
Table Of Contents

Release Notes for Cisco AS5200 Universal Access Servers for Cisco IOS Release 12.0 T

Contents

Introduction

System Requirements

Memory Requirements

Hardware Supported

Determining the Software Version

Updating to a New Software Release

Modem Code

Feature Set Tables

New and Changed Information

New Software Features in Release 12.0(7)T

Cisco H.235 Accounting and Security Enhancements for Cisco Gateways

Cisco H.323 Multizone Enhancements

Configuring RADIUS for Multiple User Datagram Protocol Ports

Dynamic Multiple Encapsulations for Dial-In over ISDN

Gateway Support for Alternate Gatekeeper

Redundant Link Manager

Resource Pool Management Server

Resource Pool Management with Direct Remote Services

Selecting AAA Server Groups Based on DNIS

New Software Features in Release 12.0(5)T

Asynchronous Serial Traffic over UDP

Cisco Resource Pool Manager

CNS Client for Cisco IOS Software

Layer 2 Tunneling Protocol Dial-out

Multicast Routing Monitor

Service Assurance Agent

Subnetwork Bandwidth Manager

New Software Features in Release 12.0(4)T

Cisco IOS SNMPv3

Dynamic Multiple Encapsulation for Dial-In over ISDN

Flow-Based Weighted Random Early Detection (WRED)

ISDN LAPB-TA

Large Scale Dialout

Multilink Multiplexor

Parse Bookmarks

Process MIB

Signaling System 7

Virtual Console

No New Features in Release 12.0(3)T

No New Features in Release 12.0(2)T

New Software Features in Release 12.0(1)T

CLI String Search

Easy IP Phase 2-DHCP Server

ISDN MIB RFC2127

Layer Two Tunneling Protocol (L2TP)

Limitations and Restrictions

MIBs

Important Notes

Last Maintenance Release of Cisco IOS Release 12.0 T

Cisco IOS Syslog Failure

Affected Devices and Software Versions

Solution

Workarounds

Software Versions and Fixes

Caveats

Related Documentation

Release-Specific Documents

Platform-Specific Documents

Feature Modules

Cisco IOS Software Documentation Set

Documentation Modules

Release 12.0 Documentation Set

Service and Support

Software Configuration Tips from the Cisco Technical Assistance Center

Cisco Connection Online

Documentation CD-ROM


Release Notes for Cisco AS5200 Universal Access Servers for Cisco IOS Release 12.0 T


January 21, 2000

These release notes for Cisco AS5200 universal access servers support Cisco IOS Release 12.0 T, up to and including Release 12.0(7)T. These release notes are updated as needed to accommodate memory requirements, new features, hardware support, software platform deferrals, and changes to the microcode or modem code and related documents.

For a list of software caveats that apply to Release 12.0 T, see the Caveats for Cisco IOS Release 12.0 T document that accompanies these release notes. The caveats document is updated for every maintenance release and is located on Cisco Connection Online (CCO) and the Documentation CD-ROM. For more information, refer to the "Caveats" section of these release notes.

Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.0 located on Cisco Connection Online (CCO) and the Documentation CD-ROM. 

Contents

These release notes discuss the following topics:

Introduction

System Requirements

New and Changed Information

Limitations and Restrictions

Important Notes

Caveats

Related Documentation

Service and Support

Cisco Connection Online

Documentation CD-ROM

Introduction

The Cisco AS5200 universal access server is a multifaceted data communications platform that provides all the functions of an access server, a router, modems, and terminal adapters (TAs) in a modular chassis. Mid-sized organizations or service providers that require centralized processing capabilities for mobile users and telecommuters will benefit most from using the Cisco AS5200 universal access server.

With their optimization for high-speed modem access, the Cisco AS5200 universal access servers are ideally suited for all traditional dial-up applications, such as host access, electronic mail, file transfer, and dial-in access to a local area network.

For information on new features and Cisco IOS commands supported by Release 12.0 T, see the "New and Changed Information" section and "Related Documentation" section.

System Requirements

This section describes the system requirements for Release 12.0(7)T:

Memory Requirements

Hardware Supported

Determining the Software Version

Updating to a New Software Release

Modem Code

Feature Set Tables

Memory Requirements

Table 1 describes the memory requirements for the Cisco AS5200 platform feature sets supported by Cisco IOS Release 12.0(7)T.

Table 1 Memory Requirements for the Cisco AS5200 Access Server

Image Name     Software Image   Flash Memory Required   DRAM Memory Required   Runs from
IP             c5200-i-l        16 MB                   8 MB                   Flash
IP Plus        c5200-is-l       16 MB                   16 MB                  Flash
Desktop        c5200-d-l        16 MB                   8 MB                   Flash
Desktop Plus   c5200-ds-l       16 MB                   16 MB                  Flash


Hardware Supported

The following are LAN interfaces supported on the Cisco AS5200 universal access servers:

Ethernet (AUI)

MultiChannel Interface (Channelized E1/T1)

The following are WAN data rates supported on the Cisco AS5200:

48/56/64 kbps

1.544/2.048 Mbps

The following are WAN interfaces supported on the Cisco AS5200:

EIA/TIA-232

X.21

V.35

EIA/TIA-449

EIA-530

ISDN PRI

E1-G.703/G.704

Channelized T1

Channelized E1

Serial

Determining the Software Version

To determine the version of Cisco IOS software running on your Cisco AS5200, log in to the Cisco AS5200 and enter the show version EXEC command:

router>show version
Cisco Internetwork Operating System Software 
IOS (tm) AS5200 Software (c5200-i-l), Version 12.0(7)T, RELEASE SOFTWARE
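A small parser for that banner, added here as an example (it is not Cisco code): it extracts the platform, image name and version, compares maintenance releases within the 12.0 T train, and looks up the Table 1 memory requirement for the image. The sample banner string and the TABLE1_MEMORY dictionary are constructed from the text above.

```python
import re
from typing import NamedTuple

# Constructed sample: the banner format shown above, captured as a string.
SAMPLE_SHOW_VERSION = """\
router>show version
Cisco Internetwork Operating System Software
IOS (tm) AS5200 Software (c5200-i-l), Version 12.0(7)T, RELEASE SOFTWARE
"""

# Per-image requirements transcribed from Table 1: (feature set, Flash MB, DRAM MB).
TABLE1_MEMORY = {
    "c5200-i-l": ("IP", 16, 8),
    "c5200-is-l": ("IP Plus", 16, 16),
    "c5200-d-l": ("Desktop", 16, 8),
    "c5200-ds-l": ("Desktop Plus", 16, 16),
}


class IosVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    train: str  # "T" for the 12.0 T technology train, "" for the mainline

    @classmethod
    def parse(cls, text: str) -> "IosVersion":
        # Matches the "12.0(7)T" shape: major.minor(maintenance)train
        m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)", text.strip())
        if m is None:
            raise ValueError(f"unrecognised Cisco IOS version string: {text!r}")
        return cls(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).upper())

    def at_least(self, other: "IosVersion") -> bool:
        """True if self is other or a later maintenance release of the same train.
        Releases on different trains are not ordered against each other."""
        if (self.major, self.minor, self.train) != (other.major, other.minor, other.train):
            raise ValueError(f"{self} and {other} are not on the same release train")
        return self.maintenance >= other.maintenance


BANNER_RE = re.compile(
    r"IOS \(tm\) (?P<platform>\S+) Software \((?P<image>[^)]+)\), "
    r"Version (?P<version>[^,]+), (?P<status>[A-Z ]+)"
)


def parse_show_version(output: str) -> dict:
    """Extract platform, image name, version and status from a 'show version' banner."""
    m = BANNER_RE.search(output)
    if m is None:
        raise ValueError("no IOS banner line found in output")
    return {
        "platform": m.group("platform"),
        "image": m.group("image"),
        "version": IosVersion.parse(m.group("version")),
        "status": m.group("status").strip(),
    }


def check_device(output: str) -> dict:
    """Combine the banner with Table 1: which feature set runs and what memory it needs."""
    info = parse_show_version(output)
    feature_set, flash_mb, dram_mb = TABLE1_MEMORY[info["image"]]
    info.update(feature_set=feature_set, flash_mb=flash_mb, dram_mb=dram_mb)
    return info


if __name__ == "__main__":
    print(check_device(SAMPLE_SHOW_VERSION))
```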

Updating to a New Software Release

For information on upgrading to a new software release, see the product bulletin Cisco IOS Software Release 12.0 T Upgrade Paths and Packaging Simplification (#819: 1/99) on CCO at:

Service & Support: Product Bulletins: Software

Under Cisco IOS 12.0, click Cisco IOS Software Release 12.0 T Upgrade (#819: 1/99).

Modem Code

Cisco IOS Release 11.2(2) and later releases, including Release 12.0(7)T, include bundled modem code for the Cisco AS5200, which is the firmware or portware that runs on the Microcom 12-port and MICA 6-port modem cards. Modem code is bundled with the Cisco IOS software image to eliminate the need to store separate modem code. When the Cisco AS5200 access server starts, the Cisco IOS software unpacks the modem code and loads the proper code on the modem cards. Table 2 lists the current bundled modem code versions for the Cisco AS5200.

Table 2 Current Bundled Modem Code Version

Modem Code Module   Current Bundled Modem Code Version   Cisco IOS Software Releases
Microcom modems     Microcom version 5.1.20              Release 12.0(5)T and later
MICA modems         MICA portware Version 2.7.1.0        Release 12.0(5)T and later



Note   You could have received a later version of modem code than the one bundled with the Cisco IOS software. The modem code in Flash memory is mapped to the modems. Unless you fully understand how Cisco IOS software uses modem code, it is important to keep the factory configuration.


The Cisco IOS Software Upgrade Planner on CCO contains information about downloading software. To access this document from CCO, click Login on the CCO home page to access all information. From the CCO home page, go to the Service & Support area menu, click Software Center, then Cisco IOS Software or IOS Upgrade Planner.

The modem code release notes are on CCO and on the Documentation CD-ROM.

On CCO at:

Technical Documents: Documentation Home Page: Access Servers and Access Routers: Firmware and Portware Information

On the Documentation CD-ROM at:

Cisco Product Documentation: Access Servers and Access Routers:Firmware and Portware Information

Feature Set Tables

The Cisco IOS software is packaged in feature sets consisting of software images, which depend on the platform. Each feature set contains a specific set of Cisco IOS features.

Table 3 lists the Cisco IOS software feature sets available for the Cisco AS5200, including the feature set name, the feature set matrix term, the software image name, and supported platforms.

Table 3 Feature Sets Supported by Cisco AS5200 Universal Access Servers

Feature Set                    Image Name     Feature Set Matrix Term   Software Image
IP Standard Feature Set        IP             Basic(1)                  c5200-i-l
                               IP Plus        Basic, Plus(2)            c5200-is-l
Desktop Standard Feature Set   Desktop        Basic                     c5200-d-l
                               Desktop Plus   Basic, Plus               c5200-ds-l

1 This feature is offered in the basic feature set.

2 This feature is offered in the Plus feature set.



Caution   
Cisco IOS images with strong encryption (including, but not limited to 168-bit (3DES) data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay due to United States government regulations. When applicable, purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.

Table 4 lists the features and feature sets supported by the Cisco AS5200 for Cisco IOS Release 12.0(7)T and uses the following conventions:

Yes—The feature is supported in the software image.

No—The feature is not supported in the software image.

In—The number in the "In" column indicates the Cisco IOS release in which the feature was introduced. For example, (7) means a feature was introduced in 12.0(7)T. If a cell in this column is empty, the feature was included in the initial base release.


Note   This feature set table contains only a selected list of features. It is not a cumulative or complete list of all the features in each image.


Table 4 Feature List by Feature Set for the Cisco AS5200 Universal Access Server

(The IP, IP Plus, Desktop and Desktop Plus columns are the software images by feature set.)

Features | In(1) | IP | IP Plus | Desktop | Desktop Plus

IBM Support
Bridging Code Rework | | Yes | Yes | Yes | Yes
RIF Passthru in DLSw+ | | No | No | No | No

IP Routing
Asynch over UDP | (5) | Yes | Yes | Yes | Yes
Easy IP Phase 2-DHCP Server | (1) | Yes | Yes | Yes | Yes
IP Type of Service and Precedence for GRE Tunnels | | Yes | Yes | Yes | Yes
OSPF Point to Multipoint | | Yes | Yes | Yes | Yes
Per User DNS | | Yes | Yes | Yes | Yes

Management
Cisco IOS File System | | Yes | Yes | Yes | Yes
CNS Client for Cisco IOS Software | (4) | No | No | No | No
CNS client for IOS 12.05(t) (aka IPSec Policy Agent II) | (5) | No | No | No | No
Entity MIB | | Yes | Yes | Yes | Yes
Expression MIB | | Yes | Yes | Yes | Yes
Conditionally Triggered Debugging | | Yes | Yes | Yes | Yes
ISDN MIB RFC 2127 | (1) | Yes | Yes | Yes | Yes
Generic Filesystem Layer (OS_IFSS) | (4) | Yes | Yes | Yes | Yes
Multicast Routing Monitor | (5) | Yes | Yes | Yes | Yes
Process MIB | (4) | Yes | Yes | Yes | Yes
Show Caller | | Yes | Yes | Yes | Yes
SNMP Inform Request | | No | No | No | No
SNMP Manager | | Yes | Yes | Yes | Yes
Cisco SNMP Version 3 | (4) | Yes | Yes | Yes | Yes
Virtual Console | (1) | Yes | Yes | Yes | Yes
VPDN MIB and Syslog Facility | | No | Yes | No | Yes

Multimedia
Protocol-Independent Multicasts (PIM) v2 | | Yes | Yes | Yes | Yes

Quality of Service
CLI String Search | (1) | Yes | Yes | Yes | Yes

Scalability
Airline Product Set (ALPS) | | Yes | Yes | Yes | Yes

Security
Additional Vendor-Proprietary RADIUS Attributes | | Yes | Yes | Yes | Yes
Authenticating ACLs | | Yes | Yes | Yes | Yes
Automated Double Authentication | | Yes | Yes | Yes | Yes
MS-CHAP Support | | No | No | No | No
Named Method Lists for AAA Authentication & Accounting | | Yes | Yes | Yes | Yes
Parse Bookmarks | (4) | Yes | Yes | Yes | Yes
Subblock Phase 1 | | Yes | Yes | Yes | Yes

WAN Optimization
DRP Server Agent Enhancement | | Yes | Yes | No | Yes

WAN Services
Always On/Dynamic ISDN (AO/DI) | | No | No | No | No
ATM E.164 Auto Conversion | | Yes | Yes | Yes | Yes
Dialer Watch | | Yes | Yes | Yes | Yes
ISDN LAPB-TA | (4) | Yes | Yes | Yes | Yes
Large Scale Dialout | (4) | Yes | Yes | No | No
Layer 2 Tunneling Protocol | (1) | No | Yes | No | Yes
Layer 2 Tunneling Protocol Dial Out | (5) | No | Yes | No | Yes
Microsoft Point-to-Point (MPPC) | | Yes | Yes | Yes | Yes
MS Callback | | Yes | Yes | Yes | Yes
Multiple ISDN Switch Types | | Yes | Yes | Yes | Yes
National ISDN Switch Types | | Yes | Yes | Yes | Yes
Signaling System 7 (SS7) | (4) | No | Yes | No | Yes
Stackable Home Gateway | | No | Yes | No | Yes

Miscellaneous
Cisco Resource Pool Manager | (4) | Yes | Yes | Yes | Yes
Flow Random Early Detection (Flow WRED) | (4) | Yes | Yes | Yes | Yes
Subnetwork Bandwidth Manager | (5) | Yes | Yes | Yes | Yes

New
Configuring RADIUS for Multiple User Datagram Protocol Ports | (7) | Yes | Yes | Yes | Yes
Dynamic Multiple Encapsulation for Dial-in over ISDN | (7) | Yes | Yes | Yes | Yes
Resource Pool Management Server | (7) | Yes | Yes | Yes | Yes
Resource Pool Management with Direct Remote Services | (7) | Yes | Yes | Yes | Yes
Selecting AAA Server Groups Based on DNIS | (7) | Yes | Yes | Yes | Yes

1 This column indicates the maintenance release in which the feature was introduced. If the cell in this column is empty, the feature was introduced in the initial base release.


New and Changed Information

The following sections list the new hardware and software features supported by the Cisco AS5200 universal access servers for Release 12.0 T.

New Software Features in Release 12.0(7)T

The following new software features are supported by the Cisco AS5200 for Release 12.0(7)T:

Cisco H.235 Accounting and Security Enhancements for Cisco Gateways

The Cisco H.323 gateway now supports the use of CryptoH323Tokens for authentication. The CryptoH323Token is defined in H.225 Version 2 and is used in a "password-with-hashing" security scheme described in section 10.3.3 of the H.235 specification.

A cryptoToken can be included in any RAS message and is used to authenticate the sender of the message. You can use a separate database for user ID and password verification.

With this release, Cisco H.323 gateways support three levels of authentication:

Endpoint—The RAS channel used for gateway-to-gatekeeper signaling is not a secure channel. To ensure secure communications, H.235 allows gateways to include an authentication key in their RAS messages. This key is used by the gatekeeper to authenticate the source of the messages. At the endpoint level, validation is performed on all messages from the gateway. The cryptoTokens are validated using the password configured for the gateway.

Per-Call—When the gateway receives a call over the telephony leg, it prompts the user for an account number and personal identification number (PIN). These two numbers are included in certain RAS messages sent from the endpoint and are used to authenticate the originator of the call.

All—This option is a combination of the other two. With this option, the validation of cryptoTokens in ARQ messages is based on the account number and PIN of the user making a call, and the validation of cryptoTokens sent in all the other RAS messages is based on the password configured for the gateway.

You can configure the level of authentication for the gateway using the Cisco IOS software command line interface.

CryptoTokens for registration requests (RRQ), unregistration request (URQ), disengage request (DRQ) and the terminating side of admission request (ARQ) messages contain information about the gateway that generated the token, including the gateway ID (which is the H.323 ID configured on the gateway) and the gateway password. CryptoTokens for the originating side ARQ messages contain information about the user that is placing the call, including the user ID and personal identification number (PIN).

Cisco H.323 Multizone Enhancements

Cisco H.323 Multizone enhancements allow a Cisco gateway to provide information to the gatekeeper with additional fields in the RAS (registration, admission, and status) messages.

Previously, the source gateway attempted to set up a call to a destination IP address as provided by the gatekeeper in an Admission Confirm (ACF) message. If the gatekeeper was unable to resolve the destination E.164 phone number to an IP address, the incoming call was terminated.

This version of the H.323 software adds support to allow a gatekeeper to provide additional destination information and modify the destinationInfo field in the ACF. The gateway will include the canMapAlias associated destination information in setting up the call to the destination gateway.

In conjunction with the canMapAlias functionality, this version includes support for the gatekeeper to indicate to the gateway that the call should be destined to a new E.164 number. The gatekeeper indicates this by sending an Admission Confirm message with an IP address of 0.0.0.0 in the destCallSignalAddress field and the new destination E.164 phone number in the destinationInfo field.

The gateway receiving such an ACF falls back to routing the call based on this new E.164 address by performing a new lookup of the gateway's configured dial plan. This may result in the call being routed back to the PSTN or to an H.323 endpoint.
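The ACF handling described in this section, as an added example that is not part of the release notes or of Cisco IOS: a gateway that sets up directly to the returned address in the normal case and, on a 0.0.0.0 destCallSignalAddress, re-routes on the new E.164 number through its dial plan. The DialPeer class, the longest-prefix dial-plan match and the sample peers are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AdmissionConfirm:
    dest_call_signal_address: str    # ACF destCallSignalAddress; 0.0.0.0 means re-route by E.164
    destination_info: Optional[str]  # ACF destinationInfo (an E.164 number), possibly modified
    can_map_alias: bool = False      # gatekeeper used canMapAlias to modify destinationInfo


@dataclass
class DialPeer:
    pattern: str  # leading digits of the called number this peer serves (assumed model)
    kind: str     # "pots": back out to the PSTN; "voip": to an H.323 endpoint
    target: str   # PSTN port or H.323 endpoint address (constructed values)


def lookup_dial_plan(dial_peers, e164):
    """Longest-prefix match over the configured peers (assumption: mirrors dial-peer matching)."""
    matches = [p for p in dial_peers if e164.startswith(p.pattern)]
    return max(matches, key=lambda p: len(p.pattern)) if matches else None


def route_on_acf(acf, dialed_e164, dial_peers):
    """Return (leg, target, called_number) for the call once the ACF is received.

    leg is "h323" for direct setup to the address in the ACF, "pots" or "voip" for a
    call re-routed through the dial plan, or "reject" when no dial peer matches."""
    if acf.dest_call_signal_address == "0.0.0.0":
        # The gatekeeper supplied a new E.164 number instead of an address:
        # fall back to the configured dial plan with that number.
        new_number = acf.destination_info or dialed_e164
        peer = lookup_dial_plan(dial_peers, new_number)
        if peer is None:
            return ("reject", None, new_number)
        return (peer.kind, peer.target, new_number)
    # Normal case: set up directly to the returned address. With canMapAlias the
    # gatekeeper's destinationInfo replaces the originally dialed number.
    called = acf.destination_info if acf.can_map_alias and acf.destination_info else dialed_e164
    return ("h323", acf.dest_call_signal_address, called)


# Constructed sample dial plan.
SAMPLE_DIAL_PEERS = [
    DialPeer("1800", "pots", "port 0:D"),        # toll-free numbers go back out to the PSTN
    DialPeer("1800555", "voip", "192.0.2.40"),   # except this block, served by an H.323 endpoint
    DialPeer("1212", "voip", "192.0.2.30"),
]


if __name__ == "__main__":
    acf = AdmissionConfirm("0.0.0.0", "18005551212")
    print(route_on_acf(acf, "5551212", SAMPLE_DIAL_PEERS))
```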

Configuring RADIUS for Multiple User Datagram Protocol Ports

In past Cisco IOS releases, RADIUS hosts were uniquely identified by their IP addresses; therefore, only one definition of a RADIUS server for each IP address was allowed. The Configuring RADIUS for Multiple UDP Ports feature expands RADIUS implementation so that RADIUS security servers are identified by their IP addresses and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.)

The Configuring RADIUS for Multiple UDP Ports feature also applies to RADIUS server groups—server groups can now include multiple service definitions for host entries for the same server, as long as each entry has a unique identifier.

Dynamic Multiple Encapsulations for Dial-In over ISDN

The Dynamic Multiple Encapsulations feature allows incoming calls over ISDN to be assigned an encapsulation type such as Frame Relay, PPP, and X.25 based on calling line identification (CLID) or DNIS. It also allows various encapsulation types and per-user configurations on the same ISDN B channel at different times according to the type of incoming call.

The Dynamic Multiple Encapsulations feature allows per-user configuration for each dial-in caller on any ingress ISDN B channel on which encapsulation can be run independently from other B channels on the same ISDN link. The caller is identified by CLID (caller ID) or DNIS to ensure that only incoming calls with authorization and valid user profiles are accepted. When PPP is used, authentication and profile binding can also be done by PPP name.

In addition, a large set of user profiles can be stored in dialer profiles locally or on a remote AAA server. (For large scale dial-in, storing user-specific configurations on a remote server becomes necessary for enhancing expandability and local memory efficiency.) However, whether stored locally or on a remote AAA server, the user-specific encapsulation and configuration can be applied to individual B channels dynamically and independently.

Dynamic multiple encapsulation is especially important in Europe where ISDN is relatively inexpensive and maximum use of all 30 B channels on the same ISDN link is desirable. Further, the feature removes the need to statically dedicate channels to a particular encapsulation and configuration type, and improves channel usage.

Gateway Support for Alternate Gatekeeper

The Alternate Gatekeeper feature provides redundancy for a gatekeeper in a system where gatekeepers are used. This enhancement allows a gateway to use up to two alternate gatekeepers as a backup in the case of a primary gatekeeper failure.

A gatekeeper manages H.323 endpoints in a consistent manner, allowing them to register with the gateway and to locate another gatekeeper. The gatekeeper provides logic variables for proxies or gateways in a call path, to provide connectivity with the public switched telephone network (PSTN), to improve Quality of Service (QoS), and to enforce security policies. Multiple gatekeepers may be configured to communicate with one another, either by integrating their addressing into Domain Naming System (DNS) or using Cisco IOS configuration options.

Redundant Link Manager

Part of the Cisco SS7 Dial Access Solution (DAS), the Cisco Redundant Link Manager (RLM) provides link management over multiple IP networks, so that your Cisco SS7 DAS can tolerate a single point of failure.

By using the RLM functionality, the Q.931 signaling protocol and other proprietary protocols are transported on top of multiple redundant links between a telephony controller and the media gateways (MGWs).

A feature enhancement to RLM for this Cisco SS7 DAS release is redundancy at the link and telephony-controller level. When each RLM group has multiple telephony controllers associated with a MGW, a telephony-controller priority and a link priority are examined by the RLM client during failover, ensuring improved control handling. The RLM client is an MGW running RLM software.

The RLM client on the MGW supports both versions of RLM functionality:

Multiple redundant links between a single telephony-controller and the MGWs (Version 1)

Multiple redundant links between multiple telephony-controllers and the MGWs (Version 2)

After installation, the RLM client defaults to Version 2; however, you can choose a different version by using a command line interface (CLI) configuration command. Once an RLM version is selected, all RLM groups on a given MGW use the selected version's functionality.


Note   The RLM feature is backwards compatible on the telephony-controller, but only one version of the RLM client can run on a given MGW.


Resource Pool Management Server

Part of the Cisco SS7 Dial Access Solution (DAS), the Cisco Resource Pool Manager Server (RPMS) communicates with the RPM component of the MGWs to enable telephone companies and ISPs to count, control, bill, and manage resources centrally for wholesale and retail dial network services. RPM is configured across multiple MGW stacks using one or more external RPMS.

The Cisco RPMS provides the following:

Customer shared-resource management

Advanced wholesale (VPDN) services for enterprise accounts and ISPs

Efficient use of resources to offer different oversubscription ratios and dial-service agreements

Combination of retail and wholesale services on the same MGWs

Cisco RPMS offers three major functions:

Resource management uses the call type and dialed number identification service (DNIS) information to accept or reject the call based on the customer profile session limits associated with the DNIS information. If the call is accepted, the call is assigned to an MGW resource.

Dial services determines how the call is handled after it is answered. The call can be authenticated locally or sent to a home gateway through a VPDN tunnel (using the DNIS information or a domain name).

Call discrimination is used to prevent unapproved call types from accessing MGW resources. When a call is placed, the MGW sends the call type and dialed number identification service (DNIS) information to the Cisco RPMS. The Cisco RPMS compares this combination to the call discrimination table. If the call type-DNIS combination appears in the table, the call is rejected.

Resource Pool Management with Direct Remote Services

Cisco Resource Pool Manager (RPM) enables telephone companies and ISPs to share dial resources for wholesale and retail dial network services in a single network access server (NAS) or across multiple NAS stacks. With Cisco RPM, service providers can count, control, and manage dial resources and provide accounting for shared resources when implementing different service-level agreements.

Cisco RPM can be configured in one or more standalone Cisco NASs, or, optionally, across multiple NAS stacks by using one or more external Cisco Resource Pool Manager Servers (RPMSs).

The Cisco RPM is ideal for combining retail and wholesale dial services using Cisco AS5200, AS5300, and AS5800 network access servers. Call management and call discrimination can be configured to occur before the call is answered. Dial customers are differentiated by the use of configurable customer profiles that are based on the Dialed Number Identification Service (DNIS) and the call type determined at the time of an incoming call. When a call arrives at the NAS, the DNIS and call type are matched against a table of disallowed calls. If the DNIS and call type match an entry in this table, the call is rejected. Call discrimination can be used to manage the billing of calls to different types of resources.

When management by virtual private dialup network (VPDN) is configured, a VPDN group includes the information needed to set up or reject a VPDN session. VPDN setup can be based on the DNIS received during call setup, or on the domain name after the call is answered. Load balancing is used to achieve full usage of VPDN tunnels. The VPDN group can also serve as the "customer profile" when all calls are answered and sessions are identified and limited by domain name instead of DNIS.

To support data over voice bearer service (DoVBS), service providers use DNIS to direct calls to the appropriate resource. When a digital call arrives at the NAS through the voice network, it terminates on a High-Level Data Link Control (HDLC) controller rather than on a modem.

Direct remote services is an enhancement to Cisco resource pool management (RPM) implemented in Cisco IOS Release 12.0(7)T that enables service providers to implement wholesale dial services without using VPDN tunnels. A customer profile that has been preconfigured with a PPP template to define the unique PPP services for the wholesale dial customer is selected by the incoming DNIS and call type. At the same time, the DNIS is used to select AAA server groups for authentication/authorization and for accounting for the customer.
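An added model (not Cisco's implementation) of the RPM decisions described in this section and in the Resource Pool Management Server section above: call discrimination on the (call type, DNIS) pair, customer-profile selection by DNIS, the profile's session limit, and termination of digital calls on an HDLC resource rather than a modem. The class and field names, the call type labels and the sample profiles are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class CustomerProfile:
    name: str
    dnis: str
    session_limit: int       # maximum concurrent sessions this customer may hold
    active_sessions: int = 0


class ResourcePoolManager:
    """Models the RPM decisions taken before a call is answered: call discrimination
    on (call type, DNIS), then the customer profile's session limit, then assignment."""

    def __init__(self):
        self.disallowed = set()  # call discrimination table: (call_type, dnis) pairs to reject
        self.profiles = {}       # DNIS -> CustomerProfile

    def disallow(self, call_type, dnis):
        self.disallowed.add((call_type, dnis))

    def add_profile(self, profile):
        self.profiles[profile.dnis] = profile

    def incoming_call(self, call_type, dnis):
        """Return ("reject", reason) or ("accept", resource)."""
        # 1. Call discrimination: a matching (call type, DNIS) entry rejects the call outright.
        if (call_type, dnis) in self.disallowed:
            return ("reject", "call type not permitted for this DNIS")
        # 2. Customer profile selection by DNIS.
        profile = self.profiles.get(dnis)
        if profile is None:
            return ("reject", "no customer profile for this DNIS")
        # 3. Resource management: enforce the profile's session limit.
        if profile.active_sessions >= profile.session_limit:
            return ("reject", f"session limit {profile.session_limit} reached for {profile.name}")
        profile.active_sessions += 1
        # 4. Resource assignment: digital (DoVBS / ISDN data) calls terminate on an HDLC
        #    controller, analog calls on a modem. The resource labels are assumptions.
        resource = "hdlc" if call_type == "digital" else "modem"
        return ("accept", resource)

    def call_ended(self, dnis):
        profile = self.profiles[dnis]
        profile.active_sessions = max(0, profile.active_sessions - 1)


def demo():
    """Constructed sample: two wholesale customers keyed by DNIS; isp-a bought analog
    modem ports only, so digital calls to its number are discriminated away."""
    rpm = ResourcePoolManager()
    rpm.add_profile(CustomerProfile("isp-a", "5551000", session_limit=2))
    rpm.add_profile(CustomerProfile("isp-b", "5552000", session_limit=1))
    rpm.disallow("digital", "5551000")
    return rpm


if __name__ == "__main__":
    rpm = demo()
    for call in [("speech", "5551000"), ("speech", "5551000"), ("speech", "5551000"),
                 ("digital", "5551000"), ("digital", "5552000"), ("speech", "5559999")]:
        print(call, "->", rpm.incoming_call(*call))
```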

Selecting AAA Server Groups Based on DNIS

In past Cisco IOS releases, authentication and accounting services (otherwise referred to as AAA services) have been implemented in one of the following methods:

Globally—meaning that AAA services were defined using global configuration access list commands and applied in general to all interfaces on a specific network access server

Per Interface—meaning that AAA services were defined using interface configuration commands and applied specifically to the interface being configured on a specific network access server

Using the AAA DNIS Map feature as described in the Cisco IOS Release 12.0(2)T Selecting AAA Servers Using DNIS Numbers feature module—meaning that you could use DNIS to specify one AAA server to supply AAA services

With Cisco IOS Release 12.0(7)T, you can now select an AAA server group to which authentication and accounting requests will be sent by using DNIS. With this new Selecting AAA Server Groups Based on DNIS feature, you can specify the same server group for AAA services or a separate server group for each AAA service. You can now configure authentication and accounting on different physical devices and provide failover backup support.

This feature obsoletes the previous Cisco IOS Release 12.0(2)T AAA DNIS Map feature.
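An added example (not Cisco code) combining this feature with the Configuring RADIUS for Multiple User Datagram Protocol Ports feature above: hosts are identified by the (IP address, UDP port) pair so one server can hold several entries, a server group tries its entries for a service in configured order as failover, and the group is chosen per DNIS and per AAA service. The class names, the transport callback, and the sample addresses and ports are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusHost:
    ip: str
    udp_port: int
    service: str  # "authentication" or "accounting"

    @property
    def identifier(self):
        # The host identity is the (IP address, UDP port) pair, not the IP address alone.
        return (self.ip, self.udp_port)


class ServerGroup:
    """Ordered RADIUS host entries; the configured order is the failover order."""

    def __init__(self, name):
        self.name = name
        self.hosts = []

    def add_host(self, host):
        if any(h.identifier == host.identifier for h in self.hosts):
            raise ValueError(f"{host.ip} port {host.udp_port} is already defined in {self.name}")
        self.hosts.append(host)

    def hosts_for(self, service):
        return [h for h in self.hosts if h.service == service]


class DnisServerGroupMap:
    """Selects a server group per (DNIS, AAA service); the group may differ per service."""

    def __init__(self):
        self._map = {}

    def bind(self, dnis, service, group):
        self._map[(dnis, service)] = group

    def select(self, dnis, service):
        return self._map.get((dnis, service))


def send_aaa_request(dnis_map, dnis, service, transport):
    """Choose the server group by DNIS, then try its entries for the service in order.

    transport(host) stands in for the RADIUS exchange: True if the host replied,
    False if it timed out. Returns the host that answered, or None when no group is
    bound for the DNIS/service or every entry timed out."""
    group = dnis_map.select(dnis, service)
    if group is None:
        return None
    for host in group.hosts_for(service):
        if transport(host):
            return host
    return None


def demo_config():
    """Constructed sample: group 'east' holds three entries for the same server at
    192.0.2.10, one per service plus a second accounting port as failover backup."""
    east = ServerGroup("east")
    east.add_host(RadiusHost("192.0.2.10", 1812, "authentication"))
    east.add_host(RadiusHost("192.0.2.10", 1813, "accounting"))
    east.add_host(RadiusHost("192.0.2.10", 1646, "accounting"))
    auth_west = ServerGroup("auth-west")
    auth_west.add_host(RadiusHost("192.0.2.20", 1812, "authentication"))

    dnis_map = DnisServerGroupMap()
    dnis_map.bind("5551000", "authentication", east)
    dnis_map.bind("5551000", "accounting", east)
    dnis_map.bind("5552000", "authentication", auth_west)  # authentication on a separate device
    dnis_map.bind("5552000", "accounting", east)           # accounting stays on east
    return dnis_map, east


if __name__ == "__main__":
    dnis_map, _ = demo_config()
    port_1813_down = lambda h: h.udp_port != 1813
    print(send_aaa_request(dnis_map, "5551000", "accounting", port_1813_down))
```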

New Software Features in Release 12.0(5)T

The following new software features are supported by the Cisco AS5200 for Release 12.0(5)T:

Asynchronous Serial Traffic over UDP

The Asynchronous Serial Traffic over UDP feature provides the ability to encapsulate asynchronous data into UDP packets, and then unreliably send this data without needing to establish a connection with a receiving device.

You load the data you want to send through an asynchronous port, and then send it, optionally, as a multicast or a broadcast. The receiving devices can then receive the data whenever they want. If a receiver stops receiving, the transmission is unaffected.

This process is referred to as UDP Telnet (UDPTN), although it does not (and cannot) use the Telnet protocol. UDPTN is similar to Telnet in that both are used to send data, but UDPTN is unique in that it does not require that a connection be established with a receiving device.

Cisco Resource Pool Manager

The Cisco Resource Pool Manager (RPM) feature enables telephone companies and Internet service providers (ISPs) to share dial resources for wholesale and retail dial network services. With RPM, telcos and ISPs can count, control, and manage dial resources and provide accounting for shared resources when implementing different service-level agreements. Resource pool management can be configured in a single, standalone Cisco network access server using RPM or, optionally, across multiple network access server stacks using one or more external Cisco Resource Pool Manager Servers.

CNS Client for Cisco IOS Software

The Cisco Networking Services (CNS) Client feature for Cisco IOS software enables authenticated directory access. CNS Client for Cisco IOS software includes the following components:

Lightweight Directory Access Protocol (LDAP) V.3 client

Support to use Kerberos V.5 as security protocol for LDAP V.3 client

CNS Event Services Client

CNS Locator Services Client

CNS IP Security (IPSec) virtual private network (VPN) Provisioning Agent

CNS Configuration Change Notification Agent

CNS Provisioning Agent

The LDAP V.3 client functionality enables Cisco IOS software-based applications to authenticate securely to a CNS for Active Directory (CNS/AD) server, using Kerberos V.5 as the security protocol, in order to retrieve or store information such as policy and configuration data. Cisco IOS software-based applications publish or subscribe to events using the CNS event services client, enabling external applications that use the application programming interface (API) features of CNS to receive events from, or publish events to, the Cisco IOS device. The Cisco IOS software-based device uses the CNS locator services client to locate the nearest directory server through the Domain Name System (DNS); the administrator need not configure the device to locate the nearest directory server.

All the above-mentioned functionality is intended for use by internal Cisco IOS application developers. The CNS IPSec VPN provisioning agent enables the router to retrieve IPSec policies stored in the CNS/AD server and configure itself, automating the provisioning of customer premises equipment devices for IPSec VPN. The CNS provisioning agent enables a Cisco IOS device to be provisioned using CNS event services.

Layer 2 Tunneling Protocol Dial-out

The Layer 2 Tunneling Protocol (L2TP) Dial-Out feature enables L2TP Network Servers (LNSs) to tunnel dial-out VPDN calls using L2TP as the tunneling protocol. This feature enables a centralized network to efficiently and inexpensively establish a virtual point-to-point connection with any number of remote offices.

Using the L2TP Dial-Out feature, Cisco routers can carry both dial-in and dial-out calls in the same L2TP tunnels.

Previously, only dial-in VPDN calls were supported.

L2TP dial-out involves two devices: an LNS and an L2TP Access Concentrator (LAC). When the LNS wants to perform L2TP dial-out, it negotiates an L2TP tunnel with the LAC. The LAC then places a PPP call to the client(s) the LNS wants to dial out to.

Multicast Routing Monitor

The Multicast Routing Monitor (MRM) feature is a management diagnostic tool that provides network fault detection and isolation in a large multicast routing infrastructure. It is designed to notify a network administrator of multicast routing problems in near real time.

MRM has three components that play different roles: the Manager, the Test Sender, and the Test Receiver. The Manager can reside on the same device as the Test Sender or Test Receiver. You can test a multicast environment using test packets (perhaps before an upcoming multicast event), or you can monitor existing IP multicast traffic.

You create a test based on various test parameters, name the test, and start the test. The test runs in the background and the command prompt returns. If the Test Receiver detects an error (such as packet loss or duplicate packets), it sends an error report to the router configured as the Manager. The Manager immediately displays the error report. Also, by issuing a certain show command, you can see the error reports, if any. You then troubleshoot your multicast environment as normal, perhaps using the mtrace command from the source to the Test Receiver. If the show command displays no error reports, the Test Receiver is receiving test packets without loss or duplicates from the Test Sender.

Service Assurance Agent

The Service Assurance (SA) Agent is both an enhancement to and a new name for the Response Time Reporter (RTR) feature that was introduced in Cisco IOS Release 11.2. The feature allows you to monitor network performance by measuring key Service Level Agreement metrics such as response time, network resources, availability, jitter, connect time, packet loss, and application performance.

With Cisco IOS Release 12.0(5)T, the SA Agent provides new capabilities that enable you to:

Monitor the Domain Name Server, DHCP Server, and DLSw peer stack and tunnel performance. Thresholds can be used to trigger additional collection of time delay statistics.

Monitor network one-way delay variance (jitter) and packet loss.

Monitor web server response time.

Subnetwork Bandwidth Manager

Resource Reservation Protocol (RSVP) is a signalling mechanism that supports request of specific levels of service such as reserved bandwidth from the network. RSVP and its service class definitions are largely independent of the underlying network technologies. This independence requires that a user define the mapping of RSVP onto subnetwork technologies.

The Subnetwork Bandwidth Manager (SBM) feature answers this requirement for RSVP in relation to IEEE 802-based networks. SBM specifies a signalling method and protocol for LAN-based admission control for RSVP flows. SBM allows RSVP-enabled routers and Layer 2 and Layer 3 devices to support reservation of LAN resources for RSVP-enabled data flows. The SBM signalling method is similar to that of RSVP itself. SBM protocol entities have the following features:

Reside in Layer 2 or Layer 3 devices.

Can manage resources on a segment. A segment is a Layer 2 physical segment shared by one or more senders, such as a shared Ethernet or Token Ring wire.

Can become candidates in a dynamic election process that designates one SBM as the segment manager. The elected candidate is called the Designated Subnetwork Bandwidth Manager (DSBM). The elected DSBM is responsible for exercising admission control over requests for resource reservations on a managed segment.

New Software Features in Release 12.0(4)T

The following new software enhancements are supported by the Cisco AS5200 universal access servers in Cisco IOS Release 12.0(4)T.

Cisco IOS SNMPv3

Cisco IOS Simple Network Management Protocol version 3 (SNMPv3) addresses issues related to the large scale deployment of SNMP for configuration, accounting and fault management. Currently SNMP is predominantly used for monitoring and performance management. The primary goal of SNMPv3 is to define a secure version of the SNMP protocol. SNMPv3 also facilitates remote configuration of the SNMP entities which make remote administration of SNMP entities a much simpler task. SNMPv3 builds on top of SNMPv1 and SNMPv2 to provide a secure environment for the management of systems and networks.

SNMPv3 provides an identification strategy for SNMP devices so that communication takes place only between known SNMP entities. Each SNMP device has an identifier called the SNMP EngineID, which identifies that particular copy (engine) of SNMP. Each SNMP message contains an SNMP EngineID. SNMP communication is possible only if an SNMP entity knows the identity of its peer SNMP device.

SNMPv3 also contains a security model, or security strategy, that exists between an SNMP user and the SNMP group to which the user belongs. A security model may define the security policy within an administrative domain or an intranet. The SNMPv3 protocol consists of the specification for the User-based Security Model (USM).

The USM defines the security goals; the goals of the message authentication service include the following protection strategies:

Modification of Information, or protection against some unauthorized SNMP entity altering in-transit SNMP messages generated on behalf of an authorized principal

Masquerade or protection against attempting management operations not authorized for some principal by assuming the identity of another principal that has the appropriate authorizations

Message Stream Modification or protection against messages getting maliciously re-ordered, delayed or replayed in order to effect unauthorized management operations

Disclosure or protection against eavesdropping on the exchanges between SNMP engines. Three different types of communication mechanisms are available for this protection strategy. They are:

communication without authentication and privacy (NoAuthNoPriv)

communication with authentication and without privacy (AuthNoPriv)

communication with authentication and privacy (AuthPriv)
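The USM protections listed above rest on three mechanisms: a key localized to one SNMP EngineID, a truncated HMAC over each message, and a time window that rejects delayed or replayed messages. The Python below is an added example, not code from the release notes or from Cisco IOS; it implements the RFC 3414 password-to-key derivation, HMAC-96 verification and the timeliness check. The engineID is the RFC's own test value; the message bytes and clock values are constructed.

```python
import hashlib
import hmac

# RFC 3414 constants.
ONE_MIB = 1048576          # password is expanded to exactly 1 MiB before hashing
HMAC96_LEN = 12            # USM truncates the HMAC to 12 bytes (HMAC-MD5-96, HMAC-SHA-96)
TIME_WINDOW = 150          # seconds; outside it a message is "not in the time window"
MAX_BOOTS = 2**31 - 1      # an engine whose boot counter is latched here accepts nothing


def password_to_ku(password: str, algo: str) -> bytes:
    """Ku: hash of the password repeated out to exactly 1 MiB (RFC 3414 A.2)."""
    pw = password.encode()
    expanded = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = hash(Ku || snmpEngineID || Ku).

    The localized key only works against this engine, so a key recovered from
    one device does not unlock every other device that shares the password."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def hmac96(kul: bytes, message: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to 96 bits."""
    return hmac.new(kul, message, algo).digest()[:HMAC96_LEN]


def verify(kul: bytes, message: bytes, tag: bytes, algo: str) -> bool:
    """Receiver's check that covers Modification of Information and Masquerade."""
    return hmac.compare_digest(hmac96(kul, message, algo), tag)


def is_timely(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Timeliness check at the authoritative engine (RFC 3414 section 3.2, step 7b).

    A message from an earlier boot, or more than 150 s away from the engine's
    own clock, is a delayed or replayed message and is discarded."""
    if local_boots == MAX_BOOTS:
        return False
    return msg_boots == local_boots and abs(local_time - msg_time) <= TIME_WINDOW


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 test engineID
    kul = localize_key(password_to_ku("maplesyrup", "sha1"), engine_id, "sha1")
    msg = b"constructed SNMPv3 message bytes: get sysName.0"   # constructed sample
    tag = hmac96(kul, msg, "sha1")
    print("authentic:", verify(kul, msg, tag, "sha1"))            # True
    print("tampered :", verify(kul, msg + b"x", tag, "sha1"))     # False
    print("replayed :", is_timely(3, 10_000, 3, 9_000))          # False, 1000 s stale
```

Only the authPriv level adds encryption on top of this; authNoPriv leaves the message readable, and noAuthNoPriv provides none of the four protections above.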

Dynamic Multiple Encapsulation for Dial-In over ISDN

The Dynamic Multiple Encapsulations feature allows incoming calls over Integrated Services Digital Network (ISDN) to be assigned an encapsulation type such as Point-to-Point Protocol (PPP), X.25, and ISDN Link Access Procedure, Balanced-Terminal Adapter (LAPB-TA) based on calling line identification (CLID) or Dialed Number Identification Service (DNIS). It also allows various encapsulation types and per-user configurations on the same ISDN B channel at different times according to the type of incoming call.

The Dynamic Multiple Encapsulations feature allows per-user configuration for each dial-in caller on any ingress ISDN B channel on which encapsulation can be run independently from other B channels on the same ISDN link. The caller is identified by CLID or DNIS to make sure that only incoming calls with authorization and valid user profiles are accepted. When PPP is used, authentication and profile binding can also be done by PPP name.

Dynamic multiple encapsulation is especially important in Europe where ISDN is relatively inexpensive and maximum use of all 30 B channels on the same ISDN link is desirable. Further, the feature removes the need to statically dedicate channels to a particular encapsulation and configuration type, and improves channel usage.

Flow-Based Weighted Random Early Detection (WRED)

Weighted Random Early Detection (WRED) is a mechanism that helps avoid congestion in packet-switched networks. The transport layer reacts to congestion indications coming from the router, such as in a TCP/IP network. A router can indicate to upper layer protocols that congestion is taking place either by marking the packet or dropping it. WRED drops packets to indicate congestion. In a TCP/IP network, when TCP detects that a packet has been dropped, it goes into a slow start phase that enables it to determine the rate at which it can send traffic through the network without dropping.

WRED allows control of queue size to eliminate long delays and avoid tail-dropping when the queue fills up. When a router tail-drops packets, it drops anything that exceeds the transmit queue limit. WRED uses the time since the last drop and the current queue size to determine whether a packet should be dropped. The time factor prevents WRED from dropping multiple packets from a TCP traffic stream within a short period of time, giving the TCP session enough time to detect that a packet has been dropped and go into a slow start phase. WRED uses the queue size factor to specify different dropping thresholds by IP precedence; IP precedence defines the type of service required. WRED gives a higher discard trigger to RSVP packets.

Flow-based WRED is an extension to WRED that penalizes flows that do not back off or respond to dropping from the network. Adaptive, fragile flows tend to send short bursts of traffic and have fewer packets buffered. Thus, if their packets arrive when the average queue depth is high, they are just as likely to have packets dropped as the rest of the flows. WRED does not recognize the fact that these sessions have fewer packets in the output queue overall. Flow-based WRED adjusts for this by keeping track of which flows are using more than the allowable portion of resources. Non-adaptive flows do not respond to WRED's congestion signals and are therefore more likely to use up the output queue/buffers more greedily. Flow-based WRED recognizes this and penalizes them more aggressively.

Flow-based WRED allows a per-flow threshold for all active flows in the output queue. This threshold allows each flow to have a certain number of packets in the output queue before it is marked for dropping. The effect is that adaptive flows are less likely to experience packet dropping because they have an allocated portion of resources even when the average queue depth is high. Non-adaptive flows are more likely to experience packet dropping because they are more inclined to exceed their resource allowance.
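As an added illustration (not Cisco's implementation), the Python model below shows how the per-flow share described above changes the drop decision for a greedy flow and for a fragile one. The threshold profile, the moving-average weight, the per-flow scaling factor and the penalty are assumed constants, and the list of buffered flows is constructed.

```python
from collections import Counter

# Assumed constants for this model (not Cisco's defaults):
EWMA_WEIGHT = 1 / 512   # weight of the newest sample in the average queue depth
# per-IP-precedence profile: (min threshold, max threshold, drop probability at max)
WRED_PROFILE = {0: (20, 40, 0.10), 5: (30, 40, 0.10)}
FLOW_SCALE = 4          # a flow may buffer avg_depth / active_flows * FLOW_SCALE packets
PENALTY = 2             # thresholds are divided by this for a flow over its share


def update_avg_depth(avg: float, current: int) -> float:
    """Moving average of queue depth, so a short burst alone does not trigger drops."""
    return avg + EWMA_WEIGHT * (current - avg)


def _drop_probability(avg_depth: float, min_t: float, max_t: float, max_p: float) -> float:
    """Plain WRED: no drops below min, linear ramp up to max_p, tail-drop-like above max."""
    if avg_depth < min_t:
        return 0.0
    if avg_depth >= max_t:
        return 1.0
    return max_p * (avg_depth - min_t) / (max_t - min_t)


def wred_drop_probability(avg_depth: float, precedence: int) -> float:
    """WRED without flow awareness: every flow is judged by the same thresholds."""
    return _drop_probability(avg_depth, *WRED_PROFILE[precedence])


def flow_wred_drop_probability(avg_depth: float, precedence: int,
                               flow_id: str, queued_flows: list) -> float:
    """Flow-based WRED: queued_flows holds the flow id of every buffered packet.

    Each active flow gets a share of the average depth; a flow already holding
    more than its share is judged with scaled-down thresholds, so it is dropped
    earlier and more often than the adaptive flows beside it."""
    counts = Counter(queued_flows)
    active = max(len(counts), 1)
    per_flow_limit = avg_depth / active * FLOW_SCALE
    min_t, max_t, max_p = WRED_PROFILE[precedence]
    if counts[flow_id] > per_flow_limit:
        min_t, max_t = min_t / PENALTY, max_t / PENALTY
    return _drop_probability(avg_depth, min_t, max_t, max_p)


if __name__ == "__main__":
    # Constructed queue: greedy flow "G" holds 30 packets, nine fragile flows one each.
    queue = ["G"] * 30 + [f"f{i}" for i in range(9)]
    avg = 35.0
    print("plain WRED, any flow :", wred_drop_probability(avg, 0))                  # 0.075
    print("flow WRED, greedy G  :", flow_wred_drop_probability(avg, 0, "G", queue))   # 1.0
    print("flow WRED, fragile f1:", flow_wred_drop_probability(avg, 0, "f1", queue))  # 0.075
```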

ISDN LAPB-TA

To carry asynchronous traffic over ISDN, you need a terminal adapter to convert that traffic and forward it over synchronous connections. This is normally implemented by the V.120 protocol, which carries asynchronous traffic over ISDN. (For more information on the V.120 protocol, see "Configuring V.120 Access" in the Dial Solutions Configuration Guide.)

However, several countries in Europe (Germany, Switzerland, and some Eastern European countries) use LAPB (Link Access Procedure, Balanced) as the protocol to forward their asynchronous traffic over synchronous connections.

Cisco routers, therefore, needed to be able to recognize and accept calls from these asynchronous/synchronous conversion devices, which is why LAPB-TA (Link Access Procedure, Balanced-Terminal Adapter) was created. (LAPB is sometimes referred to as "X.75," because LAPB is the link layer specified in the ITU-T X.75 recommendation for carrying asynchronous traffic over ISDN.)

LAPB-TA allows someone with an ISDN terminal adapter that supports asynchronous traffic over LAPB to call into the router and establish an asynchronous PPP (point to point protocol) session. LAPB supports both local CHAP (challenge handshake authentication protocol) authentication and external RADIUS authorization on the AAA (authentication, authorization and accounting) server.

Large Scale Dialout

In previous dial-on-demand routing (DDR) networking strategies, only incoming calls could take advantage of features such as dialer and virtual profiles, Multichassis Multilink PPP (MMP) support, and the ability to use an authentication, authorization, and accounting (AAA) server to store attributes. MMP allows network access servers (NASes) to be stacked together and appear as a single NAS chassis so that if one NAS fails, another NAS in the stack can accept calls. MMP also provides stacked NASes access to a local Internet point of presence (POP) using a single telephone number. This allows for easy expansion and scalability, as well as assured fault tolerance and redundancy. Now with large scale dialout, these features are available for both outgoing and incoming calls.

Large scale dialout eliminates the need to configure dialer maps on every NAS for every destination. Instead, you create remote site profiles containing outgoing call attributes (telephone number, service type, and so on) on the AAA server. The profile is downloaded by the NAS when packet traffic requires a call to be placed to a remote site.

Additionally, large scale dialout addresses congestion management by seeking an uncongested, alternative NAS within the same POP when the designated primary NAS experiences port congestion.

As an added benefit, large scale dialout enables scalable dial-out service to many remote sites across one or more Cisco NASes or Cisco routers. This is especially beneficial to both Internet service providers (ISPs) and large scale enterprise customers because it can simplify network configuration and management. Large scale dialout streamlines activities such as service maintenance and scheduled activities like application upgrades from a centralized location. Large enterprise networks such as those used by retail stores, supermarket chains, and franchise restaurants can use large scale dialout to easily update daily prices and inventory information from a central server to all branch locations in one process, using the same NASes they currently use for dial in functions.

Multilink Multiplexor

The Multilink Point to Point Protocol (MLP) Inverse Multiplexor feature allows you to combine T1/E1 lines in a Versatile Interface Processor (VIP) into a bundle that has the combined bandwidth of the multiple T1/E1 lines. This is done by using a VIP MLP link. You choose the number of bundles and the number of T1/E1 lines in each bundle. This allows you to increase the bandwidth of your network links beyond that of a single T1/E1 line without having to purchase a T3 line.

Parse Bookmarks

The Parse Bookmarks feature quickly processes consecutive similar commands, such as access-lists and prefix-lists—up to five times faster than usual. Parse bookmarks reduce boot and load time for large configurations with many similar consecutive commands. This feature is an enhancement to the parsing algorithm, therefore no configuration changes are needed.

Process MIB

The addition of the CISCO-PROCESS-MIB and changes to the CISCO-MEMORY-POOL-MIB will allow the retrieval of more CPU and memory statistics. This information will be particularly used by the Device Health Monitor Application.

Signaling System 7

SS7 is the international standard for the common channel signaling system. SS7 defines the architecture, network elements, interfaces, protocols, and the management (MGMT) procedures for a network that transports control information between network switches and between switches and databases. The North American version is also sometimes referred to as CCS7. SS7 is used between PSTN switches (replacing per-trunk in-band signaling), between LEC switches, between IEC switches, and between LEC and IEC networks.

The SS7 is implemented on a separate data network within the PSTN and provides call setup and teardown, network management, fault resolution, and traffic management services. The SS7 network is solely used for network control and the only data sent over it is signaling messages. (Note that the term SS7 can be used to refer to the SS7 protocol, the signaling network, or the signaling network architecture.)

The SS7 protocols that convey signaling information between switching systems (called signaling points) in the PSTN are carried on a special overlay network used exclusively for signaling. The signaling points use routing information in the SS7 signals to transfer calls to their final destinations.

Virtual Console

The Virtual Console feature allows you to access dial and router shelves connected to a system controller. During a system controller session, you can connect to a router or dial shelf at the same privilege level as the current system controller session.

By entering one command, you can Telnet directly to a shelf, provide a username and password, and then go to the same privilege level as the system controller.

No New Features in Release 12.0(3)T

There are no new features supported by the Cisco AS5200 in Cisco IOS Release 12.0(3)T.

No New Features in Release 12.0(2)T

There are no new features supported by the Cisco AS5200 in Cisco IOS Release 12.0(2)T.

New Software Features in Release 12.0(1)T

The following new software features are supported by the Cisco AS5200 universal access servers for Release 12.0(1)T.

CLI String Search

The Command Line Interface (CLI) String Search feature allows you to search or filter the output of any show or more command. This is useful when you need to sort through large amounts of output, or if you want to exclude output that you do not need to see. CLI String Search also allows for searching and filtering at --More-- paging prompts.

With the search function, you can begin unfiltered output at the first line that contains a regular expression you specify. You can specify a maximum of one filter per command to either include or exclude output lines that contain the specified regular expression.

A regular expression is any word, phrase, number, etc. that appears in show or more command output.

Easy IP Phase 2-DHCP Server

With the introduction of Easy IP Phase 2, Cisco IOS software also supports Intelligent DHCP Relay functionality. A DHCP Relay Agent is any host that forwards DHCP packets between clients and servers. A DHCP Relay Agent enables the client and server to reside on separate subnets. If the Cisco IOS DHCP server cannot satisfy a DHCP request from its own database, it can forward the DHCP request to one or more secondary DHCP servers defined by the network administrator using standard Cisco IOS IP helper-address functionality.

ISDN MIB RFC2127

The new Integrated Services Digital Network (ISDN) Management Information Base (MIB) RFC2127 has been designed to provide useful information in accordance with the IETF's new standard for the management of ISDN interfaces. RFC2127 provides information on the physical Basic Rate interfaces, control and statistical information for B (bearer) and D (signaling) channels, terminal endpoints, and directory numbers.

The ISDN MIB RFC2127 controls all aspects of ISDN interfaces. It consists of five groups:

ISDN Physical Interface Group

B (Bearer) Channel Group

D (Signaling) Channel Group

Terminal Endpoint Group

Directory Number Group (optional)

The ISDN MIB RFC2127 enables you to use any commercial SNMP network management application to support ISDN call processing in Cisco IOS software. You can integrate management of dial access products using ISDN with your existing network management systems.

Layer Two Tunneling Protocol (L2TP)

Layer Two Tunneling Protocol (L2TP) is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer Two Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP is an extension to the Point-to-Point Protocol (PPP), which is an important component for Access Virtual Private Networks (VPNs). Access VPNs allow mobile users to connect to their corporate intranets or extranets, thus improving flexibility and reducing costs.

Traditional dial-up networking services only supported registered IP addresses, which limited the types of applications that could be implemented over Virtual Private Networks (VPNs). L2TP supports multiple protocols and unregistered and privately administered IP addresses over the Internet. This allows the existing access infrastructure, such as the Internet, modems, access servers, and ISDN terminal adapters (TAs), to be used.

L2TP can be initiated wherever PPTP or L2F is currently deployed and can be operated as a client initiated tunnel, such as PPTP, or a network access server (NAS) initiated tunnel, such as L2F.

Limitations and Restrictions

MIBs

Old Cisco Management Information Bases (MIBs) will be replaced in a future release. Currently, OLD-CISCO-* MIBs are being converted into more scalable MIBs—without affecting existing Cisco IOS products or NMS applications. You can update from deprecated MIBs to the replacement MIBs as shown in Table 5:

Table 5 Deprecated and Replacement MIBs

Deprecated MIB               Replacement
OLD-CISCO-APPLETALK-MIB      RFC1243-MIB
OLD-CISCO-CHASSIS-MIB        ENTITY-MIB
OLD-CISCO-CPUK-MIB           In development
OLD-CISCO-DECNET-MIB
OLD-CISCO-ENV-MIB            CISCO-ENVMON-MIB
OLD-CISCO-FLASH-MIB          CISCO-FLASH-MIB
OLD-CISCO-INTERFACES-MIB     IF-MIB, CISCO-QUEUE-MIB
OLD-CISCO-IP-MIB
OLD-CISCO-MEMORY-MIB         CISCO-MEMORY-POOL-MIB
OLD-CISCO-NOVELL-MIB         NOVELL-IPX-MIB
OLD-CISCO-SYS-MIB            (Compilation of other OLD* MIBs)
OLD-CISCO-SYSTEM-MIB         CISCO-CONFIG-COPY-MIB
OLD-CISCO-TCP-MIB            CISCO-TCP-MIB
OLD-CISCO-TS-MIB
OLD-CISCO-VINES-MIB          CISCO-VINES-MIB
OLD-CISCO-XNS-MIB


Important Notes

This section contains important information about Cisco IOS Release 12.0 T software that can apply to the Cisco AS5300 universal access server.

Last Maintenance Release of Cisco IOS Release 12.0 T

Cisco IOS Release 12.0(6)T has been renamed 12.0(7)T to align this release with the 12.0(7) mainline release. The closed caveats for Release 12.0(7)T are identical to the caveats closed in the 12.0(7) mainline release. There was no change in the feature content of the renamed release--the features in 12.0(6)T are the same as 12.0(7)T. Release 12.0(7)T is the last maintenance release of the 12.0 T release train.

Customers needing closure of caveats for the 12.0 T features should migrate to the 12.1 mainline release, which has the complete feature content of Release 12.0 T and will eventually reach General Deployment (GD). Release 12.0 T is a superset of the 12.0 mainline release, so all caveats closed in the 12.0 mainline are also closed in 12.0 T.

Cisco IOS Syslog Failure

Certain versions of Cisco IOS software can fail when they receive invalid User Datagram Protocol (UDP) packets sent to their syslog ports (port 514). At least one commonly used Internet scanning tool generates packets that cause such problems. This fact has been published on public Internet mailing lists, which are widely read both by security professionals and by security crackers. This information should be considered in the public domain.

Attackers can cause Cisco IOS devices to repeatedly fail and reload, resulting in a completely disabled Cisco IOS device that needs to be reconfigured by its administrator. Some Cisco IOS devices can hang instead of failing when attacked. These devices do not recover until they are manually restarted by reset or power cycling. An administrator must visit the device to restart it, even if the attacker is no longer actively sending any traffic. Some devices have failed without providing stack traces; some devices indicate that they were "restarted by power-on," even when that was not the case.

Assume that any potential attacker knows the existence of this problem and the ways to exploit it. An attacker can use tools available to the public on the Internet and does not need to write any software to exploit the vulnerability. Minimal skill is required and no special equipment is required.

Despite Cisco specifically inviting such reports, Cisco has received no actual reports of malicious exploitation of this problem.

This vulnerability notice was posted on Cisco's World Wide Web site:

http://www.cisco.com/warp/public/770/iossyslog-pub.shtml

This information was also sent to the following e-mail and USENET news recipients:

cust-security-announce@cisco.com

bugtraq@netspace.org

first-teams@first.org (includes CERT/C