
Cisco IOS Software Release 12.3T New Features and Hardware


Table Of Contents

Cisco IOS Software Release 12.3T New Features and Hardware

1) Introduction: Cisco IOS Software Release 12.3T

1.1) Migration Guide

1.2) Release 12.3T Additional Information

1.3) Cisco IOS Packaging

2) Cisco IOS Software Release 12.3(14)T Highlights

2.1) Security and VPN

2.2) Cisco IOS Software Infrastructure

2.3) Routing

2.4) Management and Provisioning

2.5) IP Services

2.6) IPv6

2.7) Multiprotocol Label Switching

3) Release 12.3(11)T Highlights

3.1) New Hardware Support

3.2) High Availability

3.3) Cisco IOS Security

3.4) Quality of Service

3.5) IP Routing

3.6) Manageability

3.7) IP Multicast

3.8) Embedded Network Management

3.9) IP Addressing and Services

3.10) Connectivity

4) Release 12.3(8)T Highlights

4.1) New Hardware Support

4.2) Cisco IOS Security

4.3) Mobile IP

4.4) Quality of Service

4.5) IP Routing

4.6) Manageability

4.7) IP Addressing and Services

4.8) Connectivity

5) Release 12.3(7)T Highlights

5.1) New Hardware Support

5.2) Security

5.3) Mobile IP

5.4) Quality of Service

5.5) Multicast

5.6) Embedded Network Management

5.7) Routing

5.8) Connectivity

5.9) IP Addressing & Services

5.10) Multiprotocol Label Switching

6) Release 12.3(4)T Highlights

6.1) New Hardware Support

6.2) Security

6.3) IP Addressing & Services

6.4) Mobile IP

6.5) Voice & Video

6.6) Quality of Service

6.7) Connectivity/VPN

6.8) Embedded Network Management

7) Release 12.3(2)T Highlights

7.1) Security

7.2) IP Addressing & Services

7.3) Embedded Network Management

7.4) Connectivity/VPN

8) Appendix: Release 12.3(8)T—New Feature Enhancements

9) Appendix: Release 12.3(7)T—New Feature Enhancements

10) Appendix: Release 12.3(4)T—New Feature Enhancements

11) Appendix: Release 12.3(2)T—New Feature Enhancements

11.1) Hardware Products and Modules Newly Supported in Cisco IOS Software Release 12.3(2)T

12) Appendix: Release 12.3(11)T—New Feature Enhancements


Product Bulletin, No. 2215

Cisco IOS Software Release 12.3T New Features and Hardware


This Product Bulletin introduces Cisco IOS Software Release 12.3T, and includes the following sections:

1) Introduction: Cisco IOS Software Release 12.3T

Cisco IOS® Software is the world's premiere network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.

The Release 12.3T family will be issued as a series of individual releases, each of which will create significant new revenue opportunities and will include hundreds of business-critical features, the latest hardware support, and ongoing quality improvements. Cisco will ultimately consolidate all of these individual 12.3T releases to form a single major release.

With more than sixty new features, Cisco IOS Software Release 12.3(14)T extends the functionality and benefits of Cisco IOS Software.

Release 12.3T powers the new Cisco Integrated Services Routers, the first hardware/software system to deliver secure, wire-speed data, voice, video, and security services to small and medium-sized businesses, Enterprise branch offices, and Service Providers who offer managed services. By speeding application deployment and reducing operating complexity, it lowers customers' total cost of ownership.

Release 12.3(11)T extends the benefits of Cisco IOS High Availability to small and medium-sized businesses and branch offices by minimizing router downtime during planned or unplanned outages.

In order to maximize the value of the network, Cisco customers are continually integrating new technologies, hardware, and services into the existing infrastructure. In recognition of the challenges this can pose, Release 12.3(8)T delivers network intelligence with integrated features that secure branch office communications, automate the deployment of new applications, and optimize the flow of outbound traffic.

Release 12.3(7)T, the third release of this family, extends the robust suite of Cisco IOS Security capabilities with features that further reduce network vulnerability. The powerful new hardware support, enhanced security management capabilities, and enriched Cisco IOS Firewall functionality in Release 12.3(7)T protect sensitive data and corporate resources from malicious attacks.

Release 12.3(4)T, the second of the 12.3T releases, allows customers to leverage embedded Cisco IOS Software functionality to more easily deploy Security, Voice and Wireless applications. By enabling integrated small-scale deployment scenarios, Release 12.3(4)T provides the infrastructure for future expansion of small and medium business and Enterprise branch customers.

Release 12.3(2)T, the first of the 12.3T releases, greatly enhances customer productivity with nearly one hundred new features across more than thirty Cisco hardware products. Highlights of Release 12.3(2)T include the Cisco 830 Series Router and Cisco Security Device Manager.

Figure 1

Major Release and New Technology Release Relationship

1.1) Migration Guide

Cisco recommends that customers who require features found in Release 12.2T upgrade to the latest version of Major Release 12.3 or 12.3T. Release 12.2T is scheduled for End of Sales on October 31, 2003. Software releases that have reached End of Sales are no longer orderable, but remain available for download from Cisco.com and the Technical Assistance Center (TAC) to customers under a maintenance contract.

Figure 2 illustrates the migration path into Release 12.3T.

Figure 2

Release 12.3T Migration Path

Cisco IOS Software Release 12.3T undergoes a continuing testing and review cycle to improve its reliability and quality. Unlike the Major Release 12.3 family, Release 12.3T integrates new features with every maintenance release, and those regular maintenance releases also carry the improvements resulting from the testing cycle. Maintenance for Release 12.2T ceased upon the introduction of Major Release 12.3 and 12.3T; users of Release 12.2T should move to Major Release 12.3 or 12.3T to continue receiving maintenance.

Each Cisco IOS Software new technology release is built upon the previous release, adding new software features, hardware support, and software fixes for previous major releases and new technology releases. Release 12.3(4)T, for example, is built upon the existing functionality of Release 12.3(2)T. Customers interested in upgrading to Release 12.3T should determine their functionality needs and choose the corresponding release in the Release 12.3T family.

1.2) Release 12.3T Additional Information

Release 12.3T Information

http://www.cisco.com/go/release123t/

Release 12.3T Q&A

http://www.cisco.com/go/123tqa/

Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

Cisco IOS Software Center

Download Cisco IOS Software releases and access software upgrade planners.

http://www.cisco.com/public/sw-center/sw-ios.shtml

Cisco Feature Navigator

A web-based application that allows you to quickly match Cisco IOS Software releases, features, and hardware.

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Cisco Software Advisor

Determine the minimum supported software for selected hardware.

http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

Cisco IOS Upgrade Planner

View all major releases, hardware, and software features from a single interface.

http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi

Cisco IOS Software Questions and Feedback

http://www.cisco.com/warp/public/732/feedback/release/

1.3) Cisco IOS Packaging

Cisco IOS Packaging simplifies the image selection process by consolidating the total number of packages and using consistent package names across all hardware products.

Figure 3

Cisco IOS Packaging for Cisco Routers

2) Cisco IOS Software Release 12.3(14)T Highlights

Tables 1 and 2 describe and identify the feature highlights of Cisco IOS Software Release 12.3(14)T.

Table 1  Cisco IOS Software Release 12.3(14)T Technology Summary

Section | Feature Highlights and Benefits
Security and VPN | Security enhancements provide greater security for IP networks whether they use IPsec VPNs, Secure Sockets Layer (SSL) VPNs, Cisco IOS Firewall, or authentication, authorization, and accounting (AAA)
Cisco IOS Software Infrastructure | Embedded Event Manager ushers in new ways to react to network events and take automatic action
Routing | Routing protocol enhancements for Enhanced Interior Gateway Routing Protocol (EIGRP), Border Gateway Protocol (BGP), and Open Shortest Path First (OSPF)
Management and Provisioning | More tools for monitoring and managing bandwidth and service levels
IP Services | Additional capabilities for Service Selection Gateway (SSG), Network Address Translation (NAT), and Mobile IP
IPv6 | Dynamic Host Configuration Protocol (DHCP) v6 prefix delegation and support for Simple Network Management Protocol (SNMP) for IPv6
Multiprotocol Label Switching | Additional capabilities for Multiprotocol Label Switching (MPLS)-based network connectivity

Table 2  Release 12.3(14)T Highlights 

2.1.1) Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)

2.1.2) Cisco IOS Firewall: HTTP Inspection Engine

2.1.3) Cisco IOS Firewall: Granular Protocol Inspection

2.1.4) Cisco IOS Firewall: Email Inspection Engine

2.1.5) Cisco IOS Firewall: Inspection of Router-Generated Traffic

2.1.6) Virtual Routing and Forwarding Aware Cisco IOS Firewall

2.1.7) Intrusion Prevention Systems Signature Enhancements

2.1.8) Secure Device Provisioning Phase 4: Administrative Introducer

2.1.9) Secure Device Provisioning Phase 4: Hierarchical Certificate Servers

2.1.10) OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements

2.1.11) Persistent Self-Signed Certificates

2.1.12) Easy VPN Remote Phase 4.1: Enhancements

2.1.13) IPsec Preferred Peer

2.1.14) IPsec Antireplay Window Expansion and Disable Options

2.1.15) IPsec Virtual Tunnel Interface

2.1.16) Reverse Route Injection

2.1.17) Easy VPN Remote Web-Based Activation

2.1.18) WebVPN

2.1.19) Cisco Router and Security Device Manager 2.1

2.2.1) Cisco IOS Embedded Event Manager 2.1

2.2.2) Embedded Resource Manager

2.3.1) Enhanced Interior Gateway Routing Protocol Prefix Limit Support

2.3.2) Enhanced IGRP Simple Network Management Protocol Support

2.3.3) Open Shortest Path First Sham-Link MIB Support

2.3.4) Border Gateway Protocol Support for Fast Peering Session Deactivation

2.3.5) Border Gateway Protocol Support for IP Prefix Import from Global Table into Virtual Routing and Forwarding Table

2.3.6) Border Gateway Protocol Support for Next-Hop Address Tracking

2.3.7) Routemap Display Extension

2.3.8) Optimized Edge Routing Support for Cost-Based Optimization and Traceroute Reporting

2.3.9) Policy-Based Routing: Recursive Next Hop

2.3.10) Internet Group Management Protocol Version 3 Host Stack

2.3.11) Per Interface mroute State Limit

2.3.12) Integrated Routing and Bridging Support on MGX-RPM-XF-512

2.4.1) Multicast VPN MIB

2.4.2) Exclusive Configuration Change Access

2.4.3) Selective Enabling of Applications Using HTTP Server

2.4.4) Bandwidth Estimation Using Corvil Bandwidth Technology

2.4.5) IP Service Level Agreements Voice over IP Call Setup (Postdial Delay) Monitoring

2.4.6) IP Service Level Agreements—Voice over IP Gatekeeper Delay Monitoring

2.4.7) IP Service Level Agreements CLI Introduction

2.4.8) IP Service Level Agreement Sub-Millisecond Accuracy Improvements

 

2.5.1) Network Address Translation Virtual Interface

2.5.2) Network Address Translation Routemaps Outside-to-Inside Support

2.5.3) Dynamic Host Configuration Protocol Intelligent Services Gateway Enhancements

2.5.4) Dynamic Host Configuration Protocol Relay Subscriber Identifier Suboption

2.5.5) Virtual Router Redundancy Protocol Message Digest Algorithm 5 Authentication

2.5.6) Extended Prepaid Tariff Switch with Service Selection Gateway

2.5.7) MAC Address-Based Authorization with Service Selection Gateway

2.5.8) Service Selection Gateway Aware On-Demand IP Address Renewal

2.5.9) Service Selection Gateway Support for Subnet-Based Authentication

2.6.1) Dynamic Host Configuration Protocol version 6 Prefix Delegation Using Authentication, Authorization, and Accounting

2.6.2) Mobile IP: Mobile IPv6 Home Agent

2.6.3) Cisco Express Forwarding Support for Network Address Translation-Protocol Translation

2.6.4) Simple Network Management Protocol Using IPv6 Transport

2.6.5) IPv6 Bootstrap Router Bidirectional Support

2.6.6) IPv6 Bootstrap Router Scoped Zone Support

2.7.1) Multiprotocol Label Switching: Label Distribution Protocol Graceful Restart

2.7.2) Multiprotocol Label Switching: Label Distribution Protocol Inbound Label Binding Filtering

2.7.3) Multiprotocol Label Switching: Virtual Routing and Forwarding-Aware Static Labels

2.7.4) Multiprotocol Label Switching: Label Distribution Protocol Session Protection

2.7.5) Multiprotocol Label Switching: Label Distribution Protocol Autoconfiguration

2.7.6) Multiprotocol Label Switching: Label Distribution Protocol-Interior Gateway Protocol Synchronization

 

2.1) Security and VPN

2.1.1) Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)

Login password retry lockout conforms to the EAL4 requirement of providing these enhancements to Cisco IOS Software-enabled devices:

The administrator specifies the number of failed login attempts permitted before lockout. The default value is 3 and is configurable.

When a user makes the configured number of unsuccessful attempts to log in, that user is locked out of the system until the administrator unlocks that user.

Only the administrator or users with administrator-equivalent privileges are able to unlock users.

Local AAA will maintain a list of locked-out users.

This configuration is not user specific but is device (per-box) specific.

Exception: The system does not allow the administrator to be placed on the locked-out list.

The locked-out list will not be maintained by an external server such as a RADIUS server.

The command-line interface (CLI) can be used to display a list of locked-out users by use of a show command.
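The lockout behavior described above, expressed as a Cisco IOS configuration. This is an added illustration, not configuration taken from the bulletin; the command names are those of the 12.3(14)T Login Password Retry Lockout feature as I recall them and should be checked against the feature documentation, and the usernames, passwords and line numbers are placeholders.

```cisco
! Enable AAA and authenticate logins against the local user database.
! The lockout list lives in local AAA on this router, not on a RADIUS server.
aaa new-model
aaa authentication login default local
!
! Lock a local user out after 3 consecutive failed attempts (the feature's
! default value, shown explicitly so the policy is visible in the config).
aaa local authentication attempts max-fail 3
!
! Administrator account used to unlock users. Per the feature description,
! the administrator cannot be placed on the locked-out list.
username netadmin privilege 15 secret <placeholder-strong-password>
! Ordinary operator account, subject to the lockout rule.
username operator secret <placeholder-password>
!
! Apply the default login method list to the management lines.
line vty 0 4
 login authentication default
 transport input ssh
!
! Operational commands (exec mode) that belong to the same feature:
!   show aaa local user lockout                       - audit trail of locked-out users
!   clear aaa local user lockout username operator    - unlock one user
!   clear aaa local user lockout all                  - unlock every locked-out user
```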

Benefits

Improves the security of the networking device.

Helps the network administrator to prevent potential unwanted access to the networking device.

Offers flexibility for the network administrator to allow networking device access that meets the security policies and industry standards of individual corporations.

Provides audit trail of locked-out users for security risk assessment.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.2) Cisco IOS Firewall: HTTP Inspection Engine

Cisco IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. Often companies decide to permit common applications, such as Web browsing, through their firewalls. Unfortunately, such access can result in non-HTTP applications, such as instant messaging (IM), attempting to take advantage of hosts behind this opening in the firewall. Although traditional firewall enforcement blocks traffic based on source and destination addresses and protocol and port numbers, the Cisco IOS Firewall HTTP Inspection Engine enforces protocol conformance and prevents malicious or unauthorized behavior such as port 80 tunneling, malformed packets, and Trojans from passing through. The HTTP Inspection Engine gives Cisco IOS Firewall the intelligence not only to block non-HTTP traffic, but also to help ensure that traffic that is assumed to be HTTP is legitimate Web browsing and not IM or similar traffic trying to gain access through the firewall. The net result is that network administrators will have more granular control of applications passing through the firewall.

Benefits

Defines and enforces security policies for port 80.

Controls misuse of port 80 by rogue applications that tunnel traffic inside HTTP and use port 80 to avoid scrutiny.

Performs protocol anomaly detection services.

Detects misuse of HTTP and Web connectivity.

Prevents protocol masquerading.

Provides strict RFC compliance enforcement.

Allows RFC command control (for example, get or put).

Enforces URL-length and header-length policy.

Supports real-time alarms and audit trail messages.

Provides MIME-type filtering and content validation.
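An application firewall policy that exercises the HTTP Inspection Engine controls listed above (strict HTTP conformance, port-80 misuse, RFC request methods, header and URL length, MIME-type verification). This is an added example, not configuration from the bulletin; the appfw policy syntax is that of the 12.3(14)T Advanced Application Inspection and Control feature as I recall it and should be checked against the feature documentation, and the policy name, inspection rule name and interface are placeholders.

```cisco
! Application firewall policy for HTTP; BRANCH-HTTP is a placeholder name.
appfw policy-name BRANCH-HTTP
 application http
  ! Reset connections that do not conform to the HTTP RFC (protocol masquerading).
  strict-http action reset alarm
  ! Reset instant-messaging, peer-to-peer and generic tunneling over port 80.
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse tunneling action reset alarm
  ! Allow only RFC-defined request methods (get, put, ...); reset extension methods.
  request-method rfc default action allow alarm
  request-method extension default action reset alarm
  ! Header-length and URL-length policy.
  max-header-length request 4096 response 4096 action reset alarm
  max-uri-length 1024 action reset alarm
  ! MIME-type validation: the Content-Type header must match the body.
  content-type-verification match-req-rsp action reset alarm
!
! Bind the policy to a stateful inspection rule (FW is a placeholder name).
! Both the appfw line and the http line are needed for HTTP inspection.
ip inspect name FW appfw BRANCH-HTTP
ip inspect name FW http
ip inspect name FW tcp
ip inspect name FW udp
!
! Apply the rule inbound on the inside interface so outbound browsing is
! inspected and only legitimate return traffic is allowed back in.
interface FastEthernet0/0
 description Inside LAN (placeholder interface)
 ip inspect FW in
```

Alarms raised by the policy are logged through the router's audit trail, which is where a defender would look for evidence of tunneling or malformed requests.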

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall HTTP Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.3) Cisco IOS Firewall: Granular Protocol Inspection

With this feature, Cisco IOS Firewall can perform more granular protocol inspection of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic for most application types as defined in RFC 1700.

IP packets that contain most well-known ports defined in RFC 1700 plus user-defined ports and ranges that map to specific applications can be inspected. Additionally, the current Cisco IOS Firewall feature called Port-to-Application Mapping (PAM) has been enhanced to distinguish between TCP and UDP.

Benefits

Greater flexibility by allowing more granularity in the selection of protocols to be inspected.

Ease of use by providing for group inspection of multiple ports into a single, user-defined application keyword.

Enhanced functionality with the addition of more well-known ports, user-defined applications, and user-defined port ranges.

Improved performance and reduced CPU load resulting from focused inspection selections.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

A single port can only be mapped to one application.

Port ranges cannot be specified directly in the ip inspect name command; the PAM table should be used instead.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Granular Protocol Inspection feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.4) Cisco IOS Firewall: Email Inspection Engine

Cisco IOS Firewall Advanced Application Inspection and Control features Inspection Engines to provide protocol anomaly detection services. This latest enhancement adds support for Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) to the Email Inspection Engine in addition to the existing support for Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP).

Benefits

Inspects SMTP, ESMTP, POP3, and IMAP.

Detects misuse of email connectivity.

Prevents protocol masquerading.

Enforces strict RFC compliance.

Performs protocol anomaly detection services.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Users will need to have sufficient free memory.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Email Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.5) Cisco IOS Firewall: Inspection of Router-Generated Traffic

The Inspection of Router-Generated Traffic feature enables the inspection of local router traffic to single-channel TCP and UDP connections originated by or terminated at a router. Local H.323 connections are also supported.

Benefits

Cisco IOS Firewall policy can now be applied to router local traffic.

The inspection of local H.323 connections enables the deployment of Cisco CallManager Express and Cisco IOS Firewall on the same router with a simplified access control list (ACL) configuration of the Cisco CallManager Express interface through which H.323 connections are made.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Inspection of Router-Generated Traffic is supported only on the following protocols: H.323, TCP, and UDP.

Cisco IOS Firewall supports only Version 2 of the H.323 protocol.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Inspection of Router-Generated Traffic feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.6) Virtual Routing and Forwarding Aware Cisco IOS Firewall

Virtual Routing and Forwarding (VRF) Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF interfaces when the firewall is configured on a service provider or large enterprise edge router. Service providers can provide managed services to small and medium business markets. VRF-Aware Cisco IOS Firewall supports VRF-aware URL filtering and VRF-lite (also known as multi-VRF customer edge [CE]).

Benefits

Allows users to configure a per-VRF firewall. The firewall inspects IP packets that are sent and received within a VRF.

Allows service providers to deploy the firewall on the provider edge (PE) router.

Supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address.

Supports per-VRF (not global) firewall command parameters and denial-of-service (DoS) parameters so that the VRF-aware firewall can run as multiple instances (with VRF instances) allocated to various VPN customers.

Performs per-VRF URL filtering.

Generates VRF-specific syslog messages that can be seen only by a particular VPN. These alert and audit trail messages allow network administrators to manage the firewall; that is, they can adjust firewall parameters, detect malicious sources and attacks, add security policies, and so on.

Supports the ability to limit the number of firewall sessions per VRF.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

VRF-Aware Cisco IOS Firewall is not supported on MPLS interfaces.

If two VPN networks have overlapping addresses, VRF-aware NAT is required for them to support VRF-aware firewalls.

When crypto tunnels belonging to multiple VPNs terminate on a single interface, per-VRF firewall policies cannot be applied.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

VRF-Aware Firewall is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.7) Intrusion Prevention Systems Signature Enhancements

This release adds the TCP, UDP, and Internet Control Message Protocol (ICMP) signature microengines (SMEs) to the list of supported SMEs, allowing Cisco IOS Software routers to defend networks against common worms and viruses such as the following:

String TCP Worm and Virus Support

Agobot

ANTS

Apache/mod_ssl Worm

Bagle

Blaster

GaoBot

Klez

Minmai

MyDoom

Netsky

Norvag

Phatbot

Sober

Worm Slapper (Buffer Overflow)

ZAFI.D

String UDP Worm and Virus Support

Agobot

Blaster

GaoBot

Phatbot

Slammer

String ICMP Worm and Virus Support

Nachi

       

Also included in this release is the local shun action. This can be configured on any signature. A shun places an ACL-type block on the interface from which the attacking traffic is entering the router to more quickly defend the network from attack traffic.

Benefits

Support for more than 400 more signatures for a total of more than 1275 from which to choose.

Increased efficiency for traffic blocking with shun action.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IPS Signature Enhancements are positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tom Guerrette (ask-stg-ios-pm@cisco.com)

2.1.8) Secure Device Provisioning Phase 4: Administrative Introducer

Secure Device Provisioning (SDP) Phase 4 allows an IT administrator to introduce and preprovision several end routers without the need of an end user. Administrative login and device specification have been introduced into the SDP framework.

SDP, formerly known as EZ Secure Device Deployment, simplifies introduction of a VPN device into the public key infrastructure (PKI) network. SDP mechanisms assume a permanent relationship between the introducer and the device. As a result, the introducer username is used to define the device hostname. Often the introducer username is used as the database locator to determine the Cisco IOS Software configuration template, template variables (pulled from the AAA database and expanded into the template), and the appropriate subject name for the PKI certificates issued to the device.

In some deployment scenarios, the introducer is an administrator (or an administrative service such as a CiscoWorks VPN/Security Management Solution [VMS] or the Cisco IP Solution Center [ISC]) doing the introduction for many devices. In this situation, the administrator's username cannot be used as a database locator so the SDP GUI has been enhanced to provide the username as a separate parameter.

Figure 4

SDP Administrative Introducer

Benefits

Allows an IT administrator or security management solution to provision multiple devices.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SDP Phase 4: Administrative Introducer is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)

2.1.9) Secure Device Provisioning Phase 4: Hierarchical Certificate Servers

PKI deployments have a certificate server that issues certificates to the nodes in the VPN installation. A root certificate server is a CA server that holds a self-signed certificate, and its key pair is the root of the trust associations (digital signatures in the certificates) of the whole VPN installation. Because the root RSA key pairs are extremely important in a PKI hierarchy, it is often advantageous to keep them offline or archived. To support such an arrangement, PKI hierarchies allow for subordinate certificate authorities that have been signed by the root authority. In this way the root authority can be kept offline (except to issue occasional Certificate Revocation List [CRL] updates) and the sub-Certificate Authority (sub-CA) can be used during normal operation.

Figure 5

SDP Hierarchical Certificate Server

Benefits

Allows for hierarchical certificate servers, ensuring better scalability and availability.

Simplifies PKI deployment in geographically distributed VPN installations where each location could have its own certificate server handling the network beneath it.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SDP Phase 4: Hierarchical Certificate Servers is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)

2.1.10) OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements

The Cisco IOS Software Universal Serial Bus (USB) Token Support project provides support for USB cryptographic tokens and flash drives on Cisco IOS Software. The USB token plugs into the router's USB port.

Tokens provide a secure place to store keys and configurations, where they can be protected with a PIN. Tokens do not have enough storage to hold images or other bulk data. The tokens supported in this release have a capacity of 32 KB, of which about half is taken up by token and Cisco IOS Software system overhead. This size is suitable for a small configuration and a few certificates and keys.

Flash drives can be used to store images, configurations, and other data, but are not suitable for private keys because they have no security.

Figure 6

USB Token: PKI

Benefits

Simplifies secure initial deployment. Router can be drop-shipped by distributor, while the token containing configuration and private keys is distributed by other means.

Simplifies replacement of failed routers. The user just needs to remove the spare from the closet or have it drop-shipped and plug in the token from the failed router, and it should work. This method assumes that the token contains the configuration and keys.

Helps in securing a VPN connection. The router may have access to the Internet at all times, but it can only use the VPN when the token is present, because the keys on the token are used to set up the tunnel, and the tunnel is torn down when the token is removed.

Hardware

Routers

Cisco 871, 1811, 1812, and 1841 Routers, and Cisco 2800 and 3800 Series


Cisco IOS Packaging

OS USB Token Support: PKI Enhancements is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)

2.1.11) Persistent Self-Signed Certificates

Cisco IOS Software has an HTTPS server that allows access to Web-based management pages using an SSL connection. SSL requires the server to present its certificate to the client during the SSL handshake prior to establishing a secure connection between the server and the client.

If Cisco IOS Software does not have a certificate that the HTTPS server can use, it generates a self-signed certificate by calling the PKI API. This certificate is then presented to the client, which prompts the user to accept it. If the user accepts, the certificate is stored in the browser for future use.

Future SSL handshakes require the same certificate. However, on reload this certificate is lost, so a new one has to be generated and go through the same acceptance sequence. The Persistent Self-Signed Certificate feature overcomes this limitation by saving the certificate in the router's startup configuration, so that the same certificate persists across reloads for HTTPS connections with clients.

Figure 7

Persistent Self-Signed Certificates

Benefits

Ease of use: a persistent self-signed certificate stored in the router's startup configuration eliminates need for manual user intervention to accept a certificate every time the router reloads.

Improved performance: as user intervention is no longer necessary to accept the certificate, the secure connection process is faster.

Better security: having a persistent self-signed certificate stored in the router's startup configuration (NVRAM) lessens the opportunity for an attacker to substitute an unauthorized certificate.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Persistent Self-Signed Certificates is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)

2.1.12) Easy VPN Remote Phase 4.1: Enhancements

Easy VPN Phase 4.1 supports two enhancements for Easy VPN Remote: Support for Reliable Static Routing using Object Tracking and Tunnel Activation on Interesting Traffic on Easy VPN Remote.

Support for Reliable Static Routing using Object Tracking is an existing feature that enables Cisco IOS Software to identify when a Point-to-Point Protocol over Ethernet (PPPoE) or IPsec VPN tunnel goes down and initiate a dial-on-demand routing (DDR) connection to a preconfigured destination from any alternative WAN/LAN port (for example, T1, ISDN, analog, or AUX). This feature delivers a solution for deployments in which a remote router only has a static route to the corporate network. The IP static route tracking feature allows an object to be tracked (by IP address or host name) using ICMP, TCP, or other protocols and installs or removes the static route based on the state of the tracked object. If this feature determines that Internet connectivity is lost, the default route for the primary interface is removed, and the floating static route for the backup interface is enabled.

This new enhancement delivers the capability to establish a secondary Easy VPN connection, if the primary Easy VPN connection fails, by building on Reliable Static Routing using Object Tracking. However, it is based on the dial backup interface only.

Two new Easy VPN Remote CLI configuration options support Reliable Static Routing using Object Tracking: a connection to the backup Easy VPN remote configuration and a connection to the tracking system.

backup <ezvpn-cfg-name> specifies the Easy VPN configuration that will be activated when backup is triggered. track <tracked-object-number> specifies the link to the tracking system so that the Easy VPN state machine can get the notification to trigger backup.

   crypto ipsec client ezvpn <ezvpn-cfg-name>
     backup <ezvpn-cfg-name> track <tracked-object-number>

Easy VPN Remote registers with the tracking system to get notifications of changes in the state of the object. The above command informs the tracking process that Easy VPN Remote is interested in tracking an object, identified by the object number. The tracking process in turn informs Easy VPN Remote when the state of this object changes. This notification prompts Easy VPN Remote to bring up the backup connection when the tracked object state is DOWN. When the tracked object is UP again, the backup connection is torn down, and Easy VPN Remote switches back to using the primary connection. The primary connection is not torn down when the tracked object goes DOWN; however, it may time out or reset eventually on its own. The tracking pings continue to be sent through the primary tunnel; if that tunnel is not up, the pings are dropped. The primary tunnel continues to attempt to reestablish, and once it does, the pings succeed and the tracked object state goes UP again.

Benefits

Allows flexibility to track an object and initiate dial backup.

Tunnel Activation on Interesting Traffic on Easy VPN Remote is a feature that introduces a new method of activating Easy VPN tunnels based on user traffic. Prior to this feature there were two ways to bring up the tunnel: manual entry of the XAuth user/password, and automatic activation of the tunnel with the user/password stored in the configuration file. The new feature will only bring up the tunnel when user traffic needs to use it. It can be used with an idle timer on the tunnel to bring the tunnel up and down only when it is needed for user traffic. This arrangement can reduce the load on the Easy VPN concentrator, because tunnels are only brought up when needed.
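The two Easy VPN Remote enhancements described above, backup triggered by object tracking and activation on interesting traffic, as one added model (not Cisco IOS code). The class and method names are assumptions; the behaviour follows the text: a DOWN notification for the tracked object brings up the backup connection and UP tears it down, the primary connection is never torn down by the tracking event (it may time out on its own), and with activation on interesting traffic the primary tunnel is brought up only when traffic needs it and dropped by an idle timer afterwards.

```python
"""Model of Easy VPN Remote backup tracking and traffic-triggered activation.

Added illustration, not Cisco IOS code; class, method and configuration names
are assumptions chosen for the model.
"""


class EasyVpnRemote:
    def __init__(self, primary, backup, idle_timeout):
        self.primary = primary              # name of the primary ezvpn configuration
        self.backup = backup                # name of the backup ezvpn configuration
        self.idle_timeout = idle_timeout    # seconds without traffic before teardown
        self.primary_up = False
        self.backup_up = False
        self.tracked_state = "UP"
        self.last_primary_traffic = None
        self.events = []

    def on_track_notification(self, state):
        """Called by the tracking process for the registered tracked object."""
        self.tracked_state = state
        if state == "DOWN" and not self.backup_up:
            self.backup_up = True           # primary is left alone; it may time out later
            self.events.append(f"tracked object DOWN: backup {self.backup} up")
        elif state == "UP" and self.backup_up:
            self.backup_up = False          # switch back to the primary connection
            self.events.append(f"tracked object UP: backup {self.backup} torn down")

    def on_interesting_traffic(self, now):
        """Traffic for the tunnel arrives at time now; returns the connection it uses."""
        if self.backup_up:
            return self.backup
        if not self.primary_up:             # activation on interesting traffic
            self.primary_up = True
            self.events.append(f"t={now}: traffic triggered primary {self.primary}")
        self.last_primary_traffic = now
        return self.primary

    def tick(self, now):
        """Idle timer: tear the primary down after idle_timeout seconds without traffic."""
        if (self.primary_up and self.last_primary_traffic is not None
                and now - self.last_primary_traffic >= self.idle_timeout):
            self.primary_up = False
            self.events.append(f"t={now}: idle timer expired, primary {self.primary} down")

    def active_connection(self):
        if self.backup_up:
            return self.backup
        return self.primary if self.primary_up else None
```

Driving the model with traffic at t=0, a DOWN and then an UP notification, and an idle tick at t=100 shows the primary activated by traffic, the backup carrying traffic while the tracked object is DOWN, the primary still up when the object returns, and the primary finally dropped by the idle timer rather than by the tracking event.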

Figure 8

Activation Triggered by Easy VPN Remote Traffic

Benefits

Reduces the load on the Easy VPN concentrator, because tunnels are only brought up when needed.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Easy VPN Remote Phase 4.1: Enhancements is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)

2.1.13) IPsec Preferred Peer

IPsec Preferred Peer allows a user to tag a peer as the default peer in a multiple-set peer configuration. The provisions include setting a peer with default option and setting an IPsec idle timer with default option.

Setting a peer with default option: a new keyword—default—has been added to mark the first peer in a multiple-set peer configuration as the default peer. This peer will then be retried in certain failure cases before a connection to the next peer on the list is attempted. If a failure is detected by dead peer detection (DPD), the default peer will be tried once more before the next peer is tried. If the default peer is unresponsive, failure using retransmits of Internet Key Exchange (IKE) initiation messages will set the new current peer to the next one on the list. Further connections through that crypto map will then try this new current peer.

This feature is useful in a dial backup scenario in which traffic on a physical link stops because of a remote peer failure. DPD will indicate that the remote peer is unavailable, although it will remain the current peer. The dial backup link will come up. Once connectivity through the physical link is restored, the default peer will be tried again. This procedure allows the user to always give preference to certain peers in the event of failover and is useful if the original failure occurred because of a connectivity problem through the network, as opposed to the remote peer itself failing. If the remote peer has indeed failed, retransmits to that peer (this process takes approximately 45 seconds) will force the default peer to be skipped and the next peer on the list to be tried.

Benefits

Allows flexibility to use a primary peer when it is better (for example, closer, less expensive, or provides more bandwidth).

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information

The set peer with default option must be used in conjunction with DPD. It is most effective on a remote site running DPD in periodic mode. DPD will detect the failure of the other device quickly and reset the peer list to try the default peer again on the next attempt.

Only one peer may be designated the default on a crypto map.

The default peer must be the first peer in the list.

Use with the crypto map set peer default feature.

Idle timers with the default keyword are only available on a per-crypto-map basis. This command will not work with the global idle timer command.

If a global idle timer is set, the crypto map idle timer value must be different from the global value; otherwise it will not be added to the crypto map.
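The peer selection rules from the feature description and the configuration constraints listed under Additional Information, as one added model (not Cisco IOS code). The class, method and function names are assumptions, as are the sample peer addresses (RFC 5737 documentation addresses). The model follows the text: the first peer may carry the default keyword; after a DPD-detected failure the default peer is tried again before the next peer; when IKE initiation retransmits to the current peer are exhausted, the current peer moves to the next one in the list and later connections through the crypto map use it.

```python
"""Model of IPsec Preferred Peer selection and of its configuration rules.

Added illustration, not Cisco IOS code; names are assumptions.
"""


class CryptoMapPeers:
    """Peer list of one crypto map with an optional default (first) peer."""

    def __init__(self, peers, default_first=False):
        if not peers:
            raise ValueError("a crypto map needs at least one peer")
        self.peers = list(peers)
        self.default_first = default_first
        self.current = 0                    # index of the current peer

    @property
    def current_peer(self):
        return self.peers[self.current]

    def on_dpd_failure(self):
        """DPD reports the current peer as unreachable.

        With a default peer configured, DPD resets the list so the default
        peer is tried again on the next attempt; otherwise the next peer is used.
        """
        if self.default_first:
            self.current = 0
        else:
            self._advance()
        return self.current_peer

    def on_ike_retransmit_failure(self):
        """IKE initiation retransmits to the current peer exhausted (about 45 s)."""
        self._advance()
        return self.current_peer

    def _advance(self):
        self.current = (self.current + 1) % len(self.peers)


def validate_crypto_map_peers(peers, default_flags, map_idle_timer=None, global_idle_timer=None):
    """Check the constraints listed under Additional Information; return the violations found."""
    if len(peers) != len(default_flags):
        raise ValueError("one default flag per peer expected")
    problems = []
    if sum(1 for flag in default_flags if flag) > 1:
        problems.append("only one peer may be designated the default on a crypto map")
    if any(default_flags) and not default_flags[0]:
        problems.append("the default peer must be the first peer in the list")
    if (map_idle_timer is not None and global_idle_timer is not None
            and map_idle_timer == global_idle_timer):
        problems.append("crypto map idle timer equals the global idle timer; "
                        "it will not be added to the crypto map")
    return problems


def dial_backup_scenario():
    """Walk through the dial backup scenario from the text; returns the peers used, in order."""
    # Constructed sample peers (documentation addresses, not real endpoints).
    cm = CryptoMapPeers(["192.0.2.1", "192.0.2.2"], default_first=True)
    used = [cm.current_peer]                      # default peer in use
    used.append(cm.on_dpd_failure())              # physical link fails: default retried
    used.append(cm.on_ike_retransmit_failure())   # still unresponsive: move to next peer
    used.append(cm.on_dpd_failure())              # link restored, DPD resets to the default
    return used
```

Without the default keyword the same DPD failure simply advances to the next peer, which is the pre-existing behaviour the feature refines; the validator rejects a default peer that is not first, more than one default, and a per-crypto-map idle timer equal to the global one.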

Cisco IOS Packaging

The Cisco IOS IPsec Preferred Peer feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)

2.1.14) IPsec Antireplay Window Expansion and Disable Options

The IPsec antireplay window is a 32-bit sequence counter and a bitmap (or equivalent) used to decide whether an inbound Authentication Header (AH) or Encapsulating Security Payload (ESP) packet is a replay. The Expansion and Disable options supported in this feature give IPsec users two additional options with which to control the antireplay mechanism in IPsec. Users can now choose to expand the antireplay window size or, alternatively, disable antireplay checking completely. The default antireplay window size and the default enabling of antireplay checking for IPsec in Cisco IOS Software are the same as in prior Cisco IOS Software releases.
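The counter-plus-bitmap mechanism described above, as an added illustration (not Cisco IOS code; class and function names are assumptions). The window can be widened, which is what the Expansion option changes, or switched off, which is the Disable option; the example shows that a wider window accepts a legitimately reordered packet that a narrow window would drop, and that with the check disabled a replayed packet is accepted.

```python
"""Sliding-window antireplay check for inbound AH/ESP packets.

Added illustration, not Cisco IOS code; names are assumptions. Models the
32-bit sequence counter plus bitmap of one inbound security association.
"""


class AntiReplayWindow:
    """Antireplay state of one inbound SA: highest sequence seen plus a bitmap."""

    def __init__(self, window_size=64, enabled=True):
        if window_size < 32:
            raise ValueError("window must be at least 32 packets wide")
        self.size = window_size
        self.enabled = enabled
        self.top = 0          # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0       # bit i set  <=>  sequence number (top - i) was already seen

    def check_and_update(self, seq):
        """Return True if the packet may be accepted, False if it is a replay or too old.

        A real implementation checks first and marks the bitmap only after the
        integrity check value verifies; this model marks immediately for brevity.
        """
        if not self.enabled:
            return True                         # replay checking off: everything passes
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False                        # outside the 32-bit counter
        if seq > self.top:                      # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                        # left of the window: too old to judge
        if (self.bitmap >> offset) & 1:
            return False                        # inside the window and already seen: replay
        self.bitmap |= 1 << offset
        return True


def replay_verdicts(sequence_numbers, window_size=64, enabled=True):
    """Run a constructed packet sequence through one SA and return the verdict per packet."""
    window = AntiReplayWindow(window_size, enabled)
    return [window.check_and_update(s) for s in sequence_numbers]
```

For the constructed sequence 1, 2, 3, 2 the repeated packet is rejected with checking enabled and accepted with it disabled; a packet with sequence number 36 arriving after 100 falls outside a 64-packet window but inside a 128-packet one, which is the trade-off the Expansion option exists for when packets are heavily reordered, for example by QoS queuing.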

Figure 9

IPsec Antireplay

Benefits

Allows an IT administrator flexibility to control antireplay window size or disable it.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information

If the antireplay window is disabled, replay attacks become possible.

Cisco IOS Packaging

IPsec Antireplay Window Expansion and Disable Options is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)

2.1.15) IPsec Virtual Tunnel Interface

VPNs are increasingly being recognized as a mainstream solution for secure WAN connectivity. They replace or augment existing private networks using leased lines, Frame Relay, or ATM to connect remote and branch offices and central sites more cost effectively and with increased flexibility. This new status requires that VPN devices deliver higher performance, support for both LAN and WAN interfaces, and high network availability. IPsec virtual tunnel interfaces (VTIs) are a new tool that customers can use to configure IPsec-based VPNs between site-to-site devices. IPsec VTI tunnels provide a designated pathway across the shared WAN and encapsulate traffic with new packet headers, ensuring delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. In addition, IPsec encrypts the traffic it carries and so provides true confidentiality.

With IPsec VTIs delivered by Cisco, enterprises can use cost-effective VPNs and continue to add voice and video to their data networks without compromising quality and reliability.

Cisco IPsec VTIs provide secure connectivity for site-to-site VPNs combined with the Cisco Architecture for Voice, Video and Integrated Data (AVVID) architecture for delivering converged voice, video, and data over IP networks. VPNs deliver cost-effective, flexible wide-area connectivity, while providing a network infrastructure that supports the latest converged network applications such as IP telephony and video.

Figure 10

IPsec Static Virtual Tunnel Interfaces Between Two Sites

Benefits

Simplified management—Customers can use Cisco IOS Software virtual tunnel constructs to configure an IPsec VTI, thus simplifying VPN configuration complexity, which translates into reduced costs as the need for local IT support is minimized. In addition, existing management applications that can monitor interfaces can be used for monitoring purposes.

Support for multicast encryption—Customers can use Cisco IOS Software IPsec VTIs to transfer multicast traffic, control traffic, or data traffic (for example, many voice and video applications) from one site to another securely.

Routable interface—Cisco IOS Software IPsec VTIs can support all types of IP routing protocols. Customers can use these capabilities of VTI to connect larger office environments, such as branch offices, complete with a PBX extension.

Improved scaling—IPsec virtual interfaces need fewer security associations to be established to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.

Flexibility of defining features—An IPsec virtual interface is an encapsulation within its own interface. This arrangement offers flexibility of defining features to run on either the physical or the IPsec interface.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

The Cisco IOS IPsec Virtual Tunnel Interface feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)

2.1.16) Reverse Route Injection

Reverse Route Injection (RRI) is used to create static routes based on remote proxy IDs (subnet/mask) for remote IPsec devices. It is platform independent (except for Cisco Catalyst 6000 Series and Cisco 7600 Series Router) and is dynamic in that it saves the user from statically defining routes. It is remote agnostic as well and works on both dynamic and static crypto maps. Typically in an RRI, routes are injected into the routing process.

RRI enhancements included in this release: Cisco IOS Software can now alter RRI behavior for static LAN-to-LAN (L2L) IPsec tunnels and can retain RRI routes when a crypto ACL is modified. In addition, it is enhanced to retain RRI routes for dynamic customer premises equipment (CPE) and to remove RRI routes when the same crypto map is applied to two different interfaces.

Figure 11

Reverse Route Injection

Benefits

Saves the user from statically defining routes.

Considerations

Cisco IOS Software will not allow RRI in the same crypto map on multiple interfaces.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers



Cisco IOS Packaging

Reverse Route Injection is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)

2.1.17) Easy VPN Remote Web-Based Activation

Easy VPN contains two primary hardware client applications: Teleworker and Branch Office. Teleworker allows user-driven authentication of the client router (for example, interactive XAuth credential entry) with optional authentication of devices behind the client router. Teleworker is also possibly useful for offices in which one person is authorized to activate the office connection. The second application is Branch Office, where a client router connects automatically without user intervention (XAuth credentials saved in configuration file). Optionally, it is possible to authenticate devices behind the client router.

Easy VPN Remote Web-Based Activation makes authentication of the remote router easier by providing a Web-based interface in which to enter the XAuth username and password.

Figure 12

Easy VPN Remote Web-Based Activation

Benefits

Small office or home office (SOHO) users benefit greatly by using a Web-based interface to activate Easy VPN Remote.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers



Cisco IOS Packaging

Easy VPN Remote Web-Based Activation is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)

2.1.18) WebVPN

WebVPN is an SSL-based VPN solution that provides clientless remote access by using a Web browser as the remote user's VPN client. Because most personal computers already have a Web browser installed, no further application installation is required to securely access network resources. This feature can augment the existing IPsec remote access (Easy VPN) functionality or, in environments with relatively simple remote access requirements, WebVPN may offer sufficient functionality to address all remote access demands. Cisco IOS Software WebVPN makes it easy to deploy remote access to internal applications on a single integrated network device.

The first release of WebVPN in Cisco IOS Software supports two functional modes:

The first mode (clientless) provides secure access to private Web resources and will provide access to Web content. This mode is useful for accessing most content that you would expect to use within a Web browser, such as Web browsing, databases, or online tools that employ a Web interface.

The second functional mode (thin client) extends the capability of the cryptographic functions of the Web browser to enable remote access for email applications using POP3, SMTP, and IMAP.

Benefits

Uses a standard Web browser to access the corporate network and does not require a client to be installed on the client machine.

SSL encryption native to the browser provides transport security.

Has granular access control.

Additional client and server applications are accessed using a Java applet.

Allows access from noncorporate machines such as airport kiosks.

Allows easy firewall and network traversal from any location.

Allows transparent wireless roaming.

Integrated Cisco IOS Firewall provides enhanced security.

Hardware

Routers

Cisco 1800, 2800, 3700, 3800, and 7200 Series; Cisco 7301 Router


Considerations

If WebVPN needs to be enabled on the router that is running HTTP Secure Server, the administrator must configure an IP address for WebVPN using the gateway-addr keyword option of the webvpn enable command.

The browsing of URLs that are referred by Macromedia Flash is not modified for secure retrieval by the WebVPN gateway.

This feature in Cisco IOS Software Release 12.3(14)T supports SSL Version 3. Transport Layer Security (TLS) is not supported.

Thin client used for TCP port-forwarding applications requires administrative privileges on the computer of the end user.

Cisco IOS Packaging

WebVPN is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gary Sockrider (ask-stg-ios-pm@cisco.com)

2.1.19) Cisco Router and Security Device Manager 2.1

Cisco Router and Security Device Manager (SDM) 2.1 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.

Benefits

New hardware support

Cisco Small Business 100 Series

Cisco VPN Acceleration Module 2+ (VAM2+)

High-speed WAN interface card 4T (HWIC-4T), HWIC-4A/S, HWIC-8A/S, HWIC-8A, and HWIC-16A

Provides ability to recognize, configure, and monitor the new hardware

Localized in six languages

Cisco SDM user interface and online help translated into Japanese, simplified Chinese, French, German, Spanish, and Italian (available in May 2005)

Microsoft Windows OS support for these languages (available now)

Simplifies router management for native language users

Cisco SDM Express

Wizard-based deployment of router

Offers quick and easy router deployment for basic WAN access configurations

Ideal router deployment tool for nonexpert users

PC-based SDM

Cisco SDM installed on Windows-based PC instead of router flash memory

No extra flash memory space required on router for SDM

Great tool to manage the installed base of Cisco routers

PPP over ATM (PPPoA)

Offers quick and easy deployment of xDSL router interfaces for PPPoA configurations

Three new Intrusion Prevention Systems (IPS) engines

STRING.TCP, STRING.UDP, STRING.ICMP

Allows deployment of 500+ additional IPS signatures through SDM

Dial-backup improvements

Support for dial-back for dynamically addressed primary WAN interface

Offers several fixes to make the configuration process more user friendly

Hardware

Routers

Cisco 830, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200VXR, and 7301 Series Routers


Cisco IOS Packaging

Router and Security Device Manager 2.1 is positioned in the Advanced Security packages across Cisco routers (Figure 3).

Product Management Contacts: ask-stg-ios-pm@cisco.com, sdm-feedback@cisco.com

2.2) Cisco IOS Software Infrastructure

2.2.1) Cisco IOS Embedded Event Manager 2.1

Cisco IOS Embedded Event Manager (EEM) has been enhanced significantly since it first became available in Cisco IOS Software Release 12.3(4)T. EEM now allows user-programmable actions based on Tool Command Language (TCL).

EEM marks a shift in network management systems design. Cisco has committed to increasing the level of management intelligence and self-awareness within Cisco IOS Software. EEM provides the infrastructure for detection of specific events and the ability to take local action based on those events.

Local actions, called EEM policies, can be defined using simple CLI commands, or more complex or custom actions can be specified using TCL. The TCL interpreter with TCL extensions embedded within Cisco IOS Software provides full access to the CLI, so the type of actions is limited only by the imagination.

Figure 13

Embedded Event Manager 2.1 Architecture

Benefits

Onboard event detection.

Extensive set of event detectors.

User-programmable automatic actions triggered by specific events.

EEM policy definition using TCL.

Hardware

Routers

Cisco 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contacts: Rohit Shrivastava (roshriva@cisco.com), Rick Williams (rwill@cisco.com)

2.2.2) Embedded Resource Manager

Continuing the commitment to add more embedded intelligence within network devices, Embedded Resource Manager (ERM) lays the groundwork for even more internal monitoring and reporting capabilities.

ERM provides internal mechanisms for monitoring internal Cisco IOS Software tasks and shared resource consumption.

Figure 14

ERM Architecture

Benefits

Allows dynamic monitoring of internal resource utilization.

Provides ability to take actions to improve the performance and availability of the device.

Yields information to allow better understanding of scalability requirements in terms of resource consumption.

Delivers infrastructure for future development and delivery of autonomic functions.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Cisco IOS Embedded Resource Manager is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Valliappan (svalliap@cisco.com)

2.3) Routing

2.3.1) Enhanced Interior Gateway Routing Protocol Prefix Limit Support

Enhanced Interior Gateway Routing Protocol (EIGRP) allows the network administrator to limit the number of prefixes learned by EIGRP. This feature provides a means to limit the shared resources (memory and CPU) consumed by the EIGRP process.

Additional CLI configuration options are added to support this feature.

Benefits

Provides optional facility to force an upper bound on the number of prefixes learned by the EIGRP routing process.

Is useful for preventing unwanted oversubscription of shared resources.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.3.2) Enhanced IGRP Simple Network Management Protocol Support

This feature provides SNMP MIB support for SNMP GET and SNMP TRAPS for EIGRP and provides an infrastructure interface for network management.

Benefits

Provides the ability to monitor EIGRP from a remote management system.

Provides notification on EIGRP events.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

EIGRP SNMP Support is positioned in the Enterprise Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.3.3) Open Shortest Path First Sham-Link MIB Support

In some MPLS VPN networks, an OSPF sham link is used to interconnect two VPN sites that share the same OSPF area.

This arrangement presents some difficulty for network management. Prior to this feature, no SNMP MIB objects provided useful information about OSPF sham links.

This feature enhances the specific Cisco MIB (CISCO-OSPF-MIB.my) to allow for monitoring of OSPF sham links. The enhancement allows for:

Status queries

Notification of error

Notification of state change

Statistical information on retransmissions

Benefits

Provides a means to manage OSPF sham links.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

The implementation is RFC 1850 compliant and based on an OSPFv2 MIB IETF draft. See IETF draft draft-rosen-vpns-ospf-bgp-mpls-05.txt.

Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.3.4) Border Gateway Protocol Support for Fast Peering Session Deactivation

Border Gateway Protocol (BGP) Support for Fast Peering Session Deactivation accelerates the speed at which the BGP subsystem releases a peering session. The BGP subsystem deactivates the peering session immediately upon indication that the peer is gone, eliminating an internal wait timer. This feature optimizes the software so that multiple failure detection mechanisms are linked to trigger session deactivation.

Benefits

Improves routing protocol reconvergence.

Speeds BGP session deactivation in the event of a dead neighbor.

Provides support for faster session deactivation when peers go away.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

BGP Support for Fast Peering Session Deactivation is positioned in the Advanced Security and SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Pepe Garcia (pepe@cisco.com)

2.3.5) Border Gateway Protocol Support for IP Prefix Import from Global Table into Virtual Routing and Forwarding Table

This feature allows customers to specify which specific prefixes from the global routing table are to be imported into a VPN routing and forwarding table.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

BGP Support for IP Prefix Import From Global Table Into a VRF Table is positioned in the Advanced Security and SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Pepe Garcia (pepe@cisco.com)

2.3.6) Border Gateway Protocol Support for Next-Hop Address Tracking

Border Gateway Protocol (BGP) Next-Hop Address Tracking provides a mechanism for routes learned using BGP to converge more quickly on a new path when triggered by a change to a monitored BGP next-hop address.

An address-tracking filter mechanism is used to filter notifications to the routing information base. This mechanism allows for new path selection to begin as soon as the notification regarding the change in reachability state of the next hop occurs. The results are much faster convergence of traffic to a new path and less impact to traffic flows.

All of these facts mean faster reconvergence, leading to improved perception of reliability for users.

Figure 15

Next-Hop Tracking Speeds Reconvergence

Next-Hop Tracking will trigger the BGP scanner at PE-1 to run immediately on Interior Gateway Protocol (IGP) convergence, so the route through PE-3 will handle traffic upon failure to PE-2.

Benefits

Provides faster routing protocol reconvergence.

Avoids delays for traffic to get to destination.

Reduces service impact.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Pepe Garcia (pepe@cisco.com)

2.3.7) Routemap Display Extension

Routemap Display Extension enhances the display of dynamic routemaps to include detailed information about the ACLs used in the match clauses.

Benefits

Makes more details available using CLI show command.

Simplifies troubleshooting and checking of configuration.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Routemap Display Extension is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.3.8) Optimized Edge Routing Support for Cost-Based Optimization and Traceroute Reporting

Optimized Edge Routing (OER) provides automatic outbound route optimization for multihomed enterprises by establishing criteria for the optimal exit point for traffic destined for other networks. OER enables link selection according to performance, cost, and load distribution policy.

This enhancement provides outbound traffic optimization based on financial link cost. The idea is to minimize the cost associated with service through efficient and effective traffic routing. This is called cost minimization.

The configuration for cost minimization supports fixed-cost Service Level Agreements (SLAs) and tier-based-with-bursting cost SLAs. SLAs encompass the billing criteria that are established with each ISP. Although the specific details of "tier-based-with-bursting" billing models will vary by ISP, most ISPs will use some variation of the following algorithm to calculate what an enterprise should pay in a tiered billing plan:

1. Gather periodic measurements of egress and ingress traffic carried on the enterprise's connection to the ISP's network and aggregate the measurements to generate a rollup value for a rollup period.

2. Generate one or more rollup values per billing period.

3. Rank the rollup values for the billing period from the largest value to the smallest.

4. Discard the top 5 percent of the rollup values to accommodate bursting.

5. Apply the highest remaining rollup value to a tiered structure to determine a tier associated with the rollup value.

6. Charge the customer based on a set cost associated with the determined tier.

Cisco OER seeks to minimize the overall service cost by distributing traffic in the most cost-efficient way (or as configured). By deploying the Cisco OER bandwidth cost minimization functionality, customers can instruct Cisco OER to select the exit links that provide the most cost-effective bandwidth utilization, while still maintaining the desired performance characteristics.
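The six-step tiered billing algorithm above, and the exit selection that the last paragraph describes, as an added illustration (not Cisco OER code). The function names are assumptions, and so is the rollup aggregation (the average of the samples in each rollup period) and the shape of the tier table; the text notes that details vary by ISP. The sample rollup values and tier tables are constructed.

```python
"""Tier-based-with-bursting billing and cost-minimizing exit selection.

Added illustration, not Cisco OER code; function names, the averaging rollup
and the tier table shape are assumptions. Sample data below is constructed.
"""


def rollup_values(samples, period):
    """Steps 1-2: aggregate periodic measurements into one rollup value per rollup period."""
    if period <= 0:
        raise ValueError("rollup period must be positive")
    return [sum(samples[i:i + period]) / period for i in range(0, len(samples), period)]


def billable_value(rollups, burst_discard=0.05):
    """Steps 3-4: rank the rollup values, discard the top 5 percent, return the highest remaining."""
    if not rollups:
        raise ValueError("no rollup values for the billing period")
    ranked = sorted(rollups, reverse=True)
    discard = int(len(ranked) * burst_discard)
    return ranked[discard]


def tier_charge(value, tiers):
    """Steps 5-6: map a value onto a tier table [(upper_limit, charge), ...]."""
    for limit, charge in sorted(tiers):
        if value <= limit:
            return charge
    raise ValueError(f"{value} exceeds the highest tier in the SLA")


def billing_period_cost(rollups, tiers, burst_discard=0.05):
    """Charge for one billing period under a tier-based-with-bursting SLA."""
    return tier_charge(billable_value(rollups, burst_discard), tiers)


def choose_exit(exits, extra_load):
    """Pick the exit with the lowest projected bill if extra_load is added to each rollup value.

    exits maps an exit name to (rollup values so far, tier table); returns (name, projected cost).
    """
    best = None
    for name, (rollups, tiers) in exits.items():
        projected = [r + extra_load for r in rollups]
        cost = billing_period_cost(projected, tiers)
        if best is None or cost < best[1]:
            best = (name, cost)
    return best


# Constructed sample data: 20 rollup values per exit (Mbps), one burst on ISP A.
ISP_A = ([10] * 19 + [100], [(20, 500), (50, 900), (200, 2000)])
ISP_B = ([40] * 20, [(60, 700), (200, 1500)])
SAMPLE_EXITS = {"isp-a": ISP_A, "isp-b": ISP_B}
```

On the sample data the single burst on ISP A is discarded, so its period bills at the lowest tier (500) rather than the highest (2000); adding 5 Mbps of traffic keeps ISP A cheapest, while adding 15 Mbps would push it into the next tier and the selection moves to ISP B, which is the kind of decision the cost minimization policy makes for each prefix.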

This release also adds support for traceroute reporting. The feature allows the network administrator to form a clearer picture of the amount of delay introduced by different segments in the path. If an unexpected round-trip delay value for a prefix on a particular exit is observed, the delay can be quantified on a per-hop basis.

Benefits

Allows companies to minimize traffic sent over expensive links or consolidate multiple flat-rate connections to fewer and lower cost connection services.

Provides statistics on traffic distribution and usage before and after route optimization.

Helps enterprise customers manage ISP costs more effectively.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

OER Support for Cost-Based Optimization and Traceroute Reporting is positioned in the Advanced Security, SP Services, and Enterprise Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Paul Kohler (pkohler@cisco.com)

2.3.9) Policy-Based Routing: Recursive Next Hop

Policy-Based Routing (PBR): Recursive Next Hop provides the ability to set a next hop that is not directly connected, enabling load balancing when PBR is used.

With this feature enabled, the routing table will be examined recursively to find the directly connected next hop when PBR is used to set an indirect next hop.

The following new configuration command is introduced:

set ip next-hop recursive

This command may be used to set a directly connected next hop or subnet as well as an indirect next hop or subnet.
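A model of the recursive lookup described above, added as an example rather than Cisco IOS code. The routing table, interface names and addresses are constructed. The contrast between the two command forms (the plain form honouring only a directly connected next hop, the recursive form resolving an indirect one) and the per-flow hash used to spread traffic over the resolved adjacencies are assumptions of this model, not details from the page.

```python
import ipaddress
import zlib


class RouteTable:
    """Minimal routing table. Each entry is (prefix, outgoing interface, next hop);
    a next hop of None marks a directly connected prefix. Constructed for this
    example; it is not the Cisco IOS RIB."""

    def __init__(self):
        self._routes = []

    def add(self, prefix, interface, next_hop=None):
        net = ipaddress.ip_network(prefix)
        nh = ipaddress.ip_address(next_hop) if next_hop is not None else None
        self._routes.append((net, interface, nh))

    def longest_match(self, addr):
        """All entries (several, when there are equal-cost paths) of the most
        specific prefix covering addr."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, _, _ in self._routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        if best is None:
            return []
        return [(iface, nh) for net, iface, nh in self._routes if net == best]

    def resolve_next_hop(self, next_hop, _seen=frozenset()):
        """Recursive resolution: follow the table until every path ends on a
        directly connected prefix. Returns [(interface, adjacency address)].
        A next hop whose route loops back on itself is rejected, not followed."""
        addr = ipaddress.ip_address(next_hop)
        if addr in _seen:
            raise ValueError(f"next-hop recursion loops at {addr}")
        seen = _seen | {addr}
        entries = self.longest_match(addr)
        if not entries:
            raise LookupError(f"next hop {addr} is not in the routing table")
        adjacencies = []
        for iface, nh in entries:
            if nh is None:
                adjacencies.append((iface, addr))  # on-link: addr itself is the adjacency
            else:
                adjacencies.extend(self.resolve_next_hop(nh, seen))
        return adjacencies


def pbr_next_hop(table, next_hop, recursive):
    """Model (an assumption of this example) of the two command forms: the plain
    form honours the next hop only if it is on a directly connected prefix,
    otherwise the policy does not apply and the packet takes the normal routed
    path (empty list); the recursive form resolves an indirect next hop."""
    addr = ipaddress.ip_address(next_hop)
    connected = [(iface, addr) for iface, nh in table.longest_match(addr) if nh is None]
    if connected:
        return connected
    if not recursive:
        return []
    return table.resolve_next_hop(addr)


def pick_path(adjacencies, src, dst):
    """Per-flow load balancing over the resolved adjacencies: a deterministic
    hash of the source/destination pair keeps one flow on one path."""
    key = f"{src}->{dst}".encode()
    return adjacencies[zlib.crc32(key) % len(adjacencies)]


def sample_table():
    """Constructed table: the PBR next hop 10.10.10.1 is reachable over two
    equal-cost paths, each ending on a different connected interface."""
    t = RouteTable()
    t.add("192.168.1.0/24", "GigabitEthernet0/0")
    t.add("192.168.2.0/24", "GigabitEthernet0/1")
    t.add("10.10.10.0/24", "GigabitEthernet0/0", "192.168.1.2")
    t.add("10.10.10.0/24", "GigabitEthernet0/1", "192.168.2.2")
    return t


if __name__ == "__main__":
    table = sample_table()
    print("plain form:    ", pbr_next_hop(table, "10.10.10.1", recursive=False))
    paths = pbr_next_hop(table, "10.10.10.1", recursive=True)
    print("recursive form:", paths)
    for src in ("172.16.0.10", "172.16.0.11", "172.16.0.12"):
        print(src, "->", pick_path(paths, src, "10.10.10.1"))
```

The loop check matters operationally: a policy next hop that resolves through a route which in turn points back at the policy's prefix would otherwise recurse without end, so the resolver tracks the addresses already visited on the current path and rejects the second visit.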

Figure 16

Using Recursive Next Hop for Load Balancing

Benefits

Allows use of Cisco Express Forwarding load balancing when PBR is configured.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Policy-Based Routing: Recursive Next Hop is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.3.10) Internet Group Management Protocol Version 3 Host Stack

Internet Group Management Protocol (IGMP) Version 3 Host Stack support enables the router or switch to behave as a multicast network endpoint or host. The support for IGMPv3 also allows other Cisco IOS Software subsystems to take advantage of the infrastructure to use Source Specific Multicast (SSM) for broadcast functions.

One reason to use this feature is the rapid deployment of voice applications and gateway functionality within Cisco IOS Software. Cisco devices that provide voice services may join a multicast channel for music on hold and convert and distribute that stream to analog or ISDN interfaces.

Benefits

Provides infrastructure needed to support voice applications, specifically Multicast Music on Hold (MMoH).

Aids troubleshooting for problems related to multicast.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IGMPv3 Host Stack is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.3.11) Per Interface mroute State Limit

The Per Interface mroute State Limit feature will limit the number of mroute states on a per-interface basis. This limitation is beneficial for access routers or Layer 3 switches, particularly for deployments of advanced Ethernet services or Ethernet to the home, curb, pedestal, business, multiple tenant dwelling unit, and so on.

Prior to this feature, Cisco IOS Software supported an ability to limit mroute states on a per-VRF basis using ip multicast [vrf <name>] route-limit. This feature extends that capability to allow specification on an interface basis.

Benefits

Extends the benefits of Ethernet as a last-mile technology.

Offers more granular DoS attack prevention.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Per Interface mroute State Limit is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.3.12) Integrated Routing and Bridging Support on MGX-RPM-XF-512

Integrated routing and bridging (IRB) is a bridging mechanism that allows integration of traditional systems with your IP network. IRB is useful when you need to connect bridged networks with Layer 3 routed networks.

IRB has existed in Cisco IOS Software since Release 11.2, and is available on a wide variety of Cisco products. This feature adds support for the Cisco MGX® Route Processor Module.

Benefits

Increases the deployment options for the Cisco MGX Route Processor Module.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IRB Support on Cisco MGX Route Processor Module is positioned in the Enterprise Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Christopher Kolstad (ckolstad@cisco.com)

2.4) Management and Provisioning

2.4.1) Multicast VPN MIB

Multicast VPN MIB provides enhancements and support for SNMP Multicast VPN MIB.

Benefits

Improves management for Multicast VPN deployments.

Provides interfaces to Cisco AutoSecure.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.4.2) Exclusive Configuration Change Access

The Cisco IOS Software CLI has offered a familiar and effective interface for configuration and troubleshooting for many years. With the increased importance and proliferation of network connections and equipment, management and maintenance activities have grown. Some organizations have segmented their network engineering and operations teams, with multiple groups or systems now requiring access to the CLI.

The feature introduces a configuration session locking mechanism. It allows a user to have exclusive access to the Cisco IOS Software configuration mode, preventing any other user from changing the system configuration for the duration of the lock.

Benefits

Ensures consistent and error-free configuration changes by preventing conflicts.

Prevents conflicts between programmatic interfaces and back-end systems.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Mark Basinski (mbasinsk@cisco.com)

2.4.3) Selective Enabling of Applications Using HTTP Server

Cisco IOS Software incorporates an internal HTTP server that permits easy configuration using a browser interface. A number of Cisco IOS Software subsystems and features use the included server. Until now, however, each feature could not be individually controlled with respect to the HTTP server interface. With this feature, a user can enable one particular subsystem for Web-based configuration and control but not another.

The feature enables selective enabling of Cisco IOS Software applications or subsystems that use the internal HTTP server in Cisco IOS Software.

Benefits

Provides more secure environment for configuration and control of network devices.

Enables specific control over applications that use the internal HTTP server in Cisco IOS Software.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Mark Basinski (mbasinsk@cisco.com)

2.4.4) Bandwidth Estimation Using Corvil Bandwidth Technology

Allocating adequate bandwidth is crucial to ensuring the network performance required for applications. However, allocating too much bandwidth can be costly. Bandwidth Estimation in Cisco IOS Software, using Corvil Bandwidth technology, allows network managers to determine the correct bandwidth requirements to achieve user-specified Quality of Service (QoS) targets for networked applications.

Corvil Bandwidth can determine the minimum bandwidth required to meet a customer-specified QoS target with statistical reliability. From a network manager's perspective, an application's QoS requirements are characterized with respect to its sensitivity to packet loss and delay. Corvil Bandwidth gives the network manager a way to specify limits for delay and packet loss and to get a close estimate of the minimum bandwidth essential to achieve desired application performance.

Figure 17

Corvil Bandwidth

Benefits

Users can set service-level objectives for the desired performance of networked applications.

Network managers can eliminate operational overhead and guesswork in bandwidth provisioning and QoS configuration.

Potentially significant bandwidth cost savings while meeting QoS requirements are possible.

Increased capability and flexibility to offer bandwidth-on-demand types of services are possible.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3700, 3800, 7200, and 7301 Series Routers


Cisco IOS Packaging

Bandwidth Estimation Using Corvil Bandwidth Technology is positioned in the SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tim McSweeney (timcswee@cisco.com)

2.4.5) IP Service Level Agreements Voice over IP Call Setup (Postdial Delay) Monitoring

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

This feature enhances Cisco IOS IP SLAs further by including a capability to monitor the call setup delay for VoIP calls. With this feature, Cisco IOS SLAs measure the call setup time using the H.323/Session Initiation Protocol (SIP) over an IP network.

The Jitter operation in IP SLAs offers the ability to configure various codec types and provides the corresponding Impairment/Calculated Impairment Planning Factor (ICPIF) and mean opinion scores (MOSs). This capability is widely used to monitor VoIP performance. This enhancement focuses on measuring call setup time. It provides the capability to send an H.323 or SIP call setup message and to measure the time to ringing, busy, or connect. The setup time typically measured is from the time the setup/INVITE message is sent to the time the alert/ringing message is received.

Figure 18

Cisco IOS IP SLAs VoIP Call Setup (Postdial Delay) Monitoring

Benefits

Measures call setup delay for VoIP calls.

Extends the functionality provided by IP SLAs.

Adds to the already strong VoIP-monitoring capabilities.

Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

Monitors SLAs.

Monitors network performance.

Provides IP service network health readiness or assessment.

Monitors edge-to-edge network availability.

Monitors business-critical applications performance.

Troubleshoots network operation.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Cisco IOS IP SLAs VoIP Call Setup (Postdial Delay) Monitoring is positioned in the IP Voice packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tom Zingale (tomz@cisco.com)

2.4.6) IP Service Level Agreements—Voice over IP Gatekeeper Delay Monitoring

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

With Voice over IP (VoIP) deployments accelerating, even more requirements are being placed on the operations staff to ensure that service meets or exceeds the required levels. A converged network with VoIP Gatekeeper functionality adds another aspect to performance monitoring.

This feature adds a VoIP Gatekeeper (GK) registration delay monitoring operation to the IP SLAs feature set. This operation measures the "lightweight registration time" from an H.323 Gateway (GW) to the GK. The lightweight registration time is the time from the sending of a registration request (RRQ) to the time a registration confirmation (RCF) is received by the GW.

Figure 19

IP SLAs VoIP Gatekeeper Delay Monitoring

Benefits

Adds to the already strong VoIP-monitoring capabilities.

Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

Monitors SLAs.

Monitors network performance.

Provides IP service network health readiness assessment.

Monitors edge-to-edge network availability.

Monitors business-critical applications performance.

Troubleshoots network operations.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Cisco IOS IP SLAs VoIP Gatekeeper Delay Monitoring is positioned in the IP Voice packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tom Zingale (tomz@cisco.com)

2.4.7) IP Service Level Agreements CLI Introduction

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

IP SLAs build on earlier Cisco IOS Software service assurance functionality and add recent enhancements. The new CLI is being implemented to ease the deployment of service monitoring; it simplifies the configuration of IP SLA measurements and enhances the command-line views of service-level measurement data.

The transition to the new configuration command set is made easy because support for the previous configuration commands is included. In future releases the command structure will be simplified more based on customer input.

Other new commands are also included with this Cisco IOS Software release.

Benefits

Ease-of-use improvements.

Improved show commands with more detailed and useful information.

Performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

SLA monitoring.

Network performance monitoring.

IP service network health readiness assessment.

Edge-to-edge network availability monitoring.

Business-critical applications performance monitoring.

Network operation troubleshooting.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Because some display commands are changed, automated scripts that parse output of the commands may need to be modified. Consult the documentation for details.

Cisco IOS Packaging

Cisco IOS IP SLAs CLI Introduction is positioned in the IP Voice, Advanced Security, and Enterprise Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tom Zingale (tomz@cisco.com)

2.4.8) IP Service Level Agreement Sub-Millisecond Accuracy Improvements

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS Software IP Service Level Agreements are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as VoIP, audio and video, VPN, and other business-critical applications. Cisco IOS Software IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS Software IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

This feature adds granular and highly accurate measurements to the robust set of functions included in Cisco IOS Software IP SLAs. The functions within IP SLAs measure various performance parameters such as round-trip time, one-way latency, jitter (interpacket delay variance), packet loss, and so on.

Improvements such as increased link speeds and the deployment of higher-performing routers and switches have reduced latency, increased capacity, and enormously expanded the throughput of today's high-speed networks. Accordingly, the accuracy of the measurements provided by IP SLAs is being improved to match.

Improvements have been made in two primary areas:

The accuracy of measurements is improved from one millisecond to one-tenth of a millisecond.

More efficient time stamping also results in greater accuracy of measurements.

Benefits

Provides very accurate performance data.

Offers more granular and accurate results to reflect the characteristics of networks being deployed now and into the future.

Allows more efficient use of internal resources for enhanced performance.

Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

Monitors SLAs.

Monitors network performance.

Provides IP service network health readiness assessment.

Monitors edge-to-edge network availability.

Monitors business-critical applications performance.

Troubleshoots network operation.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IP SLAs Sub-millisecond Accuracy Improvements is positioned in the IP Voice packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Considerations

In order to utilize the accuracy enhancements, the source and destination endpoints of the measurements must have Cisco IOS Software Release 12.3(14)T.

Product Management Contact: Tom Zingale (tomz@cisco.com)

2.5) IP Services

2.5.1) Network Address Translation Virtual Interface

Cisco IOS Software provides a NAT subsystem with extensive support for protocols that embed IP addresses within the payload using Application Layer Gateway (ALG) functions. Cisco IOS NAT was extended to support VPN VRF tables in Cisco IOS Software Release 12.2(15)T. This support allowed NAT to be centrally deployed and provided a solution for interconnection between communities with overlapping addresses in different VRFs. However, prior to the introduction of this feature, NAT could not be performed on traffic flowing between two interfaces, both marked as inside interfaces within a single device.

The feature offers an alternative way to configure NAT and permits packets between different VRFs to undergo NAT, while traffic from each VRF to common services can also be processed.

Benefits

More deployment options available for service providers offering MPLS-based services.

Reduced complexity for configurations where NAT is required.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

NAT Virtual Interface is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.5.2) Network Address Translation Routemaps Outside-to-Inside Support

Cisco IOS NAT allows for the configuration of routemaps to establish traffic eligible for translation. Certain environments and network designs will benefit from the ability to interrogate defined routemaps for traffic flowing from the NAT outside interface toward the NAT inside interface.

This feature provides for interrogation and use of defined routemaps for traffic flowing from outside to inside.

Prior to this feature, Cisco IOS NAT did not permit traffic from outside destined to a global address associated with a dynamic entry based on a routemap. With this support, customers can use routemaps to allocate global addresses and permit return traffic to use these global addresses. Return traffic is verified to match the defined routemap in the reverse direction.

Figure 20

NAT Routemap Outside-to-Inside Support

In Figure 20, suppose A and B want to converse. When each registered with the directory server, a routemap was used to allocate the global IP address. With this feature, A is allowed to connect to B directly through R2 (as long as its traffic matches the routemap), even though B's global IP address was established using a routemap. Other traffic from other devices that does not match the routemap is dropped.

Benefits

Provides more flexibility in allocation of global addresses.

Allows for service-based address allocation and selective address translation.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

NAT Routemap Outside-to-Inside Support is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.5.3) Dynamic Host Configuration Protocol Intelligent Services Gateway Enhancements

To make it possible for ISPs (or address providers) to provide service to customers using one network infrastructure, Cisco IOS Software features are closely integrated. These enhancements extend the feature integration between Cisco IOS Software DHCP services and other features.

More specifically, this work enables a router, under control of the administrator, to specify which address provider, or address pool, should be used to provide various end stations and customers with an IP address.

This infrastructure will enable other services in future releases.

Benefits

Extends integration of Cisco IOS Software features to meet customer requirements.

Enables more flexible deployment and control over IP address assignments.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

DHCP Intelligent Services Gateway Enhancements is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.5.4) Dynamic Host Configuration Protocol Relay Subscriber Identifier Suboption

The DHCP Relay function in Cisco IOS Software provides support for forwarding DHCP requests to designated DHCP servers.

This feature allows configuration of a character string on an interface or subinterface basis and can be used to uniquely identify a subscriber or user. When the DHCP Relay Information option is enabled, this configured string is added in the subscriber-identifier suboption of the Relay Information option in all the DHCP requests that are forwarded on to the specified DHCP servers.
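An encoder and parser for the option this feature populates, added as an example and not Cisco code. The option and suboption codes come from RFC 3046 (Relay Agent Information option 82, with the circuit-id and remote-id suboptions) and RFC 3993 (the Subscriber-ID suboption), which the page does not cite; the interface and subscriber strings are constructed.

```python
"""DHCP Relay Agent Information option (option 82) carrying a subscriber
identifier. Added example, not Cisco code. Codes: RFC 3046 (option 82,
circuit-id 1, remote-id 2) and RFC 3993 (subscriber-id 6)."""
OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
SUBOPT_SUBSCRIBER_ID = 6


def build_relay_info(circuit_id, remote_id=None, subscriber_id=None):
    """Relay side: build the option 82 TLV that the relay appends to a client
    request before forwarding it. Each suboption is code, length, value."""
    subopts = [(SUBOPT_CIRCUIT_ID, circuit_id)]
    if remote_id is not None:
        subopts.append((SUBOPT_REMOTE_ID, remote_id))
    if subscriber_id is not None:
        subopts.append((SUBOPT_SUBSCRIBER_ID, subscriber_id.encode("ascii")))
    body = bytearray()
    for code, value in subopts:
        if not 1 <= len(value) <= 255:
            raise ValueError(f"suboption {code}: length {len(value)} out of range")
        body += bytes((code, len(value))) + value
    if len(body) > 255:
        raise ValueError("option 82 body exceeds 255 bytes")
    return bytes((OPTION_RELAY_AGENT_INFO, len(body))) + bytes(body)


def parse_relay_info(option):
    """Server side: decode option 82 into {suboption_code: value}. Every length
    field is checked against the bytes actually present, so a truncated or
    malformed option is rejected instead of being read past its end."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    length = option[1]
    body = option[2:2 + length]
    if len(body) != length:
        raise ValueError("option 82 truncated")
    subopts = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("suboption header truncated")
        code, sub_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError(f"suboption {code} truncated")
        if code in subopts:
            raise ValueError(f"duplicate suboption {code}")
        subopts[code] = value
        pos += 2 + sub_len
    return subopts


def subscriber_from_request(option):
    """What a DHCP server keys a per-subscriber pool or lease policy on: the
    subscriber-id string, or None when the relay did not add one."""
    value = parse_relay_info(option).get(SUBOPT_SUBSCRIBER_ID)
    return value.decode("ascii") if value is not None else None


if __name__ == "__main__":
    # Constructed values: a subinterface as circuit-id and a per-customer string.
    opt = build_relay_info(b"Gi0/1.100", subscriber_id="cust-0042")
    print(opt.hex())
    print(parse_relay_info(opt))
    print(subscriber_from_request(opt))
```

The subscriber identifier is only as trustworthy as the path between the relay and the server: it is inserted by the relay, not the client, so a server that keys address assignment on it should accept option 82 only from the relays it expects.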

Benefits

Allows more flexibility and granular control over the way IP address assignments are made.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

DHCP Relay Subscriber Identifier Suboption is positioned in the Advanced Enterprise Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.5.5) Virtual Router Redundancy Protocol Message Digest Algorithm 5 Authentication

Hot Standby Router Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP) allow for Message Digest Algorithm 5 (MD5) authentication for passwords exchanged between first-hop redundancy group members. This feature brings this same security feature to Virtual Router Redundancy Protocol (VRRP) as well.

Benefits

Encrypts, using an MD5 hash, the password sent over the wire between VRRP group members.

Provides the same level of security as HSRP and GLBP for users that demand an IETF standard protocol for first-hop redundancy.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Support for MD5 authentication is specific to Cisco and not part of the VRRP standard. It is probably not interoperable with equipment from other vendors.

Cisco IOS Packaging

VRRP MD5 Authentication is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.5.6) Extended Prepaid Tariff Switch with Service Selection Gateway

At present, without this new enhancement, service providers can request a tariff rate change in midsession in Service Selection Gateway (SSG) prepaid billing mode. One example of switching the tariff rate is a provider that charges at a higher rate during business hours and switches to a lower rate after business hours. In another example, a provider switches between a volume basis and a time basis, or the reverse, in which case the tariff model is changed midsession. Both of these tariff switch modes are supported today in SSG. Such changes, however, require billing servers to provide SSG with two quotas and the time for the tariff switch. The first quota applies to the tariff rate before the switch, and the second quota applies to the postswitch rate. SSG applies the quotas and tariff rates accordingly, based on the switch time.

With this new extension to prepaid tariff switching functionality, prepaid billing servers can choose to provide only one quota instead of two. SSG will use the same quota and report back how much of the quota was used before and after the tariff switch. This approach simplifies service providers' billing and operations server implementations.

Benefits

Simplified billing server implementation for service providers.

Restrictions

Cannot be used when a tariff type is changed in midsession (for example, a change from a time-based tariff to a volume-based tariff).

SSG accounting must be enabled in order for the SSG Extended Prepaid Tariff Switching feature to be used.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Cisco IOS Extended Prepaid Tariff Switch with SSG is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Murali Kolli (mkolli@cisoc.com)

2.5.7) MAC Address-Based Authorization with Service Selection Gateway

SSG currently authenticates users with Web-based login through Cisco Subscriber Edge Services Manager (SESM) or by acting as a RADIUS proxy in an Extensible Authentication Protocol (EAP) type of authentication. SSG can also authenticate users based on their IP address through the functionality called Transparent Auto Logon (TAL).

MAC address-based authentication correlates DHCP IP address allocation with the client's MAC address in order to authenticate the user.

If a connection request comes from an unknown user, SSG mandates explicit Web login with a captive portal. After initial login, the MAC address of the client device is learned and tracked for further authentication during the next login. Thereafter, SSG implicitly authenticates the user at every login until a predefined time interval has passed.

Benefits

After the user authenticates with Web login, further user logins can be avoided as long as the user uses the same client device, until the predefined time period has passed.

Restrictions

Assumes that the device belongs to the same user all the time. If users swap devices, the identity of the users behind the devices can be misunderstood.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

MAC Address-Based Authorization with SSG is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Murali Kolli (mkolli@cisoc.com)

2.5.8) Service Selection Gateway Aware On-Demand IP Address Renewal

Service Selection Gateway (SSG) functionality poses two problems:

1. Subscribers trying to connect to a broadband remote-access server (BRAS) using Ethernet access need to be given a temporary IP address until they are authenticated and are ready to connect to one of the services. Switchover of the IP address to an IP address belonging to the chosen service or SP should happen dynamically.

2. The second situation is for subscribers who are connected and are actively using one of the services. When they try to switch to a new service or SP, if that new service or SP mandates an IP address change to the session (with an IP address from a pool specific to that service or service provider's network), the service selection solution should be aware of that requirement and support such a change. This is an equal access network (EAN) requirement and an application service provider requirement to provide specific services (for example, gaming and Web-sharing applications) belonging to the network.

Benefits

For Ethernet access subscribers, service providers can give a short-term lease of an IP address and renew for a longer lease after authentication.

Subscribers can access services and dynamically change their IP address to an address distributed by the application service provider. This enables application access without NAT.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SSG Aware On-Demand IP Address Renewal is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Murali Kolli (mkolli@cisoc.com)

2.5.9) Service Selection Gateway Support for Subnet-Based Authentication

Subnet-based authentication functionality enables SSG to accept a login from one of the users in a subnet (for example, a business) and to treat a complete subnet as authenticated. This functionality will eliminate the need for all the users in a subnet (or a business) to authenticate individually. This enhancement will also enable services for all users in the subnet and generate aggregate billing records.

Subnet-based authentication is supported for both Web login users and transparent autologon (TAL) users.

Benefits

Enables service providers to offer business Internet services, avoiding the need for every user to identify and log in.

Enables service providers to offer pay-per-use Internet service to their SOHO customers.

Provides easy-to-use dedicated video and voice appliances to deliver those services over the same IP network after initial authentication from a personal computer.

Restrictions

Subnet-based authentication is not supported for users with PPP-based access.

Once a subnet-based authentication is enabled, individual subscribers on that subnet are not identified and tracked.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SSG Support for Subnet-Based Authentication is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Murali Kolli (mkolli@cisco.com)

2.6) IPv6

2.6.1) Dynamic Host Configuration Protocol version 6 Prefix Delegation Using Authentication, Authorization, and Accounting

An IPv6 prefix-delegating router (DHCPv6 server) selects prefixes to be assigned to a requesting router (DHCPv6 client) upon receiving a request from the client. Prior to this feature, these prefixes could be obtained only using one of the following:

A statically configured client-specific binding

A locally configured IPv6 prefix pool

This feature enables a third option. It allows the prefix assignment to originate from a RADIUS/AAA Server using the Framed-IPv6-Prefix attribute as described in RFC 3162.

Cisco IOS Software Release 12.3(4)T added support for the Framed-IPv6-Prefix attribute (see DDTS CSCdy19621). The DHCPv6 Prefix Delegation Using AAA feature enables the DHCPv6 server to interface with AAA to obtain the prefix assignment using an AAA/RADIUS authorization request.
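As an added configuration example (constructed for this section, not taken from the release notes or Cisco documentation), the following shows a DHCPv6 server pool that obtains the delegated prefix from RADIUS instead of from a local prefix pool or a static client binding. The RADIUS host, shared secret, method-list name PD-AAA, pool name, interface and all addresses are placeholders, and the aaa authorization configuration line is my assumption about how the method list the pool references is defined.

```cisco
! Added example: DHCPv6 prefix delegation sourced from RADIUS (Framed-IPv6-Prefix, RFC 3162).
! All addresses, names and secrets below are constructed placeholders.
!
aaa new-model
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Assumption: the prefix is fetched through a "configuration" authorization
! method list, which the DHCPv6 pool references by name.
aaa authorization configuration PD-AAA group radius
!
ipv6 unicast-routing
!
! No local prefix pool and no static binding: each request is authorized
! against RADIUS, and the returned Framed-IPv6-Prefix becomes the delegation.
ipv6 dhcp pool CPE-POOL
 prefix-delegation aaa method-list PD-AAA
!
interface FastEthernet0/0
 description Link to requesting routers (DHCPv6 clients)
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 dhcp server CPE-POOL
!
! Matching RADIUS-side entry, FreeRADIUS users-file style (constructed):
!   cpe-0001  Cleartext-Password := "<client-secret>"
!             Framed-IPv6-Prefix = 2001:db8:1000::/48
!
! Verification after a client has requested a prefix:
!   show ipv6 dhcp binding
```

Because the prefix comes from the AAA server, the same RADIUS profile that authorizes the client also decides which address space it receives, so prefix assignment can be audited and revoked centrally rather than by editing router configuration.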

Benefits

More flexibility and control of IPv6 address assignments.

Centralized control and management of IPv6 prefix assignments using AAA/RADIUS.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/tech/tk872/technologies_white_paper09186a00801e199d.shtml

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.6.2) Mobile IP: Mobile IPv6 Home Agent

This feature provides support for the Mobile IPv6 Home Agent (HA). It includes the following:

Home Agent

Home agent functionality allows an IPv6 router to act as a home agent for one or more mobile nodes when they are away from home.

Advertisement Interval Option

Allows a configurable Advertisement Interval option to help mobile nodes perform movement detection.

Duplicate Address Detection

Enables verification of the mobile node (MN) IP address by performing duplicate address detection (DAD) when processing a request for registration from an MN.

Dynamic Home Agent Address Discovery

Allows home agents in a subnet to learn of each other's presence and capabilities by listening to router advertisements.

Access Control Lists

Supports use of ACLs to limit sources of binding updates, Dynamic Home Agent Address Discovery (DHAAD) requests, and prefix solicitations. Allows control over roaming.

Benefits

RFC 3775-compliant support for Mobile IPv6 Home Agent.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Does not include full support for correspondent node.

This phase does not deliver support for the use of IPsec (ESP) in binding updates and binding acknowledgements between a mobile node and its home agent. However, it does not prevent end-to-end IPsec from being used to secure communication between a mobile node and a correspondent node when Cisco IOS Software is acting as the home agent.

Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/docs/mobileipv6.pdf

Cisco IOS Packaging

Mobile IP: Mobile IPv6 Home Agent is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.6.3) Cisco Express Forwarding Support for Network Address Translation-Protocol Translation

Cisco IOS Network Address Translation-Protocol Translation (NAT-PT) translates packets that traverse between IPv4-only and IPv6-only networks in either direction. NAT-PT translates the IP header and source and destination ports if needed. It also translates the embedded IP addresses and ports for application protocols of which it is aware.

Prior to the introduction of this feature, packets undergoing NAT-PT were process-switched, which limited the throughput that could be achieved while using this feature. Now packets that undergo NAT-PT are processed in the interrupt path and use Cisco Express Forwarding.

Benefits

Better performance when translation between IPv4 and IPv6 networks is necessary.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_data_sheet09186a008011ff51.html

Cisco IOS Packaging

Cisco Express Forwarding Support for NAT-PT is positioned in the IP Base packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.6.4) Simple Network Management Protocol Using IPv6 Transport

IPv6 networks are becoming more prominent, as are the requirements for management in an all-IPv6 environment. To date, most IPv6 networks have been deployed with support for IPv4 and with the assumption that network management was based on IPv4.

SNMP over IPv6 Transport allows network management to be performed from a station running only IPv6.

The feature includes:

Support for SNMP get/set requests and responses on IPv6 transport

SNMP notifications to IPv6 destinations

Modification to the snmp-server host CLI to configure IPv6 hosts as trap receivers

SNMPv3 configuration*

Support of MIBs for configuration of SNMPv3 users, groups, and views and configuration of SNMPv3 engines or end stations for use in either an IPv4 or IPv6 environment

SNMP proxy forwarder

Support of SNMP proxy forwarder using IPv6 transport

MIB Changes

MIB updates for IPv6

CISCO-FLASH-MIB

CISCO-CONFIG-COPY-MIB

CISCO-CONFIG-MAN-MIB

CISCO-CONFIG-COPY-CAPABILITY

ENTITY-MIB

NOTIFICATION-LOG-MIB

New MIB

CISCO-SNMP-TARGET-EXT-MIB (extension from SNMP-TARGET-MIB)

Modification of MIB implementation for IPv6

SNMP-USM-MIB

SNMP-VACM-MIB

Benefits

Provides base function needed to enable management of all IPv6 networks.

Includes support for RFC 3419: Textual Conventions for Transport Addresses.
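The following added example (constructed here, not part of the release notes) puts the pieces listed above together: an SNMPv3 group and user with authentication and privacy, an IPv6 access list that limits which station may query the router, and the modified snmp-server host command sending notifications to an IPv6 destination. The addresses, view, group and user names, and the password placeholders are all constructed; the trap type chosen (config) corresponds to CISCO-CONFIG-MAN-MIB, one of the MIBs updated for IPv6.

```cisco
! Added example: SNMPv3 authPriv management of the router from an
! IPv6-only station. Addresses, names and passwords are constructed placeholders.
!
ipv6 unicast-routing
!
! Only the management station may talk SNMP to the router over IPv6.
ipv6 access-list NMS-V6
 permit ipv6 host 2001:DB8:100::10 any
!
! Read-only view, a v3 group that requires authentication and privacy
! and is bound to the IPv6 ACL, and a user with SHA authentication and AES privacy.
snmp-server view RO-VIEW iso included
snmp-server group NMS-GROUP v3 priv read RO-VIEW access ipv6 NMS-V6
snmp-server user nmsadmin NMS-GROUP v3 auth sha <auth-password> priv aes 128 <priv-password>
!
! Notifications to the IPv6 host, also with v3 privacy. "config" selects
! the CISCO-CONFIG-MAN-MIB configuration-change trap.
snmp-server enable traps config
snmp-server host 2001:DB8:100::10 version 3 priv nmsadmin config
!
! No v1/v2c community strings are defined, so no cleartext community access exists.
!
! Verification:
!   show snmp user
!   show snmp group
!   show snmp host
```

The point of pairing the group with an IPv6 access list is that the transport change does not weaken the management plane: the same source restriction and authPriv requirement that would apply over IPv4 apply to IPv6 queries and to the trap receiver.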

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Provides for support of IPv6 using an internal proxy method.

Cisco IOS Packaging

SNMP Using IPv6 Transport is positioned in the Advanced IP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contacts: IPv6—Patrick Grossette (pgrosset@cisco.com), SNMP—Michael Cheung (cheung@cisco.com)

2.6.5) IPv6 Bootstrap Router Bidirectional Support

This feature improves upon the IPv6 Bootstrap Router (BSR) implementation by offering support for bidirectionality in BSR.

Benefits

Supports the advertising of bidirectional rendezvous points in C-RP messages and bidirectional ranges in the bootstrap message (BSM).

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

All the routers in the system must be upgraded to be able to understand the bidirectional range. Just upgrading candidate RP and candidate BSR routers is not sufficient.

Cisco IOS Packaging

IPv6 BSR Bidirectional Support is positioned in the Advanced IP Services and Enterprise Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.6.6) IPv6 Bootstrap Router Scoped Zone Support

IPv6 Bootstrap Router (BSR) Scoped Zone Support enhances IPv6 BSR, allowing for distribution of group-to-RP mappings in networks using administratively scoped multicast.

Benefits

Allows the customer to configure candidate BSRs and a set of candidate RPs for each administratively scoped region in the domain.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IPv6 BSR Scoped Zone Support is positioned in the Advanced IP Services and Enterprise Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.7) Multiprotocol Label Switching

2.7.1) Multiprotocol Label Switching: Label Distribution Protocol Graceful Restart

Cisco Nonstop Forwarding (NSF) with Stateful Switchover (SSO) has been proven to increase the availability of networks for service providers and enterprises. Cisco IOS Software Release 12.2(25)S added support for MPLS HA, including Label Distribution Protocol (LDP) Graceful Restart capability as specified by RFC 3478.

This feature brings this support for LDP Graceful Restart to other Cisco IOS Software products that are based on Cisco IOS Software Release 12.3(14)T and future Cisco IOS Software releases.

Benefits

Enables more product deployment options.

Features consistency across products.

Hardware

Routers

Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

MPLS: LDP Graceful Restart is positioned in the SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Pepe Garcia (pepe@cisco.com)

2.7.2) Multiprotocol Label Switching: Label Distribution Protocol Inbound Label Binding Filtering

MPLS LDP supports inbound label binding filtering, which allows customers to configure ACLs to control the label bindings a label switch router (LSR) accepts from its peer LSRs.

Benefits

Helps control the amount of memory used to store LDP label bindings advertised by other routers.

In a simple MPLS VPN environment, the VPN PE routers may require LSPs only to their peer PE routers (that is, they do not need LSPs to core routers).

Inbound label binding filtering enables a PE router to accept labels only from other PE routers.
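The PE-only case described above, as an added configuration example (constructed here, not taken from the release notes): a PE accepts label bindings from a given LDP peer only for the loopback prefixes of the other PE routers, so bindings for core prefixes are never stored. The peer address, the loopback range and the ACL number are constructed placeholders.

```cisco
! Added example: accept label bindings from a given LDP peer only for
! the prefixes a PE actually needs (the loopbacks of the other PEs).
! Addresses are constructed placeholders.
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
! Standard ACL listing the FECs (the PE loopback range) for which bindings are wanted.
access-list 1 permit 10.255.0.0 0.0.0.255
!
! Bindings advertised by peer 10.255.0.2 for any FEC outside ACL 1 are
! discarded on receipt and never stored in the LIB.
mpls ldp neighbor 10.255.0.2 labels accept 1
!
! Verification: the LIB should hold remote bindings from 10.255.0.2 only
! for prefixes inside 10.255.0.0/24.
!   show mpls ldp bindings
!   show mpls ldp neighbor 10.255.0.2 detail
```

The filter is applied per neighbor, so a router that peers with both PE and P routers can hold a full set of bindings from the core while keeping only the bindings it needs from its PE peers; the memory saving is proportional to the bindings the ACL excludes.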

Hardware

Routers

Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

MPLS: LDP Inbound Label Binding Filtering is positioned in the SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Ripin Checker (rchecker@cisco.com)

2.7.3) Multiprotocol Label Switching: Virtual Routing and Forwarding-Aware Static Labels

The VRF-Aware Cisco MPLS Static Labels feature allows MPLS static labels to be used for VRF traffic.

When the static labels software is not VRF aware, it can be used only for the following purposes:

Configuring MPLS forwarding table entries for the global routing table.

Assigning label values to forwarding equivalence classes (FECs) learned by the LDP for the global routing table.

Those limitations mean that in MPLS VPN environments, the software can be used only in the provider core.


Note: This feature is supported only in carrier supporting carrier (CSC) mode.


Benefits

Static labels can be used at the VPN edge.

Static bindings between labels and IPv4 prefixes can be configured statically.

Hardware

Routers

Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_white_paper09186a00801b23af.shtml

Cisco IOS Packaging

MPLS: VRF Aware Static Labels is positioned in the SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Ripin Checker (rchecker@cisco.com)

2.7.4) Multiprotocol Label Switching: Label Distribution Protocol Session Protection

MPLS LDP Session Protection maintains LDP bindings when a link fails. MPLS LDP sessions are protected through the use of LDP Hello messages. When you enable MPLS LDP session protection, the LSRs send messages to find other LSRs with which they can create LDP sessions.

If the LSR is one hop from its neighbor, it is directly connected to its neighbor. The LSR sends out LDP Hello messages as UDP packets to all the routers on the subnet. The hello message is called an LDP Link Hello. A neighboring LSR responds to the hello message, and the two routers begin to establish an LDP session.

If the LSR is more than one hop from its neighbor, it is not directly connected to its neighbor. The LSR sends out a directed hello message as a UDP packet, but as a unicast message specifically addressed to that LSR. The hello message is called an LDP Targeted Hello. The nondirectly connected LSR responds to the Hello message, and the two routers establish an LDP session. (If the path between two LSRs has been traffic engineered and has LDP enabled, the LDP session between them is called a targeted session.)

MPLS LDP Session Protection uses LDP Targeted Hellos to protect LDP sessions.
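An added configuration example (constructed here, not from the release notes) for the targeted-hello mechanism just described: session protection is enabled only for the neighbors listed in an ACL and the protected session is held for a bounded time after the link adjacency is lost. The neighbor addresses, ACL number and duration are constructed placeholders.

```cisco
! Added example: LDP session protection limited to the neighbors listed
! in an ACL, with a bounded hold time. Addresses are constructed placeholders.
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
! LDP router IDs of the neighbors whose sessions should survive link loss.
access-list 10 permit 10.255.0.2
access-list 10 permit 10.255.0.3
!
! Targeted hellos are sent to these neighbors in addition to link hellos, so
! the session (and its label bindings) survives a link flap. "duration" bounds
! how long the targeted session is kept after the last link adjacency goes
! down; without it the session is kept indefinitely.
mpls ldp session protection for 10 duration 120
!
! A peer that does not configure session protection itself must still be
! told to accept targeted hellos from this router:
!   mpls ldp discovery targeted-hello accept from 10
!
! Verification:
!   show mpls ldp neighbor detail
!     (look for the targeted-hello adjacency and the session protection state)
```

Restricting protection with the ACL matters because a targeted session is accepted from a unicast hello rather than a link-local one: limiting which router IDs may form one keeps the set of LSRs that can hold a session to this router explicit.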

Benefits

Improves network reconvergence time.

Enables more product deployment options.

Features consistency across products.

Hardware

Routers

Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95d9.html

Cisco IOS Packaging

MPLS LDP Session Protection is positioned in the SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Ripin Checker (rchecker@cisco.com)

2.7.5) Multiprotocol Label Switching: Label Distribution Protocol Autoconfiguration

This enhancement provides a global configuration command that enables LDP on interfaces for which a specified IGP has been enabled. This simplifies LDP configuration by making it unnecessary to explicitly configure each interface and reduces the likelihood of accidentally omitting explicit LDP configuration on one or more interfaces for which it is required.

LDP is disabled on all interfaces by default. Prior to this feature, the interface-level [no] mpls ip command enabled or disabled LDP on the interface.

This feature defines a new global configuration command:

mpls ldp autoconfig

When this command is used, it is not necessary to configure mpls ip on each interface covered by the mpls ldp autoconfig command. Optional parameters specify the applicability of the command with regard to the IGP enabled on each interface.

Benefits

Reduces potential for configuration error.

Simplifies configuration.

Enables more product deployment options.

Features consistency across products.

Hardware

Routers

Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95de.html

Cisco IOS Packaging

MPLS LDP Autoconfiguration is positioned in the SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Ripin Checker (rchecker@cisco.com)

2.7.6) Multiprotocol Label Switching: Label Distribution Protocol-Interior Gateway Protocol Synchronization

Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) Interior Gateway Protocol (IGP) Synchronization ensures that LDP is fully established before the IGP path is used for switching.

This feature provides synchronization of IGP forwarding with MPLS forwarding to reduce the chance of MPLS traffic being lost following link failure or link flap.

Packet loss can occur because the actions of the IGP and LDP are not synchronized. Packet loss can occur in two situations:

When an IGP adjacency is established, the router begins forwarding packets using the new adjacency before the LDP label exchange completes between the peers on that link.

If an LDP session closes, the router continues to forward traffic using the link associated with the LDP peer rather than an alternate pathway with a fully synchronized LDP session.

This feature provides a means to synchronize LDP and IGP to minimize MPLS packet loss.

MPLS LDP-IGP Synchronization enables users to globally enable LDP-IGP Synchronization on every interface associated with an IGP process. (Currently, the only IGP that supports this feature is OSPF.) Also, it provides a means to disable LDP-IGP Synchronization on interfaces that you do not want enabled. The goal of MPLS LDP-IGP Synchronization is to prevent MPLS packet loss because of synchronization conflicts.
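The following added example (constructed here, not from the release notes) covers both the LDP autoconfiguration command of section 2.7.5 and the LDP-IGP synchronization of this section, because both are configured under the same OSPF process. Interface names, addresses and the OSPF process number are constructed placeholders.

```cisco
! Added example covering LDP autoconfiguration (2.7.5) and LDP-IGP
! synchronization (2.7.6) for one OSPF process. Interface names and
! addresses are constructed placeholders.
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Serial0/0
 ip address 10.0.12.1 255.255.255.252
!
interface Serial0/1
 ip address 10.0.13.1 255.255.255.252
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 ! Enable LDP on every interface OSPF area 0 covers; no per-interface "mpls ip" needed.
 mpls ldp autoconfig area 0
 ! Do not treat a link as usable for forwarding until its LDP session is up,
 ! and stop preferring it if the session drops (an alternate path must exist).
 mpls ldp sync
!
! Interface-level opt-outs: keep one link out of autoconfig, or out of sync.
interface Serial0/1
 no mpls ldp igp autoconfig
 no mpls ldp igp sync
!
! Verification:
!   show mpls interfaces
!   show mpls ldp igp sync
!   show ip ospf mpls ldp interface
```

Autoconfiguration removes the class of error where an interface carries the IGP but not LDP; synchronization removes the window where the IGP uses a link before LDP has exchanged labels on it. The two are independent, which is why the example shows both opt-outs separately.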

Benefits

Improves reconvergence and availability.

Minimizes potential for traffic and packet loss in certain situations.

Hardware

Routers

Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

There must be an alternate path available for traffic to benefit from this feature.

Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95dd.html

Cisco IOS Packaging

MPLS: LDP-IGP Synchronization is positioned in the SP Services packages across Cisco routers (Figure 3).

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Ripin Checker (rchecker@cisco.com)

3) Release 12.3(11)T Highlights

Table 3  Release 12.3(11)T Feature Highlights 

3.1.1) Cisco 3800 Series Integrated Services Router

3.2.1) Cisco IOS Warm Upgrade

3.2.2) Cisco IOS IPsec Stateful Failover

3.3.1) Role-Based CLI Access—Granular Interface Control

3.3.2) 802.1x Supplicant

3.3.3) Cisco IOS Intrusion Prevention System

3.3.4) Cisco IOS Security Device Event Exchange

3.3.5) Cisco IOS Firewall IPv6 FTP Support

3.3.6) Cisco Easy VPN 4.0

3.3.7) Cisco Security and Router Device Manager 2.0

3.4.1) Cisco AutoQoS for the Enterprise—Suggested Policy

3.5.1) Border Gateway Protocol Support for Named Extended Community Lists

3.5.2) Border Gateway Protocol Support for Sequenced Entries in Extended Community Lists

3.5.3) Border Gateway Protocol Support for Dual Autonomous System Configuration for Network Autonomous System Migrations

3.5.4) Cisco Optimized Edge Routing Support for Policy-Rules Configuration and Port-Based Prefix Learning

3.5.5) Enabling Open Shortest Path First v2 on an Interface Using the ip ospf area Command

3.6.1) Egress Netflow

3.6.2) Netflow MIB and Top N Talkers

3.7.1) Multicast Enhancements

3.8.1) Service Selection Gateway Support of Overlapping IP Addresses

3.8.2) Service Selection Gateway Support for Radius Attributes 27 and 29

3.8.3) Service Selection Gateway Default Quota for Prepaid Billing Server Failure

3.8.4) Service Selection Gateway Support for Dynamic Load Balancing

3.9.1) First Hop Redundancy Protocols—Virtual Router Redundancy Protocol MIB RFC 2787

3.10.1) Upstream Connection Speed Transfer at LAC

3.10.2) Configurable MAC Address for bba-group


3.1) New Hardware Support

3.1.1) Cisco 3800 Series Integrated Services Router

The integrated services routing architecture of the Cisco 3800 Series builds on the powerful Cisco 3700 Series routers designed to embed and integrate security and voice processing with advanced services for rapid deployment of new applications, including application layer functions, intelligent network services, and converged communications. The Cisco 3800 Series supports the bandwidth requirements for multiple Fast Ethernet interfaces per slot, time-division multiplexing (TDM) interconnections, and fully integrated power distribution to modules supporting 802.3af Power over Ethernet (PoE), while still supporting the existing portfolio of modular interfaces. This ensures continuing investment protection to accommodate network expansion or changes in technology as new services and applications are deployed. By integrating the functions of multiple separate devices into a single compact unit, the Cisco 3800 Series dramatically reduces the cost and complexity of managing remote networks.

New models include the Cisco 3825 and the Cisco 3845, available with three optional configurations for AC power, AC power with integrated IP phone power support, and DC power.

Figure 21

Cisco 3800 Series Integrated Services Router

Benefits

This high-performance architecture is optimized for concurrent service deployment and offers increased default and maximum memory for future services growth.

Cisco IOS Software features offer support for identifying, preventing, and adapting to security threats and maintaining a self-defending network, including Cisco SDM 2.0, NAC (antivirus enforcement), Dynamic Multipoint VPN, dynamic in-line IDS, Cisco IOS Software Firewall, and URL filtering capabilities.

Onboard DSPs—Integrated PVDMs support analog voice, digital voice, conferencing, transcoding, and secure Real-Time Transport Protocol (SRTP) media while enabling network-module or AIM slots for switching, concurrent applications, content, and voice mail.

Field-upgradable, modular components are supported on the Cisco 3800 Series, allowing customers to easily change network interfaces without upgrading their entire branch-office network. The Cisco 3800 Series takes advantage of the existing portfolio of WICs, VICs, network modules, and AIMs to reduce sparing, training, configuration, installation, and maintenance costs.

The Cisco 3800 Series minimizes downtime with availability features, including optional redundant power, Error Checking and Correction (ECC) memory for improved fault isolation and correction, USB Flash memory for ease of image recovery, advanced temperature monitoring and variable-speed cooling fans, Cisco IOS Software Warm Reboot for improved bootup times, network-module online insertion and removal, and field-replaceable components such as fan tray, motherboard, and power supplies (Cisco 3845 only).

Additional Information: http://www.cisco.com/en/US/products/ps5855/index.html

Product Management Contact: cs-3800@cisco.com

3.2) High Availability

3.2.1) Cisco IOS Warm Upgrade

Cisco IOS Warm Upgrade significantly reduces planned downtime for Cisco IOS Software devices during upgrades to new Cisco IOS Software images. This improves the overall availability of hardware with single route or switch processors. Users implementing Cisco IOS Warm Upgrade will typically enjoy an eighty percent reduction in downtime during an image upgrade.

Figure 22

Cisco IOS Warm Upgrade

Benefits

Reduced downtime for planned upgrades

Cisco IOS Warm Upgrade allows the image to be directly loaded into memory and uncompressed while the current image is still executing on the Cisco IOS Software device. A failover then occurs to the new image after it is completely loaded. This allows the load and decompress as well as initial boot steps to be bypassed.

Upgrade without storage media

With Cisco IOS Warm Upgrade, it is possible to upgrade to a new image over the network without attempting a netboot from ROMMON or the boot helper. This allows users to evaluate new software on a device without placing the image on the flash media of the Cisco IOS Software device. Furthermore, if Cisco IOS Warm Upgrade fails for any reason, the Cisco IOS Software device continues to run the existing image if possible.

Hardware


Considerations

Users will need to have sufficient free memory to decompress the new Cisco IOS Software image in the system in order to be able to leverage Warm Upgrade.

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755a.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802b4383.html

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

3.2.2) Cisco IOS IPsec Stateful Failover

IPsec Stateful Failover allows customers to employ a backup IPsec server to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. The backup (secondary) IPsec server automatically takes over the tasks of the active (primary) router without losing secure connections with its peers if the active router loses connectivity for any reason. This process is transparent to the end user and does not require adjustment or reconfiguration of any remote peer.

IPsec Stateful Failover is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. IPsec Stateful Failover provides protection for IPsec tunnels, IPsec with GRE, and Cisco IOS Easy VPN traffic.

Figure 23

IPsec Stateful Failover Feature Module

Benefits

Increased resiliency and availability for network applications such as client/server, voice, and video over VPN. These applications can now continue uninterrupted during scheduled network maintenance or a network outage. The IPsec Stateful Failover feature enables rapid failover for geographically dispersed peers, avoiding disruption to critical enterprise applications.

Hardware

Routers

Cisco 3700 and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

3.3) Cisco IOS Security

3.3.1) Role-Based CLI Access—Granular Interface Control

Cisco initially introduced Role-Based CLI Access—Granular Interface Control in Release 12.3(7)T. It enables the network device administrator to set up views that define the set of CLI commands that can be accessed by each user. With this enhancement, administrators can control user access and configure specific ports, logical interfaces, and slots on a router.

Figure 24

Role-Based CLI Access—Granular Interface Control

Benefits

With Role-Based CLI Access—Granular Interface Control, administrators can match user access to CLI commands based on their operational roles in the organization.

Security: Enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.

Availability: Prevents unintentional execution of CLI commands by unauthorized personnel, which could have undesirable results. This minimizes downtime.

Operational efficiency: Users see only the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears less complex and commands are easier to identify when using on-device help.
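As an added configuration example (constructed here, not part of the release notes), the following defines a view for a help-desk role that may inspect the router but may enter and configure only one interface, which is the granular interface control this enhancement adds. The view name, interface, user name and secret placeholders are constructed.

```cisco
! Added example: a restricted view for a help-desk role that may inspect
! the router but configure only one interface. Names and secrets are placeholders.
!
aaa new-model
!
! Views can only be created from the root view: from exec, run
!   enable view
! and supply the enable secret, then enter configuration mode.
!
parser view HELPDESK
 secret 0 <view-password>
 ! Exec commands this role may run
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include configure terminal
 ! Granular interface control: the only interface this role may enter
 commands configure include interface FastEthernet0/1
 ! And the only commands permitted under that interface
 commands interface include ip address
 commands interface include shutdown
 commands interface include no shutdown
!
! Bind a local user to the view; a RADIUS or TACACS+ server can return the
! view name (cli-view-name) instead of a local binding.
username helpdesk view HELPDESK secret 0 <user-password>
!
! Verification, logged in as that user:
!   enable view HELPDESK
!   show parser view
!   show running-config      (not included above, so it is rejected)
```

Everything not listed with an include is denied, so the view is a least-privilege allow list: the role can bring one access port up or down and readdress it, but cannot touch routing, other interfaces, or the configuration as a whole.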

Hardware

Routers

Cisco 7200 Series

Cisco 1760, 2610XM, 2611XM, 3640A, and 3725 Routers


Product Management Contact: ask-stg-ios-pm@cisco.com

3.3.2) 802.1x Supplicant

There are deployment scenarios in which a network device (a router acting as an 802.1X authenticator) is placed in an unsecured location and cannot be trusted as an authenticator. This scenario mandates that a network device have the ability to authenticate itself against another network device.

The 802.1x supplicant support functionality provides the following solutions:

Extensible Authentication Protocol (EAP) framework: supplicant can "understand" and "respond" to EAP requests. EAP-Message Digest 5 (EAP-MD5) is currently supported.

Two network devices that are connected through an Ethernet link can act simultaneously as supplicant and authenticator, thus providing mutual authentication capability.

A network device that is acting as a supplicant can authenticate itself with more than one authenticator (that is, a single port on a supplicant can connect to multiple authenticators).

Figure 25

802.1x Supplicant

Benefits

Consistent, standards-based technology for insertion into any mixed multimedia, multi-vendor network.

Enforcing corporate policy for network access at Layer 2.

Single supplicant can connect to multiple authenticators, so different connectivity and security policies can be implemented for different users.

Hardware

Routers

Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, 7400, and 7500 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

3.3.3) Cisco IOS Intrusion Prevention System

Cisco IOS Intrusion Prevention System (IPS) utilizes inline deep packet inspection to enhance network attack mitigation capabilities in Cisco IOS Software. By enabling IPS, customers can quickly protect their network from known network attacks without disrupting router functions or other embedded security capabilities, such as protocol anomaly detection.

The new Cisco IOS IPS capability enables the user to load and enable any of the 700+ IDS signatures that are supported by the Cisco IDS Sensor to deter network attacks. In addition, Cisco IOS IPS allows the user to modify any existing signature or create a new signature to deter newly discovered intrusions. Cisco IOS IPS enables the following actions:

Send an alarm

Drop the packet

Reset the connection

Figure 26

Cisco IOS Intrusion Prevention System

Benefits

Ubiquitous protection of network assets

Cisco IOS IPS is supported on a broad range of Cisco routers, enabling the user to protect network users and assets deep into the network architecture. The router is a security enforcer.

Inline deep packet inspection

Cisco IOS IPS enables users to stop known network attacks. When a signature fires, Cisco IOS IPS intercepts the intrusion attempt as it tries to traverse the router. Cisco IOS IPS uses deep packet inspection to examine the payload of a packet and uncover known malicious activity.

IDS signature support

Cisco IOS IPS can now be enabled with any of the 700+ IDS signatures supported by the Cisco IDS Sensors to mitigate today's known network attacks. As attacks are identified in the Internet, these signatures are updated and posted to Cisco.com so that they can be downloaded to the Cisco router by way of the VMS IDS MC 2.3 or SDM 2.0. IDS MC also provisions the Cisco IDS Sensor appliance products.

Customized signature support

Cisco IOS IPS can now customize existing signatures, while also creating new ones. This Day 1 capability mitigates attacks that try to capitalize on slight deviations of known or newly discovered attacks.

Hardware

Routers

Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

3.3.4) Cisco IOS Security Device Event Exchange

Cisco IOS Software now supports the Security Device Event Exchange (SDEE) protocol. SDEE is a new standard that specifies the message format and the protocol used to communicate events generated by security devices. SDEE is flexible, so that all vendors can support it and remain compatible; this allows mixed-vendor IDS environments to use a single network management alert interface. TruSecure (ICSA) is currently proposing it as the unified industry protocol format for all vendors to communicate with network management applications. SDEE uses a pull mechanism: requests come from the network management application and the IDS/IPS router responds. SDEE uses HTTP and XML to provide a standardized interface. The Cisco IOS IPS router still sends IDS alerts through syslog.

Figure 27

Cisco IOS Security Device Event Exchange

Benefits

Vendor Interoperability

SDEE is proposed as the standard format for all vendors to communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and, potentially, multiple network management platforms.

Secured transport

The use of HTTP over SSL (HTTPS) protects event data from disclosure and tampering as it traverses the network. The management application should verify the router's server certificate; without that check the encrypted channel protects only against passive eavesdropping.

Hardware

Routers

Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

3.3.5) Cisco IOS Firewall IPv6 FTP Support

Cisco IOS Software now performs stateful packet inspection of File Transfer Protocol (FTP) sessions over IPv6. Cisco IOS Firewall tracks the FTP control channel and dynamically opens the negotiated data channel so that return traffic can traverse the firewall back to the FTP client; at the same time it monitors the session for RFC compliance and alerts the network to protocol anomalies that indicate an attempted malicious act. Cisco IOS Firewall tracks the initial FTP handshake and the session termination, ensuring that a user has been authenticated before any data traverses the firewall. This prevents network intrusion by unauthorized users who attempt to initiate a connection across the network or to hijack the session of an authorized user. When the user logs off or the session is otherwise terminated (for example, aborted), the firewall immediately closes all open data and control channels associated with that user.
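To make concrete what the inspector has to track, here is an added example (not Cisco IOS Firewall code) of stateful FTP control-channel inspection in Python. It handles the IPv4 PORT/PASV exchange from RFC 959 and the IPv6 EPRT/EPSV exchange from RFC 2428, opens a data-channel pinhole only after the server has accepted the login and only towards the two control-channel peers, tears pinholes down at QUIT, and records anomalies such as a data channel requested before login or an EPRT naming a third-party address (the classic FTP bounce). The transcript and addresses are constructed for the example.

```python
"""Stateful FTP control-channel inspection: IPv4 PORT/PASV (RFC 959) and IPv6 EPRT/EPSV (RFC 2428).

Added example for this page, not Cisco IOS Firewall code. It tracks login
state, opens data-channel pinholes only for an authenticated session and only
towards the control-channel peers, closes them at QUIT, and records protocol
anomalies. The SESSION transcript and addresses are constructed.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|$", re.I)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
REPLY_RE = re.compile(r"^\d{3}[ -]")


class FtpInspector:
    def __init__(self, client, server):
        self.client = ipaddress.ip_address(client)
        self.server = ipaddress.ip_address(server)
        self.authenticated = False
        self.pinholes = set()   # (src, dst, dst_port) currently allowed through the firewall
        self.opened = []        # every pinhole ever opened, kept as an audit trail
        self.anomalies = []

    def _open(self, src, dst, port, where):
        """Open a data-channel pinhole, but only for a logged-in user and an unprivileged port."""
        if not self.authenticated:
            self.anomalies.append(f"{where}: data channel requested before login")
        elif not 1023 < port < 65536:
            self.anomalies.append(f"{where}: data port {port} out of range")
        else:
            hole = (str(src), str(dst), port)
            self.pinholes.add(hole)
            self.opened.append(hole)

    def _active(self, addr_text, port, family, where):
        """Active mode: the client names where the server must connect; any other host is a bounce."""
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            self.anomalies.append(f"{where}: unparsable address {addr_text!r}")
            return
        if addr != self.client or addr.version != family:
            self.anomalies.append(f"{where}: names {addr}, not the control-channel client {self.client}")
            return
        self._open(self.server, self.client, port, where)

    def _passive(self, addr, port, where):
        """Passive mode: the server names a port on itself; a different host is not RFC behaviour."""
        if addr != self.server:
            self.anomalies.append(f"{where}: names {addr}, not the control-channel server {self.server}")
            return
        self._open(self.client, self.server, port, where)

    def feed(self, direction, line):
        """direction 'c' = client to server, 's' = server to client."""
        line = line.rstrip("\r\n")
        if direction == "c":
            if m := PORT_RE.match(line):
                self._active(".".join(m.group(1, 2, 3, 4)), int(m[5]) * 256 + int(m[6]), 4, "PORT")
            elif m := EPRT_RE.match(line):
                self._active(m[2], int(m[3]), {"1": 4, "2": 6}[m[1]], "EPRT")
            elif line.upper().startswith("QUIT"):
                self.pinholes.clear()
        elif not REPLY_RE.match(line):
            self.anomalies.append(f"server reply without an RFC 959 code: {line!r}")
        elif line.startswith("230"):
            self.authenticated = True
        elif line.startswith("221"):
            self.pinholes.clear()
        elif m := PASV_RE.match(line):
            self._passive(ipaddress.ip_address(".".join(m.group(1, 2, 3, 4))),
                          int(m[5]) * 256 + int(m[6]), "PASV")
        elif m := EPSV_RE.match(line):
            self._passive(self.server, int(m[1]), "EPSV")
        return self


def inspect(session, client, server):
    """Run a (direction, line) transcript through an inspector and return it."""
    insp = FtpInspector(client, server)
    for direction, line in session:
        insp.feed(direction, line)
    return insp


# Constructed IPv6 session: EPRT before login, a normal EPSV transfer, a bounce attempt, then a valid EPRT.
SESSION = [
    ("s", "220 ftp6.example.net ready"),
    ("c", "EPRT |2|2001:db8:1::10|49152|"), ("s", "503 Login with USER and PASS first"),
    ("c", "USER alice"), ("s", "331 Password required"),
    ("c", "PASS ********"), ("s", "230 User logged in"),
    ("c", "EPSV"), ("s", "229 Entering Extended Passive Mode (|||49153|)"),
    ("c", "LIST"), ("s", "150 Opening data connection"), ("s", "226 Transfer complete"),
    ("c", "EPRT |2|2001:db8:9::bad|49152|"), ("s", "501 Bad address"),
    ("c", "EPRT |2|2001:db8:1::10|49154|"), ("s", "200 EPRT command successful"),
    ("c", "QUIT"), ("s", "221 Goodbye"),
]

if __name__ == "__main__":
    result = inspect(SESSION, "2001:db8:1::10", "2001:db8:2::1")
    print("pinholes opened:", result.opened)
    print("anomalies:", result.anomalies)
```

The two checks that matter most for security are the ones a plain port-based ACL cannot make: the data endpoint must be the peer already on the control channel, and nothing is opened until the server's 230 reply has been seen.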

Additionally, Cisco IOS Firewall now supports Port-to-Application Mapping (PAM) for IPv6. PAM correlates TCP or UDP port numbers with specific network services or applications. By mapping port numbers to network services or applications, an administrator can force firewall inspection on custom configurations that do not use the well-known ports.

Benefits

Investment Protection

A wide range of Cisco routers, from the Cisco 1700 Series through the Cisco 7200 Series, support Cisco IOS Firewall. This further enhances the return on investment in Cisco routers by providing a broad range of network enforcement points that operate in both IPv4 and IPv6 environments.

Protocol Anomaly Detection for FTP

Cisco IOS Firewall maintains the integrity of the network by monitoring for attacks that rely on deviations from the protocol's RFC behavior.

Authorized FTP users allowed

Only users who have been authorized by the destination FTP server can initiate session creation. Cisco IOS Software ensures that unauthorized users cannot take advantage of data and control channels left open by a previous user, which reduces the network's exposure to unauthorized users.

Hardware

Routers

Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

3.3.6) Cisco Easy VPN 4.0

Release 12.3(11)T introduces several enhancements to the Easy VPN Remote:

Easy VPN Remote with IEEE 802.1x Authentication

Cisco Easy VPN 4.0 adds support for 802.1x port-based authentication on the private interfaces of the Easy VPN Remote router. This was not available in previous releases of Easy VPN Remote.

Cisco Easy VPN 4.0 also supports Public Key Infrastructure (PKI) certificates. Previously, only pre-shared keys could be used to authenticate the Internet Key Exchange (IKE) Phase 1 connection. Configuration is the same as for standard site-to-site IPsec. When configuring PKI on the remote router, the subject-name command must be set to the subject name in the certificate, or PKI authentication will fail.

Easy VPN Remote Backup Server List Auto-Configuration

Easy VPN Remote allows the configuration of multiple servers (concentrators) to which the remote router will attempt to connect. With this enhancement, the Easy VPN Server can "push" this server list to Easy VPN Remote clients, eliminating the requirement to manually configure the list of servers on the Easy VPN Remote. Instead, only one server needs to be preconfigured on the remote, and the rest of the server list will be pushed from the server at connect time.

Easy VPN Remote Management Enhancements

This feature simplifies the remote management of a Cisco IOS Router acting as an Easy VPN Remote by making the IP address pushed from the server at connect time fully manageable. The pushed address is automatically assigned to a dynamically created loopback interface, so ping, Telnet, SNMP, and even dynamic routing can use it as the address at which to reach the router. The user can design central-site management solutions that use the pushed address to reach the remote routers. This feature can be enabled in both client mode and network extension mode (NEM); an address can be pushed in NEM as well, although in NEM users can alternatively manage the router through the static IP address assigned to the private interface.

Easy VPN Remote Load Balancing

When configured for load balancing, the Cisco VPN 3000 Series Concentrator accepts an incoming Easy VPN request from the Easy VPN Remote router on its virtual IP address and, if required (for instance, if the server is heavily loaded), sends a "notify" message to the remote containing the IP address of the peer to which the client should connect instead. The Easy VPN Remote router receives this "redirect" message and attempts to connect to the server at the address carried in the notify message. Syslog messages indicate when a transition from one peer to another occurs.

Easy VPN Remote VLAN Support

It is now possible to define a VLAN as an Easy VPN Remote inside (private) interface. This may be an internal VLAN on the remote router (for instance, the switch ports in a Cisco 1711 Router). Once defined, IPsec Security Associations (SAs) are established for the VLAN inside interface just as they are for physical inside interfaces.

Easy VPN Remote Multiple Subnet Support

This enhancement allows multiple subnets on a single inside interface on the Easy VPN Remote router to be defined to Easy VPN. Previously, only a single subnet could be defined for Easy VPN on each inside interface. The subnets can be multiple hops away (cascaded) off the inside interface LAN (for example, the Easy VPN router private interface is connected to a router that has a subnet behind it). The subnets must be configured manually; they cannot be learned by dynamic routing.

Easy VPN Remote and Server on Same Interface

Easy VPN Remote and server functions now can be configured on the same interface. A typical application would be a remote router that acts as a client to the headquarters Easy VPN server, while it acts as a server for local software clients. Such a router typically would have a single public interface to the Internet, and both the server and client functions would be configured on this interface.

Easy VPN Remote and Site-to-Site on Same Interface

Easy VPN Remote and site-to-site (standard IPsec) functions now can be configured on the same interface. A typical application would be a remote router that acts as a client to the headquarters Easy VPN server while it also has a site-to-site tunnel that is used strictly for management.

Easy VPN Perfect Forward Secrecy (PFS) Using Policy Push

The PFS setting for the Easy VPN connection can now be set dynamically at connect time using Mode Configuration (MODCFG) policy push from the server. Previously, PFS had to be configured manually on the Easy VPN Remote.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7100, 7200, and 7500 Series Routers

Cisco 3620, 3640, and 3660 Routers


Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801541d5.html

Product Management Contact: ask-stg-ios-pm@cisco.com

3.3.7) Cisco Security and Router Device Manager 2.0

Cisco Security and Router Device Manager (SDM) 2.0 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize the routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.

Key new features in Cisco SDM 2.0 include support for:

Inline IPS with dynamic signature updates and signature customization (see Cisco IOS IPS)

Role-Based Router Access

Easy VPN Server and AAA

Digital Certificates for IPsec VPNs

VPN and WAN connection troubleshooting

QoS policy configuration and NBAR-based application traffic monitoring

Hardware

Routers

Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7100, 7200, and 7500 Series Routers

Cisco 3620, 3640, and 3660 Routers


Additional Information: http://www.cisco.com/go/sdm

Product Management Contact: ask-stg-ios-pm@cisco.com

3.4) Quality of Service

3.4.1) Cisco AutoQoS for the Enterprise—Suggested Policy

The show auto discovery qos command has been extended to display the Quality of Service (QoS) policy that Cisco AutoQoS suggests, based on the statistics collected during AutoDiscovery. This suggested policy configuration is the one that would be applied in response to the command auto qos.

The new Suggested Policy output follows the existing display of Cisco AutoQoS Class information, showing traffic rates and recommended minimum bandwidth by traffic class, with the recommended class-map and policy-map configuration commands to support the observed traffic.

Figure 28

Cisco AutoQoS for the Enterprise—Suggested Policy

Benefits

The user has several possible options:

1. This enhancement provides the ability to view the policy prior to applying it to the interface with the auto qos command.

2. The user can continue the AutoDiscovery process, collect more traffic statistics, and later view the updated statistics and a new Suggested Policy, which might differ from the earlier one.

3. The user can copy the Suggested Policy, edit it offline, and then apply it to the interface.

4. The Suggested Policy can be compared as a benchmark to existing policy statements.

Hardware

Routers

Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, 3631, 3640, 3640A, 3660, 3725, and 3745 Routers

Cisco 7200 and 7500 Series Routers


Additional Information: http://www.cisco.com/go/qos

Product Management Contact: Tim McSweeney, timcswee@cisco.com

3.5) IP Routing

3.5.1) Border Gateway Protocol Support for Named Extended Community Lists

Border Gateway Protocol (BGP) uses extended community lists to apply policies to groups of prefixes to distinguish routing paths. This enhancement introduces support for named extended community lists. Previously, extended community lists could only be numbered and were limited to a few hundred entries.

Benefits

Improves the customer's ability to manage and troubleshoot BGP policies by using name strings for extended community lists instead of numeric values.

No inherent limit on the number of named extended community lists, provided that they are uniquely named.

Hardware

Routers

Cisco 1700, 2600, 3700, 7200, 7400, 7500 Series, and 7600-MWAM


Product Management Contact: Pepe Garcia, pepe@cisco.com

3.5.2) Border Gateway Protocol Support for Sequenced Entries in Extended Community Lists

Border Gateway Protocol (BGP) uses extended community lists to apply policies to groups of prefixes, in order to distinguish routing paths. These extended community lists are applied in sequential order and can become large in some implementations.

This enhancement provides support for sequencing individual entries in an extended community list.

Benefits

Specific entries within an extended community list can be removed, added, or modified without removing and re-applying the whole list. Each entry has its own sequence number, so configuration changes to individual entries can be made more efficiently.

Hardware

Routers

Cisco 1700, 2600, 3600, 3700, 7200, 7300, 7400, 7500 Series, and 7600-MWAM


Product Management Contact: Pepe Garcia, pepe@cisco.com

3.5.3) Border Gateway Protocol Support for Dual Autonomous System Configuration for Network Autonomous System Migrations

When a Service Provider merges its Autonomous System (AS) with another (for example, through a business acquisition), this feature provides a seamless way to transition customers over to the new AS.

This transition involves two integrated feature components:

Maintaining the TCP session with the customer's router independent of AS.

Modifying the inbound and outbound as-path lists so that this transition to a new AS is as transparent to the customer as possible.

Benefits

This feature allows Service Providers to transition customers more easily from one of their AS numbers to another during the migration. Customers can change the Service Provider AS number in their configurations at their convenience.

Hardware

Routers

Cisco 1700, 2600, 3600, 3700, 7200, 7300, 7400, 7500 Series, and 7600-MWAM


Product Management Contact: Pepe Garcia, pepe@cisco.com

3.5.4) Cisco Optimized Edge Routing Support for Policy-Rules Configuration and Port-Based Prefix Learning

The Cisco Optimized Edge Routing (OER) policy-rules master subcommand facilitates easy switching between configured OER policies. Customers can define more than one oer-map and select the current map with the policy-rules enhancement.

Cisco OER automatically learns prefixes that have the highest throughput or greatest delay. In addition to this automatic prefix learning, Cisco OER now can filter prefixes on the basis of "interesting" protocol-ports configured by the administrator.

Benefits

When the network administrator knows that traffic to certain port ranges, to a particular protocol, or to a particular protocol-port combination is not important and need not be optimized, protocol-port based learning can be configured so that the learning process concentrates on what matters to the administrator and the enterprise.

If the network administrator is interested in learning prefixes destined to or originating from a particular port, a set of ports, or a set of protocols, the protocol-port based learning capability provides additional filters that can be applied to the learning mechanism.

Hardware

Routers

Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers


Considerations

This feature adds more granularity to the learn throughput and learn delay features. It optimizes the learning process by learning the prefixes which the administrator intends to optimize.

Learning, optimizing and maintaining uninteresting, superfluous prefixes can cost CPU cycles, increase maintenance overhead, and consume memory on the master controller and the border routers.

Product Management Contact: Paul Kohler, pkohler@cisco.com

3.5.5) Enabling Open Shortest Path First v2 on an Interface Using the ip ospf area Command

Historically, Open Shortest Path First (OSPF) v2 has been enabled on interfaces through the network command in router ospf configuration mode. The OSPFv2 per-interface area command (ip ospf area) allows OSPF to be enabled in interface configuration mode instead.

Benefits

Useful in scenarios with unnumbered interfaces, where a network statement cannot match the interface address.

Consistent functionality between OSPFv2 and OSPFv3.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7100, 7200, 7301, and 7500 Series Routers


Product Management Contact: Chetan Khetani, cpk@cisco.com

3.6) Manageability

3.6.1) Egress Netflow

Understanding who is using the network and for how long, what protocols and applications are being utilized, and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes: network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting, departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.

NetFlow traditionally monitors IP flows entering or ingress to a Cisco IOS Software device; however, it does not track egress information. Egress NetFlow can track egress IP flows or flows exiting a Cisco IOS Software device. This new capability will ease IP accounting and flow monitoring in some network topologies. For example, egress NetFlow will simplify the tracking of all IP traffic going to a server farm.

Egress NetFlow also enables the tracking of flows after features such as QoS or NAT have changed the IP packet. Egress NetFlow can be used in an MPLS or IP network.

Benefits

Ingress and egress NetFlow accounting within Cisco IOS Software.

Tracking of flow information after other Cisco IOS Software features such as QoS or NAT have changed packet characteristics.

Tracking of all flows egress or exiting a specific interface.

Tracking of all flows entering a specific interface destined to a specific egress interface.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers


Additional Information: http://www.cisco.com/go/netflow

Product Management Contact: Tom Zingale, tomz@cisco.com

3.6.2) Netflow MIB and Top N Talkers

Understanding who is using the network and for how long, what protocols and applications are being utilized and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes: network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting, departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.

NetFlow information is traditionally exported from the router and then stored and analyzed by network management applications. An additional way to retrieve NetFlow data is now available: the NetFlow MIB (cisco-netflow-mib) exposes NetFlow data over SNMP. The MIB also allows NetFlow to be configured and modified through an SNMP interface. The user can easily retrieve a snapshot of IP flow, protocol, and packet size distribution information with SNMP. The NetFlow MIB is very useful for security monitoring and for detecting attacks from flow information. A key feature of the NetFlow MIB is the availability of Top N Talkers and top conversation (NetFlow cache) information. A new show command, part of the Top N Talkers feature, lets users monitor the top conversations in the network from the CLI.
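For the export path that the MIB complements, the following added example (not Cisco code) decodes NetFlow v5 datagrams in Python and derives the same kind of information the Top N Talkers feature reports: the heaviest sources or destinations by byte count, optionally restricted to flows leaving one egress ifIndex (the Egress NetFlow view described in section 3.6.1), plus a per-source fan-out count that surfaces port sweeps. The header and record layouts are those of the published v5 export format; the datagram is built from constructed flows so the script runs offline, and malformed input is rejected rather than trusted, since a collector listens on an unauthenticated UDP port.

```python
"""Decode NetFlow v5 export datagrams and derive Top N talkers and per-source fan-out.

Added example for this page, not Cisco code. The 24-byte header and 48-byte
flow record layouts are those of the published NetFlow v5 export format. The
datagram is built locally by build_v5_datagram() from constructed flows so the
script runs offline; it is not a capture from a router.
"""
import socket
import struct
from collections import defaultdict

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last, srcport, dstport,
# pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def parse_v5(datagram: bytes):
    """Return (header dict, list of flow dicts); raise ValueError on anything that is not well-formed v5."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eid, "sampling": sampling}
    flows = []
    for i in range(count):
        (src, dst, nh, inp, outp, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, smask, dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "input": inp, "output": outp, "packets": pkts, "octets": octets,
                      "sport": sport, "dport": dport, "proto": proto, "flags": flags})
    return header, flows


def safe_parse_v5(datagram: bytes):
    """parse_v5 that returns None instead of raising, for collectors fed untrusted UDP."""
    try:
        return parse_v5(datagram)
    except ValueError:
        return None


def top_talkers(flows, n=5, key="src", out_if=None):
    """Top N addresses by bytes. out_if restricts to flows leaving one ifIndex (an egress view)."""
    totals = defaultdict(int)
    for f in flows:
        if out_if is not None and f["output"] != out_if:
            continue
        totals[f[key]] += f["octets"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def fanout(flows):
    """Distinct (dst, dport) pairs per source: a high count made of tiny flows is a scan signature."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(s) for src, s in seen.items()}


def build_v5_datagram(records, seq=0):
    """Pack constructed flow dicts into a v5 datagram (only here to make the example self-contained)."""
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), socket.inet_aton("0.0.0.0"),
        r.get("input", 1), r.get("output", 2), r["packets"], r["octets"], 0, 0,
        r["sport"], r["dport"], 0, r.get("flags", 0x18), r.get("proto", 6), 0, 0, 0, 24, 24, 0)
        for r in records)
    return V5_HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0) + body


# Constructed flows (documentation addresses): two bulk transfers and one small port sweep.
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "192.0.2.20", "sport": 51000, "dport": 443, "packets": 800, "octets": 900000, "output": 2},
    {"src": "10.1.1.11", "dst": "192.0.2.20", "sport": 51001, "dport": 443, "packets": 100, "octets": 120000, "output": 2},
    {"src": "10.1.1.10", "dst": "192.0.2.30", "sport": 51002, "dport": 22, "packets": 60, "octets": 50000, "output": 3},
] + [
    {"src": "10.1.1.99", "dst": "192.0.2.40", "sport": 40000 + i, "dport": p, "packets": 1, "octets": 60, "flags": 0x02, "output": 2}
    for i, p in enumerate((22, 23, 80, 445))
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)

if __name__ == "__main__":
    header, flows = parse_v5(SAMPLE_DATAGRAM)
    print(f"v{header['version']} datagram with {header['count']} flows")
    print("top talkers:", top_talkers(flows, n=3))
    print("egress via ifIndex 3:", top_talkers(flows, n=3, out_if=3))
    print("fan-out:", fanout(flows))
```

The output ifIndex in each record is what makes the egress view possible without a second export: filtering on it gives the "all flows destined to a specific egress interface" case from section 3.6.1, and the same field identifies traffic heading into a server farm.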

Benefits

A new additional method to retrieve NetFlow information beyond traditional UDP export.

Top N Talker NetFlow information using the CLI and MIB.

MIB access to IP flow, protocol and packet size distribution information.

Retrieval of NetFlow information when the traditional export may not be practical.

Useful security information directly from an SNMP MIB.

Remote configuration of NetFlow features without using CLI.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers


Additional Information:

http://www.cisco.com/go/netflow

http://tools.cisco.com/ITDIT/MIBS/servlet/index

Product Management Contact: Tom Zingale, tomz@cisco.com

3.7) IP Multicast

3.7.1) Multicast Enhancements

Bootstrap Router (BSR) for IPv6 is one of the mechanisms by which an IPv6 PIM router learns the set of group-to-RP mappings required for IPv6 PIM-SM and Bidirectional PIM to function. The mechanism is dynamic, largely self-configuring, and robust to router failure.

Source-based filtering for the multicast boundary adds SSM (S,G) filtering support on the multicast boundary. This extends the "ip multicast boundary <acl>" command to give SSM the same access-control capabilities already offered for ASM, and makes the command more useful as a general tool. The ACL in the "ip multicast boundary <acl>" command can be a standard or an extended ACL.

VRF Aware Multicast Error Messages will display the VRF names for the error messages generated by IP Multicast subsystems when MVPN is in use. This additional information can be better used to associate protocol and packet forwarding events with their MVPNs which can be very useful in software or network problem troubleshooting.

When an MVPN related error message is printed, the first parameter it will display is the VRF name it is related to, followed by whatever is displayed today. This is modeled after the unicast VPN error messages and only applies to the configured VRFs. Error messages related to the global table will stay the same.

Inhibiting customer traffic from flooding the MVPN core automatically sets the default PIM mode of the MDT tunnel according to the PIM mode of the native interfaces in the MVRF. The three possible cases of MVRF interface configuration, and the corresponding MDT tunnel modes, are:

1. All native interfaces are in sparse-dense or dense mode, the MDT tunnel will be in sparse-dense mode.

2. All native interfaces are in sparse mode, the MDT tunnel will be in sparse mode.

3. Some are in sparse and some are in sparse-dense or dense mode, the MDT tunnel will be in sparse-dense mode.

Hardware

Routers

Cisco 2600, 3700, 7100, 7200, and 7500 Series Routers

Cisco 3620, 3640, and 3660 Routers

Cable Access Routers

Cisco uBR905 and Cisco uBR925 Cable Access Routers


Product Management Contact: g_singh@cisco.com

3.8) Embedded Network Management

3.8.1) Service Selection Gateway Support of Overlapping IP Addresses

Service Selection Gateway (SSG) enables Service Providers to offer services in which the provider assigns IP addresses to subscribers. Because Service Providers assign IP addresses from private IP address pools, identical IP addresses could be assigned to different subscribers. The SSG Support for Overlapping Subscriber IP Addresses feature enables SSG to support overlapping subscriber IP addresses by adding VRF support to SSG downlink interfaces. VRF support on SSG downlink interfaces allows the same IP address to be assigned to different subscribers that are bound to different downlink interfaces and connected to different uplink services. VRF support on downlink interfaces also eliminates the need for SSG to perform NAT on the subscriber traffic.

SSG allows subscribers with overlapping IP addresses to access multiple services, so that a subscriber who is assigned an IP address for one service will be able to access other services. To provide access to multiple services, NAT will be performed on the subscriber traffic by SSG or through the Cisco IOS NAT configuration on the router.

Multiple subscribers with overlapping IP addresses can simultaneously connect to a common service, but SSG must perform NAT on all the connections to provide non-overlapping IP addresses.

Benefits

Sometimes Service Providers assign IP addresses from private IP address pools. When subscribers of multiple Service Providers are aggregated on a single platform, different subscribers could be assigned the same IP address. This SSG Support for Overlapping Subscriber IP Addresses feature enables SSG to support overlapping subscriber IP addresses and hence will let providers assign IP addresses from their private address pools.

This feature also avoids NAT for subscribers connecting into their provider's network where IP address conflict does not arise (even though they are private IP addresses, they are within same private IP address pool).

Hardware

Routers

Cisco 2651XM, 3740, 7200, 7301, and 7600 MWAM


Restrictions

The SSG Support for Overlapping Subscriber IP Addresses feature does not support downlink interface redundancy.

The SSG Support for Overlapping Subscriber IP Addresses feature does not add support for uplink VRFs. The next-hops for services must be globally routable; however, if a service is bound to an Ethernet interface, SSG uses the downlink interface VRF for upstream routing. In such cases, the uplink interface could be within a VRF, but the downlink interface must also be on the same VRF.

Cisco IOS VRF-aware NAT for overlapping users cannot be configured for subscribed services. It can be used for open garden services and services bound to Ethernet interfaces (broadcast interfaces). For all other cases in which services are bound to next-hops, SSG NAT must be used. SSG does not support Cisco IOS NAT for open garden services bound by next-hops.

Product Management Contact: mkolli@cisco.com

3.8.2) Service Selection Gateway Support for Radius Attributes 27 and 29

The Service Selection Gateway (SSG) Support for RADIUS Attributes 27 and 29 feature makes SSG compliant with RFC 3580 with respect to RADIUS attributes 27 (Session-Timeout) and 29 (Termination-Action). RFC 3580 recommends using attributes 27 and 29 in Access-Accept packets during authentication to enforce periodic re-authentication of users. See RFC 3580, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", for details.

When the Termination-Action attribute calls for re-authentication after the session timeout, SSG uses the cached username and password to re-authenticate. If SSG does not have these credentials, the session is brought down as if re-authentication had failed. In deployments that authenticate users with one-time passwords, the cached password is no longer valid, so SSG re-authentication fails and the session is brought down.

For SSG transparent auto-logon (TAL) hosts (TAL users who have host objects created on SSG), SSG will perform TAL reauthorization upon session timeout whenever attribute #29 is present in the RADIUS profile of the user. (Note that for TAL users, SSG performs re-authorization and not re-authentication because the user profile is downloaded on the basis of the IP address and service password).

In SSG RADIUS proxy deployments, SSG will not perform session timeout processing when attribute #29 is present in the Access-Accept packet and is set to re-authenticate.
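As an added example rather than SSG code, the Python below builds and verifies a RADIUS Access-Accept that carries Session-Timeout (27) and Termination-Action (29), decodes the two attributes into the action the NAS should take when the timer expires, and models the caveat above: re-authentication only succeeds when reusable credentials are cached, so a missing cache or a one-time password ends the session. The shared secret and Request Authenticator are constructed; the packet layout and Response Authenticator follow RFC 2865, and the attribute semantics follow RFC 3580.

```python
"""Build, verify and act on a RADIUS Access-Accept carrying Session-Timeout (27) and Termination-Action (29).

Added example for this page, not Cisco SSG code. Packet layout and the
Response Authenticator (MD5 over Code+ID+Length+RequestAuth+Attributes+Secret)
follow RFC 2865; attribute semantics follow RFC 2865 and RFC 3580
(Termination-Action 0 = Default, 1 = RADIUS-Request). The shared secret and
request authenticator are constructed for the example.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TERM_DEFAULT, TERM_RADIUS_REQUEST = 0, 1


def encode_attrs(attrs):
    """Encode (type, value) pairs as Type/Length/Value; ints become 4-byte big-endian integers."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_accept(ident, request_auth, secret, attrs):
    """Server side: Access-Accept whose Response Authenticator binds it to the request and the secret."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response(packet, request_auth, secret):
    """NAS/SSG side: accept the reply only if the Response Authenticator checks out."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Walk the attribute area; a bad length field is a malformed packet, not a skippable attribute."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def session_policy(attrs):
    """Return ('reauthenticate' | 'terminate' | 'none', timeout) as RFC 3580 reads attributes 27 and 29."""
    timeout, action = None, TERM_DEFAULT
    for attr_type, value in attrs:
        if attr_type == SESSION_TIMEOUT and len(value) == 4:
            timeout = struct.unpack("!I", value)[0]
        elif attr_type == TERMINATION_ACTION and len(value) == 4:
            action = struct.unpack("!I", value)[0]
    if timeout is None:
        return ("none", None)
    return ("reauthenticate" if action == TERM_RADIUS_REQUEST else "terminate", timeout)


def on_timeout(action, cached_credentials, one_time_password=False):
    """What SSG does when the timer fires: re-auth needs cached, reusable credentials, otherwise the session drops."""
    if action != "reauthenticate":
        return "terminate"
    if cached_credentials is None or one_time_password:
        # No cached password, or a one-time password the server will reject: same outcome as a failed re-auth.
        return "terminate"
    return "reauthenticate"


# Constructed values for the example; a real NAS uses a random 16-byte Request Authenticator per request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(
    7, REQUEST_AUTH, SECRET,
    [(SESSION_TIMEOUT, 3600), (TERMINATION_ACTION, TERM_RADIUS_REQUEST)])

if __name__ == "__main__":
    print("authentic:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    action, timeout = session_policy(parse_attrs(SAMPLE_ACCEPT))
    print(f"after {timeout}s: {action}; with cached creds -> {on_timeout(action, ('alice', 'pw'))}; "
          f"with OTP -> {on_timeout(action, ('alice', 'otp'), one_time_password=True)}")
```

Verifying the Response Authenticator before acting on attributes 27 and 29 is the step that keeps a spoofed Access-Accept from setting a session's lifetime; without it, anyone who can reach the NAS's RADIUS port could extend or shorten sessions at will.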

Benefits

Service Providers can implement a time-based prepaid billing model with standard RADIUS attributes (unlike SSG's own prepaid model, which is proprietary and more extensive).

Service Providers that already have a billing system based on these RADIUS attributes can introduce SSG into that business system easily.

Hardware

Routers

Cisco 2651XM, 3740, 7200, 7301, and 7600 MWAM


Restrictions

In SSG RADIUS proxy deployments, SSG will not perform session timeout processing when attribute #29 is present in the Access-Accept packet and is set to re-authenticate.

SSG uses the cached username and password when re-authenticating. If SSG does not have these credentials, the session is brought down as if re-authentication had failed. In deployments that authenticate users with one-time passwords, SSG re-authentication fails and the session is brought down.

Product Management Contact: mkolli@cisco.com

3.8.3) Service Selection Gateway Default Quota for Prepaid Billing Server Failure

The Service Selection Gateway (SSG) Default Quota for Prepaid Billing Server Failure feature allows SSG to allocate a default quota when the prepaid server fails to respond to an authorization request. This lets prepaid users connect to a service even when the prepaid server is unavailable during authorization. SSG can be configured to allocate multiple default quotas, up to a configured maximum. SSG also allocates default quotas when the prepaid server does not respond to reauthorization requests, which prevents existing connections from being terminated.

SSG can be configured to allocate a default quota when the prepaid server fails to respond to an authorization request. The default quota for a service is specified in the service profile. SSG stores the value when the service profile is downloaded from the AAA server. If the prepaid server is not accessible during initial authorization, SSG allocates the default quota and activates the connection, thus allowing the prepaid user to connect to the respective service.

When a default quota expires, SSG attempts to reauthorize the user. If the prepaid server still does not respond, SSG will allocate another default quota. SSG will allocate multiple default quotas up to a configured maximum. Once SSG has allocated the configured maximum number of default quotas, no further default quota allocations will be made, and the user's connection to the service will be terminated.

SSG will also allocate default quotas when the prepaid server fails during the reauthorization of existing connections. Allocation of a default quota for the reauthorization of an existing connection prevents the connection from being terminated due to the unavailability of the prepaid server.

Benefits

This enhancement ensures continued subscriber connectivity across temporary connection failures with prepaid billing servers.

Hardware

Routers

Cisco 2651XM, 3740, 7200, 7301, and 7600 MWAM


Considerations

The default quota is applicable for prepaid services only.

The default quota will be used only when the prepaid billing server is not available; that is, when the RADIUS packet retransmit times out.

Product Management Contact: mkolli@cisco.com

3.8.4) Service Selection Gateway Support for Dynamic Load Balancing

The Service Selection Gateway (SSG) Support for Dynamic Load Balancing feature enables the Dynamic Feedback Protocol (DFP) to be used to facilitate dynamic load balancing among multiple Service Selection Gateways (SSGs). When DFP support is configured on SSG, SSG registers with the DFP agent and hands over weights at configured intervals. The DFP agent conveys the weights to a DFP manager, such as a Cisco IOS Server Load Balancing device, which uses the weights to determine load balancing among the SSGs.

When multiple SSGs are deployed with Cisco IOS Server Load Balancing, DFP enables the real servers (the SSGs) to communicate server health to the DFP manager. SSG registers with the DFP agent and hands over weights at configured intervals. The DFP agent calculates relative weights for SSG on the basis of three factors:

The DFP weight configured for the SSG

CPU load

Memory utilization

The weights are conveyed by the DFP agent to the load balancer, which uses the weights in an algorithm to determine load balancing among the SSG devices. A higher weight for a server indicates higher availability; a weight of zero indicates that a server has no availability.

SLB always uses weights to balance loads. If DFP is not configured or if the DFP connection has been terminated and the DFP agent cannot relay the current weights, SLB uses static weights that have been configured for the server. If weights have not been configured, SLB uses default weights.

Benefits

Allows multiple SSGs with different CPU power and memory to be used together easily in a single SSG network with a load balancer.

Increased session reliability by preventing a busy SSG from receiving too many new connection requests.

Allows a new SSG that is being introduced into an existing SSG farm to come up to equal load as the other SSGs dynamically.

Hardware

Routers

Cisco 2651XM, 3740, 7200, 7301, and 7600 MWAM


Product Management Contact: mkolli@cisco.com

3.9) IP Addressing and Services

3.9.1) First Hop Redundancy Protocols—Virtual Router Redundancy Protocol MIB RFC 2787

Cisco First Hop Redundancy Protocols (FHRP) is the collective name for three separate features in Cisco IOS Software:

Hot Standby Router Protocol (HSRP)

Gateway Load Balancing Protocol (GLBP)

Virtual Router Redundancy Protocol (VRRP)

Support for the VRRP MIB (RFC 2787) enables customers who have selected VRRP within Cisco IOS Software for redundancy to use SNMP to configure and monitor their VRRP redundancy groups. Set, Get, and Trap operations are all supported.

Benefits

Ability to use SNMP to remotely configure and monitor all aspects of a VRRP redundancy group. Because Set operations are supported, SNMP write access to this MIB should be restricted as tightly as any other configuration path to the router.

Set and configure VRRP on the routers.

Get and retrieve detailed information on the state of the VRRP groups and each router in the VRRP groups.

Traps, and the ability to receive indications for events such as the transition of a router in a VRRP group to the 'Master' state.

Hardware


Additional Information:

For details of the MIB, refer to RFC 2787 and download the VRRP MIB from Cisco.

Definitions of Managed Objects for the Virtual Router Redundancy Protocol
http://www.ietf.org/rfc/rfc2787.txt

http://tools.cisco.com/ITDIT/MIBS/servlet/index

Product Management Contact: Mark Denny, mdenny@cisco.com

3.10) Connectivity

3.10.1) Upstream Connection Speed Transfer at LAC

This feature allows the configuration for Layer 2 Tunneling Protocol (L2TP) Attribute-Value Pair 38 (AVP) at the L2TP Access Concentrator (LAC). AVP38 allows the communication of the upstream (from the remote site to the LAC) connection speed and complements Cisco's existing support for AVP24 for downstream (from LAC to remote site) connection speed. This support allows for the creation of asymmetric broadband services where the upstream and downstream connection speeds differ.
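The following Python is an added example, not Cisco code or any part of Cisco IOS: it encodes and parses L2TP AVPs in the RFC 2661 wire format and extracts AVP 24 and AVP 38 from an ICCN message. The ICCN bytes and the ADSL speeds in it are constructed for the demonstration. It also shows the two checks a practitioner would want when reading these values off the wire: length fields are validated before indexing, and an AVP with the H (hidden) bit set is not interpreted, because its value cannot be read without the tunnel shared secret.

```python
"""L2TP AVP encoder/parser for the connect-speed attributes (RFC 2661).

Added example, not Cisco code. The sample ICCN below is constructed.
AVP header: 16 bits = M bit, H bit, 4 reserved bits, 10-bit length
(including the 6-byte header), then 16-bit Vendor ID and 16-bit Attribute
Type, then the value.
"""
import struct
from typing import Dict, List, Optional

AVP_MESSAGE_TYPE = 0
AVP_TX_CONNECT_SPEED = 24   # "(Tx) Connect Speed": LAC -> remote site, downstream, bps
AVP_RX_CONNECT_SPEED = 38   # "Rx Connect Speed": remote site -> LAC, upstream, bps
MSG_TYPE_ICCN = 12


def build_avp(attr_type: int, value: bytes, mandatory: bool = True,
              hidden: bool = False, vendor_id: int = 0) -> bytes:
    """Encode one AVP with the given flags."""
    length = 6 + len(value)
    if length > 0x03FF:
        raise ValueError("AVP too long for the 10-bit length field")
    flags_len = (0x8000 if mandatory else 0) | (0x4000 if hidden else 0) | length
    return struct.pack("!HHH", flags_len, vendor_id, attr_type) + value


def parse_avps(payload: bytes) -> List[Dict]:
    """Split a control-message body into AVPs. Raises on a truncated or
    undersized AVP instead of reading past the buffer."""
    avps = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 6:
            raise ValueError("truncated AVP header at offset %d" % off)
        flags_len, vendor_id, attr_type = struct.unpack_from("!HHH", payload, off)
        length = flags_len & 0x03FF
        if length < 6 or off + length > len(payload):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        avps.append({
            "mandatory": bool(flags_len & 0x8000),
            "hidden": bool(flags_len & 0x4000),
            "vendor_id": vendor_id,
            "type": attr_type,
            "value": payload[off + 6:off + length],
        })
        off += length
    return avps


def connect_speeds(payload: bytes) -> Dict[str, Optional[int]]:
    """Return downstream (AVP 24) and upstream (AVP 38) speeds in bps.
    A hidden AVP, or one with an unexpected value size, is left as None
    rather than misread."""
    speeds: Dict[str, Optional[int]] = {"downstream_bps": None, "upstream_bps": None}
    for avp in parse_avps(payload):
        if avp["vendor_id"] != 0:
            continue                      # vendor-specific AVP, not ours
        if avp["type"] == AVP_TX_CONNECT_SPEED:
            key = "downstream_bps"
        elif avp["type"] == AVP_RX_CONNECT_SPEED:
            key = "upstream_bps"
        else:
            continue
        if avp["hidden"] or len(avp["value"]) != 4:
            continue                      # cannot be read safely; stays None
        speeds[key] = struct.unpack("!I", avp["value"])[0]
    return speeds


# Constructed ICCN body for an ADSL line: 8 Mbit/s down, 768 kbit/s up.
SAMPLE_ICCN = (
    build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_TYPE_ICCN))
    + build_avp(AVP_TX_CONNECT_SPEED, struct.pack("!I", 8_000_000))
    + build_avp(AVP_RX_CONNECT_SPEED, struct.pack("!I", 768_000), mandatory=False)
)

if __name__ == "__main__":
    print(connect_speeds(SAMPLE_ICCN))
```

The asymmetric service the text describes shows up as two different numbers in the result. An LAC that sends only AVP 24 leaves upstream_bps at None, which is the case the LNS must still handle.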

Benefits

Allows support of asymmetric broadband service speeds such as Asymmetric DSL (ADSL).

Better compliance with RFC2661 for L2TP.

Required for regulatory compliance in European countries like Germany.

Hardware

Routers

Cisco 7200, 7300, and 7400 Series Routers


Product Management Contact: sbhardwa@cisco.com

3.10.2) Configurable MAC Address for bba-group

This feature allows separate MAC addresses to be configured for PPPoE and RBE sessions on the same physical ATM interface. This is important because the aggregation router, as shown in Figure 29, uses the ATM interface's MAC address as the source address for both the incoming PPPoE and RBE sessions. Where multiple hosts exist and both PPPoE and RBE sessions have been initiated, the MAC address must be configurable (rather than simply taken from the ATM interface of the CPE router) so that the different session types can be differentiated. This feature is available only under the bba-group configuration mode and requires each session to be on its own PVC.

Figure 29

Configurable MAC Address for bba-group

Benefits

Allows support of multiple session types, like RBE and PPPoE, on the same ATM interface for broadband applications.

Hardware

Routers

Cisco 7200, 7300, and 7400 Series Routers


Considerations

Only configurable under the bba-group mode and not vpdn-group mode.

Requires each session to be on its own PVC.

Product Management Contact: sbhardwa@cisco.com

4) Release 12.3(8)T Highlights

Table 4  Release 12.3(8)T Feature Highlights 

4.1.1) Cisco 2800 Series Integrated Services Router

4.1.2) Cisco 1800 Series Integrated Services Router

4.2.1) Dynamic Multipoint VPN Spoke to Spoke Functionality

4.2.2) Cisco IOS Network Admission Control

4.2.3) Quality of Service per VPN Group

4.2.4) Cisco AutoSecure Rollback & Logging

4.2.5) Easy Secure Device Deployment Authentication, Authorization, and Accounting Integration

4.2.6) Cisco IOS Resilient Configuration

4.2.7) Call Admission Control for Internet Key Exchange

4.2.8) Certificate to Internet Security Association and Key Management Protocol Profile Mapping

4.2.9) Crypto Access Check On Clear Text Packet

4.3.1) Support for RFC 3519 NAT Traversal

4.4.1) Cisco AutoQoS AutoDiscovery "Trust" Option

4.5.1) Cisco Optimized Edge Routing

4.5.2) Enhanced Interior Gateway Routing Protocol Support for Route Map Filtering

4.5.3) Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE Site of Origin

4.5.4) Border Gateway Protocol Cost Community Support for Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE with Back Door Links

4.6.1) Cisco IOS Service Assurance Agent Multiple Operation Scheduling

4.6.2) MPLS Aware NetFlow

4.6.3) Service Selection Gateway Interface Redundancy

4.7.1) Dynamic Host Configuration Protocol—Dynamic Default Gateway on a Statically Configured Route

4.7.2) Dynamic Host Configuration Protocol—Configurable DHCP Client

4.7.3) First Hop Routing Protocols—Object Tracking List Support

4.7.4) Network Address Translation—Support for H.323 Fragmented Control Messages

4.8.1) Explicit Call Transfer for ETSI PRI

4.8.2) Protocol Translation Template

4.8.3) Asynchronous Line Monitoring


4.1) New Hardware Support

4.1.1) Cisco 2800 Series Integrated Services Router

The Cisco 2800 Series comprises four new routers: Cisco 2801, 2811, 2821, and 2851 Routers. The Cisco 2800 Series provides significant additional value compared to prior generations of Cisco routers at similar price points by offering up to a fivefold performance improvement, up to a tenfold increase in security and voice performance, new embedded service options, and dramatically increased slot performance and density while maintaining support for most of the more than 90 existing modules that are available today for the Cisco 1700 Series and Cisco 2600 Series.

The Cisco 2800 Series features the ability to deliver multiple high-quality simultaneous services at wire speed up to multiple T1/E1/xDSL connections. The routers offer embedded encryption acceleration and motherboard voice digital-signal-processor (DSP) slots; intrusion prevention system (IPS) and firewall functions; integrated call processing and voice mail; high-density interfaces for a wide range of connectivity requirements; and sufficient performance and slot density for future network expansion requirements and advanced applications.

Figure 30

Cisco 2800 Series

Benefits

A wide variety of LAN and WAN options are available. Network interfaces can be upgraded in the field to accommodate future technologies, and several types of slots are available to add connectivity and services in the future on an "integrate-as-you-grow" basis.

Each of the Cisco 2800 Series routers comes standard with embedded hardware cryptography accelerators, which when combined with an optional Cisco IOS Software upgrade help enable WAN link security and VPN services.

The Cisco 2800 helps enable end-to-end solutions with full support for the latest Cisco IOS Software-based QoS, bandwidth management, and security features.

The Cisco 2811, 2821, and 2851 have a built-in connector for an external redundant power supply. The supply can be shared with other Cisco products and protects the network components from downtime due to power failures.

Hardware

Routers

Cisco 2800 Series Integrated Services Routers


Additional Information: http://www.cisco.com/en/US/products/ps5854/index.html

Product Management Contact: cs-2800@cisco.com

4.1.2) Cisco 1800 Series Integrated Services Router

Cisco 1800 Series Integrated Services Routers are the next evolution of the award-winning Cisco 1700 Series modular access routers. The Cisco 1841 Router is designed for secure data connectivity and provides significant additional value compared to prior generations of Cisco 1700 Series routers by offering more than a fivefold performance increase, integrated hardware-based encryption enabled by an optional Cisco IOS Software security image, and a dramatic increase in interface card slot performance and density while maintaining support for more than 30 existing WAN interface cards (WICs) and multiflex trunk cards (voice/WICs [VWICs]—for data only on the Cisco 1841 router) of the Cisco 1700 Series.

The Cisco 1841 Router features secure, fast, and high-quality delivery of multiple, concurrent services for small-to-medium-sized businesses and small enterprise branch offices. The Cisco 1841 router offers embedded hardware-based encryption enabled by an optional Cisco IOS Software security image; further enhancement of VPN performance with an optional VPN acceleration module; an intrusion prevention system (IPS) and firewall functions; interfaces for a wide range of connectivity requirements, including support for optional integrated switch ports; plus sufficient performance and slot density for future network expansion and advanced applications, as well as an integrated real-time clock.

Figure 31

Cisco 1800 Series

Benefits

Supports concurrent deployment of high-performance, secure data services with headroom for future applications.

Offers a cryptography accelerator as standard integrated hardware that can be enabled with an optional Cisco IOS Software image for 3DES and AES encryption support.

Provides 32 MB of Flash and 128 MB of synchronous dynamic RAM (SDRAM) memory to support deployment of concurrent services.

Supports the Cisco 1841 router starting with Cisco IOS Software Release 12.3T and helps enable end-to-end solutions with support for latest Cisco IOS Software-based QoS, bandwidth management, and security features.

New intrusion-detection-system (IDS) signatures can be dynamically loaded independent of the Cisco IOS Software release.

Hardware

Routers

Cisco 1800 Series Integrated Services Routers


Additional Information: http://www.cisco.com/en/US/products/ps5853/index.html

Product Management Contact: cs-1800@cisco.com

4.2) Cisco IOS Security

4.2.1) Dynamic Multipoint VPN Spoke to Spoke Functionality

Dynamic Multipoint VPN (DMVPN) Spoke to Spoke Functionality allows dynamic on-demand direct spoke to spoke tunnels to be created between two DMVPN spoke CPEs without traversing the hub. This feature enables production-ready spoke-to-spoke functionality in a single hub and multi-hub environment in a DMVPN network. It also incorporates increased spoke to spoke resiliency and redundancy in multi-hub configurations.

Figure 32

Dynamic Multipoint VPN Spoke to Spoke Functionality

Benefits

Direct Spoke-to-Spoke Tunnels

This functionality allows direct spoke to spoke tunnel creation between two branch offices without the traffic having to go through the hub. Spokes can take advantage of an internet connection directly available between them. This leads to reduced latency and jitter for spoke to spoke traffic and improved bandwidth utilization. DMVPN networks deliver a lower cost per MByte of Bandwidth than native IPsec networks because the spoke to spoke traffic is not restricted by hub bandwidth utilization and at the same time it does not add any additional overhead to the hub bandwidth utilization.

Avoids Dual Encrypts and Decrypts

Native IPsec and IPsec + GRE networks are organized as hub-and-spoke networks. As a result, all spoke-to-spoke traffic goes through the hub and must be decrypted and re-encrypted there, putting an additional burden on the hub CPU. DMVPN alleviates the problem by creating direct on-demand spoke-to-spoke tunnels.

Smaller Spoke CPEs can Participate in a Virtual On-Demand Full Mesh

DMVPN allows smaller spoke CPE to participate in a virtual on-demand full mesh. Creating and managing a full mesh is often not possible for smaller spoke CPE that cannot handle more than a dozen IPsec tunnels. DMVPN allows the spokes to create tunnels to other spokes on demand and tear them down after use.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200, and 7400 Series Routers

Switches

Cisco Catalyst 6000 Series Switch with MWAM Card and VPNSM Module


Additional Information:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

Product Management Contact: IOS-Security-PM@cisco.com

4.2.2) Cisco IOS Network Admission Control

Cisco IOS Network Admission Control (NAC) adds vital access router support for the Cisco NAC solution, which empowers organizations to contain security threats before they cause damage. Cisco IOS NAC, the software-based portion of this solution, enables Cisco access routers to detect a user's compliance with anti-virus policies, and thus enforce network access privileges appropriately. Non-compliant devices can be denied access, placed in a quarantined area, or given restricted access to computing resources. The access decision can be based on information such as the endpoint's anti-virus state and operating system patch level.

Cisco NAC now enables Cisco IOS Software devices to identify and isolate unprotected or infected hosts as they connect to the network, thereby preventing them from potentially spreading viruses in the network. Network administrators can define and enforce posture validation of endpoint devices connecting to the network.

The initial release of Cisco NAC consists of four components:

Cisco Trust Agent: software that resides on the endpoint system. Cisco Trust Agent collects security state information from multiple security software clients, such as anti-virus clients, and communicates this information back to the Cisco IOS network access device, which enforces admission control.

Network Access Devices: network devices (Cisco IOS Software routers) enforce admission control policy. These devices demand host security "credentials" and relay the information to policy servers where network admission control decisions are made. Decisions could include permit, deny, quarantine, or restrict.

Policy Server (Cisco Secure Access Control Server [ACS]): evaluates the endpoint security information relayed from the Cisco IOS Software device and determines the appropriate policy to implement. Cisco ACS is the foundation of the policy server system.

Management System: CiscoWorks VPN/Security Management Solution (VMS) provisions Cisco NAC elements, while CiscoWorks Security Information Manager Solution (SIMS) provides monitoring and reporting tools.

This release of Cisco NAC addresses the two most pressing compliance tests required: anti-virus software state and operating system information. These tests include anti-virus vendor software version, engine level, and signature file levels as well as the operating system type and patch levels. Anti-virus vendors, such as Network Associates, Symantec and Trend Micro, are integrating their applications with Cisco NAC.

Figure 33

Cisco IOS Software Router Support for Cisco IOS NAC

Improved Security

Cisco NAC helps ensure that all hosts comply with the latest corporate anti-virus and operating system patch policies prior to obtaining normal network access. Vulnerable and noncompliant hosts may be isolated and assigned reduced access until they are patched and secured, preventing them from being the targets of or the sources for worm and virus infections.

Investment Protection

Cisco NAC is supported on a broad range of Cisco IOS Software routers, ranging from the Cisco 800 Series to the Cisco 7200 Series Routers. This solution integrates and increases the value of investments in the Cisco network infrastructure, Cisco endpoint security, and anti-virus technology.

Deployment Scalability

Cisco NAC provides comprehensive access control across all access methods that hosts use to connect to the network. It also supports heterogeneous vendor scenarios. This solution also allows the setting of differentiated access policy for responsive hosts (those running the Cisco trust agent) and non-responsive hosts.

Increased Resilience and Availability

By taking information about endpoint security status and combining it with network admission enforcement, Cisco NAC enables customers to dramatically improve the security of their computing infrastructures.

Multiple Vendor Compatibility

In addition to the initial list of partners, Cisco will continue to work with more anti-virus and host-based application vendors to allow customers greater flexibility in the choice of anti-virus vendors.

Hardware

Routers

Cisco 831, 836 and 837 Routers

Cisco 1701, 1711, 1712, 1721, 1751, 1751-V and 1760 Routers

Cisco 2600XM and 2691 Routers

Cisco 3640, 3640 A, and 3660-ENT Series Routers

Cisco 3825 and 3745 Routers

Cisco 7200, 7301, and 7401 Routers

Access Servers

Cisco AS5350, AS5400, AS5850 Access Servers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: IOS-Security-PM@cisco.com

4.2.3) Quality of Service per VPN Group

Quality of Service (QoS) per VPN Group allows Cisco IOS QoS mechanisms to be applied to a group of IPsec flows. All flows that belong to the same ISAKMP profile can be classified together and policed on an interface that has both a crypto map and a service policy applied to it.

The QoS per VPN session group feature is well suited to situations where a head-end device has large groups of IPsec peers. For example, in Figure 34 the IPsec peers of the head-end router are executives, engineers, and sales. Each group is identified by its IPsec Security Association (SA). The QoS policies applied to IPsec flows are based on a QoS group ID; the IDs are mapped to a QoS group, which is used in the definition of class maps for QoS. From there, the QoS policies are applied at group level.

Figure 34

QoS with Cisco IOS VPN

Benefits

QoS per VPN session group feature can provide several benefits to the user. This feature can be used to:

Enable allocation of QoS policies on per group basis.

Ensure equal access to available bandwidth across multiple links in a service provider environment.

Guarantee certain customers a minimal amount of bandwidth.

Hardware

Routers

Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, 7400, and 7500 Series Routers

Cable Access Routers

Cisco uBR905 and uBR925 Cable Access Routers

Universal Broadband

Cisco uBR7200 Series Universal Broadband Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: IOS-Security-PM@cisco.com

4.2.4) Cisco AutoSecure Rollback & Logging

Cisco AutoSecure, originally introduced in Cisco IOS Software Major Release 12.3 (May 2003), enables rapid implementation of security policies and procedures to ensure secure networking services by offering a single CLI command to lock down the device.

Cisco AutoSecure Rollback enhances the feature by providing a method to restore the system configuration to its state prior to execution of the autosecure command. Before the autosecure command runs, the feature takes a snapshot of the current running configuration and stores it on the ATA disk. When rollback is initiated, the system is restored to the snapshot configuration.

Rollback can occur in either automated or manual mode. Automated rollback is initiated if Cisco AutoSecure experiences a failure during its operation. In manual mode, the user issues the standard CLI rollback command and the rollback process begins.

Cisco AutoSecure Logging generates a syslog message when the autosecure set of commands is executed.

Benefits

Simplifies Device Lockdown

With Cisco AutoSecure Rollback & Logging, users can be more confident using Cisco AutoSecure. If the command was issued accidentally, the configuration can easily be restored to its original state.

Tracking of Cisco AutoSecure Execution

With the Cisco AutoSecure logging feature, a system administrator can track when autosecure has been executed.

Hardware

Routers

Cisco 2691 Router

Cisco 1700 and 3700 Series Routers

Cisco 7200 Series with ATA Disk


Product Management Contact: IOS-Security-PM@cisco.com

4.2.5) Easy Secure Device Deployment Authentication, Authorization, and Accounting Integration

Easy Secure Device Deployment (SDD) Authentication, Authorization, and Accounting (AAA) Integration allows an end device to connect to another end device using Trusted Transitive Introduction (TTI) to deploy Public Key Infrastructure (PKI) without having to be "introduced" by a third device, such as a system administrator. If the first end device has an account on an AAA server, it can obtain authentication and authorization directly from the server database, which eliminates the need to obtain an access password from the third device.

Figure 35

Easy SDD AAA Integration

Benefits

User does not need to enable passwords for devices, because AAA verifies the credentials.

Simplified PKI enrollment and deployment, because the two end devices can now connect directly without the intervention from a system administrator.

User authentication and configuration update occurs through AAA.

Hardware

Routers

Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, 7400, and 7500 Series Routers

Cable Access Routers

Cisco uBR905 and uBR925 Cable Access Routers

Universal Broadband

Cisco uBR7200 Series Universal Broadband Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: IOS-Security-PM@cisco.com

4.2.6) Cisco IOS Resilient Configuration

Cisco IOS Resilient Configuration provides a safeguard to restore the configuration after unwanted erasure of the Cisco IOS Software configuration.

After an accidental or malicious erasure of the configuration, the device cannot operate normally, resulting in network downtime. By using the Cisco IOS Resilient Configuration feature as a precautionary measure, administrators can quickly restore the system to a running state.

The Cisco IOS Resilient Configuration CLI command takes a snapshot of the running router configuration and securely archives it in persistent storage. The archived file is hidden and cannot be viewed or removed; it can only be overwritten. The restore option reproduces a copy of the secure configuration archive, and the system is restored.

This feature requires devices that support a PCMCIA ATA disk.

Benefits

Enhances Protection of the Cisco IOS Software Configuration

Because the archived configuration file is hidden and cannot be removed, a backup copy remains on the device even if the running configuration is erased, whether accidentally or intentionally.

Rapid Recovery of the System Configuration

Since a copy of the configuration is stored right on the device and Resilient configuration feature provides a quick restore command, system administrators can quickly restore a system to a running state.

Hardware

Routers

Cisco 2691 Router

Cisco 1700 and 3700 Series Routers

Cisco 7200 Series with ATA Disk


Product Management Contact: IOS-Security-PM@cisco.com

4.2.7) Call Admission Control for Internet Key Exchange

This feature helps VPN tunnel stability and router resource usage by rate limiting the number of concurrent incoming and outgoing Internet Key Exchange (IKE) requests that are processed, depending on the resources available on the router. The feature also allows a hard limit to be applied to the number of IKE requests handled by a device.
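As an added example (not Cisco's implementation, whose internals and default thresholds this page does not describe), the Python below models the two controls named above: a hard limit on IKE negotiations in flight and a resource-based limit tied to free memory. The timeout that reaps negotiations that never complete is an assumption added here, because without it a burst of spoofed initiators would hold the hard limit indefinitely. Thresholds, peer addresses, and the simulation scenario are constructed for the example.

```python
"""Call admission control for IKE negotiations.

Added example, not Cisco code. Models a hard limit on in-flight
negotiations plus a resource-based limit; the negotiation timeout and all
numeric thresholds are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IkeAdmission:
    hard_limit: int                 # max negotiations allowed in flight at once
    min_free_memory_pct: float      # resource-based limit: refuse below this headroom
    negotiation_timeout: float      # seconds before an unfinished negotiation is reaped
    in_negotiation: Dict[str, float] = field(default_factory=dict)  # peer -> start time
    rejected: int = 0

    def expire(self, now: float) -> int:
        """Reap negotiations that never completed. Without this, spoofed
        initiators that never answer would pin the hard limit and turn the
        protection itself into a denial of service."""
        stale = [p for p, t0 in self.in_negotiation.items()
                 if now - t0 > self.negotiation_timeout]
        for p in stale:
            del self.in_negotiation[p]
        return len(stale)

    def admit(self, peer: str, now: float, free_memory_pct: float) -> bool:
        """Decide whether to start processing an IKE request from `peer`.
        A retransmit from a peer already in negotiation is not new load and
        is accepted; a new peer is checked against the hard limit and then
        the resource limit."""
        self.expire(now)
        if peer in self.in_negotiation:
            return True
        if len(self.in_negotiation) >= self.hard_limit:
            self.rejected += 1
            return False
        if free_memory_pct < self.min_free_memory_pct:
            self.rejected += 1
            return False
        self.in_negotiation[peer] = now
        return True

    def complete(self, peer: str) -> None:
        """Called when the SA is established or the negotiation is torn down."""
        self.in_negotiation.pop(peer, None)


def simulate_flood(limit: int, attackers: List[str], legit_peer: str,
                   timeout: float = 30.0) -> Tuple[bool, bool]:
    """Constructed scenario: a burst of spoofed initiators that never finish,
    then a legitimate peer arriving immediately and again after the timeout.
    Returns (admitted immediately, admitted after the stale entries expire)."""
    cac = IkeAdmission(hard_limit=limit, min_free_memory_pct=10.0,
                       negotiation_timeout=timeout)
    for p in attackers:
        cac.admit(p, now=0.0, free_memory_pct=70.0)
    first = cac.admit(legit_peer, now=1.0, free_memory_pct=70.0)
    later = cac.admit(legit_peer, now=timeout + 2.0, free_memory_pct=70.0)
    return first, later


if __name__ == "__main__":
    spoofed = ["198.51.100.%d" % i for i in range(60)]   # constructed addresses
    print(simulate_flood(50, spoofed, "203.0.113.7"))
```

The scenario shows the trade-off the feature implies: during the flood a legitimate peer is refused along with the attackers, so the hard limit protects the router's CPU and memory rather than any individual tunnel, and the timeout bounds how long that refusal lasts.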

Benefits

Prevention of poor performance or resource overload.

Protection of the router from Denial of Service (DoS) attacks that use large numbers of IKE requests.

Hardware

Routers

Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, 7400, and 7500 Series Routers

Cable Access Routers

Cisco uBR905 and uBR925 Cable Access Routers

Universal Broadband

Cisco uBR7200 Series Universal Broadband Routers


Product Management Contact: IOS-Security-PM@cisco.com

4.2.8) Certificate to Internet Security Association and Key Management Protocol Profile Mapping

Certificate to Internet Security Association and Key Management Protocol (ISAKMP) Profile Mapping is used in the context of PKI deployment. It helps uniquely identify a group of users by mapping the Distinguished Name (DN) field, or part of the DN fields, in a certificate to a group of users. When certificates are used for authentication, the identity payload contains the subject name from the certificate. Some PKI deployments, however, do not give users control over the SubjectName field in the certificate, so this feature allows other fields in the certificate to be used to distinguish a user.

Mapping a DN field can therefore be used as an alternative to the identity field. With this feature, Cisco IOS ISAKMP profiles have the ability to match on various fields (for example, FQDN, IP address, or group name) in addition to the certificate DN fields.
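The Python below is an added example, not Cisco code: it selects an ISAKMP profile by matching fields of a peer certificate rather than the identity payload, in the spirit of the feature described above. The rule operators (eq, ne, co, nc over subject-name, issuer-name and alt-subject-name) mirror the form of an IOS certificate map, but the profile names, rule contents, and sample certificates are assumptions made for the illustration. Every rule also pins the issuer, so a certificate from another CA that happens to carry the right OU does not map to a profile.

```python
"""Certificate-field to ISAKMP-profile mapping.

Added example, not Cisco code. Rules, profile names and certificates are
constructed for the illustration. A certificate is represented as a dict
of DN strings keyed by field name.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed rule set: (sequence, profile, clauses). All clauses in a rule
# must match (AND); rules are evaluated in sequence order, first match wins.
CERT_MAPS: List[Tuple[int, str, List[Tuple[str, str, str]]]] = [
    (10, "ENGINEERS",  [("subject-name", "co", "ou=engineering"),
                        ("issuer-name",  "eq", "cn=corp-ca,o=example corp")]),
    (20, "EXECUTIVES", [("subject-name", "co", "ou=executive"),
                        ("issuer-name",  "eq", "cn=corp-ca,o=example corp")]),
    (30, "SALES",      [("alt-subject-name", "co", "@sales.example.com"),
                        ("issuer-name",      "eq", "cn=corp-ca,o=example corp")]),
]


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip whitespace around commas and equals so a
    comparison is not defeated by how the CA happened to render it.
    Escaped commas inside a value are preserved."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join(re.sub(r"\s*=\s*", "=", p).lower() for p in parts)


def clause_matches(cert: Dict[str, str], field_name: str, op: str, value: str) -> bool:
    actual = normalize_dn(cert.get(field_name, ""))
    value = normalize_dn(value)
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    if op == "co":
        return value in actual
    if op == "nc":
        return value not in actual
    raise ValueError("unknown operator %r" % op)


def select_isakmp_profile(cert: Dict[str, str]) -> Optional[str]:
    """Return the profile of the first rule whose clauses all match, or None.
    None means the peer has no profile: reject it rather than fall back to
    whatever the peer put in its identity payload."""
    for _seq, profile, clauses in sorted(CERT_MAPS):
        if all(clause_matches(cert, f, op, v) for f, op, v in clauses):
            return profile
    return None


if __name__ == "__main__":
    # Constructed peer certificate fields for the demonstration.
    peer = {"subject-name": "CN=alice, OU=Engineering, O=Example Corp",
            "issuer-name": "CN=Corp-CA, O=Example Corp"}
    print(select_isakmp_profile(peer))
```

The co (contains) operator is a substring test: "ou=engineering" also matches "ou=engineering-contractors", so prefer eq on the exact RDN where the CA's naming allows it, and treat no match as a rejection rather than falling back to the identity payload.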

Benefits

An alternative means of identifying users who authenticate with certificates.

Hardware

Routers

Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, 7400, and 7500 Series Routers

Cable Access Routers

Cisco uBR905 and uBR925 Cable Access Routers

Universal Broadband

Cisco uBR7200 Series Universal Broadband Routers


Product Management Contact: IOS-Security-PM@cisco.com

4.2.9) Crypto Access Check On Clear Text Packet

Crypto Access Check on Clear-Text Packets removes the second interface Access Control List (ACL) check that was applied against the outside interface to inbound clear-text packets recovered from IPsec-encrypted packets.

Previously, ACL checking was performed at two points for inbound IPsec traffic: once on the encrypted packet and again on the decrypted clear-text packet. With this feature the second check is no longer performed by default. Customers who still require ACL checking on the decrypted clear-text packets can re-enable it by configuring the command "crypto access checks ACL in" under the crypto map.

Benefits

Enables the easier configuration of ACLs.

Eliminates the configuration problems associated with a double ACL check.

Gives customers the option of enabling/disabling the second ACL checking for more security in their networks.

Hardware

Routers

Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, 7400, and 7500 Series Routers

Cable Access Routers

Cisco uBR905 and uBR925 Cable Access Routers

Universal Broadband

Cisco uBR7200 Series Universal Broadband Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: IOS-Security-PM@cisco.com

4.3) Mobile IP

4.3.1) Support for RFC 3519 NAT Traversal

IETF RFC 3519 defines the process by which Mobile IP enabled devices can roam into and traverse networks that have a Network Address Translation (NAT) device at the exit points of the network.

Typically, the ability to roam into and through a network with NAT deployed is unpredictable and dependent upon the NAT implementation deployed. The best way to ensure seamless IP roaming through a NAT device is by supporting RFC 3519 and using UDP to encapsulate the Mobile IP packets.

It is very common for Public WLAN "Hot Spot" networks and GPRS Wireless WAN networks to use private IP addressing and NAT devices at the exit points of their networks.

Support is provided in the Foreign Agent and Home Agent capability within Cisco IOS Software:

Foreign Agent and Home Agent

Mobile Node to Home Agent

Assumes the Mobile Node (Mobile IP client) also supports RFC 3519 NAT Traversal

Example: the Birdstep Mobile IP Client does support RFC 3519 NAT Traversal

NAT Traversal encapsulates the Mobile IP packets in a UDP packet, which requires any Firewalls in the path to PERMIT UDP Port 434.

The use of RFC 3519 is transparent to the end user.

Benefits

Ensure the ability for individual users to maintain their IP sessions when roaming into networks using NAT.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

4.4) Quality of Service

4.4.1) Cisco AutoQoS AutoDiscovery "Trust" Option

The new "trust" option extends the use of Cisco AutoQoS for the Enterprise to routers where Differentiated Services Code Point (DSCP) values have already been assigned to traffic at the network edge. This option enables customers to automatically set the Quality of Service (QoS) policy on routers by allowing the network to trust internally established priority levels for various types of traffic.

For example, it is typically recommended that traffic be classified and marked with DSCP values at the network edge. Once marking is complete, those values can be "trusted" by the other routers. The "trust" option therefore allows Cisco AutoQoS for the Enterprise to set the QoS policy on those routers without running NBAR protocol discovery (the DSCP markings assigned at the edge are trusted instead).

Figure 36

Cisco AutoQoS for the Enterprise: "Trust" Option for DSCP-Marked Traffic

Benefits

Extends use of Cisco AutoQoS for the Enterprise to routers that do not need to or should not perform traffic classification & DSCP marking.

AutoDiscovery "Trust" Option uses the DSCP values assigned by other devices.

QoS policies can be generated for routers where traffic arrives with DSCP markings and does not need local classification and marking.

Hardware

Routers

Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, 3631, 3640, 3660, 3725, and 3745 Routers

Cisco 7200 and 7500 Series Routers


Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802000a7.html

Product Management Contact: Tim McSweeney, timcswee@cisco.com

4.5) IP Routing

4.5.1) Cisco Optimized Edge Routing

Cisco Optimized Edge Routing (OER) automates routing performance and allows customers to minimize bandwidth costs and engineering operating expenses. Cisco IOS OER leverages Cisco IOS Netflow and Cisco IOS Service Assurance Agent to choose the optimal outbound route based on cost minimization, load distribution policy, and overall network performance.

Cisco OER enables intelligent network traffic load distribution and dynamic failure detection of data-paths at the WAN edge (i.e.: multi-homing to the Internet or intranet connectivity). While other routing mechanisms can provide both load-sharing and failure mitigation, Cisco OER is unique in that it can make instant routing adjustments based on criteria other than static routing metrics: response time, packet loss, path availability, traffic load distribution, and financial cost minimization policies.

Cisco OER is implemented in Cisco IOS Software as an integrated part of Cisco core routing functionality. It can be deployed with familiar simplicity via standard CLI configuration. Cisco OER may also be configured with an external Cisco 2100 Series Intelligence Engine (Cisco appliance) management device to provide enhanced scalability, extended history and a web-based GUI for configuration and reporting. Cisco OER offers increased Cisco product value and differentiation by leveraging various Cisco IOS Software features (i.e.: Cisco IOS Netflow, Cisco IOS SAA) and cross product integration to support multiple hardware products and routing protocols.

Figure 37

Cisco OER Deployment Example

Benefits

Features
Benefits
Automatic Performance, Cost Minimization, and Policy-Based Load Distribution

Instant routing adjustments based on performance, path availability, load share, or monetary cost measurements & business objectives.

Multiple Router Support

Delivers advanced networking capabilities and investment protection on many Cisco IOS Software based hardware products.

Multiple Routing Protocol Support

Delivers advanced networking capabilities and investment protection by integrating with IP core routing (i.e.: BGP, static routes) and network characterization features.

Internet and WAN Edge Traffic Optimization

Improve Internet and WAN edge traffic performance for content/application providers' customers.

Passive & Active Measurements

Delivers advanced networking capabilities and investment protection by integrating with existing Cisco IOS Software features, such as Cisco IOS NetFlow and Cisco IOS SAA.

NetFlow passive measurements minimize active probing.

Control & Observation Modes for Different Prefixes

Allows non-disruptive observation of the behavior of OER before controlling prefixes.

Support Multiple Link Billing Models

Provides flexibility for bandwidth cost minimization and ISP selection.

CLI Configuration & Reporting on Cisco IOS Software Based Hardware Products

Provides consistent Cisco IOS CLI which leverages the existing CLI knowledge of IT staff.


Hardware

Routers

Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers

Additional Devices

Master Controller Engine Linux appliance


Product Management Contact: Paul Kohler, pkohler@cisco.com or Anita Freeman, anfreema@cisco.com

4.5.2) Enhanced Interior Gateway Routing Protocol Support for Route Map Filtering

Enhanced Interior Gateway Routing Protocol (EIGRP) Support for Route-Map Filtering enables the filtering of internal and external routes based on multiple route-map options. The functionality enables EIGRP to process the set and match parameters already permitted within a route map, and also extends them with EIGRP-specific set and match choices.

Benefits

Helps during redistribution.

Controls route advertisement.

Filters routes as they are learned, for fine-tuning the network.

Hardware

Routers

All hardware that supports the Cisco IOS Software Release 12.3T family


Product Management Contact: Chetan Khetani, cpk@cisco.com

4.5.3) Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE Site of Origin

Enhanced Interior Gateway Routing Protocol (EIGRP) MPLS VPN PE-CE Site of Origin (SoO) introduces support for back door links. A back door link is a connection that is configured outside of the VPN between a remote and main site; for example, a WAN leased line that connects a remote site to the corporate network. Back door links are typically used as backup routes between EIGRP sites if there is a failure in the VPN link or it is not available. A metric is set on the back door link, so that the route through the back door router is not selected unless there is a VPN link failure.

Benefits

EIGRP MPLS VPN PE-CE SoO allows EIGRP enterprise customers who pay MPLS VPN providers and have back door links to optimize their investments in VPN connections. Before this functionality became available, back door links were always preferred over MPLS VPN connections, because routes could not be filtered on the PE or back door routers and were re-learned from other PEs.

Hardware

Routers

All hardware that supports the Cisco IOS Software Release 12.3T family


Product Management Contact: Chetan Khetani, cpk@cisco.com

4.5.4) Border Gateway Protocol Cost Community Support for Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE with Back Door Links

This feature allows one to customize the local route preference and influence the Border Gateway Protocol (BGP) best path selection process. Before EIGRP SoO BGP Cost Community support was introduced, BGP preferred locally sourced routes to routes learned from BGP peers. Back door links in an EIGRP MPLS VPN topology will be preferred by BGP if the back door link is learned first.

The "pre-bestpath" point of insertion (POI) was introduced in the BGP Cost Community feature to support mixed EIGRP VPN network topologies that contain VPN and back door links.

Benefits

Without this functionality, back door links were always preferred over MPLS VPN connections. As a result, EIGRP enterprise customers who pay MPLS VPN providers and have back door links were not optimizing their investments in the VPN connections.

Hardware

Routers

All hardware that supports the Cisco IOS Software Release 12.3T family


Product Management Contact: Chetan Khetani, cpk@cisco.com

4.6) Manageability

4.6.1) Cisco IOS Service Assurance Agent Multiple Operation Scheduling

Cisco IOS Service Assurance Agent (SAA) uses various metrics to assess a network's performance and availability. It can perform network assessments, verify service level agreements, and assist administrators with troubleshooting. It automates service level monitoring for both end customers and service providers. Cisco IOS SAA uses unique service level assurance metrics and methodology to provide highly accurate, precise service level assurance measurements.

Cisco IOS SAA informs users whether Quality of Service (QoS) is working and configured correctly. It reduces operational costs by continuously testing the network infrastructure and identifying issues. It also reduces the time required to track and isolate network performance problems, thus decreasing operating expenses. Cisco IOS SAA sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates network data and IP services, collecting network performance information in real time. Collected information includes response time, one-way latency, jitter, packet loss, voice quality scoring, and server response time.

Cisco IOS SAA Multiple Operation Scheduling allows the user to easily schedule active performance measurements from a source device to a group of destination devices. This capability allows sequential activation of a large number of SAA operations with one CLI command or SNMP MIB set. For example, the user can schedule a set of SAA jitter operations to measure edge-to-edge jitter, packet loss, and response time from a source router to a large number of destination routers with one CLI command.

Figure 38

Cisco IOS Service Assurance Agent Multiple Operation Scheduling

Benefits

Enhances Cisco IOS SAA scalability and ease of use.

Provides more flexibility in the ability to schedule SAA operations.

Embedded active monitoring in Cisco IOS Software.

Automated real-time, accurate network performance and network health monitoring.

Capable of verifying and measuring IP service levels and parameters needed for service level agreements.

Per-class QoS traffic monitoring.

Flexible scheduling.

Proactive notifications with Simple Network Management Protocol (SNMP) Trap.

Hop-by-hop and end-to-end performance measurement.

Controlled through SNMP or Command Line Interface (CLI).

VoIP codec simulation and VoIP quality measurement (MOS and ICPIF).

MPLS network monitoring.

Integrated into several third-party diagnostic tools.

Hardware

Routers

All routers that support the Cisco IOS Software Release 12.3T family

Switches

All switches that support the Cisco IOS Software Release 12.3T family, except the Cisco Catalyst 4500 Series Switch


Additional Information: http://www.cisco.com/go/saa

Product Management Contact: Tom Zingale, tomz@cisco.com

4.6.2) MPLS Aware NetFlow

Understanding who is using the network and for how long, what protocols and applications are being used, and where the network data is flowing is a necessity for today's IP network managers. IP network managers rely on exported NetFlow data for a variety of purposes, including:

Network management and planning

Enterprise accounting

Troubleshooting

Security monitoring and departmental charge back billing

Data warehousing

Data mining for marketing purposes

NetFlow version 9 is a new flexible and extensible format for exporting IP flow information from Cisco routers and switches, providing rapid support for IP accounting of Cisco technologies. New features that leverage NetFlow version 9 include MPLS Aware NetFlow, NetFlow multicast and NetFlow BGP Next Hop. The NetFlow Version 9 extensible format is recognized as a new standard for exporting flow information from IP devices.

Capacity planning is a necessity for Cisco customers using MPLS VPN, MPLS traffic engineering, and MPLS Label Distribution Protocol. MPLS network management and capacity planning have now been enhanced with the addition of MPLS Aware NetFlow, which allows customers to determine the IP destination of label-switched traffic and to understand the utilization of label-switched paths.

Figure 39

MPLS Aware NetFlow

Benefits

NetFlow version 9 is a flexible and extensible export format and an emerging IETF standard for exporting information from IP devices.

MPLS aware NetFlow enhances MPLS network planning.

Peering arrangements.

Network Planning.

Traffic Engineering.

Accounting and billing.

Security Monitoring.

Internet access monitoring (protocol distribution, where traffic is going/coming).

User Monitoring.

Application monitoring.

Charge back billing for departments.

Hardware

Routers

Cisco 3700, 7200, 7300, 7400, and 7500 Series Routers


Considerations

MPLS Aware NetFlow is also available in Cisco IOS Software Release 12.0(24)S on the Cisco 12000 Series Internet Router, and in Release 12.0(26)S for additional hardware products.

Additional Information: http://www.cisco.com/go/netflow

Product Management Contact: Tom Zingale, tomz@cisco.com

4.6.3) Service Selection Gateway Interface Redundancy

In Service Selection Gateway (SSG), each service is associated with an outbound interface. When a subscriber chooses to use a service, SSG connects the subscriber to the service via the associated outbound interface. SSG interface redundancy allows services to be associated with more than one interface to protect against link failures.

When redundant interfaces are configured for a service, a distance metric is assigned to each service binding. This influences the order in which SSG selects the interface used to reach a service. The interface for the service binding with the lowest metric is the primary interface, the interface for the service binding with the second lowest metric is the secondary interface, and so on. If a failure occurs on an active interface, SSG recognizes the failure and switches the service connection to the interface associated with the next lowest metric. When the primary uplink interface or next hop becomes available again, SSG switches back to using the primary interface.

SSG Uplink Interface Redundancy Topologies

The SSG Interface Redundancy feature supports uplink interface redundancy in the following network topologies:

Figure 40

Multiple Next-Hops per Service Sample Topology

Figure 41

Multiple Uplink Interfaces with a Single Next Hop Sample Topology

Figure 42

Multiple Uplink Interfaces with No Next Hop Sample Topology

Figure 43

Combinations of Directly Connected Uplink Interfaces and Interfaces with Next Hops Sample Topology

Benefits

Reduces Connectivity Downtime

Service providers can use SSG Interface Redundancy to configure a redundant interface for the services they offer to subscribers. Any failure on the primary interface activates the backup interface, reducing service connection downtime. It also helps subscribers get uninterrupted access to the services that service providers offer.

Hardware

Routers

Cisco 2651XM, 3740, and 7301 Routers

Cisco 7200 and 7600 MWAM Series Routers


Product Management Contact: Murali Kolli, mkolli@cisco.com

4.7) IP Addressing and Services

4.7.1) Dynamic Host Configuration Protocol—Dynamic Default Gateway on a Statically Configured Route

This feature enables the dynamic configuration of the default gateway for a configured IP static route using Dynamic Host Configuration Protocol (DHCP). This enhancement allows a static route to be configured with the keyword "dhcp".

The DHCP Client within Cisco IOS Software will use DHCP Option 3 (DHCP gateway address) obtained from a DHCP server and plug in this DHCP Gateway Address as the "next hop" in the static IP Route command.

Example:

Route configuration:

ip route 3.3.3.3 255.255.255.255 dhcp

If a DHCP IP address is obtained and option 3 has also been obtained from the server (i.e., option 3 contains 3.3.3.2), then a show ip route command will show the configured static route:
S 3.3.3.3 255.255.255.255 via 3.3.3.2

This can be an alternative to using DHCP Option 33—Static Route Option. Customers may not always have control or influence over the DHCP Server configurations of the network providers.

Benefits

Simplifies static routing configurations in networks that make use of DHCP.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

4.7.2) Dynamic Host Configuration Protocol—Configurable DHCP Client

Configurable Dynamic Host Configuration Protocol (DHCP) Client is the ability to manually configure several DHCP Client options:

Client Identifier Option (option 61)

Allows a user to enter a unique hexadecimal value or a unique null terminated ASCII string.

This value is expected to be unique for all clients in an administrative domain.

Vendor Class Identifier (option 60)

Allows the user to configure the Vendor Class Identifier string to use in the DHCP interaction.

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client.

IP Address Lease Time (option 51)

Allows the user to configure the suggested lease time to be included as the Lease Time Option in the DHCP interaction.

This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.
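
An added example (not Cisco IOS code) that serves both 4.7.1 and 4.7.2: an RFC 2132 option encoder/decoder for options 3, 51, 60 and 61, plus a helper that fills the next hop of an "ip route ... dhcp" static route from a decoded option 3. All packet bytes, the client identifier, vendor string and lease value are constructed here.

```python
"""DHCP option handling for the options in 4.7.1 and 4.7.2 (added example,
not Cisco IOS code).  RFC 2132 TLV wire format for option 3 (Router),
51 (IP Address Lease Time), 60 (Vendor Class Identifier) and 61 (Client
Identifier), plus a helper that fills the next hop of an 'ip route ... dhcp'
static route from a decoded option 3.  All packet bytes are constructed."""
import ipaddress
import struct
from typing import Dict, List, Optional, Union

OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_LEASE_TIME, OPT_VENDOR_CLASS, OPT_CLIENT_ID = 3, 51, 60, 61


def encode_options(opts: Dict[int, bytes]) -> bytes:
    """Serialise code/length/value triples and terminate with END (255)."""
    out = bytearray()
    for code, value in opts.items():
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"option {code}: bad code or value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLV options: PAD is skipped, END stops the scan, and a length that
    runs past the buffer raises instead of reading garbage.  Repeated options
    are not concatenated (RFC 3396 is out of scope here)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def router_option(addresses: List[str]) -> bytes:
    """Option 3: one or more 4-byte IPv4 addresses, preferred router first."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)


def parse_routers(value: bytes) -> List[str]:
    if not value or len(value) % 4:
        raise ValueError("option 3 must hold a non-zero multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def lease_time_option(seconds: int) -> bytes:
    """Option 51: unsigned 32-bit seconds (the client's suggested lease)."""
    return struct.pack("!I", seconds)


def parse_lease_time(value: bytes) -> int:
    if len(value) != 4:
        raise ValueError("option 51 must be exactly 4 bytes")
    return struct.unpack("!I", value)[0]


def client_id_option(identifier: Union[str, bytes], hw_type: int = 0) -> bytes:
    """Option 61: a type byte then the identifier.  Type 1 is an Ethernet MAC;
    type 0 marks an opaque value such as the null-terminated ASCII string the
    text says a user may enter."""
    data = identifier.encode("ascii") + b"\x00" if isinstance(identifier, str) else bytes(identifier)
    if not data:
        raise ValueError("client identifier must not be empty")
    return bytes([hw_type]) + data


def dhcp_static_route(prefix: str, mask: str, opts: Dict[int, bytes]) -> Optional[str]:
    """Model of 'ip route <prefix> <mask> dhcp': the first router in option 3
    becomes the next hop.  Returns the route in the text's 'show ip route'
    style, or None when the server sent no option 3 (nothing is installed)."""
    value = opts.get(OPT_ROUTER)
    if not value:
        return None
    return f"S {prefix} {mask} via {parse_routers(value)[0]}"


def build_sample_request() -> bytes:
    """Constructed client options for the configurable DHCP client (4.7.2);
    option 60 is an opaque ASCII string sent without a terminator."""
    return encode_options({
        OPT_CLIENT_ID: client_id_option("branch-rtr-01"),
        OPT_VENDOR_CLASS: b"example-vendor-class",
        OPT_LEASE_TIME: lease_time_option(86400),
    })
```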

Benefits

Provides customers additional flexibility in the allocation and control of their IP Address space.

Hardware


Additional Information: http://www.ietf.org/rfc/rfc2132.txt

Product Management Contact: Mark Denny, mdenny@cisco.com

4.7.3) First Hop Routing Protocols—Object Tracking List Support

First Hop Routing Protocols (FHRP) Object Tracking List Support refers to the ability to group multiple objects, track the state of these objects collectively, and influence the FHRP design dynamically.

FHRP Object Tracking List support influences Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) to initiate a fail-over to another router in the group. It also influences GLBP to shift the IP traffic of a specific Gateway Load Balancing Protocol (GLBP) router to the rest of the GLBP group.

FHRP is comprised of GLBP, HSRP, and VRRP. These protocols can track on a single "object" at one time, using the information obtained from this "object" to influence whether to failover from one redundant gateway router to another in the case of HSRP or VRRP, or shift the traffic of one GLBP router to the rest of the GLBP group.

The result of tracking an object is to perform some pre-defined action when this object state changes. For example, the user can track an interface when there is a failure and change the HSRP priority such that an election takes place and a new router takes over as the primary HSRP router. When the interface comes back up, the user can change the HSRP priority again, so the original primary router takes over its role again.

With the "Object Tracking list" enhancement, multiple objects can now be defined in a list and actions will be determined by collective state or combined status of the defined objects. It provides logical operations, threshold and weighting, and percentage comparison among the tracking objects defined in the list. An object tracking list can be defined as follows:

Each object in the list of tracked objects has an associated weight. This weight can be set by the user, or may be calculated automatically if all the objects are to have equal weight; the latter is the default case.

A threshold value will be defined by the user and by comparing the state of each object and its associated weight, the state of the "track list" object will be determined depending on whether the threshold value has been met.

Use of the logical OR function means that when any object defined within the list provides an "UP" state, the "track list" object also reports an "UP" state.

Configuration examples:

track 1 interface e0/1 line-protocol
track 2 interface e0/2 line-protocol
track 3 interface e0/3 line-protocol
track 4 list
 object 1 weight 10
 object 2 weight 20
 object 3 weight 10
 threshold percentage up 30 down 29
track 5 list
 object 1
 object 2
 object 3
 object 4
 boolean and
track 6 list
 object 1
 object 2
 object 3
 object 4
 boolean or
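
The configuration above worked through as an added example that is not Cisco's code: a Python evaluator for threshold-percentage, boolean and, and boolean or lists, including track 4 nested inside tracks 5 and 6. It assumes the percentage is computed over the total configured weight (weight 1 when none is given) and that a value strictly between the down and up thresholds keeps the previous state; the hysteresis demo with "up 50 down 33" goes beyond the page's own values.

```python
"""Object tracking list evaluator (added example, not Cisco IOS code).
Models the configuration above: three interface objects, a weighted
percentage list (track 4) with separate up/down thresholds, and two boolean
lists (track 5, 6) that include track 4 as their fourth member.  Assumed:
the percentage is taken over the total configured weight (weight 1 when none
is given, i.e. equal weights) and a value strictly between the down and up
thresholds keeps the previous list state (hysteresis)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TrackList:
    """One 'track <n> list'; members maps object id -> weight."""
    name: int
    mode: str                       # "boolean and", "boolean or", "threshold percentage"
    members: Dict[int, int] = field(default_factory=dict)
    up_threshold: int = 0           # percent at or above which the list goes UP
    down_threshold: int = 0         # percent at or below which the list goes DOWN
    state: Optional[bool] = None    # None until first evaluated

    def add_object(self, obj: int, weight: Optional[int] = None) -> None:
        self.members[obj] = 1 if weight is None else weight

    def evaluate(self, states: Dict[int, bool]) -> bool:
        """Derive the list state from its members (KeyError for an undefined member)."""
        ups = [states[obj] for obj in self.members]
        if self.mode == "boolean and":
            new_state = all(ups)
        elif self.mode == "boolean or":
            new_state = any(ups)
        elif self.mode == "threshold percentage":
            total = sum(self.members.values())
            up_weight = sum(w for obj, w in self.members.items() if states[obj])
            percent = 100.0 * up_weight / total if total else 0.0
            if percent >= self.up_threshold:
                new_state = True
            elif percent <= self.down_threshold:
                new_state = False
            else:
                new_state = bool(self.state)   # hysteresis band; never-evaluated = DOWN
        else:
            raise ValueError(f"unknown list mode {self.mode!r}")
        self.state = new_state
        return new_state


class Tracker:
    """Interface track objects plus track lists; lists may nest."""

    def __init__(self) -> None:
        self.objects: Dict[int, bool] = {}      # 'track <n> interface ... line-protocol'
        self.lists: Dict[int, TrackList] = {}

    def set_interface(self, obj: int, up: bool) -> None:
        self.objects[obj] = up

    def add_list(self, tl: TrackList) -> None:
        self.lists[tl.name] = tl

    def evaluate(self) -> Dict[int, bool]:
        """State of every object; lists are evaluated in numeric order so a
        list may include a lower-numbered list (track 4 inside 5 and 6)."""
        states = dict(self.objects)
        for name in sorted(self.lists):
            states[name] = self.lists[name].evaluate(states)
        return states


def build_page_config() -> Tracker:
    """The 'track 1' .. 'track 6' configuration from the text, interfaces down."""
    t = Tracker()
    for obj in (1, 2, 3):
        t.set_interface(obj, False)
    t4 = TrackList(4, "threshold percentage", up_threshold=30, down_threshold=29)
    for obj, weight in ((1, 10), (2, 20), (3, 10)):
        t4.add_object(obj, weight)
    t.add_list(t4)
    for name, mode in ((5, "boolean and"), (6, "boolean or")):
        tl = TrackList(name, mode)
        for obj in (1, 2, 3, 4):
            tl.add_object(obj)
        t.add_list(tl)
    return t


def states_for(e01: bool, e02: bool, e03: bool) -> Dict[int, bool]:
    """Evaluate the page configuration for one set of line-protocol states."""
    t = build_page_config()
    for obj, up in ((1, e01), (2, e02), (3, e03)):
        t.set_interface(obj, up)
    return t.evaluate()


def hysteresis_demo(ups_per_step: List[int]) -> List[bool]:
    """Beyond the page's values: three equal-weight objects with 'threshold
    percentage up 50 down 33'.  Each step gives how many objects are up; 1 of
    3 (33.3%) falls between the thresholds, so that step keeps the old state."""
    tl = TrackList(99, "threshold percentage", up_threshold=50, down_threshold=33)
    for obj in (1, 2, 3):
        tl.add_object(obj)
    return [tl.evaluate({1: n >= 1, 2: n >= 2, 3: n >= 3}) for n in ups_per_step]
```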

Benefits

Provides customers additional granularity and control when designing network availability.

Customers can customize the combination of "objects" that will initiate failing over or redistribution of traffic within an FHRP group.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

4.7.4) Network Address Translation—Support for H.323 Fragmented Control Messages

For various reasons, control messages for most multimedia applications (e.g., H.323, Skinny Client Control Protocol) may arrive at a router as fragments. Reasons include a low MTU at the origin, TCP window size limitations, and fragmentation by some middle box. While IP-level (Layer 3) fragmentation is common and well understood, some applications have control messages that span several IP datagrams. For example, a control message of an application that uses TCP could arrive at a router running Network Address Translation (NAT) as multiple IP (TCP) packets that are not fragmented.

Currently Cisco IOS NAT expects the entire control message to be present in a single IP packet. If NAT receives a control message that is fragmented, the packet is simply dropped.

This enhancement supports:

H.323 control messages that span several IP fragments.

H.323 control messages that span several non-fragmented IP datagrams.

In order to translate embedded addresses and ports in the payload, NAT has to reassemble fragments so that the control message is available in its entirety in the payload. Once the set of packets that make up a complete control message has been received, the complete message is processed by NAT and then routed on to its destination.
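
An added example, not Cisco IOS NAT code, of the reassembly step described above: H.225 call signalling over TCP is carried in TPKT frames (RFC 1006), so the ALG buffers per connection until a whole frame is present and only then rewrites the embedded address, instead of dropping partial messages. The message bodies, addresses and the byte-pattern rewrite are constructed simplifications, not an H.225 decoder.

```python
"""Reassembly of H.225 call-signalling messages before NAT payload
translation (added example, not Cisco IOS NAT code).  H.225 over TCP wraps
each message in a TPKT frame (RFC 1006: version 3, reserved byte, 16-bit
length that includes the 4-byte header), so one control message may arrive
split over several TCP segments and the ALG must buffer until a whole frame
is present rather than drop it.  The embedded-address rewrite is a
simplified stand-in for ASN.1 PER decoding; all segments are constructed."""
import ipaddress
import struct
from typing import Dict, List, Tuple

TPKT_HDR = 4
TPKT_VERSION = 3
MAX_BUFFER = 64 * 1024        # bound per-flow buffering so a peer cannot exhaust memory


class TpktReassembler:
    """Per-TCP-connection buffer that emits complete TPKT frames."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, segment: bytes) -> List[bytes]:
        """Append one segment payload and return every frame it completed."""
        self._buf += segment
        if len(self._buf) > MAX_BUFFER:
            raise ValueError("per-flow reassembly buffer exceeded")
        frames: List[bytes] = []
        while len(self._buf) >= TPKT_HDR:
            version, _reserved, length = struct.unpack("!BBH", self._buf[:TPKT_HDR])
            if version != TPKT_VERSION:
                raise ValueError(f"unexpected TPKT version {version}")
            if length < TPKT_HDR:
                raise ValueError("TPKT length shorter than its header")
            if len(self._buf) < length:
                break                       # message still spans unseen segments
            frames.append(bytes(self._buf[:length]))
            del self._buf[:length]
        return frames

    def pending(self) -> int:
        return len(self._buf)


def packed_addr(host: str, port: int) -> bytes:
    """6-byte ip:port form of an H.225 TransportAddress (ipAddress choice)."""
    return ipaddress.IPv4Address(host).packed + struct.pack("!H", port)


def translate_frame(frame: bytes, inside: Tuple[str, int], outside: Tuple[str, int]) -> bytes:
    """Rewrite the inside ip:port to the outside one within a complete frame.
    Both forms are 6 bytes, so the TPKT length stays valid."""
    body = frame[TPKT_HDR:].replace(packed_addr(*inside), packed_addr(*outside))
    return frame[:TPKT_HDR] + body


class H323Nat:
    """Reassemble per flow, translate only complete messages, forward them."""

    def __init__(self, inside: Tuple[str, int], outside: Tuple[str, int]) -> None:
        self.inside, self.outside = inside, outside
        self.flows: Dict[Tuple[str, int, str, int], TpktReassembler] = {}

    def process(self, flow: Tuple[str, int, str, int], payload: bytes) -> List[bytes]:
        reasm = self.flows.setdefault(flow, TpktReassembler())
        return [translate_frame(f, self.inside, self.outside) for f in reasm.feed(payload)]


def make_frame(body: bytes) -> bytes:
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HDR + len(body)) + body


def run_demo() -> Dict[str, object]:
    """Two constructed messages: the first split across three segments, the
    second sharing a segment with the tail of the first."""
    inside, outside = ("10.1.1.5", 1720), ("203.0.113.9", 40001)
    setup = make_frame(b"\x08\x02SETUP" + packed_addr(*inside) + b"tail")
    connect = make_frame(b"\x08\x02CONNECT" + packed_addr(*inside))
    segments = [setup[:5], setup[5:9], setup[9:] + connect[:3], connect[3:]]
    nat = H323Nat(inside, outside)
    flow = ("10.1.1.5", 1720, "198.51.100.7", 52000)
    out: List[bytes] = []
    per_segment: List[int] = []
    for seg in segments:
        frames = nat.process(flow, seg)
        per_segment.append(len(frames))
        out.extend(frames)
    return {"per_segment": per_segment, "frames": out, "pending": nat.flows[flow].pending()}
```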

Benefits

Provides enhanced support for H.323 based Voice over IP sessions.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

4.8) Connectivity

4.8.1) Explicit Call Transfer for ETSI PRI

Explicit Call Transfer (ECT) allows the router to transfer a call received from the PSTN to the final destination number on the PSTN instead of "hairpinning" the call on the router interface and consuming DS0 channels on a PRI interface. This feature allows the ECT functionality to work on the ETSI (NET5) switch type and helps make better use of channels on a PRI interface. The typical architecture for this functionality has the AS5xxx acting as a voice gateway between a SIP (Session Initiation Protocol) based Voice Recognition Server (VRS) and a central office switch in the PSTN. The application provides call transfer services based upon voice recognition (the typical voice-activated menus of call centers, such as an airline reservation system) to service provider customers looking to operate large customer contact centers. In these applications, the call flow proceeds as follows:

1. An initial call is received on a PRI interface of the Cisco AS5000 Series and routed to the Voice Recognition Server via a SIP interface.

2. The VRS identifies a destination number to transfer the call to based on a voice command selection from the end user.

3. The VRS sends the appropriate SIP message with the destination number to the Cisco AS5000 Series, and the Cisco AS5000 Series performs an Explicit Call Transfer of the original call on its PRI interface.

Benefits

Allows better utilization of DS0 channels on PRI interfaces for VoIP applications and allows Call Transfer functionality to work with ETSI (NET5) switch types, which are found in Europe and Asia.

Hardware

Access Servers

Cisco AS5000 Series Access Server


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

4.8.2) Protocol Translation Template

Protocol Translation Template (PTT) will allow Telco DCN (Data Communication Network) customers increased flexibility in configuring PT sessions in environments where a large number of PT sessions must be configured. The current PT configuration requires static mapping between incoming connections (such as PAD, Telnet, LAT) and their configuration parameters and the outbound protocol connection (PAD, Telnet, LAT, PPP, SLIP, ...) and its configuration parameters. The new PTT will allow the construction of a template containing "ruleset" capabilities that build the configuration dynamically, simplifying the task of creating large-scale PT configurations. The "ruleset" capability will allow multiline string searches, comparisons, and substitutions in the PTT to create a configuration for PT.

Benefits

Using Protocol Translation Templates will allow Telco DCN administrators to create large scale PT configurations in a quicker and more error-free manner. Administrators will not have to configure a large number of static PT sessions and will have a simple method to configure a general purpose PTT.

Hardware

Routers

Cisco 2610XM, 2620XM, 3662, 3725, and 3745 Routers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

4.8.3) Asynchronous Line Monitoring

Asynchronous Line Monitoring enables the monitoring of control characters, along with the character mode traffic on an asynchronous line. A new keyword `control-char' will be added to the existing CLI `monitor traffic' to turn on this function.

Asynchronous Line Monitoring also adds the ability to lock the keyboard, preventing the insertion of typed characters into the stream of characters on the asynchronous line.

The modified CLI will look like this:

monitor traffic line <line> [in] [out] [control-char][interactive]

This functionality is important for Telco Data Communication Network (DCN) applications where Service Providers want to monitor remote Network Elements via asynchronous lines.

Figure 44

Asynchronous Line Monitoring

In the DCN application example shown above, the user opens a telnet session from the Operation Support System (OSS) host to the Network Element.

Benefits

Asynchronous Line Monitoring provides added granularity and enables network administrators to control traffic on asynchronous lines.

Hardware

Routers

Cisco 2610XM, 2620XM, 3662, 3725, and 3745 Routers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

5) Release 12.3(7)T Highlights

Below are some of the key features available in Release 12.3(7)T.

Table 5 Release 12.3(7)T Feature Highlights

5.1.1) Cisco 1711 and 1712 Security Access Routers

5.1.2) Network Modules for Circuit Emulation Services over IP for the 2600, 3600 and 3700 Series Routers

5.1.3) Network Analysis Module for the 2600, 3660 and 3700 Series Routers

5.2.1-5.2.5) Security Infrastructure Features

5.2.1) RADIUS Attribute Screening support for Access-Request

5.2.2) Role-Based CLI Access

5.2.3) Control Plane Policing Enhancements

5.2.4) IP Source Tracker

5.2.5) Per VRF TACACS+ Support

5.2.6-5.2.8) Security Cisco IOS Firewall Features

5.2.6) Cisco IOS Firewall for IPv6

5.2.7) Transparent Cisco IOS Firewall

5.2.8) Extended Simple Mail Transport Protocol

5.2.9-5.2.10) Security Trust and Identity Features

5.2.9) Key Rollover for Certificate Renewal

5.2.10) PKI: Query Multiple Servers during Certificate Revocation Check

5.2.11-5.2.13) Security IPsec Features

5.2.11) Virtual Private Network Routing and Forwarding Instance Integrated Dynamic Multipoint VPN

5.2.12) Network Address Translation (NAT)—Transparency Aware DMVPN

5.2.13) SEAL Encryption

5.3.1) Mobile IP Foreign Agent Local Routing for Mobile Networks

5.3.2) Mobile IP—Mobile Networks PPP Dynamic Collocated Care-of-Address

5.4.1) AutoQoS for the Enterprise

5.4.2) NBAR-NAT Integration and RTSP

5.5.1-5.5.3) Multicast Features

5.5.1) MSDP Compliance with IETF MSDP Draft 20

5.5.2) IPv6 Multicast Phase 1 & Phase 2

5.5.3) PIM Dense Mode Fallback Prevention after RP Information Loss

5.6.1-5.6.3) SSG Features

5.6.1) SSG Permanent TCP Redirection

5.6.2) SSG Transparent Auto-Logon

5.6.3) SSG TCP Re-direct Exclusion List

5.6.4) Service Assurance Agent VoIP Proactive Monitoring

5.6.5) NetFlow MIB

5.6.6) Configuration Rollback/Configuration Replace

5.7.1-5.7.2) OSPF Features

5.7.1) OSPF Link State Database Overload Protection

5.7.2) OSPF Area Transit Capability

5.7.3) VRF Selection using Policy Based Routing

5.7.4-5.7.5) BGP Features

5.7.4) BGP Transient Memory Usage Enhancement

5.7.5) BGP Support for TTL Security Check

5.7.6) CLNS Support for GRE Tunneling of IPv4 and IPv6

5.8.1) VRF Aware Dialer Watch

5.8.2) PPP/MLP MRRU Negotiation

5.9.1-5.9.2) IPv6 Features

5.9.1) IP over IPv6 Tunnels

5.9.2) IPv6 Policy-Based Routing

5.9.3) NAT—Stateful Failover Asymmetric Outside-to-Inside

5.9.4) NAT—Stateful Failover for Embedded Addressing

5.9.5) NAT—Static IP Support

5.9.6) ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry

5.9.7) Rate Based Satellite Control Protocol (RBSCP)

5.10.1) MPLS—MLPPP Support


5.1) New Hardware Support

5.1.1) Cisco 1711 and 1712 Security Access Routers

Description

The Cisco 1711 and 1712 Security Access Routers offer an all-in-one security, routing, and switching solution for enterprise small branch offices and small and medium sized businesses. They feature built-in Fast Ethernet LAN switching, Fast Ethernet port for DSL or broadband modem connectivity, integrated Cisco IOS Security and backup WAN for link redundancy to help ensure high availability of critical business applications.

Figure 45

Cisco 1711/1712 Application Advantages—Workgroup Segmentation with Dial Backup

Benefits

Complete Solution—delivering broadband access with link redundancy, routing, switching and security.

Integrated Network Security—stateful inspection firewall with URL filtering, hardware accelerated VPN encryption (DES & 3DES) delivering 15 Mbps encryption rates, and IDS detecting 100 signatures.

Integrated LAN Switching—4 port 10/100BaseT switch with 802.1Q VLAN and MDI/MDIX auto-configuration.

High WAN Availability—ensures availability of network connection and applications with analog modem or ISDN S/T back-up WAN.

WAN Migration—Use the Analog modem or ISDN S/T port as primary connection then migrate to high speed Cable/DSL connection when available.

Dual ISP Support—The 10/100BaseT ports can be separated to allow simultaneous connection to two ISPs for load balancing and failover protection.

Superior Manageability—CiscoWorks for centralized configuration and management. Embedded web-based Security Device Manager (SDM) for simplified device configuration management.

Hardware

Routers

Cisco 1711 and 1712 Security Access Routers


Product Management Contact: dthaele@cisco.com

5.1.2) Network Modules for Circuit Emulation Services over IP for the 2600, 3600 and 3700 Series Routers

Description

The Cisco 2600/3660/3700 Circuit Emulation over IP (CEoIP) network modules (product IDs: NM-CEM-4T1E1 and NM-CEM-4SER) enable service provider customers to create a new revenue stream by offering a leased line service over existing packet infrastructure. Enterprise and government customers will be enabled to migrate applications which require TDM transport on to their IP networks, thus saving operational expenses.

Hardware

Routers

Cisco 2600 and Cisco 3700 Series

Cisco 3600 Router


Product Management Contact: cschwaig@cisco.com

5.1.3) Network Analysis Module for the 2600, 3660 and 3700 Series Routers

Description

The Cisco 2600/3660/3700 Series Network Analysis Module (product ID: NM-NAM) is an integrated traffic-monitoring network module that enables network managers to gain application-level visibility into network traffic at remote sites with the ultimate goal of improving performance, reducing failures, and maximizing return on network investments. It expands the Cisco NAM solution available for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers. It provides the unique advantage of performing remote troubleshooting and traffic analysis through its Web-based NAM Traffic Analyzer without having to send personnel to remote sites or haul large amounts of data to the central site.

Figure 46

The Cisco 2600/3660/3700 Series Network Analysis Module

Benefits

Real Time and Historical Traffic Monitoring in WANs—Analyze bandwidth usage at application level, proactively monitor data and VoIP applications.

Application Performance Management—Identify application response delays observed at branches.

Fault Isolation and Troubleshooting—Remotely isolate network problems, capture/decode packets.

VoIP and QoS Monitoring—Analyze IP Telephony sessions, validate QoS policies.

Capacity Planning and Extended Applications—with standards based software applications.

Hardware

Routers

Cisco 2600 and Cisco 3700 Series

Cisco 3660 Router


Product Management Contact: massung@cisco.com

5.2) Security

5.2.1) RADIUS Attribute Screening support for Access-Request

Description

The RADIUS Attribute Screening feature allows users to configure a list of "accept" or "reject" RADIUS attributes on the network access server (NAS) for purposes such as authorization or accounting.

This enhancement to attribute screening adds support for filtering on Access-Request, in addition to the Access-Accept and Accounting-Request filtering already supported in Cisco IOS Software.

Benefits

Improved Control and Manageability—Better control over which attributes, in particular Called-Station-Id, are sent to the ISP in Access-Request messages, according to the pre-arrangement.

Hardware

Routers

Cisco 7200, Cisco 7400 Series

Cisco 7301, Cisco 7304-NPE-G100 and Cisco 7304-NSE-100 Routers


Product Management Contact: IOS-Security-PM@cisco.com

5.2.2) Role-Based CLI Access

Description

This feature enables the network device administrator to set up views that define the set of CLI commands users may access. It is a new user access control feature in addition to the current privilege-level feature, but it offers a higher degree of customization.

On a single device, up to 16 views can be defined by the network device administrator.

The network administrator can define whether users are in privilege mode or view mode when they log into the device.

Each user can be assigned one or more views. Each view is associated with a password that is required when a user switches between views (if a person is assigned multiple views).

Views are defined by the network administrator via the CLI with keywords such as include (CLI commands accessible by the view) or include-exclusive (CLI commands accessible exclusively by the view).

Either a local (on the device) or an external (such as TACACS+/RADIUS) AAA server is used for authentication and authorization; a new vendor-specific attribute (VSA) is therefore needed to support this feature.
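
An added model of the view semantics just described (not Cisco IOS code): include grants commands to a view, include-exclusive grants them and revokes them from all other views, and each view has a password checked when a user switches into it. Matching commands as exact strings and storing view passwords as salted PBKDF2 hashes are this example's own assumptions; the role names and commands are constructed.

```python
"""Role-based CLI view model (added example, not Cisco IOS code).
'include' grants commands to a view; 'include-exclusive' grants them to that
view and revokes them from every other view, so one view ends up owning them.
The 16-view limit and the per-view password checked when a user switches
views are modelled too.  Assumptions of this example: commands are matched
as exact strings (the IOS parser is more flexible) and view passwords are
stored as salted PBKDF2 hashes, a choice made here, not IOS internals."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Set

MAX_VIEWS = 16
PBKDF2_ROUNDS = 100_000


@dataclass
class View:
    salt: bytes
    secret: bytes                               # PBKDF2-HMAC-SHA256 of the view password
    commands: Set[str] = field(default_factory=set)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ViewStore:
    """All views configured on one device."""

    def __init__(self) -> None:
        self._views: Dict[str, View] = {}

    def create_view(self, name: str, password: str) -> None:
        if name in self._views:
            raise ValueError(f"view {name!r} already exists")
        if len(self._views) >= MAX_VIEWS:
            raise ValueError(f"a device holds at most {MAX_VIEWS} views")
        salt = os.urandom(16)
        self._views[name] = View(salt=salt, secret=_derive(password, salt))

    def _view(self, name: str) -> View:
        try:
            return self._views[name]
        except KeyError:
            raise ValueError(f"unknown view {name!r}") from None

    def include(self, view: str, *commands: str) -> None:
        """'commands include': grant to this view, other views untouched."""
        self._view(view).commands.update(commands)

    def include_exclusive(self, view: str, *commands: str) -> None:
        """'commands include-exclusive': grant here and revoke everywhere else."""
        target = self._view(view)
        for other in self._views.values():
            if other is not target:
                other.commands.difference_update(commands)
        target.commands.update(commands)

    def enable_view(self, view: str, password: str) -> bool:
        """Constant-time password check made when a user switches into a view."""
        v = self._views.get(view)
        if v is None:
            return False
        return hmac.compare_digest(_derive(password, v.salt), v.secret)

    def permitted(self, view: str, command: str) -> bool:
        return command in self._view(view).commands

    def commands(self, view: str) -> Set[str]:
        return set(self._view(view).commands)


def build_example() -> ViewStore:
    """Constructed roles: a NOC view for read-only checks and a security view
    that takes exclusive ownership of the logging commands."""
    store = ViewStore()
    store.create_view("noc", "noc-secret")
    store.create_view("secops", "secops-secret")
    store.include("noc", "show ip route", "show interfaces", "show logging")
    store.include("secops", "show ip route")
    store.include_exclusive("secops", "show logging", "clear logging")
    return store
```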

Benefits

With the role-based CLI access control, users can match access to CLI commands based on their operational job roles.

Security—Greatly enhances the security of the device by defining the set of CLI commands that are accessible to a particular user.

Availability—Prevents unintentional execution of CLI commands by unauthorized personnel resulting in undesirable results. This feature can greatly improve the availability of the device.

Operational Efficiency—Since users will only see the CLI commands that are accessible to them, this greatly improves the operational usability of the device.

Hardware

Routers

Cisco 7200 Series

Cisco 1760, 2610XM, 2611XM, 3640A, and 3725 Routers


Product Management Contact: IOS-Security-PM@cisco.com

5.2.3) Control Plane Policing Enhancements

Description

The Control Plane Policing feature is widely used by customers to protect the control plane of the device from being overwhelmed with traffic (often from DoS attacks).

New enhancements in this release of Cisco IOS Software include SNMP access (by extending the cbQos MIB) to the policy applied to the control plane, as well as an enhancement to the policy descriptor that allows the rate in the policy map to be specified in packets per second (as an alternative to the current bits per second).

Benefits

Ease of Management—Users can now view control plane policies via SNMP.

Operational Simplicity—With the addition of the packets-per-second specification in the control plane policy map, network administrators may find it easier to describe the desired policy.

Hardware

Routers

Cisco 7200 Series


Product Management Contact: IOS-Security-PM@cisco.com

5.2.4) IP Source Tracker

Description

The IP Source Tracker feature allows you to gather information about the traffic flowing to a host that is suspected of being under attack. This feature also allows you to easily trace an attack back to its entry point into the network.

To trace attacks, NetFlow and access control lists (ACLs) are used together to determine the source. To block attacks, committed access rate (CAR) and ACLs are used.

Normally, when you identify the host that is subject to a DoS attack, you must determine the network ingress point to effectively block the attack. This process starts at the router closest to the host.

The IP Source Tracker feature provides an easy, more scalable alternative to output ACLs for tracking DoS attacks.

The IP Source Tracker works as follows:


Step 1. After you identify the destination being attacked, enable tracking for the destination address on the whole router by entering the ip source-track command.

Step 2. A special CEF entry is created for the destination address being tracked. For line cards or port adapters that use specialized ASICs to do packet switching, the CEF entry is used to punt packets to the line card's or port adapter's CPU.

Step 3. Each line card CPU collects information about the traffic flow to the tracked destination, using NetFlow.

Step 4. The data generated is periodically exported to the router. To display a summary of the flow information, enter the show ip source-track summary command. To display more detailed information for each input interface, enter the show ip source-track command.

Step 5. The statistics provide a breakdown of the traffic to each tracked IP address, which lets you determine which upstream router to analyze next. You can shut down the IP source tracker on the current router by entering the no ip source-track command, and enable it on the upstream router.

Step 6. Repeat Step 1 through Step 5 until you identify the source of the attack.

Step 7. Apply CAR or ACLs to limit or stop the attack.
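A model of Steps 1 through 5 as an added Python example (not Cisco's implementation): it aggregates constructed NetFlow-style records per input interface for a tracked destination, enforces an address limit, and picks the interface whose upstream router to analyze next. The Flow record, the interface names and addresses, and the address-limit semantics are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Constructed NetFlow-style record, as a line card CPU would collect it."""
    input_if: str
    src: str
    dst: str
    packets: int
    octets: int


class SourceTracker:
    """Models the per-destination statistics that 'ip source-track' builds.

    address_limit mirrors 'ip source-track address-limit'; None means unlimited,
    which the page states is the default.
    """

    def __init__(self, address_limit: Optional[int] = None):
        self.address_limit = address_limit
        self.tracked = set()
        # dst -> input interface -> [packets, octets]
        self.stats: Dict[str, Dict[str, list]] = defaultdict(
            lambda: defaultdict(lambda: [0, 0]))

    def track(self, dst: str) -> bool:
        """Step 1: start tracking dst. Refused once the address limit is reached."""
        if dst in self.tracked:
            return True
        if self.address_limit is not None and len(self.tracked) >= self.address_limit:
            return False
        self.tracked.add(dst)
        return True

    def untrack(self, dst: str) -> None:
        """'no ip source-track dst': stop tracking and discard its statistics."""
        self.tracked.discard(dst)
        self.stats.pop(dst, None)

    def observe(self, flow: Flow) -> None:
        """Steps 2-3: only traffic to a tracked destination is punted and counted."""
        if flow.dst not in self.tracked:
            return
        entry = self.stats[flow.dst][flow.input_if]
        entry[0] += flow.packets
        entry[1] += flow.octets

    def summary(self, dst: str) -> Dict[str, Tuple[int, int]]:
        """Step 4: per-input-interface (packets, octets) breakdown for dst."""
        return {ifname: (p, o) for ifname, (p, o) in self.stats[dst].items()}

    def next_upstream_interface(self, dst: str) -> Optional[str]:
        """Step 5: the input interface carrying the most packets to dst is the
        side whose upstream router should be analyzed next."""
        breakdown = self.summary(dst)
        if not breakdown:
            return None
        return max(breakdown, key=lambda ifname: breakdown[ifname][0])


# Constructed sample: a flood toward 192.0.2.10 arriving mostly on Serial0/1.
SAMPLE_FLOWS = [
    Flow("Serial0/1", "198.51.100.7", "192.0.2.10", 12000, 768000),
    Flow("Serial0/1", "198.51.100.9", "192.0.2.10", 9500, 608000),
    Flow("FastEthernet0/0", "203.0.113.4", "192.0.2.10", 40, 4800),
    Flow("FastEthernet0/0", "203.0.113.5", "192.0.2.20", 30, 3600),  # not tracked
]


def trace_sample() -> Tuple[Dict[str, Tuple[int, int]], Optional[str]]:
    """Run the sample flows through a tracker; return (summary, next interface)."""
    tracker = SourceTracker()
    tracker.track("192.0.2.10")
    for flow in SAMPLE_FLOWS:
        tracker.observe(flow)
    return tracker.summary("192.0.2.10"), tracker.next_upstream_interface("192.0.2.10")
```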

Figure 47

IP Source Tracker

Benefits

Complete Network Coverage: Because the IP Source Tracker feature is now supported on all platforms, it allows you to track DoS attacks across your entire network.

Complete Tracking Information Provided: The IP source tracker generates all the necessary information in an easy-to-use format to track the network entry point of a DoS attack.

Tracking an Unlimited Number of IPs Simultaneously: Using the IP source tracker, you can track multiple IPs at the same time. By default there is no limit. To limit the number of IPs that are simultaneously tracked, use the ip source-track address-limit command.

Hardware

Routers

Cisco 800, 1400, 1600, 1700, 2600, 7100, 7200, and 7500 Series

Cisco 3640 and 3660 Routers

Cable Access Routers

Cisco uBR905 and uBR925 Cable Access Routers


Product Management Contact: IOS-Security-PM@cisco.com

5.2.5) Per VRF TACACS+ Support

Description

The Per VRF AAA functionality enables AAA services to be based on VPN routing and forwarding (VRF) instances. The Provider Edge (PE) or Virtual Home Gateway (VHG) can now communicate directly with the customer's TACACS+ server. In this version of Cisco IOS Software, the TACACS+ protocol is now VRF aware, in addition to the RADIUS protocol, which has been VRF aware since Cisco IOS Release 12.2(15)T.

Benefits

Per VRF support for TACACS+.

Scalable Solution—Customers who use TACACS+ can now assign users on a per-VRF basis, making the deployment much more scalable and manageable.

Hardware

Routers

Cisco 7200 and 7500 Series

Cisco 2620 and 2621 Routers


Product Management Contact: IOS-Security-PM@cisco.com

5.2.6) Cisco IOS Firewall for IPv6

Cisco IOS Firewall provides advanced traffic filtering and stateful packet inspection functionality as an integral part of a network. In addition to providing filtering of Layer 4 through Layer 7 traffic for IPv4 networks, Cisco IOS firewall now extends the same support for IPv6 topologies. Key features supported in this release include:

Layer 4 inspection (ICMP, UDP, TCP), including IP fragment inspection of IPv6 packets. Simple TCP/IP applications, such as web browsers and telnet clients, are also covered by the Layer 4 inspection.

TCP sequence numbers are tracked and packets outside the expected range are dropped. ICMP echo request/reply packets are inspected using ICMPv6.

Support of IPv6 fragmented packets. The fragment header will be used to trigger fragment processing. The Cisco IOS Firewall virtual fragment reassembly (VFR) will perform the following functions on fragments:

Examine out of sequence fragments and switch the packets in order.

Examine the number of fragments received from a single IP address for a given identifier, to detect fragment-based DoS attacks.

Perform virtual reassembly to handoff to upper layer protocols.

IPv6 DoS attack mitigation mechanisms are supported in the same fashion as in the current IPv4 implementation.

IPv6 packets tunneled toward an IPv4 destination are terminated on the Cisco IOS Firewall router and inspected.
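The three VFR functions listed above (reordering out-of-sequence fragments, counting fragments per source and identifier, virtual reassembly for hand-off) modeled as an added Python example; this is not Cisco's code, and the Fragment record, the fragment-count threshold and the overlap handling are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """Constructed model of the fields a firewall reads from the IPv6 Fragment header."""
    src: str        # source address
    ident: int      # Identification, shared by every fragment of one original packet
    offset: int     # fragment offset in octets (the header carries it in 8-octet units)
    more: bool      # M flag: more fragments follow
    payload: bytes  # fragmentable part carried by this fragment


class VirtualFragmentReassembler:
    """Reorders, counts and virtually reassembles fragments per (source, identifier).

    max_fragments is an assumed per-datagram threshold: the page says the number
    of fragments from one source for one identifier is examined but gives no value.
    """

    def __init__(self, max_fragments: int = 32):
        self.max_fragments = max_fragments
        self.pending: Dict[Tuple[str, int], List[Fragment]] = {}

    def add(self, frag: Fragment) -> Tuple[str, Optional[bytes]]:
        """Feed one fragment. Returns one of
        ("drop", None)      too many fragments, or an overlapping fragment (assumed)
        ("hold", None)      datagram still incomplete; the fragment is queued
        ("complete", data)  every fragment present; data is the reassembled payload
        """
        key = (frag.src, frag.ident)
        frags = self.pending.setdefault(key, [])
        frags.append(frag)
        # DoS check: one (source, identifier) pair producing endless fragments
        if len(frags) > self.max_fragments:
            del self.pending[key]
            return "drop", None
        # Out-of-sequence arrival: put the fragments back into offset order
        frags.sort(key=lambda f: f.offset)
        expected = 0
        for f in frags:
            if f.offset < expected:      # overlaps data already held (assumed: drop)
                del self.pending[key]
                return "drop", None
            if f.offset > expected:      # gap: a fragment is still missing
                return "hold", None
            expected += len(f.payload)
        if frags[-1].more:               # the final fragment has not arrived yet
            return "hold", None
        del self.pending[key]
        return "complete", b"".join(f.payload for f in frags)


def reassemble_out_of_order() -> List[Tuple[str, Optional[bytes]]]:
    """Constructed sample: three fragments of one packet arriving last-first."""
    vfr = VirtualFragmentReassembler()
    frags = [
        Fragment("2001:db8::1", 0x1234, 16, False, b"C" * 8),
        Fragment("2001:db8::1", 0x1234, 0, True, b"A" * 8),
        Fragment("2001:db8::1", 0x1234, 8, True, b"B" * 8),
    ]
    return [vfr.add(f) for f in frags]


def fragment_flood(count: int) -> str:
    """Constructed sample: one source keeps sending fragments of the same
    identifier without ever sending the last one. Returns the final verdict."""
    vfr = VirtualFragmentReassembler(max_fragments=32)
    verdict = "hold"
    for i in range(count):
        verdict, _ = vfr.add(Fragment("2001:db8::2", 0x42, i * 8, True, b"X" * 8))
    return verdict
```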

For additional information, refer to Cisco IOS Firewall documentation at: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00801d65f4.html

Figure 48

Cisco IOS Firewall for IPv6

Benefits

Cisco IOS Firewall now enables users to deploy firewalls in both IPv4 and IPv6 networks on the same platform. Benefits include:

Stateful packet inspection of TCP, UDP, ICMP sessions.

Coexistence in IPv4 and IPv6 environments.

Inspect traffic and mitigate network attacks trying to exploit IPv4 and IPv6 fragments.

Stateful inspection of packets originating from the IPv4 network terminating in an IPv6 environment by providing v4 to v6 translation services.

Ability to interpret or recognize most IPv6 extension header information, such as the Routing header, Hop-by-Hop Options header, Fragment header and Destination Options header.

Hardware

Routers

Cisco 1700—7200 Series


Product Management Contact: IOS-Security-PM@cisco.com

5.2.7) Transparent Cisco IOS Firewall

Description

This feature is sometimes referred to as a Layer 2 firewall. Conventional Layer 3 firewalls require the existing network architecture to be split into three subnets comprising the inside, outside and DMZ segments. A network not designed to accommodate this subnetted architecture would have to be rearchitected and/or renumbered to securely deploy a Layer 3 firewall. This is time consuming and resource intensive, and not technically feasible in some deployment scenarios.

Most commercial firewalls operate in either a transparent mode or the conventional L3 mode. The Cisco IOS Firewall is designed to simultaneously interoperate in both modes and allows for better total ROI by reducing the firewall requirements of an organization.

The following diagram depicts a retail store network with the Transparent Cisco IOS Firewall deployed. Cisco now has a firewall that can protect the network by applying the appropriate Layer 2 MAC access control lists and Layer 3 IP access control lists.

Figure 49

Transparent Cisco IOS Firewall Deployment

The transparent firewall is configured just like the current Layer 3 firewall, using the "ip inspect" command. The "ip inspect in/out" command can be configured on any of the bridged interfaces for Layer 2 protection, while also being configured on any LAN or serial interface to provide traditional Layer 3 protection. The transparent firewall operates on the bridged packets and the Layer 3 firewall continues to operate on the routed packets.

Benefits

The Transparent Cisco IOS Firewall offers several distinctive advantages over conventional Layer 3 Firewalls.

Ability to insert a Stateful Layer 2 firewall within an existing network.

No need to readdress statically addressed devices when a firewall is introduced into the network. It can be deployed into existing networks without creating any Layer 3 subnet separations, and offers complete Cisco IOS Firewall functionality (TCP, UDP, ICMP and application support).

Untrusted wireless access points that are part of an existing network can be seamlessly deployed behind the Transparent Cisco IOS Firewall to provide added security to wireless users.

It can be deployed on VLAN trunks running between switches and routers for added security.

Users can allow selected devices from a subnet to traverse the firewall while denying access to other devices on the same subnet.

Ability to provide both Layer 2 and Layer 3 firewalling capabilities on the same router.

Hardware

Routers

Cisco 800—2600 Series


Product Management Contact: IOS-Security-PM@cisco.com

5.2.8) Extended Simple Mail Transport Protocol

Description

Cisco IOS Firewall has always detected and blocked SMTP attacks (illegal SMTP commands) and issued alerts when it detects an SMTP attack. The firewall detects a limited number of SMTP attack signatures. A signature in a SYSLOG message indicates a possible attack against the protected network, such as the detection of illegal SMTP commands in a packet. Whenever a signature is detected, the connection is reset.

The Cisco IOS Firewall now supports the inspection of ESMTP (Extended Simple Mail Transport Protocol) by inspecting SMTP commands for legality. Commands that will be inspected include AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML and VRFY. All others are considered illegal. RFC 1869 describes the SMTP Service Extensions.

Included in the current SMTP implementation is an IDS signature capability built into the Cisco IOS Firewall. The SMTP firewall currently scans for a set of hard-coded attack signatures. The detection of a signature causes the Cisco IOS Firewall to raise an alert message and close the SMTP session. There are 11 "IDS Sensor" attack signatures, five of which have always been integrated into the Cisco IOS Firewall SMTP implementation.

Signature          Description
Mail: bad rcpt     Triggers on any mail message with a "pipe" ( | ) symbol in the recipient field.
Mail: bad from     Triggers on any mail message with a "pipe" ( | ) symbol in the "From:" field.
Mail: old attack   Triggers when "wiz" or "debug" commands are sent to the SMTP port.
Mail: decode       Triggers on any mail message with a ":decode@" in the header.
Majordomo          A bug in the Majordomo program will allow remote users to execute arbitrary commands at the privilege level of the server.
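The command allowlist and the signature table above as an added Python example, not the Cisco IOS Firewall implementation: a stateful walk over the client side of a constructed SMTP session that resets on the first illegal command or matching signature. The sample sessions, the treatment of the MAIL FROM envelope like the "From:" field, and the omission of the Majordomo signature (the table gives no pattern for it) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Commands the page lists as legal for ESMTP inspection; anything else is illegal.
LEGAL_COMMANDS = {
    "AUTH", "DATA", "EHLO", "ETRN", "HELO", "HELP", "MAIL", "NOOP",
    "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY",
}


@dataclass
class Verdict:
    action: str             # "pass" (session completed) or "reset" (session closed)
    alert: Optional[str]    # signature name or reason behind a reset
    line_no: int = 0        # 1-based index of the client line that triggered it


def inspect_session(client_lines: List[str]) -> Verdict:
    """Walk the client half of an SMTP session the way a stateful inspector would.

    Envelope commands are checked against LEGAL_COMMANDS and against the
    "old attack" and pipe signatures; once DATA starts, header lines are checked
    for the "From:" pipe and ":decode@" signatures until the blank line that ends
    the headers. The first hit resets the session, as the page describes.
    """
    in_data = False      # between DATA and the terminating "." line
    in_headers = False   # still inside the message header block
    for n, line in enumerate(client_lines, 1):
        if in_data:
            if line == ".":
                in_data = in_headers = False
            elif in_headers and line == "":
                in_headers = False
            elif in_headers and line.lower().startswith("from:") and "|" in line:
                return Verdict("reset", "Mail: bad from", n)
            elif in_headers and ":decode@" in line:
                return Verdict("reset", "Mail: decode", n)
            continue
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if verb in ("WIZ", "DEBUG"):
            return Verdict("reset", "Mail: old attack", n)
        if verb not in LEGAL_COMMANDS:
            return Verdict("reset", f"illegal command {verb}", n)
        if verb == "RCPT" and "|" in arg:
            return Verdict("reset", "Mail: bad rcpt", n)
        if verb == "MAIL" and "|" in arg:   # assumed: envelope sender treated like "From:"
            return Verdict("reset", "Mail: bad from", n)
        if verb == "DATA":
            in_data = in_headers = True
    return Verdict("pass", None)


# Constructed sessions (client side only; server replies are not inspected here).
CLEAN_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "From: alice@example.net",
    "To: bob@example.com",
    "Subject: status report",
    "",
    "All systems nominal.",
    ".",
    "QUIT",
]

PIPE_RECIPIENT_SESSION = CLEAN_SESSION[:2] + ["RCPT TO:<bob|reports@example.com>"]

DECODE_HEADER_SESSION = CLEAN_SESSION[:4] + ["To: :decode@example.com", ""]

# TURN is a real RFC 821 command, but it is not on the page's legal list.
LEGACY_COMMAND_SESSION = ["HELO mail.example.net", "TURN"]
```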


Benefits

The Cisco IOS Firewall now dynamically supports the traversal of ESMTP messages.

Able to identify ESMTP/SMTP attacks with the built-in IDS signature capability.

Hardware

Routers

Cisco 800-2600 Series


Product Management Contact: IOS-Security-PM@cisco.com

5.2.9) Key Rollover for Certificate Renewal

Description

Automatic certificate enrollment was introduced to allow the router to automatically request a certificate from the certification authority (CA) server. By default, the automatic enrollment feature requests a new certificate when the old certificate expires. Connectivity can be lost while the request is being serviced because the existing certificate and key pairs are deleted immediately after the new key is generated. The new key does not have a certificate to match it until the process is complete and incoming Internet Key Exchange (IKE) connections cannot be established until the new certificate is issued. The Key Rollover for Certificate Renewal feature allows the certificate renewal request to be made before the certificate expires and retains the old key and certificate until the new certificate is available.

Figure 50

Key Rollover for Certificate Renewal

Benefits

Certificate Autoenrollment with key rollover allows you to configure your router to automatically request a certificate from the certification authority (CA) that is using the parameters in the configuration. Thus, operator intervention is no longer required at the time the enrollment request is sent to the CA server. When the certificate expires, a new certificate is requested. This provides unattended recovery from expiration of certificates.

Hardware

Routers

Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, and 7400


Product Management Contact: IOS-Security-PM@cisco.com

5.2.10) PKI: Query Multiple Servers during Certificate Revocation Check

Description

When validating an X.509 certificate presented by a peer, the Certificate Revocation List (CRL) is checked to make sure the certificate has not been revoked by the issuing Certificate Authority (CA). The certificate usually contains a Certificate Distribution Point (CDP) in the form of a URL. Cisco IOS Software uses the CDP to locate and retrieve the CRL.

Previous versions of Cisco IOS Software make only one attempt to retrieve the CRL, even when the certificate contains more than one CDP. If the CDP server does not respond, Cisco IOS Software reports an error, which may result in the peer's certificate being rejected.

Cisco IOS Release 12.3(103)T introduces the ability for Cisco IOS Software to use all of the available CDPs in a certificate: it attempts to retrieve a CRL until all of the CDPs in the certificate have been tried. In addition, this feature introduces the ability to override the CDPs in a certificate with a manually configured CDP.
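The single-attempt behaviour, the try-every-CDP behaviour and the manual override side by side, as an added Python example that is not Cisco's code; the Certificate and CRL records, the constructed fetcher and the CDP URLs are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    subject: str
    serial: int
    cdps: Tuple[str, ...]    # CRL distribution points, in certificate order


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: frozenset


class CdpUnreachable(Exception):
    """Raised when a CDP server does not respond."""


# A fetcher takes a CDP URL and returns the CRL found there, or raises CdpUnreachable.
Fetcher = Callable[[str], CRL]


def fetch_crl_legacy(cert: Certificate, fetch: Fetcher) -> CRL:
    """Earlier behaviour as the page describes it: one attempt, first CDP only."""
    return fetch(cert.cdps[0])


def fetch_crl(cert: Certificate, fetch: Fetcher,
              override_cdps: Optional[List[str]] = None) -> Tuple[CRL, List[str]]:
    """Try every CDP until one answers. A manually configured override list
    replaces the certificate's own CDPs entirely. Returns (crl, urls_tried)."""
    candidates = list(override_cdps) if override_cdps else list(cert.cdps)
    tried: List[str] = []
    for url in candidates:
        tried.append(url)
        try:
            return fetch(url), tried
        except CdpUnreachable:
            continue
    raise CdpUnreachable(f"all {len(tried)} CDP(s) failed: {tried}")


def validate(cert: Certificate, fetch: Fetcher,
             override_cdps: Optional[List[str]] = None, legacy: bool = False) -> str:
    """Revocation check outcome for a peer certificate: 'valid', 'revoked' or 'error'.
    'error' is the case the page describes, where the CRL cannot be retrieved and
    the peer's certificate may be rejected."""
    try:
        if legacy:
            crl = fetch_crl_legacy(cert, fetch)
        else:
            crl, _ = fetch_crl(cert, fetch, override_cdps)
    except CdpUnreachable:
        return "error"
    return "revoked" if cert.serial in crl.revoked_serials else "valid"


# Constructed CA state: serial 0x1234 has been revoked.
CONSTRUCTED_CRL = CRL("CN=Example Issuing CA", frozenset({0x1234}))

# Constructed server availability: the primary HTTP CDP is down, the others answer.
CDP_SERVERS: Dict[str, Optional[CRL]] = {
    "http://crl1.example.net/issuing.crl": None,
    "ldap://crl2.example.net/CN=Issuing,O=Example": CONSTRUCTED_CRL,
    "http://crl-mirror.example.net/issuing.crl": CONSTRUCTED_CRL,
}


def constructed_fetch(url: str) -> CRL:
    """Stand-in for the HTTP/LDAP retrieval; consults the constructed table."""
    crl = CDP_SERVERS.get(url)
    if crl is None:
        raise CdpUnreachable(url)
    return crl


PEER_CERT = Certificate("CN=spoke-1", 0x1235,
                        ("http://crl1.example.net/issuing.crl",
                         "ldap://crl2.example.net/CN=Issuing,O=Example"))
REVOKED_CERT = Certificate("CN=spoke-2", 0x1234, PEER_CERT.cdps)
SINGLE_CDP_CERT = Certificate("CN=spoke-3", 0x1236,
                              ("http://crl1.example.net/issuing.crl",))
```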

Figure 51

Checking the Certificate Revocation List

Benefits

This feature introduces the ability for Cisco IOS Software to make multiple attempts to retrieve the CRL, allowing operations to continue when a particular server is not available. In addition, the ability to override the CDPs in a certificate with a manually configured CDP has been introduced. Manually overriding the CDPs in a certificate can be advantageous when a particular server may be unavailable for an extended period of time. The certificate's CDPs can be replaced with a URL or directory specification without re-issuing all of the certificates containing the original CDP.

Hardware

Routers

Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, and 7400


Product Management Contact: IOS-Security-PM@cisco.com

5.2.11) Virtual Private Network Routing and Forwarding Instance Integrated Dynamic Multipoint VPN

Virtual Private Network (VPN) Routing and Forwarding (VRF) Instance Integrated Dynamic Multipoint VPN (DMVPN) enables users to map site-to-site DMVPN IPsec sessions into Multiprotocol Label Switching (MPLS) VPNs. This allows service providers to extend their existing MPLS VPN service by mapping off-net sites (typically a branch office) to their respective VPNs. IPsec sessions are terminated on the DMVPN PE device and traffic is placed in VRFs for MPLS VPN connectivity. Specifically, work was done to extend the Next Hop Routing Protocol (NHRP) to look into the VRF Tables while building the database of spoke addresses in the hub.

Figure 52

Dynamic Multipoint VPN

Benefits

DMVPNs can be used to extend the MPLS networks deployed by service providers to take advantage of the ease of configuration of hub and spokes, support for dynamically addressed CPEs and zero touch provisioning for adding new spokes into a DMVPN.

DMVPN architecture can coalesce many spokes into a single multipoint GRE interface, removing the need for a distinct physical/logical interface for each spoke in a native IPsec installation.

Hardware

Routers

Cisco 1700, 2600, 3600, 7200, and 7400 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

5.2.12) Network Address Translation (NAT)—Transparency Aware DMVPN

When a DMVPN spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries the NHRP server for the real (outside) address of the destination spoke. The DMVPN hub maintains an NHRP database of the tunnel endpoints and the physical addresses of the spokes. As the diagram shows, it is very likely that spokes in a DMVPN cloud are given the same physical address by the NAT boxes sitting in front of them. Because the spokes often have no control over the addresses provided to them by the ISP, DMVPN was enhanced to work for spokes behind a NAT box.

Figure 53

Hardware

Routers

Cisco 1700, 2600, 3600, 7200, and 7400 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

5.2.13) SEAL Encryption

The Software Encryption Algorithm (SEAL) Encryption feature adds support for SEAL in IP Security implementations. SEAL encryption is an alternative to software-based Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). SEAL has a lower impact on the CPU than other software-based algorithms. It uses a 160-bit key for encryption and provides adequate encryption for many applications. SEAL encryption is recommended for use on IPsec peers without crypto accelerator hardware present. Configuring SEAL also requires the use of an authentication transform, and the SEAL transform cannot be used with a manually keyed crypto map.

For additional information, please visit:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801e9e7e.html

Product Management Contact: IOS-Security-PM@cisco.com

5.3) Mobile IP

5.3.1) Mobile IP Foreign Agent Local Routing for Mobile Networks

Description

The Mobile IPv4 protocol, as defined in RFC 3344, does not allow direct routing from a corresponding node (IP host/device) to a mobile node or to mobile networks behind a mobile router. The protocol requires the traffic to go through the mobile node's Home Agent (HA), creating the behavior known as "triangle routing".

Foreign Agent (FA) Local Routing to Mobile Networks provides a solution to this problem by allowing the corresponding nodes (IP host/device) connected to a FA to route traffic directly via the FA to mobile networks which have roamed to and connected to the same FA.

The FA and HA work together in a secured fashion to learn the necessary routing information that the FA will add to its own routing table. This information enables the IP traffic from natively attached (Ethernet, WLAN) IP hosts to follow the optimized routing path to the mobile networks.

Learning consists of identifying when a mobile network attaches to the FA, the subnets of the mobile network, and when the mobile network has left the FA in question. With this information the FA is able to add routing information to its routing table and subsequently clean up and remove the routing reachability information.

It is a mandatory requirement to turn on FA-HA Authentication (FHAE) which is off by default as per Mobile IP RFC 3344.

Figure 54

Foreign Agent Local Routing to Mobile Networks—Before

Figure 55

Foreign Agent Local Routing to Mobile Networks—After

Benefits

Optimized routing path between IP devices connected to a Foreign Agent and Mobile Networks that roam into and connect to the same Foreign Agent.

Latency sensitive applications such as Video and Voice will benefit from a shorter routing path.

Conserve link bandwidth between FA and HA, beneficial when low speed connections are in use.

Refer to the following document for additional information:

IP Mobility Support for IPv4: http://www.ietf.org/rfc/rfc3344.txt?number=3344

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


Product Management Contact: mdenny@cisco.com

5.3.2) Mobile IP—Mobile Networks PPP Dynamic Collocated Care-of-Address

Description

Per RFC 3344 when a mobile node/mobile router is connecting to a Home Agent (HA) directly, bypassing a Foreign Agent (FA), it must obtain an IP address from the local network it has roamed into and use this address as its Co-Located Care of Address (CCoA).

Mobile node: Mobile IP client capability on an individual IP device.

Mobile router: Mobile IP client capability on a router or Layer 3 device with one or more subnets connected to it.

This enhancement enables a mobile router to acquire an IP address dynamically from the network it has roamed into, and use this address as its CCoA.

This enhancement supports the use of PPP/IPCP to dynamically acquire an IP Address.

Support of DHCP to dynamically acquire an IP Address will follow.

The mobile router registers itself with its Home Agent using the dynamically acquired IP address. Upon successful registration, the home agent builds a tunnel to the mobile router's CCoA.

Prior to this enhancement all interfaces on a mobile router requiring CCoA support had to have an IP address statically pre-configured.

Figure 56

Mobile Networks PPP Dynamic Co-Located CCoA

Benefits

Greatly simplifies configuration and provision of a mobile router, such as the Cisco 3200 Mobile Access Router.

With Dynamic CCoA support the mobile router can automatically detect whether or not a Foreign Agent is present in the roamed-to network, and determine the appropriate method for connecting to its Home Agent.

Flexibility to roam into and connect through networks that might not be known in advance.

Ability to dynamically acquire an IP address from a roamed-to network.

Initial support for Static Co-located Care-of-Address (CCoA) required upfront knowledge of all potential networks the Mobile Access Router would connect to and through, and required an IP address be pre-provisioned for each mobile router.

Refer to the following document for additional information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtcolloc.htm

IP Mobility Support for IPv4: http://www.ietf.org/rfc/rfc3344.txt?number=3344

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


Product Management Contact: mdenny@cisco.com

5.4) Quality of Service

5.4.1) AutoQoS for the Enterprise

Description

AutoQoS for the Enterprise provides automation for deployment of QoS policies in a general business environment, particularly for mid-size companies and branch offices of larger companies. A customer will use AutoQoS for the Enterprise in two steps. First, AutoDiscovery is invoked to run for a period of time—several days or a week—as desired by the user. AutoDiscovery will use NBAR-based protocol discovery to detect the applications as they arrive, collect data from the offered traffic, and perform statistical analysis. Users can view the applications that have been detected before the AutoDiscovery interval is finished. Then this information will be used to automatically build an MQC-based QoS policy, mapping the applications to their corresponding DiffServ classes and assigning appropriate values for bandwidth and scheduling parameters. Existing QoS policies may or may not be present during the data collection phase (AutoDiscovery). However, existing QoS policies are replaced by AutoQoS-generated policies when the user issues the auto qos command.

Figure 57

AutoQoS for the Enterprise Comprehensive QoS Deployment in Two Steps

Benefits

AutoQoS for the Enterprise provides comprehensive QoS deployment in two steps, reducing QoS deployment time and cost.

Hardware

Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3631, 3640, 3640A, and 3660 Routers

Cisco 3725 and 3745 Routers

Cisco 7200 and Cisco 7500 Series


Product Management Contact: timcswee@cisco.com

5.4.2) NBAR-NAT Integration and RTSP

Description

Network Address Translation (NAT) is one of the most widely deployed IP services, and Port Address Translation (PAT) is one of its most popular configurations. With this NBAR-NAT integration, RTSP-based applications can work in PAT configuration mode.

Port Address Translation (PAT) configuration mode in Cisco IOS NAT allows customers to multiplex multiple users concurrently on a single IP Address. A maximum of 65535 individual users can concurrently be using a single source IP Address. A unique source port is used to differentiate each user.

In PAT configuration, NAT needs to be able to detect ports being used by RTSP (the default port is TCP 554) and set them aside to ensure that those source ports are not used to identify general users in a PAT configuration.

Real Time Streaming Protocol (RTSP) is a client-server multimedia presentation control protocol that underlies multimedia applications—video delivery, for example—that are becoming increasingly popular through products such as the following:

RealSystem G2 by RealNetworks

Windows Media Services (WMS) by Microsoft

QuickTime by Apple

IPTV by Cisco

Figure 58

NBAR Provides NAT with RTSP Parsing Results

Benefits

With this NBAR-NAT integration the many customers who use NAT can now run RTSP-based applications in Port Address Translation (PAT) mode.

Hardware

Routers

Cisco 1710, 1720, 1721, 1750, 1751 and 1760 Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3620, 3631, 3640 and 3660 Routers

Cisco 3725 and 3745 Routers

Cisco 7200, 7300 and 7500 Series


Product Management Contacts: NAT, mdenny@cisco.com; NBAR, timcswee@cisco.com

5.5) Multicast

5.5.1) MSDP Compliance with IETF MSDP Draft 20

Description

The MSDP Compliance with IETF MSDP Draft 20 feature enables you to use BGP route reflectors without running MSDP on them. It also allows you to use an Interior Gateway Protocol (IGP) for the RPF check, giving you the ability to run peerings without BGP or MBGP.

Benefits

This feature adds support for the following functions:

Allows the use of BGP route reflectors without running MSDP on them.

Allows the use of an Interior Gateway Protocol (IGP) for the RPF check, giving you the ability to run peerings without BGP or MBGP.

Provides ability to have peerings between routers in non-directly connected autonomous systems (that is, with one or more autonomous systems between them). This helps in confederation configurations and for redundancy.

Provides valuable information while debugging MSDP problems with the new "show ip msdp rpf" command.

Hardware

Routers

Cisco 3700 Series

Cisco 7200 Series and Cisco 7500 Series


Product Management Contact: g_singh@cisco.com

5.5.2) IPv6 Multicast Phase 1 & Phase 2

Description

IPv6 Multicast is a new version of IP Multicast which is designed to be an evolutionary step from IPv4 Multicast. Although the basic notion of multicasting is common to IPv4 and IPv6, differences of multicasting between IPv4 and IPv6 require several original approaches toward implementation, including handling of multicast interfaces, using scoped addresses in PIM and more.

Cisco IPv6 Multicast feature set (Phase 1 & Phase 2) introduces all the mandatory software components required to deploy a production IPv6 Multicast network, to support any IPv6 Multicast application end-to-end in a given network. It supports the deployment scenarios for both intra-domain and inter-domain IPv6 Multicast.

IPv6 Multicast Phase 1 feature introduces the support for:

RFC 2373

RFC 3569

RFC 3590

PIM (Protocol Independent Multicast)

Source Specific Multicast (PIM-SSM)

Sparse-Mode (PIM-SM)

Full MLDv1/v2 Compatibility

Explicit Tracking in v2 Mode

Full Support for DR Functionality (registers, etc.)

Static RP Assignment with Multiple RP Mapping

Intra-Domain Multicast Routing via PIMv6-SM

Inter-Domain Multicast via PIMv6-SSM

Multicast v6 Ping

Mtrace for v6

IPv6 Scoped Address Architecture

Basic Multicast v6 Debugging Capabilities

v6-in-v4 Tunneling

IPv6 Multicast Phase 2 feature introduces the support for:

Support for Embedded RP Mapping

mBGP for Multicast v6

Static mroutes

Forwarding Support for BSR Messages

MLD Access-Groups for Receiver Control

Register Filters for Source Control

Enhanced Boundaries, Policy per Sources and per Groups

Distributed Fast Switching for Multicast v6

v6-in-v6 Tunneling

Figure 59

IPv6 Multicast Phase 1 & Phase 2

Benefits

Cisco IPv6 Multicast feature set allows you to deploy a production IPv6 Multicast network, to support any IPv6 Multicast application end-to-end in a given network.

It supports the deployment scenarios for both intra-domain and inter-domain IPv6 Multicast.

Hardware

Routers

Cisco 3700 Series

Cisco 7200 and 7500 Series


Product Management Contact: g_singh@cisco.com

5.5.3) PIM Dense Mode Fallback Prevention after RP Information Loss

Description

Preventing the use of PIM dense mode is very important to multicast networks whose reliability is critical. This feature enables you to prevent Protocol Independent Multicast (PIM) dense mode fallback when all rendezvous points fail. It provides a mechanism to keep the multicast groups in sparse mode and also allows you to block multicast traffic for groups not specifically configured.

Benefits

Ability to block multicast traffic for groups not specifically configured.

Provides a mechanism to keep the multicast groups in sparse mode.

Hardware

Routers

Cisco 3700 Series

Cisco 7200 and 7500 Series


Product Management Contact: g_singh@cisco.com

5.6) Embedded Network Management

5.6.1) SSG Permanent TCP Redirection

Description

The SSG Permanent TCP Redirection feature enables Service Selection Gateway (SSG), in conjunction with Cisco Subscriber Edge Services Manager (SESM), to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This feature supports plug-and-play functionality in public access networks such as Public Wireless LANs.

Release     Modification
12.3(3)B    This feature was introduced.
12.3(7)T    This feature was implemented in Cisco IOS Release 12.3(7)T.


Benefits

The SSG Permanent TCP Redirection feature enables SSG to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This solution enables SSG, in conjunction with SESM, to provide an emulation of the HTTP proxy so the experience of the user is as if the user's web browser were exchanging traffic with the user's real HTTP proxy server. This feature supports plug-and-play functionality in public access networks such as Public Wireless LANs.

Restrictions:

The following restrictions apply to the SSG Auto-logoff Enhancement feature:

SSG will not provide concurrent service selection to the HTTP proxy user who uses web traffic to reach more than one service. SSG can redirect web traffic to only one service or server.

SSG will not provide TCP redirection for unauthorized services for HTTP proxy users who are unauthenticated because SSG will not know the destination of the traffic.

SSG simulates the proxy for HTTP traffic, so if a user tries to send any traffic other than HTTP traffic, the connection will fail. For example, a user will be unable to use FTP to access the HTTP proxy server configured in the browser.

If a user changes his HTTP proxy settings after authentication, SSG will not be able to detect the changes.

Hardware

Routers

Cisco 2651XM, Cisco 2691 Routers

Cisco 3725 and 3745 Routers

Cisco 7200 Series Routers

Cisco 7301 Router


Product Management Contact: mkolli@cisco.com

5.6.2) SSG Transparent Auto-Logon

Description

The Transparent Auto-Logon (TAL) feature enables SSG to authenticate/authorize users based on IP packets received from the user. SSG authorizes users by using information from the Authentication, Authorization, and Accounting (AAA) server when a first IP packet is received from the user.

Users can be activated on SSG through Web-based login procedures using Service Edge Subscriber Management (SESM), RADIUS Proxy, and PPP session termination. The Transparent Auto-Logon feature provides an additional activation method. Transparent Auto-Logon provides SSG services to a user who is authorized based on the source IP address of packets received on a downlink interface of SSG, without any previous authentication phase. Depending on the customer deployment, there can still be user access via Web-based login, RADIUS Proxy, and PPP session termination. The SSG provides the flexibility to allow the coexistence of these different authentication methods.

Figure 60

User-to-Service Packet Flow

Release    Modification

12.3(3)B   This feature was introduced.

12.3(7)T   This feature was implemented in Cisco IOS Release 12.3(7)T.


Benefits

The SSG application (which includes the TAL function described in this document) provides the following benefits:

Avoids interactive subscriber authentication where the subscriber's identity is verified by other means.

Enables always-on access to network services for specific classes of users (transparent, flat-rate users).

Provides an authentication model in which pay-per-use users still require interactive authentication for network services that are subject to explicit sign-on.

Restrictions:

If SSG Transparent Auto-Logon is used, a subscriber's identity is tied solely to his or her source IP address. To provide proper security, service providers must ensure that subscriber connections are secure and that IP addresses cannot be spoofed for illegal use.

Hardware

Routers

Cisco 2651XM and 2691 Routers

Cisco 3725 and 3745 Routers

Cisco 7200 Series Routers

Cisco 7301 Router


Product Management Contact: mkolli@cisco.com

5.6.3) SSG TCP Re-direct Exclusion List

Description

The existing TCP Redirect feature is enhanced to allow access lists to be associated with server groups. This enhancement can be used to limit the kind of traffic that is redirected, based on source or destination IP address and TCP port. It can also be used to redirect different sets of users to different dashboards for unauthenticated-user and unauthorized-service redirection. The access list can be a standard or extended access list, and either named or numbered.

Release    Modification

12.3(3)B   This feature was introduced.

12.3(7)T   This feature was implemented in Cisco IOS Release 12.3(7)T.


Benefits

Allows an access list to be associated with a TCP redirect server group to redirect subscribers to different server groups.

Can be applied to any type of redirections such as those for authentication, authorization, initial and periodic captivation, prepaid redirection, etc.

Hardware

Routers

Cisco 2651XM and 2691 Routers

Cisco 3725 and 3745 Routers

Cisco 7200 Series Routers

Cisco 7301 Router


Product Management Contact: Murali Kolli, 408-526-5228, mkolli@cisco.com

5.6.4) Service Assurance Agent VoIP Proactive Monitoring

Description

Understanding network performance is essential to deploying and running a Voice over IP (VoIP) network. Service Assurance Agent (SAA) proactively measures network performance. If you are deploying a new VoIP network, SAA can be used for network assessment: it will tell you whether Quality of Service is working and configured correctly and whether the network can support VoIP. After deployment of VoIP you will need to understand the network performance and troubleshoot network issues; SAA provides this essential information. SAA reduces operational costs by identifying issues and provides a continuous and reliable test of your network infrastructure. SAA also reduces the time needed to track and isolate network performance problems, thus saving expenses.

The Cisco IOS Software SAA feature actively sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates VoIP codecs and collects network performance information in real time: response time, one-way latency, one-way jitter, one-way packet loss, voice quality scoring (MOS scores), and additional network statistics.

The Cisco IOS Software SAA feature enables the user to monitor network performance thresholds and send SNMP alerts for proactive notification. In the past SAA has supported threshold monitoring for performance parameters such as average jitter, unidirectional latency, bidirectional round trip time and connectivity. The latest release of Cisco IOS Software includes new capabilities to monitor thresholds for important VoIP related parameters including: unidirectional jitter, unidirectional packet loss, and unidirectional VoIP voice quality scoring (MOS scores).

Figure 61

Cisco IOS Service Assurance Agent

Benefits

Embedded in Cisco IOS Software—no additional cost.

Proactive notifications with Simple Network Management Protocol (SNMP) Trap.

New SNMP traps for unidirectional jitter, unidirectional packet loss, and unidirectional VoIP voice quality scoring (MOS scores).

Real-time, accurate VoIP network performance monitoring.

VoIP codec simulation and VoIP quality measurement (MOS and ICPIF).

VoIP Network Assessment.

Per-class QoS traffic monitoring.

Flexible scheduling of operations.

Hop-by-hop and end-to-end performance measurement.

Controlled through SNMP or Command Line Interface (CLI).

Extensive partnerships with industry leaders.

Hardware

Routers

All (platform independent)


Additional Information: http://www.cisco.com/go/saa

Product Management Contact: tomz@cisco.com

5.6.5) NetFlow MIB

Description

Understanding network user identities, usage time, the protocols and applications being used, and the flow of network data is a necessity for today's IP network managers. Exported NetFlow data can be used for a variety of purposes, including network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting and departmental chargebacks, Internet service provider (ISP) billing, data warehousing, and data mining for marketing purposes.

Traditionally NetFlow information is exported from the router and persistently stored and analyzed by network management applications. An additional method to retrieve NetFlow data is now available: The NetFlow MIB allows access to NetFlow data when export is not practical. The NetFlow MIB is very useful for security monitoring and attack detection by monitoring flow information. The MIB will provide the ability to configure and modify NetFlow using an SNMP interface. The user can retrieve a snapshot of IP flow, protocol and packet size distribution information easily with SNMP.

Figure 62

NetFlow MIB

Benefits

A new additional method to retrieve NetFlow information.

Retrieval of NetFlow information when the traditional export may not be practical.

Useful security information directly from an SNMP MIB.

Remote configuration of NetFlow features without using CLI.

MIB access to IP flow, protocol and packet size distribution information.

Hardware

Routers

All (platform independent)


Additional Information: http://www.cisco.com/go/netflow/

Product Management Contact: tomz@cisco.com

5.6.6) Configuration Rollback/Configuration Replace

Description

Configuration Rollback is now available in Cisco IOS Software via the new "configuration replace" command. The "configuration replace" command is a mechanism to revert to a previous configuration state, effectively allowing configuration changes to be rolled back. Instead of basing the rollback operation on a specific set of changes that have been applied, the Cisco IOS Configuration Rollback capability allows reverting to a specific configuration state, based on a saved Cisco IOS configuration file.

The "configuration replace" command compares the current running configuration with the specified target configuration, and internally generates a set of diffs (using the same mechanism used by the Cisco IOS "show archive diff" command), and then applies the resulting diffs in order to achieve the desired configuration state. Only the diffs are applied, avoiding potential service disruption from re-applying configuration commands which have not changed. The config rollback mechanism effectively handles changes to order-dependent commands, such as access lists, via a multipass algorithm.
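The diff-and-apply behavior described above, as an added example written for this section (it is a simplified model, not Cisco's implementation): the target is treated as an archived known-good configuration, the running configuration has drifted, and the model emits only the commands needed to close the gap, using the "no" form for removals. The two sample configurations, the interface names and the access list name MGMT-IN are constructed for the example. The model removes before it adds; it does not reproduce the multipass handling of order-dependent commands that the text attributes to Cisco IOS.

```python
# Added example (not Cisco's code): a simplified model of how a "configuration
# replace" derives the commands that move a running configuration to a saved
# target, applying only the differences. Sample configurations are constructed.

def parse_blocks(text: str) -> dict:
    """Group an IOS-style configuration into {top-level line: [sub-lines]}.

    Indented lines belong to the nearest preceding unindented line (for example
    the "ip address" under an "interface"). Comment ("!") and blank lines are
    skipped. Top-level lines with no sub-lines map to an empty list.
    """
    blocks: dict = {}
    parent = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if parent is None:
                raise ValueError(f"indented line without a parent: {raw!r}")
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks


def config_diff(running: str, target: str) -> list:
    """Return the command list that turns `running` into `target`.

    Pass 1 removes, with the "no" form, blocks and sub-lines that the target
    lacks; pass 2 adds blocks and sub-lines that the running config lacks, in
    the target's own order. Lines common to both are never re-applied. Real
    IOS adds further passes for order-dependent commands, which this model
    only approximates by removing before adding.
    """
    run, tgt = parse_blocks(running), parse_blocks(target)
    commands = []

    for parent, children in run.items():
        if parent not in tgt:
            commands.append(f"no {parent}")
            continue
        gone = [c for c in children if c not in tgt[parent]]
        if gone:
            commands.append(parent)
            commands.extend(f"no {c}" for c in gone)

    for parent, children in tgt.items():
        if parent not in run:
            commands.append(parent)
            commands.extend(children)
            continue
        new = [c for c in children if c not in run[parent]]
        if new:
            commands.append(parent)
            commands.extend(new)
    return commands


# Constructed sample: the archived (known-good) configuration...
TARGET_CONFIG = """\
hostname edge-rtr
!
interface Loopback0
 description management loopback
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip access-group MGMT-IN in
!
ip access-list extended MGMT-IN
 permit tcp host 10.1.1.2 host 10.1.1.1 eq 22
 permit tcp host 10.1.1.2 host 10.1.1.1 eq 179
 deny ip any any log
"""

# ...and the running configuration after an unreviewed change opened telnet
# from anywhere, added a temporary description and lost the loopback description.
RUNNING_CONFIG = """\
hostname edge-rtr
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/1
 description temp troubleshooting
 ip address 10.1.1.1 255.255.255.0
 ip access-group MGMT-IN in
!
ip access-list extended MGMT-IN
 permit tcp host 10.1.1.2 host 10.1.1.1 eq 22
 permit tcp host 10.1.1.2 host 10.1.1.1 eq 179
 permit tcp any host 10.1.1.1 eq 23
 deny ip any any log
"""

if __name__ == "__main__":
    for cmd in config_diff(RUNNING_CONFIG, TARGET_CONFIG):
        print(cmd)
```

Running the model produces six commands: it enters the interface and withdraws the temporary description, enters the named access list and withdraws only the telnet entry, then restores the loopback description. The unchanged hostname, addresses and remaining access list entries are never touched, which is the property that lets a rollback avoid disturbing live service.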

Benefits

Allows the user to revert to a previous configuration state, effectively "rolling back" configuration changes.

Allows the user to replace the running configuration file with the startup configuration file without having to reload the router or manually undo CLI changes to the running configuration file, reducing system downtime.

Simplifies configuration changes by allowing the user to push a complete configuration file to the router, where only the commands that need to be added or removed are applied.

Allows the user to revert to any desired configuration, via replacement of the running configuration with any previously saved configuration file.

Hardware

Routers

All (platform independent)


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/index.htm

Product Management Contact: mbasinsk@cisco.com

5.7) Routing

5.7.1) OSPF Link State Database Overload Protection

Description

OSPF Link State Database (LSDB) Overload Protection addresses the requirement to limit the number of non-self generated link-state advertisements (LSAs) for a given OSPF process. The goal is to prevent resource starvation (CPU and Memory) on the router that can be caused by excess LSAs received.

Benefits

Excessive LSAs can be generated in the network because of incorrect redistribution or abnormal growth in the network. Processing these excessive LSAs and storing them in the LSDB can lead to resource starvation (CPU and memory) on a given router. OSPF LSDB Overload Protection can be applied to any OSPF process.

Hardware

Routers

All (platform independent)


Product Management Contact: cpk@cisco.com

5.7.2) OSPF Area Transit Capability

Description

RFC 2328 defines OSPF area transit capability as the ability of an area to carry data traffic that neither originates nor terminates in the area itself. OSPF Area Transit Capability enables the OSPF ABR to discover shorter paths through the transit area and forward traffic along those paths rather than over the virtual link, which is less optimal.

Hardware

Routers

All (platform independent)


Product Management Contact: cpk@cisco.com

5.7.3) OSPF Per-Interface Link Local Signaling (LLS)

Description

When LLS is enabled at the router level, it is automatically enabled for all interfaces. The OSPF Link-Local Signaling per-Interface feature allows one to selectively enable or disable the LLS feature for a specific interface. Disabling LLS on an interface that is connected to a non-Cisco device that may be noncompliant with RFC 2328 can prevent problems with the forming of Open Shortest Path First (OSPF) neighbors in the network.

Hardware

Routers

All (platform independent)


Product Management Contact: cpk@cisco.com

5.7.4) VRF Selection using Policy Based Routing

Description

VRF Selection using Policy Based Routing is an extension of VRF Selection based on Source IP Address. This functionality takes advantage of the existing Route-map (which is capable of supporting multiple selection criteria) and uses Policy Based Routing (PBR) as a way to classify packets and set the relevant routing/forwarding decision. Classification criteria include source and/or destination IP addresses, protocol number, source and/or destination port number, IP precedence value, DSCP value, TCP flags, packet length and ICMP type.

Hardware

Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM and 2691 Routers

Cisco 3631, 3640, 3640A, and 3660 Routers

Cisco 3725 and 3745 Routers

Cisco 7200, 7400 and 7500 Series Routers

Cisco 7301 and 7304-NPE-G100 Routers


Product Management Contact: cpk@cisco.com

5.7.4) BGP Transient Memory Usage Enhancement

Description

BGP uses a large amount of running memory when processing updates for full Internet routes. This feature significantly reduces the amount of transient memory (that is, memory temporarily allocated and then released) needed to process those updates, and makes transient memory usage more consistent throughout the processing of large Internet routing table updates.

Hardware

Routers

All (platform independent)


Product Management Contact: pepe@cisco.com

5.7.5) BGP Support for TTL Security Check

Description

This feature enables checking of TTL (Time To Live) values on BGP packets from peers to minimize possible session spoofing attacks. All TCP packets from BGP are sent out with a TTL value of 255. All incoming TCP packets for BGP will be checked for a TTL value that is greater than or equal to the configured incoming TTL value.

For most cases, since the peer is just one hop away, the incoming TTL value will be configured as 254. If the EBGP peer is multiple hops away, then the incoming TTL value should be configured to allow all required paths between the two peers.
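The check described above, as an added example written for this section rather than code from Cisco IOS: a model of the incoming TTL test applied to constructed sample segments, with the peer's hop count standing in for the configured incoming TTL value (minimum accepted TTL = 255 minus hops, so 254 for a directly connected peer). In Cisco IOS the equivalent per-neighbor setting is "neighbor <address> ttl-security hops <count>". The addresses, ports and TTL values below are constructed, not captured.

```python
# Added example (not from the Cisco bulletin): a model of the BGP TTL security
# check, showing which inbound segments a speaker accepts and which it drops.

from dataclasses import dataclass

MAX_TTL = 255  # every BGP TCP segment is sent with this TTL when the check is on


@dataclass(frozen=True)
class Segment:
    """Minimal view of an inbound TCP segment (constructed, not a capture)."""
    src_ip: str
    dst_port: int
    ttl: int


def min_accepted_ttl(hops: int) -> int:
    """Lowest TTL accepted from a peer configured as `hops` router hops away.

    A directly connected peer (hops=1) must arrive with TTL 254 or higher,
    because at most one decrement is expected between the two speakers.
    """
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hops


def ttl_security_check(seg: Segment, hops: int) -> bool:
    """Accept only when the TTL is at or above the configured minimum."""
    return seg.ttl >= min_accepted_ttl(hops)


def filter_bgp_segments(segments, hops: int, bgp_port: int = 179):
    """Split inbound segments into (accepted, dropped) lists for review.

    Segments not addressed to the BGP port are outside the check's scope and
    are left out of both lists.
    """
    accepted, dropped = [], []
    for seg in segments:
        if seg.dst_port != bgp_port:
            continue
        (accepted if ttl_security_check(seg, hops) else dropped).append(seg)
    return accepted, dropped


# Constructed sample traffic for a peer one hop away (hops=1).
SAMPLE_SEGMENTS = [
    Segment("192.0.2.1", 179, 254),  # directly connected peer, one decrement
    Segment("192.0.2.1", 179, 247),  # same source, but the TTL shows many hops of travel
    Segment("192.0.2.1", 179, 255),  # no decrement at all; still at or above the minimum
    Segment("192.0.2.1", 22, 60),    # not BGP; the check does not apply
]

if __name__ == "__main__":
    ok, bad = filter_bgp_segments(SAMPLE_SEGMENTS, hops=1)
    print(f"accepted={len(ok)} dropped={len(bad)}")
    for seg in bad:
        print(f"dropped: src={seg.src_ip} ttl={seg.ttl} (minimum {min_accepted_ttl(1)})")
```

The value of the check is that a TTL cannot be raised in transit: a segment that has crossed several routers arrives below the threshold whatever source address it carries, so the drop happens before the TCP stack or BGP process sees it. For a multihop EBGP peer the same function is used with the real hop count, which is why the text says the value must cover every required path between the peers.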

Hardware

Routers

All (platform independent)


Product Management Contact: pepe@cisco.com

5.7.6) CLNS Support for GRE Tunneling of IPv4 and IPv6

Description

This enhancement adds support for GRE encapsulation of IPv4 and IPv6 packets through a CLNS network in accordance with RFC 3147 for statically configured tunnels.

Hardware

Routers

All (platform independent)


Product Management Contact: pepe@cisco.com

5.8) Connectivity

5.8.1) VRF Aware Dialer Watch

Description

The virtual routing and forwarding instance (VRF) Aware Dialer Watch feature enhances dialer watch functionality by allowing an IP address and VRF pair to be watched for dial backup. In this way, a given VRF (or set of VRFs) may be backed up by an ISDN or Dial Connection. This functionality provides an added measure of fault tolerance in a VPN environment.

Figure 63

VRF Aware Dialer Watch Typical Configuration

A typical scenario for the VRF Aware Dialer Watch feature follows:

A VRF router learns the route to the CE (Customer Edge) from a PE (Provider Edge).

The VRF router watches these learned routes to the CEs.

The primary link between a PE and CE goes down.

The watched route goes down in the VRF router.

Dialer Watch call is initiated to the corresponding CE.

Benefits

Enhanced fault tolerance and network resiliency in VPN environments.

Hardware

Routers

Cisco 3631, 3640, 3640A and 3660 Routers

Cisco 3725 and 3745 Routers


Product Management Contact: sbhardwa@cisco.com

5.8.2) PPP/MLP MRRU Negotiation

Description

The PPP/MLP MRRU Negotiation Configuration feature enables a router to send and receive frames over Multilink PPP (MLP) bundles that are larger than the default Maximum Receive Reconstructed Unit (MRRU) limit of 1524 bytes. Previously, configuring the MRRU option negotiated on a multilink bundle with the MLP was not possible. Cisco IOS Software provided an MRRU default value of 1524 bytes, which meant that the maximum transmission unit (MTU) of the peer's bundle interface was restricted to a value of 1524 bytes or fewer for a successful data transfer.

The PPP/MLP MRRU Negotiation Configuration feature allows configuration control over MRRU negotiation. A new interface configuration command introduced with this feature, ppp multilink mrru, allows configuration of the specific MRRU value that the router will advertise, and optionally establishing a lower boundary on the MRRU value of the peer.

Benefits

This feature is useful when the addition of a header, such as an IPsec header or application software header, causes the MTU of packets on an MLP interface to exceed the 1500 byte MTU of a typical IP packet.

Hardware

Routers

All (platform independent)


Product Management Contact: sbhardwa@cisco.com

5.9) IP Addressing & Services

5.9.1) IP over IPv6 Tunnels

Description

IP over IPv6 tunnels encapsulates IPv4 or IPv6 packets in IPv6 packets for delivery across a native IPv6 infrastructure.

Figure 64

IP over IPv6 Tunnels

Benefits

IPv6 VPN over a native IPv6 infrastructure, enabled through IPv6 over IPv6 tunnels.

Allows IPv6 multicast traffic to cross a native IPv6 infrastructure that is not IPv6 multicast enabled.

Enables IPv6 multihoming as proposed in RFC 3178.

IPv4 sites can be connected over a native IPv6-only infrastructure.

Refer to the following document for additional information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_vcg.htm

Hardware

Routers

Cisco 1700-7500 Series Routers


Product Management Contact: pgrosset@cisco.com

5.9.2) IPv6 Policy-Based Routing

Description

This software release introduces support for IPv6 policy-based routing in Cisco IOS Release 12.3T. Policy-based routing provides a tool for expressing and implementing the forwarding and routing of data packets based on policies defined by network administrators. In effect, policy-based routing is a way to have policy override routing protocol decisions. It includes a mechanism for selectively applying policies based on an access list or packet size. The actions taken can include routing packets over user-defined routes or setting the precedence and type of service bits.

Benefits

Source-Based Transit Provider Selection—Internet service providers and other organizations can use policy-based routing to route traffic originating from different sets of users through different Internet connections across the policy routers.

Quality of Service (QoS)—Organizations can provide QoS to differentiated traffic by setting the Traffic Class values in the IPv6 packet header at the periphery of the network and leveraging queuing mechanisms to prioritize traffic in the core or backbone of the network.

Cost Savings—Organizations can achieve cost savings by distributing interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost, switched paths.

Load Sharing—In addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS Software has always supported, network managers can now implement policies to distribute traffic among multiple paths based on the traffic characteristics.

Refer to the following document for additional information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_vcg.htm

Hardware

Routers

Cisco 1700-7500 Series Routers


Product Management Contact: pgrosset@cisco.com

5.9.3) NAT—Stateful Failover Asymmetric Outside-to-Inside

Description

The Stateful NAT feature enables two NAT routers to participate in a primary/backup design. One router is designated as the primary NAT router and the second takes the backup NAT role. As traffic is actively translated by the primary NAT router, it updates the backup NAT router with the NAT translation state (NAT translation table entries). If the primary NAT router fails or is out of service, the backup NAT router automatically takes over. When the primary comes back into service it takes over again and requests an update from the backup NAT router.

The expected behavior in Stateful NAT phase 1 is that all sessions pass through the primary NAT router, which controls the NAT translation entries, unless the primary NAT router is unavailable. This assures the integrity of the translation information by guarding against a packet relevant to NAT session control traversing the backup without the primary being aware of it. When the translation information is not synchronized, the IP session in question will eventually stop working.

Figure 65

Stateful NAT—Asymmetric Outside-to-Inside Support—Before

With the Stateful Failover Asymmetric Outside-to-Inside enhancement, return traffic is handled by either the primary or the backup NAT translator and NAT translation integrity is preserved.

When the Backup NAT router receives asymmetric IP traffic and performs NAT to the packets, it will update the Primary NAT router to ensure both the primary and backup NAT Translation tables remain synchronized.

Figure 66

Stateful NAT—Asymmetric Outside-to-Inside Support—After

This enhancement is the next step towards having two or more NAT devices actively performing NAT and backing each other up ("Active-Active" NAT).

Benefits

Ability to support multiple routing paths from outside-to-inside.

Ability to handle IP Flow or Per Packet load balancing of asymmetric routing from outside-to-inside.

Improved ROI as the Backup NAT router is not sitting idle.

Refer to the following document for additional information:

For an overview of the initial Stateful NAT capability, please refer to:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftsnat.htm

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


Product Management Contact: mdenny@cisco.com

5.9.4) NAT—Stateful Failover for Embedded Addressing

Description

The Stateful Failover Embedded Addressing enhancement allows the secondary (backup) NAT router to properly handle NAT and deliver IP traffic.

This feature is an enhancement to the Stateful Network Address Translation (NAT) feature introduced in Release 12.2(13)T. The initial Stateful NAT feature targeted IP header translations only, with a plan to deliver embedded translation support in a phase 2 release.

Cisco IOS NAT inspects all IP traffic entering interfaces that have been configured with the NAT feature. The inspection consists of matching the incoming traffic against a set of translation rules and performing an address translation if a match occurs. For example:

Matching a source address range.

Matching a specific destination address range.

Matching a list of applications known to NAT which might:

·  Require a specific source port for control plane negotiation.

·  Embed source IP addresses within the application protocol.

Some of the applications and protocols which embed Source Port or IP Address information include:

H.323 RAS

DNS A and PTR queries

NetMeeting Internet Locator Server (ILS)

ICMP

SMTP

PPTP

Cisco Selsius Skinny Client Protocol (SCCP)

A complete list of the Application Layer Gateways (ALGs) currently supported by Cisco IOS NAT can be found at: http://www.cisco.com/en/US/tech/tk648/tk361/tech_brief09186a00801af2b9.html

Figure 67

Cisco IOS NAT ALG Support

When the Stateful NAT capability performs a failover, all of the Application Layer Gateways (applications and protocols) supported by Cisco IOS NAT at the time of this release fail over seamlessly.

Figure 68

Stateful NAT—Primary to Secondary State Synchronization

Figure 69

Stateful NAT—Failover to the Secondary NAT

Benefits

Ability to seamlessly fail over translated IP sessions whose traffic includes embedded IP addressing (VoIP applications, FTP, DNS; refer to the ALG chart and URL provided).

Refer to the following document for additional information:

For an overview of the initial Stateful NAT capability, please refer to:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftsnat.htm

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


Product Management Contact: mdenny@cisco.com

5.9.5) NAT—Static IP Support

Description

The majority of users on public WLAN networks use DHCP for dynamic address assignment; however, some percentage of users have a statically assigned IP address that is specific to their "home" network.

With a static address assignment, these users are not able to access a public WLAN network and gain access to the IP network and services offered.

Figure 70

Public WLAN Access for Static IP Users Before NAT—Static IP Support

The NAT—Static IP enhancement allows public WLAN providers to offer service to customers that use static IP address assignment for their users.

No reconfiguration is required on the part of the user with the statically assigned IP Address. The user can roam into a public WLAN "hotspot", login to the public WLAN network and immediately gain access to services offered.

The Cisco IOS NAT feature detects the user trying to access the network and dynamically assigns the user a unique routable IP address for the life of the session. The feature:

Works with ARP to ensure proper reachability.

Translates to and from the static source IP address and a routable unique IP address on the public WLAN network.

Generates user accounting information processed by the Cisco Service Selection Gateway (SSG) feature.

Handles all clean up when the user has logged off.

Figure 71

Public WLAN Access for Static IP Users with NAT—Static IP Support

Benefits

Ability for static IP address users to connect to a public WLAN network.

Ability to prevent a malicious client from blocking access to a valid host in the outside domain.

No client reconfiguration needed for clients configured with static IP addresses.

Accounting information generated per user session.

The Access Zone Router assists in supporting the following cases:

Web login using static IP address.

802.1x login using static IP address.

Hardware

Routers

See Feature Navigator for supported platforms: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


Product Management Contact: Mark Denny, mdenny@cisco.com

5.9.6) ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry

Description

Prior to this enhancement, multiple application ports could be listed on the same Access Control Entry (ACE) but they had to be contiguous. If they weren't contiguous, a separate ACE was required for each non-contiguous port.

This enhancement enables customers to specify an ACE with non-contiguous application ports, which will reduce the number of ACE's within an Access Control List (ACL) group and simplify management of their ACL groups.

There is a maximum of 10 source ports and 10 destination ports per ACE.

Example of ACL—Support for noncontiguous ports on an ACE. The access list name MGMT-PORTS is a placeholder; the addresses are those of the original example. TFTP is a UDP service, so it keeps its own ACE in both forms.

Before the enhancement, one ACE per TCP port:

ip access-list extended MGMT-PORTS
 permit tcp host 100.52.65.11 host 172.23.56.10 eq www
 permit tcp host 100.52.65.11 host 172.23.56.10 eq smtp
 permit tcp host 100.52.65.11 host 172.23.56.10 eq lpd
 permit tcp host 100.52.65.11 host 172.23.56.10 eq telnet
 permit udp host 100.52.65.11 host 172.23.56.10 eq tftp

With the enhancement, the TCP ports share a single ACE:

ip access-list extended MGMT-PORTS
 permit tcp host 100.52.65.11 host 172.23.56.10 eq www smtp lpd telnet
 permit udp host 100.52.65.11 host 172.23.56.10 eq tftp

Benefits

Reduction in the number of entries within an ACL group.

Improved management of large ACL groups.

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


Product Management Contact: mdenny@cisco.com

5.9.7) Rate Based Satellite Control Protocol (RBSCP)

Description

Two well-known characteristics of satellite links cause very poor TCP performance:

Higher bit-error rates over the satellite link as compared to hard links cause an increase in lost packets.

Long round-trip time (RTT) over the satellite link, typically > 500ms.

These characteristics cause the following problems:

The slow start time is much longer (due to the long RTT), increasing the time it takes for a TCP sender to fully ramp up its sending rate.

The incorrect interpretation of packet loss by TCP as congestion results in a congestion window collapse such that only one MTU of data may be allowed to be outstanding. In addition, the long RTT prevents the use of localized link retransmissions as an effective method to mitigate the packet loss.

The combination of these two issues keep a TCP sender in a perpetual slow start, sending well below the available bandwidth of the satellite link. The traditional solution to this problem is to utilize a disruptive Performance Enhancing Proxy (PEP) in order to improve TCP performance across satellite links.

Figure 72

IP Over Satellite Before—Disruptive TCP Performance Enhancing Proxy Model

Note that there are multiple boxes in a customer PEP configuration. Hosts on the remote side connect to the Internet through their default router. The router has two links, one to the network of hosts and the other leading to a PEP box. The router considers its upstream gateway to the Internet to be the PEP, so it routes all traffic to the PEP. The PEP terminates any TCP connection flowing to the Internet, spoofing all Internet addresses and ports. Traffic is buffered and then retransmitted through a single PEP connection over the satellite. The PEP on the other side of the satellite connection receives the data and transmits it over separate TCP connections to the destination host on the Internet, one for each connection between the remote side and the network side. Data coming from the network side is translated in a similar manner to the remote side. Any non-TCP traffic is intercepted and forwarded as well.

The advantages the customer gains using this disruptive PEP configuration are the following:

Elimination of the TCP flows across the satellite misidentifying dropped packets as congestion.

Full bandwidth utilization of the satellite link by the elimination of the classic TCP slow-start and initial cwnd variables.

Increased bandwidth by minimizing the amount of TCP-Ack traffic transmitted over the satellite link (allowing for any overhead).

Greatly reduced TCP slow start time from the end host perspective by generating TCP ACKs at each local router.

The disadvantages of this configuration are numerous, including the following (refer to Section 4 of RFC 3135 for more):

Each new protocol introduced to the Internet needs special handling to assure the PEPs know and can handle the new type of traffic (examples of upcoming protocols include SCTP and DCCP).

Any encrypted traffic such as IPsec or AES cannot be enhanced since the end hosts control the encryption. The only exception to this is if the end hosts are willing to terminate the IPsec connection at the PEP and trust the provider to send the data in some secure fashion over the satellite link. Alternatively, IPsec traffic may be tunneled inside TCP flows, requiring client and server software to be present at the end hosts.

Loss of shared fate in an end-to-end communication path. Fate is shared because if one of the end hosts fails, the transport will also fail and provide an appropriate indication to the peer end host. In a disruptive PEP, the PEP will provide a local ACK for data that has not been delivered to the end host. This has the consequence that the end hosts may not be aware of a crash or other path failure for some time.

A simple protocol, Rate Based Satellite Control Protocol (RBSCP), will be used in place of PEP. This protocol will allow two routers to control and monitor the sending rates of the satellite link, thus acquiring better bandwidth utilization. RBSCP will also retransmit lost packets over the satellite link to increase link reliability and help keep the end host TCP senders out of slow start.

Figure 73

IP Over Satellite After with Rate Based Satellite Control Protocol (RBSCP)

RBSCP as a Virtual Interface

RBSCP is implemented with a virtual tunnel interface in Cisco IOS Software, and it will look and behave like any other tunnel interface within the router. IP traffic will be sent across the satellite link with appropriate modifications and/or enhancements, as determined by the router configuration.

Time Warp Delay Insertion

One side of the router pair delays frames in transit between the two sides. This delay increases the RTT that the end host's TCP (or other protocol) stack estimates; this "time-warps" the sender into allowing RBSCP to attempt localized, limited retransmission and recovery of lost TCP (or other protocol) frames. The delay allows for a single retransmission before the end host's TCP sender attempts its own retransmission and collapses its congestion window.

TCP ACK Splitting

Additional performance improvements can be made for clear-text TCP senders. When the satellite link is underutilized, each router may perform ACK splitting for clear-text TCP ACKs traversing the link. This causes the end host TCP sender to open its congestion window more quickly and thus increases bandwidth utilization.
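The slow-start problem described at the start of this section and the ACK splitting remedy described just above, as one added example written for this page (a toy model, not Cisco code or the RBSCP implementation): it computes how many segments a flow must have in flight to fill a link, how many round trips slow start needs to get there, and how that time changes between a terrestrial and a satellite RTT and when each segment is acknowledged by several ACKs. The link rate, RTTs, MSS and splitting factor are constructed inputs; delayed ACKs, ssthresh, pacing and loss recovery are deliberately left out.

```python
# Added example (not from the bulletin): a toy model of TCP slow start that
# shows why a long satellite RTT stretches the ramp-up and how ACK splitting
# shortens it. Constructed parameters only.

def bandwidth_delay_segments(link_kbps: float, rtt_ms: float, mss_bytes: int = 1460) -> int:
    """Segments that must be in flight to fill the link: ceil(bandwidth * RTT / MSS).

    kbit/s multiplied by ms gives bits exactly, so no unit conversion is needed.
    """
    bits_in_flight = round(link_kbps * rtt_ms)
    return -(-bits_in_flight // (mss_bytes * 8))  # ceiling division


def rounds_to_reach(target_segments: int, initial_cwnd: int = 1, acks_per_segment: int = 1) -> int:
    """Round trips of slow start until cwnd reaches target_segments.

    Each ACK grows cwnd by one segment. With acks_per_segment > 1 (ACK
    splitting) every data segment is acknowledged by several ACKs, so the
    window grows by that factor per round instead of merely doubling.
    """
    if min(target_segments, initial_cwnd, acks_per_segment) < 1:
        raise ValueError("all parameters must be positive integers")
    cwnd, rounds = initial_cwnd, 0
    while cwnd < target_segments:
        cwnd += cwnd * acks_per_segment  # one segment of growth per ACK received
        rounds += 1
    return rounds


def ramp_up_time_ms(link_kbps: float, rtt_ms: float, acks_per_segment: int = 1) -> float:
    """Milliseconds of slow start before a single flow can fill the link."""
    target = bandwidth_delay_segments(link_kbps, rtt_ms)
    return rtt_ms * rounds_to_reach(target, 1, acks_per_segment)


if __name__ == "__main__":
    link = 2048  # kbit/s, a constructed carrier size
    print("terrestrial 50 ms RTT  :", ramp_up_time_ms(link, 50), "ms")
    print("satellite 550 ms RTT   :", ramp_up_time_ms(link, 550), "ms")
    print("satellite, 4 ACKs/seg  :", ramp_up_time_ms(link, 550, acks_per_segment=4), "ms")
```

With these inputs the 50 ms path needs 9 segments in flight and four round trips (200 ms) to fill the link, while the 550 ms path needs 97 segments and seven round trips (3850 ms); splitting each ACK four ways brings the satellite case down to three round trips (1650 ms). The model also makes the loss problem concrete: every collapse back to one segment costs the full ramp again, which is the cost RBSCP's local retransmission is meant to avoid.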

Benefits

Single device handles both routing and optimized IP over the satellite network.

Non-disruptive software solution preserves the end-to-end IP session.

Maximizes link bandwidth utilization while reducing slow start.

Supports IPsec encryption of end host clear text traffic across the satellite link (e.g. a VPN service configuration).

Does not require any stack/software changes or additional software at the end hosts (e.g. TCP stack changes, additional client-server software, etc.).

Supports the use of existing Cisco IOS Software features such as QoS, IPsec and others.

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


Product Management Contact: mdenny@cisco.com

5.10) Multiprotocol Label Switching

5.10.1) MPLS—MLPPP Support

Description

The Multiprotocol Label Switching (MPLS)—Multilink Point-to-Point Protocol (MLPPP) Support feature ensures that MPLS Layer 3 Virtual Private Networks (VPNs) with Quality of Service (QoS) can be enabled for bundled links. Service providers that use relatively low-speed access links can use MLPPP to spread traffic across multiple low-speed links in their MPLS networks. Link Fragmentation and Interleaving (LFI) should be deployed in the CE-to-PE link for efficiency, where you use smaller link bandwidths (less than 768 kbps).

This feature supports MPLS over MLPPP links in the edge (provider edge [PE]-to-customer edge [CE]) or in the MPLS core (PE-to-PE and PE-to-provider router [P]).

Figure 74

MLP on PE-P/P-P and PE-CE Links

Hardware

Routers

Cisco 7200 and Cisco 7500 Series


Product Management Contact: ahanspal@cisco.com

6) Release 12.3(4)T Highlights

The Appendix includes a complete list of new features introduced in Release 12.3(4)T.

6.1.1) Cisco Unity Express

6.1.2) Cisco IDS Network Module

6.2.1) Control Plane Policing

6.2.2) Secure Shell Version 2

6.2.3) Secure Access Mode—Silent Mode

6.2.4) Image Verification

6.2.5) Login Enhancements—Password Retry Delay

6.2.6) Router IP Traffic Export

6.2.7) Cisco IOS Easy VPN Remote Phase 3.2

6.2.8) Cisco IOS Certificate Server

6.2.9) VPN Access Control using 802.1x Authentication

6.2.10) Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for Open Shortest Path First Version 3

6.2.11) Cisco IOS Firewall Access Control Lists Bypass

6.2.12) User Management Enhancements for Easy VPN Server

6.2.13) IPsec VPN Monitoring

6.3.1) IPv6 Anycast Address

6.3.2) Border Gateway Protocol—Policy Accounting Output Interface Accounting

6.3.3) ACL—Filtering IP Options and IP Options Selective Drop

6.3.4) NAT—Performance Related Enhancements

6.3.5) NAT—Rate Limiting NAT Translation

6.3.6) NAT—Translation of External IP Addresses only

6.3.7) FHRP—Enhanced Object Tracking—Integration with SAA

6.3.8) ACL-TCP Flags Filtering

6.4.1) Dynamic Security Associations and Key Distribution

6.5.1) Cisco CallManager Express

6.6.1) Network Based Application Recognition Extended Inspection for HTTP Traffic

6.6.2) NBAR User-Defined Custom Application Classification

6.6.3) Updates to Class-Based QoS MIB

6.6.4) Turbo-Classification for QoS

6.6.5) Real-Time Transport Protocol Header Compression over Asymmetric/Satellite Links

6.7.1) Digital Private Network Signaling System Backhaul

6.7.2) V.120 Support for Network Access Servers

6.7.3) Layer 2 Tunnel Protocol Tunnel Connection Speed Labeling

6.7.4) Peer Pool Backup Command

6.7.5) Point to Point Protocol over Ethernet Relay

6.7.6) PPPoE Session Limit per NAS Port Download

6.8.1) Cisco IOS Service Assurance Agent for VoIP UDP Operation

6.8.2) Cisco IOS Embedded Event Manager 1.0

6.8.3) Contextual Configuration Diff Utility

6.8.4) Service Selection Gateway Unconfig

6.8.5) SSG to Accommodate New L2TP Error Codes

6.8.6) SSG Support of NAS Port ID

6.8.7) Extensible Authentication Protocol Transparency and Extensible Authentication Protocol-SIM Enhancements

6.8.8) SSG Complete ID

6.8.9) SSG L2TP Dialout

6.8.10) SSG Auto Logoff Enhancement

6.8.11) SSG Open Garden Configuration Enhancements

6.8.12) SSG Direction Command for Interfaces and Ranges

6.8.13) SSG Prepaid Idle Timeout

6.8.14) SSG Suppression of Unused Accounting Records

6.8.15) SSG Unique Session ID


6.1) New Hardware Support

6.1.1) Cisco Unity Express

Cisco Unity Express offers entry-level voice mail and automated attendant services as an option for the Cisco CallManager Express call-processing solution. This product is critical for Cisco CallManager Express customers in small/medium businesses or branches that need data connectivity and IP Telephony functionality, and those that require the productivity benefits that voice mail and auto attendant services provide. Cisco Unity Express is delivered on a network module that can be used in the Cisco 2600XM Series, Cisco 2691, and the Cisco 3700 Series Access Routers.

Figure 75

Cisco Unity Express

Benefits

Voice-mail and automated attendant features specifically designed for the small and medium office or branch. Cisco Unity Express provides up to 100 personal mailboxes, 20 general delivery mailboxes, 8 concurrent sessions or ports, and 100 hours of onboard storage.

Cisco Unity Express is delivered on a network module form factor that can be integrated into and shared across a broad range of access routers (Cisco 2691 Routers; Cisco 2600XM and 3700 Series Access Routers).

The first release of Cisco Unity Express offers superior voice message management to the user by supporting voice mail features (i.e., replying, forwarding, and saving messages; message marking and playout options for privacy or urgency; alternate greetings and envelope information).

Cisco Unity Express includes a built-in automated attendant that simplifies self service for callers by allowing them to quickly reach the right person without the assistance of an operator, but maintains the option to return to an operator at any time when greater assistance is needed.

A choice of GUI, command-line interface (CLI) and telephony user interface (TUI) streamlines administration.

Cisco Unity Express software is loaded on the network module at the factory, simplifying deployment. The Cisco Unity Express initialization wizard further expedites the administrator's startup by automatically importing information from Cisco CallManager Express, thereby eliminating the need to replicate data entry.

Hardware

Routers

Cisco 2691 Routers

Cisco 2600XM and 3700 Series Access Routers


Product Management Contact: access-ccme-cue@cisco.com

6.1.2) Cisco IDS Network Module

With the increased complexity of security threats, achieving efficient network intrusion security solutions is critical to maintaining a high level of protection. Vigilant protection helps ensure business continuity and minimizes the effect of costly intrusions. The Cisco IDS Network Module for the Cisco 2600XM and 3700 Series Routers and the Cisco 3660 Router is part of the Cisco IDS Family sensor portfolio and the Cisco Intrusion Protection System. These IDS sensors work in concert with the other IDS components (Figure 49), including Cisco IDS Management Console, CiscoWorks VPN/Security Management Solution, and Cisco IDS Device Manager, to efficiently protect data and information infrastructure.

The Cisco IDS product line delivers a broad range of solutions that allow easy integration into many different environments, including enterprise and service provider environments. Each sensor addresses the bandwidth requirements of different routers up to 10 Mbps in the Cisco 2600XM, and up to 45 Mbps in the Cisco 3700 Series. The appliance product supports 80 Mbps to 1 Gbps.

The Cisco IDS Network Module can monitor up to 45 Mbps of traffic and is suitable for T1/E1 and T3 environments. A router installed with this IDS network module also supports other Cisco IOS Security features such as VPN, firewall, Multiprotocol Label Switching (MPLS), Network Address Translation (NAT), and Web Cache Control Protocol (WCCP), while supporting all common Cisco IOS Software functions.

Cisco IDS Network Modules fit into a single network module slot on the Cisco 2600XM Series, Cisco 3660, and Cisco 3700 Series Routers. The available configuration is a 20-gigabyte hard disk for logging and storage of events. The external Ethernet port is used for command and control to enable a secure outbound port for management. This setup also allows for both security operations and network operations to have their own command and control interfaces.

Figure 76

Cisco IDS Network Module

Benefits

By integrating IDS and branch office routing, Cisco reduces the complexity of securing WAN links, while reducing operational costs. Following are the benefits associated with the integration of the IDS into the branch office router:

Physical Space Savings: uses a single network module slot in a Cisco 2600XM Series, Cisco 3660, or Cisco 3700 Series branch office routers.

Simple Power and Cable Management: takes advantage of the power options of the router, including DC power and redundant power.

Common Management Interface: can be configured and managed from the Cisco IOS Software CLI. This network module supports all the same CiscoWorks Management Center for Cisco IDS Sensors that the Cisco IDS 4200 Series supports, allowing customers to use one centralized management system for both appliance and router IDS sensors.

Network Command and Control Interface: by using the external Fast Ethernet port for command and control, the Cisco IDS Network Module internal router connection is free to capture the packets to the network module for processing by the IDS engine.

Separate Processor for the Cisco IDS Network Module to Maximize Performance: a dedicated CPU in the network module frees the router CPU from process-intensive IDS tasks.

Lower Operational Costs: the Cisco IDS Network Module is covered via Cisco maintenance service for the router. This setup minimizes network operational costs.

Hardware

Routers

Cisco 2600XM, 3600, and 3700 Series Routers

Cisco 2691 Router


Product Management Contact: Kevin Sullivan, sullivan@cisco.com

6.2) Security

6.2.1) Control Plane Policing

Packets sent to an address of the networking device are processed by the control plane (Route Processor [RP]). There is a potential for a denial of service (DoS) on the router if the control plane is overwhelmed with packets.

Cisco Control Plane Policing protects the control plane by using QoS policies to limit the incoming traffic destined to the control plane. Users define the policy most suitable for their environment using QoS policy maps to control the volume of each type of traffic that will be processed by the control plane, thereby reducing the traffic the control plane must process and alleviating the potential for a successful DoS attack.

Benefits

Control plane policing reduces the success of a DoS attack by policing the incoming rate of traffic destined to the control plane.

Easily defined through QoS policy maps.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7100, 7200 Series

Cisco 3620, 3640, 3660 Routers


Product Management Contact: IOS-Security-PM@cisco.com

6.2.2) Secure Shell Version 2

Secure Shell Version 2 (SSHv2) provides strong authentication and encryption capabilities. It supports logging into the router remotely for secure management and administration, executing commands remotely, and moving files from one host to another.
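Enabling SSHv2 and restricting remote management to it, as an added example that is not part of the release notes. Hostname, domain name, account name, and the management ACL source (10.1.0.0/24) are constructed values.

```cisco
! Added example (not from the release notes). The RSA key pair must exist
! before the SSH server will start; the hostname and domain name feed its name.
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
!
! Require protocol version 2 only (no fallback to SSHv1)
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account used by "login local" below; replace the placeholder secret
username admin privilege 15 secret <STRONG-PASSWORD>
!
ip access-list standard MGMT-HOSTS
 permit 10.1.0.0 0.0.0.255
!
line vty 0 4
 ! only management hosts may open a session, and only over SSH (no Telnet)
 access-class MGMT-HOSTS in
 transport input ssh
 login local
```

"show ip ssh" confirms the server is enabled and which protocol version it accepts.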

Figure 77

SSHv2

Benefits

Protects from host spoofing, password sniffing, and eavesdropping by providing a secure session.

Provides capabilities to a network administrator for secure remote configuration and management.

Improved security compared to SSHv1.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7100, 7200, 7400, and 7500 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

6.2.3) Secure Access Mode—Silent Mode

When packets are destined to the processor, the control plane makes a decision that may include discarding the packet. When a packet is discarded, the control plane may provide additional information as to why the packet was dropped (e.g., an ICMP unreachable message). Hackers use this drop information for reconnaissance when preparing for an attack.

Silent Access Mode is a new feature that provides the means to define a policy (via a QoS policy map) about the type of information that will be communicated for discarded packets; it is essentially outbound filtering on the control plane.

Benefits

Improves the security posture of the Cisco IOS Software devices by returning no error messages for discarded packets:

Makes hacker reconnaissance more challenging.

Policy definition offers flexibility to define relevant information to be communicated about discarded packets.

Reduces the risk of an attack against the router.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7100, 7200, and 7500 Series

Cisco 3620, 3640, and 3660 Routers

Cable Access Routers

Cisco uBR905 and Cisco uBR925 Cable Access Routers


Additional Information: http://www.cisco.com/warp/public/732/Tech/security/

Product Management Contact: IOS-Security-PM@cisco.com

6.2.4) Image Verification

To verify the integrity of Cisco IOS Software images, Cisco uses MD5 hashing of Cisco IOS Software images. While the MD5 hash is published on Cisco.com, users must perform the Cisco IOS Software image verification themselves:

Run MD5 hash software, either by using the Cisco IOS Software "verify" CLI command or by generating the MD5 hash with MD5 software running on a separate server.

Manually compare the MD5 hash with the value published on Cisco.com, or include the Cisco.com value as part of the verify command.

As of Cisco IOS Software Release 12.3(4)T, Cisco IOS Software images embed the MD5 hash within the image to simplify this process:

The "verify" command, instead of only generating the MD5 hash, now returns three MD5 values and performs the verification:

1. Computed MD5—the MD5 hash computed over the image

2. Embedded MD5—the MD5 value embedded in the Cisco IOS Software image

3. CCO MD5—the MD5 value published on Cisco.com

4. If the computed and embedded values are the same, image verification is considered successful

Additionally, extensions to several common Cisco IOS Software image operational CLI commands are made:

1. The copy command now has a "verify|noverify" extension that automatically performs MD5 hash validation.

2. The reload command also has a "verify|noverify" extension that automatically performs MD5 hash validation.

3. Users can also use the new configuration command "file verify auto", after which the copy and reload commands automatically include the "verify" option.
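The verification procedure above, as an added example session that is not part of the release notes. The image file name, the Cisco.com hash, and the TFTP server address are placeholders or constructed values.

```cisco
! Added example (not from the release notes).
! 1) Explicit check: compute the MD5 of the image in flash and compare it with
!    the value published on Cisco.com, given as the last argument. The command
!    also reports the MD5 embedded in the image.
Router# verify /md5 flash:<IMAGE-FILENAME>.bin <MD5-FROM-CISCO.COM>
!
! 2) Make every copy and reload verify the image automatically.
Router# configure terminal
Router(config)# file verify auto
Router(config)# end
!
! 3) With "file verify auto" set, copy and reload behave as if /verify were
!    given; /verify and /noverify override the global setting per command.
Router# copy /verify tftp://10.1.0.20/<IMAGE-FILENAME>.bin flash:
Router# reload /verify
```

A mismatch between the computed and embedded values means the image was altered or corrupted in transit and should not be booted.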

Benefits

Image Verification automates the validation of the Cisco IOS Software image running on the router by providing automated checks during the download process:

Simplifies the Cisco IOS Software image verification process.

Improves the security of the router by preventing potentially corrupted Cisco IOS Software images from being loaded onto the router.

Removes the need to trust that network administrators perform this check manually when upgrading a router.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7100, 7200, and 7500 Series Routers

Cisco 3620, 3640, and 3660 Routers

Cable Access Routers

Cisco uBR905 and Cisco uBR925 Cable Access Routers


Product Management Contact: IOS-Security-PM@cisco.com

6.2.5) Login Enhancements—Password Retry Delay

Cisco IOS Login Enhancements increase the security of the networking device by adding a new time-based dimension to user login. Network administrators can specify a time period between retries in order to slow dictionary attacks. User account lockout can now include a time period within which a user must succeed in logging on to the device.
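The login enhancements above configured together, as an added example that is not part of the release notes. The trusted-host subnet (10.1.0.0/24) and the timer values are constructed.

```cisco
! Added example (not from the release notes).
ip access-list standard MGMT-HOSTS
 permit 10.1.0.0 0.0.0.255
!
! After 3 failed attempts within 60 seconds, enter quiet mode for 120 seconds.
login block-for 120 attempts 3 within 60
! During quiet mode only hosts permitted by MGMT-HOSTS may still attempt to log in,
! so an attacker cannot lock administrators out by triggering the block.
login quiet-mode access-class MGMT-HOSTS
! Enforce a 3 second delay between successive login attempts (slows dictionary attacks).
login delay 3
! Log every failure and every success so the events can be correlated centrally.
login on-failure log every 1
login on-success log
```

"show login" shows whether the device is currently in quiet mode and how many failures have been counted in the current window.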

Benefits

Cisco IOS Login Enhancements add a new dimension to the current Cisco IOS Software login/password method by providing new tools to prevent unwanted access to the networking device:

Delays potential dictionary attacks.

Adds new flexibility to lock out unwanted attempts to access the device.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7100, 7200, and 7500 Series Routers

Cisco 3620, 3640, and 3660 Routers

Cable Access Routers

Cisco uBR905 and Cisco uBR925 Cable Access Routers


Product Management Contact: IOS-Security-PM@cisco.com

6.2.6) Router IP Traffic Export

Router IP Traffic Export feature is a lightweight mechanism to export IP packets as they arrive at or leave the router. A designated Ethernet interface is used for exporting captured IP packets out of the router. The objective is to export raw IP packets in their unaltered form to a designated server, analyzer, or security device connected directly to the router's designated export interface for further analysis.

Filter capability (using ACL) to help focus on exporting only traffic of interest.

Sampling option is available to minimize the volume of traffic exported.

An Ethernet port using either a MAC/802.1q/ISL address associated with the destination host or an IP address can be used.

Syslog information is provided when the feature is activated or deactivated.
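An export profile using the filter and sampling options listed above, as an added example that is not part of the release notes. The analyzer MAC address (0011.2233.4455), the ports of interest, and the sampling rate are constructed values.

```cisco
! Added example (not from the release notes). Copy a sample of the traffic of
! interest seen on FastEthernet0/0 to an analyzer attached to FastEthernet0/1.
ip access-list extended RITE-INTEREST
 permit tcp any any eq 25
 permit tcp any any eq 80
!
ip traffic-export profile LAN-MONITOR
 ! Ethernet interface the analyzer is attached to
 interface FastEthernet0/1
 ! destination MAC of the analyzer; exported packets are sent unaltered to it
 mac-address 0011.2233.4455
 ! capture both directions on the monitored interface
 bidirectional
 incoming access-list RITE-INTEREST
 outgoing access-list RITE-INTEREST
 ! export only 1 in every 20 matching packets to bound the export volume
 incoming sample one-in-every 20
 outgoing sample one-in-every 20
!
interface FastEthernet0/0
 ip traffic-export apply LAN-MONITOR
```

"show ip traffic-export" lists the profile, the monitored interface, and the packet counters; the syslog message generated on apply/remove confirms activation without a console session.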

Benefits

A lightweight mechanism embedded in Cisco IOS Software to export IP traffic.

Alleviates the need to attach an in-line device to capture traffic destined to or from the network device.

Ability to monitor multiple interfaces simultaneously by connecting to a single interface.

Filtering capability to focus on only traffic of interest.

Add or remove traffic analyzers for in-line analysis without disrupting the network connection.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7100, 7200, and 7500 Series Routers

Cisco 3620, 3640, and 3660 Routers

Cable Access Routers

Cisco uBR905 and Cisco uBR925 Cable Access Routers


Product Management Contact: IOS-Security-PM@cisco.com

6.2.7) Cisco IOS Easy VPN Remote Phase 3.2

Cisco IOS Easy VPN Remote allows Cisco IOS Software routers to act like a PC IPsec software client (Unity Client). Cisco IOS Easy VPN dramatically simplifies router configuration and deployment by allowing IPsec VPN parameters to be pushed down from the concentrator (Easy VPN Server), which can also be a Cisco IOS Software router.

Phase 3.2 introduces two new features:

Xauth password & username saving option.

Backup Peers (multiple peer support, stateless failover with Dead Peer Detection).

Figure 78

Cisco IOS Easy VPN Remote Phase 3.2

Benefits

Xauth Password and Username Saving Option

Currently, when Xauth authentication is enabled, a user must Telnet to the CLI in order to type in the Xauth username and password. The saving option allows the Cisco IOS Easy VPN Remote router to save the Xauth username and password, so that the user does not have to retype this information when the tunnel is established again.

Backup Peers (multiple peer support, stateless failover with Dead Peer Detection)

The other new addition is the locally configured backup peer list. This is a list of multiple Easy VPN Servers that will be attempted when building an IPsec tunnel, if the previous server on the list is unavailable. Also, a failover to a new server on the list will occur if the Hello timers from the dead peer detection routines expire. This feature increases VPN availability by allowing for backup servers to be used when the primary server is unavailable.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7100, 7200, and 7500 Series Routers

Cisco 3620, 3640, and 3660 Routers

Cable Access Routers

Cisco uBR905 and Cisco uBR925 Cable Access Routers


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftezvpnr.htm

Product Management Contact: IOS-Security-PM@cisco.com

6.2.8) Cisco IOS Certificate Server

Cisco IOS Certificate Server embeds a certificate server into the Cisco IOS Software. The router can now act as a Certificate Authority on the network.
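Bringing up the embedded certificate server, as an added example that is not part of the release notes. The server name, issuer DN, and lifetimes are constructed values.

```cisco
! Added example (not from the release notes). SCEP enrollment is served over
! HTTP, so the HTTP server must be enabled on the CA router.
ip http server
!
crypto pki server BRANCH-CA
 issuer-name CN=branch-ca.example.net,O=Example
 ! keep every issued certificate, not only serial numbers, so revocation
 ! and auditing have the full record
 database level complete
 database url flash:
 ! device certificates valid 1 year, CA certificate 5 years, CRL refreshed daily
 lifetime certificate 365
 lifetime ca-certificate 1825
 lifetime crl 24
 ! no "grant auto" here: enrollment requests are held until an operator
 ! reviews and grants them, so a rogue device cannot self-enroll
 no shutdown
!
! Review pending requests and grant one explicitly (exec mode)
Router# crypto pki server BRANCH-CA info requests
Router# crypto pki server BRANCH-CA grant <REQUEST-ID>
```

The "no shutdown" step generates the CA key pair and self-signed certificate; back up the database location before relying on the CA in production.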

Figure 79

Cisco IOS Certificate Server

Benefits

Offers a simpler solution to deploy IPsec VPN with certificates.

Provides relief from the expense and workload of configuring a full-function third-party Certificate Authority.

Simpler, easier, and less expensive Public Key Infrastructure (PKI) deployment.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7100, and 7200

Cisco 3640 and 3660 Routers


Product Management Contact: IOS-Security-PM@cisco.com

6.2.9) VPN Access Control using 802.1x Authentication

VPN Access Control using 802.1x Authentication allows Enterprise employees to access their enterprise networks from home while allowing other household members to access only the Internet. The feature uses the Institute of Electrical and Electronics Engineers (IEEE) 802.1x protocol framework to achieve the VPN access control. The authenticated employee has access to the VPN tunnel and others (unauthenticated users on the same LAN) have access only to the Internet. This feature is targeted to the SOHO/Telecommuter market segment.

Figure 80

VPN Access Control using 802.1x Authentication

Benefits

Enforcing corporate policy for network access to home/telecommuter/day time extender users.

Authentication at Layer 2 to allow only authenticated traffic to access VPN tunnels to access corporate resources.

Hardware

Routers

Cisco 806, 831, 836, 837, 1701, 1710, 1721, 1751-V, and 1760 Routers


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/123x/123xa/gt_802_1.htm

Product Management Contact: IOS-Security-PM@cisco.com

6.2.10) Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for Open Shortest Path First Version 3

IPv6 specifications mandate the implementation of IPsec to enable end-to-end security. The first IPv6 IPsec implementation in Cisco IOS Software ensures security between routers that run Open Shortest Path First version 3 (OSPFv3). In OSPFv3 (RFC 2740), the authentication field has been removed from the OSPF header; instead, OSPFv3 relies on the IPv6 Authentication Header (AH) and IPv6 Encapsulating Security Payload (ESP) to ensure the integrity, authentication, and confidentiality of routing exchanges. Data traffic encryption is not supported in this first phase.

Reference: draft-ietf-ospf-ospfv3-auth
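IPsec AH authentication applied to an OSPFv3 interface, as an added example that is not part of the release notes. The prefix, router ID, SPI, and key are placeholders; both neighbors on the link must carry the identical SPI and key.

```cisco
! Added example (not from the release notes).
ipv6 unicast-routing
!
ipv6 router ospf 1
 router-id 10.0.0.1
!
interface FastEthernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 ospf 1 area 0
 ! Manually keyed AH for OSPFv3 packets on this link. The SPI (256-4294967295)
 ! must be unique per security association and match on the neighbor; the MD5
 ! key is 32 hexadecimal digits (128 bits). Only authentication is provided;
 ! the routing exchanges themselves are not encrypted in this first phase.
 ipv6 ospf authentication ipsec spi 500 md5 <32-HEX-DIGIT-KEY>
```

"show ipv6 ospf interface" reports the SPI in use, and "show crypto ipsec sa" shows the resulting AH security association and its packet counters.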

Figure 81

Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for OSPFv3

Benefits

Encrypting routing protocol exchange information increases the security of the Internet infrastructure. OSPFv3 IPsec support is another step in the Cisco IPv6 support strategy.

Hardware

Routers

Cisco 800—7500 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

6.2.11) Cisco IOS Firewall Access Control Lists Bypass

Cisco IOS Firewall Access Control Lists (ACL) Bypass enhances the performance of Cisco IOS Firewall by removing multiple lookups on the return traffic passing through the router. The previous implementation performed multiple checks of each packet of the return traffic of an existing firewall flow: the input ACL search, the output ACL search and the inspection session search. Now a check is only done once and packets are marked if they belong to an existing firewall session before the input ACL search, and this marking is used to skip the input and output dynamic ACL searches.

Figure 82

Cisco IOS Firewall ACL Bypass

Benefits

The primary benefit is that the throughput performance improvement of Cisco IOS Firewall will be approximately 10%. This feature is transparent to the user, because there are no associated configuration changes to enable or disable.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, and 7000 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

6.2.12) User Management Enhancements for Easy VPN Server

This feature includes the following enhancements:

RADIUS Support for User Profiles:

RADIUS attributes can now be applied on a per-user basis. If you apply attributes on a per-user basis, you can override a group attribute value with the individual user attribute. The attributes are retrieved when user authentication via Xauth occurs. The attributes are then combined with the group attributes and applied during Mode Configuration.

Session Monitoring for VPN Group Access:

It is now possible to limit the maximum number of connections to a specific server group as well as limit the number of simultaneous logins for users in that group. After user-defined thresholds are defined in each VPN group, new connections will be denied until existing connections drop below these thresholds. This limit can be specified in CLI or using a RADIUS server, such as CiscoSecure ACS. When enabling this feature on the router itself, only connections to groups on that specific device are monitored.

Benefits

Enables customized per-user policy control when using RADIUS.

Alleviates the need for local configuration on the router and enables user mobility with the use of RADIUS.

Ability to limit the number of users according to the available network resources.

For more information contact: IOS-Security-PM@cisco.com

6.2.13) IPsec VPN Monitoring

The IPsec Virtual Private Network (VPN) Monitoring feature provides VPN session monitoring enhancements that assist in troubleshooting the VPN and monitoring the end-user interface. Session monitoring enhancements include the following:

Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file.

Summary listing of crypto session status.

Syslog notification for crypto session up or down status.

Ability to clear both IKE and IPsec security associations (SAs) using one command-line interface (CLI).
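The four monitoring enhancements listed above in use, as an added example that is not part of the release notes. The peer address and description are constructed values.

```cisco
! Added example (not from the release notes).
! Give the IKE peer a human-readable description that shows up in session output
crypto isakmp peer address 192.0.2.10
 description BRANCH-07 Easy VPN remote
!
! Emit a syslog message whenever a crypto session comes up or goes down
crypto logging session
!
! Summary of all sessions, then the detailed view with SA lifetimes and counters
Router# show crypto session
Router# show crypto session detail
!
! Tear down both the IKE SA and the IPsec SAs for one peer with a single command
Router# clear crypto session remote 192.0.2.10
```

Forward the session up/down syslog messages to the central log server so tunnel flaps are visible without polling the router.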

Benefits

Simplified listing for current active IPsec tunnels.

Granular control and monitoring on a per-session basis.

Real-time reporting of session changes via syslog.

For more information contact: IOS-Security-PM@cisco.com

6.3) IP Addressing & Services

6.3.1) IPv6 Anycast Address

An IPv6 Anycast address is an address that is assigned to a set of interfaces that typically belong to different nodes. A packet sent to an Anycast address is delivered to the closest interface—as defined by the routing protocols in use—identified by the anycast address. Anycast addresses are syntactically indistinguishable from unicast addresses because anycast addresses are allocated from the unicast address space. Assigning an IPv6 unicast address to more than one interface makes a unicast address an anycast address.

Example (Figure 65): Cisco IOS Software routers set as 6to4 Relay [see RFC 3056] can be configured with the 6to4 Relay Anycast address as defined in RFC 3068.

Figure 83

Anycast Prefix for 6to4 Relay

Benefits

Compliance with the IPv6 addressing architecture document.

Enhanced scalability, discovery and failure recovery of 6to4 Relay.

Hardware

Routers

Cisco 830—7500 Series


Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/

RFC 3068—An Anycast Prefix for 6to4 Relay Routers

Product Management Contact: ipv6-pm@cisco.com

6.3.2) Border Gateway Protocol—Policy Accounting Output Interface Accounting

Border Gateway Protocol (BGP) policy accounting measures and classifies IP traffic that is sent to, or received from, different peers. Policy accounting was previously available on an input interface only. BGP Policy Accounting Output Interface Accounting introduces several extensions to enable BGP policy accounting on an output interface, and to include accounting based on a source address for both input and output traffic on an interface. Counters based on parameters such as community list, autonomous system number, or autonomous system path are assigned to identify the IP traffic.

Benefits

Account for IP Traffic Differentially

BGP policy accounting classifies IP traffic by autonomous system number, autonomous system path or community list string, and increments packet and byte counters. Policy accounting can also be based on the source address. Service Providers can account for traffic and apply billing, according to the origin of the traffic or the route that specific traffic traverses.

Efficient Network Circuit Peering and Transit Agreement Design

Implementing BGP policy accounting on an edge router can highlight potential design improvements for peering and transit agreements.

Hardware

Routers

Cisco 2600—7500 Series Routers


Product Management Contact: routing-pm@external.cisco.com

6.3.3) ACL—Filtering IP Options and IP Options Selective Drop

IP Options provide control functions that are required in some situations but unnecessary for the most common communications. IP Options include provisions for timestamps, security, and special routing.

IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways). What is optional is their transmission in any particular datagram, not their implementation.

ACL Support for Filtering IP Options and ACL IP Options Selective Drop are separate enhancements that provide the customer total flexibility in determining how best to filter IP traffic that includes IP Options fields.

ACL Support for Filtering IP Options allows you to filter packets based on a particular "option" value.

ACL IP Options Selective Drop allows you to either "drop" all packets that contain IP Options or "ignore" them, in which case the packets are forwarded as usual.
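Both mechanisms side by side, as an added example that is not part of the release notes. The interface name is a constructed value.

```cisco
! Added example (not from the release notes).
! (a) ACL filtering (named extended ACL only): let through the Router Alert
!     option, which RSVP and IGMPv2 depend on, reject every other option and
!     log it, then permit ordinary traffic.
ip access-list extended NO-IP-OPTIONS
 permit ip any any option router-alert
 deny   ip any any option any-options log
 permit ip any any
!
interface Serial0/0
 ip access-group NO-IP-OPTIONS in
!
! (b) Global selective drop: discard every packet carrying IP Options before it
!     reaches the route processor. This also drops Router Alert packets, so
!     RSVP/IGMPv2 will break; "ip options ignore" instead forwards them as
!     plain packets without options processing.
ip options drop
```

Prefer the ACL form on routers that run RSVP, MPLS TE, or IGMPv2, and reserve the global drop for devices that need none of them.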

Benefits

Filters packets that contain IP Options from the network and relieves downstream routers and hosts of the load from options packets.

Reduced load to the Route Processor (RP) for packets with IP Options that require RP processing on distributed systems. Previously, the packets were always routed to or processed by the RP CPU. Filtering the packets prevents them from impacting the RP.

Drop mode filters packets from the network and relieves downstream routers and hosts of the load from options packets.

Reduced load to the Route Processor (RP) for options that require RP processing on distributed systems. Previously, the packets were always routed to or processed by the RP CPU. Now, the ignore and drop forms keep the packets from impacting the RP.

Hardware


Restrictions

Resource Reservation Protocol (RSVP), Multiprotocol Label Switching Traffic Engineering (MPLS TE), Internet Group Management Protocol Version 2 (IGMPv2), and other protocols that use IP Options packets may not function in drop or ignore mode if this feature is configured.

Turbo ACLs do not support ACLs with entries that filter using the option keyword, and such ACLs will not be Turbo compiled. This option keyword restriction does not affect any other ACLs on the router. In general, not using Turbo ACLs in such cases is not considered a performance issue because, as of 12.3(2)T, the performance of software-based ACLs is considerably faster: on the order of Turbo ACLs or faster.

The ACL—Support for Filtering IP Options feature can be used only with named, extended ACLs.

Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtipofil.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s23/sel_drop.htm

RFC 791: complete list and description of IP Options
http://www.faqs.org/rfcs/rfc791.html

Product Management Contact: Mark Denny, mdenny@cisco.com

6.3.4) NAT—Performance Related Enhancements

A collection of enhancements aimed at improving the overall performance of the Network Address Translation (NAT) feature within Cisco IOS Software.

The majority of the effort is transparent to the end customer; however, under certain circumstances customers should see:

Optimized CPU utilization—taking longer to ramp to higher CPU percentages.

This will vary based on the type of IP traffic inspected by NAT, the specific platform in question, and other features active within the router.

Improved throughput when using NAT.

The specific enhancements are:

Support for CEF

TCP flags—SYN, FIN, and RST are now handled in CEF

- Translation entry creation in the CEF path under

- Support for dCEF

Translation table optimization

- Improved creation and searching of translations

- Pool and port list optimization

Support for fragmented packets

Benefits

Improved efficiency of CPU utilization when Network Address Translation is enabled in a router.

Overall improved throughput, which may vary slightly depending on the type and complexity of the protocols NAT is inspecting.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

6.3.5) NAT—Rate Limiting NAT Translation

This enhancement, "NAT—Rate Limiting NAT Translation", extends the existing capability within Cisco IOS Network Address Translation (NAT) to configure a maximum number of concurrent NAT translations within the router. The original capability was sufficient for the initial implementation of NAT, but with the increase in DoS attacks and the variety of provider edge aggregation designs, a more flexible method is needed for controlling how, and to whom, NAT translations are allocated.

The enhancement allows customers to configure a NAT Rate Limiting hierarchy within each NAT router:

Maximum number of concurrent translations for the router

Maximum number of concurrent translations applied to each MPLS VPN (assuming the router is part of an MPLS network)

Maximum number of concurrent translations for an individual MPLS VPN (assuming the router is part of an MPLS network)

Maximum number of concurrent translations applied to an ACL

The ACL might be used to describe a specific subnet to apply this maximum to, or a specific prefix list or prefix lists.

Rate limiting can be applied to multiple ACLs within the router.

Maximum number of concurrent translations applied to all IP hosts (all-hosts) transiting the router

Maximum number of concurrent translations for an individual IP host

This value overrides the all-hosts maximum if configured for the specific IP host.

Examples

Setting a General NAT Limit

The following example shows how to limit the maximum number of allowed NAT entries to 300:

Router(config)# ip nat translation max-entries 300  

Setting NAT Limits for VRF Instances

The following example shows how to limit each VRF instance to 200 NAT entries:

Router(config)# ip nat translation max-entries all-vrf 200

The following example shows how to limit the VRF instance named "vrf1" to 150 NAT entries:

Router(config)# ip nat translation max-entries vrf vrf1 150

The following example shows how to limit the VRF instance named "vrf2" to 225 NAT entries, but limit all other VRF instances to 100 NAT entries each:

Router(config)# ip nat translation max-entries all-vrf 100 
Router(config)# ip nat translation max-entries vrf vrf2 225  

Setting NAT Limits for Access Control Lists

The following example shows how to limit the access control list named "vrf3" to 100 NAT entries:

Router(config)# ip nat translation max-entries list vrf3 100 

Setting NAT Limits for an IP Address

The following example shows how to limit the host at IP address 127.0.0.1 to 300 NAT entries:

Router(config)# ip nat translation max-entries host 127.0.0.1 300 
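To make the limit hierarchy concrete, here is an added Python model (not Cisco IOS code) that parses max-entries lines of the forms shown above and decides whether a new translation may be created. The "all-host" keyword spelling, the constructed ACL "lab-hosts", and the rule that any reached limit refuses the translation are assumptions of this example, not statements from the page.

```python
# Model of the NAT translation rate-limiting hierarchy (added example, not
# Cisco IOS code). Assumptions: a translation is refused when any applicable
# limit is reached; 'vrf NAME' overrides 'all-vrf'; 'host IP' overrides
# 'all-host' (the 'all-host' keyword spelling itself is assumed).
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatLimits:
    router: Optional[int] = None
    all_vrf: Optional[int] = None
    all_host: Optional[int] = None
    per_vrf: dict = field(default_factory=dict)   # VRF name -> limit
    per_list: dict = field(default_factory=dict)  # ACL name -> limit
    per_host: dict = field(default_factory=dict)  # source IP -> limit

    def apply(self, line: str) -> None:
        """Parse one 'ip nat translation max-entries ...' line (prompt stripped)."""
        tokens = line.split()
        if tokens[:4] != ["ip", "nat", "translation", "max-entries"]:
            raise ValueError(f"not a max-entries command: {line!r}")
        rest = tokens[4:]
        if len(rest) == 1:
            self.router = int(rest[0])
        elif len(rest) == 2 and rest[0] == "all-vrf":
            self.all_vrf = int(rest[1])
        elif len(rest) == 2 and rest[0] == "all-host":
            self.all_host = int(rest[1])
        elif len(rest) == 3 and rest[0] in ("vrf", "list", "host"):
            table = {"vrf": self.per_vrf, "list": self.per_list, "host": self.per_host}
            table[rest[0]][rest[1]] = int(rest[2])
        else:
            raise ValueError(f"unrecognised max-entries form: {line!r}")


@dataclass
class NatTable:
    limits: NatLimits
    acls: dict = field(default_factory=dict)  # ACL name -> permitted source prefixes
    total: int = 0
    by_vrf: Counter = field(default_factory=Counter)
    by_list: Counter = field(default_factory=Counter)
    by_host: Counter = field(default_factory=Counter)

    def _matching_lists(self, src: str) -> list:
        """Names of rate-limited ACLs whose prefixes cover the source address."""
        addr = ip_address(src)
        return [name for name in self.limits.per_list
                if any(addr in net for net in self.acls.get(name, ()))]

    def _checks(self, src: str, vrf: Optional[str]):
        """Yield (scope, current count, limit) for every limit that applies to src."""
        lim = self.limits
        if lim.router is not None:
            yield "router", self.total, lim.router
        if vrf is not None:
            vrf_limit = lim.per_vrf.get(vrf, lim.all_vrf)   # specific VRF wins
            if vrf_limit is not None:
                yield f"vrf {vrf}", self.by_vrf[vrf], vrf_limit
        for name in self._matching_lists(src):
            yield f"list {name}", self.by_list[name], lim.per_list[name]
        host_limit = lim.per_host.get(src, lim.all_host)   # specific host wins
        if host_limit is not None:
            yield f"host {src}", self.by_host[src], host_limit

    def create(self, src: str, vrf: Optional[str] = None) -> tuple:
        """Try to add a translation for src; return (created, reason)."""
        for scope, current, limit in self._checks(src, vrf):
            if current >= limit:
                return False, f"{scope}: limit of {limit} reached"
        self.total += 1
        if vrf is not None:
            self.by_vrf[vrf] += 1
        for name in self._matching_lists(src):
            self.by_list[name] += 1
        self.by_host[src] += 1
        return True, "translation created"


def build_demo_table() -> NatTable:
    """Constructed configuration: a small version of the hierarchy on the page."""
    limits = NatLimits()
    for line in (
        "ip nat translation max-entries 6",
        "ip nat translation max-entries all-vrf 2",
        "ip nat translation max-entries vrf vrf2 3",
        "ip nat translation max-entries list lab-hosts 3",
        "ip nat translation max-entries all-host 1",
        "ip nat translation max-entries host 192.0.2.10 2",
    ):
        limits.apply(line)
    return NatTable(limits, acls={"lab-hosts": [ip_network("192.0.2.0/24")]})
```

Calling `build_demo_table().create(src, vrf)` repeatedly shows which scope refuses a translation first: the all-vrf limit for vrf1, the per-host override for 192.0.2.10, the ACL limit for the 192.0.2.0/24 hosts, and the all-host limit for everyone else.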

Benefits

Allows customers a great deal of control over how their NAT address pools and translation table are allocated and made use of.

Option to implement a hierarchy of rate limiting tailored to the specific network or device requirements and concerns.

Control how many concurrent translations all users can have.

Additionally, control how many translations a specific individual IP host can have.

Limit across all MPLS VPNs, and set limits for a specific MPLS VPN.

Helps control and mitigate denial-of-service attacks in the form of viruses and worms that can indirectly use up the router's NAT resources and seriously affect the overall performance of that router.

Hardware


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_natrl.htm

Product Management Contact: Mark Denny, mdenny@cisco.com

6.3.6) NAT—Translation of External IP Addresses only

Before this feature, any IP addresses embedded in the packet payload were translated according to the configured NAT rules and the list of protocols or applications that NAT supports.

With this enhancement, Cisco IOS Network Address Translation (NAT) can be configured to ignore all embedded IP addresses for any application and traffic type.

Translation of external IP addressing will still occur according to the NAT rules configured within the router.

The main driver for this enhancement is the case where the IP addresses of a source and destination pair are public routable addresses, but the network they traverse is privately addressed.

Any embedded addressing is already valid between the source and destination and requires no translation. The only translation required is on the external addresses, to allow the IP sessions to pass properly over the privately addressed network in between.

Figure 84

Benefits

Provides customers increased flexibility to adapt the NAT functionality to their specific network design.

Typically only appropriate where

Source and Destination pair have IP addresses from the same addressing scheme, but the network they are traversing has a completely different addressing scheme.

Any IP addresses and ports embedded within the payload are already relevant to the source and destination networks.

Simplifies NAT processing performed within each NAT router.

Hardware


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnatxip.htm

Product Management Contact: Mark Denny, mdenny@cisco.com

6.3.7) FHRP—Enhanced Object Tracking—Integration with SAA

Cisco's First Hop Redundancy Protocols (FHRP) are a collection of three separate features in Cisco IOS:

Hot Standby Routing Protocol (HSRP)

Gateway Load Balancing Protocol (GLBP)

Virtual Router Redundancy Protocol (VRRP)

Cisco enables each protocol to "track" events within a router; the tracked state can influence which router is the "Active" router or, with GLBP, change the load-sharing metric or change which router is the lead Active router along with the load-sharing metric.

The Enhanced Object Tracking—Integration with SAA enhancement significantly expands the number of "objects" or "events" that can be tracked by HSRP, GLBP and VRRP.

SAA is a network performance measurement agent within Cisco IOS that provides a scalable, cost-effective solution for service level monitoring. It eliminates the need for dedicated monitoring devices by including the "probe" capabilities in the routers.

SAA collects network performance information in real time: response time, one-way latency, jitter, packet loss, website download time, as well as other network statistics. It also provides the mechanism to monitor performance for different classes of traffic over the same connection.

SAA objects include:

1. UDP Echo; Round-trip delay

2. UDP Jitter; Round-trip delay, one-way delay, jitter, packet loss. One-way delay requires time synchronization between the SAA source and target routers.

3. TCP Connect; Connection Time

4. DNS; DNS Lookup Time

5. DHCP; Round-trip time to get an IP address

6. FTP; Round-trip time to transfer a file

7. HTTP; Round-trip time to get a web page

8. ICMP Echo; Round-trip delay

9. ICMP Path Echo; Round-trip delay for the full path. The path can be discovered by "trace route" or Loose Source Routing (LSR).

10. ICMP Path Jitter; Round-trip delay, jitter and packet loss for the full path

11. DLSw+; Peer tunnel performance

12. Frame Relay; Circuit availability, round-trip delay and frame delivery ratio

13. ATM; Availability, round-trip delay and delivery ratio. Supported through Visual Network UpTime.

FHRP protocols can track a single object or event at a time.

IP Host Tracking: Example

The following example shows SAA tracking on router 1:

rtr 1
  type echo protocol ipIcmpEcho 10.51.12.4
  timeout 1000
  frequency 3
  threshold 2
  request-data-size 1400
rtr sched 1 start-time now life forever

!
track 2 rtr 1 state
track 3 rtr 1 reachability
!
interface e0/1
  ip address 10.21.0.4 255.255.0.0
  no shutdown
  standby 3 ip 10.21.0.10
  standby 3 priority 120
  standby 3 preempt
  standby 3 track 2 decrement 10
  standby 3 track 3 decrement 10
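As an added Python model (not Cisco IOS code) of what the configuration above does, the following maps one SAA echo result onto the two track objects and computes the resulting HSRP priority for group 3, then decides whether a constructed peer router at priority 110 takes over. The mapping of probe timing to "state" and "reachability", the strictly-higher-priority preemption rule, and the omission of the IP-address tie-break are assumptions of this example.

```python
# Model of HSRP priority decrement driven by SAA-backed track objects (added
# example, not Cisco IOS code). Assumptions: 'track N rtr M reachability' is up
# when the probe is answered within the timeout; 'track N rtr M state' is up
# only when the reply also arrives within the threshold; every down track
# subtracts its decrement; a preempt-enabled peer takes over only with a
# strictly higher effective priority (the IP-address tie-break is omitted).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SaaEchoProbe:
    """The 'rtr 1' ICMP echo operation from the example (times in ms)."""
    target: str
    timeout_ms: int = 1000
    threshold_ms: int = 2

    def evaluate(self, rtt_ms: Optional[float]) -> dict:
        """Classify one probe result; rtt_ms=None means no reply at all."""
        reachable = rtt_ms is not None and rtt_ms <= self.timeout_ms
        within_threshold = reachable and rtt_ms <= self.threshold_ms
        return {"reachability": reachable, "state": within_threshold}


@dataclass
class HsrpGroup:
    priority: int
    preempt: bool
    tracks: dict = field(default_factory=dict)  # track id -> (attribute, decrement)

    def effective_priority(self, probe_result: dict) -> int:
        """Configured priority minus the decrement of every track that is down."""
        down = sum(dec for attr, dec in self.tracks.values() if not probe_result[attr])
        return self.priority - down


def router1_group() -> HsrpGroup:
    """Group 3 on router 1 as configured above: priority 120, two tracks of 10."""
    return HsrpGroup(priority=120, preempt=True,
                     tracks={2: ("state", 10), 3: ("reachability", 10)})


def next_active(current: str, groups: dict, results: dict) -> str:
    """Who is active after applying each router's probe result.

    The current active router keeps the role unless a peer with preempt has a
    strictly higher effective priority.
    """
    best, best_prio = current, groups[current].effective_priority(results[current])
    for name, grp in groups.items():
        if name == current or not grp.preempt:
            continue
        prio = grp.effective_priority(results[name])
        if prio > best_prio:
            best, best_prio = name, prio
    return best


if __name__ == "__main__":
    probe = SaaEchoProbe("10.51.12.4")
    # Constructed peer: router 2 runs the same group at priority 110, preempt, no tracks.
    groups = {"router1": router1_group(), "router2": HsrpGroup(110, True)}
    for label, rtt in (("fast reply", 1), ("slow reply", 50), ("no reply", None)):
        results = {"router1": probe.evaluate(rtt), "router2": probe.evaluate(1)}
        prio = groups["router1"].effective_priority(results["router1"])
        print(f"{label:<11} router1 priority {prio:>3} -> active: "
              f"{next_active('router1', groups, results)}")
```

With these numbers a slow but reachable target only drops router 1 to 110, which ties the peer and does not hand over the group; an unanswered probe trips both tracks, drops it to 100, and the peer preempts.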

Benefits

Increased flexibility when designing high availability into the network.

Expands tracking beyond the FHRP router itself for the first time: customers can track a specific destination or the latency of the network path and alter the characteristics of their redundancy group accordingly.

Redirect traffic around network failures.

Ensure VoIP or Video applications have the most optimal path for latency.

Hardware


Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtfhrp.htm

http://www.cisco.com/warp/public/732/Tech/nmp/saa/

Product Management Contact: Mark Denny, mdenny@cisco.com

6.3.8) ACL-TCP Flags Filtering

This feature provides a flexible mechanism for filtering on TCP flags. The ACL TCP Flags Filtering feature allows you to select any desired combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.

Before Cisco IOS Release 12.3(4)T, only ORing of TCP flags was supported in Cisco IOS.

Two new keywords, "match-all" and "match-any", indicate the type of matching. Also, customers can specify whether to match on a flag set as well as on a flag not set.

To enable this, the TCP flags can be prefixed with a + or a - sign to indicate that the flag to be matched on should be set or not set respectively. These two mechanisms give the user a great degree of control for filtering on TCP flags.

Configuring the ACE to Filter TCP Packets Based on TCP Flags: Example

The following ACE has been configured to allow TCP packets only if the TCP flags SYN and ACK are set and the FIN flag is not set:

Router> enable
Router# configure terminal
Router(config)# ip access-list extended aaa
Router(config-ext-nacl)# permit tcp any any match-all +ack +syn
Router(config-ext-nacl)# permit tcp any any match-any -urg +syn -psh
Router(config-ext-nacl)# end

The show access-list command has been entered to show the following matches based on the configured ACLs:

Router# show access-list aaa

Extended IP access list aaa

 10 permit tcp any any match-all +ack +syn
 20 permit tcp any any match-any -psh +syn -urg
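To show how match-all and match-any interact with the + and - prefixes, here is an added Python model (not Cisco IOS code) that parses the two ACEs from the example above and evaluates packets with different flag combinations against them, alongside the stricter "SYN and ACK set, FIN clear" ACE the prose describes. First-match evaluation with an implicit deny at the end is this example's assumption about IOS ACL behaviour.

```python
# Model of Cisco IOS match-all / match-any TCP-flag ACE semantics (added
# example, not Cisco IOS code). Assumes first-match evaluation with the
# implicit deny at the end of every ACL; '+flag' means the flag must be set,
# '-flag' means it must be clear.
from dataclasses import dataclass
from functools import reduce
from operator import or_

# Bit values of the six classic TCP flags (RFC 793 header layout).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


@dataclass(frozen=True)
class FlagTerm:
    name: str          # one of TCP_FLAGS
    must_be_set: bool  # True for '+flag', False for '-flag'

    def holds(self, flags: int) -> bool:
        return bool(flags & TCP_FLAGS[self.name]) == self.must_be_set


@dataclass(frozen=True)
class TcpFlagAce:
    action: str   # "permit" or "deny"
    mode: str     # "match-all" or "match-any"
    terms: tuple  # FlagTerm instances

    def matches(self, flags: int) -> bool:
        # match-all: every term must hold (AND); match-any: one is enough (OR).
        results = [t.holds(flags) for t in self.terms]
        return all(results) if self.mode == "match-all" else any(results)


def parse_ace(line: str) -> TcpFlagAce:
    """Parse an ACE such as 'permit tcp any any match-all +ack +syn'.

    Only the flag-matching part is modelled; the 'tcp any any' address
    portion is accepted but not evaluated.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] not in ("permit", "deny") or tokens[1] != "tcp":
        raise ValueError(f"not a TCP ACE: {line!r}")
    try:
        idx = next(i for i, t in enumerate(tokens) if t in ("match-all", "match-any"))
    except StopIteration:
        raise ValueError("ACE has no match-all/match-any keyword") from None
    terms = []
    for tok in tokens[idx + 1:]:
        if tok[:1] not in ("+", "-") or tok[1:] not in TCP_FLAGS:
            raise ValueError(f"bad flag term {tok!r}")
        terms.append(FlagTerm(tok[1:], tok[0] == "+"))
    if not terms:
        raise ValueError("no flag terms after the match keyword")
    return TcpFlagAce(tokens[0], tokens[idx], tuple(terms))


def flags_of(*names: str) -> int:
    """Build a TCP flag byte from flag names, e.g. flags_of('syn', 'ack')."""
    return reduce(or_, (TCP_FLAGS[n] for n in names), 0)


def evaluate(acl: list, flags: int) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        if ace.matches(flags):
            return ace.action
    return "deny"


# The two ACEs configured in the page's example (access list 'aaa').
ACL_AAA = [
    parse_ace("permit tcp any any match-all +ack +syn"),
    parse_ace("permit tcp any any match-any -urg +syn -psh"),
]

# The stricter ACE the prose describes: SYN and ACK set, FIN clear.
ACL_SYNACK_NOFIN = [parse_ace("permit tcp any any match-all +syn +ack -fin")]


if __name__ == "__main__":
    for names in (("syn", "ack"), ("syn",), ("ack", "psh", "urg"), ("syn", "ack", "fin")):
        print(f"{'|'.join(names):<12} aaa={evaluate(ACL_AAA, flags_of(*names)):<6} "
              f"strict={evaluate(ACL_SYNACK_NOFIN, flags_of(*names))}")
```

Running it shows why the match-any ACE is looser than it looks: a bare SYN is permitted by it because -urg alone satisfies the OR, while a SYN|ACK|FIN segment passes the page's list but is refused by the match-all ACE with -fin.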

Benefits

Provides customers more flexibility in dealing with various attacks involving TCP packets, such as false synchronization packets that could be accepted by a listening port. It is recommended that administrators of firewall devices set up filtering rules to drop false TCP packets.

The customer can configure an ACL to detect and drop unauthorized TCP packets by allowing only the packets that have a very specific group of TCP flags set or not set.

Users can select any desired combination of TCP flags on which to filter TCP packets.

Users can configure ACEs in order to allow matching on a flag set as well as on a flag not set.

Hardware


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtaclflg.htm

Product Management Contact: Mark Denny, mdenny@cisco.com

6.4) Mobile IP

6.4.1) Dynamic Security Associations and Key Distribution

Dynamic Security Associations and Key Distribution facilitates Mobile IP deployment by simplifying the security aspects of Mobile IP configuration and provisioning. Before this feature, the security associations, including the security parameter index, authentication algorithm, and pre-shared key, needed to be determined in advance and configured on a Mobile IP client. With this feature, the security associations do not need to be configured manually in advance. The Mobile IP client can now derive the security associations from its user's Windows login name and password upon logging in to the Windows domain. The Home Agent (HA) router authenticates the user against an existing Windows authentication system, such as a Windows Domain Controller or Windows Active Directory. Once the user is authenticated, the HA generates the user's security associations dynamically to perform Mobile IP registration authentication. Additionally, the dynamic key can be renewed to further improve security.

Figure 85

Dynamic Security Associations and Key Distribution

Benefits

Improve the user's mobility experience by allowing users to integrate Windows login and Mobile IP client login.

Simplify Mobile IP provisioning for network administrators by leveraging existing authentication infrastructure and eliminating additional key allocation to the mobile users.

Increase mobility security through dynamic re-keying.

Hardware

Routers

Cisco 1700, 2600, 7100, 7200, and 7500 Series Routers

Cisco 3620, 3640, and 3660 Routers


Product Management Contact: Mark Denny, mdenny@cisco.com

6.5) Voice & Video

6.5.1) Cisco CallManager Express

Cisco CallManager Express is a solution embedded in Cisco IOS Software that provides call processing for Cisco IP phones. This solution enables the large portfolio of Cisco access routers to deliver telephony features similar to those that are commonly used by business users to meet the requirements of the small office, thereby enabling deployment of a cost-effective, highly reliable, IP Communications solution for the small office.

Customers can now scale IP telephony to a small site or branch office with a solution that is very simple to deploy, administer, and maintain. Cisco CallManager Express is best suited for customers who are looking for a low-cost, reliable, feature-rich solution for a deployment of up to one hundred users.

Figure 86

Cisco CallManager Express

Benefits

IP telephony is currently undergoing tremendous growth, accelerated by access to value-added features and applications that only IP telephony can provide to the end user. Additionally, the cost benefits of converging voice, video, and data onto a single network are fueling the rapid acceptance of this technology. Because it is integrated into a router, Cisco CallManager Express enhances the advantages of convergence by offering the following unique benefits:

Cost-effective operations through a single, integrated voice-and-data device for all branch office needs.

Robust set of commonly used key system and low-end PBX capabilities.

Investment protection and ease of upgrade to centralized call-processing solutions.

Remote maintenance and troubleshooting using the Cisco IOS Software CLI or a Web-based graphical user interface (GUI).

Hardware

Routers

Cisco 1751-V and 1760-V Access Routers

Cisco 261xXM, 262xXM 265xXM Series Access Routers

Cisco 2691, 3725, and 3745 Access Routers

Integrated Access Devices

Cisco IAD 2400 Series Integrated Access Devices


Product Management Contact: access-ccme-cue@cisco.com

6.6) Quality of Service

6.6.1) Network Based Application Recognition Extended Inspection for HTTP Traffic

NBAR Extended Inspection for HTTP Traffic identifies HTTP traffic on ports beyond well-known TCP port 80 by using an HTTP-specific criterion. As with existing HTTP classification on port 80, users can further classify HTTP application traffic based on URL strings, by particular host names, and by MIME types for specific HTTP payload types, such as image, text or video, using the existing command.

Prior to this Extended Inspection enhancement, HTTP traffic on ports other than port 80 was not inspected for an HTTP-specific signature. With this enhancement, traffic on ports other than port 80 is inspected for a specific signature and, when it matches, is classified as HTTP.

Figure 87

NBAR Extended Inspection for HTTP Traffic

Benefits

HTTP traffic is classified more precisely and inclusively for the growing number of HTTP-based applications assigned to ports other than well-known port 80.

Hardware

Routers

Cisco 1701, 1710, 1711, 1712, 1721, 1751, and 1760 Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3620, 3631, 3640, 3660, 3725, and 3745 Routers

Cisco 7200 and 7500 Series Routers


Product Management Contact: Tim McSweeney, timcswee@cisco.com

6.6.2) NBAR User-Defined Custom Application Classification

With the ip nbar custom command, users can specify their own match criteria to identify TCP- or UDP-based applications across a range of ports, as well as on specific ports, in addition to the protocols and applications identified natively by NBAR or via downloaded PDLMs imported to NBAR. The user can specify a string or value to match at a specified byte offset within the packet payload. More than 30 custom PDLMs can be created and given user-defined names with the ip nbar custom command.

Figure 88

NBAR User-Defined Custom Application Classification

Benefits

NBAR User-Defined Application Classification enables NBAR users to specify their own criteria to match a string or numeric value inside the data packet to identify application traffic.

Hardware

Routers

Cisco 1701, 1710, 1711, 1712, 1721, 1751, and 1760 Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3620, 3631, 3640, 3660, 3725, and 3745 Routers

Cisco 7200 and 7500 Series Routers


Product Management Contact: Tim McSweeney, timcswee@cisco.com

6.6.3) Updates to Class-Based QoS MIB

The Cisco Class-Based Quality of Service Management Information Base (CBQoSMIB) supports the CLI for Cisco QoS, the Modular QoS CLI (MQC). New MQC commands are reflected in changes to the CBQoSMIB. MIB updates provide support for the following Cisco IOS Software features:

Two-Rate Policer, Cisco IOS Software Release 12.2(4)T.

Policer Enhancement: Multiple Actions, Cisco IOS Software Release 12.2(8)T.

Weighted Random Early Detection (WRED): Explicit Congestion Notification (ECN), Cisco IOS Software Release 12.2(8)T.

Modular QoS CLI (MQC) Unconditional Packet Discard, Cisco IOS Software Release 12.2(13)T.

In addition to supporting the features listed above, the CBQoSMIB has been enhanced to provide support for the following functionality:

Specifying the queue unit type in both the number of cells and bytes.

Using the Multiprotocol Label Switching (MPLS) experimental (EXP) value in classifying, marking, and transmitting packets.

Also, the objects associated with the marking types currently supported by the MIB have been changed. Specifically, the marking type configured when using the set command has been changed to the bitmap (that is, BITS) type. This enhancement enables the MIB to record more than eight marking types.

Support for the following features provides enhanced traffic policing, marking, and queuing functionality.

MPLS-DiffServ Tunneling, Cisco IOS Software Release 12.2(13)T

This feature allows users to base WRED on the discard class value of a packet. This feature also includes the ability to mark and set the MPLS EXP value for the TopMost Label when policing and classifying traffic.

Percentage-Based Policing and Shaping, Cisco IOS Software Release 12.2(13)T

This feature provides the ability to configure traffic policing and traffic shaping on the basis of a percentage of bandwidth available on the interface.

Class-Based RTP and TCP Header Compression, Cisco IOS Software Release 12.2(13)T

This feature allows you to configure Real-Time Transport Protocol (RTP) or TCP IP header compression on a per-class basis, when a class is configured within a policy map.

Finally, these additions reflect additional support for policing, shaping and packet marking.

Two time-based MIB objects, burst ms and excess burst ms, used when you are configuring traffic policing. These parameters were added to allow users to specify the appropriate burst values to be used for policing traffic. However, these two parameters can be used when you are configuring traffic policing on the basis of a percentage of bandwidth only.

Two time-based MIB objects, sustained burst size in msec and excess burst size in msec, used when you are configuring traffic shaping. These parameters were added to allow users to specify the appropriate burst values to be used for shaping traffic. However, these parameters can be used when you are configuring traffic shaping (either average rate traffic shaping or peak rate traffic shaping) on the basis of a percentage of bandwidth only.

A table used to count statistics for marking and three tables used to support the "Enhanced Packet Marking" feature available with the Cisco IOS Software Release 12.2(13)T.

Benefits

The CBQoSMIB provides read access to configuration and statistical information for MQC, following the same structure as MQC.

Hardware

Routers

Cisco 1701, 1710, 1711, 1712, 1721, and 1751 Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3725 and 3745 Routers

Cisco 7200 and 7500 Series Routers


Additional Information:

To locate and download Cisco MIBs for selected hardware products, Cisco IOS Software releases, and feature sets, please visit the Cisco IOS MIB Locator: http://www.cisco.com/go/mibs/

Product Management Contact: Tim McSweeney, timcswee@cisco.com

6.6.4) Turbo-Classification for QoS

Turbo-Classification for QoS improves performance on the Cisco 7200 Series Router for configurations that utilize TurboACLs and QoS features. The technique is limited to the Cisco 7200 Series Router as a reference product at this time. There are no changes to the configuration of access lists.

One new configuration command has been added:

[ no ] service turboacl

This command will enable or disable TurboACL (initially, TurboACL will default to disabled).

Benefits

TurboACLs improve performance by matching a packet against an access list faster than a sequential search.

Hardware

Routers

Cisco 7200 Series Router


Product Management Contact: Tim McSweeney, timcswee@cisco.com

6.6.5) Real-Time Transport Protocol Header Compression over Asymmetric/Satellite Links

RTP Header Compression over Asymmetric/Satellite Links relies on the existence of a feedback mechanism to recover from packet channel loss. If the round trip time of the link is large, or if there is no feedback path, then the chance of loss propagation is greatly increased when a packet is dropped on the link. If there is no feedback path, a compressed stream may never recover. RTP Header Compression over Asymmetric/Satellite Links provides a configurable option to allow periodic refreshes of the compressed stream using FULL_HEADER packets. This option is detrimental to the compression efficiency of cRTP but will increase robustness in certain conditions such as over satellite, or other asymmetric links.

Figure 89

RTP Header over Asymmetric/Satellite Links

Compressed RTP (cRTP) packet loss recovery time may be large if link latency is high.

Configurable option to periodically transmit full cRTP header.

Benefits

RTP Header Compression over Asymmetric/Satellite Links provides improved system performance by reducing network overhead and speeding up transmission of RTP packets, when the links are slow or are subject to loss.

Hardware

Routers

Cisco 1751, 1760, 2691, 3631, 3640, 3640A, 3660, 3725, 3745 Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 7200 and 7500 Series Routers

Cisco 8850RPM-PR

Switches

Cisco Catalyst 4000-AGM Series Switch

Access Servers

Cisco AS5400, AS5850-ERSC, and AS5850-RSC Series Access Servers


Product Management Contact: Ken Kauffmann, kauffman@cisco.com

6.7) Connectivity/VPN

6.7.1) Digital Private Network Signaling System Backhaul

This feature introduces support for Digital Private Network Signaling System (DPNSS) Layer 2 functionality on the Cisco Gateway (GW) Router. It supports Layer 3 backhauling to a Cisco PGW2200 using DPNSS and Digital Access Signaling System (DASS) User Adaptation (DUA) over Stream Control Transmission Protocol (SCTP).

DPNSS was developed by British Telecom and is used in the United Kingdom, Northern Europe, and parts of Asia. It is a standard and open protocol used between PBXs in a private network that enables complex features to work on a network basis. This feature applies the DPNSS backhaul solution on Cisco gateways to provide connectivity and services to the PBXs that are running the DPNSS protocol.

Benefits

This functionality enables Cisco routers to interoperate with PBXs that run the DPNSS signaling protocol. This will allow for successful migration of Cisco VoIP solutions into a DPNSS-based PBX environment.

Hardware

Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3725 and 3745 Routers


Product Management Contact: sbhardwa@cisco.com

6.7.2) V.120 Support for Network Access Servers

The V.120 Support for Network Access Server (NAS) feature supports the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) V.120 bit rate adaptation standard, which allows connectivity to slower bandwidth devices through rate adaption. This feature was developed for the Media Gateway Control Protocol (MGCP) network access server (NAS) package, and allows ISDN terminal adapters to transfer data. The MGCP NAS package implements signals and events to create, modify, and close data calls. The events include signaling the arrival of an outbound call, such as IP to Public Switched Telephone Network (PSTN) to the media gateway controller (call agent), reporting carrier loss and call authorization status, and receiving callback requests.

Benefits

This feature enables Cisco routers to function in a gateway role between networks with different data rates that use the V.120 standard.

Hardware

Access Servers

Cisco AS5300, AS5350, AS5400, AS5850-ERSC, and AS5850-RSC Series Access Servers


Product Management Contact: sbhardwa@cisco.com

6.7.3) Layer 2 Tunnel Protocol Tunnel Connection Speed Labeling

In previous releases of Cisco IOS Software, when a Layer 2 Tunnel Protocol (L2TP) Network Server (LNS) received an Incoming-Call-Connected (ICCN) message, there was no authentication check on the user's connection speed. L2TP Tunnel Connection Speed Labeling introduces the ability to accept or deny an L2TP session based on the allowed connection speed that is configured on the Cisco Access Registrar (ARS) RADIUS server for that user. This allows RADIUS server authorization of users based on their Service Level Agreement (SLA).

Benefits

This feature enables an LNS to authorize users for network access based upon the connection speed of the session. This is useful in certain European markets due to regulatory requirements.

Hardware

Routers

Cisco 7200 and 7400 Series Routers

Cisco 7301, 7304-NPE-G100, and 7304-NSE-100 Routers


Product Management Contact: sbhardwa@cisco.com

6.7.4) Peer Pool Backup Command

The "peer pool backup" facility provides the ability to specify a "preferred" IP address pool from AAA (on a per-user basis) and still provide alternate pools when the AAA-specified pool is exhausted or not yet created. This functionality is driven by the emergence of numerous independently controlled AAA servers in large-scale dial or DSL environments where user groups are assigned address ranges, but there is a common "overflow" pool set so that the number of users in a group can far exceed the address range assigned. This facility also provides the ability to suppress the loading of dynamic IP address pools on a per-interface basis and the ability to limit the AAA pool name to a set acceptable to the NAS, both key features when the NAS and AAA are controlled by separate parties.

Benefits

Allows Cisco routers increased flexibility and scalability in assigning IP addresses for Dial/DSL environments which have a large service subscriber base.

Hardware

Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3620, 3640, and 3660 Routers

Cisco 7200 and 7400 Series Routers

Access Servers

Cisco AS5300, AS5350, AS5400, AS5850-ERSC, and AS5850-RSC Series Access Servers


Product Management Contact: sbhardwa@cisco.com

6.7.5) Point to Point Protocol over Ethernet Relay

Point-to-Point Protocol over Ethernet (PPPoE) Relay enables an L2TP access controller (LAC) to relay the active discovery and service selection functionality of PPP over Ethernet (PPPoE), over an L2TP control channel, to an L2TP network server (LNS) or tunnel switch. The relay functionality of this feature enables the LNS or tunnel switch to advertise the services it offers to the client, thereby providing end-to-end control of services between the LNS and a PPPoE client.

Benefits

PPPoE Relay allows end-to-end control of services between LNS and PPPoE client. This allows a broadband Service Provider added flexibility in the services offered to the user base or further granularity to customize the network based upon the subscriber.

Hardware

Routers

Cisco 7200 and 7400 Series Routers


Product Management Contact: sbhardwa@cisco.com

6.7.6) PPPoE Session Limit per NAS Port Download

PPPoE Session Limit Per NAS Port limits the number of PPPoE sessions on a specific virtual circuit (VC) or VLAN configured on an L2TP access concentrator (LAC). The NAS port is either an ATM VC or a configured VLAN ID.

The PPPoE per-NAS-port session limit is maintained in a RADIUS server customer profile database. This customer profile database is connected to a LAC and is separate from the RADIUS server that the LAC and L2TP Network Server (LNS) use for the authentication and authorization of incoming users. See Figure 72 for a sample network topology.

Figure 90

PPPoE Session Limit Per NAS Port Sample Topology

Benefits

Allows centralized control of the number of users on a given port for a service provider. This is useful when dealing with multiple LAC devices.

Hardware

Routers

Cisco 7200, 7400, and 10000-PRE1 Series Routers


Product Management Contact: sbhardwa@cisco.com

6.8) Embedded Network Management

6.8.1) Cisco IOS Service Assurance Agent for VoIP UDP Operation

Understanding network performance is essential to deploying and running a Voice over IP (VoIP) network. Cisco IOS Service Assurance Agent (SAA) VoIP UDP Operation proactively measures network performance. It can assess the network when deploying a new VoIP network: evaluate how QoS is functioning and whether it is configured correctly, and determine whether the network can support VoIP.

Following VoIP deployment, users need to understand the network performance in order to troubleshoot network issues. Cisco IOS SAA provides this essential information. It will reduce operational costs by identifying issues and will enable a continuous and reliable test of the network infrastructure. Cisco IOS SAA will reduce the time needed to track and isolate network performance problems saving expenses.

Cisco IOS SAA actively sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates VoIP codecs and collects network performance information in real time: response time, one-way latency, one-way jitter, one-way packet loss, voice quality scoring (MOS scores), and additional network statistics. It also provides the mechanism to monitor performance for different classes of traffic and can send threshold violations to NMS workstations.

Figure 91

Cisco IOS SAA VoIP UDP Operation

Benefits

Embedded in Cisco IOS Software—no additional cost!

Real-time, accurate VoIP network performance monitoring.

VoIP codec simulation and VoIP quality measurement (MOS and ICPIF).

VoIP Network Assessment.

Per-class QoS traffic monitoring.

Flexible scheduling of operations.

Proactive notifications with Simple Network Management Protocol (SNMP) Trap.

Hop-by-hop and end-to-end performance measurement.

Controlled through SNMP or CLI.

Extensive partnerships with industry leaders.

Hardware

Routers

All routers that support Cisco IOS Software new technology (T) releases


Additional Information: http://www.cisco.com/go/saa

Product Management Contact: Tom Zingale, tomz@cisco.com

6.8.2) Cisco IOS Embedded Event Manager 1.0

Cisco IOS Embedded Event Manager (EEM) 1.0 enables a distributed, scalable and customizable approach to Event/Fault Management directly in devices that support Cisco IOS Software. The on-device, proactive event management capabilities are especially useful because not all event management can occur off-router, as certain problems may compromise communication between the router and the external network management device.

Capturing the state of the router during such situations can be invaluable in taking immediate recovery actions and gathering information to perform root-cause-analysis. EEM 1.0 is a flexible, policy driven framework that supports in-box monitoring of different components of the system with the help of software agents known as event detectors. Event detectors notify the EEM when an event of interest occurs. The EEM policies that are configured using Cisco IOS Software CLI implement recovery based on the current state of the system and on the actions specified in the policy for the given event. An extendible EEM framework will allow new Event Detectors to be added in future Cisco IOS Software releases.

Figure 92

Cisco IOS Embedded Event Manager 1.0

Benefits

Enables a distributed, flexible and proactive approach to fault/event management directly in a Cisco IOS Software device.

Supports on-device, predictive self-health monitoring capabilities for key system parameters (CPU utilization, Processor and IO Memory utilization etc.) in Cisco IOS Software with ability to take immediate recovery actions.

Provides a flexible and customizable High Availability and Serviceability tool.

Hardware

Routers

Cisco 1700, 2600, 3600, and 7200 Series


Product Management Contact: Rohit Shrivastava, roshriva@cisco.com

6.8.3) Contextual Configuration Diff Utility

Contextual Configuration Diff Utility provides the ability to perform a line-by-line comparison of any two configuration files (accessible through the Cisco IOS File System) and generate a list of the differences between them. The generated output includes information regarding the following items:

Configuration lines that have been added, modified, or deleted.

Configuration modes within which a changed configuration line exists.

Location changes of configuration lines that are order-sensitive. For example, the "ip access-list" and "community-lists" commands are order-sensitive commands dependent on where they are listed within a configuration file in relation to other Cisco IOS Software commands of similar type.
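The three kinds of output described above (added/deleted lines, the mode each change sits in, and position changes of order-sensitive commands) can be reproduced with a small mode-aware diff. This is an added example written for this page, not the Cisco utility's own code; the two configurations and the list of order-sensitive commands are constructed for illustration.

```python
"""Mode-aware diff of two Cisco IOS configurations that reports added, deleted
and moved lines together with the configuration mode they live in."""
import difflib
from collections import Counter
from typing import Dict, List, Tuple

# Commands whose entries are order-sensitive (assumed, illustrative list): a line
# that merely moved inside one of these still counts as a change.
ORDER_SENSITIVE = ("ip access-list", "access-list", "ip community-list")

Entry = Tuple[str, str]  # (mode, command line)


def parse_modes(config: str) -> List[Entry]:
    """Attach each non-comment line to its enclosing mode ('global' for top level),
    following the one-space-per-level indentation IOS uses in show running-config."""
    entries: List[Entry] = []
    stack: List[str] = []  # stack[i] is the command that opened indentation level i
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        del stack[depth:]                 # leave any modes deeper than this line
        mode = stack[-1] if stack else "global"
        entries.append((mode, line))
        stack.append(line)                # this line may open a sub-mode
    return entries


def is_order_sensitive(mode: str, line: str) -> bool:
    return mode.startswith(ORDER_SENSITIVE) or line.startswith(ORDER_SENSITIVE)


def diff_configs(old: str, new: str) -> List[Dict[str, str]]:
    """Return changes as {'op': '-' | '+' | 'moved', 'mode': ..., 'line': ...}."""
    a, b = parse_modes(old), parse_modes(new)
    removed: Counter = Counter()
    added: Counter = Counter()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            removed.update(a[i1:i2])
            added.update(b[j1:j2])
    changes: List[Dict[str, str]] = []
    # A line present on both sides only changed position. For order-sensitive
    # commands that is a real change; elsewhere it is noise and is dropped.
    for entry in list(removed):
        common = min(removed[entry], added[entry])
        removed[entry] -= common
        added[entry] -= common
        if common and is_order_sensitive(*entry):
            changes += [{"op": "moved", "mode": entry[0], "line": entry[1]}
                        for _ in range(common)]
    for op, counter in (("-", removed), ("+", added)):
        for (mode, line), n in counter.items():
            changes += [{"op": op, "mode": mode, "line": line} for _ in range(n)]
    return changes


# Constructed sample: interface commands reordered (harmless), ACL entries
# reordered (order-sensitive), and the vty transport changed.
OLD_CONFIG = """\
hostname edge1
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq 22
 deny ip any any log
!
line vty 0 4
 transport input ssh
"""

NEW_CONFIG = """\
hostname edge1
!
interface FastEthernet0/0
 ip access-group INBOUND in
 ip address 192.0.2.1 255.255.255.0
!
ip access-list extended INBOUND
 deny ip any any log
 permit tcp any host 192.0.2.10 eq 22
!
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for c in diff_configs(OLD_CONFIG, NEW_CONFIG):
        print(f"{c['op']:>5}  [{c['mode']}]  {c['line']}")
```

Running it flags the ACL reordering as moved lines and the vty change as a delete/add pair, while the reordered interface commands produce no output.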

Benefits

Simplifies Troubleshooting: easily identify changes between startup and running configuration or any other saved configurations.

Improve MTTR: quickly identify changes to the configuration in order to address configuration errors.

Simple Output Format: output format follows conventions of standard UNIX "diff" utilities, clearly indicating lines that have been added, deleted, or modified when comparing two configuration files.

Hardware

Routers

Cisco 801, 802, 803, 804, 805, 806, 811, 813, 820, 827, and 828 Routers

Cisco 1400, 1600, 1600R, 4500, 7100, 7200, and 7500 Series

Cisco 1710, 2420, and 2691 Routers

Cisco 2610, 2611, 2612, 2613, 2610XM, 2611XM, 2620XM, 2621XM, 2650, 2651, 2650XM, 2651XM Routers

Cisco 2501-2525, 3620, 3631, 3640, 3660, 3725, and 3745 Routers

Cisco MC3810 Series

SOHO Routers

Cisco SOHO70, SOHO76, SOHO77, SOHO77H, and SOHO78 Routers

Broadband Aggregators

Cisco 6400-NRP-1, 6400-NRP-2, and 6400-NRP-2SV Broadband Aggregators

Universal Broadband Routers

Cisco UBR7100 and UBR7200 Series Universal Broadband Routers

Cable Access Routers

Cisco UBR905 and UBR925 Cable Access Routers

Switches

Cisco IGX8400-URM Series Switch

Access Servers

Cisco AS5300, AS5350, AS5400, AS5800, and AS5850 Series Universal Gateways

Devices

Cisco 8850RPM-PR, CVA120, ICS7750, VG200, and ONS15104


Product Management Contact: Mark Basinski, mbasinsk@cisco.com

6.8.4) Service Selection Gateway Unconfig

Service Selection Gateway (SSG) Unconfig enhances the user's ability to disable SSG at any time. It releases the data structure and system resources created by SSG when SSG is unconfigured.

SSG Unconfig enhances several Cisco IOS Software commands so that you can delete all host objects or a range of host objects. You can also delete all service objects or connection objects. The show ssg host command has been enhanced to display information about an interface and its IP address when Host-Key mode is enabled on that interface.

Benefits

The SSG Unconfig feature enables users to release and clean up system resources when SSG is not in use.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Considerations

SSG Unconfig clears all SSG resources on the system, so it should only be used when all users are logged out and there is no need to run SSG features on the router.

Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.5) SSG to Accommodate New L2TP Error Codes

SSG will accommodate and map the error code from L2TP and pass it on to SESM and the RADIUS authentication server. More specifically, when the SSG tunnel (L2TP) service fails or the session setup is unsuccessful, the SSG answers the service logon request with a RADIUS Access-Reject towards SESM or the RADIUS authentication server, with a reason describing the error code. The interface to report an error code already exists; this enhancement extends it to report the more granular error codes that customers need. L2TP error codes are generated in compliance with RFC 3145.

Benefits

Service Providers will have specific reasons for failed L2TP tunnel setup for analysis and error correction.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Considerations

This feature only addresses the error codes that are compliant with RFC 3145.

Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.6) SSG Support of NAS Port ID

SSG Support of NAS Port ID carries the NAS-Port attribute in the authentication packet. This allows the authentication server to apply consistent policies when authenticating PPPoX and RFC 1483 users. Currently, the NAS-Port attribute is sent only for PPPoX users.

Benefits

This feature enables the customizing of subscriber services based on the NAS Port ID.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.7) Extensible Authentication Protocol Transparency and Extensible Authentication Protocol-SIM Enhancements

Cisco Extensible Authentication Protocol (EAP) transparency enables the SSG on a Cisco router to receive and forward EAP packets and create the host objects. Supported EAP flavors include EAP-SIM, EAP-TLS, and PEAP. Additionally, Cisco EAP enhancements add the following to the EAP transparency implementation:

Prevent the Use of Previously Valid IP Addresses After an Access Zone Router (AZR) Reboot

SSG now cleans up the list of active hosts after receiving an Accounting On/Off command from the AZR after a reboot. It cleans up those users connected through Subscriber Edge Services Manager (SESM) and EAP-SIM. This feature closes a security hole that could have allowed an illegal user to hijack the session of a valid user through the IP address.

Allow EAP Users to Reconnect Through SESM

SSG auto-logon services are automatically enabled for users successfully authenticated through EAP. This enables users to access those services without having to log in through the SESM GUI, after EAP authentication is complete. When EAP users access SESM services and perform an Account Logoff, they can later access the SESM and perform another Account Logon. Without this feature, users would receive the SESM Account Logon page, without knowing their user name and password, so they could not access SESM services again.

Benefits

Service Providers can now use EAP for subscriber authentication and avoid interactive user login through user interface.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Considerations

To use the EAP-SIM enhancements, the Dynamic Host Configuration Protocol (DHCP) server needs to allocate IP addresses with a short lease time.

Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.8) SSG Complete ID

SSG Complete ID provides enhancements to the current interaction mechanism between SSG and SESM, allowing SSG to pass along the following additional information:

Client IP Address

Client MAC Address

Sub-interface

VPI/VCI

Mobile subscriber ISDN number (MSISDN)

Benefits

This allows SESM to offer greater customization of Web portals, specifically by locations. Each hotspot can now have its own branded portal.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.9) SSG L2TP Dialout

SSG L2TP Dialout enhances SSG tunnel services and provides a dialout facility to users. Many Small Office Home Offices (SOHOs) use the Public Switched Telephone Network (PSTN) to access their intranet. SSG L2TP provides mobile users secure connection to their SOHO through the PSTN. SSG L2TP Dialout also provides a convenient way for GPRS users to connect to their SOHO.

Figure 93

SSG L2TP Dialout Network

Benefits

SSG L2TP Dialout provides mobile users and General Packet Radio Service (GPRS) users the benefit of connecting to their SOHO using Public Switched Telephone Network (PSTN). L2TP Dialout service, in conjunction with SSG auto-logon, will facilitate an automatic service logon to L2TP dialout service, thus avoiding additional prompts for service logon.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Considerations

SSG L2TP Dialout does not support the following:

L2TP dialout as a primary service for PPP users.

Challenge Handshake Authentication Protocol (CHAP) authentication for dialout tunnel services.

A single user connecting to two overlapping services.

Dialout tunnels support for protocols other than L2TP protocols.

Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.10) SSG Auto Logoff Enhancement

SSG Auto-logoff Enhancement configures SSG to check the MAC address of a host each time that SSG performs an Address Resolution Protocol (ARP) ping. If SSG finds that the MAC address of the host has changed, then SSG automatically initiates the logoff of that host.

Benefits

SSG Auto-logoff Enhancement enables Service Providers that use SSG to prevent a malicious host from spoofing the IP address of a logged-on host and accessing the logged-on host's services. Using SSG MAC address checking, Service Providers can prevent SSG host session reuse when a DHCP server assigns the same IP address to a second host. The first host released its IP address (through either a lease time expiration or an explicit DHCP release), but did not log off from SSG.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Considerations

The following restrictions apply to the SSG Auto-logoff Enhancement feature:

ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface (for example, an Ethernet interface) or a bridged interface (for example, a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface). Internet Control Message Protocol (ICMP) ping can be used in all types of deployment scenarios.

ARP ping will work only on hosts that have a MAC address. It will not work for Point to Point Protocol (PPP) users because they do not have a MAC table entry.

ARP ping does not support overlapping IP addresses.

SSG auto-logoff that uses the ARP ping mechanism will not work for hosts that have static ARP entries.

Session reuse is not prevented if a malicious host performs a MAC address spoof.

Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.11) SSG Open Garden Configuration Enhancements

Currently, SSG open garden services can be configured and managed on the router itself, even though they are similar to normal SSG (subscribed) services. These proposed modifications will allow open garden services to be defined and managed on the RADIUS server.

Benefits

This feature makes it easier to configure and maintain open garden services on multiple SSG routers.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.12) SSG Direction Command for Interfaces and Ranges

SSG Direction Command for Interfaces and Ranges introduces the ssg direction command, which replaces the ssg bind direction command. This new command streamlines and simplifies SSG configuration by allowing users to configure interface direction, either uplink or downlink, for a range of sub-interfaces at once.

Benefits

The new ssg direction command makes SSG configuration simpler and faster. For example, users can provision a large number of Asynchronous Transfer Mode (ATM) Routed Bridge Encapsulation (RBE) subscribers at once, instead of entering one command for each subscriber, which could mean entering thousands of commands. This feature enables streamlined provisioning and configuration, with decreased CPU load.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Considerations

This command cannot be used on an individual subinterface that is part of a permanent virtual circuit (PVC) range, because all members of a range must have the same direction. It can only be used on the entire range.

An interface that does not exist will not be created as a result of the ssg direction command.

Before the direction is changed from uplink to downlink, or vice versa, the no ssg direction command must be used to clear the direction; otherwise, users will see an error message, such as:

Changing direction from Downlink to Uplink is denied for interface.

Please use `no ssg direction downlink' to clear the previous bind direction.

Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.13) SSG Prepaid Idle Timeout

SSG Prepaid Idle Timeout enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing center can be applied to the quota for the services the user is actively using.

Benefits

Concurrent Service Access

SSG Prepaid Idle Timeout is capable of supporting concurrent service access. SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to a service while simultaneously connected to other services. Sequential access requires that the user log off from all other services before accessing a service.

Real-Time Billing

This feature allows for real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.

Redirection Upon Exhaustion of Quota

When a user runs out of quota, SSG can redirect the user to a portal, where the user can replenish the quota without being disconnected from the service.

Returning Residual Quota

SSG Prepaid Idle Timeout enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing server can be applied to the quota for the services that the user is actively using.

Threshold Values

This prevents revenue leaks by enabling users to configure a threshold value. Configuring a threshold value reauthorizes user connections before the user completely consumes the allotted quota for a service.

Traffic Status During Reauthorization

Revenue leaks can be prevented by configuring SSG to drop connected traffic during reauthorization of a service. The user remains connected to the service and does not need to log back onto the service, but no traffic is forwarded during the reauthorization process. This prevents a user from continuing to use a service for which they have run out of quota while the SSG sends a reauthorization request to the billing server. If SSG is configured to drop traffic during reauthorization and a threshold value is configured, then user traffic continues until the user exhausts the allotted quota. When the allotted quota is used, the traffic is dropped until SSG receives a reauthorization response.
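The interaction between threshold reauthorization, dropping traffic during reauthorization, and returning residual quota on idle is easiest to see as a small state machine. The model below is an added example written for this page, not SSG code; the byte counts, the idle timeout and the event strings are constructed values.

```python
"""Model of SSG Prepaid quota handling: threshold reauthorization, dropping traffic
during reauthorization, and return of residual volume quota when a connection idles."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PrepaidConnection:
    """One volume-based prepaid service connection (quota counted in bytes,
    combined upstream and downstream, as the Considerations state)."""
    quota: int                      # remaining bytes granted by the billing server
    threshold: int = 0              # reauthorize once quota falls to this level; 0 = off
    drop_during_reauth: bool = False
    idle_timeout: int = 300         # seconds of inactivity before residual quota is returned
    reauth_pending: bool = False
    idle_seconds: int = 0
    forwarded: int = 0
    dropped: int = 0
    events: List[str] = field(default_factory=list)

    def _request_reauth(self, reason: str) -> None:
        self.reauth_pending = True
        self.events.append(f"reauth requested: {reason}")

    def forward(self, nbytes: int) -> bool:
        """Account one burst of user traffic. Returns True if it was forwarded."""
        self.idle_seconds = 0
        if self.quota <= 0 and not self.reauth_pending:
            self._request_reauth("quota exhausted")
        # With drop-during-reauth, traffic is dropped only once the quota is gone;
        # a threshold lets the user keep consuming the remaining quota meanwhile.
        if self.reauth_pending and self.drop_during_reauth and self.quota <= 0:
            self.dropped += nbytes
            return False
        # Otherwise the burst is forwarded; without drop-during-reauth the quota
        # can go negative, which is the revenue leak the feature is meant to stop.
        self.quota -= nbytes
        self.forwarded += nbytes
        if self.threshold and not self.reauth_pending and self.quota <= self.threshold:
            self._request_reauth("threshold reached")
        return True

    def reauth_response(self, granted: int) -> Optional[str]:
        """Apply the billing server's answer. Returns 'redirect' when nothing was
        granted and the user is still out of quota (SSG would send the user to the
        replenishment portal without disconnecting the service)."""
        self.reauth_pending = False
        self.quota += granted
        self.events.append(f"reauth response: +{granted}")
        if self.quota <= 0:
            self.events.append("redirect to portal")
            return "redirect"
        return None

    def idle_tick(self, seconds: int) -> int:
        """Advance the idle clock; on idle timeout return the residual quota to the
        billing server so it can be applied to services the user is actively using."""
        self.idle_seconds += seconds
        if self.idle_seconds < self.idle_timeout or self.quota <= 0:
            return 0
        residual, self.quota = self.quota, 0
        self.idle_seconds = 0
        self.events.append(f"residual quota returned: {residual}")
        return residual


def threshold_scenario() -> PrepaidConnection:
    """Drop-during-reauth plus a threshold: no leak, and no interruption
    until the quota is actually used up."""
    c = PrepaidConnection(quota=1000, threshold=200, drop_during_reauth=True)
    c.forward(700)            # quota 300, above threshold
    c.forward(200)            # quota 100 <= 200: reauth requested, burst still forwarded
    c.forward(150)            # quota still positive: forwarded, now -50
    c.forward(100)            # quota exhausted, reauth pending: dropped
    c.reauth_response(500)    # quota 450
    c.forward(100)            # forwarded, quota 350
    c.idle_tick(300)          # idle timeout: 350 bytes returned to the billing server
    return c


def leak_scenario() -> PrepaidConnection:
    """No threshold and no dropping: traffic keeps flowing while reauthorization
    is outstanding, so the user consumes 50 bytes that were never granted."""
    c = PrepaidConnection(quota=100)
    c.forward(100)            # quota 0, exactly used up
    c.forward(50)             # reauth requested, but still forwarded: quota -50
    return c
```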

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Considerations

Quotas are measured in seconds for time or bytes for volume. There is no way to change the unit of measure.

The volume quota is for combined upstream and downstream traffic.

Simultaneous time and volume quotas for the same service connection are not supported.

Returning quota when the connection is idle is supported only for volume-based connections and is not supported for time-based connections.

After a user runs out of quota and replenishes the quota at the billing server, SSG receives the updated quota and resumes the connection only after the next reauthorization.

Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.14) SSG Suppression of Unused Accounting Records

SSG Suppression of Unused Accounting Records allows users to disable unneeded Service Selection Gateway (SSG) accounting records. SSG can be configured to send per-host accounting records only, per-service accounting records only, or per-host and per-service accounting records.

Benefits

With this functionality, accounting can be turned off selectively. This will improve the performance of the accounting interface and reduce the processing of the accounting server.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Considerations

If no ssg accounting is configured on the router, then accounting records will not be sent, even if accounting is enabled in a service profile.

Product Management Contact: Murali Kolli, mkolli@cisco.com

6.8.15) SSG Unique Session ID

SSG Unique Session ID supports a unique accounting session ID in RADIUS accounting records. It is compatible with existing back-end billing systems and meets the requirements for the support of wide-area networks based on IEEE 802.11b technology.

Benefits

SSG Unique Session ID is compatible with existing back-end billing systems and meets the requirements for the support of wide-area networks based on IEEE 802.11b technology.

Hardware

Routers

Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

Cisco 7200 Series Router


Product Management Contact: Murali Kolli, mkolli@cisco.com

7) Release 12.3(2)T Highlights

Below are some of the key features available in Release 12.3(4)T. The Appendix includes a complete list of new features introduced in Release 12.3(4)T.

7.1.1) Online Certificate Status Protocol

7.2.1) Cisco Express Forwarding Switching for IPv6 Tunnels (Configured, Automatic, 6to4, ISATAP)

7.3.1) Embedded Syslog Manager Version 1.0

7.3.2) Cisco IOS Scripting with Tool Command Language

7.4.1) Telnet/Packet Assembler/Disassembler Translation Authorization

7.4.2) X.25 Data Display Trace

7.4.3) PPPoE over VLAN Scaling and ATM Support for PPPoE over VLANs

7.4.4) End of Record Functionality for Data Communication Networks

7.4.5) Packet Assembler/Disassembler Subaddress Formatting Option

7.4.6) Layer 2 Tunneling Protocol Version 3

7.4.7) PPPoE Session Recovery after Reload

7.4.8) L2TP Client-Initiated Tunneling

7.4.9) B-Channel Availability Control

7.4.10) ISDN Backup in Multiprotocol Label Switching Core

7.4.11) V.110 Support for MGCP-Dial

7.4.12) X.25 Call Confirm Packet Address Control


7.1) Security

7.1.1) Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) allows users to enable OCSP instead of certificate revocation lists (CRLs) to check certificate status. Unlike CRLs, which provide only periodic certificate status, OCSP can provide timely information regarding the status of a certificate.

Figure 94

OCSP

Benefits

OCSP provides revocation status information more frequently than CRLs, which provide only periodic updates.

OCSP allows a network administrator to configure a central OCSP server to collect and update CRLs from different certification authority (CA) servers; thus, the devices within the network can rely on the OCSP server to check the certificate status without retrieving and caching each CRL for every device.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7100, 7200, 7400, and 7500 Series Routers

Universal Broadband Routers

Cisco uBR7200 Series Universal Broadband Routers

Cable Access Routers

Cisco uBR905 and uBR925 Cable Access Routers


Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755b.html

Product Management Contact: IOS-Security-PM@cisco.com

7.2) IP Addressing & Services

7.2.1) Cisco Express Forwarding Switching for IPv6 Tunnels (Configured, Automatic, 6to4, ISATAP)

Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure. By using overlay tunnels, IPv6 hosts and routers can communicate with each other without a need to upgrade the IPv4 infrastructure between them.

Cisco IOS Software introduced support for IPv6 overlay tunnels in Release 12.2(2)T (Configured, automatic and 6to4) and 12.2(15)T (ISATAP).

Cisco Express Forwarding for IPv6 (CEFv6) is advanced, Layer 3 IP switching technology for the fast switching forwarding of IPv6 packets as introduced in Cisco IOS Software Release 12.2(13)T.

In Cisco IOS Software Release 12.3(4)T, IPv6 tunnels—Configured, automatic, 6to4 and ISATAP—are now CEFv6 switched.

Benefits

Improved performance of IPv6 tunneled traffic, allowing the integration of IPv6 applications to scale.

Hardware

Routers

Cisco 830—7500 Series Routers


Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/

Product Management Contact: ipv6-pm@cisco.com

7.3) Embedded Network Management

7.3.1) Embedded Syslog Manager Version 1.0

Embedded Syslog Manager (ESM) 1.0 is a customizable framework integrated in Cisco IOS software for correlating, augmenting, filtering, and routing syslog messages generated by the IOS logger. ESM allows complete control over system message logging at the source. ESM provides a programmatic interface that allows you to write custom filters that meet your specific system logging needs.

ESM allows the user to configure post-processing of syslog messages with selected ESM filters, via a new message queue running in parallel with the standard IOS syslog message stream. Either filtered or unfiltered syslog streams may be configured for individual syslog destinations. ESM leverages Cisco IOS Scripting (Tcl 8.3.4).

Figure 95

Embedded Syslog Manager Version 1.0

Benefits

Customization: fully customizable processing of system logging messages, with support for multiple, interfacing syslog collectors.

Severity Escalation for Key Messages: ability to configure unique severity levels for syslog messages instead of using the system-defined severity levels.

Specific Message Targeting: ability to route specific messages or message types, based on type of facility or type of severity, to different syslog collectors.

SMTP-Based Email Alerts: capability for notifications using TCP to external servers, such as TCP-based syslog collectors or Simple Mail Transfer Protocol (SMTP) servers.

Message Limiting: ability to limit and manage syslog "message storms" by correlating device-level events.
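The filter functions listed above (severity escalation, facility/severity routing, and storm limiting by correlating repeats) are shown below as one processing pipeline over constructed IOS-style syslog lines. This is an added Python example written for this page, not an ESM Tcl filter or Cisco code; the escalation rule, the destination names, the storm limit and the sample messages are all assumptions made for the illustration.

```python
"""Syslog post-processing in the spirit of ESM: parse, escalate, rate-limit, route."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# IOS message format: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")

# Severity escalation rules (assumed values): raise failed logins from warning (4)
# to critical (2) so they also reach the e-mail destination.
ESCALATE = {("SEC_LOGIN", "LOGIN_FAILED"): 2}
STORM_LIMIT = 3     # copies of the same facility-mnemonic allowed per window
STORM_WINDOW = 60   # seconds


def parse(line: str) -> Optional[Dict]:
    """Split one logger line into its fields; None if it is not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


def escalate(msg: Dict) -> Dict:
    """Override the system-defined severity for messages matching a rule."""
    new = ESCALATE.get((msg["facility"], msg["mnemonic"]))
    if new is not None and new < msg["severity"]:
        msg["severity"] = new
    return msg


def destinations(msg: Dict) -> List[str]:
    """Route by facility and severity (destination names are assumed)."""
    dests = ["buffer"]
    if msg["facility"].startswith("SEC"):
        dests.append("security-collector")
    if msg["severity"] <= 2:
        dests.append("smtp")
    return dests


class StormLimiter:
    """Admit at most STORM_LIMIT copies of a message type per STORM_WINDOW seconds
    and remember how many were suppressed so the next admitted copy can say so."""

    def __init__(self) -> None:
        self.recent: Dict[str, Deque[int]] = defaultdict(deque)
        self.suppressed: Dict[str, int] = defaultdict(int)

    def admit(self, key: str, t: int) -> Optional[int]:
        """None to suppress; otherwise the count suppressed since the last admission."""
        q = self.recent[key]
        while q and t - q[0] >= STORM_WINDOW:
            q.popleft()
        if len(q) >= STORM_LIMIT:
            self.suppressed[key] += 1
            return None
        q.append(t)
        n, self.suppressed[key] = self.suppressed[key], 0
        return n


def process(events: List[Tuple[int, str]]) -> List[Dict]:
    """Run (timestamp, line) pairs through the filters; return delivered copies."""
    limiter = StormLimiter()
    out: List[Dict] = []
    for t, line in events:
        msg = parse(line)
        if msg is None:
            continue
        suppressed = limiter.admit(f"{msg['facility']}-{msg['mnemonic']}", t)
        if suppressed is None:
            continue
        escalate(msg)
        text = msg["text"]
        if suppressed:
            text = f"({suppressed} similar messages suppressed) " + text
        for dest in destinations(msg):
            out.append({"dest": dest, "severity": msg["severity"],
                        "mnemonic": msg["mnemonic"], "text": text})
    return out


# Constructed sample: a config change, a flapping interface, a failed login, recovery.
SAMPLE_EVENTS = [(0, "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.5)")]
SAMPLE_EVENTS += [(1 + i, "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, "
                          "changed state to down") for i in range(6)]
SAMPLE_EVENTS += [
    (10, "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22]"),
    (100, "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up"),
]

if __name__ == "__main__":
    for entry in process(SAMPLE_EVENTS):
        print(f"{entry['dest']:<18} sev={entry['severity']} {entry['mnemonic']}: {entry['text']}")
```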

Hardware

Routers

Cisco 801, 802, 803, 804, 805, 806, 811, 813, 820, 827, and 828 Routers

Cisco 1400, 1600, 1600R, 7100, 7200, and 7500 Series Routers

Cisco 1710 Router

Cisco 2420, 2501-2525, 2610-2613, 2610XM, 2611XM, 2620-2621, 2620XM-2621XM, 2650, 2651, 2650XM, 2651XM, and 2691 Routers

Cisco 3620, 3631, 3640, 3660, 3725, and 3745 Routers

Cisco MC3810 Series

SOHO Routers

Cisco SOHO70, SOHO76, SOHO77, SOHO77H, and SOHO78 Routers

Broadband Aggregators

Cisco 6400-NRP-1, 6400-NRP-2, and 6400-NRP-2SV Broadband Aggregators

Switches

Cisco Catalyst 4500 Series Switch

Cisco IGX8400-URM Series

Universal Broadband Routers

Cisco UBR7100 and UBR7200 Series Universal Broadband Routers

Cable Access Routers

Cisco UBR905 and UBR925 Cable Access Routers

Access Servers

Cisco AS5300, AS5350, AS5400, AS5800, and AS5850 Series Access Servers

Devices

Cisco VG200, 8850RPM-PR, CVA120, ICS7750, and ONS15104


Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_esm.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_tcl.htm

Product Management Contact: Mark Basinski, mbasinsk@cisco.com

7.3.2) Cisco IOS Scripting with Tool Command Language

Cisco IOS Scripting with Tool Command Language (Tcl) provides the ability to run Tcl version 8.3.4 commands from the Cisco IOS Software CLI.

Tcl is a standard scripting language, and a partial implementation of Tcl has been in Cisco IOS Software in support of internal applications, such as Cisco IOS Software Interactive Voice Response (IVR).

Starting in Cisco IOS Software Release 12.3(2)T, Tcl has been updated to version 8.3.4, providing support for the Embedded Syslog Manager (ESM) feature, as well as exposing a Tcl Shell (tclsh) for use in the Cisco IOS Software CLI.

Benefits

Powerful Scripting Capability: powerful method of custom-processing the events or states within a router, and taking a variety of actions based on them.

Easy to Learn: industry standard language.

Complete Coverage of Cisco IOS Software Commands: all Cisco IOS Software CLI commands may be referenced by Tcl scripts, in both EXEC and CONFIG mode.

Customization of Cisco IOS Software Commands: Tcl scripts can be used to create customized commands, grouping multiple IOS commands, processing and customizing output, even creating auto-refreshing commands for real-time refresh at the CLI level.

Hardware

Routers

Cisco 801, 802, 803, 804, 805, 806, 811, 813, 820, 827, and 828 Routers

Cisco 1400, 1600, 1600R, 7100, 7200, and 7500 Series Routers

Cisco 1710 Router

Cisco 2420, 2501-2525, 2610-2613, 2610XM, 2611XM, 2620-2621, 2620XM-2621XM, 2650, 2651, 2650XM, 2651XM, and 2691 Routers

Cisco 3620, 3631, 3640, 3660, 3725, and 3745 Routers

Cisco MC3810 Series

SOHO Routers

Cisco SOHO70, SOHO76, SOHO77, SOHO77H, and SOHO78 Routers

Broadband Aggregators

Cisco 6400-NRP-1, 6400-NRP-2, and 6400-NRP-2SV Broadband Aggregators

Switches

Cisco Catalyst 4500 Series Switch

Cisco IGX8400-URM Series

Universal Broadband Routers

Cisco UBR7100 and UBR7200 Series Universal Broadband Routers

Cable Access Routers

Cisco UBR905 and UBR925 Cable Access Routers

Access Servers

Cisco AS5300, AS5350, AS5400, AS5800, and AS5850 Series Access Servers

Devices

Cisco VG200, 8850RPM-PR, CVA120, ICS7750, and ONS15104


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_tcl.htm

Product Management Contact: Mark Basinski, mbasinsk@cisco.com

7.4) Connectivity/VPN

7.4.1) Telnet/Packet Assembler/Disassembler Translation Authorization

Due to the security risks inherent in allowing unauthorized network usage, it is important to authorize sessions before allowing access to network resources. In previous releases of Cisco IOS Software, protocol translation sessions were established using one-step protocol translation without first issuing an authorization request. The Telnet/Packet Assembler/Disassembler (PAD) Translation Authorization feature adds an option to require that an authorization request be issued as a prerequisite to establishing a protocol translation session.

Benefits

The key benefit is enhanced security introduced by the Authorization step when using Telnet sessions or low-cost PAD devices for managing Network Elements in Telco environments with X.25.

Hardware

Routers

Cisco 2610, 2611, 2612, 2613, 2650, 2651, 2691 Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM Series

Cisco 3620, 3640, 3640A, and 3660 Routers


Considerations

This feature is supported only for X.25-to-TCP and TCP-to-X.25 protocol translation sessions.

It is supported for both permanent virtual circuit (PVC) and switched virtual circuit (SVC) X.25 connections.

Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.2) X.25 Data Display Trace

The ability to debug a network is of vital importance when trying to trace the source of problems that cause lack of connectivity or suboptimal performance. X.25 Data Display Trace enhances the Cisco IOS Software debugging capability for X.25. It enables an authorized user to display the entire X.25-encoded traffic stream, including user data, for those packets specified by an X.25 debug command.

Benefits

X.25 Data Display Trace provides enhanced debugging capabilities for maintaining a router network, or for using the router to troubleshoot a network with X.25 connectivity.

Hardware

Routers

All routers supporting X.25 encapsulation on serial interfaces


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.3) PPPoE over VLAN Scaling and ATM Support for PPPoE over VLANs

Scalability, both in terms of session counts and more broadly in terms of media types supported, is of critical importance to Service Providers deploying Broadband Networks. The PPPoE over VLAN Scaling and ATM Support for PPPoE over VLANs feature provides two enhancements to PPP over Ethernet (PPPoE) over IEEE 802.1Q VLAN functionality:

Session Scalability: removes the requirement for each PPPoE over VLAN session to be created on a subinterface. Removing this requirement increases the number of VLANs that can be configured on a router to 4000 VLANs per interface.

Media Support: adds ATM permanent virtual circuit (PVC) support for PPPoE over VLAN traffic that uses bridged RFC 1483 encapsulation.

Figure 96

Sample Network Topology for PPPoE over 802.1Q VLANs over ATM

Benefits

Lower cost per session due to the increase in session scalability.

Increased flexibility in choosing the underlying physical media that carries PPPoE over VLAN traffic, due to the ATM support.

Hardware

Routers

Cisco 1700, 6400, 7200, 7300, and 7400 Series Routers

Cisco 3725 and 3745 Routers


Considerations

PPPoE over 802.1Q VLAN support can be configured without using subinterfaces on the PPPoE server only.

ATM PVC support for PPPoE over 802.1Q VLANs can be configured only on the PPPoE server.

Scalability targets refer to software configurability only. Hardware memory and performance considerations may impose lower limits to the number of usable sessions on a given hardware product.

Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.4) End of Record Functionality for Data Communication Networks

The Cisco Protocol Translator is designed to support telnet-like applications that are stream-based, with no recognition or accommodation for logical records. This can cause problems for record-oriented applications, because the record boundaries in X.25 data are lost during translation to TCP.

End of Record Functionality for Data Communication Networks (DCN) provides for the configuration of an End of Record (EOR) marker, enabling the X.25 logical boundaries to be marked when translated to TCP. The feature enables the preservation of logical boundaries when translating X.25 data to TCP, enabling X.25-based networking solutions to adapt to and benefit from TCP/IP technologies.

Benefits

The benefit of this feature is that it will preserve data integrity in X.25 over TCP (XOT) protocol translation environments and minimize the need for packet resends; therefore, it will improve network performance/data throughput.

Hardware

Routers

Cisco 2610, 2611, 2612, 2613, 2610XM, 2611XM, 2691, 3620, 3631, 3640, 3660, 3725, and 3745 Routers

Cisco 2500, 7100, 7200, 7400, and 7500 Series Routers

Cisco MC3810 Series

Switches

Cisco IGX8400-URM Switch

Access Servers

Cisco AS5300, AS5350, and AS5400 Series Access Servers

Devices

Cisco 8850RPM-PR


Considerations

This feature is supported only for XOT protocol translation sessions.

Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.5) Packet Assembler/Disassembler Subaddress Formatting Option

Prior to Cisco IOS Software Release 12.3(2)T, Packet Assembler/Disassembler (PAD) subaddressing used a fixed two-digit subaddress field, so subaddress values below 10 (0 through 9) carried a leading zero. The PAD Subaddress Formatting Option feature adds the ability to suppress that leading zero for subaddresses with a value of nine or lower. The suppression is applied before the subaddress field is appended to the calling address.

Figure 97

X25 Addressing Scheme: PAD Calls from Branch Office to Host

Benefits

This feature increases compatibility with X.25 host systems that use single-digit subaddresses. This will be particularly relevant for European X.25 host systems, which have a large installed base of single-digit systems.

Hardware

Routers

Cisco 801, 802, 803, 804, and 805 Routers

Cisco 1400, 1701, 1710, and 2500 Series Access Routers

Cisco 2610, 2611, 2612, 2613, 2691, 3631, 3640, 3660, 3725, 3745 Routers

Cisco 7100, 7200, 7400, and 7500 Series Routers

Universal Broadband Routers

Cisco UBR7200 Series Universal Broadband Routers

Switches

Cisco Catalyst 4000-AGM, 6400-NRP-1, and 6400-NRP-2SV Series

Cisco ICS7750 and IGX8400-URM Series Switches

Devices

Cisco 8850RPM-PR


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.6) Layer 2 Tunneling Protocol Version 3

Layer 2 Tunneling Protocol version 3 (L2TPv3) is the Cisco solution for transporting Layer 2 packets over an IP network. L2TPv3 extends the usability of IP networks by enabling the transport of Layer 2 frames over an IP infrastructure. L2TPv3 is required for supporting legacy services over IP infrastructures and for supporting several new connectivity options, including Layer 2 virtual private networks (VPNs) and Layer 2 virtual leased lines.

L2TPv3 is an update to RFC 2661 (L2TPv2). L2TPv2 was originally defined as a method of tunneling PPP frames across a packet-switched data network. A need emerged to generalize the protocol so that it could carry every Layer 2 encapsulation that requires tunneling across packet networks, which led to the development of L2TPv3.

L2TPv3 makes two notable changes: it removes the PPP-specific portions of the L2TPv2 header, generalizing the header for other encapsulations, and it moves to a header format that is friendlier to high-speed decapsulation.

L2TPv3 uses a directed control channel between edge routers to set up and maintain connections. Forwarding is plain IP packet forwarding between the two edge devices. Each forwarded packet carries two headers: an outer IP header, which routes the tunneled packet across the IP backbone to the egress provider edge (PE) device, and the L2TPv3 header, which identifies the egress interface and binds the Layer 2 egress interface to the tunnel.
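The two-header data path described above, as an added example rather than Cisco IOS code. The outer IPv4 header uses IP protocol 115 (L2TP over IP); the L2TPv3 session header for L2TPv3 over IP is, per RFC 3931 section 4.1.1.1, a 32-bit Session ID followed by an optional 0-, 4- or 8-byte Cookie, which the page does not mention but which is the data-plane check that stops a spoofed packet from being injected into a customer's attachment circuit. The PE addresses, session IDs, cookies and interface names are constructed for the example.

```python
"""L2TPv3-over-IP data-plane encapsulation and demux (added example, not Cisco code).

Models the two headers: an outer IPv4 header (IP protocol 115) that carries the
packet to the egress PE, and the L2TPv3 session header (32-bit Session ID plus an
optional Cookie, RFC 3931 sec. 4.1.1.1) that binds the packet to an egress Layer 2
interface. Addresses, session IDs, cookies and interface names are constructed.
"""
import hmac
import ipaddress
import struct

L2TP_IP_PROTO = 115  # IANA protocol number for L2TP directly over IP

# Constructed session table on the egress PE: session ID -> (egress L2 interface, cookie).
# On a real PE the control channel populates this when a session comes up.
SESSIONS = {
    0x0001A2B3: ("FastEthernet0/1", bytes.fromhex("1122334455667788")),  # 8-byte cookie
    0x0000BEEF: ("Serial1/0", b""),                                      # negotiated without a cookie
}


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, header checksum left zero) plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def encapsulate(src_pe, dst_pe, session_id, cookie, l2_frame):
    """Ingress PE: prepend the L2TPv3 session header, then the outer IP header."""
    session_header = struct.pack("!I", session_id) + cookie
    return build_ipv4(src_pe, dst_pe, L2TP_IP_PROTO, session_header + l2_frame)


def decapsulate(packet, sessions=SESSIONS):
    """Egress PE: return (egress_interface, l2_frame), or raise ValueError to drop.

    The Session ID is resolved first; the cookie length is whatever that session
    negotiated, so the packet is compared against the expected cookie only once it
    has been tied to a known session. Unknown session or cookie mismatch = drop.
    """
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != L2TP_IP_PROTO:
        raise ValueError(f"not L2TPv3 over IP (IP protocol {packet[9]})")
    l2tp = packet[ihl:]
    if len(l2tp) < 4:
        raise ValueError("truncated L2TPv3 session header")
    session_id = struct.unpack("!I", l2tp[:4])[0]
    if session_id == 0:
        raise ValueError("Session ID 0 is reserved for control messages")
    if session_id not in sessions:
        raise ValueError(f"unknown session {session_id:#010x}")
    egress, cookie = sessions[session_id]
    received = l2tp[4:4 + len(cookie)]
    # Constant-time compare; also fails when the packet is too short to hold the cookie.
    if not hmac.compare_digest(received, cookie):
        raise ValueError(f"cookie mismatch for session {session_id:#010x}")
    return egress, l2tp[4 + len(cookie):]


if __name__ == "__main__":
    # Constructed Ethernet frame arriving on the customer attachment circuit.
    frame = bytes.fromhex("ffffffffffff001122334455" + "0800") + b"ip payload"
    pkt = encapsulate("192.0.2.1", "192.0.2.2", 0x0001A2B3,
                      bytes.fromhex("1122334455667788"), frame)
    print(decapsulate(pkt))
```

The ordering matters: looking up the session before checking the cookie means a packet that names an unknown session is dropped without any cookie comparison, and a packet for a known session is forwarded only if it carries that session's full cookie, so a sender that guesses a Session ID but not the 64-bit cookie cannot reach the attachment circuit.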

Figure 98

L2TPv3

Benefits

Reduced Cost: consolidate multiple core technologies (for example, IP and Asynchronous Transfer Mode (ATM)) into a single packet-based infrastructure.

Simplified Services: Layer 2 transport provides options for Service Provider and Enterprise customers who need to provide L2 connectivity and maintain customer/department autonomy. Several key factors assist in the simplification of service deployment:

Configuration only on edge routers.

Service Provider and Enterprise customers do not participate in passing/maintaining routing information for VPN traffic.

Leverages code and mind share from L2VPN access network deployment.

Protect Existing Investments: Service Provider and Enterprise customers can leverage existing IP infrastructures to support Layer 2 networks without deploying an old-world infrastructure.

Feature Support: Layer 2 transport can be tailored to customer requirements by using Cisco IOS Software features (for example, Quality of Service (QoS) and IPsec).

New Service (revenue) Opportunities for IP Networks: for example, L2 Transport and Virtual Leased Line (VLL) services.

Standards-Based Approach: standards-track open architecture defined by the IETF.

Hardware

Routers

Cisco 1700, 2600, 3700, 7200, and 7300 Series


Attachments: Frame Relay, Ethernet, HDLC, PPP

Product Management Contact: Neil Abogado, nabog@cisco.com

7.4.7) PPPoE Session Recovery after Reload

If the PPP keepalive mechanism is disabled on the customer premises equipment (CPE) device, a Point-to-Point Protocol over Ethernet (PPPoE) session hangs indefinitely after the aggregation device reloads. PPPoE Session Recovery After Reload lets the aggregation device attempt to recover PPPoE sessions that failed because of the reload by sending a PPPoE Active Discovery Terminate (PADT) packet to the CPE. The CPE device is expected to take failure-recovery action when it receives this packet.
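The recovery exchange above, as an added example that is not Cisco IOS code. The PADT format is from RFC 2516 (Ethertype 0x8863, VER/TYPE 0x11, CODE 0xa7, the SESSION_ID being terminated, no TAGs); that the reloaded aggregation device sends the PADT in response to a session-stage frame for a session it no longer knows, and the MAC addresses and session ID, are assumptions made for the example. Because a PADT carries no authentication, the CPE side accepts it only from its peer access concentrator, for its own session, addressed to itself.

```python
"""PPPoE PADT-based session recovery after an aggregation-device reload.

Added example, not Cisco IOS code. After a reload the access concentrator (AC)
has no session state; when a session-stage frame arrives for a session it does
not know, it answers with a PADT (RFC 2516) and the CPE restarts discovery.
The unknown-session trigger, MAC addresses and session ID are assumptions.
"""
import struct

ETH_PPPOE_DISCOVERY = 0x8863
ETH_PPPOE_SESSION = 0x8864
PPPOE_VER_TYPE = 0x11  # VER = 1, TYPE = 1
CODE_SESSION = 0x00
CODE_PADT = 0xA7


def build_pppoe_frame(dst_mac, src_mac, ethertype, code, session_id, payload=b""):
    """Ethernet header + 6-byte PPPoE header (VER/TYPE, CODE, SESSION_ID, LENGTH) + payload."""
    header = struct.pack("!HBBHH", ethertype, PPPOE_VER_TYPE, code, session_id, len(payload))
    return dst_mac + src_mac + header + payload


def parse_pppoe_frame(frame):
    """Return a dict of the PPPoE fields, or raise ValueError for a malformed frame."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype not in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION):
        raise ValueError(f"not a PPPoE frame (ethertype {ethertype:#06x})")
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError(f"unsupported PPPoE VER/TYPE {ver_type:#04x}")
    if len(frame) < 20 + length:
        raise ValueError("PPPoE LENGTH exceeds the frame")
    return {"dst": frame[:6], "src": frame[6:12], "ethertype": ethertype,
            "code": code, "session_id": session_id, "payload": frame[20:20 + length]}


class AccessConcentrator:
    """Aggregation device. sessions maps session_id -> CPE MAC; it is empty right after a reload."""

    def __init__(self, mac, sessions=None):
        self.mac = mac
        self.sessions = dict(sessions or {})

    def receive(self, frame):
        """Return a PADT to send back for an orphaned session, or None when nothing is needed."""
        pkt = parse_pppoe_frame(frame)
        if pkt["dst"] != self.mac or pkt["ethertype"] != ETH_PPPOE_SESSION:
            return None  # discovery traffic and frames for other hosts are handled elsewhere
        if self.sessions.get(pkt["session_id"]) == pkt["src"]:
            return None  # live session: the payload goes to PPP as usual
        # No state for this session (lost in the reload): tell the CPE to tear it down.
        return build_pppoe_frame(pkt["src"], self.mac, ETH_PPPOE_DISCOVERY, CODE_PADT, pkt["session_id"])


class Cpe:
    """CPE with PPP keepalives disabled: only a PADT can move it out of the 'session' state."""

    def __init__(self, mac, ac_mac, session_id):
        self.mac, self.ac_mac, self.session_id = mac, ac_mac, session_id
        self.state = "session"

    def receive(self, frame):
        """Process a received frame and return the resulting state."""
        pkt = parse_pppoe_frame(frame)
        if pkt["ethertype"] != ETH_PPPOE_DISCOVERY or pkt["code"] != CODE_PADT:
            return self.state
        # PADT is unauthenticated: ignore anything not from our AC, for our session, addressed to us.
        if (pkt["dst"], pkt["src"], pkt["session_id"]) != (self.mac, self.ac_mac, self.session_id):
            return self.state
        self.session_id = 0
        self.state = "discovery"  # next step is a fresh PADI to rebuild the session
        return self.state


if __name__ == "__main__":
    ac_mac, cpe_mac = bytes.fromhex("001122aabb01"), bytes.fromhex("001122ccdd02")
    cpe = Cpe(cpe_mac, ac_mac, 0x0042)
    ac = AccessConcentrator(ac_mac)  # just reloaded: no sessions
    data = build_pppoe_frame(ac_mac, cpe_mac, ETH_PPPOE_SESSION, CODE_SESSION, 0x0042, b"\x00\x21" + b"ip")
    padt = ac.receive(data)
    print(cpe.receive(padt))  # "discovery"
```

The MAC and session checks on the CPE are the practical minimum: without them any host on the access segment that can guess a 16-bit session ID can tear down a neighbour's session with a single forged PADT.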

Benefits

Network availability improves, because CPE routers in a broadband network are told to re-establish their PPPoE session after a reload of the aggregation router, which minimizes the impact and duration of connectivity loss during a failure in the aggregation router.

Hardware

Routers

Cisco 2600, 3600, 7200, and 7400 Series Routers

Cisco 3725 and 3745 Routers

Broadband Aggregators

Cisco 6400-NRP-1 and 6400-NRP-2 Broadband Aggregators


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.8) L2TP Client-Initiated Tunneling

Layer 2 Tunneling Protocol (L2TP) Client-Initiated Tunneling introduces the ability to establish client-initiated L2TP tunnels. The client may initiate an L2TP or L2TPv3 tunnel to the L2TP network server (LNS) without the intermediate network access server (NAS) participating in tunnel negotiation or establishment.

Benefits

This enables providers to offer value-added services, such as VPNs or firewalls, directly to their customers.

Hardware

Routers

Cisco 827, 1710, 2610, 2611, 2612, and 2613 Routers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.9) B-Channel Availability Control

ISDN B-Channel Availability Control (BCAC) and Round-Robin Channel Selection Enhancements give more dynamic control of the ISDN B channels: they add configuration options for signaling messages and an enhanced channel selection scheme that adds round-robin selection to the existing ascending and descending channel selection schemes.

Benefits

BCAC gives Service Providers dynamic control of B-channel availability for applications like aggregating low data volume links.

Hardware

Routers

Cisco 2620, 2621, 3640, 3660 Routers

Access Servers

Cisco AS5300, AS5350, AS5400, AS5800, and AS5850 Series Access Servers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.10) ISDN Backup in Multiprotocol Label Switching Core

When a primary link in the Multiprotocol Label Switching (MPLS) core network goes down, ISDN Backup in MPLS Core brings up a backup ISDN link on a dialer interface to restore network connectivity. This feature ensures high availability of the link between two routers in the MPLS core by providing a backup path. Within the MPLS network, this functionality is intended for Provider to Provider Edge (P-PE) and Provider to Provider (P-P) links.

Benefits

Enhanced network availability is the key benefit: links in an MPLS core network are backed up by an ISDN connection, which preserves connectivity on critical core links.

Hardware

Routers

Cisco 3640 and 7200 Series Routers


Considerations

Works only with dialer profile configuration.

Available only for PPP encapsulation.

Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.11) V.110 Support for MGCP-Dial

This feature adds V.110 encapsulation support for MGCP NAS package dial configurations. V.110 encapsulation connects lower-bandwidth devices through the V.110 rate adaption protocol, which lets Global System for Mobile Communications (GSM/DCS/PCS) mobile users access corporate intranets and the Internet through Integrated Services Digital Network (ISDN) networks.

Benefits

This functionality lets Cisco routers that provide Internet connectivity interoperate in environments where V.110 encapsulation is used for data rate adaptation, for example when low-speed mobile Personal Digital Assistants (PDAs) connect to the Internet.

Hardware

Routers

Cisco AS5300, AS5350, AS5400, and AS5850 Series


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

7.4.12) X.25 Call Confirm Packet Address Control

The X.25 Call Confirm Packet Address Control feature provides options for controlling the source and destination addresses that are encoded in outgoing Call Confirm packets. You can suppress the addresses completely or specify that the addresses originally proposed in the received Call packet be encoded in the Call Confirm packet. This feature may be necessary when connecting to equipment that implements a nonstandard or proprietary X.25 service, where the addressing scheme needs to be modified.
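One encoder covering both X.25 addressing features in this section, the PAD Subaddress Formatting Option (section 7.4.5) and the Call Confirm address options described above, as an added example rather than Cisco IOS code. The address block layout is the ITU-T X.25 one: a length octet whose high nibble is the calling DTE address digit count and low nibble the called DTE address digit count, followed by the called digits and then the calling digits as packed BCD nibbles with a zero pad nibble when the total is odd. The X.121 addresses are constructed; the "local" baseline mode for the Call Confirm packet is an assumption, not documented Cisco behaviour, and is included only to contrast with the two options the page names.

```python
"""X.25 address-block handling for PAD subaddresses and Call Confirm packets.

Added example, not Cisco IOS code. Covers the PAD Subaddress Formatting Option
(suppressing the leading zero of a single-digit subaddress before it is appended
to the calling address) and Call Confirm Packet Address Control (suppress the
addresses, or echo the ones proposed in the received Call packet). Addresses are
constructed; the "local" Call Confirm mode is an assumed baseline.
"""

MAX_X121_DIGITS = 15  # an X.121 address, including any subaddress, is at most 15 digits


def format_subaddress(subaddress, suppress_leading_zero=False):
    """Digits the PAD appends for a subaddress.

    Legacy behaviour uses a fixed two-digit field, so 7 becomes "07".
    With the formatting option enabled, 7 becomes "7"; 10 through 99 are unchanged.
    """
    if not 0 <= subaddress <= 99:
        raise ValueError("subaddress must be in 0..99")
    return str(subaddress) if suppress_leading_zero else f"{subaddress:02d}"


def calling_address_with_subaddress(calling, subaddress, suppress_leading_zero=False):
    """Calling DTE address as placed in the Call packet: base address plus subaddress digits."""
    address = calling + format_subaddress(subaddress, suppress_leading_zero)
    if len(address) > MAX_X121_DIGITS:
        raise ValueError("calling address plus subaddress exceeds 15 digits")
    return address


def encode_address_block(called, calling):
    """Pack called/calling digit strings into the X.25 address block."""
    for address in (called, calling):
        if not all(c in "0123456789" for c in address):
            raise ValueError("X.121 addresses contain decimal digits only")
        if len(address) > MAX_X121_DIGITS:
            raise ValueError("X.121 address longer than 15 digits")
    digits = called + calling
    if len(digits) % 2:
        digits += "0"  # pad nibble so the block ends on an octet boundary
    packed = bytes(int(digits[i]) << 4 | int(digits[i + 1]) for i in range(0, len(digits), 2))
    return bytes([len(calling) << 4 | len(called)]) + packed


def decode_address_block(block):
    """Inverse of encode_address_block: returns (called, calling, octets_consumed)."""
    if not block:
        raise ValueError("empty address block")
    calling_len, called_len = block[0] >> 4, block[0] & 0x0F
    total = calling_len + called_len
    octets = (total + 1) // 2
    if len(block) < 1 + octets:
        raise ValueError("address block truncated")
    nibbles = []
    for octet in block[1:1 + octets]:
        nibbles.extend((octet >> 4, octet & 0x0F))
    nibbles = nibbles[:total]
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal nibble in X.121 address")
    digits = "".join(str(n) for n in nibbles)
    return digits[:called_len], digits[called_len:], 1 + octets


def call_confirm_address_block(received_call_block, mode, local_address):
    """Address block for the outgoing Call Confirm (Call Accepted) packet.

    mode "suppress": no addresses at all (length octet 0x00)
    mode "echo":     called and calling addresses exactly as proposed in the received Call packet
    mode "local":    assumed baseline: the responder's own address as called address, no calling address
    """
    called, calling, _ = decode_address_block(received_call_block)
    if mode == "suppress":
        return encode_address_block("", "")
    if mode == "echo":
        return encode_address_block(called, calling)
    if mode == "local":
        return encode_address_block(local_address, "")
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed branch-office call: 9-digit calling address plus subaddress 7.
    legacy = calling_address_with_subaddress("311091100", 7)            # "31109110007"
    single = calling_address_with_subaddress("311091100", 7, True)      # "3110911007"
    call = encode_address_block("311092200", single)
    print(legacy, single, call.hex())
    print(call_confirm_address_block(call, "suppress", "311092200").hex())
```

The decoder rejects nibbles above 9 and truncated blocks before any address is used, which is the check a translator needs when the peer is the "slightly proprietary" equipment the Benefits paragraph below refers to: a malformed length octet must not be allowed to index past the end of the packet.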

Benefits

The key benefit is improved interoperability with networking equipment that implements X.25 in a slightly proprietary manner.

Hardware

Routers

Cisco 800, 1400, 2500, 4500, 7100, 7200, and 7400 Series Routers

Cisco 1710, 2691, 3631, 3640, 3660, 3725, and 3745 Routers

Universal Broadband Routers

Cisco UBR7200 Series Universal Broadband Routers

Access Servers

Cisco AS5300, AS5350, AS5400, AS5800, and AS5850 Series Access Servers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

8) Appendix: Release 12.3(8)T—New Feature Enhancements

Asynchronous Line Monitoring

Border Gateway Protocol Cost Community Support for Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE with Back Door Links

Call Admission Control for Internet Key Exchange

Certificate to ISAKMP Profile Mapping

Cisco AutoQoS AutoDiscovery "Trust" Option

Cisco AutoSecure Rollback & Logging

Cisco IOS Network Admission Control

Cisco IOS Resilient Configuration

Cisco IOS Service Assurance Agent Multiple Operation Scheduling

Cisco Optimized Edge Routing 1.0

Crypto Access Check on Clear-Text Packet

Dynamic Host Configuration Protocol—Configurable DHCP Client

Dynamic Host Configuration Protocol—Dynamic Default Gateway on a Statically Configured Route

Dynamic Multipoint VPN Spoke to Spoke Functionality

Easy Secure Device Deployment Authentication, Authorization, and Accounting Integration

Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE Site of Origin

Enhanced Interior Gateway Routing Protocol Support for Route-Map Filtering

Explicit Call Transfer for ETSI PRI

First Hop Routing Protocols—Object Tracking List Support

MPLS Aware NetFlow

Network Address Translation—Support for H.323 Fragmented Control Messages

Protocol Translation Template

Quality of Service per VPN Group

Service Selection Gateway Interface Redundancy

Support for RFC 3519 NAT Traversal

9) Appendix: Release 12.3(7)T—New Feature Enhancements

Please find below a list of features and new hardware supported in Release 12.3(7)T.

AAA Dead-Server Detection

AAA Double Authentication Secured by Absolute Timeout

ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry

Attribute Screening for Access Requests

ATA Monlib Enhancements

AutoSecure Enhancements

AutoQoS for the Enterprise

BGP MIB Support Enhancements

BGP Transient Memory Usage Enhancement

BGP Support for TTL Security Check

Buffer Overflow: Detection and Correction of Redzone Corruption

Call Routing Enhancements to the H.323 Gatekeeper and GKTMP (GK API)

Circuit Emulation Service Over IP

Cisco CallManager Express 3.1 Enhancements

Cisco CallManager Express 3.1 New Features

Cisco IOS IPv6 Configuration Library

Cisco IOS Firewall for IPv6

Cisco NM-8AM-V2 and NM-16AM-V2 Analog Modem Network Modules with V.92

Cisco VG224 24-Port Analog Phone Gateway

Cisco IOS Scripting with Tcl

Class-Based Quality of Service (QoS) MIB (CBQoSMIB) Enhancements III

CLNS Support for GRE Tunneling of IPv4 and IPv6 Packets

Configuration Replace and Configuration Rollback

Control Plane Policing Enhancements

Distributed Dial-on-Demand Routing

Easy Secure Device Deployment

Easy VPN Client RSA Signature Support

Enhanced ITU-T G.168 Echo Cancellation

ESMTP for Cisco IOS Firewall

Extended ACL Support for IGMP to Support SSM in IPv4

File Transfer Using HTTP

Four-Wire Mode for SHDSL

GLBP IP Redundancy API

IEEE 802.1Q Tunneling

IEEE 802.1Q-in-Q VLAN Tag Termination

Incremental NVGEN

Interoperability Enhancements to the Cisco Multiservice IP-IP Gateway

IP Communications High-Density Digital Voice/Fax Network Module

IPsec Dead Peer Detection Periodic Message Option

IP over IPv6 Tunnels

IP Source Tracker

IPv6 Multicast: Explicit Tracking of Receivers

IPv6 Multicast Phase 1 & Phase 2

IPv6 Bidirectional PIM

IPv6 Policy-Based Routing

IS-IS Caching of Redistributed Routes

IS-IS Fast-Flooding of LSPs Using the Fast-Flood Command

Key Rollover for Certificate Renewal

Land Mobile Radio over IP

Lossless Compression R1, ATM Cell Switching, and External BITS Clocking Source

Mobile IP—Foreign Agent Local Routing of Mobile Networks

Mobile IP—Generic Routing Encapsulation for Mobile Networks

Mobile Networks PPP Dynamic Collocated Care-of-Address

Modem Calls over QSIG

MPLS—Multilink PPP Support

MPLS VPN VRF Selection Using Policy Based Routing

MSDP Compliance with IETF MSDP Draft 20

Multicast Fast Switching Performance Improvement

NBAR-NAT Integration & RTSP

NAT—Stateful Failover Asymmetric Outside-to-Inside Support

NAT-Stateful Failover for Application Layer Gateway (ALG) Support

NAT—Stateful Failover for Embedded Addressing

NAT—Static IP Support

NetFlow for IPv6

NetFlow MIB

Network Analysis Module (NM-NAM)

New Features in Cisco CallManager Express 3.1

OSPF Area Transit Capability

OSPF Per-Interface Link-Local Signaling

OSPF Link State Database Overload Protection

Per VRF TACACS+ Servers Support

PIM Dense Mode Fallback Prevention after RP Information Loss

PKI: Query Multiple Servers During Certificate Revocation Check

PPP/MLP MRRU Negotiation Configuration

Protected Private Key Storage

Query Mode Definition Per Trustpoint

RADIUS Attribute Screening Support for Access-Request

RADIUS NAS-IP-Address Attribute Configurability

Rate Based Satellite Control Protocol (RBSCP)

Role-Based CLI Access

Route Processor Redundancy Plus (RPR+)

SEAL Encryption

Secure Shell (SSH) Version 2 Client Support

Service Assurance Agent VoIP Proactive Monitoring

Signal ISDN B-Channel ID to Enable Application Control of Voice Gateway Trunks

SSG Default DNS Redirection

SSG Enhancements to SSG-SESM Interaction and Service Logon

SSG Permanent TCP Redirection

SSG TCP Redirect Access Control Lists

SSG Transparent Autologon

Survivable Remote Site Telephony 3.1 Enhancements

T.37 Fax Status Notification Enhancement in an MTA Environment

TCP Congestion Avoidance

TCP Explicit Congestion Notification

Transparent Cisco IOS Firewall

Troubleshooting Enhancements for Multilink PPP over ATM Link Fragmentation and Interleaving

Two-Wire Mode over SHDSL

VoiceXML Store and Forward

VPN Access Control Using 802.1x Authentication

VRF Aware Dialer Watch

VRF Selection Using Policy Based Routing

WCCP Bypass Counters

WCCP Outbound ACL Check

10) Appendix: Release 12.3(4)T—New Feature Enhancements

Please find below a list of features and new hardware supported in Release 12.3(4)T.

16- and 36-Port Ethernet Switch Module for Cisco 2600, 3600, and 3700 Series

AAA IPv6 Attributes Support

ACL Support for Filtering IP Options

ACL—TCP Flags Filtering

Accounting Server Connectivity Failure and Recovery Detection

Avoid DM Fallback when all RPs Fail

BGP Configuration Using Peer Templates

BGP Dynamic Update Peer-Groups

BGP Policy Accounting Output Interface Accounting

Capabilities for Cisco Voice Gateways

CEF Support for Dialer Profiles on 7500

Cisco 1701 ADSL Broadband Router

Cisco CallManager Express

Cisco Easy VPN Remote Enhancements

Cisco IDS Network Module

Cisco IOS Login Enhancements

Cisco IOS MGCP Gateway Support for Cisco CallManager

Cisco IOS Software Feature Removal

Cisco IOS Telephony Service, V3.0

Cisco Survivable Site Remote Telephony, V3.0

Cisco Unity Express Network Module

Cisco VoIP Internal Error Codes

CISCO-MEMPOOL-MIB Enhancements

Class-Based QoS MIB (CBQoSMonMIB) Enhancements

Configuration Change Notification and Logging

Configuring Default Session Application Enhancements

Configuring Flex DSP Resource Management

Control Plane Policing

CPU Thresholding and Notifications

Custom Tone Download to Cisco IOS MGCP Gateways from Cisco CallManager

Deterministic Regular Expression Engine

DHCP—Address Allocation Using Option 82

DHCP—DHCPv6 Prefix Delegation

DHCP—Release and Renew CLI in Exec Mode

DHCP Authorized ARP

Direct HTTP Enroll with CA Servers

DPNSS Backhaul

EAP SIM Enhancements

Easy VPN Server

Embedded Event Manager

Enhanced VoiceXML Diagnostics

Firewall ACL Bypass

Framed Router Attrib 22

Global "No IP Options" CLI

HSRP—Hot Standby Router Protocol V2 (HSRPv2)

IAD2430 Integrated Access Device

Ignore Revocation Check and Expired Certs Based on CERT ACL

Image Verification

Import of RSA Keypair and Certificates in PEM Format

Integrated IS-IS Global Default Metric

Integrated IS-IS Limit on Number of Redistributed Routes

Integrated IS-IS Protocol Shutdown Support Maintaining Configuration Parameters

IOS Certificate Server

IP Communications Voice/Fax Network Module

IP Hosts Tracking

IP Options Selective Drop

IPC Lost Ack Detection by Sender

IPsec for IPv6 PhaseI

IPv6 Anycast Address

IPv6 Compliance of RBE

IPv6 Multicast: Phase II Enhancement

ISDN Calling Name Display

IS-IS Support for Priority-Driven IP Prefix RIB Installation

IVR: Configuring Dynamic Prompts

IVR: Customizing Accounting Templates

IVR: Directing AAA Requests

L2TP Tunnel Connection Speed Labeling

Media Stream Recording Support

Memory Thresholding Fault Detector

Mobile IP—HA Redundancy for Dynamic Mobile Networks

Mobile IP—MIB for Reverse Tunnel, Challenge, and VSE

Mobile IP—Mobile Networks Deployment MIB

Mobile IP—Mobile Networks Dynamic Collocated Care-of-Address

Mobile IP—Dynamic Security Association Management and Key Dist.

MSDP Compliance with IETF MSDP Draft 18

MSDP Enhancements

Multilink PPP Minimum Links Mandatory

Multi-Protocol BGP (MP-BGP) Support for IPv6 Multicast Address Family

NBAR Extended Inspection for HTTP Traffic

NBAR User-Defined Custom Application Classification

NetFlow-Input Filters

OSPF for IPv6 (OSPFv3) Authentication Support with IPsec

OSPF MIB Support of RFC 1850 and Latest Extensions

OSPF Support for Unlimited Software VRFs per Provider Edge (PE) Router

PBR with Multiple Tracking Options

Peer Pool Backup Command

PIM Dense Mode Fallback Prevention in a Network Following RP Information Loss

PPPoE Relay

PPPoE Service Selection

PPPoE Session Limit per NAS Port Download

Private Line Automatic Ringdown for Trading Turrets

Radius IPv6 Compliance

Rate Limiting per User

RAW IP Traffic Export

Real-Time Resolution for IPsec Tunnel Peer

Regex Engine Performance Enhancement

RFC-2867 Tunnel Accounting

Router IP Traffic Export

Router Security Audit Logs

Secure Access Mode: Silent Mode

Service Assurance Agent (SAA) VoIP UDP Probe

SIP Debug Output Filtering Support

SIP Gateway Support Enhancements to the Bind Command

SIP: RFC 3261 Enhancements

SIP: SIP Header Support and Subscribe and Notify for External Triggers

Speech Recognition and Synthesis for Voice Applications

SRST: Survivable Remote Site Telephony Version 3.0

SSG 3-Key Authentication

SSG Autologoff Enhancement

SSG Complete ID

SSG EAP Transparency

SSG L2TP Dialout

SSG Open Garden Configuration Enhancements

SSG Prepaid Enhancements for Mobile

SSG Prepaid Idle Timeout

SSG Proxy for CDMA2000

SSG PTA-MD Exclusion List

SSG RADIUS Proxy Enhancements

SSG Range Command for BIND Statements

SSG Service Profile Caching

SSG Simple CLI Enhancements

SSG Suppression of Unused Accounting Records

SSG to Utilize AAA's new Non-Blocking Model

SSG Unconfig

SSG Unique Session ID

SSH Version 2

Subscriber Service Support

Support Import of RSA Keypair in PEM Format

TCP Flags Filtering

Troubleshooting VoIP Networks Using Cisco VoIP Internal Error Codes

Tunnel Authentication via Radius on LNS

Turbo-Classification for QoS

Using Certificate ACLs to Ignore Revocation Check and Expired Certificates

V.120 Support Network Access Servers (NAS)

Videoconferencing on the Cisco Multiservice IP-to-IP Gateway

Voice Call Debug Filtering on Cisco Voice Gateways

Voice Performance Statistics on Cisco Gateways

VLANs on IP Unnumbered Interfaces

VoiceXML RECORD Element

VoiceXML Transfer Enhancements

VoiceXML Voice Store and Forward

VPN Access Control Using 802.1x Authentication

11) Appendix: Release 12.3(2)T—New Feature Enhancements

Please find below a list of Features and new hardware supported in Release 12.3(2)T:

APIP—Async PoS to IP Conversion

ATM Cell Loss Priority (CLP) Bit Marking

B-Channel Availability Control

BGP Route-Map Continue

BGP CLI Show Commands Consolidation

BGP Cost Community

BGP Fast Convergence Optimization

BGP Support for a "Continue" Statement within a Route-Map Definition

Call Status Tracking Optimization

CEFv6 Switching for 6to4 Tunnels

CEFv6 Switching for Automatic IPv6 over IPv4 Tunnels

CEFv6 Switching for IPv6 ISATAP Tunnels

CEFv6 Tunneling Support

Cisco 1700 Series Voice Features

CISCO-CONFIG-COPY MIB: FTP and RCP Support

CISCO-CONFIG-COPY-MIB: Secure Copy Support

CISCO-FLASH-MIB Enhancements

Cisco IOS Scripting with TCL

CISCO-IF-EXT-MIB

CISCO-SIP-UA-MIB Enhancements Providing Functional Parity to SIP Related CLI

Cisco Security Device Manager (SDM)

Class-Based QoS MIB (CBQoSMonMIB) Enhancements

Compressed RTP (cRTP)—DSL Interfaces

Correlation of Link Down Traps Based on Layering

cRTP on MGX-RPM-XF

Crypto Conditional Debug Support

DCEF Support for Standard NAT on 7500 Series

DHCP Lease Limit per ATM RBE Unnumbered Interface

DNS Proxy

DNS Spoofing

DTMF Events Through SIP Signaling

Embedded Syslog Manager (ESM)

Encrypted Pre-Shared Key

End of Record Functionality for DCN Networks

Enhanced Codec Support for SIP using Dynamic Payloads

Enhanced ITU-T G.168 Echo Cancellation

Enhanced Voice and QoS for ADSL and G.SHDSL on Cisco 1700 Series, Cisco 2600 Series, and Cisco 3600 Series

Enhancement to "show snmp user" Command

File Download Using HTTP

Frame Relay—FRF.5 & FRF.8

Frame Relay—Multilink (MLFR-FRF.16)

GLBP MD5 Authentication

H.323 Dual Tone Multifrequency (DTMF) Relay Using Named Telephone Events

Hot Standby Router Protocol (HSRP)

HSRP MD5 Authentication

Internal Cause Code Consistency Between SIP and H.323

Invalid Security Parameter Index Recovery

IPv6 Multicast

ISDN Backup in MPLS Core

ISDN Type of Number to RADIUS Server

IS-IS Incremental SPF

IS-IS Mechanism to Exclude Connected IP Prefix from LSP Advertisements

IS-IS Support for Route Tags

L2TP Client-Initiated Tunneling

L2TPv3: Layer-2 Tunneling Protocol Version 3

Loadsharing IP Packets over More Than Six Parallel Paths

Low Latency Queuing (for 820)

Memory and CPU Measurement

MGCP Controlled Backhaul of BRI Signaling in Conjunction with Cisco Call Manager

MGCP Line Package Enhancements for Loop Current Feed Open (LCFO)

MGCP Support for Call Manager (IP-PBX)

MLPPP Bundling-DSL Interfaces

MLPPP/LFI for ATM Support on MGX-RPM-XF

Mobile IP

Monitoring and Re-Training on Reception of Loss of Margin Messages

MPLS: OAM Insertion and Loop Detection on LC-ATM

Multicast VPN for MPLS on MGX-RPM-XF

NAT—SIP Support

NAT—Support for H.323 Versions 3 and 4

NAT—Support of IP Phone to Cisco Call Manager

NAT-PT—Support for Fragmentation

NAT-PT—Support for FTP

NAT-PT—Support for Overload (PAT)

NetFlow BGP Next hop Support

NetFlow Multicast Support

NetFlow v9 Export Format

Online Certificate Status Protocol (OCSP)

OSPF Incremental SPF

OSPF Limit on Number of Redistributed Routes

OSPF Link-State Advertisement (LSA) Throttling

PAD Subaddress Formatting Option

PCR Support for the Cisco Signaling Link Terminal

Performance Enhancements for IOS ACL

Periodic MIB Data Collection and Transfer Mechanism

Persistent TDM Switched Circuits

Preventive Cyclic Retransmission Support for the Cisco Signaling Link Terminal

PPPoE over VLAN Scaling and ATM Support for PPPoE over VLANs

PPPoE Session Recovery After Reload

RFC 2576: v1/v2c pdu Conversions for Proxy Forwarder

RTP Header Compression over Satellite Links

Service Assurance Agent (SAA)—MPLS/VPN Path Jitter

SIP: SIP Header Support and Subscribe and Notify for External Triggers

SIP Carrier Identification Code

SIP INFO Method for DTMF Tone Generation

SIP Multiple 18x Responses

SIP Session Timer Support

SIP T.37 and Cisco Fax

Show Command Section Filter

SNMP Notifications for Flash Insertion and Removal