Table Of Contents
Cisco IOS Software Release 12.3T New Features and Hardware
1) Introduction: Cisco IOS Software Release 12.3T
1.2) Release 12.3T Additional Information
2) Cisco IOS Software Release 12.3(14)T Highlights
2.2) Cisco IOS Software Infrastructure
2.4) Management and Provisioning
2.7) Multiprotocol Label Switching
3) Release 12.3(11)T Highlights
3.8) Embedded Network Management
3.9) IP Addressing and Services
4) Release 12.3(8)T Highlights
4.7) IP Addressing and Services
5) Release 12.3(7)T Highlights
5.6) Embedded Network Management
5.10) Multiprotocol Label Switching
6) Release 12.3(4)T Highlights
6.8) Embedded Network Management
7) Release 12.3(2)T Highlights
7.3) Embedded Network Management
8) Appendix: Release 12.3(8)T—New Feature Enhancements
9) Appendix: Release 12.3(7)T—New Feature Enhancements
10) Appendix: Release 12.3(4)T—New Feature Enhancements
11) Appendix: Release 12.3(2)T—New Feature Enhancements
11.1) Hardware Products and Modules Newly Supported in Cisco IOS Software Release 12.3(2)T
12) Appendix: Release 12.3(11)T—New Feature Enhancements
Product Bulletin, No. 2215
Cisco IOS Software Release 12.3T New Features and Hardware
This Product Bulletin introduces Cisco IOS Software Release 12.3T, and includes the following sections:
1) Introduction: Cisco IOS Software Release 12.3T
Cisco IOS® Software is the world's premier network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.
The Release 12.3T family will be issued as a series of individual releases, each of which will create significant new revenue opportunities and will include hundreds of business-critical features, the latest hardware support, and ongoing quality improvements. Cisco will ultimately consolidate all of these individual 12.3T releases to form a single major release.
With more than sixty new features, Cisco IOS Software Release 12.3(14)T extends the functionality and benefits of Cisco IOS Software.
Release 12.3(T) powers the new Cisco Integrated Services Routers, the first hardware/software system to deliver secure, wire-speed data, voice, video, and security services to small and medium-sized businesses, Enterprise branch offices, and Service Providers who offer managed services. By speeding application deployment and reducing operating complexity, customers realize a lower total cost of ownership.
Release 12.3(11)T extends the benefits of Cisco IOS High Availability to small and medium-sized businesses and branch offices by minimizing router downtime during planned or unplanned outages.
In order to maximize the value of the network, Cisco customers are continually integrating new technologies, hardware, and services into the existing infrastructure. In recognition of the challenges this can pose, Release 12.3(8)T delivers network intelligence with integrated features that secure branch office communications, automate the deployment of new applications, and optimize the flow of outbound traffic.
Release 12.3(7)T, the third release of this family, extends the robust suite of Cisco IOS Security capabilities with features that further reduce network vulnerability. The powerful new hardware support, enhanced security management capabilities, and enriched Cisco IOS Firewall functionality in Release 12.3(7)T protect sensitive data and corporate resources from malicious attacks.
Release 12.3(4)T, the second of the 12.3T releases, allows customers to leverage embedded Cisco IOS Software functionality to more easily deploy Security, Voice and Wireless applications. By enabling integrated small-scale deployment scenarios, Release 12.3(4)T provides the infrastructure for future expansion of small and medium business and Enterprise branch customers.
Release 12.3(2)T, the first of the 12.3T releases, greatly enhances customer productivity with nearly one hundred new features across more than thirty Cisco hardware products. Highlights of Release 12.3(2)T include the Cisco 830 Series Router and Cisco Security Device Manager.
Figure 1: Major Release and New Technology Release Relationship
1.1) Migration Guide
Cisco recommends that customers who require features found in Release 12.2T upgrade to the latest version of Major Release 12.3 or 12.3T. Release 12.2T is scheduled for End of Sales on October 31, 2003. Software releases that reach End of Sales are no longer orderable, but remain available for download from Cisco.com and the Technical Assistance Center (TAC) to customers under a maintenance contract.
Figure 2 illustrates the migration path into Release 12.3T.
Figure 2: Release 12.3T Migration Path
Cisco IOS Software Release 12.3T continues to undergo an ongoing testing and review cycle to improve reliability and quality. Unlike the Major Release 12.3 family, Release 12.3T integrates new features with every maintenance release, and regular maintenance releases fold in the improvements that result from that testing cycle. Maintenance for Release 12.2T ceased upon the introduction of Major Release 12.3 and 12.3T; users of Release 12.2T should move to Major Release 12.3 or 12.3T in order to receive maintenance.
Each Cisco IOS Software new technology release is built upon the previous release: it adds new software features, hardware support, and software fixes for previous major releases and new technology releases. Release 12.3(4)T, for example, is built upon the existing functionality of Release 12.3(2)T. Customers interested in upgrading to Release 12.3T should determine their functionality needs and choose the corresponding release in the Release 12.3T family.
1.2) Release 12.3T Additional Information
• Release 12.3T Information: http://www.cisco.com/go/release123t/
• Release 12.3T Q&A: http://www.cisco.com/go/123tqa/
• Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html
• Cisco IOS Software Center (download Cisco IOS Software releases and access software upgrade planners): http://www.cisco.com/public/sw-center/sw-ios.shtml
• Cisco Feature Navigator (a web-based application that quickly matches Cisco IOS Software releases to features and hardware): http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
• Cisco Software Advisor (determine the minimum supported software for selected hardware): http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi
• Cisco IOS Upgrade Planner (view all major releases, hardware, and software features from a single interface): http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi
• Cisco IOS Software Questions and Feedback: http://www.cisco.com/warp/public/732/feedback/release/
1.3) Cisco IOS Packaging
Cisco IOS Packaging simplifies the image selection process by consolidating the total number of packages and using consistent package names across all hardware products.
Figure 3: Cisco IOS Packaging for Cisco Routers
2) Cisco IOS Software Release 12.3(14)T Highlights
Tables 1 and 2 describe and identify the feature highlights of Cisco IOS Software Release 12.3(14)T.
2.1) Security and VPN
2.1.1) Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)
Login password retry lockout conforms to the EAL4 requirement of providing these enhancements to Cisco IOS Software-enabled devices:
• The administrator can specify the number of login attempts allowed before lockout; the default is 3 and is configurable.
• When a user makes the configured number of unsuccessful login attempts, that user is locked out of the system until the administrator unlocks that user.
• Only the administrator or users with administrator-equivalent privileges are able to unlock users.
• Local AAA maintains a list of locked-out users.
• This configuration is not user specific but is device (per-box) specific.
• Exception: the system does not allow the administrator to be placed on the locked-out list.
• The locked-out list is not maintained by an external server such as a RADIUS server.
• The command-line interface (CLI) can display the list of locked-out users by means of a show command.
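The following configuration is an added example, not taken from the bulletin, showing how the lockout behaviour described above is enabled with local AAA and how the locked-out list is reviewed and cleared. The hostname, usernames and the secret placeholders are constructed.

```cisco
! Added example (not from the bulletin): local AAA login lockout.
! Usernames and secrets are constructed placeholders.
aaa new-model
! Lock a local account after 3 consecutive failed logins (the bulletin's default).
aaa local authentication attempts max-fail 3
! Authenticate logins against the local user database (per-box, no RADIUS involved).
aaa authentication login default local
!
! Administrator-equivalent account (privilege 15): per the bulletin, the
! administrator is never placed on the locked-out list, and only this level
! of user may release others.
username netadmin privilege 15 secret <ADMIN-SECRET-PLACEHOLDER>
! Ordinary operator account that is subject to lockout.
username helpdesk privilege 1 secret <USER-SECRET-PLACEHOLDER>
!
line vty 0 4
 login authentication default
 transport input ssh
!
! Audit trail and recovery (exec-mode commands, shown as comments):
! show aaa local user lockout                 -> list locked-out users
! clear aaa local user lockout username helpdesk
! clear aaa local user lockout all
```

Because the count is per device and not synchronised to an external server, a user locked out on one router is not locked out elsewhere; the `show aaa local user lockout` output is therefore the record to collect from each box during a security review.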
Benefits
• Improves the security of the networking device.
• Helps the network administrator to prevent potential unwanted access to the networking device.
• Offers flexibility for the network administrator to allow networking device access that meets the security policies and industry standards of individual corporations.
• Provides an audit trail of locked-out users for security risk assessment.
Hardware
Product Management Contact: ask-stg-ios-pm@cisco.com
2.1.2) Cisco IOS Firewall: HTTP Inspection Engine
Cisco IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. Often companies decide to permit common applications, such as Web browsing, through their firewalls. Unfortunately, such access can result in non-HTTP applications, such as instant messaging (IM), attempting to take advantage of hosts behind this opening in the firewall. Although traditional firewall enforcement blocks traffic based on source and destination addresses and protocol and port numbers, the Cisco IOS Firewall HTTP Inspection Engine enforces protocol conformance and prevents malicious or unauthorized behavior such as port 80 tunneling, malformed packets, and Trojans from passing through. The HTTP Inspection Engine gives Cisco IOS Firewall the intelligence not only to block non-HTTP traffic, but also to help ensure that traffic that is assumed to be HTTP is legitimate Web browsing and not IM or similar traffic trying to gain access through the firewall. The net result is that network administrators will have more granular control of applications passing through the firewall.
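An Application Firewall HTTP policy that applies the controls described in this section (strict conformance, method control, length limits, MIME-type verification, and port-misuse detection) is shown below as an added example; it is not configuration from the bulletin. The policy name, inspection-rule name, interface and numeric limits are constructed.

```cisco
! Added example (not from the bulletin): HTTP Inspection Engine policy.
! Policy name, rule name, limits and interface are constructed placeholders.
appfw policy-name WEB-POLICY
 application http
  ! Reset and log sessions that are not well-formed HTTP (non-HTTP traffic on port 80).
  strict-http action reset alarm
  ! RFC method control: allow GET, HEAD and POST, reset everything else,
  ! including non-RFC extension methods.
  request-method rfc get action allow
  request-method rfc head action allow
  request-method rfc post action allow
  request-method rfc default action reset alarm
  request-method extension default action reset alarm
  ! URL-length and header-length policy.
  max-uri-length 1024 action reset alarm
  max-header-length request 2048 response 4096 action reset alarm
  ! MIME-type filtering: the response Content-Type must match the request and
  ! the payload must really be of that type.
  content-type-verification match-req-rsp action reset alarm
  ! Applications tunnelling through port 80 (instant messaging, generic tunnels, others).
  port-misuse im action reset alarm
  port-misuse tunneling action reset alarm
  port-misuse default action reset alarm
  ! Only chunked transfer encoding is accepted.
  transfer-encoding type chunked action allow
  transfer-encoding type default action reset alarm
  audit-trail on
!
! Bind the policy to a stateful inspection rule; HTTP inspection itself must
! also be enabled for the policy to be evaluated.
ip inspect name FW-IN appfw WEB-POLICY
ip inspect name FW-IN http
ip inspect name FW-IN tcp
ip inspect name FW-IN udp
!
interface FastEthernet0/0
 description inside LAN (constructed)
 ip inspect FW-IN in
```

When introducing such a policy, run the length and method rules with `action allow alarm` first and review the alarms: legitimate applications with long cookies or non-standard methods will otherwise be reset along with the tunnelling traffic the policy is meant to catch.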
Benefits
• Defines and enforces security policies for port 80.
• Controls misuse of port 80 by rogue applications that tunnel traffic inside HTTP and use port 80 to avoid scrutiny.
• Performs protocol anomaly detection services.
• Detects misuse of HTTP and Web connectivity.
• Prevents protocol masquerading.
• Provides strict RFC compliance enforcement.
• Allows RFC command control (for example, get or put).
• Enforces URL-length and header-length policy.
• Supports real-time alarms and audit trail messages.
• Provides MIME-type filtering and content validation.
Hardware
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
The Cisco IOS Firewall HTTP Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.3) Cisco IOS Firewall: Granular Protocol Inspection
With this feature, Cisco IOS Firewall can perform more granular protocol inspection of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic for most application types as defined in RFC 1700.
IP packets that contain most well-known ports defined in RFC 1700 plus user-defined ports and ranges that map to specific applications can be inspected. Additionally, the current Cisco IOS Firewall feature called Port-to-Application Mapping (PAM) has been enhanced to distinguish between TCP and UDP.
Benefits
• Greater flexibility by allowing more granularity in the selection of protocols to be inspected.
• Ease of use by providing for group inspection of multiple ports into a single, user-defined application keyword.
• Enhanced functionality with the addition of more well-known ports, user-defined applications, and user-defined port ranges.
• Improved performance and reduced CPU load resulting from focused inspection selections.
Hardware
Considerations
• A single port can only be mapped to one application.
• Port ranges cannot be specified directly in the ip inspect name command; the PAM table should be used instead.
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
The Cisco IOS Firewall Granular Protocol Inspection feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.4) Cisco IOS Firewall: Email Inspection Engine
Cisco IOS Firewall Advanced Application Inspection and Control features Inspection Engines to provide protocol anomaly detection services. This latest enhancement adds support for Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) to the Email Inspection Engine in addition to the existing support for Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP).
Benefits
• Inspects SMTP, ESMTP, POP3, and IMAP.
• Detects misuse of email connectivity.
• Prevents protocol masquerading.
• Enforces strict RFC compliance.
• Performs protocol anomaly detection services.
Hardware
Considerations
Users will need to have sufficient free memory.
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
The Cisco IOS Firewall Email Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.5) Cisco IOS Firewall: Inspection of Router-Generated Traffic
The Inspection of Router-Generated Traffic feature enables the inspection of local router traffic to single-channel TCP and UDP connections originated by or terminated at a router. Local H.323 connections are also supported.
Benefits
• Cisco IOS Firewall policy can now be applied to router local traffic.
• The inspection of local H.323 connections enables the deployment of Cisco CallManager Express and Cisco IOS Firewall on the same router with a simplified access control list (ACL) configuration of the Cisco CallManager Express interface through which H.323 connections are made.
Hardware
Considerations
• Inspection of Router-Generated Traffic is supported only on the following protocols: H.323, TCP, and UDP.
• Cisco IOS Firewall supports only Version 2 of the H.323 protocol.
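The inspection rule below is an added example, not configuration from the bulletin, that brings together the three inspection features of sections 2.1.3, 2.1.4 and 2.1.5: a user-defined application with a port range entered through PAM, POP3/IMAP inspection alongside SMTP, and the router-traffic option for sessions the router itself originates or terminates. The application name, port numbers, ACL and interface names are constructed.

```cisco
! Added example (not from the bulletin): one CBAC inspection rule combining
! granular protocol inspection, the e-mail inspection engine and inspection of
! router-generated traffic. Names, ports and interfaces are constructed.
!
! 2.1.3: PAM entry for an in-house service on TCP 4000-4010. The range lives in
! the PAM table (it cannot be given on the ip inspect name line), the entry is
! TCP-specific, and each port may belong to only one application.
ip port-map user-ordersvc port tcp from 4000 to 4010
!
! 2.1.4: mail protocols with strict RFC conformance; 'reset' tears down a
! session on a violation and 'secure-login' refuses clear-text POP3/IMAP logins
! on sessions that are not already protected.
ip inspect name FW smtp
ip inspect name FW pop3 reset secure-login
ip inspect name FW imap reset secure-login
!
! 2.1.3: inspect the user-defined application by its PAM keyword.
ip inspect name FW user-ordersvc
!
! 2.1.5: generic TCP/UDP and H.323 (version 2 only) inspection, extended with
! 'router-traffic' so that sessions to and from the router itself, such as a
! Cisco CallManager Express H.323 call, are tracked by the same policy.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW h323 router-traffic
!
! Outside interface: deny everything inbound statically; inspection opens
! return paths dynamically for sessions it has seen leave.
ip access-list extended OUTSIDE-IN
 deny ip any any
!
interface FastEthernet0/1
 description outside WAN (constructed)
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

The e-mail inspection engine holds per-session state for every mail connection, which is why the bulletin's consideration for section 2.1.4 is free memory: check `show memory` headroom on a busy mail gateway before enabling `pop3` and `imap` inspection.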
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
The Cisco IOS Firewall Inspection of Router-Generated Traffic feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.6) Virtual Routing and Forwarding Aware Cisco IOS Firewall
Virtual Routing and Forwarding (VRF) Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF interfaces when the firewall is configured on a service provider or large enterprise edge router. Service providers can provide managed services to small and medium business markets. VRF-Aware Cisco IOS Firewall supports VRF-aware URL filtering and VRF-lite (also known as multi-VRF customer edge [CE]).
Benefits
• Allows users to configure a per-VRF firewall. The firewall inspects IP packets that are sent and received within a VRF.
• Allows service providers to deploy the firewall on the provider edge (PE) router.
• Supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address.
• Supports per-VRF (not global) firewall command parameters and denial-of-service (DoS) parameters so that the VRF-aware firewall can run as multiple instances (with VRF instances) allocated to various VPN customers.
• Performs per-VRF URL filtering.
• Generates VRF-specific syslog messages that can be seen only by a particular VPN. These alert and audit trail messages allow network administrators to manage the firewall; that is, they can adjust firewall parameters, detect malicious sources and attacks, add security policies, and so on.
• Supports the ability to limit the number of firewall sessions per VRF.
Hardware
Considerations
• VRF-Aware Cisco IOS Firewall is not supported on MPLS interfaces.
• If two VPN networks have overlapping addresses, VRF-aware NAT is required for them to support VRF-aware firewalls.
• When crypto tunnels belonging to multiple VPNs terminate on a single interface, per-VRF firewall policies cannot be applied.
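The following is an added example, not configuration from the bulletin, of a PE router running one firewall instance per customer VRF with per-VRF DoS thresholds and overlapping customer address space. VRF names, route distinguishers, addresses, threshold values and interface names are constructed.

```cisco
! Added example (not from the bulletin): VRF-aware firewall on a PE router.
! VRF names, RDs, addresses, thresholds and interfaces are constructed.
ip vrf CUST-A
 rd 65000:1
ip vrf CUST-B
 rd 65000:2
!
! One inspection rule per customer so that each VRF gets its own policy.
ip inspect name FW-A tcp
ip inspect name FW-A udp
ip inspect name FW-B tcp
ip inspect name FW-B udp
!
! Per-VRF half-open session thresholds: a SYN flood inside CUST-A cannot push
! CUST-B's firewall into aggressive mode, because the counters are not global.
ip inspect max-incomplete high 400 vrf CUST-A
ip inspect max-incomplete low 300 vrf CUST-A
ip inspect max-incomplete high 400 vrf CUST-B
ip inspect max-incomplete low 300 vrf CUST-B
!
! Customer-facing (CE-facing) interfaces carry the inspection. Both customers
! use 10.1.1.0/24; this is permitted because the VRFs do not intersect, but
! VRF-aware NAT is required for the two to reach a common destination.
interface FastEthernet0/0
 description CUST-A CE-facing (constructed)
 ip vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW-A in
!
interface FastEthernet0/1
 description CUST-B CE-facing (constructed)
 ip vrf forwarding CUST-B
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW-B in
!
! The MPLS core-facing interface carries labelled traffic and, per the
! bulletin's consideration, gets no ip inspect statement.
interface FastEthernet1/0
 description MPLS core (constructed)
 ip address 192.0.2.1 255.255.255.252
 mpls ip
```

Per-VRF sessions and alerts can be reviewed separately for each customer with `show ip inspect sessions vrf CUST-A`, which is what makes the syslog and audit trail usable by the tenant that owns the VRF rather than only by the provider.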
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
VRF-Aware Firewall is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.7) Intrusion Prevention Systems Signature Enhancements
This release adds the TCP, UDP, and Internet Control Message Protocol (ICMP) signature microengines (SMEs) to the list of supported SMEs. This allows for Cisco IOS Software routers to defend networks against common worms and viruses such as the following:
Also included in this release is the local shun action. This can be configured on any signature. A shun places an ACL-type block on the interface from which the attacking traffic is entering the router to more quickly defend the network from attack traffic.
Benefits
• Support for more than 400 more signatures, for a total of more than 1275 from which to choose.
• Increased efficiency for traffic blocking with the shun action.
Hardware
Cisco IOS Packaging
IPS Signature Enhancements are positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Tom Guerrette (ask-stg-ios-pm@cisco.com)
2.1.8) Secure Device Provisioning Phase 4: Administrative Introducer
Secure Device Provisioning (SDP) Phase 4 allows an IT administrator to introduce and preprovision several end routers without the need of an end user. Administrative login and device specification have been introduced into the SDP framework.
SDP, formerly known as EZ Secure Device Deployment, simplifies introduction of a VPN device into the public key infrastructure (PKI) network. SDP mechanisms assume a permanent relationship between the introducer and the device. As a result, the introducer username is used to define the device hostname. Often the introducer username is also used as the database locator to determine the Cisco IOS Software configuration template, the template variables (pulled from the AAA database and expanded into the template), and the appropriate subject name for the PKI certificates issued to the device.
In some deployment scenarios, the introducer is an administrator (or an administrative service such as a CiscoWorks VPN/Security Management Solution [VMS] or the Cisco IP Solution Center [ISC]) doing the introduction for many devices. In this situation, the administrator's username cannot be used as a database locator so the SDP GUI has been enhanced to provide the username as a separate parameter.
Figure 4: SDP Administrative Introducer
Benefits
Allows an IT administrator or security management solution to provision multiple devices.
Hardware
Cisco IOS Packaging
SDP Phase 4: Administrative Introducer is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)
2.1.9) Secure Device Provisioning Phase 4: Hierarchical Certificate Servers
PKI deployments have a certificate server that issues certificates to the nodes in the VPN installation. A root certificate server is a CA server that holds a self-signed certificate, and its key pair is the root of the trust associations (digital signatures in the certificates) of the whole VPN installation. Because the root RSA key pairs are extremely important in a PKI hierarchy, it is often advantageous to keep them offline or archived. To support such an arrangement, PKI hierarchies allow for subordinate certificate authorities that have been signed by the root authority. In this way the root authority can be kept offline (except to issue occasional Certificate Revocation List [CRL] updates) and the sub-Certificate Authority (sub-CA) can be used during normal operation.
Figure 5: SDP Hierarchical Certificate Server
Benefits
• Allows for hierarchical certificate servers, ensuring better scalability and availability.
• Simplifies PKI deployment in geographically distributed VPN installations where each location could have its own certificate server handling the network beneath it.
Hardware
Cisco IOS Packaging
SDP Phase 4: Hierarchical Certificate Servers is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)
2.1.10) OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements
The Cisco IOS Software Universal Serial Bus (USB) Token Support project provides support for USB cryptographic tokens and flash drives on Cisco IOS Software. The USB token plugs into the router's USB port.
Tokens provide a secure place to store keys and configurations, where they can be protected with a PIN. Tokens do not have enough storage to hold images or other bulk data. The tokens supported in this release have a capacity of 32 KB, of which about half is taken up by token and Cisco IOS Software system overhead. This size is suitable for a small configuration and a few certificates and keys.
Flash drives can be used to store images, configurations, and other data, but are not suitable for private keys because they have no security.
Figure 6: USB Token: PKI
Benefits
• Simplifies secure initial deployment. The router can be drop-shipped by the distributor, while the token containing the configuration and private keys is distributed by other means.
• Simplifies replacement of failed routers. The user just needs to remove the spare from the closet or have it drop-shipped and plug in the token from the failed router, and it should work. This method assumes that the token contains the configuration and keys.
• Helps in securing a VPN connection. The router may have access to the Internet at all times, but it can only use the VPN when the token is present, because the keys on the token are used to set up the tunnel, and the tunnel is torn down when the token is removed.
Hardware
Cisco IOS Packaging
OS USB Token Support: PKI Enhancements is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)
2.1.11) Persistent Self-Signed Certificates
Cisco IOS Software has an HTTPS server that allows access to Web-based management pages using a SSL connection. SSL requires the server to present its certificate to the client during the SSL handshake prior to establishing a secure connection between the server and the client.
If Cisco IOS Software does not have a certificate that the HTTPS server can use, it generates a self-signed certificate by calling the PKI API. This certificate is then presented to the client, which prompts the user to accept it. If the user accepts, the certificate is stored in the browser for future use.
Future SSL handshakes require the same certificate. However, on reload this certificate is lost, and a new one has to be generated and go through the same acceptance sequence. The Persistent Self-Signed Certificate feature overcomes this limitation by saving the certificate in the router's startup configuration so that it persists across reloads for HTTPS connections with clients.
Figure 7: Persistent Self-Signed Certificates
Benefits
• Ease of use: a persistent self-signed certificate stored in the router's startup configuration eliminates the need for manual user intervention to accept a certificate every time the router reloads.
• Improved performance: as user intervention is no longer necessary to accept the certificate, the secure connection process is faster.
• Better security: having a persistent self-signed certificate stored in the router's startup configuration (NVRAM) lessens the opportunity for an attacker to substitute an unauthorized certificate.
Hardware
Cisco IOS Packaging
Persistent Self-Signed Certificates is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)
2.1.12) Easy VPN Remote Phase 4.1: Enhancements
Easy VPN Phase 4.1 supports two enhancements for Easy VPN Remote: Support for Reliable Static Routing using Object Tracking and Tunnel Activation on Interesting Traffic on Easy VPN Remote.
Support for Reliable Static Routing using Object Tracking is an existing feature that enables Cisco IOS Software to identify when a Point-to-Point Protocol over Ethernet (PPPoE) or IPsec VPN tunnel goes down and initiate a dial-on-demand routing (DDR) connection to a preconfigured destination from any alternative WAN/LAN port (for example, T1, ISDN, analog, or AUX). This feature delivers a solution for deployments in which a remote router has only a static route to the corporate network. The IP static route-tracking feature allows an object to be tracked (by IP address or host name) using ICMP, TCP, or other protocols and installs or removes the static route based on the state of the tracked object. If this feature determines that Internet connectivity is lost, the default route for the primary interface is removed and the floating static route for the backup interface is enabled.
This new enhancement delivers the capability to establish a secondary Easy VPN connection, if the primary Easy VPN connection fails, using support of Reliable Static Routing using Object Tracking. However, it is based on the dial backup interface only.
Two new Easy VPN Remote CLI configuration options support Reliable Static Routing using Object Tracking: a connection to the backup Easy VPN remote configuration and a connection to the tracking system.
backup <ezvpn-cfg-name> specifies the Easy VPN configuration that is activated when backup is triggered. track <tracked-object-number> specifies the link to the tracking system so that the Easy VPN state machine receives the notification that triggers backup. The complete command is:
crypto ipsec client ezvpn <ezvpn-cfg-name> backup <ezvpn-cfg-name> track <tracked-object-number>
Easy VPN Remote registers with the tracking system to receive notifications of changes in the state of the object. The command above informs the tracking process that Easy VPN Remote is interested in tracking the object identified by the object number; the tracking process in turn informs Easy VPN Remote when the state of this object changes. This notification prompts Easy VPN Remote to bring up the backup connection when the tracked object state is DOWN. When the tracked object is UP again, the backup connection is torn down and Easy VPN Remote switches back to the primary connection. The primary connection is not torn down when the tracked object goes DOWN; it may, however, time out or reset eventually on its own. Pings continue to be sent over the primary tunnel; if that tunnel is not up, they are dropped. The primary tunnel keeps attempting to reestablish, and once it does, the pings succeed and the tracked object state goes UP again.
Benefits
• Allows flexibility to track an object and initiate dial backup.
Tunnel Activation on Interesting Traffic on Easy VPN Remote is a feature that introduces a new method of activating Easy VPN tunnels based on user traffic. Prior to this feature there were two ways to bring up the tunnel: manual entry of the XAuth user/password, and automatic activation of the tunnel with the user/password stored in the configuration file. The new feature will only bring up the tunnel when user traffic needs to use it. It can be used with an idle timer on the tunnel to bring the tunnel up and down only when it is needed for user traffic. This arrangement can reduce the load on the Easy VPN concentrator, because tunnels are only brought up when needed.
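Both Easy VPN Remote Phase 4.1 enhancements (backup triggered by a tracked object, and tunnel activation on interesting traffic) are shown together in the following added example; it is not configuration from the bulletin. Profile names, group name, peer addresses, the probe target, ACL and interface names are constructed, the tracked object uses the SAA `rtr` syntax of the 12.3T era, and the DDR details of the dialer interface are omitted.

```cisco
! Added example (not from the bulletin): Easy VPN Remote with a tracked primary
! tunnel, a backup profile on the dial backup interface, and activation of the
! primary tunnel only on interesting traffic. All names and addresses are
! constructed placeholders.
!
! Tracked object 1: ICMP echo probe to a host reachable only through the
! primary tunnel. While the tunnel is up the probe succeeds; when it is down
! the probe is dropped and the object goes DOWN.
rtr 1
 type echo protocol ipIcmpEcho 10.10.10.1
 timeout 3000
 frequency 10
rtr schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary profile. 'connect acl' brings the tunnel up only when a packet
! matching EZVPN-INTERESTING needs it; 'backup ... track 1' is the bulletin's
! new command: switch to BACKUP-EZVPN when object 1 goes DOWN, tear the backup
! down and return to this profile when it goes UP again.
crypto ipsec client ezvpn PRIMARY-EZVPN
 connect acl EZVPN-INTERESTING
 group BRANCH-GROUP key <GROUP-KEY-PLACEHOLDER>
 mode client
 peer 192.0.2.10
 backup BACKUP-EZVPN track 1
!
! Backup profile, bound to the dial backup interface.
crypto ipsec client ezvpn BACKUP-EZVPN
 connect auto
 group BRANCH-GROUP key <GROUP-KEY-PLACEHOLDER>
 mode client
 peer 198.51.100.10
!
! Interesting traffic: branch LAN to the corporate address space.
ip access-list extended EZVPN-INTERESTING
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
interface FastEthernet0/0
 description primary WAN, for example DSL (constructed)
 crypto ipsec client ezvpn PRIMARY-EZVPN
!
interface Dialer1
 description ISDN dial backup (constructed; DDR configuration omitted)
 crypto ipsec client ezvpn BACKUP-EZVPN
!
! Idle timer paired with traffic-triggered activation: the SA is removed after
! five quiet minutes and re-established by the next matching packet, which is
! what keeps concentrator load down.
crypto ipsec security-association idle-time 300
```

Note that the probe target must be reached through the tunnel being tracked and nowhere else; if the backup path could also deliver the echo, the object would never return to DOWN and the failover logic described above would not trigger.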
Figure 8: Activation Triggered by Easy VPN Remote Traffic
Benefits
Reduces the load on the Easy VPN concentrator, because tunnels are only brought up when needed.
Hardware
Cisco IOS Packaging
Easy VPN Remote Phase 4.1: Enhancements is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.13) IPsec Preferred Peer
IPsec Preferred Peer allows a user to tag a peer as the default peer in a multiple-set peer configuration. The provisions include setting a peer with default option and setting an IPsec idle timer with default option.
Setting a peer with default option: a new keyword—default—has been added to mark the first peer in a multiple-set peer configuration as the default peer. This peer will then be retried in certain failure cases before a connection to the next peer on the list is attempted. If a failure is detected by dead peer detection (DPD), the default peer will be tried once more before the next peer is tried. If the default peer is unresponsive, failure using retransmits of Internet Key Exchange (IKE) initiation messages will set the new current peer to the next one on the list. Further connections through that crypto map will then try this new current peer.
This feature is useful in a dial backup scenario in which transmission stops because of remote peer failure traffic on a physical link. DPD will indicate that the remote peer is unavailable, although it will remain the current peer. The dial backup link will come up. Once connectivity through the physical link is restored, the default peer will be tried again. This procedure allows the user to always give preference to certain peers in the event of failover and is useful if the original failure occurred because of a connectivity problem through the network, as opposed to the remote peer itself failing. If the remote peer has indeed failed, retransmits to that peer (this process takes approximately 45 seconds) will force the default peer to be skipped and the next peer on the list to be tried.
Benefits
Allows flexibility to use a primary peer when it is better (for example, closer, less expensive, or provides more bandwidth).
Hardware
Additional Information
• The set peer with default option must be used in conjunction with DPD. It is most effective on a remote site running DPD in periodic mode. DPD detects the failure of the other device quickly and resets the peer list to try the default peer again on the next attempt.
• Only one peer may be designated the default on a crypto map.
• The default peer must be the first peer in the list.
• Use with the crypto map set peer default feature.
• Idle timers with the default keyword are only available on a per-crypto-map basis. This command does not work with the global idle timer command.
• If a global idle timer is set, the crypto map idle timer value must be different from the global value; otherwise it will not be added to the crypto map.
Cisco IOS Packaging
The Cisco IOS IPsec Preferred Peer feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.14) IPsec Antireplay Window Expansion and Disable Options
The IPsec antireplay window is a 32-bit counter and a bitmap (or equivalent) used to determine whether an inbound Authentication Header (AH) or ESP packet is a replay. The Expansion and Disable options supported in this feature give IPsec users two additional options with which to control the antireplay mechanism in IPsec. Users can now choose to expand the antireplay window size or, alternatively, disable antireplay checking completely. The default antireplay window size and default enabling of antireplay checking for IPsec in Cisco IOS Software will be the same as in prior Cisco IOS Software releases.
Figure 9
IPsec Antireplay
Benefits
Allows an IT administrator flexibility to control antireplay window size or disable it.
Hardware
Additional Information
If the antireplay window is disabled, replay attack is possible.
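The sliding-window check described above, as an added example that is not Cisco code: a 32-bit sequence counter plus a bitmap of configurable width, run over constructed packet sequences to show what window expansion buys (late packets beyond the default width are no longer dropped as stale) and what disabling it costs (a replayed sequence number is accepted).

```python
"""Sliding-window antireplay check of the kind IPsec AH/ESP use (RFC 2401, App. C).

Added example, not Cisco code. It models the 32-bit sequence counter and a
bitmap of configurable width so the effect of expanding or disabling the
window can be observed on a constructed packet sequence.
"""

MAX_SEQ = 2 ** 32 - 1  # 32-bit counter: the SA must be rekeyed before wrap


class AntiReplayWindow:
    def __init__(self, window_size=64, enabled=True):
        if window_size < 32:
            raise ValueError("window must be at least 32 sequence numbers")
        self.size = window_size
        self.enabled = enabled
        self.last_seq = 0      # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => last_seq - i was already accepted
        self.rejected_replays = 0
        self.rejected_stale = 0

    def check_and_update(self, seq):
        """Return True if seq is accepted, False if it is dropped.

        Assumes the packet already passed integrity verification; a real
        implementation updates the window only after the MAC verifies.
        """
        if not self.enabled:
            return True  # no state is kept, so a replayed packet is indistinguishable
        if seq == 0 or seq > MAX_SEQ:
            return False  # the counter starts at 1 and never wraps within an SA
        if seq > self.last_seq:
            # Packet is to the right of the window: slide the window forward.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # everything previously seen falls off the left edge
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            self.rejected_stale += 1  # too old to be distinguished from a replay
            return False
        if self.bitmap & (1 << diff):
            self.rejected_replays += 1  # already accepted: definite replay
            return False
        self.bitmap |= 1 << diff  # late but unseen: accept and mark
        return True


def run_sequence(seqs, window_size=64, enabled=True):
    """Feed constructed sequence numbers through one window and report results."""
    window = AntiReplayWindow(window_size, enabled)
    accepted = [s for s in seqs if window.check_and_update(s)]
    return accepted, window.rejected_replays, window.rejected_stale


if __name__ == "__main__":
    # Constructed sequences: a straight replay, and a packet delayed by 70 slots.
    print(run_sequence([1, 2, 3, 2]))                     # replay of 2 dropped
    print(run_sequence([1, 100, 30], window_size=64))     # 30 is stale at width 64
    print(run_sequence([1, 100, 30], window_size=128))    # accepted at width 128
    print(run_sequence([1, 2, 3, 2], enabled=False))      # replay accepted
```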
Cisco IOS Packaging
IPsec Antireplay Window Expansion and Disable Options is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.15) IPsec Virtual Tunnel Interface
VPNs are increasingly being recognized as a mainstream solution for secure WAN connectivity. They replace or augment existing private networks using leased lines, Frame Relay, or ATM to connect remote and branch offices and central sites more cost effectively and with increased flexibility. This new status requires that VPN devices deliver higher performance, support for both LAN and WAN interfaces, and high network availability. IPsec virtual tunnel interfaces (VTIs) are a new tool that can be used by customers to configure IPsec-based VPNs between site-to-site devices. IPsec VTI tunnels provide a designated pathway across the shared WAN and encapsulate traffic with new packet headers, ensuring delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. In addition, IPsec provides true confidentiality (as does encryption) and can carry encrypted traffic.
With IPsec VTIs delivered by Cisco, enterprises can use cost-effective VPNs and continue to add voice and video to their data networks without compromising quality and reliability.
Cisco IPsec VTIs provide secure connectivity for site-to-site VPNs combined with the Cisco Architecture for Voice, Video and Integrated Data (AVVID) architecture for delivering converged voice, video, and data over IP networks. VPNs deliver cost-effective, flexible wide-area connectivity, while providing a network infrastructure that supports the latest converged network applications such as IP telephony and video.
Figure 10
IPsec Static Virtual Tunnel Interfaces Between Two Sites
Benefits
• Simplified management—Customers can use Cisco IOS Software virtual tunnel constructs to configure an IPsec VTI, thus simplifying VPN configuration complexity, which translates into reduced costs as the need for local IT support is minimized. In addition, existing management applications that can monitor interfaces can be used for monitoring purposes.
• Support for multicast encryption—Customers can use Cisco IOS Software IPsec VTIs to transfer multicast traffic, control traffic, or data traffic (for example, many voice and video applications) from one site to another securely.
• Routable interface—Cisco IOS Software IPsec VTIs can support all types of IP routing protocols. Customers can use these capabilities of VTI to connect larger office environments, such as branch offices, complete with a PBX extension.
• Improved scaling—IPsec virtual interfaces need fewer security associations to be established to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.
• Flexibility of defining features—An IPsec virtual interface is an encapsulation within its own interface. This arrangement offers flexibility of defining features to run on either the physical or the IPsec interface.
Hardware
Cisco IOS Packaging
The Cisco IOS IPsec Virtual Tunnel Interface feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.16) Reverse Route Injection
Reverse Route Injection (RRI) is used to create static routes based on remote proxy IDs (subnet/mask) for remote IPsec devices. It is platform independent (except for Cisco Catalyst 6000 Series and Cisco 7600 Series Router) and is dynamic in that it saves the user from statically defining routes. It is remote agnostic as well and works on both dynamic and static crypto maps. Typically in an RRI, routes are injected into the routing process.
RRI enhancements included in this release: Cisco IOS Software can now alter RRI behavior for static LAN-to-LAN (L2L) IPsec tunnels and can retain RRI routes when a crypto ACL is modified. In addition, it is enhanced to retain RRI routes for dynamic customer premises equipment (CPE) as well as to remove RRI routes when the same crypto map is applied to two different interfaces.
Figure 11
Reverse Route Injection
Benefits
Saves the user from statically defining routes.
Considerations
Cisco IOS Software will not allow RRI in the same crypto map on multiple interfaces.
Hardware
Cisco IOS Packaging
Reverse Route Injection is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.17) Easy VPN Remote Web-Based Activation
Easy VPN contains two primary hardware client applications: Teleworker and Branch Office. Teleworker allows user-driven authentication of the client router (for example, interactive XAuth credential entry) with optional authentication of devices behind the client router. Teleworker is also possibly useful for offices in which one person is authorized to activate the office connection. The second application is Branch Office, where a client router connects automatically without user intervention (XAuth credentials saved in configuration file). Optionally, it is possible to authenticate devices behind the client router.
Easy VPN Remote Web-Based Activation makes authentication of the remote router easier by providing a Web-based interface in which to enter the XAuth username and password.
Figure 12
Easy VPN Remote Web-Based Activation
Benefits
Small office or home office (SOHO) users benefit greatly by using a Web-based interface to activate Easy VPN Remote.
Hardware
Cisco IOS Packaging
Easy VPN Remote Web-Based Activation is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.18) WebVPN
WebVPN is an SSL-based VPN solution that provides clientless remote access by using a Web browser as the remote user's VPN client. Because most personal computers already have a Web browser installed, no further application installation is required to securely access network resources. This feature can augment the existing IPsec remote access (Easy VPN) functionality or, in environments with relatively simple remote access requirements, WebVPN may offer sufficient functionality to address all remote access demands. Cisco IOS Software WebVPN makes it easy to deploy remote access to internal applications on a single integrated network device.
The first release of WebVPN in Cisco IOS Software supports two functional modes:
• The first mode (clientless) provides secure access to private Web resources and Web content. This mode is useful for accessing most content that you would expect to use within a Web browser, such as Web browsing, databases, or online tools that employ a Web interface.
• The second functional mode (thin client) extends the capability of the cryptographic functions of the Web browser to enable remote access for email applications using POP3, SMTP, and IMAP.
Benefits
• Uses a standard Web browser to access the corporate network and does not require a client to be installed on the client machine.
• SSL encryption native to the browser provides transport security.
• Has granular access control.
• Additional client and server applications are accessed using a Java applet.
• Allows access from noncorporate machines such as airport kiosks.
• Allows easy firewall and network traversal from any location.
• Allows transparent wireless roaming.
• Integrated Cisco IOS Firewall provides enhanced security.
Hardware
Considerations
• If WebVPN needs to be enabled on the router that is running HTTP Secure Server, the administrator must configure an IP address for WebVPN using the gateway-addr keyword option of the webvpn enable command.
• The browsing of URLs that are referred by Macromedia Flash is not modified for secure retrieval by the WebVPN gateway.
• This feature in Cisco IOS Software Release 12.3(14)T supports SSL Version 3. Transport Layer Security (TLS) is not supported.
• The thin client used for TCP port-forwarding applications requires administrative privileges on the computer of the end user.
Cisco IOS Packaging
WebVPN is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Gary Sockrider (ask-stg-ios-pm@cisco.com)
2.1.19) Cisco Router and Security Device Manager 2.1
Cisco Router and Security Device Manager (SDM) 2.1 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.
Benefits
• New hardware support
– Cisco Small Business 100 Series
– Cisco VPN Acceleration Module 2+ (VAM2+)
– High-speed WAN interface card 4T (HWIC-4T), HWIC-4A/S, HWIC-8A/S, HWIC-8A, and HWIC-16A
– Provides ability to recognize, configure, and monitor the new hardware
• Localized in six languages
– Cisco SDM user interface and online help translated into Japanese, simplified Chinese, French, German, Spanish, and Italian (available in May 2005)
– Microsoft Windows OS support for these languages (available now)
– Simplifies router management for native language users
• Cisco SDM Express
– Wizard-based deployment of router
– Offers quick and easy router deployment for basic WAN access configurations
– Ideal router deployment tool for nonexpert users
• PC-based SDM
– Cisco SDM installed on Windows-based PC instead of router flash memory
– No extra flash memory space required on router for SDM
– Great tool to manage the installed base of Cisco routers
• PPP over ATM (PPPoA)
– Offers quick and easy deployment of xDSL router interfaces for PPPoA configurations
• Three new Intrusion Prevention System (IPS) engines
– STRING.TCP, STRING.UDP, STRING.ICMP
– Allows deployment of 500+ additional IPS signatures through SDM
• Dial-backup improvements
– Support for dial-back for dynamically addressed primary WAN interface
– Offers several fixes to make the configuration process more user friendly
Hardware
Cisco IOS Packaging
Router and Security Device Manager 2.1 is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Product Management Contacts: ask-stg-ios-pm@cisco.com, sdm-feedback@cisco.com
2.2) Cisco IOS Software Infrastructure
2.2.1) Cisco IOS Embedded Event Manager 2.1
Cisco IOS Embedded Event Manager (EEM) has been enhanced significantly since it first became available in Cisco IOS Software Release 12.3(4)T. EEM now allows user-programmable actions based on Tool Command Language (TCL).
EEM marks a shift in network management systems design. Cisco has committed to increasing the level of management intelligence and self-awareness within Cisco IOS Software. EEM provides the infrastructure for detection of specific events and the ability to take local action based on those events.
Local actions, called EEM policies, can be defined using simple CLI commands, or more complex or custom actions can be specified using TCL. The TCL interpreter with TCL extensions embedded within Cisco IOS Software provides full access to the CLI, so the type of actions is limited only by the imagination.
Figure 13
Embedded Event Manager 2.1 Architecture
Benefits
• Onboard event detection.
• Extensive set of event detectors.
• User-programmable automatic actions triggered by specific events.
• EEM policy definition using TCL.
Hardware
Product Management Contacts: Rohit Shrivastava (roshriva@cisco.com), Rick Williams (rwill@cisco.com)
2.2.2) Embedded Resource Manager
Continuing on the commitment to add more embedded intelligence within the network devices, Embedded Resource Manager (ERM) lays the groundwork for even more internal monitoring and reporting capabilities.
ERM provides internal mechanisms for monitoring internal Cisco IOS Software tasks and shared resource consumption.
Figure 14
ERM Architecture
Benefits
• Allows dynamic monitoring of internal resource utilization.
• Provides ability to take actions to improve the performance and availability of the device.
• Yields information to allow better understanding of scalability requirements in terms of resource consumption.
• Delivers infrastructure for future development and delivery of autonomic functions.
Hardware
Cisco IOS Packaging
Cisco IOS Embedded Resource Manager is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Valliappan (svalliap@cisco.com)
2.3) Routing
2.3.1) Enhanced Interior Gateway Routing Protocol Prefix Limit Support
Enhanced Interior Gateway Routing Protocol (EIGRP) allows the network administrator to limit the number of prefixes learned by EIGRP. This feature provides a means to limit the shared resources (memory and CPU) consumed by the EIGRP process.
Additional CLI configuration options are added to support this feature.
Benefits
• Provides optional facility to force an upper bound on the number of prefixes learned by the EIGRP routing process.
• Is useful for preventing unwanted oversubscription of shared resources.
Hardware
Product Management Contact: Chetan Khetani (cpk@cisco.com)
2.3.2) Enhanced IGRP Simple Network Management Protocol Support
This feature provides SNMP MIB support for SNMP GET and SNMP TRAPS for EIGRP and provides an infrastructure interface for network management.
Benefits
• Provides the ability to monitor EIGRP from a remote management system.
• Provides notification on EIGRP events.
Hardware
Cisco IOS Packaging
EIGRP SNMP Support is positioned in the Enterprise Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Chetan Khetani (cpk@cisco.com)
2.3.3) Open Shortest Path First Sham-Link MIB Support
In some MPLS VPN networks, OSPF sham link is used to interconnect two VPN sites that share the same OSPF area.
This arrangement presents some difficulty for network management. Prior to this feature, no SNMP MIB objects had provided useful information for OSPF sham links.
This feature enhances the specific Cisco MIB (CISCO-OSPF-MIB.my) to allow for monitoring of OSPF sham links. The enhancement allows for:
• Status queries
• Notification of error
• Notification of state change
• Statistical information on retransmissions
Benefits
Provides a means to manage OSPF sham links.
Hardware
Considerations
The implementation is RFC 1850 compliant and based on an OSPFv2 MIB IETF draft. See IETF draft draft-rosen-vpns-ospf-bgp-mpls-05.txt.
Product Management Contact: Chetan Khetani (cpk@cisco.com)
2.3.4) Border Gateway Protocol Support for Fast Peering Session Deactivation
Border Gateway Protocol (BGP) support for Fast Peering Session Deactivation accelerates the speed at which the BGP subsystem releases a peering session. The BGP subsystem will deactivate the peering session immediately upon indication that the peer is gone, eliminating an internal wait timer. This feature optimizes the software such that multiple failure detection mechanisms are linked to trigger session deactivation.
Benefits
• Improves routing protocol reconvergence.
• Speeds BGP session deactivation in the event of a dead neighbor.
• Provides support for faster session deactivation when peers go away.
Hardware
Cisco IOS Packaging
BGP Support for Fast Peering Session Deactivation is positioned in the Advanced Security and SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Pepe Garcia (pepe@cisco.com)
2.3.5) Border Gateway Protocol Support for IP Prefix Import from Global Table into Virtual Routing and Forwarding Table
This feature allows customers to specify which specific prefixes from the global routing table are to be imported into a VPN routing and forwarding table.
Hardware
Cisco IOS Packaging
BGP Support for IP Prefix Import From Global Table Into a VRF Table is positioned in the Advanced Security and SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Pepe Garcia (pepe@cisco.com)
2.3.6) Border Gateway Protocol Support for Next-Hop Address Tracking
Border Gateway Protocol (BGP) Next-Hop Address Tracking provides a mechanism for routes learned using BGP to converge more quickly on a new path when triggered by a change to a monitored BGP next-hop address.
An address-tracking filter mechanism is used to filter notifications to the routing information base. This mechanism allows for new path selection to begin as soon as the notification regarding the change in reachability state of the next hop occurs. The results are much faster convergence of traffic to a new path and less impact to traffic flows.
All of these facts mean faster reconvergence, leading to improved perception of reliability for users.
Figure 15
Next-Hop Tracking Speeds Reconvergence
Next-Hop Tracking will trigger the BGP scanner at PE-1 to run immediately on Interior Gateway Protocol (IGP) convergence, so the route through PE-3 will handle traffic upon failure to PE-2.
Benefits
• Provides faster routing protocol reconvergence.
• Avoids delays for traffic to get to destination.
• Reduces service impact.
Hardware
Product Management Contact: Pepe Garcia (pepe@cisco.com)
2.3.7) Routemap Display Extension
Routemap Display Extension enhances the display of dynamic routemaps to include detailed information about the ACLs used in the match clauses.
Benefits
• Makes more details available using CLI show command.
• Simplifies troubleshooting and checking of configuration.
Hardware
Cisco IOS Packaging
Routemap Display Extension is positioned in IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Chetan Khetani (cpk@cisco.com)
2.3.8) Optimized Edge Routing Support for Cost-Based Optimization and Traceroute Reporting
Optimized Edge Routing (OER) provides automatic outbound route optimization for multihomed enterprises by establishing criteria for the optimal exit point for traffic destined for other networks. OER enables link selection according to performance, cost, and load distribution policy.
This enhancement provides outbound traffic optimization based on financial link cost. The idea is to minimize the cost associated with service through efficient and effective traffic routing. This is called cost minimization.
The configuration for cost minimization supports fixed-cost Service Level Agreements (SLAs) and tier-based-with-bursting cost SLAs. SLAs encompass the billing criteria that are established with each ISP. Although the specific details of "tier-based-with-bursting" billing models will vary by ISP, most ISPs will use some variation of the following algorithm to calculate what an enterprise should pay in a tiered billing plan:
1. Gather periodic measurements of egress and ingress traffic carried on the enterprise's connection to the ISP's network and aggregate the measurements to generate a rollup value for a rollup period.
2. Generate one or more rollup values per billing period.
3. Rank the rollup values for the billing period from the largest value to the smallest.
4. Discard the top 5 percent of the rollup values to accommodate bursting.
5. Apply the highest remaining rollup value to a tiered structure to determine a tier associated with the rollup value.
6. Charge the customer based on a set cost associated with the determined tier.
Cisco OER seeks to minimize the overall service cost by distributing traffic in the most cost-efficient way (or as configured). By deploying the Cisco OER bandwidth cost minimization functionality, customers can instruct Cisco OER to select the exit links that provide the most cost-effective bandwidth utilization, while still maintaining the desired performance characteristics.
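The six-step tiered billing algorithm above, carried through on constructed data as an added example (not Cisco's OER implementation): the per-link traffic samples, the rollup aggregation rule (average over the period of the larger of ingress and egress) and the tier table are all assumptions, and the headroom function shows the margin an exit-selection policy has before a link moves up a tier.

```python
"""Tier-based-with-bursting billing as the bulletin describes it for OER.

Added example, not Cisco's implementation. Traffic samples and the tier table
are constructed; each rollup is assumed to be the average over its period of
the larger of the ingress and egress rate.
"""
import math

# Constructed 5-minute samples (ingress_mbps, egress_mbps) for one ISP link:
# 76 quiet samples followed by a 4-sample burst at the end of the billing period.
SAMPLES = [(10.0, 12.0)] * 76 + [(90.0, 95.0)] * 4

# Constructed tier table: (upper bound in Mbps, charge per billing period).
# None marks the unbounded top tier.
TIERS = [(20.0, 500), (50.0, 900), (None, 1500)]


def rollup_values(samples, rollup_period):
    """Steps 1-2: aggregate consecutive samples into one rollup value per period."""
    rollups = []
    for i in range(0, len(samples), rollup_period):
        chunk = samples[i:i + rollup_period]
        rollups.append(sum(max(ingress, egress) for ingress, egress in chunk) / len(chunk))
    return rollups


def billable_rollup(rollups, discard_percent=5):
    """Steps 3-4: rank high to low, discard the top 5 percent, keep the highest left."""
    ranked = sorted(rollups, reverse=True)
    discard = len(ranked) * discard_percent // 100  # integer math avoids float drift
    return ranked[discard]


def tier_charge(value, tiers):
    """Steps 5-6: the first tier whose bound covers the value sets the charge."""
    for bound, charge in tiers:
        if bound is None or value <= bound:
            return charge
    raise ValueError("tier table has no unbounded top tier")


def period_charge(samples, rollup_period, tiers, discard_percent=5):
    """Whole algorithm: (billable rollup, charge) for this link and billing period."""
    value = billable_rollup(rollup_values(samples, rollup_period), discard_percent)
    return value, tier_charge(value, tiers)


def headroom_to_next_tier(samples, rollup_period, tiers, discard_percent=5):
    """How far the billable value can still rise without moving up a tier: the
    margin an exit-selection policy can consume before the link costs more."""
    value, _ = period_charge(samples, rollup_period, tiers, discard_percent)
    for bound, _ in tiers:
        if bound is not None and value <= bound:
            return bound - value
    return math.inf  # already in the unbounded top tier


if __name__ == "__main__":
    print(period_charge(SAMPLES, 4, TIERS))          # burst discarded: (12.0, 500)
    print(period_charge(SAMPLES, 4, TIERS, 0))       # no discard: (95.0, 1500)
    print(headroom_to_next_tier(SAMPLES, 4, TIERS))  # 8.0 Mbps before the next tier
```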
This release also adds support for traceroute reporting. The feature allows the network administrator to form a clearer picture of the amount of delay introduced by different segments in the path. If an unexpected round-trip delay value for a prefix on a particular exit is observed, the delay can be quantified on a per-hop basis.
Benefits
• Allows companies to minimize traffic sent over expensive links or consolidate multiple flat-rate connections to fewer and lower cost connection services.
• Provides statistics on traffic distribution and usage before and after route optimization.
• Helps enterprise customers manage ISP costs more effectively.
Hardware
Cisco IOS Packaging
OER Support for Cost-Based Optimization and Traceroute Reporting feature is positioned in the Advanced Security, SP Services, and Enterprise Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Paul Kohler (pkohler@cisco.com)
2.3.9) Policy-Based Routing: Recursive Next Hop
Policy-Based Routing (PBR): Recursive Next Hop provides the ability to set a next hop that is not directly connected to enable load balancing when PBR is used.
With this feature enabled, the routing table will be examined recursively to find the directly connected next hop when PBR is used to set an indirect next hop.
The following new configuration command is introduced:
set ip next-hop recursive
This command may be used to set a directly connected next hop or subnet as well as an indirect next hop or subnet.
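The recursive lookup described above, as an added example that is not Cisco code: a constructed routing table is walked by repeated longest-prefix lookup until directly connected next hops are reached, and all of them are returned so that Cisco Express Forwarding can share the load across equal-cost paths; with recursion off, the same indirect next hop resolves to nothing, which is the pre-existing PBR behaviour.

```python
"""Recursive next-hop resolution of the kind 'set ip next-hop recursive' performs.

Added example, not Cisco code. The routing table is constructed. Resolution
repeats a longest-prefix lookup until it reaches directly connected next hops
and returns all of them, which is what lets Cisco Express Forwarding share the
load across equal-cost paths.
"""
import ipaddress

# Constructed routing table: prefix -> list of (next_hop_ip, interface).
# next_hop_ip None means the prefix is directly connected on that interface.
ROUTES = {
    "10.0.0.0/8": [("192.168.1.1", None), ("192.168.2.1", None)],  # two equal-cost paths
    "192.168.1.0/24": [(None, "Ethernet0")],
    "192.168.2.0/24": [(None, "Ethernet1")],
    "172.16.0.0/16": [("10.1.1.1", None)],  # reachable only through 10.0.0.0/8
}


def longest_match(addr, routes):
    """Return the next-hop list of the most specific prefix covering addr."""
    ip = ipaddress.ip_address(addr)
    best_net, best_hops = None, []
    for prefix, hops in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hops = net, hops
    return best_hops


def resolve_next_hop(next_hop, routes, recursive=True, _depth=0, _seen=None):
    """Return the (adjacent_hop_ip, interface) pairs a policy next hop resolves to.

    With recursive=False (the pre-existing PBR behaviour) an indirect next hop
    resolves to nothing, so the policy would not take effect for that packet.
    """
    if _seen is None:
        _seen = set()
    if next_hop in _seen or _depth > 8:   # guard against a recursive routing loop
        return []
    _seen.add(next_hop)
    resolved = []
    for hop_ip, interface in longest_match(next_hop, routes):
        if hop_ip is None:                # directly connected: resolution ends here
            resolved.append((next_hop, interface))
        elif recursive:                   # indirect: resolve the next hop itself
            resolved.extend(resolve_next_hop(hop_ip, routes, True, _depth + 1, _seen))
    return resolved


if __name__ == "__main__":
    # 10.1.1.1 is not on a connected subnet; only recursive resolution finds the
    # two connected hops it can be load-balanced over.
    print(resolve_next_hop("10.1.1.1", ROUTES, recursive=False))  # []
    print(resolve_next_hop("10.1.1.1", ROUTES))      # both Ethernet0 and Ethernet1 hops
    print(resolve_next_hop("192.168.1.1", ROUTES))   # [('192.168.1.1', 'Ethernet0')]
```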
Figure 16
Using Recursive Next Hop for Load Balancing
Benefits
Allows use of Cisco Express Forwarding load balancing when PBR is configured.
Hardware
Cisco IOS Packaging
Policy-Based Routing: Recursive Next Hop is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Chetan Khetani (cpk@cisco.com)
2.3.10) Internet Group Management Protocol Version 3 Host Stack
Internet Group Management Protocol (IGMP) Version 3 Host Stack support enables the router or switch to behave as a multicast network endpoint or host. The support for IGMPv3 also allows other Cisco IOS Software subsystems to take advantage of the infrastructure to use Source Specific Multicast (SSM) for broadcast functions.
One reason to use this feature is the rapid deployment of voice applications and gateway functionality within Cisco IOS Software. Cisco devices that provide voice services may join a multicast channel for music on hold and convert and distribute that stream to analog or ISDN interfaces.
Benefits
• Provides infrastructure needed to support voice applications, specifically Multicast Music on Hold (MMoH).
• Aids troubleshooting for problems related to multicast.
Hardware
Cisco IOS Packaging
IGMPv3 Host Stack is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Gurvinder Singh (g_singh@cisco.com)
2.3.11) Per Interface mroute State Limit
The Per Interface mroute State Limit feature will limit the number of mroute states on a per-interface basis. This limitation is beneficial for access routers or Layer 3 switches, particularly for deployments of advanced Ethernet services or Ethernet to the home, curb, pedestal, business, multiple tenant dwelling unit, and so on.
Prior to this feature, Cisco IOS Software supported an ability to limit mroute states on a per-VRF basis using ip multicast [vrf <name>] route-limit. This feature extends that capability to allow specification on an interface basis.
Benefits
• Extends the benefits of Ethernet as a last-mile technology.
• Offers more granular DoS attack prevention.
Hardware
Cisco IOS Packaging
Per Interface mroute State Limit is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Gurvinder Singh (g_singh@cisco.com)
2.3.12) Integrated Routing and Bridging Support on MGX-RPM-XF-512
Integrated routing and bridging (IRB) is a bridging mechanism that allows integration of traditional systems with your IP network. IRB is useful when you need to connect bridged networks with Layer 3 routed networks.
IRB has existed in Cisco IOS Software since Release 11.2, and is available on a wide variety of Cisco products. This feature adds support for the Cisco MGX® Route Processor Module.
Benefits
Increases the deployment options for the Cisco MGX Route Processor Module.
Hardware
Cisco IOS Packaging
IRB Support on Cisco MGX Route Processor Module is positioned in the Enterprise Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Christopher Kolstad (ckolstad@cisco.com)
2.4) Management and Provisioning
2.4.1) Multicast VPN MIB
Multicast VPN MIB provides enhancements and support for SNMP Multicast VPN MIB.
Benefits
• Improves management for Multicast VPN deployments.
• Provides interfaces to Cisco AutoSecure.
Hardware
Product Management Contact: Gurvinder Singh (g_singh@cisco.com)
2.4.2) Exclusive Configuration Change Access
The Cisco IOS Software CLI has offered a familiar and effective interface for configuration and troubleshooting for many years. With the increased importance and proliferation of network connections and equipment, management and maintenance activities have grown. Some organizations have segmented their network engineering and operations teams, with multiple groups or systems now requiring access to the CLI.
The feature introduces a configuration session locking mechanism. It allows a user to have exclusive access to the Cisco IOS Software configuration mode, preventing any other user from changing the system configuration for the duration of the lock.
Benefits
• Ensures consistent and error-free configuration changes by preventing conflicts.
• Prevents conflicts between programmatic interfaces and back-end systems.
Hardware
Product Management Contact: Mark Basinski (mbasinsk@cisco.com)
2.4.3) Selective Enabling of Applications Using HTTP Server
Cisco IOS Software incorporates an internal HTTP server that permits easy configuration using a browser interface. A number of Cisco IOS Software subsystems and features use the included server. Until now, however, each feature could not be controlled individually with respect to the HTTP server interface. With this feature, a user can enable one particular subsystem for Web-based configuration and control but not another.
The feature enables selective enabling of Cisco IOS Software applications or subsystems that use the internal HTTP server in Cisco IOS Software.
Benefits
• Provides more secure environment for configuration and control of network devices.
• Enables specific control over applications that use the internal HTTP server in Cisco IOS Software.
Hardware
Product Management Contact: Mark Basinski (mbasinsk@cisco.com)
2.4.4) Bandwidth Estimation Using Corvil Bandwidth Technology
Allocating adequate bandwidth is crucial to ensuring the network performance required for applications. However, allocating too much bandwidth can be costly. Bandwidth Estimation in Cisco IOS Software, using Corvil Bandwidth technology, allows network managers to determine the correct bandwidth requirements to achieve user-specified Quality of Service (QoS) targets for networked applications.
Corvil Bandwidth can determine the minimum bandwidth required to meet a customer-specified QoS target with statistical reliability. From a network manager's perspective, an application's QoS requirements are characterized with respect to its sensitivity to packet loss and delay. Corvil Bandwidth gives the network manager a way to specify limits for delay and packet loss and to get a close estimate of the minimum bandwidth essential to achieve desired application performance.
Figure 17
Corvil Bandwidth
Benefits
• Users can set service-level objectives for the desired performance of networked applications.
• Network managers can eliminate operational overhead and guesswork in bandwidth provisioning and QoS configuration.
• Potentially significant bandwidth cost savings while meeting QoS requirements are possible.
• Increased capability and flexibility to offer bandwidth-on-demand types of services are possible.
Hardware
Cisco IOS Packaging
Bandwidth Estimation Using Corvil Bandwidth Technology is positioned in the SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Tim McSweeney (timcswee@cisco.com)
2.4.5) IP Service Level Agreements Voice over IP Call Setup (Postdial Delay) Monitoring
Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.
This feature enhances Cisco IOS IP SLAs further by including a capability to monitor the call setup delay for VoIP calls. With this feature, Cisco IOS SLAs measure the call setup time using the H.323/Session Initiation Protocol (SIP) over an IP network.
The Jitter operation in IP SLAs offers the ability to configure various codec types and provides the corresponding Impairment/Calculated Impairment Planning Factor (ICPIF) and mean opinion scores (MOSs). This capability is widely used to monitor VoIP performance. This enhancement focuses on measuring call setup time. It provides the capability to send an H.323 or SIP call setup message and to measure the time to ringing, busy, or connect. The typical setup time measured is from the time the setup/INVITE message is sent to the time the alert/ringing message is received.
Figure 18
Cisco IOS IP SLAs VoIP Call Setup (Postdial Delay) Monitoring
Benefits
• Measures call setup delay for VoIP calls.
• Extends the functionality provided by IP SLAs.
• Adds to the already strong VoIP-monitoring capabilities.
• Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.
• Monitors SLAs.
• Monitors network performance.
• Provides IP service network health readiness or assessment.
• Monitors edge-to-edge network availability.
• Monitors business-critical applications performance.
• Troubleshoots network operation.
Hardware
Cisco IOS Packaging
Cisco IOS IP SLAs VoIP Call Setup (Postdial Delay) Monitoring is positioned in the IP Voice packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Tom Zingale (tomz@cisco.com)
2.4.6) IP Service Level Agreements—Voice over IP Gatekeeper Delay Monitoring
Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.
With Voice over IP (VoIP) deployments accelerating, even more requirements are being placed on the operations staff to ensure that service meets or exceeds the required levels. A converged network with VoIP Gatekeeper functionality adds another aspect to performance monitoring.
This feature adds a VoIP Gatekeeper (GK) registration delay monitoring operation to the IP SLAs feature set. This operation measures the "lightweight registration time" from an H.323 Gateway (GW) to the GK. The lightweight registration time is the time from the sending of a registration request (RRQ) to the time a registration confirmation (RCF) is received by the GW.
Figure 19
IP SLAs VoIP Gatekeeper Delay Monitoring
Benefits
• Adds to the already strong VoIP-monitoring capabilities.
• Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.
• Monitors SLAs.
• Monitors network performance.
• Provides IP service network health readiness assessment.
• Monitors edge-to-edge network availability.
• Monitors business-critical applications performance.
• Troubleshoots network operations.
Hardware
Cisco IOS Packaging
Cisco IOS IP SLAs VoIP Gatekeeper Delay Monitoring is positioned in the IP Voice packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Tom Zingale (tomz@cisco.com)
2.4.7) IP Service Level Agreements CLI Introduction
Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.
IP SLAs builds on the previous Cisco IOS Software service assurance functionality and adds recent enhancements. The new CLI is being introduced to ease the deployment of service monitoring: it simplifies the configuration of IP SLAs measurements and enhances the command-line views of service-level measurement data.
The transition to the new configuration command set is made easy because support for the previous configuration commands is retained. In future releases the command structure will be simplified further based on customer input.
Other new commands are also included with this Cisco IOS Software release.
Benefits
• Ease-of-use improvements.
• Improved show commands with more detailed and useful information.
• Performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.
• SLA monitoring.
• Network performance monitoring.
• IP service network health readiness assessment.
• Edge-to-edge network availability monitoring.
• Business-critical applications performance monitoring.
• Network operation troubleshooting.
Hardware
Considerations
Because some display commands are changed, automated scripts that parse output of the commands may need to be modified. Consult the documentation for details.
Cisco IOS Packaging
Cisco IOS IP SLAs CLI Introduction is positioned in the IP Voice, Advanced Security, and Enterprise Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Tom Zingale (tomz@cisco.com)
2.4.8) IP Service Level Agreement Sub-Millisecond Accuracy Improvements
Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS Software IP Service Level Agreements are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as VoIP, audio and video, VPN, and other business-critical applications. Cisco IOS Software IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS Software IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.
This feature adds granular and highly accurate measurements to the robust set of functions included in Cisco IOS Software IP SLAs. The functions within IP SLAs measure various performance parameters such as round-trip time, one-way latency, jitter (interpacket delay variance), packet loss, and so on.
Improvements such as increased link speeds and the deployment of higher-performing routers and switches have reduced latency, increased capacity, and enormously expanded throughput in today's high-speed networks. As a result, the accuracy of the measurements provided by IP SLAs is likewise being improved.
Improvements have been made in two primary areas:
• The accuracy of measurements is improved from one millisecond to one-tenth of a millisecond.
• More efficient time stamping also results in greater accuracy of measurements.
Benefits
• Provides very accurate performance data.
• Offers more granular and accurate results to reflect the characteristics of networks being deployed now and into the future.
• Allows more efficient use of internal resources for enhanced performance.
• Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.
• Monitors SLAs.
• Monitors network performance.
• Provides IP service network health readiness assessment.
• Monitors edge-to-edge network availability.
• Monitors business-critical applications performance.
• Troubleshoots network operation.
Hardware
Cisco IOS Packaging
Considerations
In order to utilize the accuracy enhancements, the source and destination endpoints of the measurements must have Cisco IOS Software Release 12.3(14)T.
Cisco IOS Packaging
IP SLAs Sub-Millisecond Accuracy Improvements is positioned in the IP Voice packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Tom Zingale (tomz@cisco.com)
2.5) IP Services
2.5.1) Network Address Translation Virtual Interface
Cisco IOS Software provides a NAT subsystem with extensive support for protocols that embed IP addresses within the payload using Application Layer Gateway (ALG) functions. Cisco IOS NAT was extended to support VPN VRF tables in Cisco IOS Software Release 12.2(15)T. This support allowed NAT to be centrally deployed and provided a solution for interconnection between communities with overlapping addresses in different VRFs. However, prior to the introduction of this feature, NAT could not be performed on traffic flowing between two interfaces, both marked as inside interfaces within a single device.
The feature offers an alternative way to configure NAT and permits packets between different VRFs to undergo NAT, while traffic from each VRF to common services can also be processed.
Benefits
• More deployment options available for service providers offering MPLS-based services.
• Reduced complexity for configurations where NAT is required.
Hardware
Cisco IOS Packaging
NAT Virtual Interface is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Patrick Grossette (pgrosset@cisco.com)
2.5.2) Network Address Translation Routemaps Outside-to-Inside Support
Cisco IOS NAT allows for the configuration of routemaps to establish traffic eligible for translation. Certain environments and network designs will benefit from the ability to interrogate defined routemaps for traffic flowing from the NAT outside interface toward the NAT inside interface.
This feature provides for interrogation and use of defined routemaps for traffic flowing from outside to inside.
Prior to this feature, Cisco IOS NAT did not permit traffic from outside destined to a global address associated with a dynamic entry based on a routemap. With this support, customers can use routemaps to allocate global addresses and permit return traffic to use these global addresses. Return traffic is verified to match the defined routemap in the reverse direction.
Figure 20
NAT Routemap Outside-to-Inside Support
In Figure 20, suppose A and B want to converse. When each registered with the directory server, a routemap was used to allocate the global IP address. With this feature, A is allowed to connect to B directly through R2 (as long as its traffic matches the routemap), even though B's global IP address was established using a routemap. Other traffic from other devices that does not match the routemap is dropped.
Benefits
• Provides more flexibility in allocation of global addresses.
• Allows for service-based address allocation and selective address translation.
Hardware
Cisco IOS Packaging
NAT Routemap Outside-to-Inside Support is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Patrick Grossette (pgrosset@cisco.com)
2.5.3) Dynamic Host Configuration Protocol Intelligent Services Gateway Enhancements
To make it possible for ISPs (or address providers) to provide service to customers using one network infrastructure, Cisco IOS Software features are closely integrated. These enhancements extend the feature integration between Cisco IOS Software DHCP services and other features.
More specifically, this work enables a router, under control of the administrator, to specify which address provider, or address pool, should be used to provide various end stations and customers with an IP address.
This infrastructure will enable other services in future releases.
Benefits
• Extends integration of Cisco IOS Software features to meet customer requirements.
• Enables more flexible deployment and control over IP address assignments.
Hardware
Cisco IOS Packaging
DHCP Intelligent Services Gateway Enhancements is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Patrick Grossette (pgrosset@cisco.com)
2.5.4) Dynamic Host Configuration Protocol Relay Subscriber Identifier Suboption
The DHCP Relay function in Cisco IOS Software provides support for forwarding DHCP requests to designated DHCP servers.
This feature allows configuration of a character string on an interface or subinterface basis and can be used to uniquely identify a subscriber or user. When the DHCP Relay Information option is enabled, this configured string is added in the subscriber-identifier suboption of the Relay Information option in all the DHCP requests that are forwarded on to the specified DHCP servers.
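To make the suboption concrete, here is an added Python example (not Cisco code) that builds the Relay Agent Information option (option 82) carrying the subscriber-identifier suboption (code 6, RFC 3993) as a relay would before forwarding a request, and parses it back as a DHCP server would; the client options, circuit-ID string and subscriber string are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

OPT_DHCP_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82        # Relay Agent Information option, RFC 3046
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1            # RFC 3046
SUBOPT_SUBSCRIBER_ID = 6         # Subscriber-ID suboption, RFC 3993

# Constructed DHCPDISCOVER options field as sent by a client (after the magic
# cookie): message type 1 (DISCOVER) followed by the END marker.
CLIENT_OPTIONS = bytes([OPT_DHCP_MESSAGE_TYPE, 1, 1, OPT_END])


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse a DHCP options field into {code: value}, stopping at END."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:                       # PAD
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def _end_offset(raw: bytes) -> int:
    """Offset of the END option (validate with parse_options first)."""
    i = 0
    while i < len(raw) and raw[i] != OPT_END:
        i += 1 if raw[i] == 0 else 2 + raw[i + 1]
    return i


def parse_relay_agent_info(value: bytes) -> Dict[int, bytes]:
    """Split option 82's value into {suboption code: value} (same TLV layout)."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated suboption header")
        code, length = value[i], value[i + 1]
        sub = value[i + 2:i + 2 + length]
        if len(sub) != length:
            raise ValueError("truncated suboption %d" % code)
        subs[code] = sub
        i += 2 + length
    return subs


def build_relay_agent_info(suboptions: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(struct.pack("!BB", c, len(v)) + v for c, v in suboptions)
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds the 255-byte option limit")
    return struct.pack("!BB", OPT_RELAY_AGENT_INFO, len(body)) + body


def relay_forward(client_options: bytes, subscriber_id: str, circuit_id: bytes) -> bytes:
    """Options field the relay forwards to the server, with option 82 appended.

    A request arriving from the client side that already carries option 82 is
    dropped (RFC 3046, section 2.1.1, says a relay SHOULD do so for untrusted
    circuits), so a client cannot claim another subscriber's identifier.
    """
    if OPT_RELAY_AGENT_INFO in parse_options(client_options):
        raise ValueError("option 82 present in client-originated request; dropping")
    end = _end_offset(client_options)
    option82 = build_relay_agent_info([
        (SUBOPT_CIRCUIT_ID, circuit_id),
        (SUBOPT_SUBSCRIBER_ID, subscriber_id.encode("ascii")),
    ])
    return client_options[:end] + option82 + bytes([OPT_END])


if __name__ == "__main__":
    forwarded = relay_forward(CLIENT_OPTIONS, "cust-0042", b"Gi0/1:vlan100")
    subs = parse_relay_agent_info(parse_options(forwarded)[OPT_RELAY_AGENT_INFO])
    print("server sees subscriber:", subs[SUBOPT_SUBSCRIBER_ID].decode())
```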
Benefits
Allows more flexibility and granular control over the way IP address assignments are made.
Hardware
Cisco IOS Packaging
DHCP Relay Subscriber Identifier Suboption is positioned in the Advanced Enterprise Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Patrick Grossette (pgrosset@cisco.com)
2.5.5) Virtual Router Redundancy Protocol Message Digest Algorithm 5 Authentication
Hot Standby Router Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP) allow for Message Digest Algorithm 5 (MD5) authentication for passwords exchanged between first-hop redundancy group members. This feature brings this same security feature to Virtual Router Redundancy Protocol (VRRP) as well.
Benefits
• Protects the password exchanged over the wire between VRRP group members with an MD5 hash, so that it is not sent in clear text.
• Provides the same level of security as HSRP and GLBP for users that demand an IETF standard protocol for first-hop redundancy.
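An added example (not Cisco's implementation; the trailer layout and the authentication-type value are assumptions made for illustration) of why the keyed-MD5 form is preferable to the clear-text password option: the advertisement carries only a digest computed over the packet plus the shared key, so the key itself is not on the wire and a receiver detects an advertisement whose priority was rewritten in transit. The VRID, addresses and keys are constructed.

```python
import hashlib
import hmac
import socket
import struct

VRRP_VERSION_TYPE = 0x21   # VRRP version 2, message type 1 (ADVERTISEMENT)
AUTH_TYPE_SIMPLE = 1       # RFC 2338 simple text password, carried in the clear
AUTH_TYPE_MD5 = 254        # assumed value for this illustration only
DIGEST_LEN = 16
TRAILER_LEN = 2 + DIGEST_LEN   # key ID, digest length, digest


def _checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, vip: str, auth_type: int,
                        auth_data: bytes = b"", adver_int: int = 1) -> bytes:
    """VRRPv2 advertisement with one virtual address (RFC 3768 field layout)."""
    hdr = struct.pack("!BBBBBBH", VRRP_VERSION_TYPE, vrid, priority, 1,
                      auth_type, adver_int, 0)
    body = socket.inet_aton(vip) + auth_data.ljust(8, b"\x00")[:8]
    return hdr[:6] + struct.pack("!H", _checksum(hdr + body)) + body


def sign_md5(packet: bytes, key: bytes, key_id: int = 1) -> bytes:
    """Append a keyed-MD5 trailer.

    Assumed scheme, in the style of keyed MD5 in OSPF and RIP: the digest is
    MD5 over the advertisement followed by the secret, so only the digest,
    never the secret, goes on the wire.
    """
    digest = hashlib.md5(packet + key).digest()
    return packet + struct.pack("!BB", key_id, DIGEST_LEN) + digest


def verify_md5(wire: bytes, keys: dict) -> bool:
    """Receiver side: recompute the digest with the configured key for key_id."""
    if len(wire) < 8 + TRAILER_LEN:
        return False
    packet, trailer = wire[:-TRAILER_LEN], wire[-TRAILER_LEN:]
    key_id, length = trailer[0], trailer[1]
    if length != DIGEST_LEN or key_id not in keys:
        return False
    expected = hashlib.md5(packet + keys[key_id]).digest()
    return hmac.compare_digest(expected, trailer[2:])   # constant-time compare


def secret_on_wire(wire: bytes, secret: bytes) -> bool:
    """Would a sniffer on the segment see the secret itself?"""
    return secret in wire


def tamper_priority(wire: bytes, new_priority: int) -> bytes:
    """Rewrite the priority field and fix the checksum, keeping the trailer."""
    packet = bytearray(wire[:-TRAILER_LEN])
    packet[2] = new_priority
    packet[6:8] = b"\x00\x00"
    packet[6:8] = struct.pack("!H", _checksum(bytes(packet)))
    return bytes(packet) + wire[-TRAILER_LEN:]


# Constructed values for the demonstration.
SHARED_KEY = b"vrrp-group-10-secret"
SIMPLE_ADV = build_advertisement(10, 100, "192.0.2.1", AUTH_TYPE_SIMPLE, b"pass1234")
MD5_ADV = sign_md5(build_advertisement(10, 100, "192.0.2.1", AUTH_TYPE_MD5), SHARED_KEY)

if __name__ == "__main__":
    print("simple auth exposes password:", secret_on_wire(SIMPLE_ADV, b"pass1234"))
    print("md5 auth exposes key:", secret_on_wire(MD5_ADV, SHARED_KEY))
    print("genuine advertisement verifies:", verify_md5(MD5_ADV, {1: SHARED_KEY}))
    print("tampered advertisement verifies:",
          verify_md5(tamper_priority(MD5_ADV, 255), {1: SHARED_KEY}))
```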
Hardware
Considerations
Support for MD5 authentication is specific to Cisco and not part of the VRRP standard. It is probably not interoperable with equipment from other vendors.
Cisco IOS Packaging
VRRP MD5 Authentication is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Patrick Grossette (pgrosset@cisco.com)
2.5.6) Extended Prepaid Tariff Switch with Service Selection Gateway
Today, even without this enhancement, service providers can switch tariff rates midsession in Service Selection Gateway (SSG) prepaid billing mode. One example of a tariff rate switch is charging a higher rate during business hours and switching to a lower rate after business hours. In another example, providers switch between a volume basis and a time basis, or the reverse, in which case the tariff model changes midsession. Both tariff switch modes are supported today in SSG. But such changes require billing servers to provide SSG with two quotas and the time of the tariff switch. The first quota applies to the tariff rate before the switch, and the second quota to the postswitch rate. SSG applies the quotas and tariff rates accordingly, based on the switch time.
With this new extension to prepaid tariff switching functionality, prepaid billing servers can choose to provide only one quota instead of two. SSG will use the same quota and report back how much of the quota was used before and after the tariff switch. This approach simplifies service providers' billing and operations server implementations.
Benefits
Simplified billing server implementation for service providers.
Restrictions
• Cannot be used when a tariff type is changed in midsession (for example, a change from a time-based tariff to a volume-based tariff).
• SSG accounting must be enabled in order for the SSG Extended Prepaid Tariff Switching feature to be used.
Hardware
Cisco IOS Packaging
Cisco IOS Extended Prepaid Tariff Switch with SSG is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Murali Kolli (mkolli@cisco.com)
2.5.7) MAC Address-Based Authorization with Service Selection Gateway
SSG currently authenticates users with Web-based login through Cisco Subscriber Edge Services Manager (SESM) or acting as RADIUS proxy in an Extensible Authentication Protocol (EAP) type of authentication. SSG also can authenticate the users based on their IP address through the functionality called Transparent Auto Logon (TAL).
MAC address-based authentication ties the DHCP-allocated IP address to the MAC address of the client device so that the MAC address can be used to authenticate the user.
If a connection request comes from an unknown user, SSG mandates explicit Web login with a captive portal. After initial login, the MAC address of the client device is learned and tracked for further authentication during the next login. Thereafter, SSG implicitly authenticates the user at every login until a predefined time interval has passed.
Benefits
After the user authenticates with Web login, further user logins can be avoided, as long as the user keeps using the same client device, until the predefined time period has passed.
Restrictions
Assumes that the device belongs to the same user all the time. If users swap devices, the identity of the users behind the devices can be misunderstood.
Hardware
Cisco IOS Packaging
MAC Address-Based Authorization with SSG is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Murali Kolli (mkolli@cisco.com)
2.5.8) Service Selection Gateway Aware On-Demand IP Address Renewal
Service Selection Gateway (SSG) functionality must handle two situations:
1. Subscribers trying to connect to a broadband remote-access server (BRAS) using Ethernet access need to be given a temporary IP address until they are authenticated and are ready to connect to one of the services. Switchover of the IP address to an address belonging to the chosen service or SP should happen dynamically.
2. The second situation is for subscribers who are connected and are actively using one of the services. When they try to switch to a new service or SP, if that new service or SP mandates an IP address change for the session (with an IP address from a pool specific to that service or service provider's network), the service selection solution should be aware of that requirement and support such a change. This is an equal access network (EAN) requirement and an application service provider requirement to provide specific services (for example, gaming and Web-sharing applications) belonging to the network.
Benefits
• For Ethernet access subscribers, service providers can give a short-term lease of an IP address and renew for a longer lease after authentication.
• Subscribers can access services and dynamically change IP address to application service provider distributed addresses. Enables application access without NAT.
Hardware
Cisco IOS Packaging
SSG Aware On-Demand IP Address Renewal is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Murali Kolli (mkolli@cisco.com)
2.5.9) Service Selection Gateway Support for Subnet-Based Authentication
Subnet-based authentication functionality enables SSG to accept a login from one of the users in a subnet (for example, a business) and to treat a complete subnet as authenticated. This functionality will eliminate the need for all the users in a subnet (or a business) to authenticate individually. This enhancement will also enable services for all users in the subnet and generate aggregate billing records.
Subnet-based authentication is supported for both Web login users and transparent autologon (TAL) users.
Benefits
• Enables service providers to offer business Internet services, avoiding the need for every user to identify and log in.
• Enables service providers to offer pay-per-use Internet service to their SOHO customers.
• Provides easy-to-use dedicated video and voice appliances to deliver those services over the same IP network after initial authentication from a personal computer.
Restrictions
• Subnet-based authentication is not supported for users with PPP-based access.
• Once subnet-based authentication is enabled, individual subscribers on that subnet are not identified and tracked.
Hardware
Cisco IOS Packaging
SSG Support for Subnet-Based Authentication is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Murali Kolli (mkolli@cisco.com)
2.6) IPv6
2.6.1) Dynamic Host Configuration Protocol version 6 Prefix Delegation Using Authentication, Authorization, and Accounting
An IPv6 prefix-delegating router (DHCPv6 server) selects prefixes to be assigned to a requesting router (DHCPv6 client) upon receiving a request from the client. Prior to this feature, these prefixes could be obtained only using one of the following:
• A statically configured client-specific binding
• A locally configured IPv6 prefix pool
This feature enables a third option. It allows the prefix assignment to originate from a RADIUS/AAA Server using the Framed-IPv6-Prefix attribute as described in RFC 3162.
Cisco IOS Software Release 12.3(4)T added support for the Framed-IPv6-Prefix attribute (see DDTS CSCdy19621). The DHCPv6 Prefix Delegation Using AAA feature enables the DHCPv6 server to interface with AAA to obtain the prefix assignment using an AAA/RADIUS authorization request.
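As an added example (not the bulletin's or Cisco's code), the following Python encodes and decodes the Framed-IPv6-Prefix attribute (type 97) defined in RFC 3162, as the DHCPv6 server's AAA front end would receive it in a RADIUS Access-Accept, and rejects malformed values rather than delegating a prefix it cannot trust. The Access-Accept attribute list and the delegated prefix are constructed.

```python
import ipaddress
from typing import List

ATTR_SESSION_TIMEOUT = 27
ATTR_FRAMED_IPV6_PREFIX = 97     # RFC 3162, section 2.3


def encode_framed_ipv6_prefix(network: ipaddress.IPv6Network) -> bytes:
    """Type(1) Length(1) Reserved(1) Prefix-Length(1) Prefix(only the octets needed)."""
    plen = network.prefixlen
    octets = (plen + 7) // 8
    prefix = network.network_address.packed[:octets]
    return bytes([ATTR_FRAMED_IPV6_PREFIX, 4 + octets, 0, plen]) + prefix


def decode_framed_ipv6_prefixes(attrs: bytes) -> List[ipaddress.IPv6Network]:
    """Return every valid Framed-IPv6-Prefix found in a RADIUS attribute list.

    Malformed values are rejected rather than guessed at: a length outside
    4..20, a non-zero Reserved octet, a prefix length over 128, or prefix bits
    set beyond Prefix-Length (RFC 3162 requires those bits to be zero).
    """
    prefixes: List[ipaddress.IPv6Network] = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != ATTR_FRAMED_IPV6_PREFIX:
            continue                         # other attributes are not our concern here
        if not 2 <= len(value) <= 18:
            raise ValueError("Framed-IPv6-Prefix has wrong length")
        reserved, plen = value[0], value[1]
        if reserved != 0 or plen > 128:
            raise ValueError("Framed-IPv6-Prefix: bad Reserved or Prefix-Length")
        # Sender may omit trailing octets; pad to a full 16-byte address.
        addr = ipaddress.IPv6Address(value[2:].ljust(16, b"\x00"))
        net = ipaddress.IPv6Network((addr, plen), strict=False)
        if net.network_address != addr:
            raise ValueError("Framed-IPv6-Prefix: bits set beyond Prefix-Length")
        prefixes.append(net)
    return prefixes


# Constructed Access-Accept attribute list: Session-Timeout (3600 s) plus the
# prefix the AAA server wants delegated to this DHCPv6 client.
DELEGATED = ipaddress.IPv6Network("2001:db8:1234::/48")
ACCEPT_ATTRS = (bytes([ATTR_SESSION_TIMEOUT, 6]) + (3600).to_bytes(4, "big")
                + encode_framed_ipv6_prefix(DELEGATED))

if __name__ == "__main__":
    for net in decode_framed_ipv6_prefixes(ACCEPT_ATTRS):
        print("delegate", net)
```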
Benefits
• More flexibility and control of IPv6 address assignments.
• Centralized control and management of IPv6 prefix assignments using AAA/RADIUS.
Hardware
Additional Information: http://www.cisco.com/en/US/tech/tk872/technologies_white_paper09186a00801e199d.shtml
Product Management Contact: Patrick Grossette (pgrosset@cisco.com)
2.6.2) Mobile IP: Mobile IPv6 Home Agent
This feature provides support for the Mobile IPv6 Home Agent (HA). It includes the following:
• Home Agent: Allows an IPv6 router to act as a home agent for one or more mobile nodes when they are away from home.
• Advertisement Interval Option: Allows a configurable Advertisement Interval option to help mobile nodes perform movement detection.
• Duplicate Address Detection: Enables verification of the mobile node (MN) IP address by performing duplicate address detection (DAD) when processing a registration request from an MN.
• Dynamic Home Agent Address Discovery: Allows home agents in a subnet to learn of each other's presence and capabilities by listening to router advertisements.
• Access Control Lists: Supports use of ACLs to limit sources of binding updates, Dynamic Home Agent Address Discovery (DHAAD) requests, and prefix solicitations, allowing control over roaming.
Benefits
RFC 3775-compliant support for Mobile IPv6 Home Agent.
Hardware
Considerations
• Does not include full support for correspondent node.
• This phase does not deliver support for the use of IPsec (ESP) in binding updates and binding acknowledgements between a mobile node and its home agent. However, it does not prevent end-to-end IPsec from being used to secure communication between a mobile node and a correspondent node when Cisco IOS Software is acting as the home agent.
Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/docs/mobileipv6.pdf
Cisco IOS Packaging
Mobile IP: Mobile IPv6 Home Agent is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Patrick Grossette (pgrosset@cisco.com)
2.6.3) Cisco Express Forwarding Support for Network Address Translation-Protocol Translation
Cisco IOS Network Address Translation-Protocol Translation (NAT-PT) translates packets that traverse between IPv4-only and IPv6-only networks in either direction. NAT-PT translates the IP header and source and destination ports if needed. It also translates the embedded IP addresses and ports for application protocols of which it is aware.
Prior to the introduction of this feature, packets undergoing NAT-PT were process-switched, which limited the throughput that could be achieved while using this feature. Now packets that undergo NAT-PT are processed in the interrupt path and use Cisco Express Forwarding.
Benefits
Better performance when translation between IPv4 and IPv6 networks is necessary.
Hardware
Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_data_sheet09186a008011ff51.html
Cisco IOS Packaging
Cisco Express Forwarding Support for NAT-PT is positioned in the IP Base packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Patrick Grossette (pgrosset@cisco.com)
2.6.4) Simple Network Management Protocol Using IPv6 Transport
IPv6 networks are becoming more prominent, as are the requirements for management in an all-IPv6 environment. To date, most IPv6 networks have been deployed with support for IPv4 and with the assumption that network management was based on IPv4.
SNMP over IPv6 Transport allows network management to be performed from a station running only IPv6.
The feature includes:
• Support for SNMP get/set requests and responses over IPv6 transport
• SNMP notifications to IPv6 destinations
  – Modification of the snmp-server host CLI to configure IPv6 hosts as trap receivers
• SNMPv3 configuration*
  – Support of MIBs for configuration of SNMPv3 users, groups, and views, and configuration of SNMPv3 engines or end stations for use in either an IPv4 or IPv6 environment
• SNMP proxy forwarder
  – Support of SNMP proxy forwarder using IPv6 transport
MIB Changes
• MIB updates for IPv6
  – CISCO-FLASH-MIB
  – CISCO-CONFIG-COPY-MIB
  – CISCO-CONFIG-MAN-MIB
  – CISCO-CONFIG-COPY-CAPABILITY
  – ENTITY-MIB
  – NOTIFICATION-LOG-MIB
• New MIB
  – CISCO-SNMP-TARGET-EXT-MIB (extension of SNMP-TARGET-MIB)
• Modification of MIB implementation for IPv6
  – SNMP-USM-MIB
  – SNMP-VACM-MIB
Benefits
• Provides the base function needed to enable management of all-IPv6 networks.
• Includes support for RFC 3419: Textual Conventions for Transport Addresses.
Hardware
Considerations
Provides for support of IPv6 using an internal proxy method.
Cisco IOS Packaging
SNMP Using IPv6 Transport is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contacts: IPv6—Patrick Grossette (pgrosset@cisco.com), SNMP—Michael Cheung (cheung@cisco.com)
2.6.5) IPv6 Bootstrap Router Bidirectional Support
This feature improves upon the IPv6 Bootstrap Router (BSR) implementation by offering support for bidirectionality in BSR.
Benefits
Supports the advertising of bidirectional rendezvous points in candidate-RP (C-RP) messages and of bidirectional ranges in the bootstrap message (BSM).
Hardware
Considerations
All the routers in the system must be upgraded to be able to understand the bidirectional range. Just upgrading candidate RP and candidate BSR routers is not sufficient.
Cisco IOS Packaging
IPv6 BSR Bidirectional Support is positioned in the Advanced IP Services and Enterprise Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Gurvinder Singh (g_singh@cisco.com)
2.6.6) IPv6 Bootstrap Router Scoped Zone Support
IPv6 Bootstrap Router (BSR) Scoped Zone Support enhances IPv6 BSR, allowing for distribution of group-to-RP mappings in networks using administratively scoped multicast.
Benefits
Allows the customer to configure candidate BSRs and a set of candidate RPs for each administratively scoped region in the domain.
Hardware
Cisco IOS Packaging
IPv6 BSR Scoped Zone Support is positioned in the Advanced IP Services and Enterprise Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Gurvinder Singh (g_singh@cisco.com)
2.7) Multiprotocol Label Switching
2.7.1) Multiprotocol Label Switching: Label Distribution Protocol Graceful Restart
Cisco Nonstop Forwarding (NSF) with Stateful Switchover (SSO) has been proven to increase the availability of networks for service providers and enterprises. Cisco IOS Software Release 12.2(25)S added support for MPLS HA, including Label Distribution Protocol (LDP) Graceful Restart capability as specified by RFC 3478.
This feature brings this support for LDP Graceful Restart to other Cisco IOS Software products that are based on Cisco IOS Software Release 12.3(14)T and future Cisco IOS Software releases.
Benefits
• Enables more product deployment options.
• Features consistency across products.
Hardware
Cisco IOS Packaging
MPLS: LDP Graceful Restart is positioned in the SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Pepe Garcia (pepe@cisco.com)
2.7.2) Multiprotocol Label Switching: Label Distribution Protocol Inbound Label Binding Filtering
MPLS LDP supports inbound label binding filtering, which allows customers to configure ACLs to control the label bindings a label switch router (LSR) accepts from its peer LSRs.
Benefits
• Helps control the amount of memory used to store LDP label bindings advertised by other routers.
• In a simple MPLS VPN environment, the VPN PE routers may require LSPs only to their peer PE routers (that is, they do not need LSPs to core routers).
• Inbound label binding filtering enables a PE router to accept labels only from other PE routers.
Hardware
Cisco IOS Packaging
MPLS: LDP Inbound Label Binding Filtering is positioned in the SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Ripin Checker (rchecker@cisco.com)
2.7.3) Multiprotocol Label Switching: Virtual Routing and Forwarding-Aware Static Labels
The VRF-Aware Cisco MPLS Static Labels feature allows MPLS static labels to be used for VRF traffic.
When the static labels software is not VRF aware, it can be used only for the following purposes:
• Configuring MPLS forwarding table entries for the global routing table.
• Assigning label values to forwarding equivalence classes (FECs) learned by LDP for the global routing table.
Those limitations mean that in MPLS VPN environments, the software can be used only in the provider core.
Note:
This feature is supported only in carrier supporting carrier (CSC) mode.
Benefits
• Static labels can be used at the VPN edge.
• Static bindings between labels and IPv4 prefixes can be configured statically.
Hardware
Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_white_paper09186a00801b23af.shtml
Cisco IOS Packaging
MPLS: VRF-Aware Static Labels is positioned in the SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Ripin Checker (rchecker@cisco.com)
2.7.4) Multiprotocol Label Switching: Label Distribution Protocol Session Protection
MPLS LDP Session Protection maintains LDP bindings when a link fails. MPLS LDP sessions are protected through the use of LDP Hello messages. When you enable MPLS LDP session protection, the LSRs send messages to find other LSRs with which they can create LDP sessions.
If the LSR is one hop from its neighbor, it is directly connected to its neighbor. The LSR sends out LDP Hello messages as UDP packets to all the routers on the subnet. The hello message is called an LDP Link Hello. A neighboring LSR responds to the hello message, and the two routers begin to establish an LDP session.
If the LSR is more than one hop from its neighbor, it is not directly connected to its neighbor. The LSR sends out a directed hello message as a UDP packet, but as a unicast message specifically addressed to that LSR. The hello message is called an LDP Targeted Hello. The nondirectly connected LSR responds to the Hello message, and the two routers establish an LDP session. (If the path between two LSRs has been traffic engineered and has LDP enabled, the LDP session between them is called a targeted session.)
MPLS LDP Session Protection uses LDP Targeted Hellos to protect LDP sessions.
Benefits
•
Improves network reconvergence time.
•
Enables more product deployment options.
•
Features consistency across products.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95d9.html
Cisco IOS Packaging
MPLS LDP Session Protection is positioned in the SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Ripin Checker (rchecker@cisco.com)
2.7.5) Multiprotocol Label Switching: Label Distribution Protocol Autoconfiguration
This enhancement provides a global configuration command that enables LDP on interfaces for which a specified IGP has been enabled. This simplifies LDP configuration by making it unnecessary to explicitly configure each interface and reduces the likelihood of accidentally omitting explicit LDP configuration on one or more interfaces for which it is required.
LDP is disabled on all interfaces by default. Prior to this feature, the interface-level [no] mpls ip command enabled or disabled LDP on the interface.
This feature defines a new global configuration command:
mpls ldp autoconfig
When this command is used, it is not necessary to configure mpls ip on each interface covered by the mpls ldp autoconfig command. Optional parameters specify the applicability of the command with regard to the IGP enabled on each interface.
Benefits
•
Reduces potential for configuration error.
•
Simplifies configuration.
•
Enables more product deployment options.
•
Features consistency across products.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95de.html
Cisco IOS Packaging
MPLS LDP Autoconfiguration is positioned in the SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Ripin Checker (rchecker@cisco.com)
2.7.6) Multiprotocol Label Switching: Label Distribution Protocol-Interior Gateway Protocol Synchronization
Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) Interior Gateway Protocol (IGP) Synchronization ensures that LDP is fully established before the IGP path is used for switching.
This feature provides synchronization of IGP forwarding with MPLS forwarding to reduce the chance of MPLS traffic being lost following link failure or link flap.
Packet loss can occur because the actions of the IGP and LDP are not synchronized. Packet loss can occur in two situations:
•
When an IGP adjacency is established, the router begins forwarding packets using the new adjacency before the LDP label exchange completes between the peers on that link.
•
If an LDP session closes, the router continues to forward traffic using the link associated with the LDP peer rather than an alternate pathway with a fully synchronized LDP session.
This feature provides a means to synchronize LDP and IGP to minimize MPLS packet loss.
MPLS LDP-IGP Synchronization enables users to globally enable LDP-IGP Synchronization on every interface associated with an IGP process. (Currently, the only IGP that supports this feature is OSPF.) Also, it provides a means to disable LDP-IGP Synchronization on interfaces that you do not want enabled. The goal of MPLS LDP-IGP Synchronization is to prevent MPLS packet loss because of synchronization conflicts.
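The two knobs described in 2.7.5 and 2.7.6, shown together as an added Cisco IOS configuration example (written for this bulletin, not taken from it or from Cisco's feature guides): the placement of both commands under the OSPF process and the per-interface opt-out follow the shipping IOS syntax as an assumption, and the process ID, addresses, area and interface names are placeholders.

```cisco
! Added example (not from the bulletin): LDP autoconfiguration plus
! LDP-IGP synchronization on an OSPF-enabled LSR. Process ID, area,
! addresses and interface names are placeholders.
!
! Before: LDP enabled interface by interface. Any OSPF-enabled interface
! that is missed here carries IGP traffic but has no label binding.
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 mpls ip
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.252
 ! mpls ip omitted by mistake: an IGP path exists, an LDP session does not
!
! After: let the IGP drive LDP. Assumed syntax: both commands are entered
! under the OSPF process rather than at the top level.
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 ! enable LDP on every interface on which OSPF area 0 runs
 mpls ldp autoconfig area 0
 ! keep the IGP from advertising a link until the LDP session on it is up
 mpls ldp sync
!
! An interface that should stay out of synchronization keeps an explicit opt-out.
interface GigabitEthernet0/2
 ip address 10.0.2.1 255.255.255.252
 no mpls ldp igp sync
!
! Verification commands (real IOS show commands; output omitted here):
! show mpls interfaces
! show mpls ldp igp sync
```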
Benefits
•
Improves reconvergence and availability.
•
Minimizes potential for traffic and packet loss in certain situations.
Hardware
Considerations
There must be an alternate path available for traffic to benefit from this feature.
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95dd.html
Cisco IOS Packaging
MPLS: LDP Autoconfiguration feature is positioned in the SP Services packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Ripin Checker (rchecker@cisco.com)
3) Release 12.3(11)T Highlights
3.1) New Hardware Support
3.1.1) Cisco 3800 Series Integrated Services Router
The integrated services routing architecture of the Cisco 3800 Series builds on the powerful Cisco 3700 Series routers designed to embed and integrate security and voice processing with advanced services for rapid deployment of new applications, including application layer functions, intelligent network services, and converged communications. The Cisco 3800 Series supports the bandwidth requirements for multiple Fast Ethernet interfaces per slot, time-division multiplexing (TDM) interconnections, and fully integrated power distribution to modules supporting 802.3af Power over Ethernet (PoE), while still supporting the existing portfolio of modular interfaces. This ensures continuing investment protection to accommodate network expansion or changes in technology as new services and applications are deployed. By integrating the functions of multiple separate devices into a single compact unit, the Cisco 3800 Series dramatically reduces the cost and complexity of managing remote networks.
New models include the Cisco 3825 and the Cisco 3845, available with three optional configurations for AC power, AC power with integrated IP phone power support, and DC power.
Figure 21
Cisco 3800 Series Integrated Services Router
Benefits
•
This high-performance architecture is optimized for concurrent service deployment and offers increased default and maximum memory for future services growth.
•
Cisco IOS Software features offer support for identifying, preventing, and adapting to security threats and maintaining a self-defending network, including Cisco SDM 2.0, NAC (antivirus enforcement), Dynamic Multipoint VPN, dynamic in-line IDS, Cisco IOS Software Firewall, and URL filtering capabilities.
•
Onboard DSPs—Integrated PVDMs support analog voice, digital voice, conferencing, transcoding, and secure Real-Time Transport Protocol (SRTP) media while enabling network-module or AIM slots for switching, concurrent applications, content, and voice mail.
•
Field-upgradable, modular components are supported on the Cisco 3800 Series, allowing customers to easily change network interfaces without upgrading their entire branch-office network. The Cisco 3800 Series takes advantage of the existing portfolio of WICs, VICs, network modules, and AIMs to reduce sparing, training, configuration, installation, and maintenance costs.
•
The Cisco 3800 Series minimizes downtime with availability features, including optional redundant power, Error Checking and Correction (ECC) memory for improved fault isolation and correction, USB Flash memory for ease of image recovery, advanced temperature monitoring and variable-speed cooling fans, Cisco IOS Software Warm Reboot for improved bootup times, network-module online insertion and removal, and field-replaceable components such as fan tray, motherboard, and power supplies (Cisco 3845 only).
Additional Information: http://www.cisco.com/en/US/products/ps5855/index.html
Product Management Contact: cs-3800@cisco.com
3.2) High Availability
3.2.1) Cisco IOS Warm Upgrade
Cisco IOS Warm Upgrade significantly reduces planned downtime for Cisco IOS Software devices during upgrades to new Cisco IOS Software images. This improves the overall availability of hardware with single route or switch processors. Users implementing Cisco IOS Warm Upgrade will typically enjoy an eighty percent reduction in downtime during an image upgrade.
Figure 22
Cisco IOS Warm Upgrade
Benefits
•
Reduced downtime for planned upgrades
Cisco IOS Warm Upgrade allows the image to be directly loaded into memory and uncompressed while the current image is still executing on the Cisco IOS Software device. A failover then occurs to the new image after it is completely loaded. This allows the load and decompress as well as initial boot steps to be bypassed.
•
Upgrade without storage media
With Cisco IOS Warm Upgrade, it is possible to upgrade to a new image over the network without attempting a netboot from rommon or the boothelper. This allows users to evaluate new software on a device without placing the image on the flash media of a Cisco IOS Software device. Furthermore, if Cisco IOS Warm Upgrade fails for any reason, the Cisco IOS Software device will continue to run the existing image if possible.
Hardware
Considerations
Users will need to have sufficient free memory to decompress the new Cisco IOS Software image in the system in order to be able to leverage Warm Upgrade.
Additional Information:
•
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755a.html
•
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802b4383.html
•
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
3.2.2) Cisco IOS IPsec Stateful Failover
IPsec Stateful Failover allows customers to employ a backup IPsec server to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. The backup (secondary) IPsec server automatically takes over the tasks of the active (primary) router, without losing secure connections with its peers, in the event the active router loses connectivity for any reason. This process is transparent to the end user and does not require adjustment or reconfiguration of any remote peer.
IPsec Stateful Failover is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. IPsec Stateful Failover provides protection for IPsec tunnels, IPsec with GRE, and Cisco IOS Easy VPN traffic.
Figure 23
IPsec Stateful Failover Feature Module
Benefits
Increased resiliency and availability for network applications such as client/server, voice, and video over VPN. These applications can now continue uninterrupted during scheduled network maintenance or a network outage. The IPsec Stateful Failover feature enables rapid failover for geographically dispersed peers, avoiding disruption to critical enterprise applications.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: ask-stg-ios-pm@cisco.com
3.3) Cisco IOS Security
3.3.1) Role-Based CLI Access—Granular Interface Control
Cisco initially introduced Role-Based CLI Access—Granular Interface Control in Release 12.3(7)T. It enables the network device administrator to set up views that define the set of CLI commands that can be accessed by each user. With this enhancement, administrators can control user access and configure specific ports, logical interfaces, and slots on a router.
Figure 24
Role-Based CLI Access—Granular Interface Control
Benefits
With Role-Based CLI Access—Granular Interface Control, administrators can match user access to CLI commands based on their operational roles in the organization.
•
Security: Enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.
•
Availability: Prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. This minimizes downtime.
•
Operational efficiency: Users will only see the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears to be less complex and commands are easier to identify when using on device help.
Hardware
Product Management Contact: ask-stg-ios-pm@cisco.com
3.3.2) 802.1x Supplicant
There are deployment scenarios in which a network device (a router acting as an 802.1X authenticator) is placed in an unsecured location and cannot be trusted as an authenticator. This scenario mandates that a network device have the ability to authenticate itself against another network device.
The 802.1x supplicant support functionality provides the following solutions:
•
Extensible Authentication Protocol (EAP) framework: supplicant can "understand" and "respond" to EAP requests. EAP-Message Digest 5 (EAP-MD5) is currently supported.
•
Two network devices that are connected through an Ethernet link can act simultaneously as supplicant and authenticator, thus providing mutual authentication capability.
•
A network device that is acting as a supplicant can authenticate itself with more than one authenticator (i.e., a single port on a supplicant can connect to multiple authenticators).
Figure 25
802.1x Supplicant
Benefits
•
Consistent, standards-based technology for insertion into any mixed multimedia, multi-vendor network.
•
Enforcing corporate policy for network access at Layer 2.
•
Single supplicant can connect to multiple authenticators, so different connectivity and security policies can be implemented for different users.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: ask-stg-ios-pm@cisco.com
3.3.3) Cisco IOS Intrusion Prevention System
Cisco IOS Intrusion Prevention System (IPS) utilizes inline deep packet inspection to enhance network attack mitigation capabilities in Cisco IOS Software. By enabling IPS, customers can quickly protect their network from known network attacks without disrupting router functions or other embedded security capabilities, such as protocol anomaly detection.
The new Cisco IOS IPS capability enables the user to load and enable any of the 700+ IDS signatures that are supported by the Cisco IDS Sensor to deter network attacks. In addition, Cisco IOS IPS allows the user to modify any existing signature or create a new signature to deter newly discovered intrusions. Cisco IOS IPS enables the following actions:
•
Send an alarm
•
Drop the packet
•
Reset the connection
Figure 26
Cisco IOS Intrusion Prevention System
Benefits
•
Ubiquitous protection of network assets
Cisco IOS IPS is supported on a broad range of Cisco routers, enabling the user to protect network users and assets deep into the network architecture. The router is a security enforcer.
•
Inline deep packet inspection
Cisco IOS IPS enables users to stop known network attacks. By alerting the router to an event, Cisco IOS IPS will intercept intrusion attempts to traverse the router. Cisco IOS IPS utilizes deep packet inspection to get into the payload of a packet and uncover the known malicious activity.
•
IDS signature support
Cisco IOS IPS can now be enabled with any of the 700+ IDS signatures supported by the Cisco IDS Sensors to mitigate today's known network attacks. As attacks are identified in the Internet, these signatures are updated and posted to Cisco.com so that they can be downloaded to the Cisco router by way of the VMS IDS MC 2.3 or SDM 2.0. IDS MC also provisions the Cisco IDS Sensor appliance products.
•
Customized signature support
Cisco IOS IPS can now customize existing signatures, while also creating new ones. This Day 1 capability mitigates attacks that try to capitalize on slight deviations of known or newly discovered attacks.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: ask-stg-ios-pm@cisco.com
3.3.4) Cisco IOS Security Device Event Exchange
Cisco IOS Software now supports the Security Device Event Exchange (SDEE) protocol. SDEE is a new standard that specifies the format of messages and the protocol used to communicate events generated by security devices. SDEE is vendor-neutral, so that any vendor can implement it compatibly. This allows mixed IDS vendor environments to have one network management alert interface. TruSecure (ICSA) is currently proposing it as the unified industry protocol format for all vendors to communicate with network management applications. SDEE uses a pull mechanism: requests come from the network management application and the IDS/IPS router responds. SDEE utilizes HTTP and XML to provide a standardized interface. The Cisco IOS IPS router will still send IDS alerts via syslog.
Figure 27
Cisco IOS Security Device Event Exchange
Benefits
•
Vendor Interoperability
SDEE will become the standard format for all vendors to communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and potentially multiple network management platforms.
•
Secured transport
The use of HTTP over SSL or HTTPS ensures that data is secured as it traverses the network.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: ask-stg-ios-pm@cisco.com
3.3.5) Cisco IOS Firewall IPv6 FTP Support
Cisco IOS Software now performs stateful packet inspection of the IPv6 File Transfer Protocol (FTP). Because it inspects FTP statefully, Cisco IOS Firewall can open dynamic data-channel entries so that return traffic is allowed back through the firewall to the FTP client; at the same time it monitors each FTP session for RFC compliance and alerts the network to any protocol anomalies that indicate an end user attempting a malicious act. Cisco IOS Firewall tracks the initial FTP handshake and session termination, ensuring that all users have been authenticated before any data traverses the firewall. This enables Cisco IOS Firewall to prevent network intrusion by unauthorized users who attempt to initiate a connection across the network or to leverage the session of an authorized user. When the user logs off or initiates another form of session termination (abort), the firewall immediately closes all open data and control channels associated with the authorized user.
Additionally, Cisco IOS Firewall now supports Port to Address Mapping (PAM) for IPv6. PAM correlates TCP or UDP port numbers to specific network services or applications. By mapping port numbers to network services or applications, an administrator can force firewall inspection on custom configurations not defined by well-known ports.
Benefits
•
Investment Protection
A wide range of Cisco routers, from the Cisco 1700 Series through the Cisco 7200 Series, support Cisco IOS Firewall. This further enhances the total return of investment in Cisco routers by providing a broad range of network enforcement points, while coexisting in IPv4 and IPv6 environments.
•
Protocol Anomaly Detection for FTP
Cisco IOS Firewall maintains the integrity of the network by monitoring it for network attacks that leverage protocol RFC non-compliance.
•
Authorized FTP users allowed
Only allows users who have been authorized by the end FTP server to initiate session creation. Cisco IOS Software ensures that unauthorized users do not take advantage of data and control channels left open by a previous user. This decreases network vulnerability to unauthorized users.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: ask-stg-ios-pm@cisco.com
3.3.6) Cisco Easy VPN 4.0
Release 12.3(11)T introduces several enhancements to the Easy VPN Remote:
•
Easy VPN Remote with IEEE 802.1x Authentication
Cisco Easy VPN 4.0 adds support for configuration of 802.1x port-based authentication on the private interfaces of the Easy VPN Remote router. This was not available in previous instances of Easy VPN Remote.
Cisco Easy VPN 4.0 also supports Public Key Infrastructure (PKI)/certificates. Previously, only pre-shared keys could be used as key material for the Internet Key Exchange (IKE) (IPsec Phase 1) connection. Configuration is the same as for standard site-to-site IPsec. When configuring PKI on the remote router, it is critical that the subject-name command is set to the subject name in the certificate or PKI will fail.
•
Easy VPN Remote Backup Server List Auto-Configuration
Easy VPN Remote allows the configuration of multiple servers (concentrators) to which the remote router will attempt to connect. With this enhancement, the Easy VPN Server can "push" this server list to Easy VPN Remote clients, eliminating the requirement to manually configure the list of servers on the Easy VPN Remote. Instead, only one server needs to be preconfigured on the remote, and the rest of the server list will be pushed from the server at connect time.
•
Easy VPN Remote Management Enhancements
This feature simplifies the remote management of a Cisco IOS Router acting as an Easy VPN Remote. It does this by making the IP address pushed from the server at connect time fully manageable. The pushed address is automatically assigned to a loopback interface that is dynamically created. This enables ping, Telnet, SNMP, and even dynamic routing to use the pushed address as the address to reach the router. The user can design central site management solutions that use the pushed address as the address to reach the remote routers. This feature can be enabled in both client and network extension modes; it is possible to push an address in NEM, although users can manage the static IP address assigned to the private interface.
•
Easy VPN Remote Load Balancing
When configured for load balancing, the Cisco VPN 3000 Series Concentrator with Easy VPN, accepts an incoming request from the Easy VPN Remote router on its virtual IP address, and if required (for instance, if the server is heavily loaded), it sends a "notify" message to the remote that contains an IP address that represents the new peer to which the client should connect. The Easy VPN Remote router can receive this "redirect" message and it attempts to connect a different server at the address contained in the notify message. Syslog messages indicate when a transition from one peer to another occurs.
•
Easy VPN Remote VLAN Support
It is now possible to define a VLAN as an Easy VPN Remote inside (private) interface. This may be an internal VLAN on the remote router (for instance, switch ports in a Cisco 1711 Router). This means that upon definition, IPsec Service Adapters will be established for the VLAN inside interface just as they are for the physical inside interfaces.
•
Easy VPN Remote Multiple Subnet Support
This enhancement allows multiple subnets on a single inside interface on the Easy VPN Remote router to be defined to Easy VPN. Previously, only a single subnet could be defined for Easy VPN on each inside interface. The subnets can be multiple hops away (cascaded) off the inside interface LAN (for example, the Easy VPN router private interface is connected to a router that has a subnet behind it). The subnets must be configured manually; they cannot be learned by dynamic routing.
•
Easy VPN Remote and Server on Same Interface
Easy VPN Remote and server functions now can be configured on the same interface. A typical application would be a remote router that acts as a client to the headquarters Easy VPN server, while it acts as a server for local software clients. Such a router typically would have a single public interface to the Internet, and both the server and client functions would be configured on this interface.
•
Easy VPN Remote and Site-to-Site on Same Interface
Easy VPN Remote and site-to-site (standard IPsec) functions now can be configured on the same interface. A typical application would be a remote router that acts as a client to the headquarters Easy VPN server while it also has a site-to-site tunnel that is used strictly for management.
•
Easy VPN Perfect Forward Secrecy (PFS) Using Policy Push
The PFS setting for the Easy VPN connection now can be dynamically set at connect time using MODCFG policy push from the server. Previously, PFS had to be configured manually on the Easy VPN Remote.
Hardware
Routers
•
Cisco 800, 1700, 2600, 3700, 7100, 7200, and 7500 Series Routers
•
Cisco 3620, 3640, and 3660 Routers
Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801541d5.html
Product Management Contact: ask-stg-ios-pm@cisco.com
3.3.7) Cisco Security and Router Device Manager 2.0
Cisco Security and Router Device Manager (SDM) 2.0 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize the routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.
Key new features in Cisco SDM 2.0 include support for:
•
Inline IPS with dynamic signature update and signature customization (see Cisco IOS IPS)
•
Role-Based Router Access
•
Easy VPN Server and AAA
•
Digital Certificates for IPsec VPNs
•
VPN and WAN connection troubleshooting
•
QoS policy configuration and NBAR-based application traffic monitoring
Hardware
Routers
•
Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7100, 7200, and 7500 Series Routers
•
Cisco 3620, 3640, and 3660 Routers
Additional Information: http://www.cisco.com/go/sdm
Product Management Contact: ask-stg-ios-pm@cisco.com
3.4) Quality of Service
3.4.1) Cisco AutoQoS for the Enterprise—Suggested Policy
The show auto discovery qos command has been extended to display the Quality of Service (QoS) policy that Cisco AutoQoS suggests, based on the statistics collected during AutoDiscovery. This suggested policy configuration is the one that would be applied in response to the command auto qos.
The new Suggested Policy output follows the existing display of Cisco AutoQoS Class information, showing traffic rates and recommended minimum bandwidth by traffic class, with the recommended class-map and policy-map configuration commands to support the observed traffic.
Figure 28
Cisco AutoQoS for the Enterprise—Suggested Policy
Benefits
The user has several possible options:
1.
This enhancement provides the ability to view the policy prior to applying it to the interface with the auto qos command.
2.
The user can continue the AutoDiscovery process, collect more traffic statistics, and later view the updated statistics and new Suggested Policy, which might change.
3.
The user can copy the Suggested Policy, edit it offline, and then apply it to the interface.
4.
The Suggested Policy can be compared as a benchmark to existing policy statements.
Hardware
Routers
•
Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, 3631, 3640, 3640A, 3660, 3725, and 3745 Routers
•
Cisco 7200 and 7500 Series Routers
Additional Information: http://www.cisco.com/go/qos
Product Management Contact: Tim McSweeney, timcswee@cisco.com
3.5) IP Routing
3.5.1) Border Gateway Protocol Support for Named Extended Community Lists
Border Gateway Protocol (BGP) uses extended community lists to apply policies to groups of prefixes to distinguish routing paths. This enhancement introduces support for named extended community lists. Previously, extended community lists could only be numbered and were limited to a few hundred entries.
Benefits
•
Improves customer's ability to manage and troubleshoot BGP policies by using name strings for extended community lists instead of numerical values.
•
No inherent limit on the number of named extended community lists, provided that they are uniquely named.
Hardware
Product Management Contact: Pepe Garcia, pepe@cisco.com
3.5.2) Border Gateway Protocol Support for Sequenced Entries in Extended Community Lists
Border Gateway Protocol (BGP) uses extended community lists to apply policies to groups of prefixes, in order to distinguish routing paths. These extended community lists are applied in sequential order and can become large in some implementations.
This enhancement provides support for sequencing individual entries in an extended community list.
Benefits
Specific entries within an extended community list are more easily removed, added, and/or modified in a list without having to remove and re-apply the whole list. Each entry has its own sequence number allowing configuration changes to be more efficiently done to individual entries.
Hardware
Product Management Contact: Pepe Garcia, pepe@cisco.com
3.5.3) Border Gateway Protocol Support for Dual Autonomous System Configuration for Network Autonomous System Migrations
When a Service Provider merges its Autonomous System (AS) with another (for example, through a business acquisition), this feature provides a seamless way to transition customers over to the new AS.
This transition involves two integrated feature components:
•
Maintaining the TCP session with the customer's router independent of AS.
•
Modifying the inbound and outbound as-path lists so that this transition to a new AS is as transparent to the customer as possible.
Benefits
This feature allows Service Providers to more easily transition customers from one of their AS numbers to another during the transition phase. Customers can change the Service Provider AS number in their configurations at their convenience.
Hardware
Product Management Contact: Pepe Garcia, pepe@cisco.com
3.5.4) Cisco Optimized Edge Routing Support for Policy-Rules Configuration and Port-Based Prefix Learning
The Cisco Optimized Edge Routing (OER) policy-rules master subcommand facilitates easy switching between configured OER policies. Customers can define more than one oer-map and select the current map with the policy-rules enhancement.
Cisco OER automatically learns prefixes that have the highest throughput or greatest delay. In addition to this automatic prefix learning, Cisco OER now can filter prefixes on the basis of "interesting" protocol-ports configured by the administrator.
Benefits
•
When the network administrator knows that traffic streams to ports below certain numbers or traffic flowing to a particular protocol or combination of protocol-port is not important and need not be optimized, protocol-port based learning can be configured to optimize the learning process by learning what is important to the administrator and the enterprise.
•
If the network administrator is interested in learning prefixes destined or originating from/to a particular port, or a set of ports or set of protocols, additional filters are available with the current protocol-port based learning capability that can be applied to the learning mechanism.
Hardware
Considerations
•
This feature adds more granularity to the learn throughput and learn delay features. It optimizes the learning process by learning the prefixes which the administrator intends to optimize.
•
Learning, optimizing and maintaining uninteresting, superfluous prefixes can cost CPU cycles, increase maintenance overhead, and consume memory on the master controller and the border routers.
Product Management Contact: Paul Kohler, pkohler@cisco.com
3.5.5) Enabling Open Shortest Path First v2 on an Interface Using the ip ospf area Command
Historically, Open Shortest Path First (OSPF) v2 has been enabled on interfaces based on the network command in "router ospf" configuration mode. The OSPFv2 per-interface area command allows OSPF to be enabled under interface configuration mode.
Benefits
• Useful in scenarios where there are unnumbered interfaces.
• Consistent functionality between OSPFv2 and OSPFv3.
Hardware
Product Management Contact: Chetan Khetani, cpk@cisco.com
3.6) Manageability
3.6.1) Egress Netflow
Understanding who is using the network and for how long, what protocols and applications are being utilized, and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes: network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting, departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.
NetFlow traditionally monitors IP flows entering (ingress to) a Cisco IOS Software device; it does not track egress information. Egress NetFlow can track egress IP flows, that is, flows exiting a Cisco IOS Software device. This new capability will ease IP accounting and flow monitoring in some network topologies. For example, Egress NetFlow will simplify the tracking of all IP traffic going to a server farm.
Egress NetFlow also enables the tracking of flows after features such as QoS or NAT have made changes to the IP packet. Egress NetFlow can be used with an MPLS or IP network.
Benefits
• Ingress and egress NetFlow accounting within Cisco IOS Software.
• Tracking of flow information after other Cisco IOS Software features such as QoS or NAT have changed packet characteristics.
• Tracking of all flows egressing (exiting) a specific interface.
• Tracking of all flows entering a specific interface destined to a specific egress interface.
Hardware
Additional Information: http://www.cisco.com/go/netflow
Product Management Contact: Tom Zingale, tomz@cisco.com
3.6.2) Netflow MIB and Top N Talkers
Understanding who is using the network and for how long, what protocols and applications are being utilized and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes: network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting, departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.
NetFlow information is traditionally exported from the router and persistently stored and analyzed by network management applications. An additional method to retrieve NetFlow data is now available: NetFlow MIB (cisco-netflow-mib) allows access to NetFlow data. The MIB will provide the ability to configure and modify NetFlow using an SNMP interface. The user can retrieve a snapshot of IP flow, protocol and packet size distribution information easily with SNMP. The NetFlow MIB will be very useful for security monitoring and detection of attacks by monitoring flow information. One of the key features of the NetFlow MIB will be the availability of Top N Talkers and the top conversations (NetFlow cache) information. A new show command, which is part of the Top N Talkers feature, enables users to monitor top conversations in the network using CLI.
Benefits
• A new additional method to retrieve NetFlow information beyond traditional UDP export.
• Top N Talker NetFlow information using the CLI and MIB.
• MIB access to IP flow, protocol, and packet size distribution information.
• Retrieval of NetFlow information when the traditional export may not be practical.
• Useful security information directly from an SNMP MIB.
• Remote configuration of NetFlow features without using the CLI.
Hardware
Additional Information:
• http://www.cisco.com/go/netflow
• http://tools.cisco.com/ITDIT/MIBS/servlet/index
Product Management Contact: Tom Zingale, tomz@cisco.com
3.7) IP Multicast
3.7.1) Multicast Enhancements
Bootstrap Router (BSR) for IPv6 is one of the mechanisms by which an IPv6 PIM router learns the set of Group-to-RP mappings required for IPv6 PIM SM and Bi-Dir to function. The mechanism is dynamic, largely self-configuring, and robust to router failure.
Source-based filtering for multicast boundary adds SSM (S,G) filtering support on the multicast boundary. This extends the functionality of the "ip multicast boundary <acl>" command to give SSM the same access-control capabilities already offered for ASM, and improves the usefulness of the command as a general tool. In the "ip multicast boundary <acl>" command, the ACL can be a standard or extended ACL.
VRF Aware Multicast Error Messages will display the VRF names for the error messages generated by IP Multicast subsystems when MVPN is in use. This additional information makes it easier to associate protocol and packet forwarding events with their MVPNs, which is very useful in software or network problem troubleshooting.
When an MVPN related error message is printed, the first parameter it displays is the VRF name it is related to, followed by whatever is displayed today. This is modeled after the unicast VPN error messages and only applies to the configured VRFs. Error messages related to the global table stay the same.
The Inhibit Customer Traffic from Flooding in the MVPN Core enhancement automatically changes the default PIM mode for the MDT tunnel according to the PIM mode of the native interfaces in the MVRF. The three possible cases of MVRF interface configuration, and their corresponding MDT tunnel modes, are:
1. All native interfaces are in sparse-dense or dense mode: the MDT tunnel will be in sparse-dense mode.
2. All native interfaces are in sparse mode: the MDT tunnel will be in sparse mode.
3. Some are in sparse mode and some are in sparse-dense or dense mode: the MDT tunnel will be in sparse-dense mode.
Hardware
Routers
• Cisco 2600, 3700, 7100, 7200, and 7500 Series Routers
• Cisco 3620, 3640, and 3660 Routers
Cable Access Routers
• Cisco uBR905 and Cisco uBR925 Cable Access Routers
Product Management Contact: g_singh@cisco.com
3.8) Embedded Network Management
3.8.1) Service Selection Gateway Support of Overlapping IP Addresses
Service Selection Gateway (SSG) enables Service Providers to offer services in which the provider assigns IP addresses to subscribers. Because Service Providers assign IP addresses from private IP address pools, identical IP addresses could be assigned to different subscribers. The SSG Support for Overlapping Subscriber IP Addresses feature enables SSG to support overlapping subscriber IP addresses by adding VRF support to SSG downlink interfaces. VRF support on SSG downlink interfaces allows the same IP address to be assigned to different subscribers that are bound to different downlink interfaces and connected to different uplink services. VRF support on downlink interfaces also eliminates the need for SSG to perform NAT on the subscriber traffic.
SSG allows subscribers with overlapping IP addresses to access multiple services, so that a subscriber who is assigned an IP address for one service will be able to access other services. To provide access to multiple services, NAT will be performed on the subscriber traffic by SSG or through the Cisco IOS NAT configuration on the router.
Multiple subscribers with overlapping IP addresses can simultaneously connect to a common service, but SSG must perform NAT on all the connections to provide non-overlapping IP addresses.
Benefits
• Sometimes Service Providers assign IP addresses from private IP address pools. When subscribers of multiple Service Providers are aggregated on a single platform, different subscribers could be assigned the same IP address. The SSG Support for Overlapping Subscriber IP Addresses feature enables SSG to support overlapping subscriber IP addresses and hence lets providers assign IP addresses from their private address pools.
• This feature also avoids NAT for subscribers connecting into their provider's network where no IP address conflict arises (even though they are private IP addresses, they are within the same private IP address pool).
Hardware
Restrictions
• The SSG Support for Overlapping Subscriber IP Addresses feature does not support downlink interface redundancy.
• The SSG Support for Overlapping Subscriber IP Addresses feature does not add support for uplink VRFs. The next-hops for services must be globally routable; however, if a service is bound to an Ethernet interface, SSG uses the downlink interface VRF for upstream routing. In such cases, the uplink interface could be within a VRF, but the downlink interface must also be on the same VRF.
• Cisco IOS VRF-aware NAT for overlapping users cannot be configured for subscribed services. It can be used for open garden services and services bound to Ethernet interfaces (broadcast interfaces). For all other cases in which services are bound to next-hops, SSG NAT must be used. SSG does not support Cisco IOS NAT for open garden services bound by next-hops.
Product Management Contact: mkolli@cisco.com
3.8.2) Service Selection Gateway Support for Radius Attributes 27 and 29
The Service Selection Gateway (SSG) Support for Radius Attributes 27 and 29 feature introduces SSG compliance with RFC-3580 with respect to RADIUS attributes #27 (Session-Timeout) and #29 (Termination-Action). RFC-3580 recommends using attributes #27 and #29 in Access-Accept packets during authentication to enforce periodic re-authentication of users. See RFC-3580 "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines" for details.
For instances that indicate re-authentication after the session timeout, SSG uses the cached username and password while performing re-authentication. If SSG does not have these credentials, the session is brought down as if re-authentication has failed. If a particular deployment makes use of one-time passwords for authenticating users, SSG re-authentication will fail and the session will be brought down.
For SSG transparent auto-logon (TAL) hosts (TAL users who have host objects created on SSG), SSG will perform TAL reauthorization upon session timeout whenever attribute #29 is present in the RADIUS profile of the user. (Note that for TAL users, SSG performs re-authorization and not re-authentication because the user profile is downloaded on the basis of the IP address and service password).
In SSG RADIUS proxy deployments, SSG will not perform session timeout processing when attribute #29 is present in the Access-Accept packet and is set to re-authenticate.
Benefits
• Service Providers can implement a time-based prepaid billing model with standard RADIUS attributes (unlike SSG's prepaid model, which is proprietary and extensive).
• If Service Providers already have a billing system implemented on the basis of these RADIUS attributes, they can introduce SSG into that business system easily.
Hardware
Restrictions
• In SSG RADIUS proxy deployments, SSG will not perform session timeout processing when attribute #29 is present in the Access-Accept packet and is set to re-authenticate.
• SSG uses the cached username and password while performing re-authentication. If SSG does not have these credentials, the session is brought down as if re-authentication has failed. If a particular deployment makes use of one-time passwords for authenticating users, SSG re-authentication will fail and the session will be brought down.
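As an added example (not Cisco's code), the following Python parses the attribute area of a RADIUS Access-Accept and applies the session-timeout rules described above. The Type-Length-Value layout and the attribute values come from RFC 2865; the SessionContext fields, the action names, and the choice to apply the proxy-mode and TAL rules only when Termination-Action is RADIUS-Request are assumptions made for illustration.

```python
"""SSG-style handling of RADIUS Session-Timeout (27) and Termination-Action (29).

Added example, not Cisco's code. The attribute layout follows RFC 2865
(Type, Length, Value); the decision rules follow the SSG behaviour the
bulletin describes. Applying the proxy-mode and TAL rules only when
Termination-Action is RADIUS-Request is an assumption of this example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_TIMEOUT = 27      # integer, seconds (RFC 2865 section 5.27)
TERMINATION_ACTION = 29   # integer (RFC 2865 section 5.29)
TERM_DEFAULT = 0          # NAS terminates service when the timeout expires
TERM_RADIUS_REQUEST = 1   # NAS sends a new Access-Request (re-authenticate)


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    """Parse a RADIUS attribute area into {type: raw value}.

    Length includes the 2-byte header, so a length below 2 or one running
    past the buffer is malformed; raising is safer than resynchronising.
    """
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_attribute(atype: int, value: int) -> bytes:
    """Encode a 4-byte integer attribute (used to construct sample input)."""
    return bytes([atype, 6]) + struct.pack("!I", value)


@dataclass
class SessionContext:
    has_cached_credentials: bool  # username/password retained from login
    is_tal_host: bool             # transparent auto-logon host object exists
    radius_proxy_mode: bool       # SSG is deployed as a RADIUS proxy


def session_timeout_plan(attr_bytes: bytes,
                         ctx: SessionContext) -> Tuple[str, Optional[int]]:
    """Return (action, timeout_seconds) for an Access-Accept's attributes.

    Actions: none, disconnect, no-timeout-processing, reauthorize,
    reauthenticate, terminate. A one-time-password deployment has no
    cached password to replay, which is the 'terminate' path.
    """
    attrs = parse_attributes(attr_bytes)
    if SESSION_TIMEOUT not in attrs:
        return ("none", None)
    timeout = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
    action = TERM_DEFAULT
    if TERMINATION_ACTION in attrs:
        action = struct.unpack("!I", attrs[TERMINATION_ACTION])[0]
    if action != TERM_RADIUS_REQUEST:
        return ("disconnect", timeout)        # plain timeout, RFC default
    if ctx.radius_proxy_mode:
        return ("no-timeout-processing", timeout)
    if ctx.is_tal_host:
        return ("reauthorize", timeout)       # profile re-fetched by IP address
    if ctx.has_cached_credentials:
        return ("reauthenticate", timeout)    # cached credentials replayed
    return ("terminate", timeout)


if __name__ == "__main__":
    # Constructed Access-Accept attribute area: 1-hour timeout, re-authenticate.
    accept = build_attribute(SESSION_TIMEOUT, 3600) + \
        build_attribute(TERMINATION_ACTION, TERM_RADIUS_REQUEST)
    for ctx in (SessionContext(True, False, False),
                SessionContext(False, False, False),
                SessionContext(False, True, False),
                SessionContext(True, False, True)):
        print(ctx, "->", session_timeout_plan(accept, ctx))
```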
Product Management Contact: mkolli@cisco.com
3.8.3) Service Selection Gateway Default Quota for Prepaid Billing Server Failure
The Service Selection Gateway (SSG) default quota for prepaid billing server failure allows Service Selection Gateway (SSG) to allocate a default quota when the prepaid server fails to respond to an authorization request. This functionality allows prepaid users to connect to a service even when the prepaid server is unavailable during authorization. SSG can be configured to allocate multiple default quotas up to a configured maximum. SSG will also allocate default quotas when the prepaid server is unresponsive to reauthorization requests, thus preventing existing connections from being terminated.
SSG can be configured to allocate a default quota when the prepaid server fails to respond to an authorization request. The default quota for a service is specified in the service profile. SSG stores the value when the service profile is downloaded from the AAA server. If the prepaid server is not accessible during initial authorization, SSG allocates the default quota and activates the connection, thus allowing the prepaid user to connect to the respective service.
When a default quota expires, SSG attempts to reauthorize the user. If the prepaid server still does not respond, SSG will allocate another default quota. SSG will allocate multiple default quotas up to a configured maximum. Once SSG has allocated the configured maximum number of default quotas, no further default quota allocations will be made, and the user's connection to the service will be terminated.
SSG will also allocate default quotas when the prepaid server fails during the reauthorization of existing connections. Allocation of a default quota for the reauthorization of an existing connection prevents the connection from being terminated due to the unavailability of the prepaid server.
Benefits
This enhancement ensures continued subscriber connectivity against any temporary connection failures with pre-paid billing servers.
Hardware
Considerations
• The default quota is applicable for prepaid services only.
• The default quota will be used only when the prepaid billing server is not available; that is, when the RADIUS packet retransmit times out.
Product Management Contact: mkolli@cisco.com
3.8.4) Service Selection Gateway Support for Dynamic Load Balancing
The Service Selection Gateway (SSG) Support for Dynamic Load Balancing feature enables the Dynamic Feedback Protocol (DFP) to be used to facilitate dynamic load balancing among multiple Service Selection Gateways (SSGs). When DFP support is configured on SSG, SSG registers with the DFP agent and hands over weights at configured intervals. The DFP agent conveys the weights to a DFP manager, such as a Cisco IOS Server Load Balancing device, which uses the weights to determine load balancing among the SSGs.
When multiple SSGs are deployed with Cisco IOS Server Load Balancing, DFP enables the real servers (the SSGs) to communicate server health to the DFP manager. SSG registers with the DFP agent and hands over weights at configured intervals. The DFP agent calculates relative weights for SSG on the basis of three factors:
• The DFP weight configured for the SSG
• CPU load
• Memory utilization
The weights are conveyed by the DFP agent to the load balancer, which uses the weights in an algorithm to determine load balancing among the SSG devices. A higher weight for a server indicates higher availability; a weight of zero indicates that a server has no availability.
SLB always uses weights to balance loads. If DFP is not configured or if the DFP connection has been terminated and the DFP agent cannot relay the current weights, SLB uses static weights that have been configured for the server. If weights have not been configured, SLB uses default weights.
Benefits
• Allows multiple SSGs with different CPU power and memory to be used together easily in a single SSG network with a load balancer.
• Increased session reliability by preventing a busy SSG from receiving too many new connection requests.
• Allows a new SSG that is being introduced into an existing SSG farm to come up to equal load with the other SSGs dynamically.
Hardware
Product Management Contact: mkolli@cisco.com
3.9) IP Addressing and Services
3.9.1) First Hop Redundancy Protocols—Virtual Router Redundancy Protocol MIB RFC 2787
Cisco First Hop Redundancy Protocols (FHRP) is a collection of three separate features in Cisco IOS Software:
• Hot Standby Routing Protocol (HSRP)
• Gateway Load Balancing Protocol (GLBP)
• Virtual Router Redundancy Protocol (VRRP)
Support for the VRRP MIB (RFC 2787) enables Cisco customers who have selected VRRP within Cisco IOS Software for redundancy to use SNMP to configure and monitor their VRRP redundancy groups. Customers have complete Set, Get, and Trap support.
Benefits
• Ability to use SNMP to remotely configure and monitor all aspects of a VRRP redundancy group.
• Set: configure VRRP on the routers.
• Get: retrieve detailed information on the state of the VRRP groups and each router in the VRRP groups.
• Traps: receive indicators for events such as the transition of a router in a VRRP group to the 'Master' state.
Hardware
Additional Information:
For details of the MIB, refer to RFC 2787 and download the VRRP MIB from Cisco.
• Definitions of Managed Objects for the Virtual Router Redundancy Protocol: http://www.ietf.org/rfc/rfc2787.txt
• http://tools.cisco.com/ITDIT/MIBS/servlet/index
Product Management Contact: Mark Denny, mdenny@cisco.com
3.10) Connectivity
3.10.1) Upstream Connection Speed Transfer at LAC
This feature allows the configuration for Layer 2 Tunneling Protocol (L2TP) Attribute-Value Pair 38 (AVP) at the L2TP Access Concentrator (LAC). AVP38 allows the communication of the upstream (from the remote site to the LAC) connection speed and complements Cisco's existing support for AVP24 for downstream (from LAC to remote site) connection speed. This support allows for the creation of asymmetric broadband services where the upstream and downstream connection speeds differ.
Benefits
• Allows support of asymmetric broadband service speeds such as Asymmetric DSL (ADSL).
• Better compliance with RFC 2661 for L2TP.
• Required for regulatory compliance in European countries such as Germany.
Hardware
Product Management Contact: sbhardwa@cisco.com
3.10.2) Configurable MAC Address for bba-group
This feature allows the configuration of separate MAC addresses for PPPoE and RBE sessions on the same physical ATM interface. This is important because the aggregation router, as shown in Figure 29, uses the ATM interface's MAC address as the source address for both the PPPoE and RBE incoming sessions. In cases where multiple hosts exist and both PPPoE and RBE sessions have been initiated, the MAC address needs to be configurable (rather than simply taken from the ATM interface of the CPE router) so that the different sessions can be differentiated. This feature is only available under the bba-group configuration mode and requires each session to be on its own PVC.
Figure 29: Configurable MAC Address for bba-group
Benefits
Allows support of multiple session types, like RBE and PPPoE, on the same ATM interface for broadband applications.
Hardware
Considerations
• Only configurable under the bba-group mode and not vpdn-group mode.
• Requires each session to be on its own PVC.
Product Management Contact: sbhardwa@cisco.com
4) Release 12.3(8)T Highlights
4.1) New Hardware Support
4.1.1) Cisco 2800 Series Integrated Services Router
The Cisco 2800 Series comprises four new routers: Cisco 2801, 2811, 2821, and 2851 Routers. The Cisco 2800 Series provides significant additional value compared to prior generations of Cisco routers at similar price points by offering up to a fivefold performance improvement, up to a tenfold increase in security and voice performance, new embedded service options, and dramatically increased slot performance and density while maintaining support for most of the more than 90 existing modules that are available today for the Cisco 1700 Series and Cisco 2600 Series.
The Cisco 2800 Series features the ability to deliver multiple high-quality simultaneous services at wire speed up to multiple T1/E1/xDSL connections. The routers offer embedded encryption acceleration and motherboard voice digital-signal-processor (DSP) slots; intrusion prevention system (IPS) and firewall functions; integrated call processing and voice mail; high-density interfaces for a wide range of connectivity requirements; and sufficient performance and slot density for future network expansion requirements and advanced applications.
Figure 30: Cisco 2800 Series
Benefits
• A wide variety of LAN and WAN options are available. Network interfaces can be upgraded in the field to accommodate future technologies, and several types of slots are available to add connectivity and services in the future on an "integrate-as-you-grow" basis.
• Each of the Cisco 2800 Series routers comes standard with embedded hardware cryptography accelerators, which, when combined with an optional Cisco IOS Software upgrade, help enable WAN link security and VPN services.
• The Cisco 2800 helps enable end-to-end solutions with full support for the latest Cisco IOS Software-based QoS, bandwidth management, and security features.
• On the Cisco 2811, 2821, and 2851 there is a built-in external power-supply connector that eases the addition of an external redundant power supply, which can be shared with other Cisco products to protect network components from downtime due to power failures.
Hardware
Additional Information: http://www.cisco.com/en/US/products/ps5854/index.html
Product Management Contact: cs-2800@cisco.com
4.1.2) Cisco 1800 Series Integrated Services Router
Cisco 1800 Series Integrated Services Routers are the next evolution of the award-winning Cisco 1700 Series modular access routers. The Cisco 1841 Router is designed for secure data connectivity and provides significant additional value compared to prior generations of Cisco 1700 Series routers by offering more than a fivefold performance increase, integrated hardware-based encryption enabled by an optional Cisco IOS Software security image, and a dramatic increase in interface card slot performance and density while maintaining support for more than 30 existing WAN interface cards (WICs) and multiflex trunk cards (voice/WICs [VWICs]—for data only on the Cisco 1841 router) of the Cisco 1700 Series.
The Cisco 1841 Router features secure, fast, and high-quality delivery of multiple, concurrent services for small-to-medium-sized businesses and small enterprise branch offices. The Cisco 1841 router offers embedded hardware-based encryption enabled by an optional Cisco IOS Software security image; further enhancement of VPN performance with an optional VPN acceleration module; intrusion prevention system (IPS) and firewall functions; interfaces for a wide range of connectivity requirements, including support for optional integrated switch ports; sufficient performance and slot density for future network expansion and advanced applications; and an integrated real-time clock.
Figure 31: Cisco 1800 Series
Benefits
• Supports concurrent deployment of high-performance, secure data services with headroom for future applications.
• Offers a cryptography accelerator as standard integrated hardware that can be enabled with an optional Cisco IOS Software image for 3DES and AES encryption support.
• Provides 32 MB of Flash and 128 MB of synchronous dynamic RAM (SDRAM) memory to support deployment of concurrent services.
• Supports the Cisco 1841 router starting with Cisco IOS Software Release 12.3T and helps enable end-to-end solutions with support for the latest Cisco IOS Software-based QoS, bandwidth management, and security features.
• New intrusion-detection-system (IDS) signatures can be dynamically loaded independent of the Cisco IOS Software release.
Hardware
Additional Information: http://www.cisco.com/en/US/products/ps5853/index.html
Product Management Contact: cs-1800@cisco.com
4.2) Cisco IOS Security
4.2.1) Dynamic Multipoint VPN Spoke to Spoke Functionality
Dynamic Multipoint VPN (DMVPN) Spoke to Spoke Functionality allows dynamic on-demand direct spoke to spoke tunnels to be created between two DMVPN spoke CPEs without traversing the hub. This feature enables production-ready spoke-to-spoke functionality in a single hub and multi-hub environment in a DMVPN network. It also incorporates increased spoke to spoke resiliency and redundancy in multi-hub configurations.
Figure 32: Dynamic Multipoint VPN Spoke to Spoke Functionality
Benefits
• Direct Spoke-to-Spoke Tunnels
This functionality allows direct spoke-to-spoke tunnel creation between two branch offices without the traffic having to go through the hub. Spokes can take advantage of an Internet connection directly available between them. This leads to reduced latency and jitter for spoke-to-spoke traffic and improved bandwidth utilization. DMVPN networks deliver a lower cost per MByte of bandwidth than native IPsec networks because the spoke-to-spoke traffic is not restricted by hub bandwidth utilization and at the same time does not add any additional overhead to the hub bandwidth utilization.
• Avoids Dual Encrypts and Decrypts
Native IPsec and IPsec + GRE networks are organized as hub-and-spoke networks. This results in all spoke-to-spoke traffic going through the hub and requiring a dual encrypt and decrypt for all traffic, putting an additional burden on the hub CPU. DMVPN alleviates the problem by creating direct on-demand spoke-to-spoke tunnels.
• Smaller Spoke CPEs Can Participate in a Virtual On-Demand Full Mesh
DMVPN allows smaller spoke CPE to participate in a virtual on-demand full mesh. Creating and managing a full mesh is often not possible for smaller spoke CPE, which cannot handle more than a dozen IPsec tunnels. DMVPN allows the spokes to create tunnels to other spokes on demand and tear down the tunnels after use.
Hardware
Routers
• Cisco 800, 1700, 2600, 3700, 7200, and 7400 Series Routers
Switches
• Cisco Catalyst 6000 Series Switch with MWAM Card and VPNSM Module
Additional Information:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml
Product Management Contact: IOS-Security-PM@cisco.com
4.2.2) Cisco IOS Network Admission Control
Cisco IOS Network Admission Control (NAC) adds vital access router support for the Cisco NAC solution, which empowers organizations to contain security threats before they cause damage. Cisco IOS NAC, the software-based portion of this solution, enables Cisco access routers to detect a user's compliance with anti-virus policies, and thus enforce network access privileges appropriately. Non-compliant devices can be denied access, placed in a quarantined area, or given restricted access to computing resources. The access decision can be based on information such as the endpoint's anti-virus state and operating system patch level.
Cisco NAC now enables Cisco IOS Software devices to identify and isolate unprotected or infected hosts as they connect to the network, thereby preventing them from potentially spreading viruses in the network. Network administrators can define and enforce posture validation of endpoint devices connecting to the network.
The initial release of Cisco NAC consists of four components:
• Cisco Trust Agent: software that resides on the endpoint system. Cisco Trust Agent collects security state information from multiple security software clients, such as anti-virus clients, and then communicates this information back to the Cisco IOS network access device, which enforces admission control.
• Network Access Devices: network devices (Cisco IOS Software routers) that enforce admission control policy. These devices demand host security "credentials" and relay the information to policy servers, where network admission control decisions are made. Decisions could include permit, deny, quarantine, or restrict.
• Policy Server (Cisco Secure Access Control Server [ACS]): evaluates the endpoint security information relayed from the Cisco IOS Software device and determines the appropriate policy to implement. Cisco ACS is the foundation of the policy server system.
• Management System: CiscoWorks VPN/Security Management Solution (VMS) provisions Cisco NAC elements, while CiscoWorks Security Information Manager Solution (SIMS) provides monitoring and reporting tools.
This release of Cisco NAC addresses the two most pressing compliance tests required: anti-virus software state and operating system information. These tests include anti-virus vendor software version, engine level, and signature file levels as well as the operating system type and patch levels. Anti-virus vendors, such as Network Associates, Symantec and Trend Micro, are integrating their applications with Cisco NAC.
Figure 33: Cisco IOS Software Router Support for Cisco IOS NAC
• Improved Security
Cisco NAC helps ensure that all hosts comply with the latest corporate anti-virus and operating system patch policies prior to obtaining normal network access. Vulnerable and noncompliant hosts may be isolated and assigned reduced access until they are patched and secured, preventing them from being the targets of or the sources for worm and virus infections.
• Investment Protection
Cisco NAC is supported on a broad range of Cisco IOS Software routers, ranging from the Cisco 800 Series to the Cisco 7200 Series Routers. This solution integrates and increases the value of investments in the Cisco network infrastructure, Cisco endpoint security, and anti-virus technology.
• Deployment Scalability
Cisco NAC provides comprehensive access control across all access methods that hosts use to connect to the network. It also supports heterogeneous vendor scenarios. This solution also allows the setting of differentiated access policy for responsive hosts (those running the Cisco Trust Agent) and non-responsive hosts.
• Increased Resilience and Availability
By taking information about endpoint security status and combining it with network admission enforcement, Cisco NAC enables customers to dramatically improve the security of their computing infrastructures.
• Multiple Vendor Compatibility
In addition to the initial list of partners, Cisco will continue to work with more anti-virus and host-based application vendors to allow customers greater flexibility in the choice of anti-virus vendors.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: IOS-Security-PM@cisco.com
4.2.3) Quality of Service per VPN Group
Quality of Service (QoS) per VPN Group allows the application of Cisco IOS QoS mechanisms to a group of IPsec flows. Application of QoS per VPN session group means that all flows that belong to an ISAKMP profile can be classed together and may be policed on the interface that has the crypto map and service policy applied to it.
The QoS per VPN session group feature is well suited for situations where a head-end device has large groups of IPsec peers. For example, in Figure 16 the IPsec peers of the head-end router are executives, engineers, and sales. Each of these groups is identified by an IPsec Security Association (SA). The QoS policies applied to IPsec flows are based on a QoS group ID. The IDs are mapped to a QoS group, which is used in the definition of class maps for QoS. From there, the QoS policies are applied at the group level.
Figure 34: QoS with Cisco IOS VPN
Benefits
QoS per VPN session group feature can provide several benefits to the user. This feature can be used to:
• Enable allocation of QoS policies on a per-group basis.
• Ensure equal access to available bandwidth across multiple links in a service provider environment.
• Guarantee certain customers a minimal amount of bandwidth.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: IOS-Security-PM@cisco.com
4.2.4) Cisco AutoSecure Rollback & Logging
Cisco AutoSecure, originally introduced in Cisco IOS Software Major Release 12.3 (May 2003), enables rapid implementation of security policies and procedures to ensure secure networking services by offering a single CLI command to lock down the device.
Cisco AutoSecure Rollback enhances the feature by providing a method to restore the system configuration back to its state prior to execution of the autosecure command. This feature takes a snapshot of the current running configuration and stores that in the ATA Disk prior to execution of the autosecure command. When rollback is initiated, the system will be restored to the snapshot configuration.
Rollback can occur in either automated or manual mode. Automated rollback is initiated if Cisco AutoSecure experiences a failure during its operation. In manual mode, the user simply issues the standard CLI rollback command and the rollback process is initiated.
Cisco AutoSecure Logging generates a syslog message when the autosecure set of commands is executed.
Benefits
•
Simplifies Device Lockdown
With Cisco AutoSecure Rollback & Logging, users can apply Cisco AutoSecure with more confidence. If the command was issued accidentally, the configuration can easily be restored to its original state.
•
Tracking of Cisco AutoSecure Execution
With the Cisco AutoSecure logging feature, a system administrator can track when autosecure has been executed.
Hardware
Product Management Contact: IOS-Security-PM@cisco.com
4.2.5) Easy Secure Device Deployment Authentication, Authorization, and Accounting Integration
Easy Secure Device Deployment (SDD) Authentication, Authorization, and Accounting (AAA) Integration allows an end device to connect to another end device using Trusted Transitive Introduction (TTI) to deploy Public Key Infrastructure (PKI) without having to be "introduced" by a third device, such as a system administrator. If the first end device has an account on an AAA server, it can obtain authentication and authorization directly from the server database, which eliminates the need to obtain an access password from the third device.
Figure 35
Easy SDD AAA Integration
Benefits
•
User does not need to enable passwords for devices, because AAA verifies the credentials.
•
Simplified PKI enrollment and deployment, because the two end devices can now connect directly without the intervention from a system administrator.
•
User authentication and configuration update occurs through AAA.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: IOS-Security-PM@cisco.com
4.2.6) Cisco IOS Resilient Configuration
Cisco IOS Resilient Configuration provides a safeguard to restore the configuration after unwanted erasure of the Cisco IOS Software configuration.
After an accidental or intentionally hostile erasure of the configuration, the device cannot operate normally, resulting in network downtime. By using the Cisco IOS Resilient Configuration feature as a precaution, administrators can quickly restore the system to a running state.
The Cisco IOS Resilient Configuration CLI command takes a snapshot of the running router configuration and securely archives it in persistent storage. The archived file is hidden and cannot be viewed or removed; it can only be overwritten by a newer archive. The restore option reproduces a copy of the secure configuration archive, from which the system is restored.
This feature requires devices that support a PCMCIA ATA disk.
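Enabling the feature and recovering from an erased configuration, shown as an added example that is not part of the bulletin. The device name flash: and the file name rescue-config are assumed; the commands are the Resilient Configuration commands that this feature introduces.

```cisco
! Added example, not from the bulletin. Device and file names are assumed.
! Secure the running image first, then take the configuration snapshot.
Router# configure terminal
Router(config)# secure boot-image
Router(config)# secure boot-config
Router(config)# end
!
! The archived files are hidden from dir output; confirm them with
! show secure bootset, which names the archived image and configuration.
Router# show secure bootset
!
! Recovery after the startup and running configuration have been erased:
! boot the secured image (from ROMMON if necessary), recreate the
! configuration from the archive under a new file name, then load it.
Router# configure terminal
Router(config)# secure boot-config restore flash:rescue-config
Router(config)# end
Router# copy flash:rescue-config running-config
Router# copy running-config startup-config
```

Two points matter operationally. The archive is a snapshot, not a live copy, so secure boot-config should be run again after configuration changes that you would want to survive an erasure. And the feature can only be disabled from a console session; a remote attacker who has obtained exec access to the router cannot remove the archive, which is the property that makes it useful against hostile erasure rather than only against accidents.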
Benefits
•
Enhances Protection of the Cisco IOS Software Configuration
Because the archived configuration file is hidden and not removable, a backup copy remains on the device even if the running configuration is erased, whether accidentally or intentionally.
•
Rapid Recovery of the System Configuration
Since a copy of the configuration is stored on the device itself and the Resilient Configuration feature provides a quick restore command, system administrators can quickly restore a system to a running state.
Hardware
Product Management Contact: IOS-Security-PM@cisco.com
4.2.7) Call Admission Control for Internet Key Exchange
This feature improves VPN tunnel stability and router resource usage by rate limiting the number of concurrent incoming and outgoing Internet Key Exchange (IKE) requests that are processed, according to the resources available on the router. The feature also allows a hard limit to be applied to the number of IKE requests handled by a device.
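The two limits described above, configured with the IKE Call Admission Control commands, as an added example that is not part of the bulletin. The limit values are assumed and must be sized for the deployment.

```cisco
! Added example, not from the bulletin. The limit values are assumed.
! Hard ceiling: once this many IKE SAs have been established, further
! IKE SA requests are rejected.
crypto call admission limit ike sa 40
!
! Resource-based limit: when system resource use exceeds this percentage,
! new incoming and outgoing IKE requests are dropped until use falls again.
call admission limit 90
!
! Counters for requests accepted and for requests rejected by each limit.
Router# show crypto call admission statistics
```

Set the SA ceiling a little above the expected peak number of tunnels, otherwise legitimate peers are rejected along with a flood. Note that the resource-based limit is not selective: while it is active the router's own outgoing IKE negotiations are dropped as well, so a sustained flood still costs new tunnels, but it no longer costs the router itself.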
Benefits
•
Prevention of poor performance or resource overload.
•
Protection of the router from Denial of Service (DoS) attacks that consist of a large number of IKE requests.
Hardware
Product Management Contact: IOS-Security-PM@cisco.com
4.2.8) Certificate to Internet Security Association and Key Management Protocol Profile Mapping
Certificate to Internet Security Association and Key Management Protocol (ISAKMP) Profile Mapping is used in the context of PKI deployment. This feature aids in uniquely identifying a group of users by mapping the Distinguished Name (DN) field, or part of the DN fields, in a certificate to groups of users. When certificates are used for authentication, the identity payload contains the subject name from the certificate. However, some PKI deployments do not give users control over the SubjectName field in the certificate; this feature can therefore be used to fall back on other fields in the certificate to distinguish a user.
The mapped DN field can be used as an alternative to the identity field. With this feature, Cisco IOS ISAKMP profiles can match on the certificate in addition to the fields already supported (FQDN, IP address, group name).
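An added example, not taken from the bulletin, of steering peers into ISAKMP profiles by certificate contents. The map names, DN values and the trustpoint CORP-CA are assumed.

```cisco
! Added example, not from the bulletin. Names, DN values and the trustpoint are assumed.
! Certificate maps select peers by the contents of certificate DN fields.
! "co" means contains (substring); "eq" would require the whole field to match.
crypto pki certificate map ENG-CERTS 10
 subject-name co ou=engineering
 issuer-name co cn=corp-ca
!
crypto pki certificate map SALES-CERTS 10
 subject-name co ou=sales
 issuer-name co cn=corp-ca
!
! Each ISAKMP profile matches on its certificate map instead of on the
! identity payload, so a peer lands in the right profile even when it
! cannot control the SubjectName of its certificate.
crypto isakmp profile ENGINEERS
 ca trust-point CORP-CA
 match certificate ENG-CERTS
!
crypto isakmp profile SALES
 ca trust-point CORP-CA
 match certificate SALES-CERTS
```

Two checks before relying on this for authorization. First, "co" is a substring match, so ou=engineering also matches a certificate whose OU is engineering-contractors; use "eq" on the field, or a more specific string, where that distinction matters. Second, always pin the issuer-name (or the trustpoint) in the map: without it, a certificate with the same subject issued by any other CA the router trusts would be placed in the same profile.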
Benefits
An alternative means of identifying users who authenticate with certificates.
Hardware
Product Management Contact: IOS-Security-PM@cisco.com
4.2.9) Crypto Access Check On Clear Text Packet
Crypto Access Check on Clear-Text Packets removes the double interface Access Control List (ACL) check on the outside interface for inbound clear-text packets that arrive inside an IPsec-encrypted packet.
Previously, ACL checking was performed at two points for inbound IPsec traffic: once on the encrypted packet and again on the decrypted clear-text packet. With this feature the second check is no longer applied by default; customers who require it can re-enable the ACL check on the decrypted clear-text packets by configuring the command "crypto access checks ACL in" under the crypto map. When the second check is disabled, the interface ACL no longer filters the decrypted traffic, so the crypto ACL and the IPsec peer authentication become the only controls on what is accepted through the tunnel.
Benefits
•
Enables easier configuration of ACLs.
•
Eliminates the configuration problems associated with a double ACL check.
•
Gives customers the option of enabling/disabling the second ACL checking for more security in their networks.
Hardware
Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html
Product Management Contact: IOS-Security-PM@cisco.com
4.3) Mobile IP
4.3.1) Support for RFC 3519 NAT Traversal
IETF RFC 3519 defines the process by which Mobile IP enabled devices can roam into and traverse networks that have a Network Address Translation (NAT) device at the exit points of the network.
Typically, the ability to roam into and through a network with NAT deployed is unpredictable and depends on the NAT implementation. The best way to ensure seamless IP roaming through a NAT device is to support RFC 3519 and encapsulate the Mobile IP packets in UDP.
It is very common for Public WLAN "Hot Spot" networks and GPRS Wireless WAN networks to use private IP addressing and NAT devices at the exit points of their networks.
Support is provided in the Foreign Agent and Home Agent capability within Cisco IOS Software:
•
Foreign Agent and Home Agent
•
Mobile Node to Home Agent
–
Assumes the Mobile Node (Mobile IP client) also supports RFC 3519 NAT Traversal
–
Example: the Birdstep Mobile IP Client does support RFC 3519 NAT Traversal
NAT Traversal encapsulates the Mobile IP packets in UDP, so any firewalls in the path must permit UDP port 434.
The use of RFC 3519 is transparent to the end user.
Benefits
Ensures that individual users can maintain their IP sessions when roaming into networks that use NAT.
Hardware
Product Management Contact: Mark Denny, mdenny@cisco.com
4.4) Quality of Service
4.4.1) Cisco AutoQoS AutoDiscovery "Trust" Option
The new "trust" option extends the use of Cisco AutoQoS for the Enterprise to routers where Differentiated Services Code Point (DSCP) values have already been assigned to traffic at the network edge. This option enables customers to automatically set the Quality of Service (QoS) policy on routers by allowing the network to trust internally established priority levels for various types of traffic.
For example, it is typically recommended that traffic be marked, with DSCP values assigned, at the network edge. Once DSCP marking is complete, these values can be "trusted" by other routers. The "trust" option therefore allows Cisco AutoQoS for the Enterprise to set the QoS policy on those routers without running the NBAR protocol discovery infrastructure (i.e., the DSCP markings assigned at the edge are "trusted").
Figure 36
Cisco AutoQoS for the Enterprise: "Trust" Option for DSCP-Marked Traffic
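The two-step AutoQoS for the Enterprise workflow with the "trust" option, as an added example that is not part of the bulletin. The interface is assumed.

```cisco
! Added example, not from the bulletin. The interface is assumed.
! On a router that receives traffic already DSCP-marked at the edge, run
! discovery in trust mode: statistics are gathered per DSCP value instead
! of per NBAR-discovered protocol.
interface Serial0/0
 auto discovery qos trust
!
! Let discovery run for a representative period, then review what it saw.
Router# show auto discovery qos interface Serial0/0
!
! Generate and apply the policy derived from the trusted markings.
interface Serial0/0
 auto qos
!
Router# show auto qos interface Serial0/0
```

The word "trust" is the security-relevant part. In trust mode the router believes whatever DSCP value arrives, so the option belongs only on interfaces whose upstream device marks or re-marks traffic under your control. Applied on an interface facing unmanaged hosts, it lets those hosts mark their own traffic straight into the priority queue.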
Benefits
•
Extends use of Cisco AutoQoS for the Enterprise to routers that do not need to or should not perform traffic classification & DSCP marking.
•
AutoDiscovery "Trust" Option uses the DSCP values assigned by other devices.
•
QoS policies can be generated for routers where traffic arrives with DSCP markings and does not need local classification and marking.
Hardware
Routers
•
Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, 3631, 3640, 3660, 3725, and 3745 Routers
•
Cisco 7200 and 7500 Series Routers
Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802000a7.html
Product Management Contact: Tim McSweeney, timcswee@cisco.com
4.5) IP Routing
4.5.1) Cisco Optimized Edge Routing
Cisco Optimized Edge Routing (OER) automates routing performance and allows customers to minimize bandwidth costs and engineering operating expenses. Cisco IOS OER leverages Cisco IOS Netflow and Cisco IOS Service Assurance Agent to choose the optimal outbound route based on cost minimization, load distribution policy, and overall network performance.
Cisco OER enables intelligent network traffic load distribution and dynamic failure detection of data-paths at the WAN edge (i.e.: multi-homing to the Internet or intranet connectivity). While other routing mechanisms can provide both load-sharing and failure mitigation, Cisco OER is unique in that it can make instant routing adjustments based on criteria other than static routing metrics: response time, packet loss, path availability, traffic load distribution, and financial cost minimization policies.
Cisco OER is implemented in Cisco IOS Software as an integrated part of Cisco core routing functionality. It can be deployed with familiar simplicity via standard CLI configuration. Cisco OER may also be configured with an external Cisco 2100 Series Intelligence Engine (Cisco appliance) management device to provide enhanced scalability, extended history and a web-based GUI for configuration and reporting. Cisco OER offers increased Cisco product value and differentiation by leveraging various Cisco IOS Software features (i.e.: Cisco IOS Netflow, Cisco IOS SAA) and cross product integration to support multiple hardware products and routing protocols.
Figure 37
Cisco OER Deployment Example
Benefits
Hardware
Routers
•
Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers
Additional Devices
•
Master Controller Engine Linux appliance
Product Management Contact: Paul Kohler, pkohler@cisco.com or Anita Freeman, anfreema@cisco.com
4.5.2) Enhanced Interior Gateway Routing Protocol Support for Route Map Filtering
Enhanced Interior Gateway Routing Protocol (EIGRP) Support for Route-Map Filtering enables the filtering of internal and external routes based on multiple route-map options. It enables EIGRP to process the set and match parameters already permitted within a route map, and extends them with EIGRP-specific set and match choices.
Benefits
•
Filters routes during redistribution.
•
Controls which routes are advertised.
•
Controls which routes are learned, for fine-tuning the network.
Hardware
Product Management Contact: Chetan Khetani, cpk@cisco.com
4.5.3) Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE Site of Origin
Enhanced Interior Gateway Routing Protocol (EIGRP) MPLS VPN PE-CE Site of Origin (SoO) introduces support for back door links. A back door link is a connection configured outside of the VPN between a remote site and the main site; for example, a WAN leased line that connects a remote site to the corporate network. Back door links are typically used as backup routes between EIGRP sites if the VPN link fails or is unavailable. A metric is set on the back door link so that the route through the back door router is not selected unless the VPN link fails.
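The PE-side configuration that attaches a Site of Origin to routes learned from a customer site, as an added example that is not part of the bulletin. The VRF name, autonomous system numbers, SoO value and addresses are assumed.

```cisco
! Added example, not from the bulletin. VRF, AS numbers, SoO value and
! addresses are assumed. Configured on the PE interface that faces site A.
route-map SITE-A-SOO permit 10
 set extcommunity soo 65000:10
!
interface Serial0/1
 ip vrf forwarding CUSTOMER
 ip address 10.10.1.1 255.255.255.252
 ip vrf sitemap SITE-A-SOO
!
router eigrp 1
 address-family ipv4 vrf CUSTOMER
  autonomous-system 100
  network 10.10.1.0 0.0.0.3
  redistribute bgp 65000 metric 10000 100 255 1 1500
!
! The back door router applies the same sitemap on its site A interface,
! so routes sourced from site A carry the same SoO on both paths.
```

The loop-prevention rule is simple: a route whose SoO equals the SoO configured on an interface is not advertised out of that interface. A site A route that has travelled across the VPN and back through the back door therefore stops at the boundary of site A instead of being re-learned as a fresh, more attractive internal route, which is what previously made the back door path win.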
Benefits
EIGRP MPLS VPN PE-CE SoO allows enterprise EIGRP customers who pay MPLS VPN providers and also have back door links to optimize their investment in VPN connections. Before this functionality became available, back door links were always preferred over MPLS VPN connections, because routes re-learned from other PEs could not be filtered on the PE or back door routers.
Hardware
Product Management Contact: Chetan Khetani, cpk@cisco.com
4.5.4) Border Gateway Protocol Cost Community Support for Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE with Back Door Links
This feature allows the local route preference to be customized, influencing the Border Gateway Protocol (BGP) best path selection process. Before EIGRP SoO BGP Cost Community support was introduced, BGP preferred locally sourced routes to routes learned from BGP peers, so back door links in an EIGRP MPLS VPN topology were preferred by BGP if the back door route was learned first.
The "pre-bestpath" point of insertion (POI) was introduced in the BGP Cost Community feature to support mixed EIGRP VPN network topologies that contain VPN and back door links.
Benefits
Without this functionality, back door links were always preferred over MPLS VPN connections. As a result, enterprise EIGRP customers who pay MPLS VPN providers and have back door links were not getting full value from their VPN connections.
Hardware
Product Management Contact: Chetan Khetani, cpk@cisco.com
4.6) Manageability
4.6.1) Cisco IOS Service Assurance Agent Multiple Operation Scheduling
Cisco IOS Service Assurance Agent (SAA) uses various metrics to assess a network's performance and availability. It can perform network assessments, verify service level agreements, and assist administrators with troubleshooting. It automates service level monitoring for both end customers and Service Providers. Cisco IOS SAA uses unique service level assurance metrics and methodology to provide highly accurate, precise service level assurance measurements.
Cisco IOS SAA informs users whether Quality of Service (QoS) is working and configured correctly. It reduces operational costs by identifying issues and testing the network infrastructure continuously. It also reduces the time required to track and isolate network performance problems, thus decreasing operating expenses. Cisco IOS SAA sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates network data and IP services, collecting network performance information in real time. Collected information includes response time, one-way latency, jitter, packet loss, voice quality scoring, and server response time.
Cisco IOS SAA Multiple Operation Scheduling allows the user to easily schedule active performance measurements to a group of destination devices from a source device. This capability allows sequential activation of a large number of SAA operations with one CLI command or SNMP MIB set. For example, the user can schedule a set of SAA jitter operations to measure edge to edge jitter, packet loss, and response time from a source router to a large number of destination routers with one CLI command.
Figure 38
Cisco IOS Service Assurance Agent Multiple Operation Scheduling
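Scheduling a set of jitter operations with a single command, as an added example that is not part of the bulletin. The operation numbers, destination addresses, port, codec and timers are assumed, and each destination router is assumed to be running rtr responder.

```cisco
! Added example, not from the bulletin. Operation numbers, destinations,
! port and timers are assumed; each destination runs "rtr responder".
rtr 1
 type jitter dest-ipaddr 10.1.1.1 dest-port 16384 codec g711ulaw
rtr 2
 type jitter dest-ipaddr 10.1.2.1 dest-port 16384 codec g711ulaw
rtr 3
 type jitter dest-ipaddr 10.1.3.1 dest-port 16384 codec g711ulaw
!
! One command starts operations 1 to 3: their start times are spread
! evenly across a 30-second period, and each then repeats every 60 seconds.
rtr group schedule 10 1-3 schedule-period 30 frequency 60 start-time now life forever
!
Router# show rtr group schedule
```

Spreading the start times across the schedule period is the point of group scheduling: with hundreds of operations, starting them all at the same instant produces a burst of probe traffic that measures the burst rather than the network. The frequency must be at least as long as the schedule period, or a later round of an operation would start before the first round has finished being spread.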
Benefits
•
Enhances Cisco IOS SAA scalability and ease of use.
•
Provides more flexibility in the ability to schedule SAA operations.
•
Embedded active monitoring in Cisco IOS Software.
•
Automated real-time, accurate network performance and network health monitoring.
•
Capable of verifying and measuring IP service levels and parameters needed for service level agreements.
•
Per-class QoS traffic monitoring.
•
Flexible scheduling.
•
Proactive notifications with Simple Network Management Protocol (SNMP) Trap.
•
Hop-by-hop and end-to-end performance measurement.
•
Controlled through SNMP or Command Line Interface (CLI).
•
VoIP codec simulation and VoIP quality measurement (MOS and ICPIF).
•
MPLS network monitoring.
•
Integrated into several third-party diagnostic tools.
Hardware
Additional Information: http://www.cisco.com/go/saa
Product Management Contact: Tom Zingale, tomz@cisco.com
4.6.2) MPLS Aware NetFlow
Understanding who is using the network and for how long, what protocols and applications are being used, and where the network data is flowing is a necessity for today's IP network managers. IP network managers rely on exported NetFlow data for a variety of purposes, including:
•
Network management and planning
•
Enterprise accounting
•
Troubleshooting
•
Security monitoring and departmental charge back billing
•
Data warehousing
•
Data mining for marketing purposes
NetFlow version 9 is a new flexible and extensible format for exporting IP flow information from Cisco routers and switches, providing rapid support for IP accounting of Cisco technologies. New features that leverage NetFlow version 9 include MPLS Aware NetFlow, NetFlow multicast and NetFlow BGP Next Hop. The NetFlow Version 9 extensible format is recognized as a new standard for exporting flow information from IP devices.
Capacity planning is a necessity for Cisco customers using MPLS VPN, MPLS traffic engineering, and MPLS label distribution protocol. MPLS network management and capacity planning has now been enhanced with the addition of MPLS Aware NetFlow, which allows customers to determine the IP destination of labeled switched traffic and to understand the utilization of labeled switched paths.
Figure 39
MPLS Aware NetFlow
Benefits
•
NetFlow version 9 is a flexible and extensible export format and an emerging IETF standard for exporting information from IP devices.
•
MPLS aware NetFlow enhances MPLS network planning.
•
Peering arrangements.
•
Network Planning.
•
Traffic Engineering.
•
Accounting and billing.
•
Security Monitoring.
•
Internet access monitoring (protocol distribution, where traffic is going/coming).
•
User Monitoring.
•
Application monitoring.
•
Charge back billing for departments.
Hardware
Considerations
MPLS Aware NetFlow is also available in Cisco IOS Software Release 12.0(24)S on the Cisco 12000 Series Internet Router, and in Release 12.0(26)S for additional hardware products.
Additional Information: http://www.cisco.com/go/netflow
Product Management Contact: Tom Zingale, tomz@cisco.com
4.6.3) Service Selection Gateway Interface Redundancy
In Service Selection Gateway (SSG), each service is associated with an outbound interface. When a subscriber chooses to use a service, SSG connects the subscriber to the service via the associated outbound interface. SSG interface redundancy allows services to be associated with more than one interface to protect against link failures.
When redundant interfaces are configured for a service, a distance metric is assigned to each service binding. This metric determines the order in which SSG selects the interface used to reach a service. The interface for the service binding with the lowest metric is the primary interface, the interface for the binding with the second lowest metric is the secondary interface, and so on. If a failure occurs on an active interface, SSG recognizes the failure and switches the service connection to the interface associated with the next lowest metric. When the primary uplink interface or next hop becomes available again, SSG switches back to the primary interface.
SSG Uplink Interface Redundancy Topologies
The SSG Interface Redundancy feature supports uplink interface redundancy in the following network topologies:
Figure 40
Multiple Next-Hops per Service Sample Topology
Figure 41
Multiple Uplink Interfaces with a Single Next Hop Sample Topology
Figure 42
Multiple Uplink Interfaces with No Next Hop Sample Topology
Figure 43
Combinations of Directly Connected Uplink Interfaces and Interfaces with Next Hops Sample Topology
Benefits
•
Reduces Connectivity Downtime
Service Providers can use SSG Interface Redundancy to configure a redundant interface for the services they offer to subscribers. Any failure on the primary interface activates the backup interface, reducing service connection downtime. It also helps subscribers get uninterrupted access to the services that Service Providers offer.
Hardware
Product Management Contact: Murali Kolli, mkolli@cisco.com
4.7) IP Addressing and Services
4.7.1) Dynamic Host Configuration Protocol—Dynamic Default Gateway on a Statically Configured Route
This feature enables the dynamic configuration of the default gateway for a configured IP static route using Dynamic Host Configuration Protocol (DHCP). This enhancement allows a static route to be configured with the keyword "dhcp".
The DHCP client within Cisco IOS Software uses DHCP Option 3 (the Router option, which carries the default gateway address) obtained from a DHCP server and plugs this gateway address in as the "next hop" of the static IP route command.
Example route configuration:
ip route 3.3.3.3 255.255.255.255 dhcp
If a DHCP IP address is obtained and Option 3 has also been obtained from the server (i.e., Option 3 contains 3.3.3.2), then a show ip route command will show the configured static route:
S 3.3.3.3 255.255.255.255 via 3.3.3.2
This can be an alternative to using DHCP Option 33 (Static Route Option). Customers may not always have control or influence over the DHCP server configurations of the network providers.
Benefits
Simplifies static routing configurations in networks that make use of DHCP.
Hardware
Product Management Contact: Mark Denny, mdenny@cisco.com
4.7.2) Dynamic Host Configuration Protocol—Configurable DHCP Client
Configurable Dynamic Host Configuration Protocol (DHCP) Client is the ability to manually configure several DHCP client options:
•
Client Identifier Option (option 61)
–
Allows a user to enter a unique hexadecimal value or a unique null-terminated ASCII string.
–
This value is expected to be unique for all clients in an administrative domain.
•
Vendor Class Identifier (option 60)
–
Allows user to configure the Vendor Class Identifier string to use in the DHCP interaction.
–
This option is used by DHCP clients to optionally identify the vendor type and configuration of the client.
•
IP Address Lease Time (option 51)
–
Allows user to configure the suggested lease time to be included as the Lease Time Option in DHCP interaction.
–
This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.
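An added example, not part of the bulletin, that combines the configurable client options of this section with the dhcp keyword on a static route from section 4.7.1. The interface, identifier strings and lease length are assumed.

```cisco
! Added example, not from the bulletin. Interface, identifier strings and
! the lease length are assumed.
! The client options are configured before "ip address dhcp" so that they
! are carried in the first DHCPDISCOVER rather than only after a renewal.
interface FastEthernet0/0
 ip dhcp client client-id ascii branch-rtr-17
 ip dhcp client class-id Cisco-1711-branch
 ip dhcp client lease 1 12 0
 ip address dhcp
!
! Default route whose next hop is filled in from Option 3 (Router option)
! of the lease, with no dependency on the server sending Option 33.
ip route 0.0.0.0 0.0.0.0 dhcp
!
Router# show dhcp lease
Router# show ip route static
```

The client identifier (Option 61) is what the server uses to key reservations, so the ASCII string here is the value to register on the provider's server if a fixed address is wanted. The lease time in Option 51 is a suggestion: show dhcp lease reports the lease the server actually granted, which may be shorter.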
Benefits
Provides customers additional flexibility in the allocation and control of their IP Address space.
Hardware
Additional Information: http://www.ietf.org/rfc/rfc2132.txt
Product Management Contact: Mark Denny, mdenny@cisco.com
4.7.3) First Hop Routing Protocols—Object Tracking List Support
First Hop Routing Protocols (FHRP) Object Tracking List Support refers to the ability to group multiple objects, track the state of these objects collectively, and influence the FHRP design dynamically.
FHRP Object Tracking List support can cause Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) to initiate a failover to another router in the group, and can cause Gateway Load Balancing Protocol (GLBP) to shift the IP traffic of a specific GLBP router to the rest of the GLBP group.
FHRP comprises GLBP, HSRP, and VRRP. Previously, these protocols could track only a single "object" at a time, using the information obtained from that object to decide whether to fail over from one redundant gateway router to another (in the case of HSRP or VRRP) or to shift the traffic of one GLBP router to the rest of the GLBP group.
The result of tracking an object is to perform a predefined action when the object's state changes. For example, the user can track an interface so that, when it fails, the HSRP priority is changed, an election takes place, and a new router takes over as the primary HSRP router. When the interface comes back up, the HSRP priority changes again, so the original primary router takes over its role once more.
With the "Object Tracking List" enhancement, multiple objects can be defined in a list and actions are determined by the collective state, or combined status, of the defined objects. The list provides logical operations, thresholds with weighting, and percentage comparison across the tracked objects. An object tracking list can be defined as follows:
•
Each object in the list of tracked objects has an associated weight. This weight can be set by the user, or is calculated automatically if all objects are to have equal weight; the latter is the default.
•
A threshold value is defined by the user; by comparing the state of each object and its associated weight against the threshold, the state of the "track list" object is determined.
•
Use of the logical AND function means that the "track list" object is "UP" only when every object defined within the list is "UP".
•
Use of the logical OR function means that when any object defined within the list is "UP", the "track list" object is also "UP".
•
Configuration examples:
track 1 interface e0/1 line-protocol
track 2 interface e0/2 line-protocol
track 3 interface e0/3 line-protocol
track 4 list
object 1 weight 10
object 2 weight 20
object 3 weight 10
threshold percentage up 30 down 29
track 5 list
object 1
object 2
object 3
object 4
boolean and
track 6 list
object 1
object 2
object 3
object 4
boolean or
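Binding one of the lists above to HSRP, as an added example that is not part of the bulletin. The addresses and priorities are assumed; track 4 refers to the weighted list in the configuration above.

```cisco
! Added example, not from the bulletin. Addresses and priorities are assumed.
! Ties the weighted list (track 4 above) to HSRP: when the list goes down
! the priority drops below the standby router's default of 100 and, with
! preempt configured on both routers, the standby takes over.
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 4 decrement 20
!
! Shows the list state and which member objects currently contribute to it.
Router# show track 4
```

The decrement has to be chosen against the peer's priority, not in isolation: with a standby at 100, a decrement of 20 from 110 causes a failover, while a decrement of 5 would leave the primary in charge with its uplinks degraded. When the tracked objects recover, the list returns to "UP", the priority is restored, and preempt on the original router causes it to take the active role back.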
Benefits
•
Provides customers additional granularity and control when designing network availability.
•
Customers can customize the combination of "objects" that will initiate failing over or redistribution of traffic within an FHRP group.
Hardware
Product Management Contact: Mark Denny, mdenny@cisco.com
4.7.4) Network Address Translation—Support for H.323 Fragmented Control Messages
For various reasons, control messages for most multimedia applications (e.g., H.323, Skinny Client Control Protocol) may arrive at a router as fragments. Reasons include a low MTU at the origin, TCP window size limitations, and fragmentation by a middle box. While IP-level (Layer 3) fragmentation is common and well understood, some applications have control messages that span several IP datagrams. For example, the control message of an application that uses TCP could arrive at a router running Network Address Translation (NAT) as multiple IP (TCP) packets that are not fragmented.
Currently, Cisco IOS NAT expects the entire control message to be present in a single IP packet. If NAT receives a control message that is fragmented, the packet is simply dropped.
This enhancement supports:
•
H.323 control messages that span several IP fragments.
•
H.323 control messages that span several non-fragmented IP datagrams.
In order to translate the embedded address and port in the payload, NAT has to reassemble the fragments so that the entire control message is available. Once the set of packets that make up a complete control message has been received, the complete message is processed by NAT and then routed on to its destination.
Benefits
Provides enhanced support for H.323 based Voice over IP sessions.
Hardware
Product Management Contact: Mark Denny, mdenny@cisco.com
4.8) Connectivity
4.8.1) Explicit Call Transfer for ETSI PRI
Explicit Call Transfer (ECT) allows the router to transfer a call received from the PSTN to its final destination number on the PSTN, instead of "hairpinning" the call on the router interface and consuming a DS0 channel on a PRI interface. This feature allows the ECT functionality to work with the ETSI (NET5) switch type and helps make better use of channels on a PRI interface. The typical architecture for this functionality has a Cisco AS5xxx acting as a voice gateway between a SIP (Session Initiation Protocol) based Voice Recognition Server (VRS) and a Central Office switch in the PSTN. The application provides call transfer services based on voice recognition (the voice-activated menus typical of call centers, such as an airline reservation system) to service provider customers who operate large customer contact centers. In these applications, the call flow proceeds as follows:
1.
An initial call is received on a PRI interface of the Cisco AS5000 Series and routed to the Voice Recognition Server via a SIP interface.
2.
The VRS identifies a destination number to transfer the call to based on a voice command selection from the end user.
3.
The VRS sends the appropriate SIP message with the destination number to the Cisco AS5000 Series, and the Cisco AS5000 Series performs an Explicit Call Transfer of the original call on its PRI interface.
Benefits
Allows better utilization of DS0 channels on PRI interfaces for VoIP applications and allows Call Transfer functionality to work with ETSI (NET5) switch types, which are found in Europe and Asia.
Hardware
Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com
4.8.2) Protocol Translation Template
Protocol Translation Template (PTT) gives Telco DCN (Data Communication Network) customers increased flexibility in configuring PT sessions in environments where a large number of PT sessions must be configured. The current PT configuration requires a static mapping between incoming connections (such as PAD, Telnet, or LAT) with their configuration parameters and the outbound protocol connection (PAD, Telnet, LAT, PPP, SLIP, and so on) with its configuration parameters. PTT allows the construction of a template containing "ruleset" capabilities for dynamic configuration construction, which simplifies the task of creating large-scale PT configurations. The "ruleset" capability allows multiline string searches, comparisons, and substitutions in the PTT to create a configuration for PT.
Benefits
Using Protocol Translation Templates will allow Telco DCN administrators to create large scale PT configurations in a quicker and more error-free manner. Administrators will not have to configure a large number of static PT sessions and will have a simple method to configure a general purpose PTT.
Hardware
Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com
4.8.3) Asynchronous Line Monitoring
Asynchronous Line Monitoring enables the monitoring of control characters, along with the character-mode traffic, on an asynchronous line. A new keyword, "control-char", is added to the existing "monitor traffic" CLI command to turn on this function.
Asynchronous Line Monitoring also adds the ability to lock the keyboard, preventing the insertion of typed characters into the stream of characters on the asynchronous line.
The modified CLI will look like this:
monitor traffic line <line> [in] [out] [control-char] [interactive]
This functionality is important for Telco Data Communication Network (DCN) applications where service providers want to monitor remote Network Elements via asynchronous lines.
Figure 44
Asynchronous Line Monitoring
In the DCN application example shown above, the user opens a telnet session from the Operation Support System (OSS) host to the Network Element.
Benefits
Asynchronous Line Monitoring provides added granularity and enables network administrators to control traffic on asynchronous lines.
Hardware
Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com
5) Release 12.3(7)T Highlights
Below are some of the key features available in Release 12.3(7)T.
5.1) New Hardware Support
5.1.1) Cisco 1711 and 1712 Security Access Routers
Description
The Cisco 1711 and 1712 Security Access Routers offer an all-in-one security, routing, and switching solution for enterprise small branch offices and small and medium-sized businesses. They feature built-in Fast Ethernet LAN switching, a Fast Ethernet port for DSL or broadband modem connectivity, integrated Cisco IOS Security, and a backup WAN for link redundancy to help ensure high availability of critical business applications.
Figure 45
Cisco 1711/1712 Application Advantages—Workgroup Segmentation with Dial Backup
Benefits
• Complete Solution—delivering broadband access with link redundancy, routing, switching, and security.
• Integrated Network Security—stateful inspection firewall with URL filtering, hardware-accelerated VPN encryption (DES and 3DES) delivering 15 Mbps encryption rates, and IDS detecting 100 signatures.
• Integrated LAN Switching—4-port 10/100BaseT switch with 802.1Q VLAN and MDI/MDIX auto-configuration.
• High WAN Availability—ensures availability of the network connection and applications with an analog modem or ISDN S/T backup WAN.
• WAN Migration—use the analog modem or ISDN S/T port as the primary connection, then migrate to a high-speed Cable/DSL connection when available.
• Dual ISP Support—the 10/100BaseT ports can be separated to allow simultaneous connection to two ISPs for load balancing and failover protection.
• Superior Manageability—CiscoWorks for centralized configuration and management; embedded web-based Security Device Manager (SDM) for simplified device configuration management.
Hardware
Product Management Contact: dthaele@cisco.com
5.1.2) Network Modules for Circuit Emulation Services over IP for the 2600, 3600 and 3700 Series Routers
Description
The Cisco 2600/3660/3700 Circuit Emulation over IP (CEoIP) network modules (product IDs: NM-CEM-4T1E1 and NM-CEM-4SER) enable service provider customers to create a new revenue stream by offering a leased-line service over existing packet infrastructure. Enterprise and government customers will be able to migrate applications that require TDM transport onto their IP networks, thus saving operational expenses.
Hardware
Product Management Contact: cschwaig@cisco.com
5.1.3) Network Analysis Module for the 2600, 3660 and 3700 Series Routers
Description
The Cisco 2600/3660/3700 Series Network Analysis Module (product ID: NM-NAM) is an integrated traffic-monitoring network module that enables network managers to gain application-level visibility into network traffic at remote sites with the ultimate goal of improving performance, reducing failures, and maximizing return on network investments. It expands the Cisco NAM solution available for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers. It provides the unique advantage of performing remote troubleshooting and traffic analysis through its Web-based NAM Traffic Analyzer without having to send personnel to remote sites or haul large amounts of data to the central site.
Figure 46
The Cisco 2600/3660/3700 Series Network Analysis Module
Benefits
• Real-Time and Historical Traffic Monitoring in WANs—analyze bandwidth usage at the application level; proactively monitor data and VoIP applications.
• Application Performance Management—identify application response delays observed at branches.
• Fault Isolation and Troubleshooting—remotely isolate network problems; capture and decode packets.
• VoIP and QoS Monitoring—analyze IP Telephony sessions; validate QoS policies.
• Capacity Planning and Extended Applications—with standards-based software applications.
Hardware
Product Management Contact: massung@cisco.com
5.2) Security
5.2.1) RADIUS Attribute Screening support for Access-Request
Description
The RADIUS Attribute Screening feature allows users to configure a list of "accept" or "reject" RADIUS attributes on the network access server (NAS) for purposes such as authorization or accounting.
This enhancement to attribute screening adds support for filtering on Access-Request, in addition to the Access-Accept and Accounting-Request filtering already supported in Cisco IOS Software.
Benefits
Improved Control and Manageability—finer control over which attributes, in particular the Called-Station-Id, are sent to the ISP in Access-Request messages, according to the pre-arranged agreement.
Hardware
Routers
• Cisco 7200, Cisco 7400 Series
• Cisco 7301, Cisco 7304-NPE-G100 and Cisco 7304-NSE-100 Routers
Product Management Contact: IOS-Security-PM@cisco.com
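To illustrate what attribute screening on an Access-Request amounts to on the wire, here is an added Python example (not Cisco code, and not the IOS implementation) that parses a RADIUS packet, applies an "accept" or "reject" attribute list, and re-serializes it; the sample Access-Request, the attribute numbers used and the zeroed Request Authenticator are constructed for the example.

```python
import struct

# RADIUS attribute type numbers from RFC 2865 used in this example.
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLED_STATION_ID = 30
CALLING_STATION_ID = 31
ACCESS_REQUEST = 1  # RADIUS code for Access-Request

def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # reject truncated or overlong AVPs
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs

def build_radius(code, ident, authenticator, attrs):
    """Serialize header, authenticator and attribute list back into a packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def screen_attributes(packet, attr_list, mode):
    """Screen an Access-Request: 'accept' keeps only listed attributes, 'reject' drops them."""
    code, ident, auth, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        return packet  # only Access-Request is screened in this example
    if mode == "accept":
        kept = [(t, v) for t, v in attrs if t in attr_list]
    elif mode == "reject":
        kept = [(t, v) for t, v in attrs if t not in attr_list]
    else:
        raise ValueError("mode must be 'accept' or 'reject'")
    return build_radius(code, ident, auth, kept)

# Constructed sample Access-Request (not captured traffic); a real request would carry
# a random Request Authenticator and a User-Password, omitted here for brevity.
SAMPLE_REQUEST = build_radius(ACCESS_REQUEST, 7, bytes(16), [
    (USER_NAME, b"alice"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
    (CALLED_STATION_ID, b"5551234"),
    (CALLING_STATION_ID, b"5559876"),
])
```

Screening with a reject list containing Called-Station-Id yields a 42-byte packet carrying attributes 1, 4 and 31; an accept list of User-Name and NAS-IP-Address leaves only attributes 1 and 4.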
5.2.2) Role-Based CLI Access