Community Manager

Ask The Expert: Introduction to Cisco ASR 1000 Series Aggregation Services Routers

Manigandan B

Welcome to the Cisco Support Community Ask the Expert conversation. Learn from Cisco expert Manigandan B about the architecture, features, performance and benefits of Cisco ASR 1000 Series Routers. This event is a continuation of the Cisco live Facebook Forum, where you can ask additional questions to the expert.

Manigandan B. is a technical services engineer at Cisco working as a team leader for the Enterprise Services team. He works primarily with customers and their escalations in the Europe, Middle East and Africa (EMEA) region. His areas of expertise are architecture of routers, Cisco IOS, QoS, packet tracing, Cisco Express Forwarding, Cisco NetFlow, Network Address Translation, and other router platform issues. Mani has been associated with Cisco for more than 3 years, having joined Cisco after receiving a bachelor's degree in electronics and communication engineering. He also holds CCNA, CCNP, and ITIL certifications.

Remember to use the rating system to let Manigandan know if you have received an adequate response. 

Manigandan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community discussion forum shortly after the event. This event lasts through March 6, 2012. Visit this forum often to view responses to your questions and the questions of other community members.


Hello Michel,

It's worth opening a TAC case for this, as we need to deal more with QFP NAT.

Anyway, can you please add this:

show tech

show logging  - - > This will be covered under "show tech" if the IOS-XE version is 15.0(1)S or later.

sh ip nat translation

sh ip nat statistics

sh plat hard qfp active statistics drop | e _0_

sh platform hardware qfp active feature nat datapath stats

sh plat har qfp act inf ex st us

One of the reasons why 1:1 NAT can happen with PAT is when some non-IP traffic flowing through the box needs to be PAT'd. This could be some non-TCP/UDP/ICMP traffic.

It is always better to employ an ACL to:

1 permit only TCP/UDP/ICMP

2 deny DNS, netbios, LDAP (if they don't use these ALGs).

Please note that GRE is one such traffic type that can cause the whole IP address to be used - we can't PAT it.

ACL changes are definitely needed, not just as a workaround but as a best practice, to avoid these 1:1 issues in the future.

We can disable a few ALGs but without knowing the network I cannot suggest that.

I think we may need a detailed TAC analysis, so please open a TAC case with the info suggested above.  Thanks and have a nice day.
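As an added illustration (not part of the original post and not Cisco tooling), the sketch below tallies "sh ip nat translation" output per pool address to show which addresses are held by port-less 1:1 entries instead of PAT. The sample rows and the assumed column layout (Pro / Inside global / Inside local / Outside local / Outside global) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the classic "show ip nat translations" layout
# (assumption: Pro / Inside global / Inside local / Outside local / Outside global).
SAMPLE = """\
Pro Inside global        Inside local       Outside local      Outside global
tcp 203.0.113.5:1024     10.1.1.10:51522    198.51.100.7:443   198.51.100.7:443
udp 203.0.113.5:1025     10.1.1.11:40000    198.51.100.9:123   198.51.100.9:123
icmp 203.0.113.5:7       10.1.1.12:7        198.51.100.7:7     198.51.100.7:7
--- 203.0.113.1          10.1.1.20          ---                ---
--- 203.0.113.2          10.1.1.21          ---                ---
tcp 203.0.113.5:1026     10.1.1.20:51523    198.51.100.7:80    198.51.100.7:80
"""

# IPv4 address with an optional :port suffix.
ADDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")

def classify_pool_usage(text):
    """Return {inside_global_ip: {"pat": n, "one_to_one": [inside_local, ...]}}."""
    usage = defaultdict(lambda: {"pat": 0, "one_to_one": []})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Pro":
            continue  # header or blank line
        glob, local = ADDR.match(fields[1]), ADDR.match(fields[2])
        if not glob or not local:
            continue  # not a translation row
        if glob.group(2) is None:
            # No port on the global side: the whole address is bound to one host.
            usage[glob.group(1)]["one_to_one"].append(local.group(1))
        else:
            usage[glob.group(1)]["pat"] += 1
    return dict(usage)

def addresses_lost_to_one_to_one(text):
    """Pool addresses consumed entirely by a single inside host."""
    usage = classify_pool_usage(text)
    return sorted(ip for ip, u in usage.items() if u["one_to_one"])

if __name__ == "__main__":
    for ip, u in sorted(classify_pool_usage(SAMPLE).items()):
        print(ip, "PAT entries:", u["pat"], "1:1 hosts:", u["one_to_one"])
```

The inside local addresses listed for each 1:1 entry are the hosts whose traffic should be checked against the NAT ACL.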




Hi friends,

Need your urgent help. Need to convert legacy cct. (OPX, tietrunk, FX, hotline, ATM, Frame Relay) into latest and cheap me directly@


Hello Mani,

Got a question regarding 2 ASR1001's that I have that occasionally receive false temperature warnings from the power supply.  I think I see bug CSCtr38540 that might exactly describe this but I can't view any details to know for sure. Apparently there is proprietary info on this bug.  I think what I need to know is if there is a new IOS that would fix this? If so, what would that be?  Is there any way I can view info on this bug minus the info Cisco doesn't want me to see?

Thanks much, Joe

Hello Joe,

Can you paste me the logs you see?  I guess you see something like:

"%ENVIRONMENTAL-1-ALERT: Temp: Inlet, Location: P1, State: Shutdown, Reading: 127 Celsius"

You can verify whether it's a false alarm by checking with the "show platform" command.  You would see something like:

show platform 

Chassis type: ASR1001            

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ASR1001             ok                    1w3d         
0/0      ASR1001             ok                    1w3d         
R0        ASR1001             ok, active            1w3d         
F0        ASR1001             ok, active            1w3d         
P0        ASR1001-PWR-AC      ok                    1w3d         
P1        ASR1001-PWR-AC      ok                    1w3d     >>>    
P2        ASR1001-FANTRAY     ok                    1w3d         

These 2 bugs: CSCtr43123  CSCtu16388  are the duplicates of CSCtr38540, so you saw the release notes talking about CSCtu16388.  Nothing to worry.  ASR1k team is working with Emerson vendor for providing the right info about the PS, as ASR1k code relies on that info.  This issue is on its way to get fixed.  Thanks.




Hi Mani,

I pasted the things in this email.. its exactly as you described. So when you say “this issue is on its way to being fixed”, <- that means so far that there is no fix yet?

So far this has not caused us any issues, it's just one of those things that makes you nervous when you see it in a log.

Have a great day! Joe

Feb 10 04:01:12: %ENVIRONMENTAL-1-ALERT: Temp: Inlet, Location: P1, State: Minor, Reading: 72 Celsius

Feb 21 00:09:22: %ENVIRONMENTAL-1-ALERT: Temp: Inlet, Location: P0, State: Shutdown, Reading: 127 Celsius

LMAN-ALLEGAN#show platform

Chassis type: ASR1001

Slot Type State Insert time (ago)

Hi Joe,

ASR1k development team is actively working on the fix for this vendor stats issue from power supply.  It has nothing to impact, as the "show plat" command will tell us that the health of the PS is perfectly fine.  Please omit it for now and we will fix it soon :).  Have a wonderful day.  Thanks.




We experienced this on several of our ASRs (1001 & 1002)

We opened a TAC case and found out that this is fixed in 15.2(1)S and 15.1(3)S2.  We've got 15.2(1)S burning in the lab before we deploy it to production in a few weeks.


Ven Taylor
Brendon Bell

Hi Mani,

I am attempting to set up traffic policing inbound on the ASR1001.

I want to police the incoming traffic in a vlan from a service provider to 100M (all traffic - no bursting permitted).

My config looks like this:

class-map match-all FX_INTERNET_CLASS

match access-group name FX_INBOUND




  bandwidth 100000

  police cir 10000000

   conform-action transmit

   exceed-action drop

   violate-action drop

interface Port-channel1.202

description FX Internet National

encapsulation dot1Q 202

ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip ospf 100 area 0

service-policy input FX_INBOUND_POLICY

ip access-list extended FX_INBOUND

permit ip any any

I have tested this using iperf and it doesn't work.

Also the following message is displayed:

ttpchcrt04#sh policy-map interface


  Service-policy input: FX_INBOUND_POLICY

    Service policy FX_INBOUND_POLICY is in suspended mode


  Service-policy input: FX_INBOUND_POLICY

    Service policy FX_INBOUND_POLICY is in suspended mode

Can you help with this please?

Hello Brendon,

What you see is expected, as we don't support ingress QoS on port-channel or its sub interfaces.  This feature will make it into the ASR1k's XE38/15.3(1)S/3.8.0S.  Anytime this month - tentative.

The following applies for GEC on ASR in release 15.1(2)S:

Ingress QoS:
Application point     Policing       Queueing
port-channel sub      Supported      No support
port-channel main     No support     No support
member-link           No support     No support

And for egress QoS:
Application point     Policing       Queueing
port-channel sub      No support     No support
port-channel main     No support     No support
member-link           Supported      Supported

Thanks for the question.



Dear Mani,

Kindly, your input is highly appreciated.



Hello Manigandan,

We have implemented a few dozen ASR 1004s as Internet Gateways, but unfortunately we are having lots of problems when running PAT.

Two issues have been faced so far and are critical to operations:

1- PAT pooling fails, whereas if we have a pool with N entries, lots of protocols are consuming 1-to-1 NAT, which leaves us with a shortage of ports. A pool of 5 IP addresses should serve about 320000 ports, thus 320000 simultaneous connections, but we only end up using the first 4 IP addresses as 1-to-1 NAT and the remaining 5th is doing PAT! We tried to increase the pool mask (e.g. 20 IP addresses) and still have the same issue. We expect to serve 2000000 simultaneous connections per ESP-40 (as per the datasheet).

2- On another unit we have the following output in the NAT stats:

sh ip nat statistics

Total active translations: 75727 (0 static, 75727 dynamic; 75727 extended)

Outside interfaces:

  GigabitEthernet0/0/2, GigabitEthernet0/0/3

Inside interfaces:

  GigabitEthernet0/0/0, GigabitEthernet0/0/1

Hits: 1842060462  Misses: 52429354

CEF Translated packets: 0, CEF Punted packets: 0

Expired translations: 52225597

Dynamic mappings:

-- Inside Source

[Id: 9] route-map NATALL pool natpool refcount 75320

pool natpool: netmask

        start end

        type generic, total addresses 50, allocated 1 (2%), misses 0

nat-limit statistics:

max entry: max allowed 0, used 0, missed 0

Pool stats drop: 0  Mapping stats drop: 1

Port block alloc fail: 0

IP alias add fail: 0

Limit entry add fail: 0

Note that we have 75727 simultaneous connections for a SINGLE IP... That is a bit awkward, don't you think?

Your feedback is much appreciated.

One last question, is there any document related to which applications are supported by PAT on the ASR1K ?





Is there an SVI equivalent for ASR1002 platform?

Single IP address visible on 2 physical ports?


We have bridge domain groups and BDI interfaces (instead of Vlan, SVI interfaces), please see the same below:


Best wishes.




The command "interface BDI" is not supported on our device.

Here is the version I'm running,

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XND2, RELEASE SOFTWARE (fc1)

Is BVI my only other option?



Hello JD,

A few points:

1. Legacy bridging is not supported on ASR1k. Please see: CSCth68125 ASR1k : Remove unsupported command 'bridge-group' from the parser.  The commands were 'bridge-group ...' and 'interface BVI'.

2. The only solution is BDI.  The support for the same started from:


Please also note that you are running an IOS-XE software that's quite old and end of software engineering as well:

Hope this helps.  Best wishes.




Hi Mani,

What does it mean in the datasheet for ESP 10: FW or NAT: 1,000,000 sessions?

We are currently having an issue with ASR1006 with ESP10, processing almost 2Gbps with 500.000 firewall sessions and 350.000 total PAT translations at traffic peak, and the status control-processor output is like this:

ASR_1006#show platform software status control-processor brief

Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   1.11   1.07   1.10
  RP1 Healthy   0.11   0.15   0.09
 ESP0 Healthy   2.86   2.81   2.73
 ESP1 Healthy   0.00   0.00   0.00
 SIP0 Healthy   0.00   0.02   0.00
 SIP1 Healthy   0.01   0.24   0.16

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
  RP0 Healthy  2009868  1625524 (81%)   384344 (19%)   1169504 (58%)
  RP1 Healthy  2009868  1432636 (71%)   577232 (29%)   1021776 (51%)
 ESP0 Healthy  2009892   640784 (32%)  1369108 (68%)    407384 (20%)
 ESP1 Healthy  2009892   597048 (30%)  1412844 (70%)    404456 (20%)
 SIP0 Healthy   449768   308368 (69%)   141400 (31%)    253088 (56%)
 SIP1 Healthy   449768   309032 (69%)   140736 (31%)    253704 (56%)

CPU Utilization
 Slot  CPU   User System   Nice   Idle    IRQ   SIRQ IOwait
  RP0    0  13.28  23.67   0.00  62.13   0.09   0.79   0.00
  RP1    0   0.10   0.10   0.00  99.79   0.00   0.00   0.00
 ESP0    0  47.00  38.42   0.00  13.57   0.39   0.59   0.00
 ESP1    0   0.09   0.19   0.00  99.50   0.00   0.19   0.00
 SIP0    0   0.50   0.60   0.00  98.90   0.00   0.00   0.00
 SIP1    0   0.60   0.50   0.00  98.90   0.00   0.00   0.00

These high CPU utilization values for ESP used to be 4% for User + System at traffic peak for 1.6 Gbps, 350.000 PAT translations and 450.000 firewall sessions.

We have opened a TAC case, but we still do not know if this is too much for the ASR1006 to handle this amount of traffic.

Thanks and regards,

