Cisco IOS® Software is the world's premiere network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.
Cisco IOS® Software Release 12.4T integrates a comprehensive portfolio of new capabilities, including security, voice, and IP services, with powerful hardware support to deliver advanced services for Enterprise and access customers.
Release 12.4(24)T, the latest release of the 12.4T family, adds Cisco IOS BGP Support for 4-byte Autonomous System Numbers (ASN); Application-Based Routing for Mobile Router (MR) Multi-Path Support; Web Services Management Agent (WSMA), which provides advanced embedded capabilities to provision, manage, configure and adapt Cisco devices; Smart Call Home Support for the Cisco 7200 Series Router; and Cisco Unified Communications Manager Express and Cisco Unified SRST 7.1 enhancements.
Release 12.4(22)T provided QoS support for IPSec tunnels, Trusted Relay Point (TRP) IOS firewall security for Unified Communications, Flexible NetFlow enhancements, and support for the Cisco 880 SRST and 880G Integrated Services Routers.
Release 12.4(20)T added significant embedded management enhancements, category-based productivity and security ratings support, multi-level Quality of Service (QoS) scheduling, and support for the Cisco 860, 880, and 1861 Routers.
Release 12.4(15)T streamlined the Cisco IOS Software upgrade process, provided sub-second link failure detection and faster convergence, delivered next-generation Layer 2-7 flexible packet classification, enhanced intrusion protection (IPS) and SSLVPN capabilities, and support for the new Cisco 7201 Router.
Release 12.4(11)T delivered new Layer 2 VPN transport over MPLS capabilities, enhanced MPLS management, mobile IPv6 authorization and identity support, and support for the high performance Network Processing Engine G2 (NPE-G2) and VPN Service Adapter (VSA) for the Cisco 7200 Series Router.
Release 12.4(9)T delivered improved manageability, integrated IP communications capability, enhanced HTTP and P2P security, and faster routing protocol convergence.
Release 12.4(6)T delivered highly available firewalls, comprehensive endpoint and network security for SSL VPN environments, and optimized bandwidth management for improved VoIP call quality.
Release 12.4(4)T enhanced threat protection against malicious worm and virus attacks, improved performance monitoring of VoIP networks, and extended support for secure concurrent services on the Cisco 1800 Series router.
1.1) Migration Guide
Cisco recommends that customers running Release 12.3T, 12.3, or prior releases upgrade to Release 12.4T or 12.4. Customers should determine their functionality needs and choose the appropriate release.
Release 12.4(15)T will receive extended bug fix support through December 2010. Cisco is taking this action to indicate that Release 12.4(15)T maintenance releases are treated in a similar manner as Release 12.4. Both undergo comprehensive testing and review cycles to continuously improve and increase reliability, quality, and stability. As per Cisco policies, no new technologies or features are added to either Release 12.4 or maintenance rebuild releases of Release 12.4(15)T. For more information please visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/ps8258/product_bulletin_c25-496283.html
AppleTalk Support Discontinuation in IOS T
Due to a significant decrease in AppleTalk usage and demand among its customer base, and given the fact that Apple now fully supports the TCP/IP family of protocols, Cisco has reached the decision to discontinue AppleTalk support on Cisco IOS. The AppleTalk feature removal will be permanent and will apply to future IOS releases after Release 12.4(24)T.
Figure 1 illustrates the current migration path from Cisco IOS Releases 12.3T, 12.3, and prior releases to Release 12.4T or Release 12.4.
Figure 1. Release 12.4T Migration Plan
Figure 2 below illustrates the relationship between Release 12.4T and Release 12.4.
Figure 2. Release 12.4T and Release 12.4 Relationship
Figure 3 below shows the relationship between Release 12.4T and individual 12.4(n)T new feature releases.
Figure 3. Release 12.4T and Individual 12.4(n)T Release Relationship
Note: Cisco IOS Software Release 12.4(20)T and later Release 12.4T releases do not support several Cisco hardware platforms that were supported in Release 12.4(15)T and prior releases. These platforms will be supported by Release 12.4(15)T via regularly scheduled software maintenance rebuilds and bug fix support until the end of software maintenance date for the respective platform is reached.
• Cisco SOHO 90 Series
• Cisco 831, 836, 837, and 850 Series
• Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, and 1760 Series
• Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, and 2691 Series
The Cisco release delivery process, rigorous software testing, and regularly scheduled software maintenance result in significant incremental enhancements and improvements to the quality, stability, and resiliency of Cisco IOS Software Release 12.4T and Release 12.4.
2.1.1) Cisco IOS BGP Support for 4-byte Autonomous System Numbers (ASN)
Border Gateway Protocol (BGP) is an Internet Engineering Task Force (IETF) standard, and the most scalable of all routing protocols. BGP is the routing protocol of the global Internet, as well as for enterprise and service provider private networks. BGP has expanded upon its original purpose of carrying Internet reachability information, and can now carry routes for Multicast, IPv6, VPNs, and a variety of other data. Cisco supports all IETF BGP standards, as well as the majority of Internet Drafts for BGP. In addition, Cisco is an active participant in the Inter-Domain Routing (IDR) Working Group at IETF, and a frequent contributor of new BGP extensions.
Cisco IOS Software Release 12.4(24)T adds BGP Support for 4-byte ASN.
When BGP was first developed and standardized, it was assumed that a 16-bit binary number to identify the Autonomous System (AS) within BGP would be more than sufficient. The 16-bit AS number, also known as the 2-byte AS number, provides a pool of 65,536 unique Autonomous System numbers. The Internet Assigned Numbers Authority (IANA) manages the available BGP Autonomous System Number (ASN) pool, with the assignments being carried out by the Regional Registries.
The current consumption rate of public AS numbers suggests that the entire 2-byte ASN pool will be fully depleted by early to middle 2011. A solution to this depletion is the expansion of the existing 2-byte AS number to a 4-byte AS number, which provides a theoretical 4,294,967,296 unique AS numbers. ARIN has made the following policy changes in conjunction with the adoption of the solution.
As of January 1, 2009, per the American Registry for Internet Numbers (ARIN), all new Autonomous System Numbers (ASNs) issued will be 4-byte by default, unless otherwise requested. For more information please visit: https://www.arin.net/announcements/2008/07242008.html
The Cisco IOS BGP 4-byte ASN feature allows BGP to support the ASN encoded as a 4-byte entity. The addition of this feature allows an operator to use an expanded 4-byte AS number granted by IANA.
As shown in Figure 5 below, backward compatibility between 4-byte and 2-byte AS numbers is provided, since BGP and Multiprotocol BGP are already widely deployed in ISP and MPLS VPN environments. Specifically, three mechanisms are introduced to allow a smooth migration from a 2-byte to a 4-byte ASN environment: advertisement of 4-byte ASN support via a standards-based BGP capability code, two new "optional transitive" attributes (AS4_AGGREGATOR and AS4_PATH), and a newly reserved AS_TRANS number, 23456, for interoperability between 4-byte-ASN-capable and non-capable BGP speakers.
The implementation complies with IETF RFC 5396 and RFC 4893.
Figure 5. Use Case Example of Both 4-byte Capable and 2-byte ASN BGP Speakers
Benefits
• Allows BGP to carry an Autonomous System Number (ASN) encoded as a 4-byte entity
• Includes the following enhancements to ensure a smooth migration from a 2-byte to a 4-byte ASN environment:
– Advertisement of 4-byte ASN support via a standards-based BGP capability code
– Two new "optional transitive" attributes: AS4_AGGREGATOR and AS4_PATH
– A newly reserved AS_TRANS number, 23456, for interoperability between 4-byte-ASN-capable and non-capable BGP speakers
• To further reduce the operational changes required when an operator migrates from a 2-byte to a 4-byte ASN environment, the implementation provides a default "asplain" and an optional "asdot" AS output format
Considerations
• The initial support for 4-byte ASN in Release 12.4(24)T supports all existing BGP features (including IPv4, IPv6, VPNv4, and VPNv6 address and sub address families) with the exception of Cisco IOS NetFlow
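The interoperability mechanisms described above can be exercised end to end in a few lines. The following is an added worked example (not Cisco code): it converts between the asplain and asdot notations of RFC 5396, shows what a 4-byte-capable speaker puts in AS_PATH and AS4_PATH when talking to a 2-byte-only neighbor, and performs the AS_PATH reconstruction of RFC 4893 on the far side. The AS numbers in the scenario are constructed; AS_PATH is modelled as a flat list with the most recently prepended ASN first, and AS_SET segments are ignored for brevity.

```python
"""Worked example (added; not Cisco's code): 4-byte ASN notation (RFC 5396)
and AS_TRANS / AS4_PATH handling between 4-byte-capable ("NEW") and
2-byte-only ("OLD") BGP speakers (RFC 4893). AS_PATH is modelled as a flat
list of ASNs, most recently prepended first; AS_SET segments are ignored."""

AS_TRANS = 23456          # reserved 2-byte placeholder for any ASN > 65535
MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF


def asplain_to_asdot(asn: int) -> str:
    """asdot (RFC 5396): ASNs <= 65535 print unchanged, larger ones as high.low."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of range: {asn}")
    if asn <= MAX_2BYTE:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asplain(text: str) -> int:
    """Parse either asplain ("65536") or asdot ("1.0") into an integer."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"bad asdot value: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of range: {text}")
    return asn


def announce_to_old_speaker(as_path):
    """What a NEW speaker puts on the wire towards an OLD peer: every 4-byte
    ASN in AS_PATH is replaced by AS_TRANS, and the real path is carried in
    the optional transitive AS4_PATH attribute (omitted when not needed)."""
    wire_as_path = [AS_TRANS if asn > MAX_2BYTE else asn for asn in as_path]
    needs_as4 = any(asn > MAX_2BYTE for asn in as_path)
    as4_path = list(as_path) if needs_as4 else None
    return wire_as_path, as4_path


def old_speaker_prepends(wire_as_path, as4_path, own_asn):
    """An OLD speaker prepends its own ASN to AS_PATH and passes AS4_PATH
    through untouched, because the attribute is optional transitive."""
    return [own_asn] + list(wire_as_path), as4_path


def reconstruct_as_path(as_path, as4_path):
    """NEW speaker receiving from an OLD peer (RFC 4893 section 4.2.3): if
    AS4_PATH is present and not longer than AS_PATH, keep the leading
    len(AS_PATH) - len(AS4_PATH) entries of AS_PATH (ASNs added by OLD
    speakers) and append AS4_PATH; otherwise ignore AS4_PATH."""
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    keep = len(as_path) - len(as4_path)
    return list(as_path[:keep]) + list(as4_path)


if __name__ == "__main__":
    # Constructed scenario: AS 65536 originates a prefix, passes it through
    # OLD AS 64500, which hands it to a NEW speaker in AS 64510.
    wire, as4 = announce_to_old_speaker([65536])
    wire, as4 = old_speaker_prepends(wire, as4, 64500)
    print("AS_PATH on the wire :", wire)                           # [64500, 23456]
    print("AS4_PATH            :", as4)                            # [65536]
    print("reconstructed       :", reconstruct_as_path(wire, as4))  # [64500, 65536]
    print("asdot for 65536     :", asplain_to_asdot(65536))        # 1.0
```

The reconstruction rule is also the place where a defender should look when an AS_PATH seen on a 2-byte-only router contains 23456: that entry is not an origin AS but a placeholder, and filters or loop checks keyed on it will not behave as they do for a real ASN.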
2.1.2) Mobile IP-Policy and Application-Based Routing for Mobile Router Multi-Path Support
Cisco Mobile Routers (MRs) running Cisco Mobile Network technology, offer seamless network connectivity for devices connecting to it. Network connectivity remains uninterrupted even when the mobile router roams among various wireless and wired networks.
Prior to the introduction of MR Multi-Path support in Cisco IOS Software Release 12.4(9)T, a Cisco MR could only support seamless mobility to the Home Agent (HA) via a single mobile tunnel at a time. The Multi-Path Support for Mobile Router feature allows an MR and an HA to establish multiple Mobile IP tunnels over all available roaming interfaces. When the Multi-Path feature is enabled, the MR registers with the HA through all of its available roaming interfaces. Each registration is independent of the registrations taking place on the other roaming interfaces. Once registered through the roaming interfaces, the MR has multiple routes, or paths, back to the HA (assuming the Mobile IP Reverse Tunnel feature is configured). Mobile traffic to or from the mobile network is then load-balanced among the multiple routes based on the CEF load balancing algorithms, either per packet or per destination (the default). In addition, this feature supports unequal load balancing. The Multi-Path feature lets users make use of all the bandwidth available from all the enabled links.
New in Cisco IOS Software Release 12.4(24)T is Application-Based Routing for Mobile Router Multi-Path Support. This feature extends existing MR Multi-Path routing support to enable static Access Control Lists (ACLs) and dynamic Policy-Based Routing (PBR) route-map commands to define unique traffic types and route these traffic classes over specified interfaces or paths. This feature enables you to bi-directionally define how specific traffic types should be routed across the multiple tunnels established between the MR and HA. The same ACL and PBR policies are used on both the MR and HA.
Figure 6. Application-Based Routing for Mobile Router (MR) Multi-Path Support
Benefits
• Better Investment Protection: Enables the customer to optimize performance, scalability, and availability of applications traversing the multi-path mobile network via application routing policies
Hardware
Routers
• Cisco 1700, 1800, 2800, 3200, 3270, 3600, 3700, 3800, 7200, and 7301 Series Routers
2.1.3) Multi-VRF Selection Using Policy-Based Routing (PBR)
Multi-VRF Selection using Policy Based Routing is an extension of VRF Selection based on Source IP Address. This functionality takes advantage of the existing Route-map (which is capable of supporting multiple selection criteria) and uses Policy Based Routing (PBR) as a way to classify packets and set the relevant routing/forwarding decision. Classification criteria include source and/or destination IP addresses, protocol number, source and/or destination port number, IP precedence value, DSCP value, TCP flags, packet length and ICMP type.
Note: This feature only supports VRF-Lite. Only IP routing protocols are supported with this feature. Multiprotocol Label Switching (MPLS) VPN is not supported.
Secure Neighbor Discovery (SeND) protocol is designed to counter the threats to the Neighbor Discovery Protocol (NDP) detailed in RFC 3756. SeND is an addendum on top of ND. It defines a set of new ND options and two new ND messages (Certification Path Solicitation and Answer). It also defines a new auto-configuration mechanism, to be used in conjunction with the new ND options, to establish address ownership.
There are essentially two security features introduced by SeND to mitigate address spoofing and rogue routers, two of the biggest threats related to NDP. The first feature enables nodes to establish address ownership using IPv6 Cryptographically Generated Addresses (CGA), as specified in RFC 3972. The second feature provides router authorization through X.509 certificates, and is specified in RFC 3971.
Deployment-wise, CGA is a very lightweight mechanism, as it involves neither cryptographic key distribution (other than providing the public key in one of the new NDP options) nor any form of identity or certificates.
Router authorization is more challenging, since a router must have an "identity", certified through a certificate signed by a Certificate Authority, and that Certificate Authority must be known by all nodes. RFC 3971 also specifies two important additional elements. Certificates can contain the list of prefixes that the router owns, so that any node can verify the prefixes announced by the router before performing stateless auto-configuration. And last but not least, a node running SeND is expected to be able to arbitrate between concurrent claims coming from a mixture of peers speaking SeND and nodes speaking ND, in favor of the former.
The Cisco implementation, which is fully compliant with RFC 3971 and RFC 3972, supports:
• Cryptographically Generated addresses (CGA)
• Router authorization through X.509 certificates
• Prefixes embedded in certificates, as specified in RFC 3779
• Transitioning situation, where it is capable of giving preference to SeND peers over ND peers
In addition, IOS-PKI and IOS-CS (Certificate Server) have been upgraded to allow building certificate requests with embedded IPv6 prefixes, reading and storing these prefixes, and validating a certificate chain with embedded IPv6 prefixes. This makes it possible to install on a Cisco SeND router a fully compliant X.509 certificate with embedded prefixes and enable Router Authorization.
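The CGA mechanism is simple enough to show in full. The following is an added worked example (not Cisco code) that generates a CGA from a subnet prefix and a public key and then verifies it the way a SeND neighbor would, following the Hash1/Hash2 construction of RFC 3972. The "public key" bytes are constructed placeholders (a real CGA hashes the DER-encoded SubjectPublicKeyInfo of the node's RSA key), and the modifier search starts from zero instead of a random value so the result is reproducible.

```python
"""Worked example (added; not Cisco's code): generating and verifying an IPv6
Cryptographically Generated Address (CGA) as specified in RFC 3972.
The "public key" below is a constructed placeholder byte string; a real CGA
uses the DER-encoded SubjectPublicKeyInfo of the node's RSA key."""
import hashlib
import ipaddress

PREFIX = bytes.fromhex("20010db800000000")             # 2001:db8::/64 (documentation prefix)
PUBKEY = b"CONSTRUCTED-PLACEHOLDER-DER-PUBLIC-KEY-A"   # placeholder, not a real key
OTHER_KEY = b"CONSTRUCTED-PLACEHOLDER-DER-PUBLIC-KEY-B"


def _hash1(modifier, prefix, collision_count, pubkey):
    # CGA Parameters = modifier(16) || subnet prefix(8) || collision count(1) || public key
    params = modifier + prefix + bytes([collision_count]) + pubkey
    return hashlib.sha1(params).digest()[:8]           # leftmost 64 bits


def _hash2(modifier, pubkey):
    # Hash2 is computed with prefix and collision count zeroed (9 zero bytes)
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]  # leftmost 112 bits


def _hash2_ok(hash2, sec):
    """The leftmost 16*Sec bits of Hash2 must be zero."""
    zero_bits = 16 * sec
    if zero_bits == 0:
        return True
    return int.from_bytes(hash2, "big") >> (112 - zero_bits) == 0


def _interface_id(hash1, sec):
    iid = bytearray(hash1)
    # bits 0-2 of the interface ID carry Sec; bits 6 and 7 (u and g) are set to zero
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(prefix, pubkey, sec=0, collision_count=0):
    """Return (address, modifier). Sec > 0 makes generation cost about
    2^(16*Sec) hashes, which is exactly what makes brute-forcing a CGA expensive."""
    assert len(prefix) == 8 and 0 <= sec <= 7 and 0 <= collision_count <= 2
    modifier_int = 0                                   # RFC 3972 uses a random start; fixed here for determinism
    while True:
        modifier = modifier_int.to_bytes(16, "big")
        if _hash2_ok(_hash2(modifier, pubkey), sec):
            break
        modifier_int += 1
    iid = _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
    return str(ipaddress.IPv6Address(prefix + iid)), modifier


def cga_sec(address):
    """Sec parameter as encoded in the three leftmost bits of the interface ID."""
    return ipaddress.IPv6Address(address).packed[8] >> 5


def verify_cga(address, prefix, pubkey, modifier, collision_count):
    """Verification as a SeND neighbor performs it from the CGA option fields."""
    packed = ipaddress.IPv6Address(address).packed
    if collision_count > 2 or packed[:8] != prefix:
        return False
    sec = packed[8] >> 5                               # Sec is read from the address itself
    expected_iid = _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
    if packed[8:] != expected_iid:
        return False
    return _hash2_ok(_hash2(modifier, pubkey), sec)


if __name__ == "__main__":
    addr, mod = generate_cga(PREFIX, PUBKEY, sec=1)
    print("CGA:", addr)
    print("owner verifies :", verify_cga(addr, PREFIX, PUBKEY, mod, 0))      # True
    print("other key fails:", verify_cga(addr, PREFIX, OTHER_KEY, mod, 0))   # False
```

Note what verification does and does not prove: a valid CGA shows that whoever produced the signed ND message holds the private key matching the public key hashed into the address, so a neighbor cannot claim an address it did not generate. It says nothing about who that key belongs to, which is why router authorization still needs the X.509 path described above.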
Figure 7. Generation of a SeND Packet (simplified version)
Benefits
• Router interface addresses are generated in a way that the ownership can be verified by a third party
• Received address ownership is dynamically verified; only validated neighbors are inserted into the Neighbor Discovery cache
• Router Advertisement content is dynamically verified, so no one can pretend to be a valid router on a link without a valid matching X.509 certificate
Hardware
Routers
• Cisco 800, 1800, 3800, 7200, 7301 Series Routers
At the heart of the IP address distribution architecture for IPv4, DHCP has been selected by the IPv6 community to fulfill similar functions. While stateless address auto-configuration is mandated by IPv6 specifications, there is a business demand to have DHCP offer stateful address and prefix delegation in an easily deployable fashion (VoIPv6 for instance).
The new feature of allocating individual addresses is now supported for Client, Server and Relay functions.
The DHCPv6 client, server, and relay functions are mutually exclusive on an interface.
Client Function
The DHCPv6 client function can be enabled on individual IPv6-enabled interfaces and benefits from the following new features:
• Support for multiple IPv6 addresses (IA_NA options) on an interface
• Rapid Commit: The Rapid Commit option is supported
• The DHCPv6 Client works in an IPv6 VRF environment
Server Selection
A DHCPv6 client builds a list of potential servers by sending a solicit message and collecting advertise message replies from servers. These messages are ranked based on preference value, and servers may add a preference option to their advertise messages explicitly stating their preference value. If the client needs to acquire prefixes from servers, only servers that have advertised prefixes are considered.
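The ranking just described is easy to get subtly wrong, so here is an added worked example (not Cisco code) of the client side of it: it builds ADVERTISE messages in DHCPv6 wire format, parses their options, and picks the best server by the Preference option (option code 7 in RFC 3315), skipping servers that offered no IA_PD (option code 25, RFC 3633) when the client needs a prefix. The transaction ID, server identifiers and message contents are constructed for the example.

```python
"""Worked example (added; not Cisco's code): DHCPv6 server selection from
ADVERTISE replies (RFC 3315 Preference option, RFC 3633 IA_PD). Messages are
constructed byte strings in DHCPv6 wire format."""
import struct

ADVERTISE, REPLY = 2, 7
OPTION_SERVERID, OPTION_IA_NA, OPTION_PREFERENCE, OPTION_IA_PD = 2, 3, 7, 25
TXID = 0x0A1B2C                                   # constructed transaction id


def build_message(msg_type, txid, options):
    """msg-type(1) || transaction-id(3) || options, each as code(2) len(2) data."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return bytes([msg_type]) + txid.to_bytes(3, "big") + body


def parse_options(message):
    """Return code -> [data, ...] (an option may repeat, e.g. several IA_NA);
    a truncated option makes the whole message invalid."""
    options, offset = {}, 4
    while offset < len(message):
        if offset + 4 > len(message):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", message[offset:offset + 4])
        data = message[offset + 4:offset + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options.setdefault(code, []).append(data)
        offset += 4 + length
    return options


def select_server(advertises, txid, need_prefix=False):
    """Server ID of the best ADVERTISE: highest Preference wins, a missing
    Preference counts as 0, servers without IA_PD are skipped when a prefix is
    needed, and a Preference of 255 ends the collection immediately."""
    best_id, best_pref = None, -1
    for msg in advertises:
        if msg[0] != ADVERTISE or int.from_bytes(msg[1:4], "big") != txid:
            continue                                  # wrong type or not our transaction
        try:
            opts = parse_options(msg)
        except ValueError:
            continue                                  # malformed: ignore, do not crash the client
        if OPTION_SERVERID not in opts:
            continue
        if need_prefix and OPTION_IA_PD not in opts:
            continue
        pref = opts[OPTION_PREFERENCE][0][0] if OPTION_PREFERENCE in opts else 0
        if pref > best_pref:
            best_id, best_pref = opts[OPTION_SERVERID][0], pref
        if pref == 255:
            break
    return best_id


def sample_advertises():
    """Constructed replies: A prefers itself strongly but offers addresses only;
    B is less preferred but also offers a delegated prefix; C answers the wrong
    transaction; D is a REPLY, not an ADVERTISE; E is truncated."""
    ia_na = b"\x00\x00\x00\x01" + b"\x00" * 8        # IAID + T1/T2, sub-options omitted
    ia_pd = b"\x00\x00\x00\x02" + b"\x00" * 8
    a = build_message(ADVERTISE, TXID, [(OPTION_SERVERID, b"server-A"), (OPTION_IA_NA, ia_na),
                                        (OPTION_PREFERENCE, b"\xc8")])
    b = build_message(ADVERTISE, TXID, [(OPTION_SERVERID, b"server-B"), (OPTION_IA_NA, ia_na),
                                        (OPTION_IA_PD, ia_pd), (OPTION_PREFERENCE, b"\x32")])
    c = build_message(ADVERTISE, TXID + 1, [(OPTION_SERVERID, b"server-C"), (OPTION_PREFERENCE, b"\xff")])
    d = build_message(REPLY, TXID, [(OPTION_SERVERID, b"server-D"), (OPTION_PREFERENCE, b"\xff")])
    e = build_message(ADVERTISE, TXID, [(OPTION_SERVERID, b"server-E")])[:-3]
    return [a, b, c, d, e]


if __name__ == "__main__":
    msgs = sample_advertises()
    print("addresses only :", select_server(msgs, TXID))                    # b'server-A'
    print("prefix required:", select_server(msgs, TXID, need_prefix=True))  # b'server-B'
```

The transaction-ID and message-type checks matter more than they look: without them, a stray or spoofed message on the link with Preference 255 would be enough to make the client stop collecting and bind to whoever sent it.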
Server Function
The DHCPv6 server function can be enabled on individual IPv6-enabled interfaces.
The DHCPv6 server provides the following features:
• RFC3041 Compliance: IPv6 addresses will be allocated in a non-sequential fashion
• Allocating multiple IPv6 addresses to a client (i.e., if multiple address pools apply, one address is allocated from each address pool)
• Rapid Commit: The Rapid Commit option is supported
• The DHCPv6 server works in an IPv6 VRF environment
• The DHCPv6 server writes current allocated addresses to a TFTP server and can read currently allocated addresses back from the TFTP server upon startup
• Configuration and support of Vendor-Specific Options
DHCP Relay Agent
A DHCP relay agent, which may reside on the client's link, is used to relay messages between the client and server. DHCP relay agent operation is transparent to the client. A client locates a DHCP server using a reserved, link-scoped multicast address. Therefore, it is a requirement for direct communication between the client and the server that the client and the server be attached to the same link. However, in some situations in which ease of management, economy, or scalability is a concern, it is desirable to allow a DHCP client to send a message to a DHCP server that is not connected to the same link.
Benefits of using DHCPv6 individual Address assignment:
Flexibility, Scalability, and Customization: DHCPv6 in terms of individual address assignment now offers similar functionality as DHCPv4, which includes easy configuration of address pool and scalability.
Hardware
Routers
• Cisco 800, 1800, 3800, 7200, 7301 Series Routers
Web Services Management Agent (WSMA) allows customers, partners and developers to provision, configure, manage and adapt Cisco IOS devices using industry standard Web Services protocols. Combined with Extensible Markup Language (XML), Web Services provides secure, reliable and robust access to IOS using a familiar set of protocols already in use by the majority of customers and partners. WSMA leverages existing investments in IOS CLI as well as existing Web Services expertise and tools.
External management systems can be built to perform the following functions with a WSMA agent inside IOS:
• Retrieve configuration information in tagged and well-formed XML
• Change the running configuration using CLI or XML
• Test a candidate configuration before applying it to the running configuration
• Bulk transfer multiple CLI/Exec commands in a single Simple Object Access Protocol (SOAP) envelope
• Allow atomic rollback if a transaction fails
• Receive full audit trails of configuration changes and operation returns codes
• Control whether the WSMA agent listens for inbound sessions (listener mode) or establishes an outbound session to the external NMS system (initiator mode)
• Perform "show" commands and receive the output in tagged XML format
• Copy images, apply updates and archive configurations
• Retrieve directory listings
• Run Exec commands
• Receive configuration change notifications including before and after audit trails of the configuration change
• Group Web Services using profiles which allow different transports and protocols to be assigned to different groups and services.
WSMA supports two important modes of communication; listener and initiator modes:
• Initiator Mode: The WSMA agent can establish an outbound session to the external NMS system to avoid opening up inbound connections to the router or switch. For customers wanting a highly secure environment which traverses firewall and resolves NAT issues, initiator mode is a significant capability
• Listener Mode: The WSMA listens for inbound Web Service session requests in a traditional Web Services client/server architecture
WSMA supports several highly secure methods of authentication already in use by customers: SSH and HTTPS. Future versions of WSMA will support TLS as well.
Benefits
• Increased Provisioning/Configuration Speed: Making configuration changes through WSMA, configurations can be applied many times faster than using off-box expect scripts or manual configuration using SSH/Telnet. In addition, multiple CLI commands can be operated as an atomic operation.
• Reduced Development Effort: WSMA frees up web services developers to use their existing tools and expertise to rapidly build management applications. Based on industry standard web services protocols (SOAP 1.1, SOAP 1.2, etc.) and transports (SSH, TLS and HTTPS), developers can rapidly build applications which are reusable and flexible.
• Improved Automation: In addition to return codes and audit trails, WSMA provides atomic rollback in case of failure. Should the worst occur, WSMA will return the configuration to a working state.
• Improved Accuracy: WSMA brings the benefits of XML and web services; accuracy and consistency. Using WSMA to provision, configure, manage and adapt a Cisco device, customers get a robust, self-describing system with the accuracy of XML access.
Hardware
Routers
• Cisco 800, 1800, 3800, 7200, 7301 Series Routers
2.3.2) Smart Call Home Support for the Cisco 7200 Series Router
Smart Call Home is a powerful component of Cisco SMARTnet Service that offers proactive diagnostics, real-time alerts, and personalized web-based reports on select Cisco devices.
Cisco Smart Call Home offers:
• Visibility into your network through diagnostic reports
• Real-time troubleshooting and alerts
• Automatic generation of Cisco service requests to Cisco technical engineers
• Secure, reliable data transport
• Personalized Web-based portal to review Call Home messages, detailed diagnostics, recommendations, and inventory
Cisco IOS Software Release 12.4(24)T adds Smart Call Home support for the Cisco 7200 Series Router.
Cisco Unified Communications Manager Express is the Cisco router-based call processing solution that provides a smart, simple and robust Unified Communications solution for small and medium businesses and enterprise branch offices. Cisco IOS Software 12.4(24)T contains several new features for customers using Cisco Unified Communications Manager Express.
Single Number Reach (SNR)
The Single Number Reach feature allows users to consolidate all their incoming calls into a single business phone number which reaches both their Cisco IP Phone and their cell phone. This feature enables users to answer incoming calls on their desktop IP phone or at a remote destination, such as a mobile phone.
The Single Number Reach feature includes:
1. Option to dynamically change alternate phone number from phone Telephony User Interface (TUI)
2. Allows calls to be switched between IP phone and alternate phone with the touch of a button
3. Users can toggle SNR functionality on/off from the phone
Whisper Intercom
The Whisper Intercom feature allows a receptionist to perform a whisper page to the manager phone to provide one-way voice from the calling to the called party, regardless of whether the called party is busy or idle. In case the manager is already on a call, the audio from the receptionist will not be heard on the manager's other call.
The Whisper Intercom feature includes:
1. The phone receiving a whisper page displays the extension and name of the party initiating the whisper page and Cisco Unified CME plays a zip zip tone before the called party hears the caller's voice
2. If the called party wants to speak to the caller, the called party selects the intercom button on their phone.
3. The lamp for intercom buttons is colored amber to indicate one-way audio for whisper intercom and green to indicate two-way audio for standard intercom.
SIP Line Side Enhancements
SIP Line side enhancements in Cisco Unified Communications Manager Express for Cisco SIP endpoints build on an already robust feature set for SIP endpoints.
SIP Line Side Enhancement includes:
1. Shared line support across up to 16 Cisco SIP phones
2. Ability to barge into calls for Cisco SIP phones with shared lines
3. Calls put on hold on Cisco SIP phones with shared lines can be resumed by other shared line members
4. Privacy for SIP phones enables phone users to block other users from seeing call information or barging into a call on a SIP shared-line directory number. Users can toggle privacy on/off dynamically for shared lines.
5. Call Park and Pickup between SCCP and SIP endpoints. Both SCCP and SIP endpoints can park and retrieve calls that are parked.
6. Call Park slots can now be reserved for specific departments
Busy Lamp Field (BLF) Monitoring of Devices
Support device-based BLF monitoring, allowing a watcher to monitor the status of a phone, not only a line on the phone.
Busy Lamp Field (BLF) Monitoring of DnD, Call Park, Paging and Conferencing Directory Numbers
Provide BLF indicators for directory numbers that become DND-enabled, or are configured as call-park slots, paging numbers, or conference numbers.
SIP Trunk Video Support for SCCP Endpoints
Supports video calls between SCCP endpoints across different Cisco Unified CME routers connected through a SIP trunk. Support H.264 codec for video calls.
DSCP Enhancements
Supports Differentiated Services Code Point (DSCP) packet marking for Cisco Unified IP phones.
Multilevel Precedence and Preemption (MLPP)
MLPP service allows validated users to place priority calls, and if necessary, to preempt lower-priority calls. This capability assures high-ranking personnel can communicate with critical organizations and personnel during network stress situations, such as a national emergency or degraded network situation.
Benefits
• Improves end user experience and productivity: Cisco SIP IP Phone users now have access to more of the robust IP Telephony features available on Cisco Unified Communications Manager Express. Users have presence information for other users and can reach them seamlessly. They are also able to join calls with the touch of a button and can enable privacy when needed.
• Enhanced mobility: Allows IP Phone users to provide a single number to other parties and receive calls on their desk or cell phone. This allows users to be connected while away from the office and reduces missed calls and sales opportunities.
• Support for Public Safety and Department of Defense (DOD) initiatives: Assure that critical calls from high ranking personnel and emergency calls are always serviced.
3.1.1) IOS Firewall Support for Trusted Relay Point
Cisco IOS firewall enhances security for Unified Communications (UC) by supporting Trusted Relay Point (TRP). This solution provides a trusted anchor within the network for seamless UC related services including media recording, QoS enforcement, and intelligent firewall traversal.
Figure 9. IOS Firewall Trusted Relay Point Use Case Scenario
Trusted Relay Point is a multi-functional architecture covering Quality of Service (QoS), Optimized Edge Routing (OER), and virtual network traversal. It eliminates the deep packet inspection and overhead associated with firewalling by signaling the firewall to permit traffic.
Benefits of UC-Trusted Firewall Control
• Provides authentication required to open port requests on the firewall
• Supports asymmetric signaling/media paths control, cases where signaling and media may not traverse the same paths in the network (such as internal "firewalling") and might ordinarily be blocked
• Provides encrypted signaling between voice entities, cases where the firewall has the group key to look at the signaling and allow pinholes for media
• Ports for media and signaling remain open for session length only, providing more secure sessions
Hardware
Routers
• Cisco 871, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers
3.1.2) Access Control List (ACL) Syslog Correlation
The Cisco IOS ACL Syslog Correlation feature provides a correlation mechanism for ACLs that can be used by Network Management System (NMS) tools to correlate a triggered syslog with the specific Access Control Entry (ACE) within the ACL that triggered it. The ACL Syslog Correlation feature uses a 'tag' which is appended to the ACE-generated syslog. The 'tag' can either be a user-configured alphanumeric cookie or an IOS-generated 32-bit hash. If the user does not configure the cookie, IOS creates the hash for ACEs configured with the 'log' keyword.
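On the NMS side the tag is what makes the syslog stream usable: the ACL name alone tells you which list fired, the tag tells you which line. The following is an added worked example (not Cisco code) of that correlation step. The message layout assumed here is the %SEC-6-IPACCESSLOGP format with the tag appended in square brackets; the sample log lines, the ACE table and the hash value shown for the IOS-generated tag are all constructed for the example, and a real deployment would build the table from the device's running ACL configuration.

```python
"""Worked example (added; not Cisco's code): correlating ACE-generated syslog
messages back to the ACE by the tag in square brackets. The message layout is
an assumption about the %SEC-6-IPACCESSLOGP format; sample lines, the ACE
table and the hash-style tag value are constructed for this example."""
import re
from collections import Counter

# Constructed ACE table: (ACL name, tag) -> ACE text. A user-configured cookie
# and an IOS-generated 32-bit hash (placeholder value here) are both opaque
# strings as far as correlation is concerned.
ACE_BY_TAG = {
    ("EDGE-IN", "SSH-FROM-OUTSIDE"): "deny tcp any any eq 22 log SSH-FROM-OUTSIDE",
    ("EDGE-IN", "0xDEADBEEF"): "deny ip 10.0.0.0 0.255.255.255 any log",   # hash placeholder
    ("EDGE-IN", "WEB-OK"): "permit tcp any host 192.0.2.10 eq 80 log WEB-OK",
}

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[^\s(]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[^\s(]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
    r"(?: \[(?P<tag>[^\]]+)\])?"
)

# Constructed sample log; the last line comes from an ACL without tags.
SAMPLE_LOG = """\
*Mar  1 00:12:31.003: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(41022) -> 192.0.2.10(22), 1 packet [SSH-FROM-OUTSIDE]
*Mar  1 00:12:35.117: %SEC-6-IPACCESSLOGP: list EDGE-IN permitted tcp 203.0.113.9(51000) -> 192.0.2.10(80), 12 packets [WEB-OK]
*Mar  1 00:13:02.440: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 10.4.4.4(33000) -> 192.0.2.10(443), 3 packets [0xDEADBEEF]
*Mar  1 00:13:09.001: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(41023) -> 192.0.2.10(22), 1 packet [SSH-FROM-OUTSIDE]
*Mar  1 00:13:10.500: %SEC-6-IPACCESSLOGP: list LEGACY denied udp 198.51.100.8(5000) -> 192.0.2.11(53), 1 packet
"""


def parse_line(line):
    """Return the parsed fields plus the correlated ACE text, or None if the
    line is not an ACE log message."""
    match = LOG_RE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["count"] = int(rec["count"])
    rec["ace"] = ACE_BY_TAG.get((rec["acl"], rec["tag"])) if rec["tag"] else None
    return rec


def correlate(log_text):
    """Parse every line; return (records, packet counts per ACE, number of
    messages that carried no tag or an unknown one)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    hits, uncorrelated = Counter(), 0
    for rec in records:
        if rec["ace"]:
            hits[rec["ace"]] += rec["count"]
        else:
            uncorrelated += 1
    return records, hits, uncorrelated


if __name__ == "__main__":
    recs, per_ace, missing = correlate(SAMPLE_LOG)
    for ace, packets in per_ace.most_common():
        print(f"{packets:5d} packets  {ace}")
    print("messages without a usable tag:", missing)   # 1
```

Messages that reach the NMS without a tag are worth alerting on in their own right: either the ACE was configured without correlation, or the table is stale relative to the running configuration, and in both cases the log line cannot be tied back to a specific rule.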
Figure 10. Define a tag to be used for ACE generated syslogs
Figure 11. Configured tags are appended to ACE generated syslogs
Benefits
• Provides a consistent monitoring solution for IOS ACLs, allowing network management tools to easily correlate the triggered syslog with the specific Access Control Entry (ACE) within the ACL that triggered the syslog
• Reduces complexity of managing and monitoring ACL rules for access and control by simplifying the correlation of ACE rules with their corresponding syslog events
• Assists network administrators in troubleshooting issues that occur as a result of ACE rules and allows them to monitor ACE rules' effectiveness
Hardware
Routers
• Cisco 800, 1800, 2800, 3700, 3800, and 7200 Series Routers
3.1.3) Per Dynamic Multipoint VPN (DMVPN) Tunnel Quality of Service (QoS)
This feature enables the DMVPN hub to dynamically allocate a QoS service policy for each spoke. The DMVPN hub can have multiple QoS policies for all the remote spokes. If QoS is configured, each spoke requests a QoS policy from the hub during Next Hop Resolution Protocol (NHRP) registration. This QoS service policy is applied on the hub in the outbound direction. A typical QoS policy provides multiple classes of service, including a priority queue for voice, and traffic shaping for the total bandwidth of all classes.
Table 3. Detailed Capabilities of DMVPN Per Tunnel QoS Functionality
Feature | Benefit
Dynamic QoS policy allocation for spokes during the NHRP registration with the hub | Simplifies QoS configuration on the hub router for dynamically addressed spokes
Cisco Modular QoS CLI (MQC) support configuration in every spoke policy | Allows prioritization of VoIP/delay-sensitive data traffic
Protect critical control traffic before and after encryption | Enhances network stability
Dynamic QoS on the hub ensures optimal traffic flow when a spoke connects to the hub | Simplifies QoS enablement in VPN networks
Protect the crypto engine by supporting the full tunnel queuing hierarchy in hierarchical queuing format; QoS queuing and shaping happen before encryption | Avoids anti-replay error reporting with IPSec
Shaping and queuing happen at the physical interface | Centralizes QoS policy in the router and simplifies configuration
Protection for critical control traffic before and after encryption | Enhances network stability
Dynamic QoS allocation on the hub router protects the spoke from traffic bursts | Protects small spokes from becoming overwhelmed by large hub sites
Hardware
Routers
• Cisco 800, 1800, 2800, 3700, 3800, and 7200 Series Routers
This feature enables support for RFC3779, X.509 Extensions for IP addresses. One of the first protocols to use this feature will be the SEcure Neighbor Discovery Protocol (SEND). IPv6 hosts run Neighbor Discovery Protocol (NDP) to discover other devices on a link. If this link is not secured, NDP is vulnerable to various attacks such as neighbor solicitation/advertisement spoofing and duplicate address detection DoS attacks. SEND is designed to counter the threats to NDP and can use X.509 IP extensions to provide a stronger control on prefix advertisements.
Note that with SEND, RFC3779 (X.509 Extensions for IP addresses) is an optional feature. While SEND will provide its full capabilities with this version of PKI, it could still be deployed with older PKI versions that don't support IP extensions.
Benefits
• Generates certificates with IP extensions
• Counters threats to NDP
• Allows for stronger control over prefix advertisements
Hardware
Routers
• Cisco 87x, 88x, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers
3.1.5) Time-Based Anti-Replay on The VPN Services Adapter (VSA)
This feature enables Time-Based Anti-Replay (TBAR) support on the VPN Services Adapter (VSA) of the 7200 NPE-G2 platform. TBAR is used in the Group Encrypted Transport VPN (GET VPN) solution to detect replay attacks, since standard sequence-based anti-replay detection is not supported there. This feature prevents "man in the middle" attacks.
The Cisco GETVPN solution allows organizations to have branch-to-branch secure connectivity without having to incur the cost of establishing and maintaining full-mesh connections.
Benefits
• Supports anti-replay in the Cisco GET VPN solution
• Allows protection against "man in the middle" attacks, bolstering overall GET VPN security
Hardware
Routers
• Cisco 7200 with Network Processing Engine (NPE) G2
3.1.6) Group Encrypted Transport VPN (GET VPN) Enhancements
Several new GET VPN feature enhancements are introduced in Release 12.4(22)T:
• Passive Security Association (SA)
This feature enables a new mode of IPSec Security Association (SA) with GET VPN. In this mode, the SA accepts both unencrypted and encrypted traffic inbound, while it always encrypts traffic outbound. Passive SA mode is configured on the Group Member (GM) and is persistent across router restarts; this allows the Group Member to modify the SAs downloaded from the Key Server (KS). Passive SA can be used in the same way as receive-only SAs to enable transitions in large-scale deployments.
• Fail-Close
This feature enables GET VPN traffic forwarding to follow the "fail-close" model, in which an unregistered Group Member (GM) stops forwarding data packets rather than sending them out unencrypted.
The fail-close command sets up an implicit "permit ip any any" at the end of the crypto map during the pre-registration phase. After successful GDOI registration, the "permit ip any any" is removed from the crypto map.
You can specify exceptions that need to be forwarded in the clear through deny entries in the ACL. This is useful for letting routing packets, and management packets from a particular host, get through. Note, however, that a deny entry in the GDOI crypto map still takes precedence. After registration succeeds, the deny entries in the fail-close ACL go away, while deny entries in the GDOI crypto map are persistent.
When fail-close is activated, unencrypted packets are blocked prior to and during registration. Once the GM is successfully registered to all its groups, the policies downloaded from the KS take over and govern the GM's behavior; the fail-close ACL and the implicit "permit ip any any" are removed. GMs keep the policies downloaded from the KS even if re-registration fails and the IPSec SA has expired.
Note: GET VPN previously supported fail-close using an interface ACL. With this feature, an interface ACL may no longer be required. Fail-close with an interface ACL might still be useful to customers who want to enforce that certain packets must always be encrypted, regardless of the downloaded key server policy.
• Change Key Server Role
This feature allows you to switch the primary Key Server (KS) by forcing an election. Issuing the new clear crypto gdoi ks coop role command on the primary Key Server makes it relinquish the primary role and initiate an election. If the priorities have changed, a new primary will be elected. Note: This command does not clear any policies; it merely facilitates switching the primary KS.
• Co-operative Key Server: Sharing Keys
This feature optimizes the number of rekeys that are sent out in the event of a network split, allowing the network to stabilize rapidly. When a network split occurs, a secondary KS takes over the partition that cannot reach the primary; with this feature, the new primary reuses the existing policies where possible. At the split, a rekey is sent only if there are keys due to expire within the lifetime threshold (150 seconds). Unless this threshold is met, the current keys and policies are retained on the KS separated from the primary. This ability to share the keys created by another KS reduces the number of policies to manage, improving the cooperation between the KSs.
• Re-key From Secondary on Merge
This feature distributes rekeying when a partitioned network merges back. When the merge occurs, the newly-demoted secondary KS takes responsibility to send out rekeys to the group members in its database. The primary KS is freed from having to send out all rekeys, and is able to focus on sending rekeys to only the members in its own database.
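As an added illustration of the fail-close model described above (this is not configuration text from the bulletin or from Cisco documentation), a Group Member configuration that exempts only routing traffic and one management host before registration; the object names, the key server address 192.0.2.1, the management host 192.0.2.50 and the interface address are constructed placeholders:

```ios
! Exceptions that may be forwarded in the clear before registration completes.
! Only DENY entries are meaningful here: fail-close appends an implicit
! "permit ip any any", and matching traffic is dropped until the GM holds an
! SA, so everything not denied below is blocked pre-registration.
ip access-list extended FAIL-CLOSE-EXCEPTIONS
 remark routing protocol traffic between GMs must keep flowing
 deny ospf any any
 remark management host 192.0.2.50 (constructed) may still reach this GM
 deny ip host 192.0.2.50 any
 deny ip any host 192.0.2.50
!
! GDOI group: the GM registers with the key server at 192.0.2.1 (constructed).
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 192.0.2.1
!
! Fail-close is configured on the crypto map itself, ahead of the GDOI entry.
! "activate" turns the fail-close ACL on; without it the unregistered GM
! still forwards in the clear as before.
crypto map GETVPN-MAP gdoi fail-close
 match address FAIL-CLOSE-EXCEPTIONS
 activate
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map GETVPN-MAP
!
! Checks: "show crypto map gdoi fail-close" reports whether fail-close is
! active; once "show crypto gdoi gm" shows the group registered, the KS
! policy governs forwarding and the exceptions above no longer apply.
! Confirm on your release that the GM's own GDOI registration (UDP 848)
! still completes with this ACL in place; add a deny for it if it does not.
```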
Benefits
• Enables controlled deployments in phases
• Provides ability to eliminate flow of unencrypted data packets
• Allows the primary key server to be changed midstream, e.g. for scheduled maintenance
• Optimizes cooperative key server communications during split and merge, providing better stability
Hardware
Routers
• Group Member (GM): Cisco 870, 88, 1800, 2800, 3800 and 7200 Series and Cisco 7301
• Key Server (KS): Cisco 1840, 2800, 3800 and 7200 Series and Cisco 7301
Cisco IOS SSL VPN Internationalization lays the framework to support multiple languages in the login and portal pages. Users will be able to select their language preference for their session from a drop down menu at the time of login.
Figure 12. IOS SSL VPN Internationalization Support
Benefits
• Allows content to be presented in the local language.
Hardware
Routers
• Cisco 87x, 88x, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers
Cisco IOS provides a cost-effective yet powerful Communications Assistance for Law Enforcement Act (CALEA) compliant solution with the ability to monitor digital communications. Cisco Service Independent Intercept (SII), Control Point Discovery (CPD) and PacketCable 2.0 support Dynamic Discovery of the Intercept Access Point (IAP). Cisco Lawful Intercept provides an out-of-band control mechanism when a third-party mediation device is used to request intercepts on network elements within the organization's trust boundaries. Captures performed for Lawful Intercept are transparent to everything else going on in the network, and access is provided only to authorized personnel.
Figure 13. IOS Control Point Discovery (CPD) Lawful Intercept - Use Case Scenario
1. The Cisco IOS Router will act as a platform for lawful intercept, offering a complete end-to-end solution for the network with all communication sessions and intercept details preserved.
2. The Cisco Lawful Intercept solution offers scalable packet captures and an effective, powerful solution for organizations looking to comply with CALEA requirements.
Benefits
• Cost effective way to leverage existing infrastructure to meet LI regulatory obligations
• Provides easy, proactive compliance and offers quick deployment
3.2.1) Cisco IOS Embedded Event Manager Version 3.0
The Cisco IOS Embedded Event Manager (EEM) is a unique subsystem within Cisco IOS Software. EEM is a powerful and flexible tool to automate tasks and customize the behavior of Cisco IOS and the operation of the device. Customers can use EEM to create and run programs or scripts directly on a router or switch. The scripts are referred to as EEM Policies and can be programmed using a simple CLI-based interface or using a scripting language called Tool Command Language (Tcl). EEM allows customers to harness the significant intelligence within Cisco IOS Software to respond to real-time events, automate tasks, create custom commands and take local automated action based on conditions detected by the Cisco IOS Software itself.
The latest version of the EEM subsystem within Cisco IOS Software is EEM Version 3.0.
Applications
The applications are endless and only limited by your imagination.
Suppose, for example, you would like to automatically configure a switch interface depending on the device that is connected to the port, such as an IP phone. A script can be devised that is triggered on the interface-up condition and determines the details of the connected device. Upon discovery and verification of a newly connected IP phone, the port can be automatically configured according to prescribed parameters.
Another example might be to react to an abnormal condition, such as the detection of a high error rate on an interface, by forcing transit traffic over a more stable and error-free path. EEM can watch for the increased error rate and trigger a policy into action. The policy could notify network operations personnel and take immediate action to reroute traffic.
A third example might be to collect detailed data upon detection of a specific failure condition, so that the root cause of the problem can be determined faster, leading to a lower mean time to repair and higher availability. EEM could detect a specific Syslog message and trigger a script to collect detailed data using a series of show commands. After automatically collecting the data, it can be saved to flash memory, sent to an external management system, or emailed to a network operator.
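An applet for the third scenario, added here as an example (it is not from the bulletin or from Cisco's script library); it also uses the EEM 3.0 applet additions described further on (regexp, variables, if/else). The syslog pattern is the standard link-down message; the interface name, file name and mail addresses are constructed placeholders:

```ios
! Collect diagnostics when an interface's line protocol goes down.
event manager applet COLLECT-ON-LINK-DOWN
 ! Syslog event detector: regular expression matched against every emitted
 ! log message; $_syslog_msg then holds the full matching line.
 event syslog pattern "LINEPROTO-5-UPDOWN.*changed state to down"
 ! Extract the interface name into $intf (first submatch).
 action 010 regexp "Interface ([A-Za-z]+[0-9/.]+)," "$_syslog_msg" match intf
 action 020 cli command "enable"
 ! Snapshot the failing interface and the recent log into one file on flash.
 action 030 cli command "show interfaces $intf | append flash:linkdown.txt"
 action 040 cli command "show logging | append flash:linkdown.txt"
 ! if/else (EEM 3.0): page the NOC only for the WAN uplink, log otherwise.
 action 050 if $intf eq "GigabitEthernet0/0"
 action 060 mail server "mail.example.com" to "noc@example.com" from "router@example.com" subject "WAN uplink $intf down" body "$_syslog_msg"
 action 070 else
 action 080 syslog msg "EEM: $intf down, diagnostics appended to flash:linkdown.txt"
 action 090 end
```

Run "show event manager policy registered" to confirm the applet is active and "show event manager history events" to see when it fired.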
The control is in the network administrator's hands. You control what events to detect and what actions to take. EEM is optional; it is up to the network administrator if and when it should be used, and it only takes the actions you program it to take.
Features and Benefits
Cisco IOS Embedded Event Manager provides a level of embedded systems management not previously seen in Cisco IOS Software. Over twenty event detectors provide an extensive set of conditions that can be monitored and defined as event triggers. The system is extensible with new capabilities and further subsystem integration is planned. The feature is mostly product independent and available across a wide range of Cisco products. Each new version of the EEM feature introduces new event detectors or new capabilities. Consult the Cisco documentation for detailed information.
EEM Version 3.0 Enhancements
The latest version of the EEM subsystem is EEM v3.0. This version ushers in a significant number of enhancements over previous versions. This development enhances the performance, increases feature integration, adds new capabilities, and extends the flexibility, so EEM can be used in new and exciting ways.
With EEM v3.0 comes:
• Four new Event Detectors
– Routing Event Detector
Monitors the events relative to the Routing Information Base (RIB). Events are raised for conditions such as when a particular route is added or removed or when a route is modified.
– Flexible NetFlow Event Detector
Detects events related to Flexible NetFlow
Provides a powerful set of triggers to detect and react to real-time network activity
Triggers policies based on the detection of flows that match particular criteria such as when a new flow is seen with a particular destination IP address and port number; or detect conditions like when the rate of new flow entries exceeds some threshold you define.
– IP SLA Event Detector
Provides event triggers based on IP SLA operation results
Integrates IP SLA directly with the EEM subsystem
Provides an event-driven mechanism to take immediate action when an IP SLA operation fails. For example, when an IP SLA icmp-echo operation that pings a headquarters server over the current interface every 3 seconds fails three times in a row, take local action to direct traffic out another interface.
– Enhanced CLI Event Detector
Offers enhancements to make creation of your own custom CLI commands easier and more powerful
Provides new event triggers when special characters such as "Tab", "?", and the "Enter" key are seen. Provides a way for you to offer "help" for your new commands and make them behave like Cisco-developed commands.
• High performance "Turbo" Tcl policies
– Provides an order-of-magnitude increase in event handling
– Up to 150 events per second depending on the product
• SNMP Library Tcl Extensions
– Provides actions for Get, Set, and Notify for local and remote SNMP devices
– Offers more power to communicate with neighbor devices or to interrogate local MIB variables from within your policies
• Enhanced Interactive Applets
– Increases the power of the EEM Applet (CLI-based) policies
– Do more without resorting to Tcl-based policies
– Includes support for variables and logical functions and if-then-else constructs
• CLI Library Support for XML Programmable Interface
– Provides a set of Tcl library functions to facilitate the parsing of output from the Cisco IOS CLI "format" extension in the form of: show <show-command> | format {spec-file}
– Makes extracting data from the Cisco IOS CLI within EEM policies easier
• Support authenticating SMTP email servers
– More practical support for email actions
• Class Based Scheduling
– Power users have the ability to schedule policy execution according to specific requirements
• Digital Signature Support
– Infrastructure is included to verify policies that are digitally signed by Cisco
• Additional Support for IPv6
– The SNMP proxy feature introduced in EEM 2.4 has been enhanced to support IPv6
– SMTP actions have been enhanced to support IPv6
Table 4. EEM Version 3.0 Features and Benefits
Feature | Benefit
Extensible and powerful subsystem architecture
Architecture | The EEM subsystem is designed with modularity in mind. It consists of Event Detectors, an Event Manager Server, and action routines called Policies.
CLI interface | An interface to the Cisco IOS CLI that allows automated commands and access to any information that can be displayed. Includes support for the XML Programmable Interface from within EEM policies.
Policy scheduler | EEM policies are scheduled one at a time or concurrently according to the number of threads configured. An enhanced class-based scheduling option gives fine control over policy execution.
Built-in actions | Policies can invoke a number of built-in actions for easy automation.
CLI command match and run, with even more capabilities for creating your own commands
Counter | Custom counter events
GOLD | Generic Online Diagnostics (GOLD) event detection
Interface | Interface counters and events
IP SLA | Tighter integration with the SLA monitoring and measurement subsystem. Easy event triggers and automation when conditions are not satisfactory.
Memory Threshold (deprecated) | Detects memory resource related events
NetFlow | Event triggers based on traffic flow. Many uses, from capacity planning to DoS alerting and automated actions.
None (by run command) | Allows execution of an EEM policy by direct command, event manager run
Object Tracking | Integration with Enhanced Object Tracking (EOT)
OIR | Card Online Insertion and Removal detection
Remote Procedure Call | Allows authorized programs outside the device to invoke specific device-resident, embedded policies by sending a SOAP request over an SSHv2 connection.
Resource Threshold | Integration with Embedded Resource Manager; supersedes the Memory Threshold event detector.
Creates events when a specified SNMP trap or inform is received at the device. This allows policies to be triggered by events from other devices.
Syslog | Regular expression pattern match on emitted Syslog messages
Timer | Custom timed events
IOS Watchdog Monitor | Cisco IOS scheduler and watchdog events
WDSysMon | Cisco IOS Software Modularity: system monitor events
Secure system operation
EEM scripts run within system constraints | Protects the system from harm, e.g. a looping script will not stop Cisco IOS
User scripts run in Safe-Tcl mode | Certain programmable options are disabled for protection
Controlled environment | Only a network administrator with privileged access can define and set up EEM scripts. No one else can install software to compromise the system.
Support for TACACS+/RADIUS | EEM scripts can be associated with a configured user ID. All CLI commands issued by the scripts are authorized before they are executed.
EEM is optional | If you don't want to use this powerful capability, you don't have to enable it.
Online scripting community
Cisco Beyond-Product Extension Community | A place for customers to share and download scripts. Don't reinvent the wheel. Build and extend the work of others. Learn by example. Go to: http://www.cisco.com/go/ciscobeyond
Product Architecture
The Cisco IOS Embedded Event Manager is a primarily product-independent software feature consisting of a series of Event Detectors, an Embedded Event Manager Server, and interfaces that allow action routines called Policies to be invoked. There are also internal application programming interfaces for other Cisco IOS subsystems to take advantage of the EEM subsystem. The diagram in Figure 14 illustrates the EEM components.
Figure 14. EEM Architecture
Notice there are two types of EEM Policies:
• Applet Policies: easy-to-use interface, defined using the configuration CLI
• Tcl Policies: more flexible and extensive capabilities, defined using the Tcl programming language
Once one or more policies are defined, the Event Detector software will watch for the conditions that match those defined by the policy. When a condition occurs, the event is passed to the Event Manager Server. The server then invokes any policy that has registered for that particular event. The actions defined within the policy are then carried out.
Each type of event has specific options, parameters and detailed information that is available to the policy when it is invoked. All of these details are described in the Cisco IOS documentation.
Feature Specifications
Please use the Cisco IOS Feature Navigator application on Cisco.com to check the latest information on software and product availability. Go to: http://cisco.com/go/fn. The following table includes EEM feature availability information.
Table 5. EEM Feature Specifications
Product compatibility | EEM is available for the Catalyst 6500 Series Switches, Cisco Integrated Services Routers, Cisco 7200 Series Routers, Cisco 7300 Series Routers, Cisco 7600 Series Routers and Cisco 10000 Series Routers; EEM is also available for the Catalyst 4500 Series Switches, the Catalyst 3700 Series Switches and the ASR 1000 Series Routers. Please refer to the Cisco IOS Feature Navigator for the latest device support information.
Software compatibility | EEM is available in Cisco IOS Software Releases 12.2SX, 12.2SR, 12.2SB, 12.4, 12.4T, 12.2SG, 12.2SE, Cisco IOS XE, and future versions. EEM functionality is also included in Cisco IOS XR and Cisco NX-OS.
Software packaging | Some Cisco products require an enhanced feature set license to acquire support for EEM. Please refer to the Cisco IOS Feature Navigator for the latest packaging information.
System Requirements
The EEM software subsystem consumes CPU and memory resources in its operation. Tcl-based policies reside on flash disk and take up space. Customers should examine the operation in their environment to ensure resources exist for their specific scenarios. Some basic guidelines are included in Table 6.
Table 6. EEM System Requirements
Disk space | Tcl-based policies are files stored on flash disk. The amount of space required depends on the size and number of policies and any programmed storage requirements.
Hardware | CPU utilization requirements are solution dependent.
Memory | Each Tcl-based policy uses approximately 500 KB when initialized. Beyond that, utilization is specific to the policy's operational requirements.
Software | A Tcl interpreter is included within the Cisco IOS Software. The current version is Tcl 8.3.4.
For More Information
For more information about the Cisco IOS Embedded Event Manager, visit http://cisco.com/go/eem or contact your local account representative or send email to askabouteem@cisco.com.
The Flexible NetFlow exporter introduces support for the NetFlow v5 export format. The NetFlow v5 export format must be used in conjunction with the v5 tuple in Flexible NetFlow (FNF), that is, with the one pre-defined flow record named original-NetFlow.
When transitioning from traditional NetFlow to Flexible NetFlow, the user will be able to create a Flow Monitor with the original-NetFlow record and export it using NetFlow v5 to the existing NetFlow v5 collector. In addition, the user will be able to create a second Flow Monitor to take advantage of other innovative FNF capabilities, such as Flow record customization and NetFlow v9 export.
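The two-monitor transition described above, as an added example configuration (not from the bulletin); the pre-defined record is selected with the netflow ipv4 original-input keyword, and the collector addresses, ports and object names are constructed placeholders:

```ios
! 1) Exporter for the existing NetFlow v5 collector (192.0.2.10, constructed).
!    v5 export is only valid together with the fixed original record below,
!    because v5 has no templates and can carry only the traditional fields.
flow exporter LEGACY-V5-EXPORTER
 destination 192.0.2.10
 transport udp 2055
 export-protocol netflow-v5
!
! 2) Flow monitor that keeps the legacy collector fed unchanged.
flow monitor LEGACY-V5-MONITOR
 record netflow ipv4 original-input
 exporter LEGACY-V5-EXPORTER
 cache timeout active 60
!
! 3) A customized record the v5 format could not express: DSCP is part of the
!    key, so each class of service becomes its own flow.
flow record APP-DSCP-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 dscp
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! v9 is the default export protocol; templates are resent every 60 seconds so
! a restarted collector can decode the records again.
flow exporter V9-EXPORTER
 destination 192.0.2.11
 transport udp 9995
 template data timeout 60
!
flow monitor APP-DSCP-MONITOR
 record APP-DSCP-RECORD
 exporter V9-EXPORTER
!
! 4) Both monitors run side by side on the same ingress interface for the
!    duration of the migration.
interface GigabitEthernet0/1
 ip flow monitor LEGACY-V5-MONITOR input
 ip flow monitor APP-DSCP-MONITOR input
```

"show flow monitor LEGACY-V5-MONITOR cache" and "show flow exporter statistics" confirm that both caches fill and that each exporter is sending datagrams to its collector.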
Benefits
• Enable smooth migration from traditional NetFlow to Flexible NetFlow.
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7300 Series Routers
Understanding who is using the network and for how long, what protocols and applications are being utilized and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes, including network management and planning, user and security monitoring, protocol and application monitoring, Enterprise accounting, and departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.
Flexible NetFlow CLI is used extensively for troubleshooting and understanding network behavior. Flexible NetFlow CLI has been enhanced to provide advanced search capabilities. The new CLI provides a generic set of tools to display any kind of Flow Monitor (IPv4, IPv6, Layer2, etc.) in a more efficient way. Flexible NetFlow CLI allows filtering, aggregating and sorting the content of a Flow Monitor:
• Flow Filtering: The user will be able to filter on any field available in the Flow Record used by the Flow Monitor being examined. The filtering can be an exact match or a match on a range or a regular expression.
• Flow Aggregation: The user will be able to display the Flows that are formed by aggregating any subset of the key fields available in the Flow Record used by the Flow Monitor being examined.
• Flow Sorting: the user will be able to control the sorting of Flows using the fields that are available in the FNF Cache to be shown. This could be the primary or secondary (post aggregation step) cache.
Benefits
• Security: Able to view the list of top talkers to see if traffic patterns consistent with a Denial of Service (DoS) attack are present in the network.
• Load balancing: Able to identify the most heavily used parts of the system and move network traffic over to less-used parts of the system
• Traffic analysis: Consulting the data retrieved via the Top Talkers CLI can assist in general traffic study and planning for the network.
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7300 Series Routers
3.2.4) Flexible NetFlow-Multicast Statistics for IPv4 Support
The Flexible NetFlow IPv4 Multicast support feature allows users to capture multicast-specific data (both packets and bytes) for multicast flows. For example, you can capture the packet replication factor for a specific IPv4 flow, as well as for each outgoing stream.
Flexible NetFlow IPv4 Multicast Support feature can identify and count multicast IPv4 packets on the ingress side or the egress side (or both sides) of a router. Multicast ingress accounting provides information about the source and the number of times the traffic was replicated. With multicast ingress accounting, the destination interface field will be set to null, and the IP next hop field is set to zero for multicast flows. Multicast egress accounting creates a unique flow record for each outgoing interface.
The Flexible NetFlow IPv4 Multicast Support feature also lets you enable NetFlow statistics that account for all packets which fail the Reverse Path Forwarding (RPF) check and are dropped in the core of the service provider network. Accounting for RPF-failed packets provides more accurate traffic statistics and patterns.
Flexible NetFlow IPv4 Multicast requires NetFlow v9 export format to export Multicast statistics.
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7300 Series Routers
3.3.1) Cisco VG202 and Cisco VG204 Analog Phone Gateways
The Cisco VG202 and Cisco VG204 Analog Phone Gateways are Cisco IOS Software-based analog voice gateways, which extend the Cisco VG224 offering. The Cisco VG202 and Cisco VG204 offer 2 FXS ports and 4 FXS ports per unit, respectively. Integrating into the Cisco Unified Communications solution for Enterprise branch offices and SMBs just like the Cisco VG224, these analog voice gateways enable analog phones, fax machines and modems to connect to an IP infrastructure. They will be supported by the Cisco Unified Communications Manager releases 6.1(3) and 7.0(1) or later. The Cisco VG202 and Cisco VG204 offer, in a desktop form-factor with fanless design, the entire set of rich Cisco IOS Software based voice and security features offered by the VG224. They also offer proven DSP technology that is consistent across the VG224 and the Cisco Integrated Services Router Voice Gateways.
Cisco is consistently leading the development of Session Initiation Protocol (SIP). SIP support is part of the Cisco IOS Software that runs on all routers in the Integrated Services Router (ISR) portfolio. It is also a key component of the unified communications solution for service providers, Enterprises, SMBs and small branch offices, providing voice, data, voicemail, Automated Attendant, video, and security capabilities.
In this current release, core components include the following:
• RSVP Preconditions (RFC3312) for TDM Gateway and Cisco Unified Communications Manager Express. It extends negotiation of RSVP CAC/QoS across CUCM clusters*, Gateways, CUCME and CUBE
• Audio RSVP enhancements to support RE-INVITE or 302-Response based supplementary services on gateways
• RSVP support on the SIP trunk of SCCP-CUCME
• SIP SRTP Fallback to Non-secure RTP and SRTP over sip: scheme for CUBE:
This feature extends the existing SRTP fallback on the SIP-TDM gateway to interoperate with the SRTP fallback method of CUCM on the SIP trunk. It adds CUCM-interoperable SRTP fallback support to the SIP-SIP and SIP-H.323 call flows of CUBE. This is supported on CUBE for the following call flows: EO-EO, DO-DO, FS-EO, EO-FS and SS-DO.
• SIP Diversion Header Enhancements
• SIP History-Info (RFC 4244): Many services that SIP is anticipated to support require the ability to determine why and how a call arrived at a specific application. The SIP History-Info header provides a standard mechanism for capturing request history information, enabling a wide variety of services for networks and end users. The History-Info header is a building block for the development of new services.
• SIP Multicast Music on Hold: When the IP phone puts a call on hold, CUCM asks the MOH server to stream RTP packets to a pre-configured multicast address. CUCM also sends a mid-call INVITE carrying the sendonly attribute and the multicast address to the IOS SIP gateway, which then listens on that multicast address.
3.4.1) Cisco 880 3G and Cisco 880 SRST Router Series
Cisco Systems is pleased to announce the orderability of the Cisco 880 3G and Cisco 880 SRST Router Series. The Cisco 880 Series is part of the Cisco 800 fixed-configuration router family and offers Internet access, security, voice, and wireless services over broadband speeds in a single, secure device that is simple to use and manage, for small businesses and small remote offices.
The Cisco 880 Series Integrated Services Routers are fixed-configuration routers that provide collaborative business solutions for secure data communication to small businesses and Enterprise teleworkers. The Cisco 880 Series offers concurrent broadband services over 3G, Metro Ethernet, and multiple types of DSL for business continuity. Wireless 802.11n and 3G offer LAN and WAN mobility.
Figure 15. Cisco 880 3G and Cisco 880 SRST Router Series
The 880G Series with the 3G wireless option offers a cost-effective, rapidly deployable, reliable and secure backup solution. In addition to 3G wireless WAN, the Cisco 880G Series offers additional WAN options such as xDSL and a Fast Ethernet (FE) WAN interface, a 4-port 10/100 FE managed switch with VLAN support, and the latest 802.11n wireless LAN capability. The 880G Series supports the latest 3G standards (HSPA and EVDO Rev A) and is backward compatible with UMTS/EDGE/GPRS and EVDO Rev 0/1xRTT respectively. The 880G Series has two variants:
• GSM/UMTS models are based on 3GPP and support HSPA, UMTS, EDGE and GPRS
• CDMA models are based on 3GPP2 and support EVDO RevA/Rev0 and 1xRTT
The Cisco 880 SRST Series is ideal for small remote sites and teleworkers who need to be connected to a larger Enterprise. These routers help extend corporate networks to secure remote sites while giving users access to the same applications found in a corporate office. The Cisco 880 SRST Series routers offer WAN options such as xDSL and a Fast Ethernet (FE) WAN interface, a 4-port 10/100 FE managed switch with Power over Ethernet, and the latest 802.11n wireless LAN capabilities. Additionally, the Cisco 880 SRST Series offers 4 FXS ports, FXO or BRI for PSTN connectivity, and a 4-user SRST license.
Table 7. Cisco 880 3G and Cisco 880 SRST Router Series Part Numbers
Part Number | Product Name
Ethernet and 3G: Configurable 3G Bundles
CISCO881G-K9 | Cisco 881 Ethernet Security Router with 3G
CISCO881GW-GN-A-K9 | Cisco 881 Ethernet Security Router with 3G, 802.11n FCC Compliant
CISCO881GW-GN-E-K9 | Cisco 881 Ethernet Security Router with 3G, 802.11n ETSI Compliant
G.SHDSL and 3G: Configurable 3G Bundles
CISCO888G-K9 | Cisco 888 G.SHDSL Router with 3G
CISCO888GW-G-AN-K9 | Cisco 888 G.SHDSL Wireless Router with 3G, 802.11n FCC Compliant
CISCO888GW-G-EN-K9 | Cisco 888 G.SHDSL Wireless Router with 3G, 802.11n ETSI Compliant
SRST
C881SRST-K9 | Cisco 881 SRST Ethernet Security Router with FXS, FXO
The Cisco IAD2435-8FXS Integrated Access Device provides small and medium-sized businesses with a cost effective platform for managed data, voice, and security services.
The Cisco IAD2435-8FXS Series offers unparalleled value to both Small and Medium-sized Businesses (SMBs) and the service providers delivering managed services to these customers. As an addition to the Cisco IAD2430 Series Integrated Access Device family, the IAD2435-8FXS comes loaded with integrated features and services and is designed with the scalability required for delivering managed solutions for broadband data, packet voice, unified communications and security, all in one router platform.
Cisco IAD2435-8FXS Integrated Access Device is a fixed configuration platform and comes with the following hardware and support for industry standard voice protocols like SIP, MGCP and H.323:
3.4.3) Intrusion Prevention System Enhanced Network Module
The Intrusion Prevention System Enhanced Network Module is an integrated IPS module for the Cisco 2811, 2821, 2851 and 3800 Series Routers. It provides advanced, accelerated threat control to protect SMB and branch offices and extends the security perimeter out to the entire corporate network. The IPS NME has the following features:
• Supports inline and promiscuous modes upon configuration
• Runs same software (CIPS 6.1) and features as Cisco IPS 4200
• Has dedicated CPU and DRAM to offload host CPU
• Supports up to 75 Mbps
• Can be managed by Cisco IPS Device Manager (IDM), Cisco Configuration Professional (CCP), Cisco Security Manager (CSM), IPS Manager Express (IME) and CS-MARS
Figure 16. Intrusion Protection System Enhanced Network Module
4.1.1) Group Encrypted Transport VPN (GET VPN) Support for the Cisco VPN Services Adapter (VSA) for Cisco 7200 NPE-G2 Series Routers
Cisco IOS Release 12.4(20)T adds GET VPN support for the Cisco VSA, the latest high-performance encryption and key-generation services module for IPsec VPN applications on Cisco 7200 NPE-G2 Series Routers.
GET VPN is a standards-based IP Security (IPsec) model built on the Group Domain of Interpretation (GDOI, RFC 3547): a key server distributes a shared group key and policy to "trusted" group members, which then encrypt directly to one another without negotiating any point-to-point IPsec tunnel. GET VPN simplifies securing large Layer 2 or MPLS networks that require partial- or full-mesh connectivity.
Benefits
The VSA offers increased IPSec performance over the Cisco VPN Acceleration Module 2+ (VAM2+) module.
Cisco IOS Content Filtering offers category-based productivity and security ratings. Content-aware security ratings protect against malware, malicious code, phishing attacks, and spyware; URL and keyword blocking help keep employees productive when they access the Internet. It is a subscription-based hosted service that uses Trend Micro's global TrendLabs™ threat database and is closely integrated with Cisco IOS Software. It is supported on routers running the Advanced Security image; feature licenses can be purchased from the Cisco.com ordering tool or through your Cisco partner or account team.
Figure 17. IOS Content Filtering Use Case Scenario
Benefits
• Secures Internet access to branch, without the need for additional devices
• Controls spyware and malware at the remote site; conserves WAN bandwidth
• Improves employee productivity and protects network resources by enabling content filtering
4.1.3) VRF-Aware Cisco IOS Intrusion Prevention System (IPS)
VRF-Aware Cisco IOS IPS allows Enterprises or service providers to put different groups of users or network segments into separate Virtual Routing and Forwarding (VRF) groups and to configure IPS on only certain VRFs or to configure IPS differently on each VRF. Divisions or functional groups separated by VRF segments may have different threat protection needs. Examples include:
• Vendor-provided applications vs. native applications
• Administrative users vs. regular employees vs. contractors/guests
• Students vs. faculty members vs. school administration
VRF-aware Cisco IOS IPS also lets network security operators distinguish the IPS event alarms generated within each user group or network segment by their VRF ID.
Figure 18. Typical Use Case for VRF Aware Cisco IOS IPS
Benefits
• Allows the configuration of IPS on only certain virtual network segments (VRFs) or in a different way on each VRF
• Distinguishes between IPS alarms/events generated within each group (VRF segment) based on VRF ID
• Supports IPS on VRF interfaces in addition to physical interfaces with or without overlapping IP addresses
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, and 7200 Series Routers
Cisco IOS Firewall offers the ability to deploy secure access policies at all network interfaces: Internet perimeter, remote-site connectivity, business-partner access, and telecommuter connections. User-based Cisco IOS Firewall dynamically binds unique zone-based firewall policies to a group where members, regardless of IP address entry point, are authorized using authentication proxy or Network Admission Control (NAC).
Figure 19. User based Cisco IOS Firewall Example
Benefits
• Facilitates the support of Enterprise mobile workers where user access is dynamic, while maintaining source IP address and user group associations
• Secures granular access to the branch, without the need for additional devices
4.1.5) Application Inspection and Control for Simple Mail Transfer Protocol (SMTP)
Cisco IOS Firewall Application Inspection and Control (AIC) expands SMTP inspection to a more detailed level, giving more control over how SMTP traffic is inspected.
Benefits
• Inspects SMTP at a more granular level
• Examines actual message data, such as attachment types and encoding types
• Detects a limited number of attack signatures
• Can report signature matches through syslog alerts to warn of a possible attack, for example illegal SMTP commands in a packet
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.6) Cisco IOS Firewall Support for Skinny Local Traffic
Cisco IOS Firewall enhances its support for local Skinny traffic. The feature inspects Skinny Client Control Protocol (SCCP) data that is generated or terminated on the firewall router itself, in two main deployment scenarios:
1. Cisco Call Manager Express (CME) runs on the Cisco IOS Firewall router and manages the VoIP phones using SCCP over the intranet or Internet.
2. Analog and VoIP phones are connected to, and managed by, the CME router on which Cisco IOS Firewall is enabled.
Benefits
• Inspects SCCP traffic that the router itself originates or terminates, not only pass-through traffic
• Inspects CME signaling carried in SCCP across the intranet or Internet
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
Cisco IOS Firewall SIP application-layer gateway (ALG) and protocol inspection prevents unauthorized calls, call hijacking, SIP protocol exploits, and related denial-of-service (DoS) attacks. It supports both pass-through traffic and traffic generated or terminated locally on the router.
Benefits
• Prevents malformed SIP packets from reaching Cisco Unified Communications Manager at the head office
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.8) Cisco IOS Firewall H.323 Version 3 (v3) and Version 4 (v4) Support
Cisco IOS Firewall adds support for H.323 v3 and v4 so that mission-critical IP telephony calls stay available through the firewall without degrading call quality.
Benefits
• Includes H.323 v3 and v4 Annex E, Annex G, and Annex D support
• Supports H.323 v3 and v4 fax and call transfer capabilities
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.9) Instant Messaging Blocking Support in Cisco IOS Firewall for "I Seek You" (ICQ) and Windows Messenger
Cisco IOS Firewall Application Inspection and Control (AIC) adds management and control of Instant Messaging (IM) applications such as ICQ and Windows Messenger.
Benefits
• Detects, blocks or throttles ICQ and Windows Messenger traffic
• Enforces policy for ICQ ("I Seek You") Instant Messenger version 2001b and later and for Windows Messenger version 5.1
• Provides granular control over file transfers and attachments, application sharing, games, video/audio conferencing, and pop-ups
• Can send a syslog message for each event
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, 7301 Series Routers
4.1.10) Object Groups for Access Control Lists (ACL)
ACL Object Groups allow network administrators to classify users, devices, and protocols into groups allowing them to apply policies based on group classification. IP hosts and networks, protocols and ports are defined in object groups. Once configured, object groups can then be used in the place of IP addresses, protocols or ports within Access Control Lists (ACLs).
The two steps required to configure object groups for ACLs are shown below:
Step 1. Define the Object Group:
! Define network type object-groups to group IP hosts and networks
object-group network Engineering
10.240.12.0 255.255.255.0
10.245.10.0 255.255.255.0
object-group network Web-Servers
10.1.1.0 255.255.255.0
host 10.10.10.100
object-group network Mail-Servers
10.32.1.0 255.255.255.0
! Define a service type object group to group your protocols and ports
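The following configuration is an added example, not part of the bulletin's own configuration, that carries both steps through on its own: it defines network and service object groups, references them from an extended ACL, and applies the ACL to an interface. All group names, the ACL name, the interface name and the addresses (RFC 5737 documentation space) are assumptions.

```cisco
! Step 1 (assumed names and addresses): network and service object groups
object-group network Branch-Users
 description Workstations in the two branch subnets
 10.200.1.0 255.255.255.0
 10.200.2.0 255.255.255.0
object-group network DMZ-Web
 description Public web tier
 192.0.2.0 255.255.255.0
 host 192.0.2.10
object-group network DNS-Servers
 host 192.0.2.53
object-group service Web-Ports
 description HTTP and HTTPS only
 tcp eq 80
 tcp eq 443
object-group service DNS-Ports
 tcp-udp eq 53
!
! Step 2: reference the groups from an extended ACL. Each ACE reads
! "permit <service group> <source group> <destination group>", so a
! member added to a group later widens every ACE that names that group.
ip access-list extended BRANCH-TO-DMZ
 permit object-group Web-Ports object-group Branch-Users object-group DMZ-Web
 permit object-group DNS-Ports object-group Branch-Users object-group DNS-Servers
 deny ip any any log
!
! Apply inbound on the branch-facing interface (assumed interface name)
interface GigabitEthernet0/0
 description Branch LAN
 ip access-group BRANCH-TO-DMZ in
!
! Verification: "show object-group" lists the members of every group, and
! "show ip access-lists BRANCH-TO-DMZ" shows the ACEs with their hit counts
```

Because a group edit silently changes the reach of every ACL that uses it, review group membership with show object-group as part of any change, not only the ACL text.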
4.1.11) Cisco IOS SSL VPN Access Control Enhancements
Depending on the network security design, repeatedly asking a user for credentials to gain secure access may be redundant. This is especially true for cellular providers that authenticate users as they join the network. With the Cisco IOS SSL VPN Access Control Enhancements, login credentials can be embedded in the URL the client machine uses to connect to the SSL VPN gateway, so users are not challenged for credentials and instead start their SSL VPN session immediately. Because the credentials travel in the URL, they are visible to anything that records URLs (browser history, proxy and web-server logs), so this option suits environments where the network has already authenticated the user and the embedded credential is not a long-lived secret.
Benefits
• Simplifies the user login procedures
• Reduces intrusive and repetitive login prompts
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.12) Cisco IOS SSL VPN AnyConnect Client Support
AnyConnect is the Cisco next-generation SSL VPN client. It replaces the Cisco SSL VPN Client (SVC) and requires no pre-installation or pre-configuration on the client machine.
The Cisco IOS SSL VPN AnyConnect client is pushed from the secure gateway to the client machine when needed. Traffic is encrypted and authenticated through a full network-layer tunnel, similar to traditional IPsec, that carries IP traffic of any type. Performance is greatly improved because the secure traffic needs none of the URL rewriting required for clientless connections.
AnyConnect goes beyond the SVC client with support for multiple operating systems, including Windows Vista, Apple Mac OS X, and Linux, so administrators can support a mixed operating-system environment.
Once pushed to the user, the Cisco AnyConnect client can be configured to stay installed so that subsequent connections do not require repeated downloads and installations. Standalone mode lets users initiate new SSL VPN tunnel sessions without a web browser, simplifying login.
Figure 20. Cisco IOS SSL VPN AnyConnect Client Support
Benefits
• Avoids pre-configuration and pre-installation requirements
• Improves performance over clientless only traffic
• Offers support for multiple operating systems
• Reduces bandwidth requirements in Standalone mode
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
In the past, all clientless-mode user requests were sent directly to internal servers, so the internal servers had to be directly reachable from the SSL VPN gateway. This enhancement adds HTTP proxy client functionality to the Cisco IOS SSL VPN gateway, so requests can now be passed to an internal proxy server in the protected network.
Benefits
• Provides increased flexibility and control in supporting more diverse internal network architectures
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
Cisco Express Forwarding (CEF) Scalability and Selective Rewrite (CSSR) technology for IP has been added to full-tunnel mode as well as clientless SSL VPN deployments. Combining CSSR with SSL VPN full-tunnel traffic provides greater throughput and reduces router CPU utilization.
Note: CSSR, supported in Cisco IOS Release 12.4(20)T onward, is a scalable, distributed, Layer 3 switching technology designed to meet the future performance requirements of Enterprise networks. Refer to the Cisco IOS Infrastructure section for more information on CSSR support.
Benefits
• Increases scalability and performance
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.15) Cisco IOS SSL VPN URL Split Rewrite Support
In SSL VPN clientless operation, the SSL VPN gateway acts as a proxy between client and server, inspecting all web traffic and rewriting the URLs in the content. This process is CPU intensive and slow, which limits performance and scalability.
Conceptually similar to split tunneling in IPsec, the URL Split Rewrite feature for Cisco IOS SSL VPN lets the administrator select which URLs are processed through the SSL VPN gateway and which the client may reach directly. Internal web connections to protected resources are still processed through the gateway, while external traffic can be allowed a direct connection. As with split tunneling, anything reached directly bypasses the gateway's inspection and access policy, so the direct list should contain only sites for which that is acceptable.
Figure 21. Cisco IOS SSL VPN URL Split Rewrite Support
Benefits
• Provides flexibility to selectively define what traffic needs SSL VPN protection
• Improves scalability and performance by not processing all of a remote user's traffic
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.16) Next Hop Resolution Protocol (NHRP) MIB for Dynamic Multipoint VPN (DMVPN)
To manage DMVPN deployments effectively, administrators need to see not only the individual IPsec-protected multipoint GRE (mGRE) tunnels but also the control-plane (NHRP) statistics associated with them.
The NHRP MIB for DMVPN feature addresses this by providing information on NHRP usage, routes, sessions, the maximum throughput supported by NHRP hubs, and memory use in a DMVPN network.
Benefits
• Improves manageability of DMVPN networks.
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.17) IPv6 Over Dynamic Multipoint VPN (DMVPN) Support
DMVPN has added support for IPv6 in combined IPv4 and IPv6 network environments. Where secure connectivity is required, DMVPN can now be used to connect IPv4 and IPv6 networks.
Benefits
• Supports standards-based IPv6
• Supports IPSec native mode
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.18) Group Encrypted Transport (GET) VPN Support for VRF-Lite
GET VPN support for VRF-Lite allows Enterprises or service providers to support multiple VPN Routing and Forwarding (VRF) instances on Customer Edge (CE) devices. VRF-Lite extends limited Provider Edge (PE) functionality to a CE device, letting it maintain separate VRF tables and extending the privacy and security of a VPN to the branch office. The same CE device can then serve several internal departments while keeping a separate VRF table for each.
The GET VPN key server is not VRF-aware. As a result, there are two possible deployment scenarios, depending on whether the PE router uses a single MPLS VPN (PE VRF) or one per GET VPN group:
• Case 1: The PE uses a single MPLS VPN (PE VRF) for all group member VRFs (CE VRFs). Group members can use the same certificate to authenticate all the crypto maps applied on VRF interfaces. Overlapping addresses cannot be used in the group member VRFs, because the PE holds all group member addresses in a single VRF. Note also that traffic excluded from the encryption policy is not kept apart: it can be routed between group member VRFs, since the PE sees them as one VRF.
• Case 2: To use overlapping addresses between group member VRFs, the PE router must use a separate MPLS VPN (PE VRF) for each group member VRF. In addition, a separate key server must be dedicated to each VRF because the key server is not VRF-aware, and group members should use a separate certificate to authenticate each crypto map.
Benefits
• Allows customers to share the same CE router for various internal departments while maintaining separate VRF tables for each department
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.19) Cisco Tunnel Control Protocol (cTCP) Support on Easy VPN Hardware Clients
In many situations a VPN client must operate where standard IPsec traffic, IP protocol 50 (ESP) or UDP port 500 (IKE), either cannot pass at all or cannot pass transparently without changes to existing firewall rules. With Cisco Tunnel Control Protocol (cTCP), which carries the IKE and ESP exchange inside a TCP connection (port 10000 by default), users can establish VPN tunnels from the client to an Easy VPN Server through a third-party Network Address Translation (NAT) device or firewall.
Figure 22. Cisco Tunnel Control Protocol (cTCP) Support on Easy VPN Hardware Clients
Benefits
• Requires no modification of firewall rules
• Creates fewer limitations from where clients can connect
• Offers transparent interoperability with third party firewalls
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
A variety of IPsec usability enhancements are introduced in Release 12.4(20)T:
Intelligent Defaults
Eight default Internet Key Exchange (IKE) policies and default IPsec transform sets are provided. The default IKE policies are enabled by default; a default IPsec transform set is used only when no other transform set is configured for a crypto map.
To display the default IKE policies, the following CLI command has been created:
show crypto isakmp default policy
If the default policies are disabled, show crypto isakmp default policy does not display them. If the user configures an ISAKMP policy, the default policies are not used during negotiation. Because the defaults decide what the router will accept when nothing explicit is configured, review them before relying on them, and configure explicit policies to pin the algorithms and DH groups you intend. This command is not available in K8 (export, no strong cryptography) images.
To display the default IPsec transform sets, the following CLI command has been created:
show crypto ipsec default transform-set
The default transform sets are not available in K8 images.
IPSec Show Command Enhancements
Using IOS show commands to display data maintained by the MIB agent helps monitor CPE devices. The following show commands are examples (if a VRF name is given, MIB table information is shown for that VRF only; otherwise information for all VRFs is displayed):
show crypto mib isakmp flowmib failure [vrf vrf-name]
show crypto mib isakmp flowmib global [vrf vrf-name]
show crypto mib isakmp flowmib history [vrf vrf-name]
Show Tech Support IPSec
Resolving technical issues often requires running several show commands and collecting their output. To simplify this, show tech-support ipsec [vrf vrf-name] [peer-ip address] has been created to collect the same output with a single command.
Benefits
• Improves administration
• Simplifies configuration with default policies
• Improves problem reporting
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.1.21) Secure Shell Protocol Version 2 (SSHv2) Feature Enhancements
A number of SSHv2 enhancements have been added, including additional debugging output, VRF-aware SSH (the router can originate SSH sessions into a specified VRF), keyboard-interactive authentication, and Diffie-Hellman group-exchange key exchange (RFC 4419) with minimum modulus sizes of 2048 and 4096 bits.
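The following is an added example, not configuration from the bulletin, of what a hardened SSHv2-only management configuration looks like once the group-exchange minimum is available. The hostname, domain, addresses, VRF name and user are assumptions.

```cisco
! Added example (assumed names and addresses): SSHv2-only management access
! with a 2048-bit RSA host key and a 2048-bit Diffie-Hellman group-exchange minimum
hostname edge-rtr
ip domain-name example.net
! The host key is generated first; a 2048-bit DH minimum is pointless with a 1024-bit host key
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh dh min size 2048
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh logging events
!
! Only the management subnet may open a session, and only over SSH (no telnet)
ip access-list standard MGMT-HOSTS
 permit 10.250.0.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
!
! From the router as a client, VRF-aware SSH picks the VRF the target lives in:
!   ssh -vrf MGMT -l netops 10.250.0.20
!
! Verification: "show ip ssh" reports the SSH version and the minimum DH key size
! in effect; "debug ip ssh" shows the key exchange negotiated by a connecting client
```

The access-class plus transport input ssh pair is what turns the stronger key exchange into a real control: without it, a client can still reach the router over telnet or from any source, whatever the DH minimum says.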
4.1.23) CLI to Control Certificate Revocation List (CRL) Cache
When an X.509 certificate is validated, the Certificate Revocation List (CRL) is consulted. To speed up certificate validation, IOS caches downloaded CRLs in volatile memory on the router. Instead of a fixed amount of memory, administrators can now shrink the cache under low-memory conditions or enlarge it for better performance when a large number of CRLs is in use.
Benefits
• Helps to optimize router memory allocation
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
Secure Device Provisioning (SDP) Connect Template increases the usability and range of applications for configuring a device for Internet connectivity. This eases the deployment of routers, particularly routers that do not yet have Internet connectivity.
Benefits
• Eases deployment burden on administrators
• Reduces deployment costs
Hardware
Routers
• Cisco 800, 1800, 2800, 3800, 7200, and 7301 Series Routers
4.2.1) Cisco Express Forwarding Scalability and Selective Rewrite (CSSR)
Cisco Express Forwarding (CEF) technology for IP is a scalable, distributed, layer 3 switching solution designed to meet the performance requirements of the Internet and Enterprise networks. The CEF infrastructure has been adapted and rewritten as Cisco Express Forwarding Scalability and Selective Rewrite (CSSR) in order to meet the requirements and scalability of Internet traffic evolution as well as support new platforms and features developed by Cisco.
This infrastructure is also supported in Cisco IOS Software Releases 12.2SB, 12.2SE, 12.2SG, 12.2SR, and 12.2SX.
Benefits
CSSR delivers the following benefits:
• Enhances scalability to sustain Internet growth, supporting larger numbers of:
– IPv4/IPv6 prefixes and adjacencies
– Load balanced paths
– VPNs (VPN routing/forwarding instances)
• Simplifies fast switching path decisions for both IPv4 and IPv6 traffic
• Offers improved manageability:
– CEF logging for both IPv4 and IPv6
– Unicast Reverse Path Forwarding Strict and Loose mode for both IPv4 and IPv6
– CEF MIB support
– uRPF MIB support
– CLI display enhancements
Considerations
CSSR infrastructure enhancements in Release 12.4(20)T might result in changed performance characteristics in your networks. Please test your configurations prior to upgrading to this software release.
NTP Version 4 is a protocol designed to synchronize the clocks of a network of machines. It is widely used on the Internet to synchronize hosts and routers, since most manufacturers include NTP software with their systems.
As the Internet grows from thousands to millions of devices, NTP must scale better, improve its security, and support Internet Protocol Version 6 (IPv6).
The NTP Version 4 IETF draft (since published as RFC 5905) is a significant revision of the NTP Version 3 standard, and a number of NTPv4 implementations are in production today. The Cisco implementation prior to Release 12.4(20)T was based on NTP Version 3, an Internet draft standard formalized in RFC 1305.
Benefits
• Provides NTPv4 client and server functionality
• Allows NTPv4 configuration in IPv4 environments, including backward compatibility with NTPv3
• Enables NTP configuration in IPv6 environments
• Enables NTP configuration in VRF environment for both IPv4 and IPv6
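As an added example (not from the bulletin), the configuration below uses the NTPv4 capabilities listed above with authentication and access control, so that a spoofed time source cannot move the router's clock. That matters beyond logging: key-chain lifetimes (as used for LDP MD5 key rollover) and certificate and CRL validity checks all depend on the clock. Server addresses, the VRF name, the key number and the key string are assumptions.

```cisco
! Added example (assumed addresses and key): authenticated NTPv4 over IPv4 and IPv6,
! with the router serving time only to its own LAN
ntp authenticate
ntp authentication-key 10 md5 ExampleKey10
ntp trusted-key 10
!
! Upstream servers: an IPv4 and an IPv6 source, both required to sign with key 10
ntp server 192.0.2.123 key 10 prefer
ntp server 2001:db8:100::123 key 10
! A server reached through a VRF (assumed VRF name) gets its own server statement
ntp server vrf MGMT 10.250.0.123 key 10
!
! Access control: peer access only for the upstream server, serve-only for the LAN,
! everything else (including query-only) is refused
access-list 10 permit 192.0.2.123
access-list 11 permit 10.200.0.0 0.0.255.255
ntp access-group peer 10
ntp access-group serve-only 11
!
! Verification: "show ntp associations" flags which associations are authenticated
! and which one is the selected reference; "show ntp status" reports the stratum
```

Keys are symmetric, so the same key number and string must be configured on the upstream server; a server that does not sign with a trusted key is simply ignored rather than used unauthenticated.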
4.3.1) Cisco IOS MPLS Label Distribution Protocol (LDP) Enhancements
Cisco IOS MPLS LDP offers standards-based feature capabilities for MPLS label information signaling between MPLS-enabled routers. In addition to RFC 3036-compliant MPLS signaling, Cisco MPLS LDP offers a number of value-added capabilities that improve configuration and usability. The MPLS LDP feature capabilities focus on LDP CLI configuration enhancements, enhanced security, and coexistence with the Cisco High Availability (HA) feature set, including Nonstop Forwarding (NSF) with Stateful Switchover (SSO).
The following LDP features and enhancements are introduced in Cisco IOS Release 12.4(20)T:
MPLS LDP-Message Digest 5 (MD5) Global Configuration
The MPLS LDP MD5 Global Configuration feature enhances the use of MD5 passwords for LDP session authentication. LDP MD5 can be enabled globally (in global configuration mode, for all LDP-enabled interfaces on the router) instead of on a per-LDP-peer basis, and a password can be required for a specific LDP neighbor or for a set of neighbors (an LDP peer group) selected through an access control list. This helps prevent unauthorized peers from establishing LDP sessions with the local LDP process and blocks spoofed TCP segments.
MPLS LDP-Lossless MD5 LDP Session Authentication
The MPLS LDP Lossless MD5 Session Authentication feature lets the MD5 keys used for LDP session authentication be changed without tearing down the session. Through a configurable MD5 key chain, multiple keys with specific activation intervals can be configured for a given LDP session, and the switch from one key to the next happens while the session stays up. These enhancements complement the existing MD5 LDP session authentication capability, which prior to Release 12.4(20)T allowed only a single MD5 key per LDP session.
Figure 23. MPLS LDP MD5 Global Configuration feature overview
Benefits
Key benefits of the new MPLS LDP feature enhancements include the following:
• MPLS LDP-MD5 Global Configuration: Enhanced configuration capabilities for enabling MD5-based LDP session authentication, including MD5 authentication configuration for specific LDP peer groups and ability to update existing MD5 keys without impacting current state of LDP sessions.
• MPLS LDP-Lossless MD5 LDP Session Authentication: No need anymore to tear down LDP session to activate new MD5 key for LDP session authentication. Configurable key chain enables flexible scheduling of multiple MD5 keys to be used for LDP session authentication.
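The following configuration is an added example, not the bulletin's own, that puts both LDP enhancements together: MD5 authentication required globally for a set of peers selected by ACL, with a key chain whose overlapping accept lifetimes allow the key to roll without resetting sessions. Peer addresses, key strings, dates and the ACL number are assumptions.

```cisco
! Added example (assumed peers, keys and dates): global LDP MD5 authentication
! driven by a key chain, so the password can roll without tearing down LDP sessions
key chain LDP-KEYS
 key 1
  key-string FirstSecret
  send-lifetime 00:00:00 Jan 1 2009 00:00:00 Jul 1 2009
  accept-lifetime 00:00:00 Jan 1 2009 01:00:00 Jul 1 2009
 key 2
  key-string SecondSecret
  send-lifetime 00:00:00 Jul 1 2009 infinite
  accept-lifetime 23:00:00 Jun 30 2009 infinite
!
! The LDP peers that must authenticate (transport addresses / router IDs)
access-list 10 permit 10.0.0.0 0.0.0.255
!
! Option 1 binds the key chain to every session with a peer matched by ACL 10;
! "password required" refuses unauthenticated sessions from those peers
mpls ldp password option 1 for 10 key-chain LDP-KEYS
mpls ldp password required for 10
!
! Verification: "show mpls ldp neighbor detail" reports the password state of each
! session, and "show key chain LDP-KEYS" shows which key is currently valid
```

The one-hour overlap between the accept lifetimes on either side of the rollover is what makes the change lossless: a peer that switches slightly earlier or later is still accepted, so the router clocks must agree (NTP) for the overlap to be real.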
Cisco IOS MPLS TE offers standards-based feature capabilities for MPLS traffic management, including explicit path configuration and protection, via signaling of TE/RSVP tunnels. In addition to RFC-compliant RSVP/TE signaling procedures, Cisco MPLS TE also offers a number of value-added feature capabilities, which enable improved configuration and usability of MPLS TE functionality, such as coexistence support with the Cisco High Availability (HA) feature set.
Starting with Cisco IOS Release 12.4(20)T, a full set of MPLS TE/RSVP capabilities is also available, including the following features:
Basic MPLS TE/RSVP:
The following capabilities are now supported as part of the base MPLS TE/RSVP feature set: