Guest

Cisco IOS Software Releases 12.4 T

Cisco IOS Software Release 12.4T Features and Hardware Support

  • Viewing Options

  • PDF (6.7 MB)
  • Feedback

Contents

1) Introduction

1.1) Migration Guide

1.2) Release 12.4T Additional Information

1.3) Cisco IOS Packaging Consideration

2) Release 12.4(24)T Highlights

2.1) IP Routing

2.1.1) Cisco IOS BGP Support for 4-byte Autonomous System Numbers (ASN)

2.1.2) Mobile IP-Policy and Application-Based Routing for Mobile Router Multi-Path Support

2.1.3) Multi-VRF Selection Using Policy-Based Routing (PBR)

2.2) IP Services

2.2.1) Secure Neighbor Discovery (SeND)

2.2.2) DHCPv6 Individual Address Assignment

2.3) Embedded Management and Instrumentation

2.3.1) Web Services Management Agent (WSMA)

2.3.2) Smart Call Home Support for the Cisco 7200 Series Router

2.4) Voice

2.4.1) Cisco Unified Communications Manager Express 7.1

3) Release 12.4(22)T Highlights

3.1) Cisco IOS Security

3.1.1) IOS Firewall Support for Trusted Relay Point

3.1.2) Access Control List (ACL) Syslog Correlation

3.1.3) Per Dynamic Multipoint VPN (DMVPN) Tunnel Quality of Service (QoS)

3.1.4) Certificate IP Address Extension Support

3.1.5) Time-Based Anti-Replay on The VPN Services Adapter (VSA)

3.1.6) Group Encrypted Transport VPN (GET VPN) Enhancements

3.1.7) IOS SSL VPN Internationalization

3.1.8) IOS Support for Lawful Intercept

3.2) Embedded Management

3.2.1) Cisco IOS Embedded Event Manager Version 3.0

3.2.2) Flexible NetFlow-NetFlow v5 Export Format

3.2.3) Flexible NetFlow-TopTalkers CLI Support

3.2.4) Flexible NetFlow-Multicast Statistics for IPv4 Support

3.3) Voice

3.3.1) Cisco VG202 and Cisco VG204 Analog Phone Gateways

3.3.2) Session Initiation Protocol (SIP) Enhancements

3.4) Hardware

3.4.1) Cisco 880 3G and Cisco 880 SRST Router Series

3.4.2) Cisco IAD2435-8FXS Integrated Access Device

3.4.3) Intrusion Prevention System Enhanced Network Module

4) Release 12.4(20)T Highlights

4.1) Cisco IOS Security

4.1.1) Group Encrypted Transport VPN (GET VPN) Support for the Cisco VPN Services Adapter (VSA) for Cisco 7200 NPE-G2 Series Routers

4.1.2) Cisco IOS Content Filtering

4.1.3) VRF-Aware Cisco IOS Intrusion Prevention System (IPS)

4.1.4) User-based Cisco IOS Firewall

4.1.5) Application Inspection and Control for Simple Mail Transfer Protocol (SMTP)

4.1.6) Cisco IOS Firewall Support for Skinny Local Traffic

4.1.7) Cisco IOS Firewall Session Initiation Protocol (SIP) Application Layer Gateway (ALG) Enhancements

4.1.8) Cisco IOS Firewall H.323 Version 3 (v3) and Version 4 (v4) Support

4.1.9) Instant Messaging Blocking Support in Cisco IOS Firewall for "I Seek You" (ICQ) and Windows Messenger

4.1.10) Object Groups for Access Control Lists (ACL)

4.1.11) Cisco IOS SSL VPN Access Control Enhancements

4.1.12) Cisco IOS SSL VPN AnyConnect Client Support

4.1.13) Cisco IOS SSL VPN Back End HTTP Proxy

4.1.14) Cisco IOS SSL VPN Full-Tunnel Performance Enhancements

4.1.15) Cisco IOS SSL VPN URL Split Rewrite Support

4.1.16) Next Hop Resolution Protocol (NHRP) MIB for Dynamic Multipoint VPN (DMVPN)

4.1.17) IPv6 Over Dynamic Multipoint VPN (DMVPN) Support

4.1.18) Group Encrypted Transport (GET) VPN Support for VRF-Lite

4.1.19) Cisco Tunnel Control Protocol (cTCP) Support on Easy VPN Hardware Clients

4.1.20) IPSec Usability Enhancements

4.1.21) Secure Shell Protocol Version 2 (SSHv2) Feature Enhancements

4.1.22) Command Line Interface (CLI) for Displaying Certificates

4.1.23) CLI to Control Certification Revocation List (CRL) Cache

4.1.24) Secure Device Provisioning (SDP) Connect Template

4.2) Cisco IOS Infrastructure

4.2.1) Cisco Express Forwarding Scalability and Selective Rewrite (CSSR)

4.2.2) Network Time Protocol (NTP) Version 4

4.3) MPLS

4.3.1) Cisco IOS MPLS Label Distribution Protocol (LDP) Enhancements

4.3.2) Cisco IOS MPLS Traffic Engineering and Resource Reservation Protocol (TE/RSVP)

4.4) Quality of Service

4.4.1) Cisco IOS QoS: Hierarchical Queuing Framework (HQF)

4.4.2) Resource Reservation Protocol (RSVP) Penultimate Hop Overwrite

4.5) IP Version 6

4.5.1) IPv6 VPN Provider Edge Router (6VPE) over MPLS

4.5.2) IPv6 Access Control List (ACL) enhancements for IPv6 IPSec Authentication Header (AH)

4.5.3) Mobile Network v6-Basic NEMO Support

4.6) Embedded Management

4.6.1) Cisco IOS Service Diagnostics

4.6.2) Embedded Event Manager Version 2.4

4.6.3) Cisco IOS Embedded Packet Capture

4.6.4) Flexible NetFlow (FNF) Exporter-Outgoing Features Support

4.6.5) Flexible NetFlow for IPv6

4.6.6) Deprecating NetFlow for IPv6 Record

4.7) Hardware

4.7.1) Cisco 1861 Integrated Services Router

4.7.2) Intrusion Prevention System (IPS) Advanced Integration Module

4.7.3) Cisco 860 and 880 Series Routers

4.7.4) Cisco Business-Class IAD880 Series Integrated Access Devices

4.8) Voice

4.8.1) Communications Manager Express (CME) 7.0 Voice Features

4.8.2) Survivable Remote Site Telephony 7.0 Voice Features

4.8.3) Cisco Unified Border Element (CUBE) 1.2

4.8.4) Voice Quality Improvements on Cisco VoIP Gateways

5) Release 12.4(15)T Highlights

5.1) Cisco IOS Security

5.1.1) Cisco IOS Intrusion Prevention System (IPS) Support for Microsoft Vulnerabilities

5.1.2) Flexible Packet Matching (FPM) Full Packet Filtering

5.1.3) Cisco IOS SSL VPN Enhancements

5.1.3.1) SSL VPN Clientless Performance Enhancements

5.1.3.2) SSL VPN GUI Enhancements

5.1.3.3) SSL VPN User-Level Bookmarking

5.1.3.4) Front door-VRF (fVRF) Support

5.1.4) Cisco IOS Software Support for AnyConnect VPN Client

5.1.5) Reverse Route Injection Distance Metric Enhancements

5.2) Routing and Multicast

5.2.1) OSPF Mechanism to Exclude Connected Prefixes

5.2.2) Optimized Edge Routing (OER) Application Aware Routing

5.2.3) OER Link Grouping

5.2.4) Bandwidth Call Admission Control (CAC) for IP Multicast

5.3) IP Services

5.3.1) Gateway Load Balancing Protocol (GLBP) Client Cache

5.3.2) Dynamic Host Configuration Protocol (DHCP) Server Multiple Subnet

5.3.3) Hot Standby Routing Protocol (HSRP) Bidirectional Forwarding Detection (BFD) Peering

5.3.4) DHCPv6 Stateless Enhancements

5.4) High Availability

5.4.1) Bidirectional Forward Detection (BFD) Support for Cisco Integrated Services Routers

5.5) Connectivity

5.5.1) Multiple PPP-over-Ethernet (PPPoE) Clients per VC Support

5.5.2) Layer 2 Tunneling Protocol (L2TP) Forwarding of PPPoE Tags

5.6) Management, Instrumentation, and User Interface

5.6.1) Cisco IOS Auto-Upgrade Manager

5.6.2) Cisco IOS Embedded Resource Manager

5.6.3) Toolkit Command Language (TCL) Signing

5.7) Mobility and Wireless

5.7.1) Mobile Ad Hoc Networking (MANET) Networking Enhancements for Router Radio Links

5.7.2) Access Point Link Role Flexibility

5.7.3) IP Pool Address Holdback Timer

5.8) Voice

5.8.1) Communications Manager Express (CME) 4.1 Voice Features

5.8.2) Survivable Remote Site Telephony 4.1 Voice Features

5.9) Hardware

5.9.1) Cisco 7201 Router

5.9.2) ATM T3/E3 for the Cisco 2800 and 3800 Series Integrated Services Router

5.9.3) HWIC-2SHDSL & HWIC-4SHDSL

5.9.4) Cisco 1- and 2-Port Enhanced Capability T3/E3 Clear Channel Port Adapters and Feature Offload Support for Multichannel T3 Port Adapters

5.9.5) USB eToken 64KB Enhancement

5.9.6) Boot from USB Flash Enhancement

6) Release 12.4(11)T Highlights

6.1) Cisco IOS Security

6.1.1) Cisco IOS SSL VPN Enhancements

6.1.2) SSL VPN Netegrity Single Sign-on (SSO) Support

6.1.3) SSL VPN Application ACL Support

6.1.4) SSL VPN Port-forwarding Enhancement

6.1.5) SSL VPN Debug Infrastructure

6.1.6) SSL VPN URL Obfuscation Support

6.1.7) Group Encrypted Transport (GET) VPN

6.1.8) MPLS VPN (RFC 2547) over Dynamic Multipoint VPN (DMVPN)

6.1.9) EasyVPN Phase 8.0 Enhancements

6.1.10) Cisco IOS Firewall H.323 Registration, Admission, and Status (RAS) Message Inspection Support

6.1.11) Cisco IOS Intrusion Prevention System (IPS) Version 5.0 Signature Format Support

6.2) Layer 2 VPN

6.2.1) L2VPNs over MPLS-Any Transport over MPLS (AToM)

6.2.2) Ethernet over MPLS (AToM)

6.2.3) VLAN ID Rewrite

6.2.4) Frame Relay over MPLS (FRoMPLS)

6.2.5) Any Transport over MPLS (AToM) Interworking

6.2.6) Multilink Frame Relay over MPLS (AToM)

6.2.7) Any Transport over MPLS (AToM) High Availability

6.2.8) AToM Pseudowire Redundancy

6.2.9) AToM Graceful Restart

6.2.10) Layer 2 Local Switching with Interworking

6.2.11) Layer 2 Tunnel Protocol Version 3 (L2TPv3) Enhancements

6.3) Multiprotocol Label Switching Management

6.3.1) Cisco IOS Multiprotocol Label Switching Embedded Management

6.4) IP Services

6.4.1) DHCP Relay per interface VPN ID support

6.4.2) DHCP Class Support for Option 60, 77, 124, 125

6.4.3) Hot Standby Routing Protocol Bidirectional Forwarding Detection Peering

6.4.4.) Enhanced Object Tracking support for Mobile IP, PDSN or GGSN

6.4.5) Show and Clear Commands for Cisco IOS Sockets

6.4.6) Cisco Express Forwarding (CEF) L4 Port Load Balancing

6.4.7) Tunnel Source Address Selection

6.4.8) Radius Server Load Balancing

6.5) IP Mobility and Wireless

6.5.1) Mobile IPv6 Authentication Option Support

6.5.2) Mobile IPv6 Network Access Identifier (NAI) Support

6.5.3) Cisco Mobile Wireless Home Agent Release 3.0

6.5.4) Cisco Packet Data Serving Node (PDSN) Release 3.0

6.6) Quality of Service

6.6.1) ATM QoS Features for the Asymmetric Digital Subscriber Line (ADSL2/ADSL2+) High-Speed WAN Interface Card (HWIC-1ADSL) for Cisco 1800, 2800, and 3800 Series Routers

6.7) Voice

6.7.1) Enhancements to Cisco IOS Session Border Controller (SBC)- Cisco Multiservice IP-to-IP Gateway

6.7.2) VoiceXML Browser Update-Support of W3C VoiceXML Forum Standard VXML 2.0

6.7.3) Internet Low Bit Rate (iLBC) Codec Support for SIP and H.323

6.7.4) Internet Low Bit Rate codec (iLBC) Support on IP-to-IP Gateway for Flow-through and Flow-around Modes

6.7.5) Support for the Second Generation 1- and 2-port T1/E1 Multiflex Trunk Voice (MTF) WAN Interface Cards on the 2430 Series Integrated Access Devices

6.7.6) Support for the Multiflex Trunk Dedicated Echo Cancellation (MFT ECAN) Modules on the 2430 Series Integrated Access Devices

6.7.7) Skinny Call Control Protocol (SCCP) Controlled Analog (FXS) Ports with Enhanced Supplementary Features in IOS Gateway

6.8) Hardware

6.8.1) Network Processing Engine G2 (NPE-G2) for Cisco 7200 Series Router

6.8.2) VPN Services Adapter (VSA) for Cisco 7200VXR Series Routers

7) Release 12.4(9)T Highlights

7.1) Cisco IOS Security

7.1.1) Cisco IOS Firewall Enhancements

7.1.2) Cisco EasyVPN 7.1

7.1.3) DMVPN Manageability Enhancements

7.1.4) Virtual Private Network (VPN) Advanced Integration Module (AIM) for Cisco 1841/2800/3800 Integrated Services Routers (ISRs)

7.1.5) Cisco IOS WebVPN-Auto-Applet Port Forwarding Download

7.1.6) Cisco IOS WebVPN-HTTP Authentication

7.1.7) Cisco IOS WebVPN-RADIUS Accounting

7.2) Voice

7.2.1) Cisco Unified CallManager Express 4.0

7.2.2) Cisco Multiservice IP-to-IP Gateway-Hosted NAT Traversal

7.2.3) Skinny Call Control Protocol (SCCP) Controlled Analog (FXS) Ports with Supplementary Features in Cisco IOS Gateway

7.2.4) High-Density Packet Voice for Cisco AS5400XM and AS5350XM Universal Gateways

7.3) Management Instrumentation

7.3.1) Flexible NetFlow

7.3.2) Cisco Networking Services (CNS) Security Enhancements

7.3.3) Netconf Access for Configuration over SSH and BEEP

7.4) IP Routing

7.4.1.) Bidirectional Forwarding Detection (BFD) Echo Mode

7.4.2) ACL-based Rate Based Satellite Control Protocol (RBSCP)

7.4.3) Open Shortest Path First version 3 (OSPFv3) IPsec ESP Encryption and Authentication

7.5) Mobility

7.5.1) Mobile IP-Mobile Router Multi-path Support

7.6) IP Services

7.6.1) Enhanced Object Tracking (EOT) Support for Carrier Delay

7.6.2) Domain Name Service-Split DNS

7.7) High Availability

7.7.1) Hot Standby Router Protocol-HSRP Group Shutdown

8) Release 12.4(6)T Highlights

8.1) Hardware Support

8.1.1) G.SHDSL WAN Interface Card (WIC-1SHDSL-V3)

8.2) Cisco IOS Security

8.2.1) Cisco IOS Firewall Enhancements

8.2.2) Cisco IOS Web VPN

8.2.3) Scalability Enhancements for Dynamic Multipoint VPN with Next Hop Resolution Protocol-Cisco Express Forwarding

8.2.4) Complete Certificate Chain Validation in Cisco IOS Public Key Infrastructure

8.2.5) Enhanced Online Certificate Status Protocol in Cisco IOS Public Key Infrastructure

8.2.6) EasyVPN Password Aging via Authentication, Authorization and Accounting

8.2.7) EasyVPN Dynamic Firewall/Access Control List Policy Push to Cisco VPN Software Client

8.2.8) Secure Multicast

8.2.9) Control Plane Logging

8.2.10) Management Plane Protection

8.2.11) Network Address Translation ARP Ping

8.3) Voice

8.3.1) Cisco Resource Reservation Protocol Agent for Call Admission Control

8.3.2) Local Voice Busyout and Advanced Local Voice Busyout Enhancements

8.3.3) Cisco Text Relay for Baudot Text Phones

8.3.4) Extended Session Initiation Protocol-Session Initiation Protocol Support on the Cisco Multiservice IP-to-IP Gateway

8.3.5) In-Service Updates to Gatekeeper Zone Prefix Configuration

8.3.6) Packet Mode Services on D Channel

8.3.7) Skinny Call Control Protocol Private Line Automatic Ringdown with DTMF Out Pulse Digits for FXS Analog Phones

8.3.8) Session Initiation Protocol Gateway Support for Busyout

8.3.9) Session Initiation Protocol Transport Layer Security (TLS) Support

8.4) High Availability

8.4.1) Cisco Gateway Load Balancing Protocol for IPv6

6.4.2) Hot Standby Router Protocol-Multiple Group Optimization

6.5) Management Instrumentation

6.5.1) Cisco IOS IP Service Level Agreements-Label Switched Path Health Monitor

6.5.2) Cisco IOS IP Service Level Agreements-ICMP Jitter Operation

6.5.3) Cisco IOS IP Service Level Agreements: Real Time Protocol-based Voice over IP Operation

6.5.4) Multiprotocol Label Switching Label Switched Path Ping and Label Switched Path Traceroute

6.6) IP Routing

6.6.1) Enhanced Interior Gateway Routing Protocol for IPv6

6.6.2) Routing Information Protocol Version 2: RFC 1724 MIB Extension

6.6.3) Open Shortest Path First Version 2 RFC 3623 Graceful Restart-Helper Mode

6.7) IP Services

6.7.1) Dynamic Host Configuration Protocol Option 82-Per Interface Support

6.8) VPN

6.8.1) ANI Suppression During L2TP Set-Up for the Cisco AS5000 Series

6.9) Connectivity

6.9.1) Asynchronous Transfer Mode Oversubscription for DSL

6.9.2) Private VLAN Edge on Cisco 1800 Fixed Configuration Routers

9) Release 12.4(4)T Highlights

9.1) Hardware

9.1.1) Cisco 1801, 1802, and 1803 Integrated Services Routers

9.1.2) Multi-Processor Forwarding for Broadband LAC, LNS, and PTA

9.1.3) ADSL2/ADSL2+ Support for Integrated Service Routers (ISRs)

9.2) Cisco IOS Security

9.2.1) Flexible Packet Matching

9.2.2) Application Firewall for Instant Message Traffic Enforcement

9.2.3) VRF-Aware Domain Name System

9.2.4) Easy VPN Phase 6

9.2.5) Control Plane Protection

9.2.6) VRF-Aware IPsec MIB

9.2.7) IPv6 Support for Site-Site IPsec VPN

9.2.8) Dynamic Multipoint VPN Quality of Service Support

9.3) Voice

9.3.1) Cisco IOS IP Service Level Agreements for VoIP with Real Time Protocol

9.3.2) Secure Communication between IP-STE and PSTN STE Endpoints

9.3.3) Interoperability Enhancements to the Cisco Multiservice IP-IP Gateway

9.3.4) Identify Alternate Endpoint Call Attempts in RADIUS Call Accounting Records

9.3.5) Cisco Modem Relay

9.3.6) Session Initiation Protocol: CLI for Passing Calling Name when Privacy Exists

9.3.7) Fax Relay Support for SG3 Fax Machines at G3 Speeds

9.3.8) SIP-SIP Basic Support on the Cisco Multiservice IP-to-IP Gateway

9.3.9) Cisco CallManager Express 3.4

9.3.10) Survivable Remote Site Telephony Version 3.4 Support with Release 12.4(4)T

9.4) High Availability

9.4.1) Cisco Hot Standby Router Protocol for IPv6

9.4.2) NetFlow Reliable Export via Stream Control Transport Protocol

9.5) Management Instrumentation

9.5.1) NetFlow Top Talkers CLI

9.6) Quality of Service

9.6.1) Skype Classification via NBAR Packet Description Language Modules

9.6.2) Direct Connect Packet Description Language Modules Native Implementation

9.7) Broadband

9.7.1) Multicast User Authentication and Profile Support

9.7.2) Point-to-Point Protocol over Ethernet Circuit ID Tag Processing

9.8) IP Routing

9.8.1) Bidirectional Forwarding Detection Support

9.8.2) Border Gateway Protocol Route-Map Continue Support for Outbound Policy

9.8.3) Border Gateway Protocol Selective Next-Hop Route Filtering

10) Release 12.4(2)T Feature Technology Highlights

10.1) Hardware

10.1.1) Cisco 850 Series Integrated Services Routers

10.1.2) Cisco 870 Series Integrated Services Routers

10.1.3) Cisco 1800 Series Integrated Services Routers-Fixed Configuration Models

10.1.4) Cisco High-Speed Intra Chassis Module Interconnect

10.1.5) Inline Power Auto Negotiation

10.2) Cisco IOS Security

10.2.1) Cisco Router and Security Device Manager 2.1.2

10.2.2) Transparent Cisco IOS Intrusion Prevention System

10.2.3) Easy VPN Dynamic Virtual Tunnel Interfaces

10.2.4) Other Easy VPN Enhancements

10.2.5) Certificate Authority Key Rollover

10.2.6) Configurable Certificate Storage Location

10.2.7) Network Address Translation Optimize Media Path for Session Initiation Protocol Traffic

10.2.8) Zeroization

10.3) Voice

10.3.1) Session Initiation Protocol Support of Resource Priority Header and Reason Header

10.3.2) Session Initiation Protocol: User Agent MIB

10.3.3) Configurable Hostname in Locally Generated Session Initiation Protocol Headers

10.3.4) Secure Communication between IP-STE Endpoint and STE Endpoint

10.3.5) Land Mobile Radio over IP Enhancement

10.3.6) Media Gateway Control Protocol Controlled Backhaul of Basic Rate Interface Signaling

10.3.7) Skinny Client Control Protocol Analog (FXS) Ports Supplementary Feature Support for Cisco VG 224

10.3.8) E1 R2 Collect Call Blocking

10.4) Cisco IOS Infrastructure

10.4.1) Cisco IOS Embedded Event Manager Version 2.2

10.5) Access Technology

10.5.1) Authentication, Authorization, and Accounting CLI Stop Record Enhancement

10.5.2) Calling Number Suppression for Layer 2 Tunnel Protocol Setup

10.5.3) Multilink Frame Relay (FRF.16.1) Variable Bandwidth Class Support

10.5.4) Service Selection Gateway-Configurable Maximum Number of Allowed Subscribers

10.5.5) Service Selection Gateway Support of WISPr RADIUS Attributes

10.5.6) Routed Bridge Encapsulation Client Side Encapsulation with Quality of Service

10.5.7) Define Interface Policy-Map AV Pairs Authentication, Authorization, and Accounting

10.6) Management Instrumentation

10.6.1) Cisco IOS IP Service Level Agreements Random Scheduler

10.6.2) NetFlow Top Talker CLI-Phase 2

10.6.3) Advanced Encryption Standard and Triple-Data Encryption Standard Algorithm Encryption Support for SNMPv3

10.7) Quality of Service

10.7.1) BitTorrent Packet Description Language Modules Native Implementation

10.7.2) Citrix ICA Published Applications Native Implementation

10.7.3) Multiple Matches Per Port

10.7.4) Modular Quality of Service CLI Policy Map Support on Configured Virtual Circuit Range Asynchronous Transfer Mode

10.8) IP Multicast

10.8.1) Multicast Listener Discovery Group Limits

10.8.2) IPv6 Boot Strap Router-Ability to Configure Rendezvous Point Mapping

10.8.3) IPv6 Source Specific Multicast Mapping

10.8.4) Multicast Source Discovery Protocol MD5 Password Authentication

10.9) IP Routing

10.9.1) Application-Aware Routing: Policy Based Routing

10.9.2) TCP Show Extension

10.9.3) Internet Control Message Protocol Unreachable Rate Limiting User Feedback

10.9.4) "Clear IP Traffic" CLI

10.10) IP Services

10.10.1) IPv6 Access Control List Extensions for Mobile IPv6

10.10.2) IPv6 Default Router Preference

10.10.3) Foreign Agent Local Route Optimization


PB3001

Last Updated: February 2009

This Product Bulletin introduces Cisco IOS Software Release 12.4T, and includes the following sections:

1) Introduction

1.1) Migration Guide

1.2) Release 12.4T Additional Information

1.3) Cisco IOS Packaging

2) Release 12.4(24)T Highlights

2.1) IP Routing

2.2) IP Services

2.3) Embedded Management

2.4) Voice

3) Release 12.4(22)T Highlights

4) Release 12.4(20)T Highlights

5) Release 12.4(15)T Highlights

6) Release 12.4(11)T Highlights

7) Release 12.4(9)T Highlights

8) Release 12.4(6)T Highlights

9) Release 12.4(4)T Highlights

10) Release 12.4(2)T Feature Technology Highlights

1) Introduction

Cisco IOS ® Software is the world's premiere network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.
Cisco IOS® Software Release 12.4T integrates a comprehensive portfolio of new capabilities, including security, voice, and IP services, with powerful hardware support to deliver advanced services for Enterprise and access customers.
Release 12.4(24)T, the latest release of the 12.4T family, adds Cisco IOS BGP Support for 4-byte Autonomous System Numbers (ASN), Application-Based Routing for Mobile Router (MR) Multi-Path Support, Web Services Management Agent (WSMA), for advanced embedded capabilities to provision, manage, configure and adapt Cisco devices, Smart Call Home Support for the Cisco 7200 Series Router, and Cisco Unified Communications Manager Express and Cisco Unified SRST 7.1 enhancements.
Release 12.4(22)T provided QoS support for IPSec tunnels, Trusted Relay Point (TRP) IOS firewall security for Unified Communications, Flexible NetFlow enhancements, and support for the Cisco 880 SRST and 880G Integrated Services Routers.
Release 12.4(20)T added significant embedded management enhancements, category-based productivity and security ratings support, multi-level Quality of Service (QoS) scheduling, and support for the Cisco 860, 880, and 1861 Routers.
Release 12.4(15)T streamlined the Cisco IOS Software upgrade process, provided sub-second link failure detection and faster convergence, delivered next-generation Layer 2-7 flexible packet classification, enhanced intrusion protection (IPS) and SSLVPN capabilities, and support for the new Cisco 7201 Router.
Release 12.4(11)T delivered new Layer 2 VPN transport over MPLS capabilities, enhanced MPLS management, mobile IPv6 authorization and identity support, and support for the high performance Network Processing Engine G2 (NPE-G2) and VPN Service Adapter (VSA) for the Cisco 7200 Series Router.
Release 12.4(9)T delivered improved manageability, integrated IP communications capability, enhanced HTTP and P2P security, and faster routing protocol convergence.
Release 12.4(6)T delivered highly available firewalls, comprehensive endpoint and network security for SSL VPN environments, and optimized bandwidth management for improved VoIP call quality.
Release 12.4(4)T enhanced threat protection against malicious worm and virus attacks, improved performance monitoring of VoIP networks, and extended support for secure concurrent services on the Cisco 1800 Series router.

1.1) Migration Guide

Cisco recommends that customers running Release 12.3T, 12.3, or prior releases upgrade to Release 12.4T or 12.4. Customers should determine their functionality needs and choose the appropriate release.

Note: Release 12.3 reached End of Software Maintenance on March 15, 2008. For additional information please visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6947/ps5187/prod_end-of-life_notice0900aecd8052e110.html

Release 12.4(15)T will receive extended bug fix support through December 2010. Cisco is taking this action to indicate that Release 12.4(15)T maintenance releases are treated in a similar manner as Release 12.4. Both undergo comprehensive testing and review cycles to continuously improve and increase reliability, quality, and stability. As per Cisco policies, no new technologies or features are added to either Release 12.4 or maintenance rebuild releases of Release 12.4(15)T. For more information please visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/ps8258/product_bulletin_c25-496283.html
AppleTalk Support Discontinuation in IOS T
Due to a significant decrease in AppleTalk usage and demand among its customer base, and given the fact that Apple now fully supports the TCP/IP family of protocols, Cisco has reached the decision to discontinue AppleTalk support on Cisco IOS. The AppleTalk feature removal will be permanent and will apply to future IOS releases after Release 12.4(24)T.
Cisco Service Selection Gateway (SSG) Feature Discontinuation in IOS T
The Cisco Service Selection Gateway (SSG) feature will no longer be available after Cisco IOS Software Release 12.4(24)T. Refer to the following product bulletin for more information: http://www.cisco.com/en/US/prod/collateral/routers/ps341/end_of_life_notice_c51-501483.html
Figure 1 illustrates the current migration path from Cisco IOS Releases 12.3T, 12.3, and prior releases to Release 12.4T or Release 12.4.

Figure 1. Release 12.4T Migration Plan

Figure 2 below illustrates the relationship between Release 12.4T and Release 12.4.

Figure 2. Release 12.4T and Release 12.4 Relationship

Figure 3 below shows the relationship between Release 12.4T and individual 12.4(n)T new feature releases.

Figure 3. Release 12.4T and Individual 12.4(n)T Release Relationship

Note: Cisco IOS Software Release 12.4(20)T and later Release 12.4T releases do not support several Cisco hardware platforms that were supported in Release 12.4(15)T and prior releases. These platforms will be supported by Release 12.4(15)T via regularly scheduled software maintenance rebuilds and bug fix support until the end of software maintenance date for the respective platform is reached.

• Cisco SOHO 90 Series

• Cisco 831, 836, 837, and 850 Series

• Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, and 1760 Series

• Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, and 2691 Series

• Cisco 3631 and 3660 Series

• Cisco 3725 and 3745 Series

• Cisco 7400 Series

• Cisco AS5850 Universal Gateway

The Cisco release delivery process, rigorous software testing, and regularly scheduled software maintenance results in significant incremental enhancements and improvement to the quality, stability, and resiliency of Cisco IOS Software Release 12.4T and Release 12.4.

1.2) Release 12.4T Additional Information

Release 12.4T

Cisco IOS Software Releases 12.4 T-Products & Services-Cisco Systems

Cisco IOS Software Product Lifecycle Dates & Milestones, Product Bulletin No. 2214

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_bulletin0900aecd801eda8a_ps6441_Products_Bulletin.html

Changes to Cisco IOS Software Product Support in Release 12.4T, Product Bulletin No. 3000

http://www.cisco.com/go/124thardware/

Cisco IOS Software Download Center

Download Cisco IOS Software releases and access software upgrade planners.

http://www.cisco.com/public/sw-center/sw-ios.shtml

Cisco Feature Navigator

A web-based application that allows you to quickly match Cisco IOS Software releases to features, to hardware.

http://www.cisco.com/go/fn/

Cisco Software Advisor

Determine the minimum supported software for selected hardware.

http://tools.cisco.com/Support/Fusion/FusionHome.do

Cisco IOS Upgrade Planner

View all major releases, hardware, and software features from a single interface.

http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi

1.3) Cisco IOS Packaging Consideration

Figure 4. Cisco IOS Packaging for Cisco Routers

2) Release 12.4(24)T Highlights

Table 1. Release 12.4(24)T Feature Highlights

2.1) IP Routing

2.1.1) Cisco IOS BGP Support for 4-byte Autonomous System Numbers (ASN)

Border Gateway Protocol (BGP) is an Internet Engineering Task Force (IETF) standard, and the most scalable of all routing protocols. BGP is the routing protocol of the global Internet, as well as for enterprise and service provider private networks. BGP has expanded upon its original purpose of carrying Internet reachability information, and can now carry routes for Multicast, IPv6, VPNs, and a variety of other data. Cisco supports all IETF BGP standards, as well as the majority of Internet Drafts for BGP. In addition, Cisco is an active participant in the Inter-Domain Routing (IDR) Working Group at IETF, and a frequent contributor of new BGP extensions.
Cisco IOS Software Release 12.4(24)T release adds BGP Support for 4-byte ASN.
At the early time of BGP development and standardization, it was assumed that availability of a 16 bit binary number to identify the Autonomous System (AS) within BGP would have been more than sufficient. The 16 bit AS number, also known as the 2-byte AS number, provides a pool of 65,536 unique Autonomous System numbers. The Internet Assigned Numbers Authority (IANA) manages the available BGP Autonomous System Numbers (ASN) pool, with the assignments being carried out by the Regional Registries.
The current consumption rate of public AS numbers suggests that the entire 2-byte ASN pool will be fully depleted by early to middle 2011. A solution to this depletion is the expansion of the existing 2-byte AS number to a 4-byte AS number, which provides a theoretical 4,294,967,296 unique AS numbers. ARIN has made the following policy changes in conjunction with the adoption of the solution.
As of January 1, 2009, per the American Registry for Internet Numbers (ARIN), all new Autonomous System Numbers (ASNs) issued will be 4-byte by default, unless otherwise requested. For more information please visit: https://www.arin.net/announcements/2008/07242008.html
The Cisco IOS BGP 4-byte ASN feature allows BGP to support the ASN encoded as a 4-byte entity. The addition of this feature allows an operator to use an expanded 4-byte AS number granted by IANA.
As shown in Figure 5 below, backwards compatibility is provided between the 4-byte and 2-byte AS numbers, since BGP and Multiprotocol BGP is already widely deployed in ISP and MPLS VPN environments. Specifically, advertisement via standard based BGP capability code, two new "optional transitive" attributes: AS4_AGGREGATOR and AS4_PATH, and a newly reserved AS TRANS#: 23456 for interoperability between 4 bytes ASN capable and non-capable BGP speakers are introduced to a smooth migration from a 2-byte to a 4-byte ASN environment.
The implementation is in compliance with IEFT RFC 5396 and RFC 4893 standards.

Figure 5. Use Case Example of Both 4-byte Capable and 2-byte ASN BGP Speakers

Benefits

• Allows BGP to carry a Autonomous System Number (ASN) encoded as a 4-byte entity

• Includes the following enhancement to ensure a smooth migration from a 2-byte to 4-byte ASN environment

– Advertisement via standard based BGP capability code

– Two new "optional transitive" attributes: AS4_AGGREGATOR and AS4_PATH

– A newly reserved AS TRANS#: 23456 for interoperability between 4 bytes ASN capable and non-capable BGP speakers

• To further reduce operation change requirements when an operator migrating from a 2 bytes to a 4 bytes ASN environment, the implementation provides a default "asplain" and an optional "asdot" AS output format

Considerations

• The initial support for 4-byte ASN in Release 12.4(24)T supports all existing BGP features (including IPv4, IPv6, VPNv4, and VPNv6 address and sub address families) with the exception of Cisco IOS NetFlow

Hardware

Routers

• Cisco 1800, 2800, 3800, 7200 Series Routers

Additional Information:
Product Management Contact: Ted Qian ( tqian@cisco.com)

2.1.2) Mobile IP-Policy and Application-Based Routing for Mobile Router Multi-Path Support

Cisco Mobile Routers (MRs) running Cisco Mobile Network technology, offer seamless network connectivity for devices connecting to it. Network connectivity remains uninterrupted even when the mobile router roams among various wireless and wired networks.
Prior to the introduction MR Multi-Path support in Cisco IOS Software Release 12.4(9)T, a Cisco MR could only support seamless mobility to the Home Agent (HA) via a single mobile tunnel at a time. The Multi-Path Support for Mobile Router feature allows a MR and a HA to establish multiple Mobile IP tunnels over all available roaming interfaces. When the Multi-Path feature is enabled, the MR registers through all of its available roaming interfaces to the HA. Each registration is independent of the other registrations taking place on other roaming interfaces. Once registered through the roaming interfaces, the MR will have multiple routes or multiple paths back to the HA (assuming the Mobile IP Reverse Tunnel feature is configured). The mobile traffic from or to the mobile network is then load-balanced among the multiple routes based on the CEF load balancing algorithms, either per packet or per destination (default). In addition, this feature supports unequal load balancing. The Multi-Path feature enables users to utilize all the possible bandwidth available from all the enabled links.
New in Cisco IOS Software Release 12.4(24)T is Application-Based Routing for Mobile Router Multi-Path Support. This feature extends existing MR Multi-Path routing support to enable static Access Control Lists (ACLs) and dynamic Policy-Based Routing (PBR) route-map commands to define unique traffic types and route these traffic classes over specified interfaces or paths. This feature enables you to bi-directionally define how specific traffic types should be routed across the multiple tunnels established between the MR and HA. The same ACL and PBR policies are used on both the MR and HA.

Figure 6. Application-Based Routing for Mobile Router (MR) Multi-Path Support

Benefits

Better Investment Protection: Enables the customer to optimize performance, scalability, and availability of applications traversing the multi-path mobile network via application routing policies

Hardware

Routers

• Cisco 1700, 1800, 2800, 3200, 3270, 3600, 3700, 3800, 7200, and 7301 Series Routers

Product Management Contact: Kevin Delgadillo ( delgadil@cisco.com)

2.1.3) Multi-VRF Selection Using Policy-Based Routing (PBR)

Multi-VRF Selection using Policy Based Routing is an extension of VRF Selection based on Source IP Address. This functionality takes advantage of the existing Route-map (which is capable of supporting multiple selection criteria) and uses Policy Based Routing (PBR) as a way to classify packets and set the relevant routing/forwarding decision. Classification criteria include source and/or destination IP addresses, protocol number, source and/or destination port number, IP precedence value, DSCP value, TCP flags, packet length and ICMP type.

Note: This feature only supports VRF-Lite. Only IP routing protocols are supported with this feature. Multiprotocol Label Switching (MPLS) VPN is not supported.

Benefits

• Enables flexible VRF selection policies to optimize VRF-enabled network architectures.

Hardware

Routers

• Cisco 7200 and 7301 Series Routers

Product Management Contact: Kevin Delgadillo ( delgadil@cisco.com)

2.2) IP Services

2.2.1) Secure Neighbor Discovery (SeND)

Secure Neighbor Discovery (SeND) protocol is designed to counter the threats of Neighbor Discovery Protocol (NDP), as detailed in RFC3756. SeND comes as an addendum on top of ND. It defines a set of new ND options, and two new ND messages (Certification Path Solicitation & Answer). It also defines a new auto-configuration mechanism, to be used in conjunction with the new ND options, to establish address ownership.
There are essentially two security features introduced by SeND to mitigate address spoofing and rogue routers, two of the biggest threats related to NDP. The first feature enables nodes to establish address ownership using IPv6 Cryptographically Generated addresses (CGA), as specified in RFC3972. The second feature provides router authorization through X.509 certificates, and is specified in RFC3971.
Deployment-wise, CGA is a very light-weight mechanism, as it does not involve cryptographic key distribution (other than providing the public key in one of the new NDP option), nor any identity of any sort or certificates.
Router authorization is more challenging, since router must have an "identify", certified through a certificate signed by a Certificate Authority, and that Certificate Authority must be known by all nodes. RFC3971 also specifies two important additional elements. Certificates can contain the list of prefixes that the router owns, so that any node could verify prefixes announced by the router prior to performing stateless auto-configuration. And last but not least, a node running SeND is expected to be able to arbitrage between concurrent claims coming from a mixture of peers speaking SeND and nodes speaking ND, in favor of the former.
The Cisco implementation, which is fully compliant with SFC3971 and 3972, supports:

• Cryptographically Generated addresses (CGA)

• Router authorization through X.509 certificates

• Prefixes embedded in certificates, as specified in RFC 3779

• Transitioning situation, where it is capable of giving preference to SeND peers over ND peers

In addition, the IOS-PKI and the IOS-CS (Certificate Server) has been upgraded to allow building certificate requests with embedded IPv6 prefixes, read and store these prefixes, and validate a certificate chain with embedded IPv6 prefixes. This is useful to install on a Cisco SeND router, a fully complied X.509 certificate with embedded prefixes, and enable Router Authorization.

Figure 7. Generation of a SeND Packet (simplified version)

Benefits

• Router interface addresses are generated in a way that the ownership can be verified by a third party

• Received address ownership is dynamically verified; Only validated neighbors are inserted into the Neighbor Discovery cache

• Router Advertisement content is dynamically verified, so no one can pretend to be a valid router on a link without a valid matching X.509 certificate

Hardware

Routers

• Cisco 800, 1800, 3800, 7200, 7301 Series Routers

Product Management Contact: Benoit Lourdelet ( blourdel@cisco.com)

2.2.2) DHCPv6 Individual Address Assignment

At the heart of the IP address distribution architecture for IPv4, DHCP has been selected by the IPv6 community to fulfill similar functions. While stateless address auto-configuration is mandated by IPv6 specifications, there is a business demand to have DHCP offer stateful address and prefix delegation in an easily deployable fashion (VoIPv6 for instance).
The new feature of allocating individual addresses is now supported for Client, Server and Relay functions.

Figure 8. DHCPv6 Individual Address Assignment Topology

DHCPv6 Client, Server, and Relay Functions
The DHCPv6 client, server, and relay functions are mutually exclusive on an interface.
Client Function
The DHCPv6 client function can be enabled on individual IPv6-enabled interfaces and benefits from the new following features:

• Support for multiple IPv6 addresses (IA_NA options) on an interface

• Rapid Commit: The Rapid Commit option is supported

• The DHCPv6 Client works in an IPv6 VRF environment

Server Selection
A DHCPv6 client builds a list of potential servers by sending a solicit message and collecting advertise message replies from servers. These messages are ranked based on preference value, and servers may add a preference option to their advertise messages explicitly stating their preference value. If the client needs to acquire prefixes from servers, only servers that have advertised prefixes are considered.
Server Function
The DHCPv6 server function can be enabled on individual IPv6-enabled interfaces.
The DHCPv6 server is providing the following features:

• RFC3041 Compliance: IPv6 addresses will be allocated in a non-sequential fashion

• Allocating multiple IPv6 addresses to a client. (ie: if multiple address pools apply, then one address will be allocated from each address pool)

• Rapid Commit: The Rapid Commit option is supported

• The DHCPv6 server works in an IPv6 VRF environment

• The DHCPv6 server writes current allocated addresses to a TFTP server and can read currently allocated addresses back from the TFTP server upon startup

• Configuration and support of Vendor-Specific Options

DHCP Relay Agent
A DHCP relay agent, which may reside on the client's link, is used to relay messages between the client and server. DHCP relay agent operation is transparent to the client. A client locates a DHCP server using a reserved, link-scoped multicast address. Therefore, it is a requirement for direct communication between the client and the server that the client and the server be attached to the same link. However, in some situations in which ease of management, economy, or scalability is a concern, it is desirable to allow a DHCP client to send a message to a DHCP server that is not connected to the same link.
Benefits of using DHCPv6 individual Address assignment:
Flexibility, Scalability, and Customization: DHCPv6 in terms of individual address assignment now offers similar functionality as DHCPv4, which includes easy configuration of address pool and scalability.
Hardware

Routers

• Cisco 800, 1800, 3800, 7200, 7301 Series Routers

Additional Information: http://www.cisco.com/go/ipv6
Product Management Contact: Patrick Wetterwald, pwetterw@cisco.com

2.3) Embedded Management and Instrumentation

2.3.1) Web Services Management Agent (WSMA)

Web Services Management Agent (WSMA) allows customers, partners and developers to provision, configure, manage and adapt Cisco IOS devices using industry standard Web Services protocols. Combined with Extensible Markup Language (XML), Web Services provides secure, reliable and robust access to IOS using a familiar set of protocols already in use by the majority of customers and partners. WSMA leverages existing investments in IOS CLI as well as existing Web Services expertise and tools.
External management systems can be built to perform the following functions with a WSMA agent inside IOS:

• Retrieve configuration information in tagged and well-formed XML

• Change the running configuration using CLI or XML

• Test a candidate configuration before applying it to the running configuration

• Bulk transfer multiple CLI/Exec commands in a single Simple Object Access Protocol (SOAP) envelope

• Allow atomic rollback if a transaction fails

• Receive full audit trails of configuration changes and operation returns codes

• Control whether the WSMA agent listens for inbound sessions (listener mode) or establishes an outbound session to the external NS system (initiator mode)

• Perform "show" commands and receive the output in tagged XML format

• Copy images, apply updates and archive configurations

• Retrieve directory listings

• Run Exec commands

• Receive configuration change notifications including before and after audit trails of the configuration change

• Group Web Services using profiles which allow different transports and protocols to be assigned to different groups and services.

WSMA supports two important modes of communication; listener and initiator modes:

Initiator Mode: The WSMA agent can establish an outbound session to the external NMS system to avoid opening up inbound connections to the router or switch. For customers wanting a highly secure environment which traverses firewall and resolves NAT issues, initiator mode is a significant capability

Listener Mode: The WSMA listens for inbound Web Service session requests in a traditional Web Services client/server architecture

WSMA allows several highly secure methods of authentication currently used by customers; SSH and HTTPs. Future versions of WSMA support TLS as well.
Benefits

Increased Provisioning/Configuration Speed: Making configuration changes through WSMA, configurations can be applied many times faster than using off-box expect scripts or manual configuration using SSH/Telnet. In addition, multiple CLI commands can be operated as an atomic operation.

Reduced Development Effort: WSMA frees up web services developers to use their existing tools and expertise to rapidly build management applications. Based on industry standard web services protocols (SOAP 1.1, SOAP 1.2, etc) and transports (SSH, TLS and HTTPs) developers can rapidly build applications which are reusable and flexible.

Improved Automation: In addition to return codes and audit trails, WSMA provides atomic rollback in case of failure. Should the worst occur, WSMA will return the configuration to a working state.

Improved Accuracy: WSMA brings the benefits of XML and web services; accuracy and consistency. Using WSMA to provision, configure, manage and adapt a Cisco device, customers get a robust, self-describing system with the accuracy of XML access.

Hardware

Routers

• Cisco 800, 1800, 3800, 3800, 7200, 7301 Series Routers

Product Management Contact: Steve Giles, stgiles@cisco.com

2.3.2) Smart Call Home Support for the Cisco 7200 Series Router

Smart Call Home is a powerful component of Cisco SMARTnet Service that offers proactive diagnostics, real-time alerts, and personalized web-based reports on select Cisco devices.
Cisco Smart Call Home offers:

• Visibility into your network through diagnostic reports

• Real-time trouble shooting and alerts

• Automatic generation of Cisco service requests to Cisco technical engineers

• Secure, reliable data transport

• Personalized Web-based portal to review Call Home messages, detailed diagnostics, recommendations, and inventory

Cisco IOS Software Release 12.4(24)T adds Smart Call Home support for the Cisco 7200 Series Router.
Additional Information: http://www.cisco.com/go/smartcall
Product Management Contact: Tim Johnson ( tijohnso@cisco.com)

2.4) Voice

2.4.1) Cisco Unified Communications Manager Express 7.1

Cisco Unified Communications Manager Express is the Cisco router based call processing solution that provides a smart, simple and robust Unified Communications solution for small and medium businesses and enterprise branch offices. Cisco IOS Software 12.4(24)T contains several new features for customers using Communications Unified Communications Manager Express.
Single Number Reach (SNR)
The Single Number Reach feature allows users to consolidate all their incoming calls into a single business phone number which reaches both their Cisco IP Phone and their cell phone. This feature enables users to answer incoming calls on their desktop IP phone or at a remote destination, such as a mobile phone.
The Single Number Reach feature includes:

1. Option to dynamically change alternate phone number from phone Telephony User Interface (TUI)

2. Allows calls to be switched between IP phone and alternate phone with the touch of a button

3. Users can toggle SNR functionality on/off from the phone

Whisper Intercom
The Whisper Intercom feature allows a receptionist to perform a whisper page to the manager phone to provide one-way voice from the calling to the called party, regardless of whether the called party is busy or idle. In case the manager is already on a call, the audio from the receptionist will not be heard on the manager's other call.
The Whisper Intercom feature includes:

1. The phone receiving a whisper page displays the extension and name of the party initiating the whisper page and Cisco Unified CME plays a zip zip tone before the called party hears the caller's voice

2. If the called party wants to speak to the caller, the called party selects the intercom button on their phone.

3. The lamp for intercom buttons is colored amber to indicate one-way audio for whisper intercom and green to indicate two-way audio for standard intercom.

SIP Line Side Enhancements
SIP Line side enhancements in Cisco Unified Communications Manager Express for Cisco SIP endpoints builds on an already robust feature set for SIP endpoints.
SIP Line Side Enhancement includes:

1. Shared line support across up to 16 Cisco SIP phones

2. Ability to barge into calls for Cisco SIP phones with shared lines

3. Calls put on hold on Cisco SIP phones with shared lines can be resumed by other shared line members

4. Privacy for SIP phones enables phone users to block other users from seeing call information or barging into a call on a SIP shared-line directory number. Users can toggle privacy on/off dynamically for shared lines.

5. Call Park and Pickup between SCCP and SIP endpoints. Both SCCP and SIP endpoints can park and retrieve calls that are parked.

6. Call Park slots can now be reserved for specific departments

Busy Lamp Field (BLF) Monitoring of Devices
Support device-based BLF monitoring, allowing a watcher to monitor the status of a phone, not only a line on the phone.
Busy Lamp Field (BLF) Monitoring of DnD, Call Park, Paging and Conferencing Directory Numbers
Provide BLF indicators for directory numbers that become DND-enabled, or are configured as call-park slots, paging numbers, or conference numbers.
SIP Trunk Video Support for SCCP Endpoints
Supports video calls between SCCP endpoints across different Cisco Unified CME routers connected through a SIP trunk. Support H.264 codec for video calls.
DSCP Enhancements
Supports Differentiated Services Code Point (DSCP) packet marking for Cisco Unified IP phones.
Multilevel Precedence and Preemption (MLPP)
MLPP service allows validated users to place priority calls, and if necessary, to preempt lower-priority calls. This capability assures high-ranking personnel can communicate with critical organizations and personnel during network stress situations, such as a national emergency or degraded network situation.
Benefits

Improves end user experience and productivity: Cisco SIP IP Phone users now have access to more robust IP Telephony features available on Cisco Unified Communications Manager Express. Users have presence information for other users and can reach them seamlessly. They are also able to join calls with the touch of a button and can enable privacy to when needed.

Enhanced mobility: Allows IP Phone users to provide a single number to other parties and receive calls on their desk or cell phone. This allows users to be connected while away from the office and reduces missed calls and sales opportunities.

Support for Public Safety and Department of Defense (DOD) initiatives: Assure that critical calls from high ranking personnel and emergency calls are always serviced.

Hardware

Routers

• Cisco UC500, 1800, 2800, 3800 Series Routers

Product Management Contact: Tony Huynh, tonhuynh@cisco.com

3) Release 12.4(22)T Highlights

Table 2. Release 12.4(20)T Feature Highlights

3.1) Cisco IOS Security

3.2) Embedded Management

3.3) Voice

3.4) Hardware

3.1.1) IOS Firewall Support for Trusted Relay Point (TRP)

3.1.2) Access Control List (ACL) Syslog Correlation

3.1.3) Per (DMVPN) Tunnel Quality of Service (QoS)

3.1.4) Certificate IP Address Extension Support

3.1.5) Time-based Anti-replay on VPN Services Adapter (VSA)

3.1.6) Group Encrypted Transport VPN (GET VPN) Enhancements

3.1.7) IOS SSL VPN Internationalization

3.1.8) IOS Support for Lawful Intercept

3.2.1) Cisco IOS Embedded Event Manager

3.2.2) Flexible NetFlow-NetFlow v5 Export format

3.2.3) Flexible NetFlow-TopTalkers CLI support

3.2.4) Flexible NetFlow-Multicast statistics for IPv4 support

3.3.1) Cisco VG202 and Cisco VG204 Analog Phone Gateways

3.3.2) Session Initiation Protocol (SIP) Enhancements

3.4.1) Cisco 880 3G and Cisco 880 SRST Router Series

3.4.2) Cisco IAD2435-8FXS Integrated Access Device

3.4.3) Intrusion Prevention System Enhanced Network Module

3.1) Cisco IOS Security

3.1.1) IOS Firewall Support for Trusted Relay Point

Cisco IOS firewall enhances security for Unified Communications (UC) by supporting Trusted Relay Point (TRP). This solution provides a trusted anchor within the network for seamless UC related services including media recording, QoS enforcement, and intelligent firewall traversal.

Figure 9. IOS Firewall Trusted Relay Point Use Case Scenario

Trusted Relay Point is a multi-functional architecture covering Quality of Service (QoS), Optimized Edge Routing (OER), and virtual network traversal. It eliminates the deep packet inspection and overhead associated with firewalling by signaling the firewall to permit traffic.
Benefits of UC-Trusted Firewall Control

• Provides authentication required to open port requests on the firewall

• Supports asymmetric signaling/media paths control, cases where signaling and media may not traverse the same paths in the network (such as internal "firewalling") and might ordinarily be blocked

• Provides encrypted signaling between voice entities, cases where the firewall has the group key to look at the signaling and allow pinholes for media

• Ports for media and signaling remain open for session length only, providing more secure sessions

Hardware

Routers

• Cisco 871, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.2) Access Control List (ACL) Syslog Correlation

Cisco IOS ACL Syslog Correlation feature provides a correlation mechanism for ACLs that can be used by Network Management System (NMS) tools to correlate the triggered syslog with the specific Access Control Entry (ACE) within the ACL that triggered the syslog. The ACL Syslog Correlation feature utilizes a `tag' which is appended to the ACE generated syslog. The `tag' can either be a user-configured alpha-numeric cookie or an IOS generated 32-bit hash. If the user does not configure the cookie, IOS will create the hash for ACEs configured with the `log' keyword.

Figure 10. Define a tag to be used for ACE generated syslogs

Figure 11. Configured tags are appended to ACE generated syslogs

Benefits

• Provides a consistent monitoring solution for IOS ACLs, allowing network management tools to easily correlate the triggered syslog with the specific Access Control Entry (ACE) within the ACL that triggered the syslog

• Reduces complexity of managing and monitoring ACL rules for access and control by simplifying the correlation of ACE rules with their corresponding syslog events

• Assists network administrators in troubleshooting issues that occur as a result of ACE rules and allows them to monitor ACE rules' effectiveness

Hardware

Routers

• Cisco 800, 1800, 2800, 3700, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/go/iossecurity
Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.3) Per Dynamic Multipoint VPN (DMVPN) Tunnel Quality of Service (QoS)

This feature enables the DMVPN hub to dynamically allocate a QoS service policy for each spoke. The DMVPN hub can have multiple QoS policies for all the remote spokes. If QoS is configured, each spoke requests a QoS policy from the hub during Next Hop Resolution Protocol (NHRP) registration. This QoS service policy is applied on the hub in the outbound direction. A typical QoS policy provides multiple classes of service, including a priority queue for voice, and traffic shaping for the total bandwidth of all classes.

Table 3. Detailed Capabilities of DMVPN Per Tunnel QoS Functionality

Feature

Benefit

Dynamic QoS policy allocation for spokes during the NHRP registration with hub

Simplifies QoS configuration on the hub router for dynamically addressed spokes

Cisco Modular QoS CLI (MQC) support configuration in every spoke policy

Allows prioritization to VoIP/delay sensitive data traffic

Protect critical control traffic before and after encryption

Enhances network stability

Dynamic QoS on the hub ensures optimal traffic flow when a spoke connects to the hub

Simplifies QoS enablement in VPN networks

Protect the crypto engine by supporting full tunnel queuing hierarchy in hierarchical queuing format; QoS queuing and shaping happens before encryption

Avoids anti-replay error reporting with IPSec

Shaping and queuing happens at the physical interface

Centralizes QoS policy in the router and simplifies configuration

Protection for critical control traffic before and after encryption

Enhances network stability

Dynamic QoS allocation on the hub router protects the spoke from traffic bursts

Protects small spokes from becoming overwhelmed from large hub sites

Hardware

Routers

• Cisco 800, 1800, 2800, 3700, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/go/iossecurity
Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.4) Certificate IP Address Extension Support

This feature enables support for RFC3779, X.509 Extensions for IP addresses. One of the first protocols to use this feature will be the SEcure Neighbor Discovery Protocol (SEND). IPv6 hosts run Neighbor Discovery Protocol (NDP) to discover other devices on a link. If this link is not secured, NDP is vulnerable to various attacks such as neighbor solicitation/advertisement spoofing and duplicate address detection DoS attacks. SEND is designed to counter the threats to NDP and can use X.509 IP extensions to provide a stronger control on prefix advertisements.
Note that with SEND, RFC3779 (X.509 Extensions for IP addresses) is an optional feature. While SEND will provide its full capabilities with this version of PKI, it could still be deployed with older PKI versions that don't support IP extensions.
Benefits

• Generates certificates with IP extensions

• Counters threats to NDP

• Allows for stronger control on prefix advertisements

Hardware

Routers

• Cisco 87x, 88x, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.5) Time-Based Anti-Replay on The VPN Services Adapter (VSA)

This feature enables Time-Based Anti-Replay (TBAR) support on the VPN Services Adapter (VSA) of the 7200 NPE-G2 platform. TBAR is used in the Group Encrypted Transport VPN (GETVPN) solution to detect replay attacks since standard sequence-based anti-replay attack detection is not supported. This feature prevents `man in the middle' attacks.
The Cisco GETVPN solution allows organizations to have branch-to-branch secure connectivity without having to incur the cost of establishing and maintaining full-mesh connections.
Benefits

• Supports anti-replay in the Cisco GET VPN solution

• Allows protection against `man in the middle' attacks, bolstering overall GET VPN security

Hardware

Routers

• Cisco 7200 with Network Processing Engine (NPE) G2

Additional Information: http://www.cisco.com/go/vsa
Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.6) Group Encrypted Transport VPN (GET VPN) Enhancements

Several new GET VPN feature enhancements are introduced in Release 12.4(22)T:

Passive Security Association (SA)

This feature enables a new mode of IPSec Security Association (SA) with GET VPN. In this mode, the SA will accept unencrypted traffic and encrypted traffic on the inbound, while it will always encrypt traffic on the outbound. Passive SA mode is configured on the Group Member (GM), and is persistent over router restarts: this allows the Group Member to modify the SAs downloaded from the Key Server (KS). Passive SA can be used similar to the SA receive-only to enable transitions in large scale deployment.

Fail-Close

This feature enables GET VPN traffic forwarding to follow the "fail-close" model, wherein an unregistered Group Member (GM) stops forwarding data packets rather than send them out unencrypted.

The fail-close command sets up an implicit "permit ip any any" at the end of the crypto map during the pre-registration phase. Post successful GDOI registration, the "permit ip any any" is removed from the crypto map.

You can specify exceptions that need to be forwarded in the clear, through a deny entry in the ACL. This is useful to allow routing packets and management packets from a particular host to get through. However, note that the deny ACL in the GDOI crypto map still takes precedence. After the registration is successful, the deny entry in the ACL goes away while the deny entry in the GDOI crypto map is persistent.

Once the GM is successfully registered to all its groups, the policies downloaded from the KS take over, governing the GMs behavior and the fail-close ACL and implicit "permit ip any any" are taken out. GMs keep the policies downloaded from the KS even if the re-registration fails and IPSec SA has expired.

When fail-close is activated, unencrypted packets are prevented prior to and during registration. Once the GM is successfully registered to all its groups however, the policies downloaded from the KS take over, governing the GMs behavior and the fail-close ACL and implicit "permit ip any any" are dropped. GMs keep the policies downloaded from the KS even if the re-registration fails and IPSec SA has expired.

Note: GET VPN supported fail-close previously, using an interface ACL. With the above feature, interface ACL may not be required. Fail-close with interface ACL might still be useful to customers looking to enforce a policy that certain packets must always be encrypted, regardless of the downloaded key server policy.

Change Key Server Role

This feature allows you to switch the primary Key Server (KS)by forcing an election. Issuing the new clear crypto gdoi ks coop role command on the primary Key Server makes it relinquish the primary role and initiate an election. If the priorities have changed, a new primary will be declared elected. Note: This command does not clear any policies-it merely facilitates switching the primary KS.

Co-operative Key Server: Sharing Keys

This feature optimizes the number of rekeys that are sent out in the event of a network split, thereby allowing the network to stabilize rapidly. When there is a network split, a secondary KS takes the partition that cannot reach the primary; with this new feature, the new primary reuses the existing policies where possible. At split, the rekey is sent only if there are keys that are due to expire within the lifetime threshold (150 seconds). Unless this threshold is met, the current keys and policies are retained on the KS separated from the primary. This new ability to share the keys created by another KS reduces the number of policies to manage, thereby improving the cooperation between the KS'es.

Re-key From Secondary on Merge

This feature distributes rekeying when a partitioned network merges back. When the merge occurs, the newly-demoted secondary KS takes responsibility to send out rekeys to the group members in its database. The primary KS is freed from having to send out all rekeys, and is able to focus on sending rekeys to only the members in its own database.

Benefits

• Enables controlled deployments in phases

• Provides ability to eliminate flow of unencrypted data packets

• Allows primary key server to be changed midstream ie: for scheduled maintenance

• Optimizes cooperative key server communications during split and merge, providing better stability

Hardware

Routers

Group Member (GM): Cisco 870, 88, 1800, 2800, 3800 and 7200 Series and Cisco 7301
Key Server (KS): Cisco 1840, 2800, 3800 and 7200 Series and Cisco 7301

Additional Information: http://www.cisco.com/go/getvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.7) IOS SSL VPN Internationalization

Cisco IOS SSL VPN Internationalization lays the framework to support multiple languages in the login and portal pages. Users will be able to select their language preference for their session from a drop down menu at the time of login.

Figure 12. IOS SSL VPN Internationalization Support

Benefits

• Allows content to be presented in the local language.

Hardware

Routers

• Cisco 87x, 88x, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.8) IOS Support for Lawful Intercept

Cisco IOS provides a cost effective, yet powerful Communications Assistance for Law Enforcement Act (CALEA) compliant solution with the ability to monitor digital communications. The Cisco Service Independent Intercept (SII), Control Point Discovery (CPD) and Packet Cable 2.0 support Dynamic Discovery of Intercept Access Point (IAP). Cisco Lawful Intercept provides an out-of-band control mechanism when using a third-party mediation device to request intercepts on the network elements within the organizations trust boundaries. When performing captures for Lawful Intercept, this activity is transparent to everything else going on in the network, providing access only to authorized personnel.

Figure 13. IOS Control Point Discovery (CPD) Lawful Intercept - Use Case Scenario

1. The Cisco IOS Router will act as a platform for lawful intercept, offering a complete end-to-end solution for the network with all communication sessions and intercept details preserved.

2. The Cisco Lawful Intercept solution offers scalable packet captures and an effective, powerful solution for organizations looking to comply with CALEA requirements.

Benefits

• Cost effective way to leverage existing infrastructure to meet LI regulatory obligations

• Provides easy, proactive compliance and offers quick deployment

Hardware

Routers

• Cisco 7200 Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

3.2) Embedded Management

3.2.1) Cisco IOS Embedded Event Manager Version 3.0

The Cisco IOS Embedded Event Manager (EEM) is a unique subsystem within Cisco IOS Software. EEM is a powerful and flexible tool to automate tasks and customize the behavior of Cisco IOS and the operation of the device. Customers can use EEM to create and run programs or scripts directly on a router or switch. The scripts are referred to as EEM Policies and can be programmed using a simple CLI-based interface or using a scripting language called Tool Command Language (Tcl). EEM allows customers to harness the significant intelligence within Cisco IOS Software to respond to real-time events, automate tasks, create customer commands and take local automated action based on conditions detected by the Cisco IOS Software itself.
The latest version of the EEM subsystem within Cisco IOS Software is EEM Version 3.0.
Applications
The applications are endless and only limited by your imagination.
Suppose, for example, you would like to automatically configure a switch interface depending on the device that is connected to a port or interface, an IP phone. A script can be devised that is triggered on the interface up condition and determines the details of the connected device. Upon discovery and verification of a newly connected IP phone, the port can be automatically configured according to prescribed parameters.
Another example might be to react to an abnormal condition, such as the detection of a high error rate on an interface, by forcing transit traffic over a more stable and error-free path. EEM can watch for the increased error rate and trigger a policy into action. The policy could notify network operations personnel and take immediate action to reroute traffic.
A third example might be to collect detailed data upon detection of a specific failure condition in order to gather information that can allow the root cause of the problem to be determined faster, leading to a lower mean time to repair and higher availability. EEM could detect a specific Syslog message and trigger a script to collect detailed data using a series of show commands. After automatically collecting the data, it can be saved to flash memory or sent to an external management system or via email to a network operator.
The control is in the network administrator's hands. You control what events to detect and what actions to take. EEM is optional-it is up to the network administrator if and when it should be used and only takes the actions you program it to take.
Features and Benefits
Cisco IOS Embedded Event Manager provides a level of embedded systems management not previously seen in Cisco IOS Software. Over twenty event detectors provide an extensive set of conditions that can be monitored and defined as event triggers. The system is extensible with new capabilities and further subsystem integration is planned. The feature is mostly product independent and available across a wide range of Cisco products. Each new version of the EEM feature introduces new event detectors or new capabilities. Consult the Cisco documentation for detailed information.
EEM Version 3.0 Enhancements
The latest version of the EEM subsystem is EEM v3.0. This version ushers in a significant number of enhancements over previous versions. This development enhances the performance, increases feature integration, adds new capabilities, and extends the flexibility, so EEM can be used in new and exciting ways.
With EEM v3.0 comes:

• Four new Event Detectors

– Routing Event Detector

Monitors the events relative to the Routing Information Base (RIB). Events are raised for conditions such as when a particular route is added or removed or when a route is modified.

– Flexible NetFlow Event Detector

Detects events related to Flexible NetFlow

Provides a powerful set of triggers to detect and react to real-time network activity

Triggers policies based on the detection of flows that match particular criteria such as when a new flow is seen with a particular destination IP address and port number; or detect conditions like when the rate of new flow entries exceeds some threshold you define.

– IP SLA Event Detector

Provides event triggers based on IP SLA operation results

Integrates IP SLA directly with the EEM subsystem

Provides an event-driven mechanism to take immediate action when an IP SLA operation fails. For example, take local action to direct traffic out another interface, when an IP SLA icmp-echo operation, that pings a headquarters server over the current interface every 3 seconds, fails three times in a row.

– Enhanced CLI Event Detector

Offers enhancements to make creation of your own custom CLI commands easier and more powerful

Provides new event triggers when special characters like "Tab", "?", and the "Enter" key are seen. Provides a way for you to offer `help' for your new commands and make them like Cisco-developed commands.

• High performance "Turbo" Tcl policies

– Provides an order-of-magnitude increase in event handling

– Up to 150 events per second depending on the product

• SNMP Library Tcl Extensions

– Provides actions for Get, Set, and Notify for local and remote SNMP devices

– Offers more power to communicate with neighbor devices or to interrogate local MIB variables from within your policies

• Enhanced Interactive Applets

– Increases the power of the EEM Applet (CLI-based) policies

– Do more without resorting to Tcl-based policies

– Includes support for variables and logical functions and if-then-else constructs

• CLI Library Support for XML Programmable Interface

– Provides a set of Tcl library functions to facilitate the parsing of output from the Cisco IOS CLI "format" extension in the form of: show <show-command> | format {spec-file}

– Makes extracting data from the Cisco IOS CLI within EEM policies easier

• Support authenticating SMTP email servers

– More practical support for email actions

• Class Based Scheduling

– Power users have the ability to schedule policy execution according to specific requirements

• Digital Signature Support

– Infrastructure is included to verify policies that are digitally signed by Cisco

• Additional Support for IPv6

– The SNMP proxy feature introduced in EEM 2.4 has been enhanced to support IPv6

– SMTP actions have been enhanced to support IPv6

Table 4. EEM Version 3.0 Features and Benefits

Feature

Benefit

Extensible and powerful subsystem architecture

Architecture

The EEM subsystem is designed with modularity in mind. It consists of Event Detectors, an Event Manager Server, and action routines called Policies

CLI interface

An interface to the Cisco IOS CLI to allow automated commands and access to any information that can be displayed. Includes support for XML Programmable Interface from within EEM policies.

Policy scheduler

EEM policies are scheduled one at a time or concurrently according to the number of threads configured. An enhanced class-based scheduling option for fine control over policy execution.

Built-in actions

Policies can invoke a number of built-in actions for easy automation

Extensive set of Event Detectors (ED)

Application

Custom application events, action script interaction

Enhanced Cisco IOS CLI ED

CLI command match and run with even more capabilities for creating your own commands

Counter

Custom counter events

GOLD

Generic Online Diagnostics (GOLD) event detection

Interface

Interface counters and events

IP SLA

Tighter integration with the SLA monitoring and measurement subsystem. Easy event triggers and automation when conditions are not satisfactory.

Memory Threshold (Deprecated)

Detect memory resource related events

NetFlow

Event triggers based on traffic flow. Many uses from capacity planning to DoS alert and automated actions.

None (by run command)

Allows execution of an EEM policy by direct command, event manager run

Object Tracking

Integration with Enhanced Object Tracking (EOT)

OIR

Card Online Insertion & Removal detection

Remote Procedure Call

Allows for authorized programs outside of the device to invoke specific device-resident, embedded policies by sending a SOAP request over an SSHv2 connection.

Resource Threshold

Integration with Embedded Resource Manager, supersedes Memory Threshold ED.

RF

Cisco IOS infrastructure Redundancy Facility (RF) events

Routing

Event triggers based on routing changes

SNMP

Detect MIB Variable match and thresholds

SNMP Proxy

Creates events when a specified SNMP trap or inform is received at the device. This allows for policies to be triggered by events from other devices.

Syslog

Regular expression pattern match on emitted Syslog messages

Timer

Custom timed events

IOS Watchdog Monitor

Cisco IOS scheduler, watchdog events

WDSysMon

Cisco IOS Software Modularity: System monitor event

Secure system operation

EEM scripts run within system constraints

Protects system from harm. ie: A looping script will not stop Cisco IOS

User scripts run in Safe-Tcl mode

Certain programmable options are disabled for protection

Controlled environment

Only a network administrator with privileged access can define and set up EEM scripts. No one else can install software to compromise the system.

Support for TACACS+/RADIUS

EEM scripts can be associated with a configured User ID. All CLI commands issued by the scripts are authorized before they are executed.

EEM is optional

If you don't want to use this powerful capability, you don't have to enable it.

Online scripting community

Cisco Beyond-Product Extension Community

A place for customers to share and download scripts. Don't reinvent the wheel. Build and extend the work of others. Learn by example. Go to: http://www.cisco.com/go/ciscobeyond

Product Architecture
The Cisco IOS Embedded Event Manager is a primarily product independent software feature consisting of a series of Event Detectors, an Embedded Event Manager Server, and interfaces to allow action routines called Policies to be invoked. There are also internal application programming interfaces for other Cisco IOS subsystems to take advantage of the EEM subsystem. The diagram in Figure 10 illustrates the EEM components.

Figure 14. EEM Architecture

Notice there are two types of EEM Policies:

• Applet Policies-Easy-to-use interface, defined using the configuration CLI

• Tcl Policies-More flexible and extensive capabilities, defined using the Tcl programming language

Once one or more policies are defined, the Event Detector software will watch for the conditions that match those defined by the policy. When a condition occurs, the event is passed to the Event Manager Server. The server then invokes any policy that has registered for that particular event. The actions defined within the policy are then carried out.
Each type of event has specific options, parameters and detailed information that is available to the policy when it is invoked. All of these details are described in the Cisco IOS documentation.
Feature Specifications
Please use the Cisco IOS Feature Navigator application on Cisco.com to check the latest information on software and product availability. Go to: http://cisco.com/go/fn. The following table includes EEM feature availability information.

Table 5. EEM Feature Specifications

Product compatibility

EEM is available for the Catalyst 6500 Series Switches, Cisco Integrated Services Routers, Cisco 7200 Series Routers, Cisco 7300 Series Routers, Cisco 7600 Series Routers, Cisco 10000 Series Routers; EEM is also available for the Catalyst 4500 Series Switches and the Catalyst 3700 Series Switches and the ASR-1000 Series Routers. Please refer to the Cisco IOS Feature Navigator for the latest device support information.

Software compatibility

EEM is available in Cisco IOS Software Releases 12.2SX, 12.2SR, 12.2SB, 12.4, and 12.4T, 12.2SG, 12.2SE, Cisco IOS XE and future versions. EEM function is also included in Cisco IOS XR and Cisco NX OS.

Software Packaging

Some Cisco products require an enhanced feature set license to acquire support for EEM. Please refer to the Cisco IOS Feature Navigator for the latest packaging information.

System Requirements
The EEM software subsystem will consume CPU and memory resources in its operation. Tcl-based policies reside on flash disk and will take up space. Customers should examine the operation in their environment to ensure resources exist for their specific scenarios. Some basic guidelines are included in Table 5.

Table 6. EEM System Requirements

Disk Space

Tcl-based policies are files stored on flash disk. The amount space required depends on the size and number of policies and any programmed storage requirements

Hardware

CPU utilization requirements are solution dependent

Memory

Each Tcl-based policy will use approximately 500KB when initialized. Beyond that utilization is specific to the policy's operational requirements

Software

A Tcl interpreter is included within the Cisco IOS Software. The current version is Tcl 8.3.4.

For More Information
For more information about the Cisco IOS Embedded Event Manager, visit http://cisco.com/go/eem or contact your local account representative or send email to askabouteem@cisco.com.
Product Management Contact: Rick Williams, rwill@cisco.com

3.2.2) Flexible NetFlow-NetFlow v5 Export Format

Flexible NetFlow exporter introduces the support of NetFlow v5 export format. NetFlow v5 export format must be used in conjunction with the v5 tupple in Flexible NetFlow (FNF) for one pre-defined flow record named original-NetFlow.
When transitioning from traditional NetFlow to Flexible NetFlow, the user will be able to create a Flow Monitor with the original-NetFlow record and export it using NetFlow v5 to the existing NetFlow v5 collector. In addition, the user will be able to create a second Flow Monitor to take advantage of other innovative FNF capabilities, such as Flow record customization and NetFlow v9 export.
Benefits

• Enable smooth migration from traditional NetFlow to Flexible NetFlow.

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7300 Series Routers

Additional Information:

http://www.cisco.com/go/netflow

http://www.cisco.com/go/fnf

Product Management Contact: Jean-Charles Griviaud, jgriviau@cisco.com

3.2.3) Flexible NetFlow-TopTalkers CLI Support

Understanding who is using the network and for how long, what protocols and applications are being utilized and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes, including network management and planning, user and security monitoring, protocol and application monitoring, Enterprise accounting, and departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.
Flexible NetFlow CLI is used extensively for troubleshooting and understanding network behavior. Flexible NetFlow CLI has been enhanced to provide advanced search capabilities. The new CLI provides a generic set of tools to display any kind of Flow Monitor (IPv4, IPv6, Layer2, etc.) in a more efficient way. Flexible NetFlow CLI allows filtering, aggregating and sorting the content of a Flow Monitor:

Flow Filtering: The user will be able to filter on any field available in the Flow Record used by the Flow Monitor being examined. The filtering can be an exact match or a match on a range or a regular expression.

Flow Aggregation: The user will be able to display the Flows that are formed by aggregating any subset of the key fields available in the Flow Record used by the Flow Monitor being examined.

Flow Sorting: the user will be able to control the sorting of Flows using the fields that are available in the FNF Cache to be shown. This could be the primary or secondary (post aggregation step) cache.

Benefits

Security: Able to view the list of top talkers to see if traffic patterns consistent with a Denial of Service (DoS) attack are present in the network.

Load balancing: Able to identify the most heavily used parts of the system and move network traffic over to less-used parts of the system

Traffic analysis: Consulting the data retrieved Top talker CLI

• Talkers feature can assist in general traffic study and planning for the network.

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7300 Series Routers

Additional Information:

http://www.cisco.com/go/netflow

http://www.cisco.com/go/fnf

Product Management Contact: Jean-Charles Griviaud, jgriviau@cisco.com

3.2.4) Flexible NetFlow-Multicast Statistics for IPv4 Support

The Flexible NetFlow IPv4 Multicast support feature allows users to capture multicast-specific data (both packets and bytes) for multicast flows. For example, you can capture the packet replication factor for a specific IPv4 flow, as well as for each outgoing stream.
Flexible NetFlow IPv4 Multicast Support feature can identify and count multicast IPv4 packets on the ingress side or the egress side (or both sides) of a router. Multicast ingress accounting provides information about the source and the number of times the traffic was replicated. With multicast ingress accounting, the destination interface field will be set to null, and the IP next hop field is set to zero for multicast flows. Multicast egress accounting creates a unique flow record for each outgoing interface.
Flexible NetFlow IPv4 Multicast Support feature lets you enable NetFlow statistics to account for all packets that fail the Reverse Path Forwarding (RPF) check, that are dropped in the core of the service provider network. Accounting for RPF-failed packets provides more accurate traffic statistics and patterns.
Flexible NetFlow IPv4 Multicast requires NetFlow v9 export format to export Multicast statistics.
Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7300 Series Routers

Additional Information:

http://www.cisco.com/go/netflow

http://www.cisco.com/go/fnf

Product Management Contact: Jean-Charles Griviaud, jgriviau@cisco.com

3.3) Voice

3.3.1) Cisco VG202 and Cisco VG204 Analog Phone Gateways

The Cisco VG202 and Cisco VG204 Analog Phone Gateways are Cisco IOS Software-based analog voice gateways, which extend the Cisco VG224 offering. The Cisco VG202 and Cisco VG204 offer 2 FXS ports and 4 FXS ports per unit, respectively. Integrating into the Cisco Unified Communications solution for Enterprise branch offices and SMBs just like the Cisco VG224, these analog voice gateways enable analog phones, fax machines and modems to connect to an IP infrastructure. They will be supported by the Cisco Unified Communications Manager releases 6.1(3) and 7.0(1) or later. The Cisco VG202 and Cisco VG204 offer, in a desktop form-factor with fanless design, the entire set of rich Cisco IOS Software based voice and security features offered by the VG224. They also offer proven DSP technology that is consistent across the VG224 and the Cisco Integrated Services Router Voice Gateways.
Product Management Contact: Jay Chokshi, jayesh@cisco.com

3.3.2) Session Initiation Protocol (SIP) Enhancements

Cisco is consistently leading the development of Session Initiation Protocol (SIP). This is part of IOS that runs on all routers in the Integrated Services Router (ISR) portfolio. This is also a key development for the unified communications solution for service providers, Enterprises, SMBs and small branch offices that provide voice, data, voicemail, Automated-Attendant, video, and security capabilities.
In this current release, core components include the following:

• RSVP Preconditions (RFC3312) for TDM Gateway and Cisco Unified Communications Manager Express. It extends negotiation of RSVP CAC/QoS across CUCM clusters*, Gateways, CUCME and CUBE

• Audio RSVP enhancements to support RE-INVITE or 302-Response based supplementary services on gateways

• RSVP support on the SIP trunk of SCCP-CUCME

• SIP SRTP Fallback to Non-secure RTP and SRTP over sip: scheme for CUBE:

This feature extends the existing SRTP fallback on the SIP-TDM gateway to interoperate with the SRTP fallback method of CUCM on SIP trunk. It adds the CUCM interoperable SRTP fallback support to SIP-SIP and SIP-H323 call-flow of CUBE. This is supported on CUBE for the following call flows-EO-EO, DO-DO, FS-EO, EO-FS, SS-DO:

• SIP Diversion Header Enhancements

• SIP History INFO (RFC 4244): Many services that SIP is anticipated to support, require the ability to determine why and how the call arrived at a specific application. SIP History-Info header provides a standard mechanism for capturing the request history information to enable a wide variety of services for networks and end-users. The History-Info header provides a building block for development of new services.

• SIP Multicast Music on Hold: When the IP-Phone puts a call on hold, the CUCM will ask the MOH server to stream the RTP packets on a pre-configured multicast address. The CM will also send mid-call Invite with Send-Only attribute and multicast address to the IOS SIP gateway to listen on that multicast address.

*Need the correct version of CUCM
Product Management Contact: David Sauerhaft, dsauerha@cisco.com

3.4) Hardware

3.4.1) Cisco 880 3G and Cisco 880 SRST Router Series

Cisco Systems is pleased to announce the orderability of the Cisco 880 3G and Cisco 880 SRST Router Series. The Cisco 880 Series is part of the Cisco 800 fixed-configuration router family and offers Internet access, security, voice, and wireless services over broadband speeds in a single, secure device that is simple to use and manage, for small businesses and small remote offices.
The Cisco 880 Series Integrated Services Routers are fixed-configuration routers that provide collaborative business solutions for secure data communication to small businesses and Enterprise teleworkers. The Cisco 880 Series offers concurrent broadband services over 3G, Metro Ethernet, and multiple types of DSL for business continuity. Wireless 802.11n and 3G offer LAN and WAN mobility.

Figure 15. Cisco 880 3G and Cisco 880 SRST Router Series

The 880G Series with the 3G Wireless option offers a cost-effective, rapidly deployable, reliable and secure backup solution. In addition to 3G Wireless WAN, the Cisco 880G Series offers additional WAN options like xDSL and Fast Ethernet (FE) WAN interface, a 4-port 10/100 FE managed switch with VLAN support and the latest 802.11n Wireless LAN capability. The 880G Series supports the latest 3G standards (HSPA and EVDO Rev A) and are backward compatible with UMTS/EDGE/GPRS and EVDO Rev0/1xRTT respectively. The 880G series has 2 variants:

• GSM/UMTS models are based on 3GPP and support HSPA, UMTS, EDGE and GPRS

• CDMA models are based on 3GPP2 and support EVDO RevA/Rev0 and 1xRTT

The Cisco 880 SRST Series is ideal for small remote sites and teleworkers who need to be connected to a larger Enterprise. These routers help extend corporate networks to secure remote sites while giving users access to the same applications found in a corporate office. The Cisco 880 SRST Series routers offers WAN options like xDSL and Fast Ethernet (FE) WAN interface, a 4-port 10/100 FE managed switch with power over Ethernet, and the latest 802.11n Wireless LAN capabilities. Additionally, the Cisco 880 SRST Series offers 4 FXS ports, FXO or BRI for PSTN connectivity, and a 4 SRST user license.

Table 7. Cisco 880 3G and Cisco 880 SRST Router Series Part Numbers

Part Number

Product Name

Ethernet and 3G

Configurable 3G Bundles

CISCO881G-K9

Cisco 881 Ethernet Security Router with 3G

CISCO881GW-GN-A-K9

Cisco 881 Ethernet Security Router with 3G, 802.11n FCC Compliant

CISCO881GW-GN-E-K9

Cisco 881 Ethernet Security Router with 3G, 802.11n ETSI Compliant

G.SHDSL and 3G

Configurable 3G Bundles

CISCO888G-K9

Cisco 888 G.SHDSL Router with 3G

CISCO888GW-G-AN-K9

Cisco 888 G.SHDSL Wireless Router with 3G; 802.11n FCC Compliant

CISCO888GW-G-EN-K9

Cisco 888 G.SHDSL Wireless Router with 3G; 802.11n ETSI Compliant

SRST

 

C881SRST-K9

Cisco 881 SRST Ethernet Security Router with FXS, FXO

C881SRSTW-GN-A-K9

Cisco 881 SRST Ethernet Security Router with FXS, FXO; 802.11n FCC Compliant

C881SRSTW-GN-E-K9

Cisco 881 SRST Ethernet Security Router with FXS, FXO; 802.11n ETSI Compliant

C888SRST-K9

Cisco 888 SRST G.SHDSL Router with FXS, BRI

C888SRSTW-GN-A-K9

Cisco 888 SRST G.SHDSL Router with FXS, BRI; 802.11n FCC Compliant

C888SRSTW-GN-E-K9

Cisco 888 SRST G.SHDSL Router with FXS, BRI; 802.11n ETSI Compliant

Product Contact: Contact your Cisco representative or visit http://www.cisco.com/go/isr.

3.4.2) Cisco IAD2435-8FXS Integrated Access Device

The Cisco IAD2435-8FXS Integrated Access Device provides small and medium-sized businesses with a cost effective platform for managed data, voice, and security services.
The Cisco IAD2435-8FXS Series offers unparalleled value to both Small and Medium-sized Businesses (SMBs) and service providers delivering managed services to these customers. As an addition to the Cisco IAD2430 Series Integrated Access Device Family, IAD2435-8FXS comes loaded with integrated features and services and is designed with the scalability required for delivering managed solutions for broadband data, packet voice, unified communications and security ―all in one router platform.
Cisco IAD2435-8FXS Integrated Access Device is a fixed configuration platform and comes with the following hardware and support for industry standard voice protocols like SIP, MGCP and H.323:

• 1 T1/E1 WAN Port

• 8FXS Voice Ports

• 2 10/100Mbps Ethernet Ports

• 1 Console/Aux Port

Product Contact: Contact your Cisco representative or visit http://www.cisco.com/go/iad.

3.4.3) Intrusion Prevention System Enhanced Network Module

Intrusion Prevention System Enhanced Network Module is an integrated IPS module on the Cisco 2811, 2821, 2851 and 3800 Series Routers. It provides an advanced and accelerated threat control to protect the SMB and branch offices and extend the security perimeter out to the entire corporate network. The IPS NME has the following features:

• Supports inline and promiscuous modes upon configuration

• Runs same software (CIPS 6.1) and features as Cisco IPS 4200

• Has dedicated CPU and DRAM to offload host CPU

• Runs up to 75 Mbps

• Can be managed by Cisco IPS Device Manager (IDM), Cisco Configuration Professional (CCP), Cisco Security Manager (CSM), IPS Manager Express (IME) and CS-MARS

Figure 16. Intrusion Protection System Enhanced Network Module

Additional Information: http://www.cisco.com/go/ipsnme
Product Management Contact: ask-ips-pm@cisco.com

4) Release 12.4(20)T Highlights

Table 8. Release 12.4(20)T Feature Highlights

4.1) Cisco IOS Security

4.2) Cisco IOS Infrastructure

4.3) MPLS

4.4) Quality of Service

4.1.1) Group Encrypted Transport VPN (GET VPN) Support for the Cisco VPN Services Adapter (VSA) for Cisco 7200 NPE-G2 Series Routers

4.1.2) Cisco IOS Content Filtering

4.1.3) VRF-Aware Cisco IOS Intrusion Prevention System (IPS)

4.1.4) User-based Cisco IOS Firewall

4.1.5) Application Inspection and Control for Simple Mail Transfer Protocol (SMTP)

4.1.6) Cisco IOS Firewall Support for Skinny Local Traffic

4.1.7) Cisco IOS Firewall Session Initiation Protocol (SIP) Application Layer Gateway (ALG) Enhancements

4.1.8) Cisco IOS Firewall H.323 Version 3 (v3) and Version 4 (v4) Support

4.1.9) Instant Messaging Blocking Support in Cisco IOS Firewall for "I Seek You" (ICQ) and Windows Messenger

4.1.10) Object Groups for Access Control Lists (ACLs)

4.1.11) Cisco IOS SSL VPN Access Control Enhancements

4.1.12) Cisco IOS SSL VPN AnyConnect Client Support

4.1.13) Cisco IOS SSL VPN Back End HTTP Proxy

4.1.14) Cisco IOS SSL VPN Full-Tunnel Performance Enhancements

4.1.15) Cisco IOS SSL VPN URL Split Rewrite Support

4.1.16) Next Hop Resolution Protocol (NHRP) MIB for Dynamic Multipoint VPN (DMVPN)

4.1.17) IPv6 Over Dynamic Multipoint VPN (DMVPN) Support

4.1.18) Group Encrypted Transport (GET) VPN Support for VRF-Lite

4.1.19) Cisco Tunnel Control Protocol (cTCP) Support on Easy VPN Hardware Clients

4.1.20) IPSec Usability Enhancements

4.1.21) Secure Shell Protocol Version 2 (SSHv2) Feature Enhancements

4.1.22) Command Line Interface (CLI) for Displaying Certificates

4.1.23) CLI to Control Certification Revocation List (CRL) Cache

4.1.24) Secure Device Provisioning (SDP) Connect Template

4.2.1) Cisco Express Forwarding Scalability and Selective Rewrite (CSSR)

4.2.2) Network Time Protocol (NTP) Version 4

4.3.1) Cisco IOS MPLS Label Distribution Protocol (LDP) Enhancements

4.3.2) Cisco IOS MPLS Traffic Engineering and Resource Reservation Protocol (TE/RSVP)

4.4.1) Cisco IOS QoS: Hierarchical Queuing Framework (HQF)

4.4.2) Resource Reservation Protocol (RSVP) Penultimate Hop Overwrite

4.5) IP Version 6

4.6) Embedded Management

4.7) Hardware

4.8) Voice

4.5.1) IPv6 VPN Provider Edge Router (6VPE) over MPLS

4.5.2) IPv6 Access Control List (ACL) enhancements for IPv6 IPSec Authentication Header (AH)

4.5.3) Mobile Network v6-Basic NEMO Support

4.6.1) Cisco IOS Service Diagnostics

4.6.2) Embedded Event Manager Version 2.4

4.6.3) Cisco IOS Embedded Packet Capture

4.6.4) Flexible NetFlow (FNF) Exporter-Outgoing Features Support

4.6.5) Flexible NetFlow for IPv6

4.6.6) Deprecating NetFlow for IPv6 Record

4.7.1) Cisco 1861 Integrated Services Router

4.7.2) Intrusion Prevention System (IPS) Advanced Integration Module

4.7.3) Cisco 860 and 880 Series Routers

4.7.4) Cisco Business-Class IAD880 Series Integrated Access Devices

4.8.1) Communications Manager Express (CME) 7.0 Voice Features

4.8.2) Survivable Remote Site Telephony 7.0 Voice Features

4.8.3) Cisco Unified Border Element (CUBE) 1.2

4.8.4) Voice Quality Improvements on Cisco VoIP Gateways

4.1) Cisco IOS Security

4.1.1) Group Encrypted Transport VPN (GET VPN) Support for the Cisco VPN Services Adapter (VSA) for Cisco 7200 NPE-G2 Series Routers

Cisco IOS Release 12.4(20)T adds GET VPN support for the Cisco VSA, the latest high-performance encryption and key-generation services module for IPSec VPN applications on Cisco 7200 NPE-G2 Series Routers.
GET VPN offers a new standards-based IP Security (IPSec) security model that is based on the concept of "trusted" group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPSec tunnel relationship. GET VPN simplifies securing large Layer 2 or MPLS networks requiring partial or full-mesh connectivity.
Benefits
The VSA offers increased IPSec performance over the Cisco VPN Acceleration Module 2+ (VAM2+) module.
Hardware

Routers

• Cisco 7200 NPE-G2 Series Routers

Additional Information:
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.2) Cisco IOS Content Filtering

Cisco IOS Content Filtering offers category-based productivity and security ratings. Content-aware security ratings protect against malware, malicious code, phishing attacks, and spyware. URL and keyword blocking help to ensure that employees are productive when accessing the Internet. This is a subscription-based hosted solution that leverages Trend Micro's global TrendLabs™ threat database, and is closely integrated with Cisco IOS Software. It is supported on routers running the Advanced Security image. Feature licenses can be purchased directly from the Cisco.com ordering tool or through your Cisco partner/account team.

Figure 17. IOS Content Filtering Use Case Scenario

Benefits

• Secures Internet access to branch, without the need for additional devices

• Controls spyware and malware at the remote site; conserves WAN bandwidth

• Improves employee productivity and protects network resources by enabling content filtering

Hardware

Routers

• Cisco 800, 1800, 2800, and 3800 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.3) VRF-Aware Cisco IOS Intrusion Prevention System (IPS)

VRF-Aware Cisco IOS IPS allows Enterprises or service providers to put different groups of users or network segments into separate Virtual Routing and Forwarding (VRF) groups and to configure IPS on only certain VRFs or to configure IPS differently on each VRF. Divisions or functional groups separated by VRF segments may have different threat protection needs. Examples include:

• Vendor-provided applications vs. native applications

• Administrative users vs. regular employees vs. contractors/guests

• Vendor (photo shop, deli, pharmacy, etc.) network vs. point-of-sale network

• Students vs. faculty members vs. school administration

VRF-aware Cisco IOS IPS will also enable network security operators to distinguish between the IPS event alarms generated within each user group or network segment based on their VRF ID.

Figure 18. Typical Use Case for VRF Aware Cisco IOS IPS

Benefits

• Allows the configuration of IPS on only certain virtual network segments (VRFs) or in a different way on each VRF

• Distinguishes between IPS alarms/events generated within each group (VRF segment) based on VRF ID

• Supports IPS on VRF interfaces in addition to physical interfaces with or without overlapping IP addresses

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/go/iosips
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.4) User-based Cisco IOS Firewall

Cisco IOS Firewall offers the ability to deploy secure access policies at all network interfaces: Internet perimeter, remote-site connectivity, business-partner access, and telecommuter connections. User-based Cisco IOS Firewall dynamically binds unique zone-based firewall policies to a group where members, regardless of IP address entry point, are authorized using authentication proxy or Network Admission Control (NAC).

Figure 19. User based Cisco IOS Firewall Example

Benefits

• Facilitates the support of Enterprise mobile workers where user access is dynamic, while maintaining source IP address and user group associations

• Secures granular access to the branch, without the need for additional devices

• Enforces non-intrusive, per-user security policies

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200 Series, 7301 Routers

Additional Information: http://www.cisco.com/go/iosfw
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.5) Application Inspection and Control for Simple Mail Transfer Protocol (SMTP)

Cisco IOS Firewall Application Inspection and Control (AIC) has expanded the SMTP capability to support a more detailed inspection, providing more control over how SMTP inspection is performed.
Benefits

• Inspects SMTP at a more granular level

• Scans actual e-mail data like attachment types and encoding types

• Detects a limited number of attack signatures

• Ability to use signatures in SYSLOG message alerts to warn of a possible attack, such as the detection of illegal SMTP commands in a packet

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iosfw
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.6) Cisco IOS Firewall Support for Skinny Local Traffic

Cisco IOS Firewall enhances Skinny Local Traffic support. This feature offers inspection for locally generated and locally terminated SKINNY protocol data in two main deployment scenarios:

1. Cisco Call Manager Express (CME) is enabled on the Cisco IOS Firewall and manages the VoIP phones using SCCP over intranet or Internet.

2. Analog and VoIP phones are connected and managed by the Cisco IOS Firewall-enabled CME router.

Benefits

• Improves user groups SCCP locally generated traffic support

• Provides inspection of CME using SCCP over the intranet/Internet

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iosfw
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.7) Cisco IOS Firewall Session Initiation Protocol (SIP) Application Layer Gateway (ALG) Enhancements

Cisco IOS Firewall SIP ALG and protocol inspection feature prevents unauthorized calls, call hijacking, SIP protocol exploits, and related DoS attacks. It supports both pass-through and local traffic.
Benefits

• Removes malformed packets from reaching Cisco Unified Communications Manager at the head office

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iosfw
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.8) Cisco IOS Firewall H.323 Version 3 (v3) and Version 4 (v4) Support

Cisco IOS Firewall adds support for H.323 v3 and v4 to maintain high availability of mission-critical IP telephony calls while upholding high level call experience.
Benefits

• Includes H.323 v3 and v4 Annex E, Annex G, and Annex D support

• Supports H.323 v3 and v4 fax and call transfer capabilities

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iosfw
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.9) Instant Messaging Blocking Support in Cisco IOS Firewall for "I Seek You" (ICQ) and Windows Messenger

Cisco IOS Firewall Application Inspection and Control (AIC) adds comprehensive management and control of Instant Messaging (IM) applications such as ICQ and Windows Messenger.
Benefits

• Detects, blocks or throttles ICQ and Windows Messenger services

• Enforces associated policy of "I Seek You" (ICQ) Instant Messenger Version 2001b and above as well as Windows Instant Messenger Version 5.1

• Provides granular control when managing things such as file transfers and attachments, application sharing, games, video/audio conferencing, and pop-ups

• Offers the ability to send syslog information of the event

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, 7301 Series Routers

Additional Information: http://www.cisco.com/go/iosfw
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.10) Object Groups for Access Control Lists (ACL)

ACL Object Groups allow network administrators to classify users, devices, and protocols into groups allowing them to apply policies based on group classification. IP hosts and networks, protocols and ports are defined in object groups. Once configured, object groups can then be used in the place of IP addresses, protocols or ports within Access Control Lists (ACLs).
The two steps required to configure object groups for ACLs is shown below:

Step 1. Define the Object Group:

! Define network type object-groups to group IP hosts and networks
object-group network Engineering
10.240.12.0 255.255.255.0
10.245.10.0 255255.255.0
object-group network Web-Servers
10.1.1.0 255.255.255.0
host 10.10.10.100
object-group network Mail-Servers
10.32.1.0 255.255.255.0
! Define a service type object group to group you protocols and ports
object-group service Web-ports
tcp www
tcp 8080
object-group service Mail-ports
tcp smtp
tcp pop3
tcp 587
tcp 143

Step 2. Use Object Groups in ACL Configurations:

ip access-list extended access-policy
10 permit object-group Web-ports object-group Engineering object-group Web-Servers
20 permit object-group Mail-ports object-group Engineering object-group Mail-Servers
Benefits

• Provides a simple and intuitive mechanism for configuring and managing large ACLs, especially ones that frequently change

• Reduces ACL configuration size and make ACLs more readable and easier to manage

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iosfw
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.11) Cisco IOS SSL VPN Access Control Enhancements

Depending on the network security design, the need to repeatedly provide user credentials to gain secure access may be redundant. This is especially true for cellular providers that authenticate users as they join the network. Using Cisco IOS SSL VPN Access Control Enhancements, login credentials can be embedded in the URL used by the client machine to connect to the SSL VPN gateway. Users would not be challenged for credentials but would instead immediately start their secure SSL VPN session.
Benefits

• Simplifies the user login procedures

• Reduces intrusive and repetitive login prompts

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.12) Cisco IOS SSL VPN AnyConnect Client Support

AnyConnect is the Cisco next generation SSL VPN client. It replaces the current Cisco SSL VPN Client (SVC), and requires no pre-installation or pre-configuration on the client machine.
The Cisco IOS SSL VPN AnyConnect Client is pushed from the secure gateway to the client machine when needed. Traffic is encrypted and authenticated using a Layer 2 tunneling functionality that is similar to traditional IPSec, and is agnostic to traffic type. Performance is greatly improved because there is no need to apply URL mangling on the secure traffic as is required with clientless connections.
AnyConnect provides added functionality beyond the current SVC client with support for multiple operating systems including Windows Vista, Apple Mac OS X, and Linux. Administrators can now support a mixed operating system network environment.
Once pushed down to the user, the Cisco AnyConnect client can be configured to stay installed so that subsequent connections do not require repeated downloads and installations. Standalone mode allows users to initiate new SSL VPN tunnel sessions without the need of a web browser, simplifying the login procedure.

Figure 20. Cisco IOS SSL VPN AnyConnect Client Support

Benefits

• Avoids pre-configuration and pre-installation requirements

• Improves performance over clientless only traffic

• Offers support for multiple operating systems

• Reduces bandwidth requirements in Standalone mode

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.13) Cisco IOS SSL VPN Back End HTTP Proxy

In the past, all clientless mode user requests were sent to internal servers directly. This meant that the internal servers had to be directly addressable by the SSL VPN gateway for connectivity to succeed. This feature enhancement adds HTTP proxy client functionality to the Cisco IOS SSL VPN gateway so requests can now be passed through to an internal proxy server in the protected network.
Benefits

• Provides increased flexibility and control in supporting more diverse internal network architectures

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.14) Cisco IOS SSL VPN Full-Tunnel Performance Enhancements

Cisco Express Forwarding (CEF) Scalability and Selective Rewrite (CSSR) technology for IP has been added to full-tunnel mode as well as clientless SSL VPN deployments. Combining CSSR with SSL VPN full-tunnel traffic provides greater throughput and reduces router CPU utilization.

Note: CSSR, supported in Cisco IOS Release 12.4(20)T onward, is a scalable, distributed, Layer 3 switching technology designed to meet the future performance requirements of Enterprise networks. Refer to the Cisco IOS Infrastructure section for more information on CSSR support.

Benefits

• Increases scalability and performance

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.15) Cisco IOS SSL VPN URL Split Rewrite Support

In SSL VPN clientless operation, the SSL VPN gateway acts as a proxy between client and server, inspecting all web-based traffic and rewriting URLs in the content. This process is very CPU intensive and time consuming, affecting performance and scalability.
Conceptually similar to split tunneling in IPSec, the URL Split Rewrite for Cisco IOS SSL VPN feature enables the administrator to select which URLs are processed through the SSL VPN gateway, and which URLs the client can reach directly. Internal web-based connections to protected resources are still processed normally through the SSL VPN gateway, while external traffic can be allowed a direct connection.

Figure 21. Cisco IOS SSL VPN URL Split Rewrite Support

Benefits

• Provides flexibility to selectively define what traffic needs SSL VPN protection

• Improves scalability and performance by not having to process all of a remote users traffic

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.16) Next Hop Resolution Protocol (NHRP) MIB for Dynamic Multipoint VPN (DMVPN)

To manage DMVPN deployments most effectively, administrators are not only interested in knowing about individual IPSec and tunnel protected Multipoint GRE (mGRE) tunnels, but also the control plane (ie: NHRP) statistics associated with corresponding tunnels.
The NHRP MIB for DMVPN feature addresses this by providing information on NHRP usage, routes, sessions, NHRP supported hub maximum throughput, and memory in a DMVPN network.
Benefits

• Improves manageability of DMVPN networks.

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/dmvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.17) IPv6 Over Dynamic Multipoint VPN (DMVPN) Support

DMVPN has added support for IPv6 in combined IPv4 and IPv6 network environments. Where secure connectivity is required, DMVPN can now be used to connect IPv4 and IPv6 networks.
Benefits

• Supports standards-based IPv6

• Supports IPSec native mode

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/dmvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.18) Group Encrypted Transport (GET) VPN Support for VRF-Lite

GET VPN support for VRF-Lite allows Enterprises or service providers to support multiple VPN Routing and Forwarding (VRF) instances on Customer Edge (CE) devices. VRF-Lite extends limited Provider Edge (PE) functionality to a CE device, giving it the ability to maintain separate VRF tables and extending the privacy and security of a VPN to the branch office. This also allows the capability of sharing the same CE device for various internal departments while maintaining separate VRF tables for each department.
The GET VPN key server is not VRF aware. As a result, there can be 2 possible scenarios (cases) for deployment depending on whether single or multiple MPLS VPNs (PE VRFs) are used on the PE router for each GETVPN group:

Case 1: PE uses a single MPLS VPN (PE VRF) for all group member VRFs (CE VRFs). For this, group members can use the same certificate for authentication, for all the crypto maps applied on VRF interfaces. No overlapping addresses can be supported in the group member VRFs because the PE has all the group member addresses in a single VRF. However, traffic excluded from any of the encryption policies are subject to be routed across group member VRFs.

Case 2: To use overlapping addresses between group member VRFs, the PE router should use a unique MPLS VPN (PE VRFs) for each group member VRFs. In addition, a separate key server must be dedicated to each VRF because the key server is not VRF-aware. Group members should also use a separate certificate to authenticate each crypto map.

Benefits

• Allows customers to share the same CE router for various internal departments while maintaining separate VRF tables for each department

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/getvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.19) Cisco Tunnel Control Protocol (cTCP) Support on Easy VPN Hardware Clients

There are many situations where customers require a VPN client to operate in an environment where standard ESP (Protocol 50) or UDP 500 (IKE) can either not work, or not function transparently without modifications to existing firewall rules. With Cisco Tunnel Control Protocol (cTCP), users can establish VPN tunnels from the client to an Easy VPN Server through a third-party Network Address Translation (NAT) device or firewall.

Figure 22. Cisco Tunnel Control Protocol (cTCP) Support on Easy VPN Hardware Clients

Benefits

• Requires no modification of firewall rules

• Creates fewer limitations from where clients can connect

• Offers transparent interoperability with third party firewalls

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/easyvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.20) IPSec Usability Enhancements

A variety of IPSec usability enhancements are being introduced in Release 12.4(20)T:
Intelligent Defaults
Support for eight Internet Key Exchange (IKE) default policies and IPSec transform set policies. By default, the IKE option is turned on. The default IPSec transform set will be used only if no other transform set is configured for a crypto map.
To display the default IKE policy, the following CLI command has been created:
show crypto isakmp default policy
If the default policies are turned off, then show crypto isakmp default policy will not display the default policies. If the user configures the isakmp policy then the default policy will not be used during negotiation. This command is not available in the K8 images.
To display the default IPSec transform set policy, the following CLI command has been created:
show crypto ipsec default transform-set
The default transform-sets is not available in the K8 images.
IPSec Show Command Enhancements
Using IOS show commands to display MIB agent maintained data helps monitor CPE devices. The following show commands are some examples (MIB table information is for a specific VRF if the VRF-name is provided; otherwise, the information for all vrfs is displayed):
show crypto mib isakmp flowmib failure { vrf <vrf-name> }
show crypto mib isakmp flowmib global { vrf <vrf-name> }
show crypto mib isakmp flowmib history { vrf <vrf-name>}
Show Tech Support IPSEC
Often to resolve technical issues, multiple show commands need to be executed and the output needs to be collected. To simplify this process, the show tech-support IPSEC [vrf <vrf>] [peer-ip <address>] has been created to collect the same output in one show command.
Benefits

• Improves administration

• Simplifies configuration with default policies

• Improves problem reporting

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/ipsec
Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.21) Secure Shell Protocol Version 2 (SSHv2) Feature Enhancements

A number of SSHv2 enhancements have been added including additional debugging functionality, VRF-aware SSH support, SSH keyboard mode, and Diffie-Hellman group exchange key support for mods 2048 and 4096.
Benefits

• Simplifies debugging

• Supports larger Diffie-Hellman key sizes

• Provides VRF-aware SSH client-side functionality

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, 7301 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.22) Command Line Interface (CLI) for Displaying Certificates

Cisco IOS CLI introduces a new command to allow administrators to easily display all certificates in the Cisco IOS Certificate Server database.
Benefits

• Improves manageability by allowing all certificates in the Cisco IOS Certificate Store (CS) database to be displayed

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.23) CLI to Control Certification Revocation List (CRL) Cache

When processing X.509 certificates, the Certificate Revocation List (CRL) is consulted. To improve performance of certificate validation, IOS keeps a cache of the downloaded CRL in volatile storage on the router. Instead of using a fixed amount of volatile memory, administrators can reduce the cache size for low memory conditions or increase it for better performance when dealing with a large number of CRLs.
Benefits

• Helps to optimize router memory allocation

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

4.1.24) Secure Device Provisioning (SDP) Connect Template

SDP Connect Template increases the usability and range of applications for configuring the device for Internet connectivity. This eases the deployment process for routers, particularly routers that do not already have Internet connectivity.
Benefits

• Eases deployment burden on administrators

• Reduces deployment costs

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

4.2) Cisco IOS Infrastructure

4.2.1) Cisco Express Forwarding Scalability and Selective Rewrite (CSSR)

Cisco Express Forwarding (CEF) technology for IP is a scalable, distributed, layer 3 switching solution designed to meet the performance requirements of the Internet and Enterprise networks. The CEF infrastructure has been adapted and rewritten as Cisco Express Forwarding Scalability and Selective Rewrite (CSSR) in order to meet the requirements and scalability of Internet traffic evolution as well as support new platforms and features developed by Cisco.
This infrastructure is also supported in Cisco IOS Software Releases 12.2SB, 12.2SE, 12.2SG, 12.2SR, and 12.2SX.
Benefits
CSSR delivers the following benefits:

• Enhances scalability to sustain the Internet growth, support larger numbers of:

– IPv4/IPv6 prefixes and adjacencies

– Load balanced paths

– VPNs (VPN routing/forwarding instances)

• Simplifies fast switching path decisions for both IPv4 and IPv6 traffic

• Offers improved manageability:

– CEF logging for both IPv4 and IPv6

– Unicast Reverse Path Forwarding Strict and Loose mode for both IPv4 and IPv6

– CEF MIB support

– uRPF MIB support

– CLI display enhancements

Considerations
CSSR infrastructure enhancements in Release 12.4(20)T might result in changed performance characteristics in your networks. Please test your configurations prior to upgrading to this software release.
Hardware

Routers

• Cisco 1800, 2800, 3800, and 7200 Series Routers

Product Management Contact: Patrick Grossetete, pgrosset@cisco.com

4.2.2) Network Time Protocol (NTP) Version 4

NTP Version 4 is a protocol designed to time-synchronize a network of machines. It is widely used in the Internet to synchronize hosts and routers clocks as a large number of manufacturers include NTP software for their systems.
As the Internet evolves from thousands to millions of devices, improvements to NTP are required to better scale, enhance security, and comply with next generation of Internet Protocol Version 6 (IPv6).
The NTP Version 4 IETF draft is a significant revision to the NTP Version 3 standard, with a number of NTP v4 implementations in production today. The Cisco implementation prior to Release 12.4(20)T was based on NTP Version 3, an Internet draft standard formalized in RFC 1305.
Benefits

• Provides NTPv4 client and server functionality

• Allows NTPv4 configuration in IPv4 environments, including backward compatibility with NTPv3

• Enables NTP configuration in IPv6 environments

• Enables NTP configuration in VRF environment for both IPv4 and IPv6

Hardware

Routers

• Cisco 1800, 2800, 3800, and 7200 Series Routers

Additional Information:
Public NTP server information: http://support.ntp.org/bin/view/Servers/WebHome
Product Management Contact: Patrick Grossetete, pgrosset@cisco.com

4.3) MPLS

4.3.1) Cisco IOS MPLS Label Distribution Protocol (LDP) Enhancements

Cisco IOS MPLS LDP offers standards-based feature capabilities for MPLS label information signaling between MPLS-enabled routers. In addition to RFC3036-compliant MPLS signaling, Cisco MPLS LDP also offers a number of value-added feature capabilities, which enable improved configuration and usability. MPLS LDP feature capabilities are focused on MPLS LDP CLI configuration enhancements, enhanced security, and coexistence support with Cisco High Availability (HA) feature set, including Nonstop Forwarding (NSF) with Stateful Switchover (SSO).
The following LDP features and enhancements are introduced in Cisco IOS Release 12.4(20)T:
MPLS LDP-Message Digest 5 (MD5) Global Configuration
The MPLS LDP MD5 Global Configuration feature provides enhancements to the use of MD5 passwords for LDP session authentication. This feature allows the user to enable LDP MD5 globally (ie: in global router configuration context) instead of on a per-LDP peer basis. Using this feature allows setup of password requirements for a specific LDP neighbor, or a set of LDP neighbors (ie:LDP peer group) to help prevent unauthorized peers from establishing LDP sessions and to block spoofed TCP messages.
MPLS LDP-Lossless MD5 LDP Session Authentication
The MPLS LDP MD5 Global Configuration feature provides a configuration enhancement for enabling MD5-based session authentication of LDP sessions. This prevents unauthorized LDP peer applications from establishing LDP sessions with the local LDP process and also helps to block spoofed TCP messages.
The feature allows configuration of LDP MD5 support globally (ie: for all LDP-enabled interfaces on a MPLS-enabled router) instead of on a per-LDP peer basis. In addition, MD5 session authentication can be enabled for a selective set of LDP sessions via access-control lists.
Additional LDP feature enhancements are also introduced to provide the ability to dynamically change the configuration of MD5 keys for LDP session authentication. Via a configurable MD5 keychain, multiple MD5 authentication keys with specific activation intervals can be configured for a given LDP session. These new LDP enhancements complement existing MD5 LDP session authentication capabilities, which prior to Release 12.4(20)T only enabled configuration of one single MD5 key per LDP session.

Figure 23. MPLS LDP MD5 Global Configuration feature overview

Benefits
Key benefits of the new MPLS LDP feature enhancements include the following:

MPLS LDP-MD5 Global Configuration: Enhanced configuration capabilities for enabling MD5-based LDP session authentication, including MD5 authentication configuration for specific LDP peer groups and ability to update existing MD5 keys without impacting current state of LDP sessions.

MPLS LDP-Lossless MD5 LDP Session Authentication: No need anymore to tear down LDP session to activate new MD5 key for LDP session authentication. Configurable key chain enables flexible scheduling of multiple MD5 keys to be used for LDP session authentication.

Hardware

Routers

• Cisco 2800, 3800, and 7200 Series Routers

Product Management Contact: Harmen van der Linde ( havander@cisco.com)

4.3.2) Cisco IOS MPLS Traffic Engineering and Resource Reservation Protocol (TE/RSVP)

Cisco IOS MPLS TE offers standards-based feature capabilities for MPLS traffic management, including explicit path configuration and protection, via signaling of TE/RSVP tunnels. In addition to RFC-compliant RSVP/TE signaling procedures, Cisco MPLS TE also offers a number of value-added feature capabilities, which enable improved configuration and usability of MPLS TE functionality, such as coexistence support with the Cisco High Availability (HA) feature set.
Starting with Cisco IOS Release 12.4(20)T, a full set of MPLS TE/RSVP capabilities will also be available including the following features:
Basic MPLS TE/RSVP:
The following capabilities are now supported as part of the base MPLS TE/RSVP feature set:

• MPLS Traffic Engineering (TE)

• MPLS TE-OSPF Flooding Support

• MPLS TE-IS-IS Flooding Support

• MPLS TE-Support for LSP Attributes

• MPLS TE-Autoroute Announce

• MPLS TE-Verbatim Path Support

• MPLS TE-Configurable Path Calculation Metric for Tunnels

• MPLS TE-Hello State Timer

• MPLS TE-RSVP Refresh Reduction

Advanced MPLS TE/RSVP Signaling:
The following features enable advanced MPLS TE/RSVP signaling and support selective, flexible, and automated setup of traffic engineered paths in a MPLS network:

• MPLS TE-Explicit IP Address Exclusion

• MPLS TE-Link Affinity Attributes

• MPLS TE-Autotunnel Primary and Backup

• MPLS TE-Automesh (OSPF only)

• MPLS TE-Shared Risk Link Group (SRLG)

Explicit Traffic Mapping onto TE/RSVP Tunnels:
The following feature items enable explicit configuration of policies for mapping ingress traffic onto specific MPLS TE/RSVP tunnels:

• MPLS TE-Static Route Mapping into TE Tunnels

• MPLS TE-Policy-based Routing

• MPLS TE-Forwarding Adjacency

Inter-Domain MPLS TE/RSVP Support:
The following MPLS TE/RSVP feature items enable signaling of traffic engineered paths across multiple IGP and AS domains in a MPLS network:

• MPLS TE-Inter-Area Support

• MPLS TE-Inter-AS Support

MPLS TE/RSVP for Providing Network Protection (FRR):
The following MPLS TE/RSVP feature items enable support for Fast Re-Route (FRR) link and node protection in a MPLS network:

• MPLS TE-Fast ReRoute Link and Node Protection (RSVP Hellos)

• MPLS TE-Fast ReRoute (FRR) Bandwidth Protection

• MPLS TE-Fast Tunnel Interface Down

• MPLS TE-Node Protection Desired Bit

• MPLS TE-Path Protection

• MPLS TE-RSVP Graceful Restart

MPLS TE/RSVP for Providing Bandwidth (BW) Optimization:
The following MPLS TE/RSVP feature capabilities facilitate automated bandwidth optimization capabilities for TE tunnels:

• MPLS TE-Auto Bandwidth

MPLS TE/RSVP Management:
The following embedded management capabilities are available for support of MPLS TE/RSVP resource monitoring and TE tunnel connectivity validation and trouble shooting:

• MPLS EM-TE MIB based on IETF Draft Version 05

• MPLS OAM-LSP Ping/Trace for RSVP IPv4 FECs-RFC4379 (available since Release 12.4(6)T)

Benefits
Key benefits of the new MPLS TE/RSVP feature capabilities in Release 12.4(20)T:

Sub-second Traffic Protection: Via Fast Re-Route (FRR), MPLS TE/RSVP offers fast recovery of link and node failures in a MPLS network and this way minimizing potential traffic loss as result of network failures.

Bandwidth protection and network capacity engineering: Via RSVP bandwidth allocation and signaling, MPLS TE enables optimized traffic bandwidth allocation and distribution in a MPLS network.

Tight QoS traffic control: Via explicit routing and QoS mapping procedures (ie: mapping of QoS traffic onto specific traffic engineered tunnels) MPLS TE offers the ability to control the flow of QoS-market traffic across a MPLS network.

Deterministic traffic flow control: MPLS TE/RSVP enables setup of explicitly routed traffic paths across a MPLS network, which can facilitate temporary reroute of traffic during network maintenance activities.

Hardware

Routers

• Cisco 2800, 3800, and 7200 Series Routers

Product Management Contact: Harmen van der Linde ( havander@cisco.com)

4.4) Quality of Service

4.4.1) Cisco IOS QoS: Hierarchical Queuing Framework (HQF)

Cisco IOS Software today offers an extensive set of QoS features for queuing and shaping which network managers use for optimizing network bandwidth utilization. However, as more services are being deployed on the network, the general network implementation architecture becomes extremely complex, creating the need for more structured QoS queuing and shaping capabilities.
Cisco IOS Release 12.4(20)T introduces Hierarchical Queuing Framework (HQF), which enables customers to manage their QoS at multiple levels (physical interface level, logical interface level, and class level) of scheduling for applying QoS queuing and shaping. This provides the most comprehensive, granular, and flexible QoS network operating system architecture available in the industry today.
Benefits of HQF

• Extensive abstraction layer for consistent queue definitions within QoS

• Faster deployment of QoS queuing & shaping in large-scale networks

• Consistent queuing behavior applied with common Cisco Command Level Interface (CLI) commands across HQF supported Cisco IOS Software releases

Figure 24. HQF Layers of Hierarchy

Hardware

Platforms Supported

• Cisco 1801, 1802, 1803, 1805, 1811, 1812, 1841, 1861, 2821, 2851, 2811, 2801, 3250, 3220, 3270, 3825, 3845, AS5300XM, AS5400XM, IAD2430, IAD2431, IAD2432, VG224, 7204VXR, 7206VXR (NPE-400, NPE-G1, NPE-G2), 7201, and 7301 Series

Product Management Contact: Michael Lin, ( mhelin@cisco.com)

4.4.2) Resource Reservation Protocol (RSVP) Penultimate Hop Overwrite

The RSVP Penultimate Hop Overwrite feature allows you to configure an RSVP enabled router on a per interface basis to populate an address other than the interface address in the previous hop address field of the Previous Hop (PHOP) object when forwarding a PATH message onto that interface. You can configure the actual address for the router to use, or which interface, including a loopback, from which to borrow the address.
RSVP Penultimate Hop Overwrite Operation
Figure 12 below shows a sample network in which the following scenario occurs (no RSVP reservation is established):
An RSVP PATH message contains PHOP object that is rewritten at every RSVP hop. The object's purpose is to enable an RSVP router (R1) sending a PATH message to convey to the next RSVP router (R2) downstream that the previous RSVP hop is R1. R2 uses this information to forward the corresponding RESV message upstream hop-by-hop towards the sender.
The behavior in Cisco IOS Software prior to Release 12.4(20)T was that an RSVP router always set the PHOP address to be the IP address of the egress interface onto which the router transmits the PATH message. There are situations, however, where even though some IP addresses of R1 are reachable, the IP address of its egress interface is not reachable from a remote RSVP router (R2). This results in the corresponding RESV message generated by R2 never reaching R1, and the reservation never being established.

Figure 25. RSVP Penultimate Hop Overwrite Use Case

In the illustration shown in Figure 12 above, when a call is made from Branch Office 1 to Branch Office 2, the RSVP agent on customer edge router 1 (CE1) tries to set up a RSVP session with customer edge router 2 (CE2) and sends a PATH message. CE1 records its outgoing interface IP address (192.168.54.1), which is an un-routable IP address, in the PHOP object of the PATH message. This PATH message is tunneled across the service provider network and processed by CE2. CE2 records this IP address in the PHOP object of the received PATH message in the Path State Block (PSB).
CE2 has a receiver proxy configured for the destination address of the session. As a result, when CE2 replies back with a RESV message, CE2 tries to send the RESV message to the IP address that CE2 had recorded in its PSB. Because this IP address (192.168.54.1) is un-routable from CE2, the RESV message will fail.
Benefits
Flexibility and Customization: The user has the flexibility to specify RSVP PHOP IP address (example: loopback 0), which enables the deployment of RSVP over L3VPN RSVP-unaware core network even if the L3VPN network provider makes the CE-PE IP addresses un-routable (ie: using unnumbered IP addresses).
Hardware

Routers

• Cisco 1800, 2800, 3800, and 7200 Series Router

Additional Information: http://www.cisco.com/go/rsvp
Product Management Contact: Bertrand Duvivier, bduvivie@cisco.com

4.5) IP Version 6

4.5.1) IPv6 VPN Provider Edge Router (6VPE) over MPLS

6VPE, the Cisco implementation of IPv6 VPN provider edge router over MPLS, enables IPv6 locations in a VPN to communicate with each other over an MPLS IPv4 core network infrastructure levering MPLS Label Switched Paths (LSPs).
The 6VPE feature relies on multiprotocol Border Gateway Protocol (BGP) extensions in the IPv4 network configuration on the Provider Edge (PE) router to exchange IPv6 VPN reachability information, in addition to an MPLS label for each IPv6 address prefix to be advertised.
Edge routers are configured to be dual stack running both IPv4 and IPv6, and IPv4 VPN and IPv6 VPN can co-exist with similar coverage and policies.
The Cisco 6VPE implementation also provides IPv6 VRF-Lite support, enabling low-end Customer Edge (CE) routers without MPLS support to be supported.
6VPE was originally proposed at the IETF and published as RFC 4659.
6VPE is also supported in Cisco IOS Software Release 12.2SR for Cisco 7200 and 7600 Series Routers, and Cisco IOS-XR 3.5.2 for the Cisco 12000 Series Router.

Figure 26. 6VPE over MPLS Deployment

Benefits
6VPE allows IPv6 VPN to be deployed over existing MPLS Multiservice infrastructure with marginal operational impact, cost, and risk.
Key benefits include:

• IPv4 or MPLS Core Infrastructure is IPv6-unaware

• Cisco routers configured as PEs are updated to support Dual Stack/6VPE

• Cisco routers can be configured with IPv6 VRF-Lite

• IPv6 VPN reachability exchanged among 6VPEs via iBGP (MP-BGP)

• IPv6 VPN can co-exist with IPv4 VPN-same coverage and policies

Hardware

Routers

• Cisco 1800, 2800, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/ipv6
Product Management Contact: Patrick Grossetete, pgrosset@cisco.com

4.5.2) IPv6 Access Control List (ACL) enhancements for IPv6 IPSec Authentication Header (AH)

IPv6 Extended Access Control List (ACL) support, first introduced in Cisco IOS Software Release 12.2(2)T, included the ability to parse IPv6 extension headers to examine upper layer information. One exception was the ability to parse beyond the IPSec Authentication Header (AH). Some recent 3rd party operating system releases enable IPv6 traffic authentication between hosts in a managed domain through the use of the IPv6 IPSec AH extension header.
Cisco IOS Release 12.4(20)T introduces the capability to parse beyond the IPSec AH and process upper layer information (TCP, UDP, etc.), which offers greater flexibility in packet matching for ACLs and Quality of Service (QoS).

Figure 27. Parsing IPv6 Option Headers

Benefits
The IPv6 ACL enhancement for IPv6 IPSec Authentication Header allows network managers to keep control of key networking features when IPv6 Hosts generate traffic using IPv6 IPSec AH:

• IPv6 packet filtering continues to permit or deny IPv6 packets with IPSec AH

• IPv6 QoS marking or re-marking can be applied to packets with IPSec AH

Hardware

Routers

• Cisco 1800, 2800, 3800, and 7200 Series Routers

Additional Information:
Product Management Contact: Patrick Grossetete, pgrosset@cisco.com

4.5.3) Mobile Network v6-Basic NEMO Support

Cisco Mobile Network v6-Basic NEMO Support enables IPv6 networks, such as networks in a vehicle, to stay connected when moving from one location to another.
The Cisco Mobile Networks v6-Basic NEMO is based on IETF standard-RFC 3776 Network Mobility (NEMO) Basic Support Protocol. It is part of the Cisco IP Mobility technology offering, which includes Cisco Mobile IPv4, Cisco Mobile IPv6, and Cisco Mobile Network v4: http://www.cisco.com/en/US/products/ps6591/products_ios_protocol_group_home.html
Today, an increasing number of business operations occur outside of offices and often involve movement from one geographic location to another. IT departments look for ways to extend existing office applications and introduce new applications to where the operations take place. Through these practices, organizations expect their business operations to become more streamlined, and mobile workers are able to perform their job functions remotely in an efficient and effective manner.
However, simply extending IP networks is not sufficient to support mobile operations. When an IP network moves from one location to another, its network point of attachment is often changed. Without proper provisioning, the IP network can become unreachable. As a result, application traffic to IP devices on that IP network is dropped. The diagram below illustrates this point.

Figure 28. Traffic is dropped when IP networks are moved from one location to another

The bus shown in Figure 15 above has an IP network associated with a router. The router provides backhaul connectivity to the data center and there are multiple IP devices, such as video surveillance camera, connected to the IP network on the router. At time 1, the bus is in a parking lot and its network point of attachment is through a WiFi network in the parking lot. At time 2, when the bus leaves the parking lot and drives onto the street, it losses its WiFi connection and is now using a 3G wireless connection as the network point of attachment. When this happens without IP mobility technology, the traffic destined to the IP network is dropped (since the rest of the network has routing tables that point the IP network toward the WiFi network).
The Cisco Mobile Network (for both IPv4 and IPv6) resolves this issue by automatically routing the traffic for the IP network to the new point of attachment. When the router moves to its new point of attachment, it registers with a Mobile IP Home Agent to inform its new point of attachment. The rest of the network continues forwarding the traffic to the Home Agent, and the Home Agent forwards the traffic to the IP network via the new point of attachment. This results in no routing convergence, eliminating disruptions in network connectivity.
With Mobile Networks v6-Basic NEMO support, both mobile networks and transport networks can also be IPv6 networks, allowing the extension of the number of mobile nodes to large scale in situations where an IPv6 addressing scheme is available.

Figure 29. Mobile Network v6-Basic NEMO Support for Home Agent

Benefits

• Application sessions are not interrupted during movement (underlying IP address remains constant)

• Supports large number of mobile devices through IPv6 mobile network infrastructures

• Eases mobile networking deployment without impacting routing operations

• Improves operation efficiency and worker productivity

Hardware

Routers

• Cisco 1800, 2800, 3200,3800, and 7200 Series Routers

Product Management Contact: Richard Shao, rshao@cisco.com

4.6) Embedded Management

4.6.1) Cisco IOS Service Diagnostics

Cisco IOS Service Diagnostics is an embedded feature that enables customers, partners and Cisco TAC engineers the ability to diagnose software and network neighborhood issues on Cisco platforms, minimizing troubleshooting time. It can be used to run diagnostic audits on the network and monitor device health and state.
Cisco IOS Service Diagnostics provides a simple interface for deploying and receiving diagnostic information from scenario-specific troubleshooting scripts. It automates the Cisco comprehensive troubleshooting expertise in the BGP, OSPF, QoS, and resource diagnostics areas, with the goal of reducing the configuration burden of defining TCL scripts and/or EEM policies.
The benefits of Cisco IOS Service Diagnostics feature include but are not limited to:

• Cost savings (Reduced MTTR)

• Increased network uptime

• Automatically identify the most common root causes for the most common failure scenarios related to BGP, OSPF, QoS

• Send automatic alerts on resource monitoring when configured thresholds are crossed

• Automatically collect additional context information that is relevant to diagnosing a problem (accelerates problem resolution)

• Provide an infrastructure to customize and add additional diagnostics

• Enhance programmable platform capabilities of Cisco IOS Software

Cisco IOS Service Diagnostics also includes a new feature called Embedded Menu Manager (EMM). EMM provides a programmable framework which allows Cisco IOS to present a custom, character-based menu wizard user interface to guide users through complex configuration tasks.
EMM also allows the extension of the Cisco IOS user interface though the use of Menu Definition Files (MDF).

Figure 30. Example of OSPF Diagnosis Workflow

Benefits

• XML MDF file very flexible and file based

– Definitions can be centrally stored on network servers

– Menu elements can be made more dynamic with Tcl

• Built-in customizable context-sensitive help

• Wizard mode steps users through menu application

• Built-in input validation

• Ability to record and play back menu sessions

Additional Information:
Product Management Contact: Madhu Vulpala, mvulpala@cisco.com

4.6.2) Embedded Event Manager Version 2.4

Cisco IOS Embedded Event Manager (EEM) is a unique subsystem within Cisco IOS Software. EEM is a powerful and flexible tool to automate tasks and customize the behavior of Cisco IOS and the operation of the device. Customers can use EEM to create and run programs or scripts directly on a router or switch. The scripts are referred to as EEM Policies and can be programmed using a simple CLI-based interface or using a scripting language called Tool Command Language (Tcl).
EEM allows customers to harness the significant intelligence within Cisco IOS Software to respond to real-time events, automate tasks, create customer commands and take local automated action based on conditions detected by the Cisco IOS Software itself.
EEM provides a level of embedded systems management not previously seen in Cisco IOS Software. Over fifteen event detectors provide an extensive set of conditions that can be monitored and defined as event triggers. The system is extensible with new capabilities and further subsystem integration is planned.
EEM Version 2.4 Feature Enhancements and Benefits
EEM Version 2.4 ushers in a significant number of enhancements over previous versions:

1. Two new event detectors:

Remote Procedure Call Event Detector: Allows for programs outside of the device to invoke specific device-resident, embedded policies by sending a SOAP request over an SSHv2 connection. The device-resident policy runs on the device and may reply with information in a subsequent SOAP response.

SNMP Proxy Event Detector: Creates events when a specified SNMP trap or inform is received at the device. This allows for policies to be triggered by events from other devices.

2. Multiple Event Correlation: EEM 2.4 now allows for multiple events to be considered for policy invocation. Previously, a single event specification triggered a policy. Now up to 8 events may be correlated together using logical operators allowing for more granular and very powerful policy triggers.

3. Script Policy Refresh: This feature allows for easy management, distribution, and update of device resident polices using a pull model.

4. Additional ease of use enhancements and extensions:

Interface Counter ED: Rate based trigger; Bytecode support; Support for parameters on the event manager run command; Clear command to kill a policy; Registration substitution enhancement; SNMP ED enhancement - delta value; Tcl package support

Table 9. EEM 2.4 Features and Benefits

Feature

Benefit

Extensible and powerful subsystem architecture

Architecture

The EEM subsystem is designed with modularity in mind. It consists of Event Detectors, an Event Manager Server, and action routines called Policies

CLI interface

An interface to the Cisco IOS CLI to allow automated commands and access to any information that can be displayed

Policy scheduler

EEM policies are scheduled one at a time or concurrently according to the number of threads configured

Built-in actions

Policies can invoke a number of built-in actions for easy automation

Extensive set of Event Detectors (ED)

Application

Custom application events, action script interaction

CLI

CLI command match and run

Counter

Custom counter events

GOLD

Generic Online Diagnostics (GOLD) event detection

Interface

Interface counters and events

Memory Threshold (Deprecated)

Detect memory resource related events.

None (by run command)

Allows execution of an EEM policy by direct command, event manager run.

Object Tracking

Integration with Enhanced Object Tracking (EOT).

OIR

Card Online Insertion & Removal detection.

Remote Procedure Call

Allows for authorized programs outside of the device to invoke specific device-resident, embedded policies by sending a SOAP request over an SSHv2 connection.

Resource Threshold

Integration with Embedded Resource Manager, supersedes Memory Threshold ED.

RF

Cisco IOS infrastructure Redundancy Facility (RF) events

SNMP

Detect MIB variable match and thresholds.

SNMP Proxy

Creates events when a specified SNMP trap or inform is received at the device. This allows for policies to be triggered by events from other devices.

Syslog

Regular expression pattern match on emitted Syslog messages.

Timer

Custom timed events.

IOS Watchdog Monitor

Cisco IOS scheduler, watchdog events.

WDSysMon

Cisco IOS Software Modularity: System monitor event.

Secure system operation

EEM scripts run within system constraints

Protects system from harm. ie: A looping script will not stop Cisco IOS.

User scripts run in Safe-Tcl mode

Certain programmable options are disabled for protection

Controlled environment

Only a network administrator with privileged access can define and set up EEM scripts. No one else can install software to compromise the system.

Support for TACACS+/RADIUS

EEM scripts can be associated with a configured User ID and be checked for permission.

EEM is optional

If you don't want to use this powerful capability, you don't have to enable it.

Online scripting community

Cisco Beyond-Product Extension Community

A place for customers to share and download scripts. Don't reinvent the wheel. Build and extend the work of others. Learn by example. Go to: http://www.cisco.com/go/ciscobeyond .

Hardware

Routers

• Cisco Integrated Services Routers and Cisco 7200 Series Routers (refer to the Cisco IOS Feature Navigator for the latest device support information).

Additional Information: For more information about Cisco IOS EEM visit http://cisco.com/go/eem or contact your local Cisco account representative.
Product Management Contact: Rick Williams, rwill@cisco.com

4.6.3) Cisco IOS Embedded Packet Capture

Cisco IOS Embedded Packet Capture (EPC) is a powerful troubleshooting and tracing tool which allows network administrators to capture data packets flowing through, to, and from, a Cisco router. EPC be used in troubleshooting scenarios where it is helpful to see the actual data being sent through, from, or to the network device.
Suppose, for example, help desk personnel need to determine why a particular device cannot access the network or some application. It might be necessary to capture IP data packets and examine the data to determine the problem.
Another case might be when trying to determine an attack signature for a network threat or server system security breach. EPC can help capture packets flowing into the network at the origin or perimeter.
EPC is also useful whenever a network protocol analyzer might be useful in debugging a problem, but when it's not practical to install such a device.
Features and Benefits
EPC provides the following capabilities:

• Ability to capture IPv4 and IPv6 packets in the Cisco Express Forwarding path

• A flexible method for specifying the capture buffer size and type

• EXEC-level commands to start and stop the capture

• Show commands to display packet contents on the device

• Facility to export the Packet Capture in PCAP format suitable for analysis using an external tool such as Wireshark

• Extensible infrastructure for enabling packet capture points

Hardware

Routers

• Cisco Integrated Services Routers, Cisco 7200 Series Routers

Product Management Contact: Rick Williams, rwill@cisco.com

4.6.4) Flexible NetFlow (FNF) Exporter-Outgoing Features Support

Flexible NetFlow (FNF) Exporter is the FNF component in charge of pulling flow records out of the cache and sending those flows records to NetFlow collectors. Prior to Cisco IOS Release 12.4(20)T, NetFlow packets generated by Flexible NetFlow exporter were bypassing output features (QoS and Crypto) configured on the outgoing interface exported packets are sent through.
Flexible NetFlow Exporter can be configured to run output features, which allows NetFlow exported packets to be classified using QoS, and sent encrypted when IPSec is configured on the outgoing interface where exported packets are sent through.
Benefits

• Enables classification of NetFlow export packets using MQC

• Enables encryption of NetFlow export packets when crypto is configured on the outgoing interface

Hardware

Routers

• Cisco 1800, 2800, 3800, 7200, and 7300 Series Routers

Product Management Contact: Jean-Charles Griviaud, jgriviau@cisco.com

4.6.5) Flexible NetFlow for IPv6

Flexible NetFlow is the next-generation in flow technology. It allows optimization of the network infrastructure, reducing operation costs, improved capacity planning and security incident detection with increased NetFlow flexibility and scalability beyond other flow based technologies available today.
Benefits
Key Advantages of Flexible NetFlow include:

• Flexibility, scalability, and customization of flow data

• The ability to monitor a wider range of packet information

• Enhanced network anomaly and security detection

• User configurable flow information to perform customized traffic identification and the ability to focus and monitor specific network behavior

• Convergence of multiple accounting technologies into one accounting mechanism

• Multiple configurable flow caches

Flexible NetFlow can track multiple NetFlow applications simultaneously. For example, the user can create concurrent flow data for both security analysis and traffic analysis. Cisco IOS Flexible NetFlow provides enhanced security detection and or network troubleshooting by allowing customization of flow information. For example, the user can create a specific flow definition to focus and analyze a particular network issue or incident.

Figure 31. Flexible NetFlow Customizable Flow Monitors

Flexible NetFlow for IPv6 is a superset of NetFlow for IPv6. It will allow customers to replicate all existing features available in NetFlow for IPv6 without impact to existing collectors. This includes the collection of flows records using a pre-defined set of key fields, and the export of flow records using NetFlow v9 with pre-defined aggregations.
In addition to existing NetFlow for IPv6 features, Flexible NetFlow for IPv6 provides customers the following capabilities:

• Ingress and Egress NetFlow support

• Sampling for IPv6 Flows

• Multiple Monitor support for IPv6 Flows

• Support of IPv6 Options header

• Custom IPv6 Flow records definition

Table 10. IPv6 fields available for custom IPv6 Flow record definition

Hardware

Routers

• Cisco 1800, 2800, 3800, 7200, and 7300 Series Routers

Product Management Contact: Jean-Charles Griviaud, jgriviau@cisco.com

4.6.6) Deprecating NetFlow for IPv6 Record

NetFlow allows you to collect traffic flow statistics on Layer 3 devices, analyze traffic patterns to detect DoS attacks, perform network capacity planning and performance management, and many other applications. NetFlow for IPv6 allows customers to collect data from IPv6 and export traffic flows using the NetFlow Version 9 export format.
From Cisco IOS Software Release 12.4(20)T onward, NetFlow for IPv6 is no longer available, and is being replaced by Flexible NetFlow for IPv6. Flexible NetFlow for IPv6 leverages the enhanced CSSF infrastructure introduced in Release 12.4(20)T, enabling greater scalability and performance.
Flexible NetFlow provides a set of features that enable customers to migrate smoothly without any modification of existing collectors. This can be achieved by using predefined records and pre-defined aggregation.
Migrating from NetFlow for IPv6 to Flexible NetFlow for IPv6
Cisco IOS does not provide automatic configuration conversion between NetFlow for IPv6 and Flexible NetFlow for IPv6. Below is a snapshot of Cisco IOS CLI configuration modifications required to migrate from NetFlow for IPv6 to Flexible NetFlow for IPv6:

Figure 32. NetFlow for IPv6 to Flexible NetFlow for IPv6 Migration Configuration Example

Hardware

Routers

• Cisco 1800, 2800, 3800, 7200 and 7300 Series Routers

Product Management Contact: Jean-Charles Griviaud, jgriviau@cisco.com

4.7) Hardware

4.7.1) Cisco 1861 Integrated Services Router

The Cisco 1861 Integrated Services Router, which is part of the Cisco 1800 Series Integrated Services Router portfolio. It is a unified communications solution for small to medium size businesses and Enterprise branch offices that provide voice, data, voicemail, automated-attendant, video, and security capabilities while integrating with existing desktop applications such as calendar, email, and Customer Relationship Management (CRM) programs.

Figure 33. Cisco 1861 Integrated Services Router

This easy-to-manage platform takes full advantage of business-class, proven unified communications technologies and supports flexible deployment models based on your needs-a wide array of IP phones, Public Switched Telephone Network (PSTN) interfaces, and Internet connectivity.
Core components include the following:

• Integrated Cisco Unified Communications Manager Express or Cisco Unified Survivable Remote Site Telephony (SRST) for call processing

• Optional Cisco Unity® Express for voice messaging and Automated Attendant

• Integrated LAN switching with Power over Ethernet (PoE)-expandable through Cisco Catalyst® Switches

• Optional support for a range of High-speed WAN Interface Cards (HWICs)

• Optional security with firewall, VPN, Secure Sockets Layer (SSL), and Intrusion Prevention System (IPS) capabilities

Additional Information:
For more information about the Cisco Integrated Services Routers, please visit http://www.cisco.com/en/US/prod/routers/networking_solutions_products_genericcontent0900aecd806cab99.html
Product Management Contact: cs-1800@cisco.com

4.7.2) Intrusion Prevention System (IPS) Advanced Integration Module

The IPS AIM provides accelerated threat control for the Cisco 1841, Cisco 2800 and the Cisco 3800 family of Integrated Service Routers.
The IPS AIM has a dedicated CPU and DRAM to offload the host CPU and up to 45Mbps on the Cisco 3845 ISR.
It enables inline IPS and runs the same software (CIPS 6.0) and enables the same features as the Cisco IPS 4200.
The IPS AIM can be managed through Cisco IPS Device Manager or Cisco Security Manager, and it is supported by CS-MARS for event monitoring and correlation.

Figure 34. Intrusion Prevention System (IPS) Advanced Integration Module

Hardware

Routers

• Cisco 1841, 2800, and 3800 Series Routers

Product Management Contact: Tina Lam ( tinalam@cisco.com)

4.7.3) Cisco 860 and 880 Series Routers

The Cisco 860 and 880 Series Routers are part of the Cisco 800 fixed-configuration router family and offer Internet access, security, and wireless services over broadband speeds onto a single, secure device that's simple to use and manage for small businesses.
Cisco 880 Product Overview
Cisco 880 Series Integrated Services Routers are fixed-configuration routers that provide collaborative business solutions for secure data communication to small businesses and Enterprise teleworkers. The Cisco 880 Series offers concurrent broadband services over 3G 1, Metro Ethernet, multiple types of Digital Subscriber Line (DSL) and business continuity. Wireless 802.11n and 3G supported by the Cisco 880 support LAN/WAN mobility.
The Cisco 880 Series provides the performance required for concurrent services, including firewall, intrusion prevention, content filtering, and encryption for VPNs; optional 802.11g/n for mobility; and Quality of Service (QoS) features for optimizing voice and video applications.
In addition, Cisco Configuration Professional is a Web-based configuration tool that simplifies setup and deployment. Centralized management capabilities give network managers visibility and control of the network configurations at the remote site.
Benefits
Cisco 880 Series Integrated Services Routers offer:

• High performance for broadband access in small offices and small branch and teleworker sites

• Collaborative services and data communication

• Business continuity and WAN diversity with redundant WAN links: Fast Ethernet, G.SHDSL, 3G, and ISDN

• Enhanced security:

– Firewall with advance application and control for email, Instant Messaging (IM) and HTTP traffic

– Site-to-site remote access and dynamic VPN services: IPSec VPNs (Triple Data Encryption Standard [3DES] or Advanced Encryption Standard [AES]), Dynamic Multipoint VPN [DMVPN], Group Encrypted Transport VPN with onboard acceleration, and Secure Sockets Layer (SSL) VPN

• 4-port 10/100 Fast Ethernet managed switch with VLAN support; two ports support Power over Ethernet (PoE) for powering IP phones or external access points

• Secure 802.11g/n access point option based on draft 802.11n standard with support for Autonomous or Cisco Unified WLAN architectures

• CON/AUX port for console or external modem

• 1 USB 1.1 port for security e-token credentials, booting from USB, loading configuration

• Easy setup, deployment, and remote management capabilities through Web-based tools and Cisco IOS Software

Figure 35. Cisco 880 Series Integrated Services Router

Table 11. Cisco 880 Series Data Models

Models

WAN Interface

LAN Interfaces

802.11g/n Option

Integrated 3G *

Integrated ISDN Dial Backup

Cisco 881

10/100-Mbps Fast Ethernet

4-port 10/100-Mbps managed switch

Yes (Cisco 881W)

Yes (Cisco 881G) *

-

Cisco 888

G.SHDSL

4-port 10/100-Mbps managed switch

Yes (Cisco 888W)

Yes (Cisco 888G)

Yes


* Available in second half of calendar year 2008
Cisco 860 Product Overview
The Cisco 860 Series Integrated Services Routers combine Internet access, security, and wireless services onto a single, secure device that is simple to use and manage for small businesses. Cisco 860 Series delivers features, including firewall, IPSec VPNs, and WLANs, at broadband speeds to small offices. Easy deployment and centralized management features enable the Cisco 860 Series to be deployed by service providers for small businesses.
Benefits
Cisco 860 Series Integrated Services Routers offer:

• Concurrent broadband services for small offices, and remote sites

• Secure connectivity with Stateful Inspection Firewall and IP Security (IPSec) VPN support for small offices

• 4-port 10/100 Fast Ethernet managed switch with VLAN support

• CON/AUX Port for console or external modem connections

• Secure 802.11g/n access point option based on draft 802.11n

• Easy setup, deployment, and remote management capabilities through Web-based tools and Cisco IOS Software

• Security features including:

– Stateful Inspection Firewall

– IP Security (IPSec) VPNs (Triple Data Encryption Standard [3DES] or Advanced Encryption Standard [AES])

Figure 36. Cisco 860 Series Integrated Services Router

Product Management Contact: Harbans Kaur, harbkaur@cisco.com

4.7.4) Cisco Business-Class IAD880 Series Integrated Access Devices

The Cisco IAD880 Series Integrated Access Devices are cost-effective, fixed configuration, customer premises equipment for service providers offering managed voice and data services. It offers a set of cost-effective platforms for providing interconnect solutions for accelerating the migration from Time-Division Multiplexing (TDM) to Voice over IP (VoIP). It provides secure concurrent services, including firewall, content filtering, VPNs, and WLANs, at broadband speeds to small offices.
The Cisco IAD880 Series includes fixed configuration platforms with voice ports, WAN uplinks, embedded encryption acceleration, voice Digital-Signal-Processor (DSP) slots on the motherboard, IPS, and IPSec features while maintaining a desktop form factor for space-saving service provider managed services deployments.

Figure 37. Cisco IAD880 Integrated Access Device

Table 5 lists the routers that currently comprise the Cisco IAD880 Series.

Table 12. Cisco IAD880 Series Models

Model

WAN Interface

LAN Interfaces

VPN

Voice

Data Backup

802.11n Wireless (b/g Compatible)

IAD881

10/100 Mbps Fast Ethernet

4-port 10/100-Mbps managed switch

Up to 20 tunnels

4 FXS or 2 BRI

-

An option on all IAD881 SKUs

IAD888

G.SHDSL (Symmetrical High-Data-Rate DSL)

4-port 10/100-Mbps managed switch

Up to 20 tunnels

4 FXS or 2 BRI

ISDN

An option on all IAD888 SKUs

Primary Features and Benefits to Service Providers
Cost Effectiveness
The Cisco IAD880 Series offers the entire gamut of industry-leading features at a very cost effective price for service providers. With flexible support for a variety of WAN interfaces and line side voice interfaces, wireless services, as well as integrated security services, the Cisco IAD880 Series is customized to the unique requirements for the small and medium-sized business. Priced with the small and medium-sized business customer in mind, the feature-rich Cisco IAD880 Series offers superior value to a service provider interested in taking advantage of the growing managed small and medium-sized business services market.
Transparent Service Migration
The Cisco IAD880 Series can help service providers transparently migrate end customers from TDM-based voice service to call agent-based packet voice services without the need for a complete equipment upgrade at the end-customer site. The provider can choose SIP, MGCP or H.323 for VoIP protocols, based on the services that need to be delivered.
Flexibility
The Cisco IAD880 Series offers both TDM and VoIP with rich VoIP signaling protocol support. Combined with the option for call agent- and BRI-based network designs, the Cisco IAD880 Series offers powerful flexibility in the design of next-generation multiservice networks.
Functional Intelligence
When used with the popular Cisco Configuration Express tool, the auto-installation technology offers true ready-to-use installation. In addition, the Cisco IAD880 Series is based on Cisco IOS Software and provides the same IP features that power more than 80 percent of the Internet infrastructure. Cisco IOS Software delivers rich data services, allowing service providers to gain additional data revenue, in addition to proven industry-tested voice features.
Operational Efficiencies
The new Cisco IAD880 Series can increase operational efficiencies by reducing or eliminating the necessity for complete hardware upgrades, warehousing, complete equipment upgrades, and highly skilled technician involvement. Service providers that deploy these devices with other Cisco equipment and Cisco IOS Software can cost-effectively extend training, administration, and maintenance activities across the entire network.
End-to-End Solution
Because the Cisco IAD880 Series is compatible with a wide range of industry-leading DSL Access Multiplexers (DSLAMs) and voice gateways and offers world-class data features of Cisco IOS Software, service providers can deploy a highly efficient and scalable end-to-end multiservice network. The Cisco IAD880 Series is an integral part of Cisco packet voice solutions.
Primary Benefits to End Users
Robust Voice Quality
The Cisco experience in providing toll-quality packet-voice service helps ensure that the Cisco IAD880 Series provides the clear, robust voice quality that users have come to expect from telephony services.
Reliability
Cisco products are known for their exceptional reliability earned through years of proven industry service. The Cisco IAD880 Series extends the same reliability standards to managed service environments to provide end users with high levels of dependability.
Service Flexibility
Today's rapidly changing business environment leads to constant change in network requirements of small and medium-sized businesses. The Cisco IAD880 Series allows service providers to add or remove service offerings remotely based on end-user needs.
Network Capacity Expansion (NCE) System for Cisco ISRs
Cisco Network Capacity Expansion (NCE) System is a transparent proxy that increases the amount of available bandwidth at small to midsized branch offices and remote locations. It is designed to cost-effectively accelerate data transfer over the WAN by overcoming bandwidth limitations, and mitigating effects of latency and packet loss. With NCE, multisite organizations get more data through and more value out of their existing WAN links. Unlike other bandwidth optimization or latency mitigation products, Cisco NCE is a small-footprint module that easily integrates into the modular Cisco ISRs.

Figure 38. Network Capacity Expansion (NCE) System for Cisco ISRs

Benefits

• Accelerates WAN data transfer 3-20 times

• Hardware-based Layer 4 compression

• SCTP-based TCP optimization

• Cost-effective and network transparent

• Targeted at all TCP based applications

• Based on IETF standards (SCTP, Deflate, PEP)

Hardware

Routers

• Cisco 1841, 2800, and 3800 Series Routers

Product Management Contact: ask-nce-pm@cisco.com

4.8) Voice

4.8.1) Communications Manager Express (CME) 7.0 Voice Features

Cisco IOS Release 12.4(20)T contains several new features for customers using Communications Manager Express call processing:
E911 Support
E911 feature provides support for the enhanced 911 services to connect your Cisco Unified Communications Manager Express system to your local Public Safety Answering Point (PSAP).
The E911 feature includes:

1. Option to define unlimited number of Emergency Response Locations (ERL) for handling 911 calling party translation

2. Each ERL can have two (2) Emergency Location Identification Numbers (ELIN) for handling two calls at once from the ERL

3. Phones can be assigned to an ERL by use of IP address subnets or by using phone Mac address

4. On an outbound call to 911 (or any defined emergency number) the IP Phone calling party number is changed to the ELIN to allow the Public Safety Answering Point to know the location of the caller

5. Return calls from the Public Safety Answering Point to the IP Phone are routed back to the original 911 caller

6. Return calls from PSAP are routed to an operator or security personnel in case no matching E911 callback record is found

7. Ability to connect the CME system to multiple Public Safety Answering Points

8. Flexible ERL matching with the use of zones allowing for ranking of the locations and controlling the order of ERL searches

9. History of E911 calls placed can be viewed using Cisco IOS CLI Show command, or tracked via Radius or CSV Call Detail Record (CDR) collection

10. Use of CME E911 requires Primary Rate Interface (PRI) or Centralized Automated Message Accounting (CAMA) trunks

New Comma Separated Value Format and Supplementary Services Enhancements for Call Detail Records (CDR)
Cisco Unified Communications Manager Express can now generate Call Detail Records in a Comma Separated Value (CSV) format. The records in the CSV format can be either stored on the CME router flash or sent to a billing server directly using the File Transfer Protocol (FTP).
Extension Mobility
Extension Mobility in Cisco Unified CME provides the benefit of phone mobility for end users. A user login service allows phone users to temporarily access a physical phone other than their own phone and utilize their personal settings, such as directory number, speed-dial lists, and services, as if the phone is their own desk phone. The phone user can make and receive calls on that phone using the same personal directory number as is on their own desk phone.
Octo-line support
An octo-line directory number supports up to eight active calls, both incoming and outgoing, on a single phone button. Unlike a dual-line directory number, which is shared exclusively among phones (after a call is answered, that phone owns both channels of the dual-line directory number), an octo-line directory number can split its channels among other phones that share the directory number. All phones are allowed to initiate or receive calls on the idle channels of the shared octo-line directory number.
Call Barge with Privacy Release
The Barge feature enables phone users to join a call on a shared octo-line directory number by pressing the Cbarge soft key and converting the call to an ad hoc conference. This feature uses a hardware conference bridge configured in Cisco Unified CME. When the initiator barges into a call, an ad hoc conference is created between the barge initiator, the target party, and the other party connected in the call. Parties see the call information on their phone displays and, if the conference join tone is configured, hear a tone. The call information for all parties changes to barge and the participants can add more parties to the conference or drop any party. The initiator of the barge sees a new call created on their line in the connected state. The original remote-in-use call at the initiator does not change state as a result of the barge. The target party of the barge sees a new call created on their line in the remote-in-use state. The original connected call at the target party does not change state as a result of the barge.
The privacy feature enables phone users to block other users from seeing call information or barging into a call on a shared octo-line directory number. When a phone receives an incoming call on a shared octo-line, the user can make the call private by pressing the Privacy feature button, which toggles between on and off to allow the user to alter the privacy setting on their phone. The privacy state is applied to new calls and current calls owned by the phone user.
Privacy is enabled for all phones in the system by default. You can disable privacy globally and enable it for specific phones only, either individually or through an ephone template.
Add/change speed dial on phone
IP phone users can now configure their own speed-dial and fast-dial settings directly from the phone. The speed-dial and fast-dial settings can be added or modified on the phone by using a menu available with the Services feature button. Extension Mobility users can add or modify speed-dial settings in their user profile after logging in. The logout profile is not configurable from the phone.
Transfer to Voice Mail
The Transfer to Voice Mail feature allows a phone user to transfer a caller directly to a voice-mail extension. The user presses the TrnsfVM soft key to place the call on hold, enters the extension number, and then commits the transfer by pressing the TrnsfVM soft key again. The caller hears the complete voice mail greeting. This feature is supported using the TrnsfVM soft key or Feature Access Code (FAC).
Live Record Softkey with Cisco Unity Express
The Live Record feature enables IP phone users in a Cisco Unified CME system to record a phone conversation if Cisco Unity Express is the voice mail system. An audible notification, either by announcement or by periodic beep, alerts participants that the conversation is being recorded. The playing of the announcement or beep is under the control of Cisco Unity Express.
Blast/Parallel Hunt Group
Parallel hunt groups are a type of hunt groups where incoming calls simultaneously ring multiple phones. Using parallel hunt groups is also referred to as application-level forking because it enables the forking of a call to multiple destinations. In versions earlier than Cisco Unified CME 7.0, only SIP phones support parallel hunt groups. In Cisco Unified CME 7.0 and later versions, SCCP phones also support voice hunt groups.
Call Transfer Recall
The Call-Transfer Recall feature in Cisco Unified CME returns a transferred call to the phone that initiated the transfer if the destination does not answer. After a phone user completes a transfer to a directory number on a local phone, if the transfer-to party does not answer, the call is forwarded back to the transferor phone after the configured recall timer expires.
If the transfer-recall timer expires before a call is answered, the call is directed back to the transferor phone if the transfer-to directory number does not have Call Forward Busy enabled and is not a member of any hunt group.
Integration with Cisco 3200 Rugged ISR (previously the Cisco Mobile Access Router)
Cisco Unified CME on the Cisco 3200 Series can be deployed in sites requiring on demand network connectivity and voice and data communications that typically do not have PSTN connectivity. The benefits include:

• Ensures voice communications locally if the WAN link fails

• Allows greater autonomy for voice communications at remote sites

• Supports H.323 and SIP trunks

• Easily portable

SRTP media encryption for secure conversation
Cisco Unified Communications Manager Express now supports SRTP for media encryption to provide secure conversations. SRTP for secure media encryption when used with secure call control signaling using either Transport Layer Security (TLS) or IP Security (IPSec) channel provides completely secured communications.
Cisco Unified CME manages the SRTP keys to endpoints and to gateways. The Media Encryption (SRTP) on Cisco Unified CME feature supports the following features:

• Secure voice calls using SRTP for SCCP endpoints

• Secure voice calls in a mixed shared line environment that allows both RTP and SRTP capable endpoints; shared line media security depends on the endpoint configuration.

• Secure supplementary services using H.450 including:-Call forward-Call transfer-Call hold and resume-Call park and call pickup-Nonsecure software conference Note: SRTP conference calls over H.323 may experience a 0 to 2 second noise interval when the call is joined to the conference

• Secure calls in a non H.450 environment

• Secure Cisco Unified CME interaction with secure Cisco Unity

• Secure Cisco Unified CME interaction with Cisco Unity Express (interaction is supported and calls are downgraded to nonsecure mode)

• Secure transcoding for remote phones with DSP farm transcoding configured

Interoperability with Cisco Unified Contact Center Express 5.0
Cisco Unified CME now supports interoperability between Cisco Unified CME and Cisco Customer Response Solutions (CRS) 5.0 and later versions with Cisco Unified Call Center Express (Unified CCX), including enhanced call processing, device and call monitoring, unattended call transfers to multiple call center agents and basic extension mobility, and IP IVR applications.
The Unified CCX application uses the CRS platform to provide a multimedia (voice, data, and web) connection. Cisco IP IVR functionality is available with Unified CCX and includes prompt-and-collect and call treatment.
The following functions are provided in Cisco Unified CME

• Support of Unified CCX Cisco Agent Desktop for use with Cisco Unified CME

• Configuration query and update between Unified CCX and Cisco Unified CME

• SIP-based simple and supplementary call control services including:

– Call routing between Cisco Unified CME and Unified CCX using SIP-based route point

– First-party call control for SIP-based simple and supplementary call

– Call monitoring and device monitoring based on SIP presence and dialog event package

• Unified CCX session management of Cisco Unified CME

• Unified CCX device and call monitoring of agent lines and call activities in Cisco Unified CME

G.722 and iLBC Codec Support
In Cisco Unified CME, support for G.722-64K and the Internet Low Bit Rate Codec (iLBC) have now been added. This enables Cisco Unified CME to support the same codecs that are used in newer Cisco Unified IP phones, mobile wireless networks, and internet telephony without transcoding. This feature provides support for the following:

• iLBC and G.722-capable SIP and SCCP IP phones in Cisco Unified CME

• iLBC-capable SCCP analog endpoints and remote phones in Cisco Unified CME

• Conferencing support for G.722 and ILBC

• Supplementary services, such as transfer, call forward, MOH, support for G.722 and iLBC, including any supplementary services that require transcoding between G.722 and any other codec

• Transcoding for G.722 and iLBC, including G.722 to G.711 and G.722 to any other codec

Hardware

Routers

• Cisco 2800 and 3800 Series Integrated Services, UC500 Series Routers

Product Management Contact: Vipul Jain ( vipujain@cisco.com)

4.8.2) Survivable Remote Site Telephony 7.0 Voice Features

Cisco IOS Software Release 12.4(20)T contains new features for customers using Cisco Unified Survivable Remote Site Telephony (SRST) for backup call control with a centralized Communications Manager cluster:
Octo-line support
With the octo-line support in the Cisco Unified SRST, a single phone button can have up to 8 active calls, both incoming and outgoing during the time the connection to the centralized communications manager is out of service.
Hardware

Routers

• Cisco 2800 and 3800 Series Integrated Services Routers

Product Management Contact: Vipul Jain ( vipujain@cisco.com)

4.8.3) Cisco Unified Border Element (CUBE) 1.2

Cisco Unified Border Element provides the necessary services for interconnecting Unified Communications networks securely, flexibly and reliably. Designed to meet Enterprise and service provider UC interconnection needs, including Session Border Controller (SBC) functions, Cisco Unified Border Element is an integrated Cisco IOS Software application.

Figure 39.

The new features in CUBE 1.2 enable unprecedented adaptability and interoperability with more endpoints. SIP profiles enable the integration of new types of devices and applications and allow for interoperability with third party devices that require specific SIP messages. Additional features include SIP video for Telepresence calls, Session Border Controller Enhancements for H.323 video, H.239 signaling, H235 security and universal transcoding.
Hardware

Routers

• Cisco 2800, 3800, AS5350XM and AS5400XM Series

Additional Information: http://www.cisco.com/go/cube
Product Management Contact: ask-cube-pm@cisco.com

4.8.4) Voice Quality Improvements on Cisco VoIP Gateways

The G.722-64 and iLBC codecs can now be used to enable conferencing and transcoding on Cisco IOS voice gateways in a Cisco Unified Communications Manager or in a Cisco Unified Communications Manager Express network. Digital Signal Processor (DSP) farms provide conferencing and transcoding services using DSP resources on high-density digital voice/fax network modules (PVDM2). G.722-64 brings "high definition" voice for the branch office using the same bandwidth as G.711 (64Kbps). iLBC provides high robustness to packet loss while maintaining good voice quality with efficient bandwidth usage.
A rich set of voice quality metrics such as K factor and late voice packet counts are made available in gateways for SIP and H323 signaling protocols in addition to MGCP. The metrics available via IOS CLIs, CDRs and Syslog can be used for efficient diagnostics and proactive monitoring of voice calls. Troubleshooting problems such as one way audio and echo are made easier for network administrators. Voice jitter buffer improvement applicable on the Cisco VoIP gateways results in overall improved VoIP call quality and better delay adaptation with a variety of endpoints in branch offices.
Integrated 3G-324M Gateway Support on the AS5000 Series
Cisco adds the 3G-324M standard gateway protocol to IOS to be supported on the AS5350XM and AS5400XM for video telephony services. This feature enables the IP video and voice network implementations to talk directly to the next generation 3G mobile networks.
In addition, the Cisco 3G-Gateway functionality interfaces with the Cisco Unified Customer Voice Portal (CVP) SIP Back-to-Back User Agent (B2BUA). This allows Interactive Voice Response (IVR) sessions that start as an audio call to switch to video IVR session providing an enhanced customer experience. Ultimately, these video calls are transferred to agents with video capabilities. The 3G-324M gateway functionality is supported for basic calls and also for calls which require supplementary services like hold, resume, transfer and conference. The Cisco IOS 3G-324M gateway solution supports a wide range of endpoint types including H.263+ endpoints which are commonly adopted for this type of solution. Cisco IOS Software Release 12.4(20)T further enhances the video capabilities on the Cisco Integrated Services Router (ISR) 2800 and 3800 Series by implementing H.320 ISO-13871 bonding enhancements to the existing Cisco IOS H.320 Gateway functionality.
Land Mobile Radio (LMR) Over IP - Tone Control Feature
Cisco IOS Release 12.4(20) T enhances the Land Mobile Radio (LMR) Over IP capabilities of the Cisco Integrated Services Router (ISR) 2800 and 3800 Series by providing RFC2833 based tone control feature for use with Cisco IPICS2.1.
ISDN Q.931 tunneling over SIP
This feature enables ISDN Q.931 tunneling using the RAW format over the SIP TDM gateway.
Hardware

Routers

• Cisco AS5350XM and AS5400XM Series

Product Management Contacts:
Teresa Newell, tnewell@cisco.com
Li Shen, lishen@cisco.com

5) Release 12.4(15)T Highlights

Table 13. Release 12.4(15)T Feature Highlights

5.1) Cisco IOS Security

5.2) Routing and Multicast

5.3) IP Services

5.4) High Availability

5.5) Connectivity

5.1.1) Cisco IOS Intrusion Prevention System (IPS) Support for Microsoft Vulnerabilities *

5.1.2) Flexible Packet Matching (FPM) Full Packet Filtering *

5.1.3) Cisco IOS SSL VPN Enhancements

5.1.4) Cisco IOS Software Support for AnyConnect VPN Client

5.1.5) Reverse Route Injection Distance Metric Enhancements

5.2.1) OSPF Mechanism to Exclude Connected Prefixes

5.2.2) Optimized Edge Routing (OER) Application Aware Routing *

5.2.3) OER Link Grouping

5.2.4) Bandwidth Call Admission Control (CAC) for IP Multicast

5.3.1) Gateway Load Balancing Protocol (GLBP) Client Cache

5.3.2) Dynamic Host Configuration Protocol (DHCP) Server Multiple Subnet

5.3.3) Hot Standby Routing Protocol (HSRP) Bidirectional Forwarding Detection (BFD) Peering

5.3.4) DHCPv6 Stateless Enhancements

5.4.1) Bidirectional Forward Detection (BFD) Support for Cisco Integrated Services Routers*

5.5.1) Multiple PPP-over-Ethernet (PPPoE) Clients per VC Support

5.5.2) Layer 2 Tunneling Protocol (L2TP) Forwarding of PPPoE Tags

5.6) Management, Instrumentation, and User Interface

5.7) Mobility and Wireless

5.8) Voice

5.9) Hardware

5.6.1) Cisco IOS Auto-Upgrade Manager *

5.6.2) Cisco IOS Embedded Resource Manager *

5.6.3) Toolkit Command Language (TCL) Signing

5.7.1) Mobile Ad Hoc Networking (MANET) Networking Enhancements for Router Radio Links

5.7.2) Access Point Link Role Flexibility *

5.7.3) IP Pool Address Holdback Timer

5.8.1) Communications Manager Express (CME) 4.1 Voice Features

5.8.2) Survivable Remote Site Telephony 4.1 Voice Features

5.9.1) Cisco 7201 Router *

5.9.2) ATM T3/E3 for the Cisco 2800 and3800 Series Integrated Services Router

5.9.3) HWIC-2SHDSL & HWIC-4SHDSL

5.9.4) Cisco 1- and 2-Port Enhanced Capability T3/E3 Clear Channel Port Adapters and Feature Offload Support for Multichannel T3 Port Adapters

5.9.5) USB eToken 64KB Enhancement

5.9.6) Boot from USB Flash Enhancement

* Indicates Key Highlight

5.1) Cisco IOS Security

5.1.1) Cisco IOS Intrusion Prevention System (IPS) Support for Microsoft Vulnerabilities

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based feature that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. As a core facet of the self-defending network, Cisco IOS IPS enables the network to defend itself with the intelligence to accurately identify, classify, and stop or block malicious or damaging traffic in real time.
While it is common practice to defend against attacks by inspecting traffic at the data centers and corporate headquarters, distributing the defense to stop malicious traffic close to its entry point at the branch offices is also critical. Deploying inline Cisco IOS IPS at the branch enables gateways to drop offending traffic, send an alarm, block an attacker or reset a potentially malicious client-server connection as needed to stop attacking traffic at its point of origin.
Key Benefits of Cisco IOS IPS features include:

• Provides network-wide, distributed protection from many worms, viruses, and attacks exploiting vulnerabilities in operating systems and applications

• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as in small and medium-sized business networks

• Offers field-customizable worm and attack signature set and event actions

• Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions

• Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router

• Supports same signature database available for Cisco Intrusion Prevention System (IPS) appliances

In Cisco IOS Software Release 12.4(15)T, Cisco IOS Intrusion Prevention System (IPS) provides support for the Cisco IPS Software Version 5.x/6.0 signature format, which is also used by the latest Cisco appliance-based IPS products. The Cisco IPS version 5.x signature format is improved to support encrypted signature parameters and other features such as signature Risk Rating. In this release, Cisco IOS IPS feature will also support signatures for many vulnerabilities found in Microsoft Server Message Block (SMB) and Microsoft Remote Procedure Call (MSRPC) protocols. Both of those protocols are widely and frequently used by most of Microsoft's computer applications and software packages.
New Cisco IOS IPS features in Cisco IOS Release 12.4(15)T provides:

• Signatures for vulnerabilities in Microsoft SMB and MSRPC protocols

• Support for encrypted signatures provided by vendors under NDA (such as Microsoft)

• Risk Rating value in IPS alarms for efficient event filtering, monitoring and correlation

• Supports Signature Event Action Processor (SEAP) for automated adjustment of signature event actions based on Risk Rating

• Support for the same signature format as the latest Cisco IPS appliance/module software version

• Individual and category based signature provisioning capabilities via Cisco IOS CLI

• XML-based IDCONF signature provisioning mechanism

• Automated signature updates (at periodic intervals) from a local TFTP or HTTP/HTTPS server

Figure 40. IPS Now Supports Microsoft SMB and MSRPC Signatures Natively

Benefits of IPS Features in Cisco IOS Software Release 12.4(15)T

Enhanced Microsoft Signature Support (MSRPC and SMB):

Cisco IOS IPS adds support for ~95 signatures for vulnerabilities in Microsoft Remote Procedure Call (MSRPC) and Microsoft Small Message Block (SMB) protocols.

Support for Encrypted Signatures Released Under NDA:

Cisco IOS IPS can now scan for encrypted signatures for certain vulnerabilities as provided by vendors under NDA (such as Microsoft) sometimes even before their public release.

More Accurate and Efficient Event Monitoring with Reduced False Positives:

Event Risk Rating value provided in IPS alarms are calculated based on signature severity, signature fidelity (high fidelity signatures have a lower rate of false positives) and a "target value rating" defined by users. Event monitoring/correlation applications or devices such as CS-MARS may use the Risk Rating (RR) value in IPS alarms to filter out events below a certain RR threshold and/or trigger event correlation/action rules based on relative importance of IPS events indicated by their Risk Rating value.

Quick and Automated Adjustment of Signature Event Actions Based on Calculated Risk:

The Signature Event Action Processor (SEAP) feature allows overriding of default signature actions based on calculated Risk Rating value. For instance, signatures generating events with a Risk Rating value of 90 or higher (on a scale of 1 to 100) may be configured to drop offending packets and/or deny traffic from the attacker's address in addition to the default action of simply sending an alarm.

Common Operational Model for Cisco IPS Appliances, Modules and Cisco IOS IPS:

In this release, Cisco IOS IPS starts using the same signature format and deployment/update/provisioning mechanism as all other Cisco IPS devices allowing Cisco Security Manager 3.1 to apply the same policy changes (signature tunings) to all Cisco IOS routers, IPS appliances and modules in a customer network.

Secure and Scalable Management of Signature Policies for Any Kind of Deployment:

Security Device Manager 2.4 and Cisco Security Manager 3.1 provides complete IPS provisioning capabilities for a single router and multiple routers and IPS devices, respectively. Both management applications use IDCONF protocol running securely over HTTPS. Granular customization and tuning of signatures is also possible via CLI and custom CLI scripts. For large scale deployments, it is possible to distribute signature selection and action tunings applied to a single router to a large number of routers using Cisco Configuration Engine.

Timely Protection from the Latest Threats with Minimal User Intervention:

Automated and periodic signature updates from a local TFTP or HTTP(S) server.

Hardware

Routers

• Cisco 87x, 1800, 2800, 3700, 3800, 7200 Series Routers

Additional Information: http://www.cisco.com/go/iosips
Product Management Contact: Kemal Akozer ( kemal@cisco.com)

5.1.2) Flexible Packet Matching (FPM) Full Packet Filtering

Flexible Packet Matching (FPM) is the next-generation Access Control List (ACL) technology that provides a flexible and rapid first line of defense against malicious traffic at the entry point into the network. It features powerful custom pattern matching deep within the packet header or payload, minimizing inadvertent blocking of legitimate business traffic.
FPM is a packet classification feature that allows users to define one or more classes of network traffic by pairing a rich set of standard matching operators with user-defined protocol header fields. FPM further extends the network traffic class definition capability to include new CLI syntax to offset into a user-defined protocol header and, furthermore, into the data portion of the packet.
FPM provides network security administrators with powerful tools to identify miscreant traffic as it enters the network, and to immediately drop and/or keep a log for audit purposes. Administrators can specify custom match patterns at multiple offsets within the packet. FPM includes ready-made definitions for standard protocols via Protocol Header Definition Files (PHDF), which simplify deployment. Customers can also customize and add extensions to PHDFs at device run time.
FPM was first introduced in Cisco IOS Release 12.4(4)T. In the initial release, FPM was limited to searching for patterns 32 bytes long within the first 256 bytes of a packet. Release 12.4(15)T extends the FPM matching capability by allowing network security administrators the ability to search for strings up to 256 bytes long anywhere within the entire packet. This provides greater flexibility for defining filters for miscreant traffic targeting your network.

Figure 41. Flexible Packet Matching Process

Benefits

• FPM enables users to create their own stateless packet classification criteria and to define policies with multiple actions (ie: drop, log or send ICMP unreachable) to immediately block new viruses, worms, and attacks

• FPM provides a flexible, granular Layer 2-7 matching capability providing the ability to inspect packets for characteristics regardless of the header fields involved

• FPM goes beyond static attributes allowing you to specify arbitrary bits/bytes at any offset within the entire packet (header or payload), minimizing inadvertent blocking of legitimate business traffic

• Allows network security administrators to rapidly set up custom filters using CLI or XML-based policy language

• Useful for Security Incident Response Teams for reacting to threats targeting their networks

Hardware

Routers

• Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200 and 7301 Series

Considerations
The Flexible Packet Matching feature is only available in Cisco IOS Software Release 12.4(15)T (and higher) Advanced Security, Advanced IP Services, and Advanced Enterprise Software packages.
Additional Information: http://www.cisco.com/go/fpm
Product Management Contact: ask-stg-ios-pm@cisco.com

5.1.3) Cisco IOS SSL VPN Enhancements

Unlike IPsec-VPN, SSL VPN in clientless mode is an application-aware technology. Using SSL VPN on the routers, companies can securely and transparently extend their companies' networks to any Internet-enabled location. SSL VPN is compelling because the security is transparent to the end user and easy for IT to administer. Using only a Web browser, companies can extend their secure Enterprise networks to any Internet-enabled location, including home computers, Internet kiosks, and wireless hotspots-thereby enabling higher employee productivity and protecting corporate data. Cisco IOS SSL VPN supports clientless access to applications such as HTML-based intranet content, email, network file shares, and Citrix. While this allows for a great end-user experience, it must be balanced with proper access-control so end-users have access to only those resources dictated by corporate policy. Figure 29 provides a use-case scenario for customers to implement Cisco IOS SSL VPN effectively at the branch.

Figure 42. IOS SSL VPN Use Case Scenario

Cisco IOS ® SSL VPN is a licensed feature supported on Cisco ® 871, 1800, 2800, 3700, 3800, 7200, and 7301 routers running the Advanced Security image since Cisco IOS Software Release 12.4(6)T (and higher). You can purchase the feature license in packs of 10, 25, or 100 simultaneous users directly from the Cisco.com ordering tool or through your Cisco partner/account team. Figure 30 provides more portfolio and license pricing details.

Figure 43. Cisco IOS SSL VPN Portfolio and Pricing

New SSL VPN features in Cisco IOS Software Release 12.4(15)T include the following:

1. SSL VPN Clientless Performance Enhancements

2. SSL VPN GUI Enhancements

3. SSL VPN User-level Bookmarking

4. Front Door-VRF Support

5.1.3.1) SSL VPN Clientless Performance Enhancements

Prior to this feature, traffic from clientless SSL VPN users was processed switched. Clientless performance enhancements bring CEF support to clientless SSL VPN traffic through this Cisco IOS SSL VPN gateway. Cisco Express Forwarding (CEF) technology for IP is a scalable, distributed, layer 3 switching solution designed to meet the future performance requirements of the Internet and Enterprise networks. Hardware acceleration is also now supported, offloading the processor from extensive cryptographic computations.
Reduction of the overall load of the processor allows for greater scalability and throughput providing for an improved user experience and user density per router. Reducing the CPU load also allows for configuration of other concurrent features on the router. CEF and hardware support are enabled by default.
Benefits

Increased Scalability and Performance: Increased number of concurrent users and throughput.

5.1.3.2) SSL VPN GUI Enhancements

Ergonomic improvements of the GUI user interface of the Cisco IOS SSL VPN gateway have been added. Improved customization of the user interface provide for greater flexibility and ability to tailor the portal pages for an individualized look and feel. Features are more clearly delineated, making for a more intuitive and less cluttered interface. The portal page now spawns new pages for mangled links or URLs, eliminating any need to navigate back to the portal page. The separate toolbar window has been replaced with an integrated floating toolbar that floats in either the upper left or right (dynamically configurable) of pages spawned from the portal page. Previous interface configurations are still available.

Figure 44. SSL VPN GUI Enhancements

User Configurable Enhancements:

• Login Banner message

• Login Picture

GUI Improvements:

• GUI layout

• Toolbar integrated directly into spawned pages:

Previous Configurable Elements:

• Login message

• Color accents

• Logo

• Secondary browser color

• Secondary text color

Benefits

Ease of use/Customization: The improved GUI takes into account the latest Cisco IOS SSL VPN features and presents them in a layout that is more intuitive and aesthetic. Integration of the toolbar reduces clutter of the desktop by removing an extra window.

5.1.3.3) SSL VPN User-Level Bookmarking

User level bookmarking allows individual users to customize the portal page with their own bookmarks. Bookmarks are stored on the router and are linked to the individual user id's so the user's bookmarks are location/machine independent. The user profile location can be stored on any of the file systems on the router as well as externally such as a Trivial File Transfer Protocol (TFTP) server. In addition to administrator defined bookmarks, Cisco IOS SSL VPN users can create, edit, and delete their own individual bookmark list and have access to them on any computer at any location.

Figure 45. SSLVPN User-Level Bookmarking

Benefits

Increased Usability: The user level bookmarking feature gives flexibility to users to customize the portal page to suit their individual needs. In addition to predefined links configured by the administrator, users can create a list of bookmarks that are most useful for them.

5.1.3.4) Front door-VRF (fVRF) Support

Front door-VRF (fVRF) support, coupled with the already supported internal VRF (iVRF) capability in Cisco IOS Software Release 12.4T, allows the Cisco IOS SSL VPN gateway to be fully integrated into an MPLS network. The virtual gateway can be placed into a VRF, separate from the Internet to avoid internal MPLS/IP network exposure. This reduces the vulnerability of the router by separating the Internet routes and/or the global routing table. Clients can now reach the gateway via the fVRF which can be separate from the global VRF. The backend or iVRF functionality remains the same.

Figure 46. Front door-VRF Support

Benefits

Increased Security: Cisco IOS SSL VPN virtual gateway can be placed and accessed on a separate VRF to reduce network exposure and provide support for overlapping IP addresses.

Hardware

Routers

• Cisco 871, 1800, 2800, 3700, 3800, 7200, 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

5.1.4) Cisco IOS Software Support for AnyConnect VPN Client

The Cisco AnyConnect VPN Client is the Cisco next generation VPN client providing secure remote access through an SSL VPN tunnel. It provides similar functionality and features as traditional IPsec clients. As with clientless access, no provisioning on the client machine is required. The AnyConnect client is pushed from the Cisco IOS SSL VPN gateway to the client where it is installed and a secure tunnel is established. Initial installation requires admin rights, but upgrading an existing install does not.
AnyConnect supports 32-bit Microsoft Windows 2000, Windows XP, Windows Vista (64-bit platforms to follow as well as Windows Mobile 5), Mac, and Linux platforms.

Figure 47. Cisco IOS Software Support for AnyConnect VPN Client

Benefits

Increased Functionality and Flexibility: The Cisco AnyConnect VPN Client provides a secure remote access alternative for non-Web based traffic. It compliments clientless operations, allowing for traditional IPsec like connectivity between clients and the secure Cisco IOS Software gateway.

Hardware

Routers

• Cisco 871, 1800, 2800, 3700, 3800, 7200, 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

5.1.5) Reverse Route Injection Distance Metric Enhancements

Reverse Route Injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint. The RRI Distance Metric Enhancement defines a distance metric for each static route created by RRI.
RRI is supported on both ipsec-profile and crypto map configuration (CLI) profiles:

• Configuration example on crypto map:

crypto map mymap 1 ipsec-isakmp

set reverse-route distance 20

• Configuration example on ipsec-profiles:

crypto ipsec profile myprof

set reverse-route distance 20

Benefits

Increased Flexibility: Improves RRI flexibility when used in dynamic routing scenarios. Static routes can be tailored so dynamic routes can have priority in the routing table.

Hardware

Routers

• Cisco 871, 1800, 2800, 3700, 3800, 7200, 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossecurity
Product Management Contact: ask-stg-ios-pm@cisco.com

5.2) Routing and Multicast

5.2.1) OSPF Mechanism to Exclude Connected Prefixes

By default, when an OSPF router is connected to other OSPF routers via an IP numbered link, it automatically includes prefixes of IP numbered links in its advertisements. The OSPF Mechanism to Exclude Connected Prefixes feature enhancement provides the ability to exclude directly connected prefixes from advertising throughout the network.
When this feature is configured, IP numbered link prefixes will not be advertised into the network, resulting in improved convergence times and enhanced security by excluding internal network prefixes from being exposed outside of the network.
Key Benefits:

Improved convergence, scalability and performance: By excluding prefixes in OSPF advertisements, the network will converge faster, scale better. Performance of routers is improved by dealing with less number of prefixes in a network.

Improved security: By not advertising connected prefixes, OSPF area border routers or autonomous system border routers will not be able to advertise these prefixes outside of the network. This improves the security of the network by not advertising connected prefixes to external entities.

Hardware

Routers

• Cisco 7200 Series Routers

Product Management Contact: Suresh Katukam ( skatukam@cisco.com)

5.2.2) Optimized Edge Routing (OER) Application Aware Routing

Previously Optimized Edge Routing (OER) allowed users to optimize traffic based upon IP Prefixes, DSCP values, and Access Control Lists (ACLs). This feature allows OER the ability to optimize well known applications without having to configure ACLs to classify the traffic. Application optimization can be divided into three important tasks; application detection (learning), application performance measurement, and application route control. With this feature, you can specify an application by name for learning, performance measurement and route optimization.
Table 7 is a list of some of the applications that can be defined in OER policies for performance routing:

Table 14. Application List for OER Application Aware Routing

Application Name

Protocol

Port Number

CU-SeeMe-Server

TCP

UDP

7648 7649 7648 7649 24032

DHCP-Server

UDP/TCP

67

DHCP-Client

UDP/TCP

68

DNS

UDP/TCP

53

FINGER-Server

TCP

79

GOPHER-Server

TCP/UDP

70

HTTPSSL-Server

TCP

443

HTTP

TCP/UDP

80

IMAP-Server

TCP/UDP

143 220

SIMAP-Server

TCP/UDP

585 993(preferred)

IRC-Server

TCP/UDP

194

SIRC

TCP/UDP

994

KERBEROS-Server

TCP/UDP

88

749

L2TP-Sever

UDP

1701

LDAP-Server

TCP/UDP

389

SLDAP-Server

TCP/UDP

636

MSSQL-Server

TCP

1433

NETBIOS-Server

UDP

TCP

137 138

137 139

NFS-Server

TCP/UDP

2049

NNTP-Server

TCP/UDP

119

SNNTP-Server

TCP/UDP

563

NOTES-Server

TCP/UDP

1352

NTP-Server

TCP/UDP

123

PCanywhere-Server

UDP

TCP

22 5632

65301 5631

POP3-Server

TCP/UDP

110

SPOP3-Server

TCP/UDP

995

PPTP-Server

TCP

1723

SMTP-Sever

TCP

25

Hardware

Routers

• Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers

Product Management Contact: Scott Van de Houten ( svandeho@cisco.com)

5.2.3) OER Link Grouping

OER automates routing in order to select the best path based upon cost minimization, load distribution policy, and overall network performance. This enables intelligent network traffic load distribution and dynamic failure detection of data-paths at the WAN edge (for multi-homing to the Internet or intranet connectivity). OER is unique in that it can make adaptive and dynamic routing adjustments based on criteria other than static routing metrics: response time, packet loss, jitter, MOS scores, path availability, traffic load distribution, and financial cost minimization policies.
OER Link Grouping allows one or more interfaces on the border router to be assigned to a link group. By assigning interfaces to a link group, applications can be directed to only traverse interfaces within a link group. Policies are used to select an exit interface from a given link group. Fallback link groups can be used by the Policy if no interface within a link group is available or meets the policy requirements.
Hardware

Routers

• Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers

Product Management Contact: Scott Van de Houten ( svandeho@cisco.com)

5.2.4) Bandwidth Call Admission Control (CAC) for IP Multicast

In multicast enabled networks, monitoring and controlling the amount of bandwidth utilized is critical for service efficiency. In corporate communications or IP video environments, it is important that the network link is not oversubscribed or video services might degrade for a set of users. Cisco understands this problem and has implemented a method to control and monitor the total bandwidth consumed at the network edge. In today's networks voice, video and data need to be allocated respective bandwidth and bandwidth based CAC allows seamless integration of video services.
The Bandwidth Based Call Admission Control (CAC) for IP Multicast feature allows the monitoring of bandwidth per set of multicast groups per interface in the network. Bandwidth based CAC has the ability to control how much bandwidth various content providers can use across a network by assigning specific multicast groups allowable bandwidth consumption.

Figure 48. Bandwidth Based Call Admission Control (CAC) for IP Multicast-Details

Benefits

• Enhances video services by monitoring video bandwidth consumption on the edge

• Provides guaranteed control of multicast based total bandwidth usage per interface

Hardware

Routers

• Cisco 800, 1700, 1800, 2600, 2600XM, 2800, 3600, 3700, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/multicast
Product Management Contact: Scott Van de Houten ( svandeho@cisco.com)

5.3) IP Services

5.3.1) Gateway Load Balancing Protocol (GLBP) Client Cache

Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, while allowing packet load sharing between a group of redundant routers. GLBP differentiates itself from Virtual Router Redundancy Protocol (VRRP) in that GLBP offers the ability to concurrently use more than one gateway, significantly reducing the cost of a First Hop Routing solution.
GLBP is enhanced with the ability to display more information about individual network clients that are using GLBP as their default gateway. This makes it easier to understand:

• How well GLBP clients have been distributed among forwarders

• Which forwarder a particular client is assigned to

• How many clients are assigned to each forwarder

• Which clients are assigned to each forwarder

To achieve the above mentioned benefits, the following data is provided through a Cisco IOS CLI "show command" on the Active Virtual Gateway for the group:

• Percentage of all clients currently assigned to each forwarder

• Forwarder assigned to a specified client MAC address

• Number of clients assigned to each forwarder

• Information about each client assigned to each forwarder

Benefits

• Manageability and network troubleshooting of GLBP is greatly improved

Hardware

Routers

• Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, 7301 Series Routers

Product Management Contact: Benoit Lourdelet ( blourdel@cisco.com)

5.3.2) Dynamic Host Configuration Protocol (DHCP) Server Multiple Subnet

The Dynamic Host Configuration Protocol (DHCP) server now supports the configuration of multiple subnets under a single pool name. This enables large deployments where common DHCP parameters configuration can be grouped under a single pool, while subnet specific parameters can be set as well.
Benefits

• DHCP configuration is made easier and the number of pools to configure is kept to a minimum

Hardware

Routers

• Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, 7301 Series Routers

Product Management Contact: Benoit Lourdelet ( blourdel@cisco.com)

5.3.3) Hot Standby Routing Protocol (HSRP) Bidirectional Forwarding Detection (BFD) Peering

Bidirectional Forwarding Detection (BFD) is introduced in the Hot Standby Routing Protocol (HSRP) group member health monitoring system. Previously, group member monitoring relied exclusively on HSRP multicast messages. These messages are relatively large, hence CPU consuming to produce and check. In architectures where a single interface hosts hundreds of groups there is a need for a lighter protocol. BFD addresses this issue and offers sub-second health monitoring at a relatively low CPU impact.

Figure 49. HSRP BFD Peering Topology

Benefits

• Allows for quicker and more efficient failure detection of HSRP group member

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200, 7301 Series Routers

Product Management Contact: Benoit Lourdelet ( blourdel@cisco.com)

5.3.4) DHCPv6 Stateless Enhancements

Stateless DHCPv6 is enhanced to support new options in the Client and the Server component. Cisco IOS Release 12.4(15)T adds support for new DHCPv6 options for configuration of the DHCP Server:

• NIS SERVERS

• NISP SERVERS

• NIS DOMAIN_NAME

• NISP DOMAIN_NAME

• SNTP SERVERS

• INFORMATION REFRESH TIME

Special attention must be paid to "INFORMATION REFRESH TIME" as it provides the end-host the capability to regularly refresh the content of stateless options that don't carry a lease time with them.
The above mentioned options are requested by the DHCPv6 Client and INFORMATION REFRESH TIME is taken into account to refresh the content on stateless DHCP options received by the Client.
In scenarios where a router is a DHCPv6 client toward its upstream router and a DHCPv6 Server toward downstream hosts, it is now possible to import received options from the Client side to automatically populate the DHCPv6 Server configuration with those options. The choice of imported options is set on a pool basis.

Figure 50. Hierarchical Stateless DHCPv6

Benefits

• DHCPv6 Stateless parameters are regularly renewed

• DHCPv6 Server configuration on CPE is made more dynamic

Hardware

Routers

• Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200,and 7301 Series Routers

Product Management Contact: Benoit Lourdelet ( blourdel@cisco.com)

5.4) High Availability

5.4.1) Bidirectional Forward Detection (BFD) Support for Cisco Integrated Services Routers

BFD is a detection protocol that is designed to provide fast forwarding path failure detection times for all media types.
The convergence of business-critical applications onto a common IP infrastructure in Enterprise and Service Provider networks is becoming more common. Given the criticality of the data, these networks are typically constructed with a high degree of redundancy. While such redundancy is desirable to increase network availability, its effectiveness is dependant upon the ability of individual network devices to quickly detect failures and reroute traffic to an alternate path.
Routing protocol convergence is a key issue in these converged network designs since it determines the routes available to send data packets on and the reachability of the network. In order to maintain the integrity of routing data, it is vital to have accurate information regarding the status of links and whether they are up or down. Bidirectional Forwarding Detection (BFD) is an IETF draft based mechanism used to detect link failures for routing protocols. It addresses some of the important problems in link status detection:

• Link Layer detection mechanisms vary significantly in the temporal resolution they offer for link status detection. Techniques like Automatic Protection Switching (APS) on SONET offer sub-50 ms resolution for the detection of link failures while Ethernet or traditional WAN link methods offer a few seconds of resolution at best.

• Link Layer detection mechanism may not help with Layer 3 Network level failures. This is important when there is a routing flap in the routing protocol at Layer 3 but the underlying Layer 2 Link is fine.

• Typical mechanisms that work at Layer 3 offer 15-20 seconds of temporal resolution for failure detection times. This is slow in terms of times which applications require for network connectivity to be maintained.

BFD provides a low-overhead, short-duration method of detecting failures in the forwarding path between two adjacent routers, including the interfaces, data links, and forwarding planes. BFD delivers fast router peer failure detection times independent of all media types, encapsulations, topologies, and routing protocols including EIGRP, IS-IS, OSPF, and BGP (single-hop peers over Ethernet interfaces). Cisco currently supports the BFD Asynchronous mode, which depends on the sending of BFD control packets between two systems for liveness detection between the forwarding engines of the BFD neighbors.

Figure 51. Bidirectional Forward Detection (BFD) Support for Cisco Integrated Services Routers

Benefits

• Facilitates faster network convergence due to faster failure detection of link/neighbor

• Allows for media independent link-failure detection

• Enables easier network profiling and planning

Considerations

• Cisco IOS Software Release 12.4(15)T supports BFD for EIGRP, OSPF, ISIS, and BGP single-hop peers over Ethernet interfaces only.

• BFD is not supported over OSPF virtual links or sham links, as the current specification for BFD usage on IP links limits BFD to one-hop adjacencies.

• Care should be taken while configuring BFD timers. Consider CPU utilization, link speed, and speed of light constraints before setting low values.

• BFD is not intended for use as a protocol to detect Cyclic Redundancy Check (CRC) errors or packet loss between two adjacent routers.

Hardware

Routers

• Cisco 800, 1800, 2800, 3800 Series Routers

Product Management Contact: Harmen Van Der Linde ( havander@cisco.com)

5.5) Connectivity

5.5.1) Multiple PPP-over-Ethernet (PPPoE) Clients per VC Support

The Multiple PPPoE Client feature is an enhancement over the existing PPPoE client support for ATM Virtual Circuits. Previously, an ATM PVC could only be configured with one PPPoE dialer interface. Now, multiple Dialer interfaces may be configured on a single Virtual Circuit (VC). This can be used to configure redundancy to multiple L2TP Network Servers (LNS's), providing an easy backup path, should the primary LNS stop responding. This capability is especially useful in situations where only one PVC can be configured between Customer Premises Equipment (CPE) and the Asynchronous Transfer Mode (ATM) aggregator.
Key Benefits for using Multiple PPPoE Clients per VC include:

• Increased flexibility in defining PPPoE Dialer Interfaces

• Provide multiple services to a CPE using separate logical PPP interfaces across the same VC

• Improved availability using a single VC

Figure 52. Multiple PPPoE Clients

Hardware

Routers

• Cisco 800, 1800, 2800, 3800 Series Routers

Product Management Contact: Ben Strickland ( bstrickl@cisco.com)

5.5.2) Layer 2 Tunneling Protocol (L2TP) Forwarding of PPPoE Tags

In an Ethernet access aggregation network, there are no unique mappings between subscriber line ID and Ethernet interface like the Virtual Circuit (VC) in an ATM based network, especially when a separate Virtual LAN (VLAN) per subscriber is not used. DSL Forum TR-101 proposed a method by which the Digital Subscriber Line Access Multiplexer (DSLAM) sends a DSL Remote-ID and circuit-id in the discovery phase. By obtaining this information, future subscriber decisions can be made at later points during the call set-up phase. However, before this feature was introduced, the implementation did not extend to the LNS in a VPDN environment. This feature allows for the PPPoE tag information containing the DSL-Forum attributes to be forwarded from the L2TP Access Concentrator (LAC) to the LNS.
The DSLAM port information contained within the PPPoE tags can be used by the local Authentication, Authorization, and Accounting (AAA) servers on the LNS in addition to the LAC. This is especially useful in wholesale environments where the LAC and LNS may belong to different owners.
Key benefit for using Multiple L2TP Forwarding of PPPoE Tags:

• Increased LNS security by being able to authenticate users based on DSLAM port information

Figure 53. Forwarding the DSLAM Circuit-id over L2TP

Hardware

Routers

• Cisco 800, 1800, 2800, 3800, 7200 Series Routers

Product Management Contact: Ben Strickland ( bstrickl@cisco.com)

5.6) Management, Instrumentation, and User Interface

5.6.1) Cisco IOS Auto-Upgrade Manager

Cisco IOS Auto-Upgrade Manager simplifies the Cisco IOS Software upgrade process by providing a simple interface to specify, download, and upgrade (or downgrade) to a new Cisco IOS Software image. Cisco IOS Auto-Upgrade Manager includes CLI-based management of automatic software downloads and upgrades, including:

• Locating and downloading the new Cisco IOS Software image

• Checking memory requirements

• Managing secondary storage

• Validating the image

• Scheduling a Warm-Upgrade

• Providing roll-back support on failure

New software images can be automatically downloaded from Cisco with a valid Cisco.com login via SSL, or any other Trivial File Transfer Protocol (TFTP) or File Transfer Protocol (FTP) server in the user's network or elsewhere that contains the desired software image. The software upgrade is scheduled either immediately or at a convenient future time using a "Warm-Upgrade" to minimize down time.
Automatic notifications can include a status email sent upon completion of successful warm upgrade or failure and roll-back, error messages indicating any incompatible CLI statements, and should the upgrade fail for any reason, error messages are generated and sent to the console and syslog buffers.
Cisco IOS Auto-Upgrade Manager can be invoked with either an interactive dialog that will walk a novice user through the upgrade process and options, or a single line CLI User Interface for more experienced users.

Figure 54. Cisco IOS Auto-Upgrade Manager Simplifies Cisco IOS Software Upgrades

Benefits

• Makes upgrading Cisco IOS Software easier for less experienced staff and easier to walk through with telephone support

• Reduced time to upgrade Cisco IOS Software

• Lower Total Cost of Ownership (TCO) of Cisco routers with single provisioning method for access and work group products

Hardware

Routers

• Cisco 1800, 2800, 3800 Series Routers

Product Management Contact: Tom Cramer ( tcramer@cisco.com)

5.6.2) Cisco IOS Embedded Resource Manager

The Embedded Resource Manager (ERM) feature provides a method to monitor internal system resource utilization. Finite resources such as buffer, memory, and processor utilization are monitored.
ERM works by monitoring resource utilization from the perspective of resource owners and resources users. These owners and users are various subsystems within Cisco IOS Software. Network administrators can define thresholds to create notifications according to the real-time resource consumption.
The ERM infrastructure is designed to be extensible and to allow for very granular monitoring on an IOS task basis. It goes beyond simply monitoring for total CPU utilization for example. Through the use of ERM, network administrators and operators can gain a better understanding of the device's operational characteristics leading to better insight into system scalability and improved system availability.
Features and Benefits
The Embedded Resource Manager (ERM) infrastructure tracks resource utilization, depletion and resource dependencies across processes and within a system. ERM represents a framework for monitoring any finite resource within the software. Support for monitoring CPU, buffer, and memory utilization at the global or task level is available today. The ERM framework is extensible and will be further enhanced to provide more function in future software releases.
The ERM framework provides a mechanism to send notifications whenever the specified threshold values are violated by any Resource User (RU). This notification helps in diagnosing any CPU, buffer, and memory utilization issues.
The Embedded Resource Manager feature allows you to:

• Monitor system resource usage to better understand scalability

• Set resource thresholds at a granular level

• Generate alerts when resource utilization reaches specified levels

• Generate internal events using the Cisco IOS Embedded Event Manager feature and take local automated action

• Gain a better understanding of how network changes might impact system operation

Resource Accounting and Thresholds
ERM tracks the resource usage and allocation for each Resource User (RU) internally. A RU is a subsystem or process task within the Cisco IOS Software. As an example, the OSPF hello process is a resource user. Threshold limits are used to notify network operations of specific conditions. The ERM infrastructure provides a means to notify the internal RU subsystem of threshold indications as well. The resource accounting is performed by individual Resource Owners (ROs). ROs are part of the Cisco IOS Software responsible for certain resources such as the memory manager. When the utilization for each of the RUs crosses the threshold value you have set, the ROs send internal notifications to the RUs and to network administrators in the form of Syslog messages or SNMP alerts.
You can set rising and falling values for critical, major, and minor levels of thresholds. When the resource utilization crosses the rising threshold level, an Up notification is sent. When the resource utilization falls below the falling threshold level, a Down notification is sent.
ERM provides for three types of thresholds to be defined:

• System Global Threshold-Used when the entire resource reaches a specified value; sent to all RUs

• User Local Threshold-Used when a specified RUs utilization exceeds the configured limit

• User Global Threshold-Used when the entire resource reaches a configured value; sent only to the specified RU

Table 15. ERM Features and Benefits

Feature

Benefit

System Monitoring and Management

Flexible facility for monitoring finite resources

ERM provides a common facility for monitoring various finite resources within the system. CPU, buffer, and memory resources are monitored.

Embedded within Cisco IOS Software

ERM is part of the Cisco IOS Software infrastructure.

Granular, per subsystem statistics

ERM accounts for resource utilization on both a system level as well as on a per subsystem task level.

User defined thresholds

Network administrators can set the thresholds for specific conditions.

Multiple threshold levels

You can set rising and falling threshold values for minor, major, and critical levels of resource utilization for buffer, CPU, and memory ROs.

Extended Statistics and Information

Loadometer process

The loadometer process generates an extended load monitor report every 5 seconds. The loadometer function, which calculates process CPU usage percentages, is enhanced to generate the loadometer process reports.

Snapshot Management using event trace

Snapshot management manages the buffer where snapshots of reports are stored. The snapshot management infrastructure stores, displays, and releases the snapshots.

Automatic CPUHOG profiling

Troubleshooting data is collected automatically by the system to aid in problem resolution. The timer ISR starts profiling a process when it notices that the process has taken more than the configured value or a default of 2x (maximum scheduling quantum).

Improved memory statistics

Embedded Resource Manager enhances the memory manager in Cisco IOS Software to include memory usage history and memory accounting

Improved buffer management

Embedded Resource Manager addresses the most frequently faced problems to the Buffer Manager. They are: buffer manager tuning, buffer leak detection, buffer accounting and buffer usage thresholds.

Cisco IOS Feature Integration

EEM integration

ERM is integrated with Cisco IOS Embedded Event Manager (EEM). ERM threshold violations are detected by the ERM Event Detector and can be used to trigger automated actions.

Additional Management Interfaces

Embedded Resource Manager MIB

ERM SNMP support is added beginning with Cisco IOS Software version 12.4(15)T and 12.2(33)SRB. The ERM MIB will be available on Cisco.com Visit: http://www.cisco.com/public/sw-center/sw-netmgmt.shtml

Product Architecture
ERM is a feature within the Cisco IOS Software infrastructure. The ERM framework and architecture defines components in terms of Resource Owners (ROs) and Resource Users (RUs). An ERM Resource Manager (RM) component is also part of the infrastructure. ROs account for utilization by the resource users. The RM provides control and notification functions.

Figure 55. Cisco IOS Embedded Resource Manager Architecture

Hardware

Routers

• Cisco Integrated Services Routers, Cisco 7200 Series Routers

System Requirements
The ERM software subsystem does not consume any significant amount of resources.
Additional Information:
For more information about the Cisco IOS Embedded Resource Manager, visit http://www.cisco.com/public/support/tac/documentation.html and browse the appropriate Cisco IOS Software documentation.
Product Management Contact: Rick Williams ( rwill@cisco.com)

5.6.3) Toolkit Command Language (TCL) Signing

Toolkit Command Language (TCL) was first introduced in Cisco IOS Software in 1994. Many components of Cisco IOS Software like EEM, ESM and IVR use TCL scripts. Signing of TCL scripts enables customers to execute only authenticated and approved scripts on the Cisco devices. It provides a mechanism for the customers to verify the source of the TCL scripts.
TCL is an interpreted language and scripts written in TCL do not have to be compiled before execution. TCL scripts can be created and modified dynamically. TCL provides a fundamental command set which can be expanded by adding "extensions" to the language to perform specific operations. As a result TCL is highly portable and extensible. It is used for rapid prototyping, scripted applications and testing.
Cisco is now innovating TCL scripts to a new level by introducing state of the art, reliable and web based "Signing Tool" application to verify the authenticity.
Key advantages to using the TCL Signing Tool include:

• Ability to configure safe and secure modes for execution

• Enhanced security (safe and whole modes) within security mode

• Allow various formats of TCL scripts-clear, signed with PKCS7, signed with PKCS and signature appended

• API to verify the signatures if customers customize the scripts

• Only trusted scripts to be executed in whole mode; all other scripts to be executed in safe mode

• Private keys stored in secure Hardware Security Module

Figure 56. Verification of Signed TCL Scripts Process

Hardware

Routers

• Cisco 800, 1700, 2600, 3600, 3700, 7200, 7301 Series Routers

Product Management Contact: Madhu Vulpala ( mulpala@cisco.com)

5.7) Mobility and Wireless

5.7.1) Mobile Ad Hoc Networking (MANET) Networking Enhancements for Router Radio Links

Cisco Mobile Ad Hoc Networking (MANET) enhancements address several of the issues faced when merging IP routing and mobile radio communications in ad hoc networking applications. In a MANET, highly mobile "nodes" communicate with each other across bandwidth-constrained radio links. An individual node includes both a radio and a network router, with the two devices interconnected via Ethernet. Key challenges in a MANET environment include:

• Convergence: Since nodes can rapidly join or leave the network, MANET routing topologies are highly dynamic. Fast convergence in a MANET becomes a challenge because a node's state can change well before the event is detected by the routing protocol's normal timing mechanisms.

• Route Selection: Radio link quality in a MANET can vary dramatically due to a variety of factors such as noise, fading, interference, and power fluctuation. As a result, routers need the ability to factor these fluctuations into "best path" selection.

• Radios have limited buffering capabilities, and could be easily over-loaded with IP traffic.

• Directional radios that operate on a narrow beam tend to model the network as a series of physical point-to-point connections with neighbor nodes. This point-to-point model does not translate gracefully to multi-hop, multipoint router environments, as it increases the size of each router's topology database and reduces routing efficiency when mobile nodes join and leave the network, based on neighbor up/down signaling from the radio.

This feature enables a Cisco router to use Layer 2 feedback from its partner radio to optimize Layer 3 processing. Intra-nodal communications between router and radio are supported by means of PPP-over-Ethernet (PPPoE) sessions. A PPPoE session is established between router and its partner radio on behalf of every other router/radio neighbor located in the MANET. Once the PPPoE sessions are established, a PPP session is established end to end. These Layer 2 sessions are the means by which radio network status gets reported to the router's Layer 3 processes. The Cisco IOS MANET enhancements provide several new capabilities for optimizing routing in a wireless, ad hoc environment:

Neighbor Up/Down Signaling: Enables Cisco routers to provide faster network convergence by reacting to link status signals generated by the radio, rather than waiting for protocol times to expire. The routing protocols (OSPFv3 or EIGRP) respond immediately to these link status signals by expediting adjacency formation or tear-down.

Link Quality Metrics Reporting: The PPPoE protocol has been extended to enable a radio to report link quality metric information to a router. Cisco routers have been enhanced so that OSPFv3 or EIGRP routing protocols can factor link quality metrics into route cost calculations.

PPPoE Credit-Based Flow Control: This PPPoE extension allows the radio to control the rate at which the router can transmit data for each PPPoE session, so that the need for queuing in the radio is minimized.

Virtual Multipoint Interface: Aggregates per-neighbor PPPoE sessions and maps these to appear as a single point-to-multipoint, multi-access, broadcast-capable network.

The Cisco IOS MANET enhancements provide the following critical advantages:

• Faster convergence when nodes join and leave the network

• Optimal route selection based on Layer 2 feedback from the radio network

• Flow-controlled communications between the radio and its partner router

• Efficient integration of point-to-point, directional radio topologies with multi-hop routing

Figure 57. MANET Enhancements for Router-Radio Links

Benefits

• Enables network-based applications and information to be delivered reliably and quickly over directional radio links

• Faster convergence and optimal route selection ensure that delay-sensitive traffic such as voice and video are not disrupted

• Reduces impact on radio equipment by minimizing the need for internal queuing/buffering; also provides consistent Quality of Service (QoS) for networks with multiple radios

Hardware

Routers

• Cisco 2800, 3200, and 3800 Series Routers

Product Management Contact: Rex Craig ( recraig@cisco.com)

5.7.2) Access Point Link Role Flexibility

Access Point Link Role Flexibility allows access point radios to operate in a combination of radio roles, such as access point root, bridge root (with or without clients), bridge nonroot (with or without clients). This provides a more flexible deployment scheme to support the various applications requirement. Please note that the Cisco Integrated Services Router (ISR) Access Point (AP) does not support access point repeater and Work Group Bridges (WGB).
There are thirteen new Access Point Link Role Flexibility features being introduced in Release 12.4(15)T:
1. Advanced Encryption Standard (AES)-CCMP
This feature supports Wi-Fi Protected Access (WPA2) which is the Wi-Fi Alliance specification for interoperable wireless LAN security that supports IEEE 802.11i authentication and AES-CCMP encryption.
2. Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is an authentication protocol for the 802.1X framework for mutual authentication between the client and a RADIUS server. New EAP authentication types supported in this Cisco IOS Software release include EAP-TTLS, EAP-MD5, and EAP-SIM.
3. IEEE 802.1X Local A