Cisco IOS Software Releases 11.2

Table Of Contents

Release Notes for Cisco 1600 Series Routers for Cisco IOS Release 11.2 P

Contents

System Requirements

Memory Recommendations

Hardware Supported

Determining the Software Version

Upgrading to a New Software Release

Feature Set Tables

New and Changed Information

No New Software Features in Cisco IOS Release 11.2(13)P and Later

New Hardware and Software Features in Cisco IOS Release 11.2(12)P

Enhanced CBAC Denial-of-Service Detection and Prevention

Cisco T1 DSU/CSU WAN Interface Card

New Software Features in Cisco IOS Release 11.2(11)P

The Cisco IOS Firewall Feature Set: Context-Based Access Control

New Software Features in Cisco IOS Release 11.2(10)P

Virtual Private Dial-up Networks

RADIUS

New Hardware and Software Features in Cisco IOS Release 11.2(9)P

Cisco 1605-R Router

ISDN Leased Line BRI S/T WAN Interface Card

56/64kbps DSU/CSU WAN Interface Card

New Software Features in Cisco IOS Release 11.2(1)

Routing Protocols

Desktop Protocols

Wide-Area Networking Features

Security Features

Network Management

Important Notes

Traffic Shaping over Frame Relay

LAN Extension

Enabling IPX Routing

Forwarding of Locally Sourced AppleTalk Packets

Some 40-Bit Encryption Images Are Unavailable

Release 11.2(7a) Fixes Caveats CSCdj24132 and CSCdj21944

Release 11.2(10a) Fixes Caveats CSCdj58676 and CSCdj60533

Release 11.2(11) Reintroduces Caveat CSCdj28874

Release 11.2(15a) and 11.2(15a) P

Cisco IOS Release 11.2 Switches to Long-Cycle Maintenance Releases

Caveats

Related Documentation

Release-Specific Documents

Platform-Specific Documents

Feature Modules

Cisco IOS Software Documentation Set

Documentation Modules

Cisco IOS Release 11.2 Documentation Set

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Contacting TAC by Using the Cisco TAC Website

Contacting TAC by Telephone

Release Notes for Cisco 1600 Series Routers for Cisco IOS Release 11.2 P

---

April 16, 2001

---

Note You can find the most current Cisco IOS documentation on Cisco.com. These electronic documents may contain updates and modifications made after the hard-copy documents were printed.

---

These release notes for the Cisco 1600 series routers describe the enhancements provided in Cisco IOS Release 11.2 P. These release notes are updated as needed.

For a list of the software caveats that apply to Cisco IOS Release 11.2 P, see Caveats for Cisco IOS Release 11.2 P that accompanies these release notes. The caveats document is updated for every maintenance release and is located on Cisco.com and the Documentation CD-ROM.

Use these release notes with Cross-Platform Release Notes for Cisco IOS Release 11.2 on Cisco.com and the Documentation CD-ROM.

---

Note Cisco IOS Release 11.2(26)P is the last scheduled maintenance release for Cisco IOS Release 11.2 P. TAC Support will continue to be available. These release notes will be the last release notes published for Cisco IOS Release 11.2 P.

---

Contents

These release notes describe the following topics:

•System Requirements

•New and Changed Information

•Important Notes

•Caveats

•Related Documentation

•Obtaining Documentation

•Obtaining Technical Assistance

System Requirements

This section describes the system requirements for Cisco IOS Release 11.2 P:

•Memory Recommendations

•Hardware Supported

•Determining the Software Version

•Upgrading to a New Software Release

•Feature Set Tables

Memory Recommendations

Table 1 Memory Recommendations for Cisco 1600 Series Routers 

Platforms	Feature Sets	Image Name	Software Image	Recommended Flash Memory1	Recommended DRAM Memory1	Runs from
Cisco 1600- Cisco 1604	IP Feature Sets	IP	c1600-y-1	4 MB	2 MB	Flash
		IP Plus	c1600-sy-1	6 MB	4 MB	Flash
		IP Plus 40	c1600-sy40-1	6 MB	4 MB	Flash
		IP Plus 56	c1600-sy56-1	6 MB	4 MB	Flash
		IP/IPX	c1600-ny-1	4 MB	2 MB	Flash
		IP/IPX Plus	c1600-nsy-1	6 MB	4 MB	Flash
		IP/IPX Plus 40	c1600-nsy40-1	6 MB	4 MB	Flash
		IP/IPX Plus 56	c1600-nsy56-1	6 MB	4 MB	Flash
		IP/Appletalk	c1600-by-1	4 MB	2 MB	Flash
		IP/Appletalk Plus	c1600-bsy-1	6 MB	4 MB	Flash
		IP/Appletalk Plus 40	c1600-bsy40-1	6 MB	4 MB	Flash
		IP/Appletalk Plus 56	c1600-bsy56-1	6 MB	4 MB	Flash
		IP/IPX/Appletalk	c1600-bny-1	6 MB	4 MB	Flash
		IP/IPX/Appletalk Plus	c1600-bnsy-1	6 MB	4 MB	Flash
		IP/IPX/Appletalk Plus 40	c1600-bnsy40-1	6 MB	4 MB	Flash
		IP/IPX/Appletalk Plus 56	c1600-bnsy56-1	6 MB	4 MB	Flash
		IP/IPX/IBM	c1600-nr2y-1	6 MB	4 MB	Flash
		IP/IPX IBM Plus	c1600-nr2sy-1	8 MB	4 MB	Flash
		IP/IPX IBM Plus 40	c1600-nr2sy40-1	8 MB	4 MB	Flash
		IP/IPX IBM Plus 56	c1600-nr2sy56-1	8 MB	4 MB	Flash
		IP/Firewall	c1600-oy-l	4 MB	2 MB	Flash
		IP/IPX/Firewall Plus	c1600-nosy-l	6 MB	4 MB	Flash
		IP/IPX/AT/IBM/Firewall Plus 56	c1600-bnor2sy56-l	8 MB	6 MB	Flash
Cisco 1605-R	IP Feature Sets	IP	c1600-y-1	2 MB	8 MB	RAM
		IP Plus	c1600-sy-1	4 MB	8 MB	RAM
		IP Plus 40	c1600-sy40-1	4 MB	8 MB	RAM
		IP Plus 56	c1600-sy56-1	4 MB	8 MB	RAM
		IP/IPX	c1600-ny-1	2 MB	8 MB	RAM
		IP/IPX Plus	c1600-nsy-1	4 MB	8 MB	RAM
		IP/IPX Plus 40	c1600-nsy40-1	4 MB	10 MB	RAM
		IP/IPX Plus 56	c1600-nsy56-1	4 MB	10 MB	RAM
		IP/Appletalk	c1600-by-1	2 MB	8 MB	RAM
		IP/Appletalk Plus	c1600-bsy-1	4 MB	8 MB	RAM
		IP/Appletalk Plus 40	c1600-bsy40-1	4 MB	10 MB	RAM
		IP/Appletalk Plus 56	c1600-bsy56-1	4 MB	10 MB	RAM
		IP/IPX/Appletalk	c1600-bny-1	4 MB	8 MB	RAM
		IP/IPX/Appletalk Plus	c1600-bnsy-1	4 MB	10 MB	RAM
		IP/IPX/Appletalk Plus 40	c1600-bnsy40-1	4 MB	10 MB	RAM
		IP/IPX/Appletalk Plus 56	c1600-bnsy56-1	4 MB	10 MB	RAM
		IP/IPX/IBM	c1600-nr2y-1	4 MB	10 MB	RAM
		IP/IPX IBM Plus	c1600-nr2sy-1	4 MB	12 MB	RAM
		IP/IPX IBM Plus 40	c1600-nr2sy40-1	4 MB	12 MB	RAM
		IP/IPX IBM Plus 56	c1600-nr2sy56-1	4 MB	12 MB	RAM
		IP/Firewall	c1600-oy-l	2 MB	8 MB	RAM
		IP/IPX/Firewall Plus	c1600-nosy-l	4 MB	10 MB	RAM
		IP/IPX/AT/IBM/Firewall Plus 56	c1600-bnor2sy56-l	4 MB	12 MB	RAM

1 This is the default memory size.

Hardware Supported

Cisco IOS Release 11.2 P supports the Cisco 1600 series routers:

•Cisco 1601

•Cisco 1602

•Cisco 1603

•Cisco 1604

•Cisco 1605-R

The Cisco 1600 series routers deliver the next-generation set of features and benefits for small-office Internet and intranet access: WAN flexibility, end-to-end security, end-to-end quality of service, ease of use, deployment, and management. The Cisco 1600 series routers connect small offices with Ethernet LANs to the public Internet and to a company internal intranet or corporate LAN through several WAN connections such as ISDN, asynchronous serial, and synchronous serial.

Cisco 1601 through Cisco 1604 router models include one Ethernet port, one built-in WAN port, and one WAN interface-card expansion slot for additional connectivity and flexibility. The Cisco 1601 includes a built-in serial WAN port; the Cisco 1602 has an onboard 56-kbps four-wire data service unit/channel service unit (DSU/CSU); the Cisco 1603 has an ISDN BRI S/T port; and the Cisco 1601, 1602, and 1605-R include an ISDN BRI U interface with a built-in NT1 device. The Cisco 1605-R has two Ethernet LAN interfaces and one WAN interface card slot.

The following WAN interface cards are supported by the Cisco 1600 series routers:

•1-port synchronous/asynchronous serial

•1-port ISDN BRI with S/T interface

•1-port ISDN BRI with NT1 and U interface

•1-port ISDN Leased Line BRI S/T WAN interface (Cisco 1603 and Cisco 1604 routers only)

•1-port 56/64kbps DSU/CSU WAN interface

•1-port T1/Fractional T1 DSU/CSU WAN interface

Determining the Software Version

To determine the version of Cisco IOS software running on your Cisco 1600 series router, log in to the router and enter the show version EXEC command:

router> show version

Cisco Internetwork Operating System Software 

IOS (tm) 11.2 P Software (C1600-NY-L), Version 11.2(26)P, RELEASE SOFTWARE

Upgrading to a New Software Release

For general information about upgrading to a new software release, see Upgrading the Cisco IOS Software Release in Cisco Routers and Modems located at:

http://www.cisco.com/warp/public/620/6.html

Feature Set Tables

The Cisco IOS software is packaged in feature sets consisting of software images—depending on the platform. Each feature set contains a specific set of Cisco IOS features.

Cisco IOS Release 11.2 P supports the same feature sets as Cisco IOS Release 11.2, but Release 11.2 P can include new features supported by the Cisco 1600 series routers.

---

Caution Cisco IOS images with strong encryption (including, but not limited to, 168-bit Triple Data Encryption Standard [3DES] data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay because of United States government regulations. When applicable, purchaser and user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.

---

Table 2 lists the features and feature sets supported by the Cisco 1600 series routers in Cisco IOS Release 11.2 P and uses the following conventions:

•Basic—The feature is supported in the basic software image.

•Plus—The feature is supported in the Plus software image.

•- (en-dash)—The feature is not supported in the software image.

---

Note This table might not be cumulative or list all the features in each image. You can find the most current Cisco IOS documentation on Cisco.com. These electronic documents may contain updates and modifications made after the hard-copy documents were printed. If you have a Cisco.com login account, you can find image and release information regarding features prior to Cisco IOS Release 11.2(26)P by using the Feature Navigator tool at http://www.cisco.com/go/fn.

---

Table 2 Feature List by Feature Set for the Cisco 1600 Routers 

	Feature Sets
Features	IP	IP/IPX	IP/ Apple- Talk	IP/IPX/ Apple- Talk	IP/IPX/ IBM	IP/ Firewall1	IP/IPX/ Firewall Plus	IP/IPX/ AT/IBM/ Firewall Plus 56
LAN Support
AppleTalk 1 and 22	-	-	Basic	Basic	-	-	-	Basic
Integrated routing and bridging (IRB)3	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
IP	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Novell IPX4	-	Basic	-	Basic	Basic	-	Basic	Basic
Transparent bridging	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
WAN Services
Asynchronous	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Frame Relay	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Frame Relay SVC support (DTE)	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
Frame Relay traffic shaping	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
HDLC	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
ISDN 5	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
PPP6	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
SMDS	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Switched 56	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
X.25	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
SLIP asynchronous only	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
WAN Optimization
Bandwidth-on-demand7	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Custom and priority queuing	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Dial backup	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Dial-on-demand	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Header, link, and payload compression	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Header and link compression	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Snapshot routing	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Weighted fair queuing	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
IPX and SPX spoofing	-	Basic	-	Basic	Basic	-	Basic	Basic
IP Routing
AppleTalk SMRP Multicast	-	-	Plus	Plus	-	-	-	Plus
Enhanced IGRP	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
IGRP	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
IP Multicast (PIM)	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
Network Address Translation (NAT)	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
On Demand Routing (ODR)	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
OSPF	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
OSPF On Demand Circuit (RFC 1793)	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
PIM	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
RIP	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
RIP Version 2	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Other Routing
IPX RIP	-	Basic	-	Basic	Basic	-	Basic	Basic
RTMP	-	-	Basic	Basic	-	-	-	Basic
NLSP	-	Plus	-	Plus	Plus	-	Plus	Plus
Multimedia and Quality of  Service
Generic traffic shaping	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
Random Early Detection (RED)	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
Resource Reservation Protocol (RSVP)	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
Management
SNMP	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Telnet	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Console port	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Networking Timing Protocol (NTP)	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
Simple Networking Timing Protocol (SNTP)	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Security
Access lists	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Cisco IOS Firewall: Context-Based Access Control	-	-	-	-	-	Basic	Basic	Basic
Extended access lists	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
TACACS Plus	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
RADIUS	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus
GRE tunneling	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Lock and key	Basic	Basic	Basic	Basic	Basic	Basic	Basic	Basic
Network layer encryption, 40-bit (Plus 40) and 56-bit (Plus 56)	Encrypt	Encrypt	Encrypt	Encrypt	Encrypt	Encrypt	Encrypt	Encrypt
Virtual Private Dialup Network	Plus	Plus	Plus	Plus	Plus	Plus	Plus	Plus

1 This image is available only in Cisco IOS Release 11.2(11)P and later releases. 2 AppleTalk load balancing is available in Cisco IOS Release 11.2. 3 IRB supports IP, IPX, and AppleTalk; it is supported for transparent bridging, but not for SRB; it is supported on all media-type interfaces except X.25 and ISDN bridged interfaces; and IRB and concurrent routing and bridging (CRB) cannot operate at the same time. 4 In Cisco IOS Release 11.2, the Novell IPX feature includes Display SAP by Name, IPX Access Control List violation logging, and plain-English IPX access lists. 5 ISDN support includes calling line identification (CLI/ANI), ISDN subaddressing, and applicable WAN optimization features. 6 PPP includes support for LAN protocols supported by the feature set, address negotiation, PAP and CHAP authentication, and PPP compression. Multilink PPP is included with Cisco IOS Release 11.0(4) and later releases. 7 Bandwidth-on-demand means two B-channel calls to the same destination.

New and Changed Information

The following sections list the new hardware and software features supported by the Cisco 1600 series routers for Release 11.2 P.

No New Software Features in Cisco IOS Release 11.2(13)P and Later

There are no new software features supported by the Cisco 1600 series routers for Release 11.2(13)P and later.

New Hardware and Software Features in Cisco IOS Release 11.2(12)P

The following new hardware and software features are supported by the Cisco 1600 series for Release 11.2(12)P.

Enhanced CBAC Denial-of-Service Detection and Prevention

Context-Based Access Control (CBAC), introduced in Release 11.2(11)P, provides basic Denial-of-Service detection and prevention services. These services are enhanced in Release 11.2(12)P to provide additional controls, configurable with the command new ip inspect tcp-max-incomplete host.

Cisco T1 DSU/CSU WAN Interface Card

The Cisco T1 data service unit/channel service unit (DSU/CSU) WAN interface card is an integrated, managed, T1 or fractional T1 WAN interface card. It provides nonchannelized data rates of 1 to 24 X 64 kbps or 1 to 24 X 56 kbps and follows ANSI T1.403 and AT&T Publication 62411 standards.

The Cisco T1 DSU/CSU WAN interface management features include the following:

•You can locally perform an initial configuration for the interface using ClickStart, a point-and-click web browser-based interface tool. You can remotely configure the interface using Telnet and the Cisco IOS command-line interface (CLI).

•For monitoring purposes, the router and DSU/CSU are manageable as a single Simple Network Management Protocol (SNMP) entity, using CiscoWorks or CiscoView. DSU/CSU statistics are accessed from the CLI.

•The SNMP agent supports the standard Management Information Base II (MIB II), Cisco integrated DSU/CSU MIB, and T1 MIB (RFC 1406).

•Loopbacks (including a manual button for a network line loopback) and bit error rate tester (BERT) tests are provided for troubleshooting.

•Test patterns, alarm counters, and performance reports are accessible using the CLI.

•The module has carrier detect, loopback, and alarm LEDs.

New Software Features in Cisco IOS Release 11.2(11)P

The following new software features are supported by the Cisco 1600 series for Release 11.2(11)P.

The Cisco IOS Firewall Feature Set: Context-Based Access Control

The Cisco IOS Firewall feature set combines existing Cisco IOS firewall technology and the new context-based access control feature to provide an effective, robust firewall.

The Cisco IOS Firewall feature set is designed to prevent unauthorized, external individuals from gaining access to your internal network and to block attacks on your network, while at the same time allowing authorized users to access network resources.

You can use the Cisco IOS Firewall feature set to configure your Cisco IOS device as:

•An Internet firewall or part of an Internet firewall

•A firewall between groups in your internal network

•A firewall providing secure connections to branch offices

•A firewall between your company network and your company partners' networks

The Cisco IOS Firewall feature set provides the following capabilities:

•Protects internal networks from intrusion

•Monitors traffic through network perimeters

•Enables network commerce via the World Wide Web

Context-based access control (CBAC) is a new feature which provides intelligent filtering of packets through the firewall. CBAC creates temporary openings in the firewall to permit packets that are part of a permissible session. (These packets are normally blocked at the firewall.) A permissible session is one that originates from within your protected internal network.

---

Note In Release 11.2(11)P, the command ip inspect tcp-max-incomplete host is not available. (This command is introduced in 11.2(12)P to enhance CBAC's Denial-of-Service detection and prevention services.)

---

New Software Features in Cisco IOS Release 11.2(10)P

The following new software features are supported by the Cisco 1600 series for Release 11.2(10)P.

Virtual Private Dial-up Networks

Virtual private dial-up networks (VPDN) allow separate and autonomous protocol domains to share common access infrastructure including modems, access servers, and ISDN routers. VPDN uses the Level 2 Forwarding protocol (L2F), which permits the tunneling of link level frames.

Using L2F tunneling, an Internet Service Provider (ISP) or other access service can create a virtual tunnel to link a customer remote sites or remote users with corporate home networks. In particular, a network access server at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F requests and responses with the customer home gateway to set up tunnels. L2F passes protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection.

Frames from the remote users are accepted by the ISP POP, stripped of any linked framing or transparency bytes, encapsulated in L2F, and forwarded over the appropriate tunnel. The customer home gateway accepts these L2F frames, strips the L2F encapsulation, and processes the incoming frames for the appropriate interface.

---

Note This implementation of VPDN supports PPP dial-up only.

---

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.

Cisco supports RADIUS under its authentication, authorization, and accounting (AAA) security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.

Use RADIUS in the following network environments that require access security:

•Networks with multiple-vendor access servers, each supporting RADIUS—For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendor's access servers, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system.

•Turn-key network security environments in which applications support the RADIUS protocol—For example, in an access environment that uses a "smart card" access control system. In one case, RADIUS has been used with Enigma's security cards to validate users and grant access to network resources.

•Networks already using RADIUS—You can add a Cisco router with RADIUS to the network. This might be the first step when you transition to a Terminal Access Controller Access Control System (TACACS+).

•Networks in which a user must only access a single service—Using RADIUS, you can control user access to a single host, to a single utility such as Telnet, or to a single protocol such as Point-to-Point Protocol (PPP). For example, when a user logs in, RADIUS identifies this user as having authorization to run PPP using IP address 1.2.3.4 and access-list N is started.

•Networks that require resource accounting—You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session. An Internet service provider (ISP) might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.

RADIUS is not suitable in the following network security situations:

•Multiprotocol access environments—RADIUS does not support the following protocols:

–AppleTalk Remote Access Protocol (ARAP)

–NetBIOS Frame Protocol Control Protocol (NBFCP)

–NetWare Asynchronous Services Interface (NASI)

–X.25 PAD connections

•Router-to-router situations—RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one router to a non-Cisco router if the non-Cisco router requires RADIUS authentication.

•Networks using a variety of services—RADIUS generally binds a user to one service model.

New Hardware and Software Features in Cisco IOS Release 11.2(9)P

The following new hardware and software features are supported by the Cisco 1600 series for Release 11.2(9)P.

Cisco 1605-R Router

This new router provides two Ethernet LAN interfaces and one WAN interface card slot. One Ethernet interface can be dedicated to an internal LAN while a second perimeter LAN allows users from an untrusted network (such as the Internet) to access resources such as Web and FTP servers.

ISDN Leased Line BRI S/T WAN Interface Card

This card is supported on Cisco 1603 and 1604 routers. The card provides an additional ISDN 64-kbps leased-line on the B1 channel that supports Frame Relay encapsulation, PPP encapsulation, and PPP compression.

56/64kbps DSU/CSU WAN Interface Card

This 4-wire, SNMP-manageable DSU/CSU card supports 56- or 64-kbps Digital Data Service (DDS) and Leased Line and Switched 56 kbps. The following synchronous serial WAN services/protocols are supported: Frame Relay, SMDS, X.25, PPP, LAPB, and HDLC. Card diagnostics can be retrieved using Telnet or the console port.

New Software Features in Cisco IOS Release 11.2(1)

The following new software features are supported by the Cisco 1600 series routers for Release 11.2(1) and later. They are divided into the following categories:

•Routing Protocols

•Desktop Protocols

•Wide-Area Networking Features

•Security Features

•Network Management

Routing Protocols

IP Protocol and Feature Enhancements

The following new IP protocol software features are available:

•On Demand Routing—On Demand Routing (ODR) is a mechanism that provides minimum-overhead IP routing for stub sites. The overhead of a general dynamic routing protocol is avoided, without incurring the configuration and management overhead of using static routing.

A stub router is the peripheral router in a hub-and-spoke network topology. Stub routers commonly have a WAN connection to the hub router and a small number of LAN network segments (stub networks) that are connected directly to the stub router. To provide full connectivity, the hub routers can be statically configured to recognize that a particular stub network is reachable via a specified access router. However, if there are multiple hub routers, many stub networks, or asynchronous connections between hubs and spokes, the overhead required to statically configure knowledge of the stub networks on the hub routers becomes too great.

ODR simplifies installation of IP stub networks in which the hub routers dynamically maintain routes to the stub networks. This is accomplished without requiring the configuration of an IP routing protocol at the stub routers. With ODR, the stub advertises IP prefixes corresponding to the IP networks that are configured on its directly connected interfaces. Because ODR advertises IP prefixes, rather than IP network numbers, ODR is able to carry Variable Length Subnet Mask (VLSM) information.

Once ODR is enabled on a hub router, the router begins installing stub network routes in the IP forwarding table. The hub router can also be configured to redistribute these routes into any configured dynamic IP routing protocols. IP does not need to be configured on the stub router. With ODR, a router is automatically considered to be a stub when no IP routing protocols have been configured on it.

The routing protocol that ODR generates is propagated between routers using Cisco Discovery Protocol (CDP). Thus, ODR is partially controlled by the configuration of CDP. Specifically:

–If CDP is disabled, the propagation of ODR routing information ceases.

–By default, CDP sends updates every 60 seconds. This update interval might not be frequent enough to provide fast reconvergence of IP routers on the hub-router side of the network. A faster reconvergence rate might be necessary if the stub connects to several hub routers via asynchronous interfaces (such as modem lines).

–ODR might not work well with dial-on-demand routing (DDR) interfaces, as CDP packets do not cause a DDR connection to be made.

It is recommended that IP filtering be used to limit the network prefixes that the hub router permits to be learned dynamically through ODR. If the interface has multiple logical IP networks configured (via the IP secondary command), only the primary IP network is advertised through ODR.

Open Shortest Path First (OSPF) Enhancements

The following features have been added to Cisco OSPF software:

•OSPF On-Demand Circuit—OSPF On-Demand Circuit is an enhancement to the OSPF protocol, as described in RFC 1793, that allows efficient operation over demand circuits such as ISDN, X.25 SVCs, and dial-up lines. Previously, the period nature of OSPF routing traffic mandated that the underlying data-link connection needed to be open constantly, resulting in unwanted usage charges. With this feature, OSPF Hellos and the refresh of OSPF routing information is suppressed for on-demand circuits (and reachability is presumed), allowing the underlying data-link connections to be closed when not carrying application traffic.

The feature allows the consolidation on a single routing protocol and the benefits of the OSPF routing protocol across the entire network, without incurring excess connection costs.

If the router is part of a point-to-point topology, only one end of the demand circuit needs to be configured for OSPF On-Demand Circuit operation. In point-to-multipoint topologies, all appropriate routers must be configured with OSPF On-Demand Circuit. All routers in an area must support this feature—that is, be running Cisco IOS Software Release 11.2 or greater.

•OSPF Not-So-Stubby Areas (NSSA)—As part of the OSPF protocol support for scalable, hierarchical routing, peripheral portions of the network can be defined as "stub" areas, so that they do not receive and process external OSPF advertisements. Stub areas are generally defined for low end routers with: a limited memory and CPU, low-speed connections, and a default route configuration.

OSPF Not-So-Stubby-Areas (NSSA) defines a more flexible, hybrid method, whereby stub areas can import external OSPF routes in a limited fashion, so that OSPF can be extended across the stub to backbone connection.

NSSA enables OSPF to be extended across a stub area to backbone area connection to become logically part of the same network.

Border Gateway Protocol version 4 (BGP4) Enhancements

The following features have been added to Cisco BGP4 software:

•BGP4 Soft Configuration—BGP4 soft configuration allows BGP4 policies to be configured and activated without clearing the BGP session, hence without invalidating the forwarding cache. This enables policy reconfiguration without causing short-term interruptions to traffic being forwarded in the network.

•BGP4 Multipath Support— BGP4 Multipath Support provides BGP load balancing between multiple Exterior BGP (EBGP) sessions. If there are multiple EBGP sessions between the local autonomous system (AS) and the neighboring AS, multipath support allows BGP to load balance among these sessions. Depending on the switching mode, per packet or per destination load balancing is performed. BGP4 Multipath Support can support up to six paths.

•BGP4 Prefix Filtering with Inbound Route Maps—This feature allows prefix-based matching support to the inbound neighbor route map. This feature allows an inbound route map to be used to enforce prefix-based policies.

Network Address Translation

Network Address Translation (NAT) provides a mechanism for a privately addressed network to access registered networks, such as the Internet, without requiring a registered subnet address. This eliminates the need for host renumbering and allows the same IP address range to be used in multiple intranets.

With NAT, the privately addressed network (designated as "inside") continues to use its existing private or obsolete addresses. These addresses are converted into legal addresses before packets are forwarded onto the registered network (designated as "outside"). The translation function is compatible with standard routing; the feature is required only on the router connecting the inside network to the outside domain.

Translations can be static or dynamic. A static address translation establishes a one-to-one mapping between the inside network and the outside domain. Dynamic address translations are defined by describing the local addresses to be translated and the pool of addresses from which to allocate outside addresses. Allocation is done in numeric order and multiple pools of contiguous address blocks can be defined.

NAT Benefits:

•NAT eliminates the need to readdress all hosts that require external access, saving time and money.

•With NAT, internal hosts can share a single registered IP address for all external communications. In this type of configuration, relatively few external addresses are required to support many internal hosts, thus conserving IP addresses.

•Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used in conjunction with NAT to gain controlled external access.

Because the addressing scheme on the inside network might conflict with registered addresses already assigned within the Internet, NAT can support a separate address pool for overlapping networks and translate as appropriate.

Applications that use raw IP addresses as a part of their protocol exchanges are incompatible with NAT. Typically, these are less common applications that do not use fully qualified domain names.

Named IP Access Control List

The Named IP Access Control List (ACL) feature gives network managers the option of using names for their access control lists. Named IP ACL function similarly to their numbered counter-parts, except that they use names instead of numbers. This feature also includes a new configuration mode, which supports addition and deletion of single lines in a multiline access control list.

This feature eliminates some of the confusion associated with maintaining long access control lists. Meaningful names can be assigned, making it easier to remember which service is controlled by which access control list. Moreover, this feature removes the limit of 100 extended and 99 standard access control lists, so that additional IP access control lists can be configured.

The new configuration feature allows a network manager to edit access control lists, rather than re-creating the entire list. Currently, only packet and route filters can use Named IP ACL. Also, named IP ACLs are not backward-compatible with earlier releases of Cisco IOS software. Named IP ACLs are not currently supported with Distributed Fast Switching.

Multimedia and Quality of Service

The following features have been added to Cisco multimedia and quality of service software:

•Resource Reservation Protocol—Resource Reservation Protocol (RSVP) enables applications to dynamically reserve necessary network resources from end-to-end for different classes of service. An application, which acts as a receiver for a traffic stream, initiates a request for reservation of resources (bandwidth) from the network, based on the required quality of service of the application. The first RSVP-enabled router that receives the request informs the requesting host whether the requested resources are available or not. The request is forwarded to the next router, towards the sender of the traffic stream. If the reservations are successful, an end-to-end pipeline of resources is available for the application to obtain the required quality of service. RSVP enables applications with real-time traffic needs, such as multimedia applications, to coexist with bursty applications on the same network. RSVP works with both unicast and multicast applications.

RSVP requires both a network implementation and a client implementation. Applications need to be RSVP-enabled to take advantage of RSVP functionality. Currently, Precept provides an implementation of RSVP for Windows-based PCs. Companies such as Sun and Silicon Graphics have demonstrated RSVP on their platforms. Several application developers are planning to take advantage of RSVP in their applications.

•Random Early Detection—Random Early Detection (RED) helps eliminate network congestion during peak traffic loads. RED uses the characteristics of a robust transport protocol (TCP) to reduce transmission volume at the source when traffic volume threatens to overload a router buffer resources. RED is designed to relieve congestion on TCP/IP networks.

RED is enabled on a per-interface basis. It "throttles back" lower-priority traffic first, allowing higher-priority traffic (as designated by an RSVP reservation or the IP precedence value) to continue unabated. RED works with RSVP to maintain end-to-end quality of service during peak traffic loads. Congestion is avoided by selectively dropping traffic during peak load periods. This is performed in a manner designed to damp out waves of sessions going through TCP slow start.

Existing networks can be upgraded to better handle RSVP and priority traffic. Additionally, RED can be used in existing networks to manage congestion more effectively on higher-speed links where fair queuing is expensive.

Exercise caution when enabling RED on interfaces that support multiprotocol traffic (in addition to TCP/IP), such as IPX or AppleTalk. RED is not designed for use with these protocols and could have deleterious affects. RED is a queuing technique; it cannot be used on the same interface as other queuing techniques, such as Standard Queuing, Custom Queuing, Priority Queuing, or Fair Queuing.

•Generic Traffic Shaping—Generic Traffic Shaping (also called Interface Independent Traffic Shaping) helps reduce the flow of outbound traffic from a router interface into a backbone transport network when congestion is detected in the downstream portions of the backbone transport network or in a downstream router. Unlike the Traffic Shaping over Frame Relay features which are specifically designed to work on interfaces to Frame Relay networks, Generic Traffic Shaping works on interfaces to a variety of Layer 2 data-link technologies (including Frame Relay, SMDS, Ethernet, and so on).

Topologies that have high-speed links feeding into lower-speed links—such as a central site to a remote or branch sites—often experience bottlenecks at the remote end because of the speed mismatch. Generic Traffic Shaping helps eliminate the bottleneck situation by throttling back traffic volume at the source end.

Routers can be configured to transmit at a lower bit rate than the interface bit rate. Service providers or large enterprises can use the feature to partition, for example, T1 or T3 links into smaller channels to match service ordered by customers.

Generic Traffic Shaping implements a Weighted Fair Queuing (WFQ) on an interface or subinterface to allow the desired level of traffic flow. The feature consumes router memory and CPU resources, so it must be used judiciously to regulate critical traffic flows while not degrading overall router performance.

Multiprotocol Routing

Enhanced IGRP Optimizations—With the wide-scale deployment of Enhanced Interior Gateway Routing Protocol (Enhanced IGRP) in increasingly large and complex customer networks, Cisco has been able to continuously monitor and refine Enhanced IGRP operation, integrating several key optimizations. Optimizations have been made in the allocation of bandwidth, use of processor and memory resources, and mechanisms for maintaining information about peer routers, as described below:

•Intelligent Bandwidth Control: In network congestion scenarios, packet loss, especially the dropping of routing protocol messages, adversely affects convergence time and overall stability. To prevent this problem, Enhanced IGRP now takes into consideration the available bandwidth (at a granularity of per subinterface/virtual circuit if appropriate) when determining the rate at which it transmits updates. Interfaces can also be configured to use a certain (maximum) percentage of the bandwidth, so that even during routing topology computations, a defined portion of the link capacity remains available for data traffic.

•Improved Processor and Memory Utilization: Enhanced IGRP derives the distributed routing tables from topology databases that are exchanged between peer routers. This CPU computation has now been made significantly more efficient as has the protocol queuing algorithm, resulting in improved memory utilization. The combination of these factors further increases the suitability of Enhanced IGRP for deployment, particularly on low-end routers.

•Implicit Protocol Acknowledgments: Enhanced IGRP running within a router maintains state and reachability information about other neighboring routers. This mechanism has been modified so that it no longer requires explicit notifications to be exchanged but rather accepts any traffic originating from a peer as a valid indication that the router is operational. This provides greater resilience under extreme load.

•IPX Service Advertisement Interleaving: Large IPX environments are typically characterized by many Service Advertisements, which can saturate lower-speed links at the expense of routing protocol messages. Enhanced IGRP now employs an interleaving technique to ensure that both traffic types receive sufficient bandwidth in large IPX networks.

These enhancements are particularly applicable in networking environments having many low-speed links (typically in hub-and-spoke topologies); in Non-Broadcast-Multiple-Access (NBMA) wide-area networks such as Frame Relay, ATM, or X.25 backbones; and in highly redundant, dense router-router peering configurations. It should be noted that the basic Enhanced IGRP routing algorithm that exhibits very fast convergence and guaranteed loop-free paths has not changed, so there are no backwards compatibility issues with earlier versions of Cisco IOS software.

Switching Features

Integrated Routing and Bridging—Integrated routing and bridging (IRB) delivers the functionality to extend VLANs and Layer 2 bridged domains across the groups of interfaces on Cisco IOS software-based routers and interconnect them to the routed domains within the same router.

The ability to route and bridge the same protocol on multiple independent sets of interfaces of the same Cisco IOS software-based router makes it possible to route between these routed and the bridged domains within that router. IRB provides a scalable mechanism for integration of Layer 2 and Layer 3 domains within the same device.

Integrated routing and bridging provides:

•Scalable, efficient integration of Layer 2 and Layer 3 domains: The IRB functionality allows you to extend the bridge domains or VLANs across routers while maintaining the ability to interconnect them to the routed domains through the same router.

•Layer 3 address conservation: You can extend the bridge domains and the VLAN environments across the routers to conserve the Layer 3 address space and still use the same router to interconnect the VLANs and bridged domains to the routed domain.

•Flexible network reconfiguration: Network administrators gain the flexibility of being able to extend the bridge domain across router interfaces to provide temporary solution for moves, adds, and changes. This can be useful during migration from a bridged environment to a routed environment or when making address changes on a scheduled basis.

Note that:

•Currently, IRB supports three protocols: IP, IPX, and AppleTalk, in both fast-switching and process-switching modes.

•IRB is supported for transparent bridging, but not for source-route bridging.

•IRB is supported on all media-type interfaces except X.25 and ISDN bridged interfaces.

•IRB and concurrent routing and bridging (CRB) cannot operate at the same time.

Desktop Protocols

AppleTalk Features

AppleTalk Load Balancing—This feature allows AppleTalk data traffic to be distributed more evenly across redundant links in a network. AppleTalk load balancing can reduce network costs by allowing more efficient use of network resources. Network reliability is improved because the chance that network paths between nodes becomes overloaded is reduced. For convenience, load balancing is provided for networks using native AppleTalk routing protocols such as Routing Table Maintenance Protocol (RTMP) and Enhanced IGRP. AppleTalk load balancing operates with process and fast switching.

Novell Features

The following features have been added to Cisco Novell software:

•Display SAP by Name—This feature allows network managers to display Service Advertisement Protocol (SAP) entries that match a particular server name or other specific value. The current command that displays IPX servers has been extended to allow the use of any regular expression (including supported special characters) for matching against the router SAP table.

•IPX Access Control List Violation Logging—With this feature, routers can use existing router logging facilities to log IPX access control list (ACL) violations whenever a packet matches a particular access-list entry. The first packet to match an entry is logged immediately; updates are sent at approximately 5-minute intervals.

This feature allows logging of:

–Source and destination addresses

–Source and destination socket numbers

–Protocol (or packet) type (for example, IPX, SPX, or NCP)

–Action taken (permit/deny)

Matching packets and logging-enabled ACLs are sent at the process level. Router logging facilities use the IP protocol.

•Plain English IPX access list—Through the use of this feature, the most common protocol and socket numbers used in IPX extended ACLs can be specified by either name or number instead of only numbers, as required previously. Protocol types supported include RIP, SAP, NCP, and NetBIOS. Supported socket types include Novell Diagnostics Packet Enhanced IGRP and NLSP. Plain English IPX Access Lists greatly reduce the complexity and increase the readability of IPX extended access control lists, reducing network management expense by making it easier to build and analyze the access control mechanisms used in IPX networks.

Wide-Area Networking Features

ISDN/DDR Enhancements

The following features have been added to Cisco ISDN and DDR software:

•Multichassis Multilink PPP (MMP)—Multichassis Multilink Point-to-Point Protocol (MMP) extends Multilink PPP (MLP) by providing a mechanism to aggregate B-channels transparently across multiple routers or access servers. MMP defines the methodology for sharing individual links in a MLP bundle across multiple, independent platforms. The primary application for MMP is the ISDN dial-up pool; however, it can also be used in a mixed technology environment.

MMP is based on the concept of a stack group—a group of routers or access servers that operate as a group when receiving MLP calls. Any member of the stack group can answer any call into the single access number applied to all WAN interfaces. Typically, the access number corresponds to a telco hunt group. Cross-platform aggregation is performed via tunneling between members of a stack group using the Level 2 Forwarding (L2F) protocol, a draft IETF standard.

MMP is flexible and scalable. Because the L2F protocol is IP based, members of a stack group can be connected over many types of LAN or WAN media. stack group size can be increased by increasing the bandwidth available to the L2F protocol—for example, by moving from shared to switched Ethernet.

With Multichassis Multilink PPP:

–New devices can be added to the dial-up pool at any time.

–The load for reassembly and resequencing can be shared across all devices in the stack group. MMP is less CPU-intensive than MLP.

–MMP provides an interoperable multivendor solution because it does not require any special software capabilities at the remote sites. The only remote requirement is support for industry-standard MLP (RFC 1717).

---

Note This feature is documented in the PPP for wide-area networking chapters of the Wide-Area Networking Configuration Guide and the Wide-Area Networking Command Reference.

---

•Virtual Private Dial-up Network— Virtual Private Dial-up Network (VPDN) allows users from multiple disparate domains to gain secure access to their corporate home gateways via public networks or the Internet. This functionality is based on the Layer 2 Forwarding (L2F) specification that Cisco has proposed as an industry standard to the Internet Engineering Task Force (IETF).

Service providers who wish to offer private dial-up network services can use VPDN to provide a single telephone number for all their client organizations. A customer can use dial-up access to a local point of presence where the access server identifies the customer by PPP username. The PPP username is also used to establish a home gateway destination. When the home gateway is identified, the access server builds a secure tunnel across the service provider backbone to the customer home gateway. The PPP session is also transported to this home gateway, where local security measures can ensure the person is allowed access to the network behind the home gateway. Of special interest to service providers is the independence of VPDN from WAN technology. Because L2F is TCP/IP-based, it can be used over any type of service provider backbone network.

---

Note This feature is documented in the PPP for wide-area networking chapters of the Wide-Area Networking Configuration Guide and the Wide-Area Networking Command Reference.

---

•Dialer Profiles—Dialer profiles allow the user to separate the network layer, encapsulation, and dialer parameters portion of the configuration from that of the interface used to place or receive calls. Dialer profile extends the flexibility of current dial-up configurations. For example, on a single ISDN PRI or PRI rotary group, it is now possible to allocate separate profiles for different classes of user. These profiles might define normal DDR usage or backup usage.

Each dialer profile uses an Interface Descriptor Block (IDB) distinct from the IDB of the physical interface used to place or receive calls. When a call is established, both IDBs are bound together so that traffic can flow. As a result, dialer profiles use more IDBs than normal DDR. This initial release of dialer profiles does not support Frame Relay, X.25, or Link Access Procedure Balance (LAPB) encapsulation on DDR links or Snapshot Routing capabilities.

•Combinet Packet Protocol (CPP) Support—Combinet Packet Protocol (CPP) is a proprietary encapsulation used by legacy Combinet products for data transport. CPP also defines a methodology for performing compression and load sharing across ISDN links. The Cisco IOS software implementation of CPP supports both compression and load sharing using this proprietary encapsulation.

A large installed base of early Combinet product users cannot upgrade to later software releases that support interoperability standards such as PPP. With CPP support, these users can integrate their existing product base into new Cisco IOS software-based internetworks.

CPP does not provide many of the functions available in the Cisco implementation of the PPP standards. These functions include address negotiation and support for protocols like AppleTalk. Where possible, Cisco recommends that customers migrate to software that supports PPP.

•Half Bridge/Half Router for Combinet Packet Protocol (CPP) and PPP—Half bridge/half router allows low-end, simply configured bridge devices to bridge either PPP or Combinet Packet Protocol (CPP)-encapsulated data to a Cisco IOS core network router. Half bridge/half router is designed for networks that have small-remote Ethernet segments, each with a single PPP- or CPP-compatible bridging device connected to a core network. The serial or ISDN interface on the core network router appears as a virtual Ethernet port to the network. Layer 3 data packets transported across this type of link are first encapsulated within an Ethernet encapsulation. A PPP or CPP bridging header is then added. This facility allows bridged traffic arriving at the core device to be routed from that point on. This feature is process switched.

Frame Relay Enhancements

The following features have been added to Cisco Frame Relay software:

•Frame Relay SVC Support (DTE)—Currently, access to Frame Relay networks is through private leased lines at speeds ranging from 56 kbps to 45 Mbps. Bandwidth within the Frame Relay network is permanently committed to providing permanent virtual circuits (PVCs) between the endpoints. Switched virtual circuits (SVCs) allow access through a Frame Relay network by setting up a path to the destination endpoints only when the need arises. This is similar to X.25 SVCs, which allow connections to be set up and torn down based upon data traffic requirements. Although SVCs entail overhead for setting up and tearing down links, the VC is only established when data must be transferred, so the number of VCs is proportional to the number of actual conversations between sites rather than the number of sites.

Frame Relay SVCs offer cost savings via usage-based pricing instead of fixed pricing for a PVC connection, dynamic modification of network topologies with any-to-any connectivity, dynamic network bandwidth allocation or bandwidth-on-demand for large data transfers such as FTP traffic, backup for PVC backbones, and conservation of resources in private networks.

To use Frame Relay SVCs, Frame Relay SVC must be supported by the Frame Relay switches used in the network. Also, a Physical Local Loop Connection, such as a leased or dedicated line, must exist between the router (DTE) and the local Frame Relay switch.

•Traffic Shaping over Frame Relay

---

Note Traffic shaping over Frame Relay is not available in Release 11.2(1). Refer to software defect ID CSCdi60734.

---

The Frame Relay protocol defines several parameters that are useful for managing network traffic congestion. These include Committed Information Rate (CIR), Forward/Backward Explicit Congestion Notification (FECN/BECN), and Discard Eligibility (DE) bit. Cisco already provides support for FECN for DECnet and OSI, BECN for Systems Network Architecture (SNA) traffic using direct LLC2 encapsulation via RFC 1490, and DE bit support. The Frame Relay Traffic Shaping feature builds upon this support by providing the following three capabilities:

–Rate Enforcement on a per virtual circuit (VC) basis: A peak rate can be configured to limit outbound traffic to either the CIR or some other defined value such as the Excess Information Rate (EIR).

–Generalized BECN support on a per VC basis: The router can monitor BECNs and throttle traffic based upon BECN marked packet feedback from the Frame Relay network.

–Priority/Custom/First In, First Out Queuing (PQ/CQ/FIFO) support at the VC level: This allows for finer granularity in the prioritization and queuing of traffic, providing more control over the traffic flow on an individual VC.

Frame Relay Traffic Shaping:

–Eliminates bottlenecks in Frame Relay network topologies with high-speed connections at the central site and low-speed connections at the branch sites. Rate Enforcement can be used to limit the rate at which data is sent on the VC at the central site.

–Provides a mechanism for sharing media by multiple VCs. Rate Enforcement allows the transmission speed used by the router to be controlled by criteria other than line speed, such as the CIR or EIR. The Rate Enforcement feature can also be used to pre-allocate bandwidth to each VC, creating a Virtual Time Division Multiplexing network.

–Dynamically throttles traffic, based on information contained in BECN-tagged packets received from the network. With BECN-based throttling, packets are held in the router buffers to reduce the data flow from the router into the Frame Relay network. The throttling is done on a per VC basis and the transmission rate is adjusted based on the number of BECN-tagged packets received.

–Defines queuing at the VC or subinterface level. Custom Queuing with the Per VC Queuing and Rate Enforcement capabilities enable Frame Relay VCs to be configured to carry multiple traffic types (such as IP, SNA and IPX), with bandwidth guaranteed for each traffic type.

The three capabilities of the Traffic Shaping for Frame Relay feature require the router to buffer packets to control traffic flow and compute data rate tables. Because of this router memory and CPU utilization, these features must be used judiciously to regulate critical traffic flows while not degrading overall Frame Relay performance.

Security Features

New Features

•Router Authentication and Network-Layer Encryption—This feature provides a mechanism for secure data transmission. It consists of two components:

–Router Authentication: Prior to passing encrypted traffic, two routers perform a one-time, two-way authentication by exchanging Digital Signature Standard (DSS) public keys. The hash signatures of these keys are compared to authenticate the routers.

–Network-Layer Encryption: For IP payload encryption, the routers use Diffie-Hellman key exchange to securely generate a DES 40- or 56-bit session key. New session keys are generated on a configurable basis. Encryption policy is set by crypto-maps that use extended IP Access Lists to define which network, subnet, host, or protocol pairs are to be encrypted between routers.

This feature can be used to build multiprotocol Virtual Private Networks (VPNs), using encrypted Generic Routing Encapsulation (GRE) tunnels. It can also be used to deploy secure telecommuting services, intranet privacy, and virtual collaborative or community-of-interest networks.

All components of this feature are subject to U.S. Department of Commerce export regulations. Encryption is currently IP only, though it does support multiprotocol GRE tunnels. This feature is most appropriately deployed in a relatively small number of routers, with a logically flat or star-shaped encryption topology. Load-sharing of the encryption/decryption function is not supported. Without a Certification Authority (CA), the one-time authentication effort increases exponentially with the number of routers. Router authentication requires the network administrator to compare the hashes produced by the routers once during initial configuration. This version of encryption is not IPSEC compliant.

•Kerberos V Client Support—This feature provides full support of Kerberos V client authentication, including credential forwarding. Systems with existing Kerberos V infrastructures can use their Key Distribution Centers (KDCs) to authenticate end users for network or router access. This is a client implementation, not a Kerberos KDC. Kerberos is generally considered a legacy security service and is most beneficial in networks already using Kerberos.

TACACS+ Enhancements

The following features have been added to Cisco Terminal Access Controller Access Control System (TACACS)+ software:

•TACACS+ Single Connection—Single Connection is an enhancement to the network access server that increases the number of transactions per second supported. Prior to this enhancement, separate TCP connections would be opened and closed for each of the TACACS+ services: authentication, authorization, and accounting. This became a bottleneck for improving throughput on authentication services for large networks.

Single Connection is an optimization whereby the network access server maintains a single TCP connection to one or more TACACS+ daemons. The connection is maintained in an open state for as long as possible, instead of being opened and closed each time a session is negotiated. It is expected that Single Connection yields performance improvements on a suitably constructed daemon.

Currently, only the CiscoSecure daemon V1.0.1 supports Single Connection. The network access server must be explicitly configured to support a Single Connection daemon. Configuring Single Connection for a daemon that does not support this feature generates errors when TACACS+ is used.

•TACACS+ SENDAUTH Function—SENDAUTH is a TACACS+ protocol change to increase security. SENDAUTH supersedes SENDPASS. SENDAUTH and SENDPASS are documented in Version 1.63 of the TACACS+ protocol specification, which is available from Cisco.com or via anonymous FTP from ftp-eng.cisco.com.

The network access server can support both SENDAUTH and SENDPASS simultaneously. It detects if the daemon is able to support SENDAUTH and, if not, uses SENDPASS instead. This negotiation is virtually transparent to the user, with the exception that the down-rev daemon can log the initial SENDAUTH packet as unrecognized. SENDAUTH functionality requires support from the daemon, as well as from the network access server.

Network Management

New Features

ClickStart—ClickStart is a powerful Web-based software solution for configuring a Cisco router in minutes. ClickStart enables Cisco 1000 series ISDN access routers to be accessed by any Web browser on any desktop platform including MS Windows, Windows 95, Windows NT, UNIX and, MacOS. The easy-to-use Web-based interface guides users through the router installation process. By completing an initial setup form, a user can easily configure the router and bring up the ISDN network connection. The router is then manageable from a central location so that fine-tuning and upgrades can be performed remotely.

MIBs Supported

The following MIB support has been added:

•APPN DLUR MIB

•RTTMON Support

•Cisco IP Encryption MIB

•Cisco Modem Management MIB

•Cisco SYSLOG MIB

•Cisco TN3270 Server MIB

Important Notes

The following sections contain important notes about Cisco IOS Release 11.2 P that can apply to the Cisco 1600 series routers.

Traffic Shaping over Frame Relay

Traffic shaping over Frame Relay is available only in Release 11.2(8) and above. Refer to software caveat ID CSCdj60734 and CSCdi88662.

LAN Extension

The LAN extension interface does not function correctly in Release 11.2(1). The behavior is that the LAN extension NCP negotiates and sets the LAN extension interface state to "up" and the show controller lex number command displays the message "No inventory message received from LAN Extender." Turning on the LAN extension RCMD debugging shows that every remote command is being rejected with the message "LEX-RCMD: encapsulation failure." There is no workaround. Refer to software defect ID CSCdi66478. This defect is fixed in software Release 11.2(2) and above.

Enabling IPX Routing

The Token Ring interface is reset whenever IPX routing is enabled on that interface.

Forwarding of Locally Sourced AppleTalk Packets

Our implementation of AppleTalk does not forward packets with local-source and destination network addresses. This behavior does not conform to the definition of AppleTalk in the Apple Computer Inside AppleTalk publication. However, this behavior is designed to prevent any possible corruption of the AppleTalk Address Resolution Protocol (AARP) table in any AppleTalk node that is performing MAC-address gleaning.

Some 40-Bit Encryption Images Are Unavailable

Cisco is conducting an internal review of the build and distribution processes associated with its 40-bit Cisco IOS cryptographic products. So that we can provide you with seamless access to Cisco IOS 40-bit encryption capability, Cisco provides access to the most current 40-bit encryption images, beginning with Releases 11.2 (12), 11.2(12)P, and 11.3(2). The following 40-bit encryption images are indefinitely unavailable: 11.2(1) - 11.2(11.2), 1.2(2)P - 11.2(11.1)P, 11.2(1)F - 11.2(4)F, 11.3(1).

This review is not related to any new or previously unreported bugs. The information gathered in the review is used to implement new automated development and to order processing applications.

Release 11.2(7a) Fixes Caveats CSCdj24132 and CSCdj21944

Cisco IOS Releases 11.2(7) and 11.2(7)P were deferred due to two severe defects. It was determined that these caveats were significant enough to merit a software rebuild. The rebuild includes the caveat fixes and is renumbered to 11.2(7a).

These defects are bugs CSCdj24132 and CSCdj21944 and are described as follows:

•A router crashes every time it receives an ISDN Q.931 DISCONNECT message. This problem only affects net3 switch types.

A router might also crash if the clear interface bri command is issued. This problem only affects net3, vn2/vn3, and ts013 switch types. [CSCdj24132]

•A memory allocation error occurs after a large number of modem calls are placed to an AS5200 configured for PRI ISDN. After the AS5200 starts to generate a number of these memory allocation error messages, calls cannot be answered.

The following are indicators that can be used to determine if the AS5200 is encountering this problem:

–When the Cisco AS5200 runs out of memory, MALLOC Failure messages similar to the one shown are displayed:

11.2 P

–If there is no ISDN process in the output from the show process command, and you start to see "%SYS-2-MALLOCFAIL" error messages, then the memory leak was caused by this bug.

–If there are more than 46 entries marked "Active" in the output from the show isdn history command, the memory leak was caused by this bug.

[CSCdj21944]

Release 11.2(7a) and all subsequent releases of Cisco IOS software include the fix for these caveats.

Release 11.2(10a) Fixes Caveats CSCdj58676 and CSCdj60533

Cisco IOS Releases 11.2(10) and 11.2(10)P were deferred due to two severe defects: CSCdj58676 and CSCdj60533. It was determined that these caveats were significant enough to merit a software rebuild. The rebuild includes the caveat fixes and is renumbered to 11.2(10a).

These defects are described as follows:

•With EIGRP routing configured, redistribution of the following type of routes into the EIGRP process do not work correctly:

–A directly connected route

–A static route with the next hop set to an interface

–A static route with the next hop set to a dynamically learned route

The nature of the defect is that it only occurs after a dynamic event. If redistribution is manually configured, EIGRP initially reflects correct information in the topology table. However, after any sort of dynamic event, the topology table becomes invalid, and routing updates sent are inaccurate. [CSCdj58676]

---

Note The code changes committed by CSCdj58676 resolved some issues but created the symptoms reported in CSCdj65737. The code changes for CSCdj58676 were only committed to releases 11.2(10a), 11.2(10a)BC and 11.2(10a)P; therefore, they are the only ones affected by CSCdj65737. See the "Release 11.2(11) Reintroduces Caveat CSCdj28874" section for more information related to CSCdj58676 and CSCdj65737.

---

•The ARP lookup routine might suspend, causing unexpected behaviors for IP protocols. For example, if the OSPF routing process is traversing a list of neighbors to send LSA packets and the ARP routine is called, the ARP routine suspension could cause a system reset. [CSCdj60533]

Release 11.2(11) Reintroduces Caveat CSCdj28874

CSCdj65737 was introduced by code changes associated with CSCdj58676. The issue is that routes are not being redistributed into EIGRP from other routing protocols if both protocols are routing for the same major network.

The code changes for CSCdj58676 were only applied to Releases 11.2(10a), 11.2(10a)BC and 11.2(10a)P; therefore, those releases are the only ones impacted by CSCdj65737. The fix to CSCdj65737 is to back out the code changes committed by CSCdj58676 and CSCdj28874. That change has the effect of reintroducing the behavior reported by CSCdj28874, which is described as follows:

•When a network is included in the EIGRP routing process because it is specified with the network x.x.x.x command and that same network is redistributed into EIGRP via the redistribute connected command, there are two entries for the network in the EIGRP topology table.

If the interface connecting that network goes down, only one of the two entries are removed from the topology table. The entry learned via redistribution remains in the topology table and is advertised, even though it is no longer valid. [CSCdj28874]

The code back-outs of CSCdj65737 and reintroduction of CSCdj28874 appears in the following releases:

•11.2(11), 11.2(11)BC, 11.2(11)P

•11.1(16), 11.1(16)AA, 11.1(16)CA, 11.1(16)IA

All defect resolution information pertaining to CSCdj58676 is superseded by the details relating to CSCdj65737.

The symptoms of CSCdj28874 can be avoided by not using the redistributed connected command and instead specifying the individual networks to be redistributed into Enhanced IGRP.

Release 11.2(15a) and 11.2(15a) P

After the release of Cisco IOS Release 11.2(15) and 11.2(15) P, a serious defect (caveat CSCdk33475) was identified that impacts Enhanced IGRP for Cisco IOS Releases 11.2(14.1) through 11.2(15.2) and Releases 11.2(14.1)P through 11.2(15.2)P. It was determined that this defect was significant enough to merit a software rebuild. The rebuild includes the caveat fix and is renumbered to Release 11.2(15a) and 11.2(15a)P.

Caveat CSCdk33475 causes a router to fail after the command show ip eigrp events is issued. While this show command is not required for normal operation, it is used often enough by TAC personnel and customers to cause major havoc to customers who are running images with this defect.

Release 11.2(15a) and 11.2(15a)P and all subsequent releases of Cisco IOS software include the fix for this caveat.

Cisco IOS Release 11.2 Switches to Long-Cycle Maintenance Releases

Beginning with Cisco IOS Release 11.2(15) and 11.2(15)P, all subsequent 11.2 and 11.2 P releases switch to Long-Cycle Maintenance Releases. A new 11.2 and 11.2 P maintenance release is scheduled to be available every thirteen weeks during the Long-Cycle Maintenance Release period. Interim builds will be available approximately every three weeks.

Caveats

Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.

For information on caveats in Cisco IOS Release 11.2 P, see Caveats for Cisco IOS Release 11.2 P.

All caveats in Cisco IOS Release 11.2 are also in Cisco IOS Release 11.2 P.

For information on caveats in Cisco IOS Release 11.2, see the caveats sections in Cross-Platform Release Notes for Cisco IOS Release 11.2, which list severity 1 and 2 caveats.

---

Note If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II, go to Cisco.com and press Login. Then go to Software Center: Cisco IOS Software: Cisco Bugtool Navigator II. Another option is to go to http://www.cisco.com/support/bugtools.

---

Related Documentation

The following sections describe the documentation available for the Cisco 1600 series routers. These documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents.

Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and the Documentation CD-ROM.

Use these release notes with these documents:

•Release-Specific Documents

•Platform-Specific Documents

•Feature Modules

•Cisco IOS Software Documentation Set

Release-Specific Documents

The following documents are specific to Cisco IOS Release 11.2 and are located on Cisco.com and the Documentation CD-ROM:

•Cross-Platform Release Notes for Cisco IOS Release 11.2

On Cisco.com at:

Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 11.2: Product Specific Release Notes for Cisco IOS Release 11.2: Cross-Platform Release Notes for Cisco IOS Release 11.2

On the Documentation CD-ROM at:

Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 11.2: Product Specific Release Notes for Cisco IOS Release 11.2: Cross-Platform Release Notes for Cisco IOS Release 11.2

•Product bulletins, field notices, and other release-specific documents on Cisco.com at:

Technical Documents

•Caveats for Cisco IOS Release 11.2 and 11.2 P

See the "Caveats" section in Cross-Platform Release Notes for Cisco IOS Release 11.2 and the entire Caveats for Cisco IOS Release 11.2 P document, which contain caveats applicable to all platforms for all maintenance releases of Cisco IOS Release 11.2 and Release 11.2 P.

On Cisco.com at:

Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 11.2: Product Specific Release Notes for Cisco IOS Release 11.2

On the Documentation CD-ROM at:

Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 11.2: Product Specific Release Notes for Cisco IOS Release 11.2

---

Note If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II, go to Cisco.com and press Login. Then go to Software Center: Cisco IOS Software: Cisco Bugtool Navigator II. Another option is to go to http://www.cisco.com/support/bugtools.

---

Platform-Specific Documents

These individual and groups of documents are available for the Cisco 1600 series routers on Cisco.com and the Documentation CD-ROM:

•Quick Start Guides

•Cisco 1600 Series Hardware Installation Guide

•Cisco 1600 Series Software Configuration Guide

•Cisco 1600 series router configuration notes

•Release notes for Cisco 1600 series routers

•Regulatory compliance and safety information for the Cisco 1600 series

•WAN Interface Cards Hardware Installation Guide

•Cisco 1600 Fast Step Quick Start Guide

On Cisco.com at:

Technical Documents: Documentation Home Page: Cisco Product Documentation: Access Servers and Access Routers: Modular Access Routers: Cisco 1600 Series Routers

On the Documentation CD-ROM at:

Cisco Product Documentation: Access Servers and Access Routers: Modular Access Routers: Cisco 1600 Series Routers

Feature Modules

Feature modules describe new features supported by Cisco IOS Release 11.2 P and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only. Feature module information is incorporated in the next printing of the Cisco IOS documentation set.

On Cisco.com at:

Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 11.2: Feature Guide for Cisco IOS Release 11.2 P

On the Documentation CD-ROM at:

Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 11.2: Feature Guide for Cisco IOS Release 11.2 P

Cisco IOS Software Documentation Set

The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents that are shipped with your order in electronic form on the Documentation CD-ROM—unless you specifically ordered the printed versions.

Documentation Modules

Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a corresponding command reference. Chapters in a configuration guide describe protocols, configuration tasks, Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference.

On Cisco.com and the Documentation CD-ROM, two master hot-linked documents provide information for the Cisco IOS software documentation set.

On Cisco.com at:

Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 11.2: Cisco IOS Release 11.2 Configuration Guides/Command References

On the Documentation CD-ROM at:

Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 11.2: Cisco IOS Release 11.2 Configuration Guides/Command References

Cisco IOS Release 11.2 Documentation Set

Table 3 describes the contents of the Cisco IOS Release 11.2 software documentation set, which is available in electronic form and in printed form ordered.

---

Note You can find the most current Cisco IOS documentation on Cisco.com and the Documentation CD-ROM. These electronic documents may contain updates and modifications made after the hard-copy documents were printed.

---

On Cisco.com at:

Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 11.2

On the Documentation CD-ROM at:

Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 11.2

Table 3 Cisco IOS Release 11.2 Documentation Set 

Books	Chapter Topics
•Configuration Fundamentals Configuration Guide •Configuration Fundamentals Command Reference	Access Server and Router Product Overview User Interface System Images and Configuration Files Using ClickStart, AutoInstall, and Setup Interfaces System Management
•Security Configuration Guide •Security Command Reference	Network Access Security Terminal Access Security Accounting and Billing Traffic Filters Controlling Router Access Network Data Encryption with Router Authentication
•Access Services Configuration Guide •Access Services Command Reference	Terminal Lines and Modem Support Network Connections AppleTalk Remote Access SLIP and PPP XRemote LAT Telnet TN3270 Protocol Translation Configuring Modem Support and Chat Scripts X.3 PAD Regular Expressions
•Wide-Area Networking Configuration Guide •Wide-Area Networking Command Reference	ATM Dial-on-Demand Routing (DDR) Frame Relay ISDN LANE PPP for Wide-Area Networking SMDS X.25 and LAPB
•Network Protocols Configuration Guide, Part 1 •Network Protocols Command Reference, Part 1	IP IP Routing
•Network Protocols Configuration Guide, Part 2 •Network Protocols Command Reference, Part 2	AppleTalk Novell IPX
•Network Protocols Configuration Guide, Part 3 •Network Protocols Command Reference, Part 3	Apollo Domain Banyan VINES DECnet ISO CLNS XNS
•Bridging and IBM Networking Configuration Guide •Bridging and IBM Networking Command Reference	Transparent Bridging Source-Route Bridging Remote Source-Route Bridging DLSw+ STUN and BSTUN LLC2 and SDLC IBM Network Media Translation DSPU and SNA Service Point Support SNA Frame Relay Access Support APPN NCIA Client/Server Topologies IBM Channel Attach
•Cisco IOS Software Command Summary •Access Services Quick Configuration Guide •System Error Messages •Debug Command Reference •Cisco Management Information Base (MIB) User Quick Reference

---

Note Cisco Management Information Base (MIB) User Quick Reference is no longer published. If you have an account with Cisco.com, you can find the current list of MIBs supported by Cisco. To reach the Cisco Network Management Toolkit, go to Cisco.com, press Login, and click to Software Center: Network Mgmt Products: Cisco Network Management Toolkit: Cisco MIB.

---

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

The most current Cisco documentation is available on the World Wide Web at http://www.cisco.com. Translated documentation can be accessed at http://www.cisco.com/public/countries_languages.shtml.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

•Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

•Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387).

Documentation Feedback

If you are reading Cisco products documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

For your convenience, many documents contain a response card behind the front cover for submitting your comments by mail. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

The following sections provide sources for obtaining technical assistance from Cisco Systems.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:

http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

•P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

•P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website:

http://www.cisco.com/register/

Cisco.com registered users who cannot resolve a technical issue by using the TAC online resource can open a case online by using the TAC Case Open tool at the following website:

http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows:

•P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.

•P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.