Build the Next-Generation Data Center
6 week online course starting in spring 2017

The impact of tx-ring-limit

Setting the size of the hardware output queue in Cisco IOS with the (then undocumented) tx-ring-limit (formerly known as tx-limit) has been a big deal when I was developing the first version of the QoS course that eventually became the initial release of the Implementing Cisco Quality of Service training. However, while it's intuitively clear that the longer hardware queue affects the QoS, years passed before I finally took the time to measure the actual impact. The results are available in my wiki.

Display operational IPv6 interfaces

The brief display of the state of IPv6 interfaces in the router (show ipv6 interface brief) is significantly different from the well-known show ip interface brief display as the IPv6 address might not fit in the same line as all the other data. To filter the printout and display only the operational interfaces, you have to replace the include filter with the section filter, which displays all the lines matching the regular expression as well as associated follow-up lines.

PE-A#show ipv6 interface brief | section up
Serial1/0 [up/up]
Serial1/1 [up/up]
Loopback0 [up/up]

The definition of the associated follow-up lines depends on the printout. Usually the indented lines are assumed to belong to a section, but you might be surprised.

UDP flood in Perl: version 2

I had to do some precise QoS tests and needed a flooding tools that I could tightly control, so I rewrote the PERL UDP flooding program to include a few additional parameters: you can specify the desired bandwidth or inter-packet delay. You can download the new source code from the CT3 wiki.

As my readers have mentioned in a comments to my previous post on this topic, you should use kernel-based floods for high-performance or you could use Iperf to do the UDP floods or TCP bandwidth measurements. However, as I do the QoS tests in a remote lab with virtual PCs that have no Internet connectivity for obvious security reasons, it's easiest to make changes to a PERL script over the console window.

X.25 anyone?

The last time I've configured X.25 on a router was probably 10 years ago, but based on features recently added to Cisco IOS it looks like the technology is still around somewhere … so I'm wondering: do you still use it in your network? Please respond to this week's readers' poll.

What is CLNS?

According to the results of the recent “Do you use CLNS?” poll, around 10% of my readers use CLNS in their network, while 36% of them wonder what that acronym stands for.Let's start with the acronyms. CLNS (Connection-Less Network Service) in combination with CLNP (Connection-Less Network Protocol) is the ISO (International Standards Organization) equivalent to IP.

ISO makes a fine semantic distinction between the service offered to higher layers (CLNS) and the protocol used to implement it (CLNP). There is no such distinction in the IP world.

CLNS (and CLNP) uses long variable-length addresses, making it a viable successor to IPv4. At the time when the IETF community started to design the next-generation IP (before IPv6 appeared on the drawing board), the proposals to use CLNS were taken pretty seriously even though they used interesting acronyms like TUBA (TCP and UDP over Big Addresses) and FOOBAR (FTP Operation Over Big Address Records).

Follow the links in the previous paragraph, they point to actual RFCs.

In the end, IETF decided to invent yet another protocol (IPv6), effectively quadrupling the IPv4 address size while retaining most of the benefits and drawbacks of IPv4. If I remember correctly, the technical explanation for this decision was the variable-length of the CLNS addresses (which make the hardware implementation of layer 3 forwarding pretty complex), while one of the real reasons was probably also the "not-invented-here" syndrome (and the lack of total control over a new protocol inherited from another organization).

CLNS was widely used in early large IP networks primarily due to the multi-protocol implementation of IS-IS (the CLNS routing protocol that is roughly equivalent to OSPF), which came from DECnet phase V(anyone remember DEC, the maker of great minicomputers and probably the best operating system ever written?). Several very large networks used IS-IS at that time, forcing Cisco to optimize IS-IS code before they managed to fix the OSPF code. This led to an interesting phenomenon: the best-performing IP routing protocol was a protocol endorsed by ISO that was never designed (initially) to carry IP prefixes.

When network engineers claim that they use CLNS in their networks, they usually want to say that the use IS-IS, which uses CLNS addresses to identify routers (similar to IPv4 addresses used by OSPF as the Router ID). The actual forwarding of CLNP datagrams (what I would consider the real usage of CLNS) is very rare today; the last time I've seen it, CLNP was used in the management networks to manage Sonet/SDH devices. According to one of the comments to my initial post, most of these devices support IP as the transport protocol today, making CLNP mostly obsolete.

Anyhow, I've recently discovered that Cisco supports CLNS routing over BGP and wanted to write about it … obviously, based on the poll results, that would be a purely academic exercise.

MAC addresses on VLAN interfaces

CCIE Pursuit writes about the usage of MAC addresses on SVI (VLAN) interfaces on various Catalyst switches. Some switches might reuse the same MAC address on multiple VLANs, leading to interesting problems if another box bridges those VLANs (for example, a transparent firewall).

BGP Convergence Quick Learning Module

If you network has endless BGP convergence problems, our new BGP Quick Learning Module will improve your knowledge on this topic and enhance your hands-on configuration and troubleshooting skills.

This e-lesson describes how you can optimize BGP convergence in your network without overloading the routers running BGP. The hands-on remote exercise will enable you to configure fast BGP convergence under various conditions and test the convergence times in a controlled lab environment instead of trying these techniques in a production network.

Software and hardware queues in FIFO queuing

I ran a few tests to document the differences between the fair queuing and FIFO queuing in Cisco IOS as well as the impact of queuing mechanism on the software/hardware queue used. The results are stored on CT3 wiki.

Almost-dynamic routing over ADSL interfaces

Recently I had to implement Internet access using ADSL as the primary link and ISDN as the backup link. Obviously the most versatile solution would use the techniques described in my IP Corner article Small Site Multi-homing, but the peculiarities of Cisco IOS implementation of the ADSL technology resulted in a much simpler solution.

IOS implementation of PPPoE links uses dialer interfaces. However, the “dialing” on these interfaces is activated as soon as the underlying PPPoE session is active (before the first interesting packet is routed to the interface). When the simulated dial-out occurs, the router starts PPP negotiations including the IPCP handshake, which usually results in an IP address assigned to the dialer interface. Net result: if the dialer interface has an IP address, the PPPoE session is obviously active (and vice versa).

As my ADSL link and the ISDN backup used the same service provider (and very probably the same Radius servers), it made no sense to define additional IP SLA measurements to figure out if the service provider's network is operational; the IP route to the primary dialer interface is installed as soon as the interface is ready to route IP packets. The relevant parts of the router's configuration are included below.

interface FastEthernet0
 description outside LAN
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 3
interface BRI0
 description ISDN line
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
interface Dialer0
 description ADSL primary uplink
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 3
interface Dialer1
 description ISDN backup
 ip address negotiated
 ip nat outside
 dialer pool 1
track 100 interface Dialer0 ip routing
 delay down 10 up 10
ip route Dialer0 10 track 100
ip route Dialer1 250

IOS Queuing 101

A while ago I've been a co-mentor to a graduate student who investigated the difference between shaping and policing for his thesis. While doing the lab tests, he stumbled across an interesting problem: he could not configure fancy queuing (for example, CB-WFQ) on a point-to-point Frame Relay subinterface. The solution was to configure a QoS hierarchy, doing shaping first and queuing within the shaping queues.

A few days ago, Arden Packeer covered the same topic in one of his blog posts, so it looks like the underlying problem (and the solution) is not as widely known as I had assumed. Time to write a tutorial on Queuing Principles in Cisco IOS.

Cookbook: collect router printouts in an EEM applet

Quite often, you'd like to include results of various show printouts as the body of the e-mail sent by an EEM applet. It's easy to include a single printout: execute the show command with the action cli command and include the $_cli_result variable in the e-mail body (more details can be found in the Send email from EEM applet article).

It's trickier to include outputs from several show commands in the same e-mail: you have to collect the outputs into a file in the router's flash, list the contents of the file and send the result.

Hot air party

Cisco recently announced a Linux-based add-on board for the ISR router models. It might not be the best thing ever invented, it's probably overpriced and we still have to see what we really get; the materials available on the Cisco's web site are another good example of a great marketing machinery (when I see a title "Our Strategy is Integration and Convergence"on the slide #11 of a Technical Overview presentation, I start wondering whether it's worth my time to continue looking at the presentation). But at least this time they talk about supporting Perl and Python, not Tcl :))

However, what really prompted me to start writing this post was the "wisdom" spread by industry journalists. Network world was still moderate; the gentleman at LinuxWorld had some strong opinions. It would be OK if they would stop at bashing the new module (and questioning the value-for-price is always fair), but of course it's more fun being all over the place, evangelizing the beauties of PC-based open-source routers and the demise of traditional router vendors. While there's (yet again) nothing wrong with open-source, let's bring a bit of the history into the picture:

  • 15 years ago, someone had a great idea to install WAN cards and routing software into PC servers. The journalists greeted that idea as the downfall of dedicated routers. Guess what ... it flopped and the router market continued to grow.
  • Cheap Layer-3 switches have been greeted as the next router killer. We still have routers and switches in our networks.
  • People have been using Linux as their home firewalls for years ... and it hasn't really impacted the low-end router market; SOHO users are still preferring to buy Linksys (or whatever other cheap low-end brand) over configuring firewall on Linux.
  • Public-domain BGP implementations have been around for as long as I can remember and they are not bad. Some people with very low budget use them for route servers ... but Cisco and Juniper are still selling high-end boxes.

In the real world of networks that have more than a few routers, if you have enough budget to buy yourself a good night's sleep, you usually install dedicated routing hardware ... but I guess this is not the sort of story that would sell the industry journals.

Interesting posts

A few interesting posts found on the Internet:

OSPF quick learning module

A while ago I've described a scenario where OSPF behaves like a distance-vector protocol, including creating temporary routing black holes. If you think this behavior might affect your network, it's best you test the details in a controlled lab environment. Our OSPF quick learning module will tell you how to tweak the OSPF parameters and how to prevent IP prefix reappearance in the original area. The blended solution also includes a remote lab exercise, where you can test the IOS behavior on actual routers.

E-lessons are subscription-based; you can repeat each module in the lesson (including the lab) as many times as needed.

IPv4 forever?

One of the obscure facts of IPv6 OSPF (OSPFv3) is that it uses a 32-bit router ID like OSPFv2. It's a reasonable choice, I haven't seen an OSPF network with more than a billion routers yet. However, could you guess how this requirement is implemented in Cisco IOS? OSPFv3 searches for an IPv4 address (effectively the same algorithm used by OSPFv2) to get the router ID for the IPv6 routing process. Neat, isn't it?

You might wonder what happens if you want to configure an IPv6-only router. OSPF won't start unless you configure the router ID manually. And, no, you cannot enter a number (which would be the expected format, as the router ID is just a number in the IPv6 world), you have to enter an IPv4 address. Long live IPv4 :))Here is a sample printout from a router. First, let's check the interface status:

Site-D(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES manual up up
FastEthernet0/1 unassigned YES manual up up
Loopback0 unassigned YES manual up up
No IPv4 running anywhere. Good. Let's continue and configure IPv6:
Site-D(config)#ipv6 unicast
Site-D(config)#ipv6 router ospf 1
*Mar 1 01:18:46.423: %OSPFv3-4-NORTRID: OSPFv3 process 1 could not pick a router-id,
please configure manually
Oops, IPv6 OSPF won't start if the router doesn't have an IPv4 address. Let's configure the router ID:
Site-D(config-rtr)#router-id ?
A.B.C.D OSPF router-id in IP address format


If you're a Cisco partner, you can run the Configuring OSPFv3 remote lab exercise free-of-charge from Partner Education Connection. Everyone else can get the same exercise as part of the IPv6 remote lab bundle from our learning store, where you can also buy the IPv6 Fundamentals, Design and Deployment (IP6FD) e-course.

Browser trivia

I've started using Google Analytics just over a year ago, so I could do a nice analysis on which browsers my visitors are using compared to the situation a year ago. Firefox gained almost 10% market share while Internet Explorer has lost 13%.In the same period, the number of visits has increased by a factor of five. Not bad for an extremely geeky blog :)

BGP Essentials: Non-Transit Autonomous System Design

It's evident from the comments to my previous post on the non-transit AS implementation that I forgot to do my homework: I jumped straight into the implementation details without explaining the basics of non-transit AS and associated design rules. I hope I did a better job in a short article “(Non)Transit Autonomous System” which starts with the definition, describes the usual challenges of multi-homed end-users and the non-transit AS design and (at the very end) its implementation.

Cisco partners can test the non-transit AS implementation in the Using Multihomed BGP Networks and Employing AS - Path Filters remote lab exercises. If you're don't have access to Partner Education Connection, you can buy our Configuring BGP on Cisco Routers e-learning solution or the BGP Remote Lab Bundle.

AI (Artificial Intelligence) in Cisco IOS release 12.4T

Years ago, when the "fourth-generation computers" (looks like they've been renumbered to the fifth generation in the meantime) were as hot as Web 2.0 is today, we started talking about the generation after that which you could control with statements like “Do what I don't know how” ... and some of that mentality is already built into Cisco IOS.

In a comment to my recent NTP-related post mentioning OSPF configuration, Wan Tajuddin correctly stated that the OSPF network statement should contain the wildcard bits, not the subnet mask. But I was positive I had running networks with the network area 0 OSPF configuration, so it was time for one more lab test. As it turns out, at least the IOS release 12.4T accepts either the wildcard bits or the subnet mask and figures out which one you've used.Here is the printout from the test run. First the traditional configuration:

R1#show run ¦ sect router ospf
router ospf 1
network area 0
R1#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 1 LOOP 0/0
Se1/1 1 0 70 P2P 1/1
Se1/0 1 0 64 P2P 1/1
Fa0/0 1 0 10 WAIT 0/0
The configuration uses the wildcard bits and all interfaces are in area 0 as expected. Now let's try to specify the network:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no router ospf 1
Mar 1 00:09:37.640: %OSPF-5-ADJCHG: Process 1, Nbr on Serial1/1 from FULL to DOWN, Neighbor Down: Interface down or detached
Mar 1 00:09:37.648: %OSPF-5-ADJCHG: Process 1, Nbr on Serial1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config)#router ospf 1
R1(config-router)#network area 0
Mar 1 00:09:50.944: %OSPF-5-ADJCHG: Process 1, Nbr on Serial1/1 from LOADING to FULL, Loading Done
Mar 1 00:09:51.104: %OSPF-5-ADJCHG: Process 1, Nbr on Serial1/0 from LOADING to FULL, Loading Done
R1#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 1 LOOP 0/0
Se1/1 1 0 70 P2P 1/1
Se1/0 1 0 64 P2P 1/1
Fa0/0 1 0 10 WAIT 0/0
OK, it works for the default route, how about a specific subnet (
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no router ospf 1
Mar 1 00:09:37.640: %OSPF-5-ADJCHG: Process 1, Nbr on Serial1/1 from FULL to DOWN, Neighbor Down: Interface down or detached
Mar 1 00:09:37.648: %OSPF-5-ADJCHG: Process 1, Nbr on Serial1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config)#router ospf 1
R1(config-router)#network area 0
Mar 1 00:09:50.944: %OSPF-5-ADJCHG: Process 1, Nbr on Serial1/1 from LOADING to FULL, Loading Done
Mar 1 00:09:51.104: %OSPF-5-ADJCHG: Process 1, Nbr on Serial1/0 from LOADING to FULL, Loading Done
R1#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Se1/1 1 0 70 P2P 1/1
Se1/0 1 0 64 P2P 1/1
As expected, only the WAN interfaces with IP addresses in the specified IP address range are in the OSPF process, so IOS properly recognizes IP prefix specifications including subnet masks. OK, but let's see how the router stores the OSPF configuration:
R1#show running-config ¦ section router ospf
router ospf 1
network area 0
Cool. The router automatically inverts the subnet mask into wildcard bits, so even if you use the “wrong” format on the CCIE lab, the automatic grading program will get the expected results :)

Cookbook: send e-mail from EEM applet

I've described the action mail command that allows you to send e-mails from EEM applets in several posts. However, the posts were always focused on a particular task and the various action mail options were mentioned in passing. The Send e-mail from EEM applet article contains a step-by-step recommendations on portable and scalable usage of the action mail command.

Do you use CLNS in your network?

A few years ago, we've seen a lot of requests to design CLNS networks (primarily for network management purposes). I haven't heard about CLNS recently, so I'm wondering: is it still used or did it go the way X.25 did? You can help us all understand what's going on by responding to the quick poll I've set up: just open any page in my blog, select the answer from the poll in the top-right corner of the page and click Vote (the button might be labeled in your local language).

More detailed observations are also most welcome: just add a comment to this post.

The “IP fragmentation” quick learning module

In the IP Corner article The Never-Ending Story of IP Fragmentation, I've described the various challenges posed by IP fragmentation in modern IP networks. If you want a more in-depth look at that topic, check the new IP fragmentation e-lesson. It includes a recorded presentation and a remote lab exercise where you can test various fragmentation scenarios, including MPLS VPN backbone, GRE tunnels and GRE+IPSec combination.

E-lessons are subscription-based; you can repeat each module in the lesson (including the lab) as many times as needed.

Technology is supposed to be simple, right?

In his comment to the announcement of my NTP article, Joe said:

This is part of the problem with NTP. It's way more complicated then it needs to be. You shouldn't have to understand so much of it to use it on your routers. Take a look at openntpd. It's free and runs on bsd or linux.

I have to disagree with him on several counts:

  • NTP is supposed to solve a pretty hard problem of synchronizing multiple independent time sources over communication paths with unpredictable delay and jitter. Considering the limitations it's faced with, it does an amazingly good job.
  • NTP configuration on IOS is no more complex than the openntpd configuration if the only thing you want is to do is to configure an upstream NTP server. The only commands you need are ntp server and ntp master.

However, the most important point, in my opinion, is the difference between "aiming for a short recipe" and "understanding the technology". If the only task you ever need to perform is to configure upstream NTP servers, don't even bother to read the IOS documentation or my article, you don't need more than a single configuration command … but then, when things really break, you'll be in trouble.

Likewise, the only thing some people want to know about OSPF are the following two commands:

router ospf 1
 network area 0

There are others, however, that might need a slightly more in-depth understanding of OSPF design, configuration and troubleshooting (that's why we developed an OSPF course and corresponding set of remote lab exercises and Tom Thomas wrote a whole book about it).

Visit our virtual booth in Cisco Partner Space

Just before this year's Partner summit, Cisco has launched Cisco Partner Space, a “virtual collaborative environment”. While I don't believe in the added value of eye candy, it sure looks nice.

During the Partner summit, the Cisco Partner Space hosts the virtual version of the event, including the exhibitor booths. You can visit us by choosing the Reseller Exhibition Hall (what a nice name, isn't it … all of a sudden, their Gold Partners are caller Resellers) from the menu on the first page (after you log in), selecting Booths 26-36 and NIL from the Booth List. If you let me know when you'll go there, I might even be there to chat with you (I can't promise it, though).

BGP essentials: Non-transit AS

Sometimes I find the information on the Internet that is so far from the facts that it might actually hurt someone. For example, the configuration in this post supposedly prevents you from becoming a transit AS (which is a really bad idea if you're a multi-homed end-user). Actually, it achieves the goal as it drops all incoming routes due to a malformed AS-path access-list that denies everything :) … but then, why do you need BGP in the first place?

Create initial router configurations from dynagen topology

I've always considered building (almost identical) initial router configurations a waste of time, more so when I had to enter them manually, enabling interfaces, configuring IP addresses and Frame Relay subinterfaces on the fly … as well as entering dozens of commands that I feel should be present in every router configuration.

When I finally had enough, I've stopped my non-critical lab tests for a few weeks (that's why there's still no answer on the very good question whether the NBAR started by NAT is of any use) and wrote configMaker: a PERL script that parses dynagen lab topology and produces initial router configurations based on a template file that you can adjust to your own needs. Read more about it in the CT3 wiki.

Cisco IOS NTP Essentials

A while ago I've been involved in an interesting discussion focusing on NTP authentication and whether you can actually implement it reliably on Cisco IOS. What I got out of it (apart from a working example :) was the feeling that NTP and it's implementation in Cisco IOS was under-understood and under-documented, so I planned to write an article about it.

However, as I did my research, I figured out there's so much I didn't know about NTP (do you know what's the essential difference between a peer and a server?)that I decided to start with an introductory article explaining the basics of NTP, SNTP and their IOS implementation. It's been published under the name “It’s Good to be on Time” in the IP corner section of our company's web site.

Use UDP flood to increase router's CPU load

If you want to test the ERM policies in a controlled environment, it's almost mandatory to have tools that allow you to overload the router. One of these tools is the UDP flood: if you flood a router's IP address, you're guaranteed to raise the CPU to 100%, with majority of the process CPU being used by the IP Input process (the interrupt CPU load will also be significant).

This phenomenon illustrates very clearly why it's so important to have inbound access lists protecting the router's own IP addresses on all edge interfaces.

If you want to stress-test the router's forwarding functionality, you could use the host route to the null0 interface; all packets sent to that IP address will be CEF-switched, so the only impact of the UDP flood to the unreachable IP address will be the increased interrupt CPU load. I was able to increase the interrupt CPU load to close to 50% on a 2800 router using a virtual PC with a Fast Ethernet interface.

And just in case you need it, here is the configuration from my test router. All packets sent to are CEF-switched and dropped (the CPU load from the IP input process is negligible).

interface FastEthernet 0/0
ip address
ip route null 0

Do bootcamps make sense?

My recent post about a CCNP bootcamp program we've launched generated interesting comments, most of them focusing on the question: “Does it make sense to attend a bootcamp?”

The answer depends on how you got to the stage where you want to (or need to) attain the CCxP certification. Before going into discussions on “experience” versus “knowledge retention” (potentially “aided” by brain dumps), please read The Top 10 Problems with IT Certification in 2008 article published by InformIT. My potential disagreements with this article are so minor that I will not even try to document them.

OK, now that we're on the same page, let's analyze why someone would want to pursue CCxP certification:

  • To increase the salary or have better job options (as HR departments ask for people with specific set of certifications). From what I hear, this reason is more viable in US than the rest of the world (in most of Europe we can still test the technical skills of the candidates in any way we want without running the risk of being sued). Bootcamps might not be the best option for these candidates, as they tend to be priced similarly to the regular classes. Reading books or e-learning material (not to mention certain not-so-very-legitimate activities) will get you through the exams as long as they don't have the hands-on part ... and of course you'll end up having certification with zero experience;
  • To learn something new and valuable resulting in a formal recognition of the effort. Don't even think about attending the bootcamps. If you're learning completely new concepts, go through the regular courses (or use e-learning combined with hands-on lab exercises). Highly intensive format of the bootcamps (after all, we're trying to squeeze almost two weeks worth of material into a single week) will fly way over your head.
  • To formalize your experience ... either because you want to or because your employer needs certified head count (very common with Cisco partners trying to get better discount based on their partner status). In this case, a condensed bootcamp is usually the best option. For example, we had very successful bootcamp program a few years ago running back-to-back with the exams ... and, mind you, we used no cheating or brain dumps, the fact that the students took the exam right after the course obviously helped.

Last but definitely not least, it's worth mentioning that not all five-day courses have five days worth of content. In these cases, condensing them into bootcamps makes even more sense.

RFC 3514 implemented by the ASR series of routers

The information on the IOS XE software used by the recently launched ASR 1000 router is pretty scarce (there is still no link to the documentation available on CCO), but obviously some backdoor links already exist, as I was able to find some IOS XE-related documents with Google. One of the most amazing features I've found is the support for the security-oriented RFC 3514 which allows you to mark the security level of an IP packet.

The RFC 3514 requires the end host to participate in the process, but as most operating system vendors still don't have a trusted computing platform, a transparent proxy has to be implemented on the network edges to properly tag the ingress packets. ASR 1000 has the first high-speed implementation of the RFC 3514 proxy thanks to its non-deterministic parallel QuantumFlow processors.

The configuration of the RFC 3514 proxy is extremely simple: all you need to do is to configure auto-secure mark on the ingress interfaces of the ASR 1000. Once the security bit has been set, you can use the match ip security-bit 0|1 command in a class-map or a route-map on any router running IOS release 12.4(11)T or later (the command is still hidden).