with more information about that bug.
Click on the hyperlinked bug headline to open a page with the detailed bug information.
Step 6 To restrict the results of a search, choose from one or more of the following filters:
Filter
Description
Modified Date
A predefined date range, such as last week or last six months.
Status
A specific type of bug, such as open or fixed.
Severity
The bug severity level as defined by Cisco. For definitions of the bug severity levels, see Bug Search Tool Help & FAQ.
Cisco 43xx ISR reloads with no crash or core file generated, the only evidence found is in the show version output, it should display: Last Reload Reason:Localsoft.
This product includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs.
Aggregate dual authentication (Cert + AAA) is failing to lookup the TP for the certificate received from client after EAP 'cert-request' from the server.
When you take longer than ~15 seconds to enter username/password credentials, IKEv2/IPSEC Anyconnect session will establish briefly, and then disconnect within a few seconds.
when runninga Cisco 4000 IS router with NIM module for DSL connectivity, when the PPP interface is configured with "ip unnumbered loopback 1" then PPPoA session is established and ppp keepalives are passed across the virtual-access interface.
At a low shaper or an interface rate and few active flows, the conditional policer in a priority class may not be activated after adding the fair-queue command to other traffic class.
When show tech-support command is issued in any of the Cisco 4400 ISR and Cisco 4300 routers, the CLI output contains few incomplete commands and invalid command inputs in between.
Missing information for network throttle statistics, Libvirt - Storage information, Console connection status to VMs in show virtual-service tech-support.
The Cisco IOS XE Denali 16.x software documentation set consists of Cisco IOS XE Denali 16.x configuration guides and Cisco IOS command references. The configuration guides are consolidated platform-independent configuration guides organized and presented by technology. There is one set of configuration guides and command references for the Cisco IOS XE Denali 16.x release train. These Cisco IOS command references support all Cisco platforms that are running any Cisco IOS XE Denali 16.x software image.
Information in the configuration guides often includes related content that is shared across software releases and platforms.
Additionally, you can use Cisco Feature Navigator to find information about feature, platform, and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on cisco.com is not required.
Obtaining Documentation and Submitting a Service Request
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the
“Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.