
Cisco IOS Software Release 12.4 Features and Hardware Support

Table Of Contents

Cisco IOS Software Release 12.4 Features and Hardware

1) Introduction: Cisco IOS Software Release 12.4

1.1) Migration Guide

1.2) Cisco IOS Packaging: Secure Management Access

1.3) Release 12.4T Additional Information

2) Release 12.4 Feature Technology Highlights

2.1) Hardware Support

2.2) Broadband

2.3) High Availability

2.4) Infrastructure

2.5) IP Mobility

2.6) IP Multicast

2.7) IP Routing

2.8) IP Services

2.9) IPv6

2.10) Management Instrumentation

2.11) Multiprotocol Label Switching

2.12) Quality of Service

2.13) Security and VPN

2.14) Voice


Product Bulletin No. 2852

Cisco IOS Software Release 12.4 Features and Hardware


Last Updated: July 2006

This Product Bulletin introduces Cisco IOS Software Release 12.4T, and includes the following sections:

1) Introduction: Cisco IOS Software Release 12.4

Cisco IOS® Software is the world's leading network infrastructure software, delivering a seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, ranging from the small home office router to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.

One of the most significant delivery milestones for Cisco IOS Software is the introduction of a new major release, which ships once every two years, delivers hundreds of advanced capabilities, and aggregates multiple prior releases into a synergistic whole.

Developed for wide deployment in the world's most demanding Enterprise, Access, and Service Provider Aggregation networks, Major Release 12.4 is a comprehensive portfolio of Cisco technologies, including the leading-edge functionality and hardware support introduced in Release 12.3T, anchored by an intensive stability and testing program.

Major Release 12.4 introduces more than 700 industry-leading features across the widest range of hardware in the industry. These key innovations span multiple technology areas, including Security, Voice, High Availability, IP Routing, Quality of Service (QoS), IP Multicast, IP Addressing, IP Mobility, Multiprotocol Label Switching (MPLS), and VPNs.

Figure 1

Major and Technology Release Relationship

1.1) Migration Guide

Cisco recommends that customers who need to deploy Release 12.3T features upgrade to Cisco IOS Software Major Release 12.4. Release 12.3T is scheduled for End of Sales in Q4CY'05.

While customers can no longer order software releases that reach End of Sales, they can download such releases from Software Center if they have a maintenance contract.

The following Cisco IOS Software releases identify the current recommended migration into Release 12.4.

Figure 2

Release 12.4 Migration Recommendation

Major Release 12.4 undergoes testing and review cycles to continuously improve and increase reliability and quality. As per Cisco's policies, no new technologies or features are added. Cisco updates Release 12.4 via regular maintenance releases to include minor improvements based upon customer experiences.

Maintenance for Release 12.3T ceases upon this introduction of Release 12.4. Users of Release 12.3T should migrate to Major Release 12.4 in order to receive maintenance.

For additional information about Cisco IOS Software Product Lifecycle Dates & Milestones, please visit:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

1.2) Cisco IOS Packaging: Secure Management Access

Cisco IOS Software Release 12.4 will introduce support for management access using Secure Shell (SSH), HTTPS, and Simple Network Management Protocol version 3 (SNMPv3) on the Cisco 1800, 2800, and 3800 Series Access Routers. These three features work with other device management features (i.e., image verification, role-based CLI views, user authentication, and VTY access control lists) to provide flexible and secure management access to any remote router, regardless of which Release 12.4 feature set is configured on the router.

SSHv2 client and server functionality provides a secure, encrypted alternative to traditional telnet for router configuration and administration.

SSL server functionality provides secure, encrypted HTTPS access to graphical user interfaces (i.e., Router and Security Device Manager).

SNMPv3 Server functionality includes authPriv mode, which provides authentication and encryption of SNMP messages.
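As an added example (not part of the Cisco bulletin), the following Python script audits an IOS-style running configuration for the legacy management settings these three features replace: telnet on VTY lines, plain `ip http server`, SNMPv1/v2c community strings, and SNMPv3 groups below authPriv. The two configurations embedded in it are constructed samples written in IOS 12.4 CLI syntax; the `<auth-pass>` and `<priv-pass>` values are placeholders, and the function names are the example's own.

```python
"""Audit an IOS running-config for weak management-plane access.

Added example: checks for the legacy settings that the Release 12.4 secure
management features (SSHv2, HTTPS, SNMPv3 authPriv) are meant to replace.
"""
import re

# Constructed sample: legacy management access on a branch router.
WEAK_CONFIG = """\
hostname branch-rtr
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server group LEGACY-V3 v3 auth
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed sample: the same router using the Release 12.4 secure
# management features. <auth-pass> and <priv-pass> are placeholders.
HARDENED_CONFIG = """\
hostname branch-rtr
ip ssh version 2
no ip http server
ip http secure-server
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsadmin NMS-GROUP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
line vty 0 4
 login local
 transport input ssh
"""


def _sections(lines):
    """Yield (header, body) for each 'line ...' block; body holds its indented entries."""
    header, body = None, []
    for raw in lines:
        if raw.startswith("line "):
            if header is not None:
                yield header, body
            header, body = raw, []
        elif raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = None, []
    if header is not None:
        yield header, body


def audit(config):
    """Return a list of findings; an empty list means no weak setting was found."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    top = [l for l in lines if not l.startswith(" ")]
    findings = []

    # Global (non-indented) settings.
    if "ip http server" in top:
        findings.append("plain HTTP management enabled (ip http server); use ip http secure-server")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2 (ip ssh version 2 missing)")
    for line in top:
        if line.startswith("snmp-server community "):
            findings.append("SNMPv1/v2c community string configured: " + line)
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b", line)
        if m and m.group(2) != "priv":
            findings.append(f"SNMPv3 group {m.group(1)} uses {m.group(2)}, not authPriv")

    # Per-VTY settings: telnet is only reachable if transport input allows it.
    for header, body in _sections(lines):
        if not header.startswith("line vty"):
            continue
        for entry in body:
            if entry.startswith("transport input "):
                protocols = entry.split()[2:]
                if "telnet" in protocols or "all" in protocols:
                    findings.append(f"{header}: telnet permitted ({entry})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run against the weak sample the audit reports six findings (plain HTTP, unpinned SSH version, two community strings, an SNMPv3 group at auth only, and telnet on the VTY lines); the hardened sample reports none. Feeding it the output of `show running-config` from a real router is the intended use.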


Note: Export controls on strong encryption vary according to type, strength, territory, end-use, and end-user. Visit the Cisco Encryption Sales Support Tool to determine eligibility for Cisco strong encryption solutions. Send an email to Export Compliance (export@cisco.com) for clarification. Encryption-free versions of IP Base, IP Voice, Enterprise Base, and Enterprise Services feature sets will continue to be available.


1.3) Release 12.4T Additional Information

Release 12.4

http://www.cisco.com/go/release124/

Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

Cisco IOS Software Center

Download Cisco IOS Software releases and access software upgrade planners.

http://www.cisco.com/public/sw-center/sw-ios.shtml

Cisco Feature Navigator

A web-based application that allows users to quickly match Cisco IOS Software releases to features to hardware.

http://www.cisco.com/go/fn/

Cisco Software Advisor

Determine the minimum supported software for selected hardware.

http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

Cisco IOS Upgrade Planner

View all major releases, hardware, and software features from a single interface.

http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi

Cisco IOS Software Questions and Feedback

http://www.cisco.com/warp/public/732/feedback/release/

2) Release 12.4 Feature Technology Highlights

Table 1  Major Release 12.4 Technology Summary

Section | Feature Highlights and Benefits

Hardware Support | Coupled with industry-leading Cisco IOS Software, Cisco redefines best-in-class routing with the industry's first portfolio engineered for secure, wire-speed delivery of concurrent data, voice and video services - Cisco Integrated Services Routers.

Broadband | As Service Providers scale their offerings to meet growing demand for Broadband subscriptions, they must simplify operations and increase individual subscriber revenue. Broadband aggregation dynamically binds subscribers to critical, revenue-generating services that carriers must deliver. Cisco delivers Broadband Aggregation capabilities on a comprehensive set of routers and software to meet a variety of network requirements - from WiFi hot-spots to carrier-grade aggregation - for millions of Digital Subscriber Line (DSL) and Cable subscribers.

High Availability | Cisco IOS High Availability enables network-wide resilience to increase IP network availability. Network applications must cross different network segments - from the Enterprise Backbone, Enterprise Edge, and Service Provider Edge, through the Service Provider Core. All segments must be resilient to recover quickly enough for faults to be transparent to users and network applications. A failure that is detected anywhere in the network can result in termination, interruption or violation of service level agreements for business-critical applications such as voice, e-commerce, storage area networking, work-flow, trading, and point of sales.

Infrastructure | Cisco IOS Software Infrastructure includes the underlying foundation upon which all network services are built. Cisco IOS Software features integrate the power and flexibility of the infrastructure to provide a complete set of network services. Cisco is enriching Cisco IOS Software in four key areas: High Availability, Security, Manageability, and Scalability. The changes augment and fortify the underlying network infrastructure software and establish a new base for further delivery of advanced, intelligent network services.

IP Mobility | The mobile workforce needs the ability to communicate with customers, partners, and fellow workers anywhere, anytime, and to have access to relevant business applications and tools to carry out business effectively. Enterprise mobility is about providing ubiquitous connectivity to the mobile user, independent of the devices and access technologies. Mobile IP, an IETF standard (RFC 2002), allows a host device to be identified by a single IP address even though the device may move its physical point of attachment from one network to another.

IP Multicast | IP Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast technologies include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news.

IP Routing | Cisco IP Routing Protocols provide the fundamental infrastructure for the delivery of advanced IP services across all Cisco products. Whether based on Internet Engineering Task Force standards or Cisco innovations, Cisco offers a broad portfolio of IP Routing technologies. All share common attributes and goals of scalability, availability, manageability, fast convergence, and high performance.

IP Services | Cisco IOS Software contains a wide array of critical network services designed for flexibility, scalability, and reliability to help solve the most difficult problems facing enterprises and service providers. Customers can select the appropriate Cisco IOS Software feature sets to meet their evolving network requirements. Features such as Network Address Translation (NAT), Dynamic Host Configuration Protocol (DHCP), and Hot Standby Router Protocol (HSRP) can be easily deployed individually or in combination with each other across a wide range of Cisco hardware.

IPv6 | IPv6 is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits, or approximately 3.4 x 10^38 addressable nodes, which provides more than enough globally unique IP addresses for every network device on the planet.

Management Instrumentation | Cisco IOS Software provides a rich set of features that enable customers to efficiently manage their networks. Benefits of this embedded instrumentation functionality include: lowered operating and maintenance costs, rapid incorporation of new network services and devices, management of the network as an integrated system, reduced downtime by adaptive fault management, and measurable and billable differentiated services.

Multiprotocol Label Switching | Cisco IOS Multiprotocol Label Switching (MPLS) enables Enterprises and Service Providers to build next-generation intelligent networks that deliver a wide variety of advanced, value-added services over a single infrastructure. This economical solution can be integrated seamlessly over any existing infrastructure, such as IP, Frame Relay, ATM, or Ethernet. Subscribers with differing access links can be aggregated on an MPLS edge without changing their current environments, as MPLS is independent of access technologies.

Quality of Service | A communications network forms the backbone of any successful organization. These networks transport a multitude of applications and data, including high-quality video and delay-sensitive data such as real-time voice. The bandwidth-intensive applications stretch network capabilities and resources, but also complement, add value, and enhance every business process. Networks must provide secure, predictable, measurable, and sometimes guaranteed services. Achieving the required Quality of Service (QoS) by managing the delay, delay variation (jitter), bandwidth, and packet loss parameters on a network becomes the secret to a successful end-to-end business solution. Thus, QoS is the set of techniques to manage network resources.

Security and VPN | Comprehensive network-security features in Cisco routers help companies protect their infrastructures, devices, and important information, while reducing costs.

Voice | Cisco CallManager Express is a solution embedded in Cisco IOS Software that provides call processing for Cisco IP phones. This solution enables the large portfolio of Cisco access routers to deliver telephony features similar to those that are commonly used by business users to meet the requirements of the small office, thereby enabling deployment of a cost-effective, highly reliable, IP Communications solution for the small office.


2.1) Hardware Support

Table 2  Hardware Highlights


2.1.1) Cisco 3800 Series Integrated Services Router

The integrated services routing architecture of the Cisco 3800 Series builds on the powerful Cisco 3700 Series routers designed to embed and integrate security and voice processing with advanced services for rapid deployment of new applications, including application layer functions, intelligent network services, and converged communications. The Cisco 3800 Series supports the bandwidth requirements for multiple Fast Ethernet interfaces per slot, time-division multiplexing (TDM) interconnections, and fully integrated power distribution to modules supporting 802.3af Power over Ethernet (PoE), while still supporting the existing portfolio of modular interfaces. This ensures continuing investment protection to accommodate network expansion or changes in technology as new services and applications are deployed. By integrating the functions of multiple separate devices into a single compact unit, the Cisco 3800 Series dramatically reduces the cost and complexity of managing remote networks.

New models include the Cisco 3825 and the Cisco 3845, available with three optional configurations for AC power, AC power with integrated IP phone power support, and DC power.

Figure 3

Cisco 3800 Series Integrated Services Router

Benefits

This high-performance architecture is optimized for concurrent service deployment and offers increased default and maximum memory for future services growth.

Cisco IOS Software features offer support for identifying, preventing, and adapting to security threats and maintaining a self-defending network, including Cisco SDM 2.0, NAC (antivirus enforcement), Dynamic Multipoint VPN, dynamic in-line IDS, Cisco IOS Firewall, and URL filtering capabilities.

Onboard DSPs—Integrated PVDMs support analog voice, digital voice, conferencing, transcoding, and secure Real-Time Transport Protocol (SRTP) media while enabling network-module or AIM slots for switching, concurrent applications, content, and voice mail.

Field-upgradable, modular components are supported on the Cisco 3800 Series, allowing customers to easily change network interfaces without upgrading their entire branch-office network. The Cisco 3800 Series takes advantage of the existing portfolio of WICs, VICs, network modules, and AIMs to reduce sparing, training, configuration, installation, and maintenance costs.

The Cisco 3800 Series minimizes downtime with availability features, including optional redundant power, Error Checking and Correction (ECC) memory for improved fault isolation and correction, USB Flash memory for ease of image recovery, advanced temperature monitoring and variable-speed cooling fans, Cisco IOS Software Warm Reboot for improved bootup times, network-module online insertion and removal, and field-replaceable components such as fan tray, motherboard, and power supplies (Cisco 3845 only).

Additional Information: http://www.cisco.com/en/US/products/ps5855/index.html

Product Management Contact: cs-3800@cisco.com

2.1.2) Cisco 2800 Series Integrated Services Router

The Cisco 2800 Series comprises four new routers: Cisco 2801, 2811, 2821, and 2851 Routers. The Cisco 2800 Series provides significant additional value compared to prior generations of Cisco routers at similar price points by offering up to a fivefold performance improvement, up to a tenfold increase in security and voice performance, new embedded service options, and dramatically increased slot performance and density while maintaining support for most of the more than 90 existing modules that are available today for the Cisco 1700 Series and Cisco 2600 Series.

The Cisco 2800 Series features the ability to deliver multiple high-quality simultaneous services at wire speed up to multiple T1/E1/xDSL connections. The routers offer embedded encryption acceleration and motherboard voice digital-signal-processor (DSP) slots; intrusion prevention system (IPS) and firewall functions; integrated call processing and voice mail; high-density interfaces for a wide range of connectivity requirements; and sufficient performance and slot density for future network expansion requirements and advanced applications.

Figure 4

Cisco 2800 Series

Benefits

A wide variety of LAN and WAN options are available. Network interfaces can be upgraded in the field to accommodate future technologies, and several types of slots are available to add connectivity and services in the future on an "integrate-as-you-grow" basis.

Each of the Cisco 2800 Series routers comes standard with embedded hardware cryptography accelerators, which when combined with an optional Cisco IOS Software upgrade help enable WAN link security and VPN services.

The Cisco 2800 helps enable end-to-end solutions with full support for the latest Cisco IOS Software-based QoS, bandwidth management, and security features.

The Cisco 2811, 2821, and 2851 have a built-in connector for an external redundant power supply, which can be shared with other Cisco products, protecting the network components from downtime due to power failures.

Hardware

Routers

Cisco 2800 Series Integrated Services Routers


Additional Information: http://www.cisco.com/en/US/products/ps5854/index.html

Product Management Contact: cs-2800@cisco.com

2.1.3) Cisco 1800 Series Integrated Services Router

Cisco 1800 Series Integrated Services Routers are the next evolution of the award-winning Cisco 1700 Series modular access routers. The Cisco 1841 Router is designed for secure data connectivity and provides significant additional value compared to prior generations of Cisco 1700 Series routers by offering more than a fivefold performance increase, integrated hardware-based encryption enabled by an optional Cisco IOS Software security image, and a dramatic increase in interface card slot performance and density while maintaining support for more than 30 existing WAN interface cards (WICs) and multiflex trunk cards (voice/WICs [VWICs]—for data only on the Cisco 1841 router) of the Cisco 1700 Series.

The Cisco 1841 Router features secure, fast, and high-quality delivery of multiple, concurrent services for small-to-medium-sized businesses and small enterprise branch offices. The Cisco 1841 router offers embedded hardware-based encryption enabled by an optional Cisco IOS Software security image; further enhancement of VPN performance with an optional VPN acceleration module; an intrusion prevention system (IPS) and firewall functions; interfaces for a wide range of connectivity requirements, including support for optional integrated switch ports; plus sufficient performance and slot density for future network expansion and advanced applications as well as an integrated real-time clock.

Figure 5

Cisco 1800 Series

Benefits

Supports concurrent deployment of high-performance, secure data services with headroom for future applications.

Offers a cryptography accelerator as standard integrated hardware that can be enabled with an optional Cisco IOS Software image for 3DES and AES encryption support.

Provides 32 MB of Flash and 128 MB of synchronous dynamic RAM (SDRAM) memory to support deployment of concurrent services.

Supports the Cisco 1841 router starting with Cisco IOS Software Release 12.3T and helps enable end-to-end solutions with support for latest Cisco IOS Software-based QoS, bandwidth management, and security features.

New intrusion-detection-system (IDS) signatures can be dynamically loaded independent of the Cisco IOS Software release.

Hardware

Routers

Cisco 1800 Series Integrated Services Routers


Additional Information: http://www.cisco.com/en/US/products/ps5853/index.html

Product Management Contact: cs-1800@cisco.com

2.1.4) Cisco 1711 and 1712 Security Access Routers

Description

The Cisco 1711 and 1712 Security Access Routers offer an all-in-one security, routing, and switching solution for enterprise small branch offices and small and medium-sized businesses. They feature built-in Fast Ethernet LAN switching, a Fast Ethernet port for DSL or broadband modem connectivity, integrated Cisco IOS Security, and a backup WAN for link redundancy to help ensure high availability of critical business applications.

Figure 6

Cisco 1711/1712 Application Advantages—Workgroup Segmentation with Dial Backup

Benefits

Complete Solution—delivering broadband access with link redundancy, routing, switching and security.

Integrated Network Security—stateful inspection firewall with URL filtering, hardware accelerated VPN encryption (DES & 3DES) delivering 15 Mbps encryption rates, and IDS detecting 100 signatures.

Integrated LAN Switching—4 port 10/100BaseT switch with 802.1Q VLAN and MDI/MDIX auto-configuration.

High WAN Availability—ensures availability of network connection and applications with analog modem or ISDN S/T back-up WAN.

WAN Migration—Use the analog modem or ISDN S/T port as the primary connection, then migrate to a high-speed Cable/DSL connection when available.

Dual ISP Support—The 10/100BaseT ports can be separated to allow simultaneous connection to two ISPs for load balancing and failover protection.

Superior Manageability—CiscoWorks for centralized configuration and management. Embedded web-based Security Device Manager (SDM) for simplified device configuration management.

Hardware

Routers

Cisco 1711 and 1712 Security Access Routers


Product Management Contact: dthaele@cisco.com

2.1.5) Network Modules for Circuit Emulation Services over IP for the 2600, 3600, and 3700 Series Routers

Description

The Cisco 2600/3660/3700 Circuit Emulation over IP (CEoIP) network modules (product IDs: NM-CEM-4T1E1 and NM-CEM-4SER) enable service provider customers to create a new revenue stream by offering a leased line service over existing packet infrastructure. Enterprise and government customers will be enabled to migrate applications which require TDM transport on to their IP networks, thus saving operational expenses.

Hardware

Routers

Cisco 2600 and 3700 Series

Cisco 3600 Router


Product Management Contact: cschwaig@cisco.com

2.1.6) Network Analysis Module for the 2600, 3660, and 3700 Series Routers

Description

The Cisco 2600/3660/3700 Series Network Analysis Module (product ID: NM-NAM) is an integrated traffic-monitoring network module that enables network managers to gain application-level visibility into network traffic at remote sites with the ultimate goal of improving performance, reducing failures, and maximizing return on network investments. It expands the Cisco NAM solution available for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers. It provides the unique advantage of performing remote troubleshooting and traffic analysis through its Web-based NAM Traffic Analyzer without having to send personnel to remote sites or haul large amounts of data to the central site.

Figure 7

The Cisco 2600/3660/3700 Series Network Analysis Module

Benefits

Real Time and Historical Traffic Monitoring in WANs—Analyze bandwidth usage at application level, proactively monitor data and VoIP applications.

Application Performance Management—Identify application response delays observed at branches.

Fault Isolation and Troubleshooting—Remotely isolate network problems, capture/decode packets.

VoIP and QoS Monitoring—Analyze IP Telephony sessions, validate QoS policies.

Capacity Planning and Extended Applications—with standards based software applications.

Hardware

Routers

Cisco 2600 and Cisco 3700 Series

Cisco 3660 Router


Product Management Contact: massung@cisco.com

2.1.7) Cisco Unity Express

Cisco Unity Express offers entry-level voice mail and automated attendant services as an option for the Cisco CallManager Express call-processing solution. This product is critical for Cisco CallManager Express customers in small/medium businesses or branches that need data connectivity and IP Telephony functionality, and those that require the productivity benefits that voice mail and auto attendant services provide. Cisco Unity Express is delivered on a network module that can be used in the Cisco 2600XM Series, Cisco 2691, and the Cisco 3700 Series Access Routers.

Figure 8

Cisco Unity Express

Benefits

Voice-mail and automated attendant features specifically designed for the small and medium office or branch. Cisco Unity Express provides up to 100 personal mailboxes, 20 general delivery mailboxes, 8 concurrent sessions or ports, and 100 hours of onboard storage.

Cisco Unity Express is delivered on a network module form factor that can be integrated into and shared across a broad range of access routers (Cisco 2691 Routers; Cisco 2600XM and 3700 Series Access Routers).

The first release of Cisco Unity Express offers superior voice message management to the user by supporting voice mail features (i.e., replying, forwarding, and saving messages; message marking and play-out options for privacy or urgency; alternate greetings and envelope information).

Cisco Unity Express includes a built-in automated attendant that simplifies self service for callers by allowing them to quickly reach the right person without the assistance of an operator, but maintains the option to return to an operator at any time when greater assistance is needed.

A choice of GUI, command-line interface (CLI) and telephony user interface (TUI) streamlines administration.

Cisco Unity Express software is loaded on the network module at the factory, simplifying deployment. The Cisco Unity Express initialization wizard further expedites the administrator's startup by automatically importing information from Cisco CallManager Express, thereby eliminating the need to replicate data entry.

Hardware

Routers

Cisco 2691 Routers

Cisco 2600XM and 3700 Series Access Routers


Product Management Contact: access-ccme-cue@cisco.com

2.1.8) Cisco IDS Network Module

With the increased complexity of security threats, achieving efficient network intrusion security solutions is critical to maintaining a high level of protection. Vigilant protection helps ensure business continuity and minimizes the effect of costly intrusions. The Cisco IDS Network Module for the Cisco 2600XM and 3700 Series Routers and the Cisco 3660 Router is part of the Cisco IDS Family sensor portfolio and the Cisco Intrusion Protection System. These IDS sensors work in concert with the other IDS components (Figure 49), including Cisco IDS Management Console, CiscoWorks VPN/Security Management Solution, and Cisco IDS Device Manager, to efficiently protect data and information infrastructure.

The Cisco IDS product line delivers a broad range of solutions that allow easy integration into many different environments, including enterprise and service provider environments. Each sensor addresses the bandwidth requirements of different routers up to 10 Mbps in the Cisco 2600XM, and up to 45 Mbps in the Cisco 3700 Series. The appliance product supports 80 Mbps to 1 Gbps.

The Cisco IDS Network Module can monitor up to 45 Mbps of traffic and is suitable for T1/E1 and T3 environments. A router installed with this IDS network module also supports other Cisco IOS Security features such as VPN, firewall, Multiprotocol Label Switching (MPLS), Network Address Translation (NAT), and Web Cache Control Protocol (WCCP), while supporting all common Cisco IOS Software functions.

Cisco IDS Network Modules fit into a single network module slot on the Cisco 2600XM Series, Cisco 3660, and Cisco 3700 Series Routers. The available configuration is a 20-gigabyte hard disk for logging and storage of events. The external Ethernet port is used for command and control to enable a secure outbound port for management. This setup also allows for both security operations and network operations to have their own command and control interfaces.

Figure 9

Cisco IDS Network Module

Benefits

By integrating IDS and branch office routing, Cisco reduces the complexity of securing WAN links, while reducing operational costs. Following are the benefits associated with the integration of the IDS into the branch office router:

Physical Space Savings: uses a single network module slot in a Cisco 2600XM Series, Cisco 3660, or Cisco 3700 Series branch office router.

Simple Power and Cable Management: takes advantage of the power options of the router, including DC power and redundant power.

Common Management Interface: can be configured and managed from the Cisco IOS Software CLI. This network module supports all the same CiscoWorks Management Center for Cisco IDS Sensors that the Cisco IDS 4200 Series supports, allowing customers to use one centralized management system for both appliance and router IDS sensors.

Network Command and Control Interface: by using the external Fast Ethernet port for command and control, the Cisco IDS Network Module internal router connection is free to capture the packets to the network module for processing by the IDS engine.

Separate Processor for the Cisco IDS Network Module to Maximize Performance: a dedicated CPU in the network module frees the router CPU from process-intensive IDS tasks.

Lower Operational Costs: the Cisco IDS Network Module is covered via Cisco maintenance service for the router. This setup minimizes network operational costs.

Hardware

Routers

Cisco 2600XM, 3600, and 3700 Series Routers

Cisco 2691 Router


Product Management Contact: Kevin Sullivan, sullivan@cisco.com

2.2) Broadband

Table 3  Broadband Feature Highlights

Sections

2.2.1) Upstream Connection Speed Transfer at LAC

This feature allows the configuration for Layer 2 Tunneling Protocol (L2TP) Attribute-Value Pair 38 (AVP) at the L2TP Access Concentrator (LAC). AVP38 allows the communication of the upstream (from the remote site to the LAC) connection speed and complements Cisco's existing support for AVP24 for downstream (from LAC to remote site) connection speed. This support allows for the creation of asymmetric broadband services where the upstream and downstream connection speeds differ.

Benefits

Allows support of asymmetric broadband service speeds such as Asymmetric DSL (ADSL).

Better compliance with RFC2661 for L2TP.

Required for regulatory compliance in European countries like Germany.
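As an added example (not from the Cisco bulletin), the following Python module encodes the two connect-speed AVPs as a LAC would send them for an asymmetric subscriber and parses them back with the length checks a receiver needs. The AVP layout and attribute numbers (24 for Tx Connect Speed, 38 for Rx Connect Speed) follow RFC 2661; the 8 Mbps downstream / 1 Mbps upstream values are constructed, and the function names are the example's own.

```python
"""Encode and decode the L2TP connect-speed AVPs from RFC 2661.

Added example: shows how a LAC signals asymmetric upstream and downstream
speeds with AVP 24 (Tx Connect Speed) and AVP 38 (Rx Connect Speed), and
how a receiver parses an AVP stream without trusting the length field.
"""
import struct
from dataclasses import dataclass

IETF_VENDOR_ID = 0
AVP_TX_CONNECT_SPEED = 24  # LAC -> remote site, i.e. downstream
AVP_RX_CONNECT_SPEED = 38  # remote site -> LAC, i.e. upstream
AVP_HEADER_LEN = 6
MAX_AVP_LEN = 0x3FF        # the AVP length field is 10 bits wide


@dataclass
class Avp:
    mandatory: bool
    hidden: bool
    vendor_id: int
    attr_type: int
    value: bytes


def encode_avp(attr_type, value, mandatory=True, vendor_id=IETF_VENDOR_ID):
    """Build one AVP: M/H flag bits plus 10-bit length, vendor ID, type, value."""
    length = AVP_HEADER_LEN + len(value)
    if length > MAX_AVP_LEN:
        raise ValueError("AVP value too long")
    flags_len = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags_len, vendor_id, attr_type) + value


def encode_connect_speeds(downstream_bps, upstream_bps):
    """Speeds as a LAC carries them for an asymmetric (e.g. ADSL) subscriber.

    AVP 38 is sent with the M bit clear: a peer that does not implement it
    then ignores it instead of tearing the session down (RFC 2661 rule for
    unrecognised AVPs with M=0).
    """
    return (encode_avp(AVP_TX_CONNECT_SPEED, struct.pack("!I", downstream_bps))
            + encode_avp(AVP_RX_CONNECT_SPEED, struct.pack("!I", upstream_bps),
                         mandatory=False))


def decode_avps(data):
    """Parse a sequence of AVPs, rejecting truncated or out-of-range lengths."""
    avps, offset = [], 0
    while offset < len(data):
        if len(data) - offset < AVP_HEADER_LEN:
            raise ValueError(f"truncated AVP header at offset {offset}")
        flags_len, vendor_id, attr_type = struct.unpack_from("!HHH", data, offset)
        length = flags_len & MAX_AVP_LEN
        if length < AVP_HEADER_LEN or offset + length > len(data):
            raise ValueError(f"bad AVP length {length} at offset {offset}")
        avps.append(Avp(bool(flags_len & 0x8000), bool(flags_len & 0x4000),
                        vendor_id, attr_type,
                        data[offset + AVP_HEADER_LEN:offset + length]))
        offset += length
    return avps


def connect_speeds(avps):
    """Return {'downstream_bps': ..., 'upstream_bps': ...} for the speed AVPs present."""
    names = {AVP_TX_CONNECT_SPEED: "downstream_bps", AVP_RX_CONNECT_SPEED: "upstream_bps"}
    speeds = {}
    for avp in avps:
        if avp.vendor_id != IETF_VENDOR_ID or avp.attr_type not in names:
            continue
        if avp.hidden:
            raise ValueError("hidden AVP needs the tunnel secret to unhide")
        if len(avp.value) != 4:
            raise ValueError(f"AVP {avp.attr_type} must carry a 4-octet speed")
        speeds[names[avp.attr_type]] = struct.unpack("!I", avp.value)[0]
    return speeds


if __name__ == "__main__":
    wire = encode_connect_speeds(8_000_000, 1_000_000)  # constructed ADSL-like values
    print(wire.hex())
    print(connect_speeds(decode_avps(wire)))
```

The decoder bounds every AVP by the buffer it arrived in before slicing, so a length field that points past the end of the control message is rejected rather than read; that is the check a LAC or LNS needs on any AVP stream from an untrusted peer.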

Hardware

Routers

Cisco 7200, 7300, and 7400 Series Routers


Product Management Contact: sbhardwa@cisco.com

2.2.2) Configurable MAC Address for bba-group

This feature allows the configuration of separate MAC addresses for PPPoE and RBE sessions on the same physical ATM interface. This is important since the aggregation router, as shown in Figure 10, uses the ATM interface's MAC address as the source address for both the PPPoE and RBE incoming sessions. In cases where multiple hosts exist and PPPoE and RBE sessions have been initiated, there is a need to configure the MAC address (versus simply taking the MAC address from the ATM interface of the CPE router) so that the different sessions can be differentiated. This feature is only available under the bba-group configuration mode and requires each session to be on its own PVC.

Figure 10

Configurable MAC Address for bba-group

Benefits

Allows support of multiple session types, like RBE and PPPoE, on the same ATM interface for broadband applications.

Hardware

Routers

Cisco 7200, 7300, and 7400 Series Routers


Considerations

Only configurable under the bba-group mode and not vpdn-group mode.

Requires each session to be on its own PVC.

Product Management Contact: sbhardwa@cisco.com

2.2.3) Explicit Call Transfer for ETSI PRI

Explicit Call Transfer (ECT) allows the router to transfer a call received from the PSTN to its final destination number on the PSTN instead of "hairpinning" the call on the router interface and consuming DS0 channels on a PRI interface. This feature makes ECT work with the ETSI (NET5) switch type and so improves channel utilization on a PRI interface. The typical architecture has a Cisco AS5000 Series gateway acting as a voice gateway between a Session Initiation Protocol (SIP) based Voice Recognition Server (VRS) and a central office switch in the PSTN. The application is call transfer driven by voice recognition (the voice-activated menus of call centers such as an airline reservation system) for service provider customers operating large customer contact centers. In these applications, the call flow proceeds as follows:

1. An initial call is received on a PRI interface of the Cisco AS5000 Series and routed to the Voice Recognition Server via a SIP interface.

2. The VRS identifies a destination number to transfer the call to based on a voice command selection from the end user.

3. The VRS sends the appropriate SIP message with the destination number to the Cisco AS5000 Series, which performs an Explicit Call Transfer of the original call on its PRI interface.

Benefits

Allows better utilization of DS0 channels on PRI interfaces for VoIP applications and allows Call Transfer functionality to work with ETSI (NET5) switch types, which are found in Europe and Asia.

Hardware

Access Servers

Cisco AS5000 Series Access Server


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.4) Protocol Translation Template

Protocol Translation Template (PTT) gives Telco Data Communication Network (DCN) customers more flexibility in configuring protocol translation (PT) sessions in environments where a large number of PT sessions must be configured. The current PT configuration requires a static mapping from each incoming connection type (PAD, Telnet, LAT) and its parameters to the outbound protocol connection (PAD, Telnet, LAT, PPP, SLIP, and so on) and its parameters. PTT allows a template to be built that contains a `ruleset' for constructing the configuration dynamically, simplifying the creation of large-scale PT configurations. The `ruleset' supports multiline string searches, comparisons, and substitutions within the template to produce the PT configuration.

Benefits

Using Protocol Translation Templates will allow Telco DCN administrators to create large scale PT configurations in a quicker and more error-free manner. Administrators will not have to configure a large number of static PT sessions and will have a simple method to configure a general purpose PTT.

Hardware

Routers

Cisco 2610XM, 2620XM, 3660, 3725, and 3745 Routers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.5) Asynchronous Line Monitoring

Asynchronous Line Monitoring enables the monitoring of control characters, along with the character-mode traffic, on an asynchronous line. A new keyword, `control-char', is added to the existing `monitor traffic' CLI command to turn on this function.

Asynchronous Line Monitoring also adds the ability to lock the keyboard, preventing the insertion of typed characters into the stream of characters on the asynchronous line.

The modified CLI will look like this:

monitor traffic line <line> [in] [out] [control-char][interactive]

This functionality is important for Telco Data Communication Network (DCN) applications where Service Providers want to monitor remote Network Elements via asynchronous lines.

Figure 11

Asynchronous Line Monitoring

In the DCN application example shown above, the user opens a telnet session from the Operation Support System (OSS) host to the Network Element.

Benefits

Asynchronous Line Monitoring provides added granularity and enables network administrators to control traffic on asynchronous lines.

Hardware

Routers

Cisco 2610XM, 2620XM, 3660, 3725, and 3745 Routers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.6) VRF Aware Dialer Watch

Description

The virtual routing and forwarding instance (VRF) Aware Dialer Watch feature enhances dialer watch functionality by allowing an IP address and VRF pair to be watched for dial backup. In this way, a given VRF (or set of VRFs) may be backed up by an ISDN or Dial Connection. This functionality provides an added measure of fault tolerance in a VPN environment.

Figure 12

VRF Aware Dialer Watch Typical Configuration

A typical scenario for the VRF Aware Dialer Watch feature follows:

A VRF router learns the route to the CE (Customer Edge) from a PE (Provider Edge).

The VRF router watches these learned routes to the CEs.

The primary link between a PE and CE goes down.

The watched route goes down in the VRF router.

Dialer Watch call is initiated to the corresponding CE.

Benefits

Enhanced fault tolerance and network resiliency in VPN environments.

Hardware

Routers

Cisco 3631, 3640, 3640A, and 3660 Routers

Cisco 3725 and 3745 Routers


Product Management Contact: sbhardwa@cisco.com

2.2.7) PPP/MLP MRRU Negotiation

Description

The PPP/MLP MRRU Negotiation Configuration feature enables a router to send and receive frames over Multilink PPP (MLP) bundles that are larger than the default Maximum Receive Reconstructed Unit (MRRU) limit of 1524 bytes. Previously, the MRRU option negotiated on a multilink bundle could not be configured: Cisco IOS Software always advertised the default MRRU of 1524 bytes, which restricted the maximum transmission unit (MTU) of the peer's bundle interface to 1524 bytes or fewer for successful data transfer.

The PPP/MLP MRRU Negotiation Configuration feature provides configuration control over MRRU negotiation. A new interface configuration command introduced with this feature, ppp multilink mrru, allows configuration of the specific MRRU value that the router advertises and, optionally, a lower boundary on the MRRU value the peer must advertise.
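As an added illustration, not code from the bulletin or from Cisco IOS, the following Python encodes and answers the LCP Configure-Request that carries the MRRU option (RFC 1990, option type 17), showing what "the value the router advertises" and "a lower boundary on the peer's value" mean on the wire. The Nak-with-boundary policy, the 1524-byte default taken from the text above, and the packet contents are this example's own assumptions; the LCP and option layouts follow RFC 1661 and RFC 1990.

```python
import struct
from typing import List, Optional, Tuple

# LCP codes (RFC 1661) and the MRRU option (RFC 1990): constants from the RFCs, not from the bulletin
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_MRRU = 17
DEFAULT_MRRU = 1524          # Cisco IOS default cited in the text above

Option = Tuple[int, bytes]


def encode_lcp(code: int, ident: int, options: List[Option]) -> bytes:
    """LCP packet: code, identifier, 2-byte length (header included), then type/length/data options."""
    opts = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in options)
    return struct.pack("!BBH", code, ident, 4 + len(opts)) + opts


def decode_lcp(pkt: bytes) -> Tuple[int, int, List[Option]]:
    """Parse an LCP packet, rejecting lengths that do not fit the buffer."""
    if len(pkt) < 4:
        raise ValueError("short LCP packet")
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    options, off = [], 4
    while off < length:
        if length - off < 2:
            raise ValueError("truncated option")
        opt_type, opt_len = struct.unpack_from("!BB", pkt, off)
        if opt_len < 2 or off + opt_len > length:
            raise ValueError("bad option length")
        options.append((opt_type, pkt[off + 2:off + opt_len]))
        off += opt_len
    return code, ident, options


def build_conf_req(ident: int, local_mrru: int = DEFAULT_MRRU) -> bytes:
    """Our Configure-Request: the MRRU we advertise is the largest reconstructed frame we can receive."""
    return encode_lcp(CONF_REQ, ident, [(OPT_MRRU, struct.pack("!H", local_mrru))])


def offered_mrru(conf_req: bytes) -> Optional[int]:
    """MRRU the sender of this Configure-Request will accept, i.e. the bundle MTU we may use toward it."""
    for opt_type, value in decode_lcp(conf_req)[2]:
        if opt_type == OPT_MRRU and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def answer_conf_req(pkt: bytes, remote_min: Optional[int] = None) -> bytes:
    """Answer the peer's Configure-Request. Policy of this example: Ack the MRRU the peer offers
    unless it is below remote_min (the 'lower boundary on the peer's MRRU'), in which case
    Configure-Nak it with remote_min as the value we would accept. A malformed MRRU is rejected.
    Other options are echoed unchanged; a real LCP would evaluate each of them too."""
    code, ident, options = decode_lcp(pkt)
    if code != CONF_REQ:
        raise ValueError("expected Configure-Request")
    for opt_type, value in options:
        if opt_type != OPT_MRRU:
            continue
        if len(value) != 2:
            return encode_lcp(CONF_REJ, ident, [(opt_type, value)])
        mrru = struct.unpack("!H", value)[0]
        if remote_min is not None and mrru < remote_min:
            return encode_lcp(CONF_NAK, ident, [(OPT_MRRU, struct.pack("!H", remote_min))])
    return encode_lcp(CONF_ACK, ident, options)


if __name__ == "__main__":
    peer_req = build_conf_req(ident=7, local_mrru=1524)            # peer still on the 1524-byte default
    print(decode_lcp(answer_conf_req(peer_req)))                   # Ack: no lower boundary configured
    print(decode_lcp(answer_conf_req(peer_req, remote_min=1600)))  # Nak carrying 1600
```

The value each side may actually send on the bundle is the MRRU the other side advertised, which is why raising only the local value does not help when the peer keeps offering 1524; the lower boundary is what forces the peer to come up or fail negotiation.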

Benefits

This feature is useful when the addition of a header, such as an IPsec header or an application header, causes packets on an MLP interface to exceed the 1500-byte MTU of a typical IP packet.

Hardware

Routers

All (platform independent)


Product Management Contact: sbhardwa@cisco.com

2.2.8) Digital Private Network Signaling System Backhaul

This feature introduces support for Digital Private Network Signaling System (DPNSS) Layer 2 functionality on the Cisco Gateway (GW) Router. It supports Layer 3 backhauling to a Cisco PGW2200 using DPNSS and Digital Access Signaling System (DASS) User Adaptation (DUA) over Stream Control Transmission Protocol (SCTP).

DPNSS was developed by British Telecom and is used in the United Kingdom, Northern Europe, and parts of Asia. It is a standard and open protocol used between PBXs in a private network that enables complex features to work on a network basis. This feature applies the DPNSS backhaul solution on Cisco gateways to provide connectivity and services to the PBXs that are running the DPNSS protocol.

Benefits

This functionality enables Cisco routers to interoperate with PBXs that run the DPNSS signaling protocol. This will allow for successful migration of Cisco VoIP solutions into a DPNSS-based PBX environment.

Hardware

Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3725 and 3745 Routers


Product Management Contact: sbhardwa@cisco.com

2.2.9) V.120 Support for Network Access Servers

The V.120 Support for Network Access Server (NAS) feature supports the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) V.120 rate adaptation standard, which allows connectivity to lower-bandwidth devices through rate adaptation. This feature was developed for the Media Gateway Control Protocol (MGCP) NAS package, and allows ISDN terminal adapters to transfer data. The MGCP NAS package implements signals and events to create, modify, and close data calls. The events include signaling the arrival of an outbound call (for example, IP to Public Switched Telephone Network (PSTN)) to the media gateway controller (call agent), reporting carrier loss and call authorization status, and receiving callback requests.

Benefits

This feature enables Cisco routers to act as a gateway between networks with different data rates that use the V.120 standard.

Hardware

Access Servers

Cisco AS5300, AS5350, AS5400, AS5850-ERSC, and AS5850-RSC Series Access Servers


Product Management Contact: sbhardwa@cisco.com

2.2.10) Layer 2 Tunnel Protocol Tunnel Connection Speed Labeling

In previous releases of Cisco IOS Software, when a Layer 2 Tunnel Protocol (L2TP) Network Server (LNS) received an Incoming-Call-Connected (ICCN) message, there was no check on the user's connection speed. L2TP Tunnel Connection Speed Labeling introduces the ability to accept or deny an L2TP session based on the allowed connection speed configured for that user on the Cisco Access Registrar (ARS) RADIUS server. This allows RADIUS-based authorization of users according to their Service Level Agreement (SLA).
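As an added example, not code from the bulletin or from Cisco IOS, the following Python parses the AVP list of an ICCN message, reads the (Tx) Connect Speed (AVP 24) and Rx Connect Speed (AVP 38) described in section 2.2.1, and applies the kind of per-user speed check this feature describes. The AVP layout, type numbers and the rule that an unrecognised AVP with the M bit set aborts the session come from RFC 2661; the per-user profile is a constructed stand-in for what the RADIUS server would return, and its attribute names, the sample speeds and the deny messages are this example's assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 2661 constants (from the RFC, not from the bulletin)
MSG_ICCN = 12                # Incoming-Call-Connected message type
AVP_MESSAGE_TYPE = 0
AVP_TX_CONNECT_SPEED = 24    # (Tx) Connect Speed: bps from the LAC toward the remote (downstream)
AVP_RX_CONNECT_SPEED = 38    # Rx Connect Speed: bps from the remote toward the LAC (upstream)
KNOWN_AVPS = {AVP_MESSAGE_TYPE, AVP_TX_CONNECT_SPEED, AVP_RX_CONNECT_SPEED}


@dataclass
class Avp:
    mandatory: bool     # M bit: an unrecognised AVP with M set must abort the tunnel or session
    hidden: bool        # H bit: value is hidden with the tunnel secret (not handled in this example)
    vendor_id: int
    attr_type: int
    value: bytes


def encode_avp(attr_type: int, value: bytes, mandatory: bool = True, vendor_id: int = 0) -> bytes:
    """One AVP: 2 bytes of M/H flags plus a 10-bit length, 2-byte vendor ID, 2-byte type, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP value too long")
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, vendor_id, attr_type) + value


def decode_avps(body: bytes) -> List[Avp]:
    """Walk the AVP list of a control-message body, rejecting truncated or overlapping AVPs."""
    avps, off = [], 0
    while off < len(body):
        if len(body) - off < 6:
            raise ValueError("truncated AVP header")
        flags, vendor_id, attr_type = struct.unpack_from("!HHH", body, off)
        length = flags & 0x03FF
        if length < 6 or off + length > len(body):
            raise ValueError("AVP length out of range")
        avps.append(Avp(bool(flags & 0x8000), bool(flags & 0x4000),
                        vendor_id, attr_type, body[off + 6:off + length]))
        off += length
    return avps


def build_iccn(tx_bps: int, rx_bps: Optional[int]) -> bytes:
    """Constructed ICCN body as a LAC would send it; AVP 38 is optional and carries M=0 per RFC 2661."""
    body = encode_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_ICCN))
    body += encode_avp(AVP_TX_CONNECT_SPEED, struct.pack("!I", tx_bps))
    if rx_bps is not None:
        body += encode_avp(AVP_RX_CONNECT_SPEED, struct.pack("!I", rx_bps), mandatory=False)
    return body


def _u32(avp: Avp) -> int:
    if len(avp.value) != 4:
        raise ValueError(f"AVP {avp.attr_type} must be 4 bytes")
    return struct.unpack("!I", avp.value)[0]


def connect_speeds(body: bytes) -> Tuple[int, int]:
    """Return (downstream_bps, upstream_bps) from an ICCN body, or raise if it cannot be trusted."""
    tx = rx = None
    for avp in decode_avps(body):
        if avp.vendor_id != 0 or avp.attr_type not in KNOWN_AVPS:
            if avp.mandatory:
                raise ValueError(f"unknown mandatory AVP {avp.vendor_id}:{avp.attr_type}")
            continue
        if avp.hidden:
            raise ValueError("hidden AVPs need the tunnel secret; not handled here")
        if avp.attr_type == AVP_MESSAGE_TYPE:
            if len(avp.value) != 2 or struct.unpack("!H", avp.value)[0] != MSG_ICCN:
                raise ValueError("not an ICCN message")
        elif avp.attr_type == AVP_TX_CONNECT_SPEED:
            tx = _u32(avp)
        else:
            rx = _u32(avp)
    if tx is None:
        raise ValueError("ICCN without (Tx) Connect Speed")
    # RFC 2661: if Rx Connect Speed is absent the connection is assumed symmetric.
    return tx, (rx if rx is not None else tx)


def authorize_session(body: bytes, profile: Dict[str, int]) -> Tuple[bool, str]:
    """Accept or deny the session against the user's SLA. 'profile' stands in for the per-user
    attributes the RADIUS server would return; its keys are this example's assumption."""
    try:
        down, up = connect_speeds(body)
    except ValueError as exc:
        return False, f"deny: {exc}"
    if down > profile["max_downstream_bps"]:
        return False, f"deny: downstream {down} bps exceeds SLA {profile['max_downstream_bps']} bps"
    if up > profile["max_upstream_bps"]:
        return False, f"deny: upstream {up} bps exceeds SLA {profile['max_upstream_bps']} bps"
    return True, f"accept: {down} bps down / {up} bps up"


if __name__ == "__main__":
    sla = {"max_downstream_bps": 8_000_000, "max_upstream_bps": 1_024_000}   # constructed profile
    print(authorize_session(build_iccn(8_000_000, 1_024_000), sla))
    print(authorize_session(build_iccn(24_000_000, 1_024_000), sla))
```

Note that the speeds in the ICCN are asserted by the LAC, so this check is only as trustworthy as the tunnel peer; a malformed or truncated AVP list is treated as a deny rather than a best-effort parse.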

Benefits

This feature enables an LNS to authorize users for network access based upon the connection speed of the session. This is useful in certain European markets due to regulatory requirements.

Hardware

Routers

Cisco 7200, 7301, and 7400 Series Routers

Cisco 7301, 7304-NPE-G100, and 7304-NSE-100 Routers


Product Management Contact: sbhardwa@cisco.com

2.2.11) Peer Pool Backup Command

The "peer pool backup" facility provides the ability to specify a "preferred" IP address pool from AAA (on a per-user basis) while still providing alternate pools when the AAA-specified pool is exhausted or not yet created. This functionality is driven by the emergence of numerous independently controlled AAA servers in large-scale dial or DSL environments, where user groups are assigned address ranges but share a common "overflow" pool so that the number of users in a group can far exceed the assigned range. The facility also allows the loading of dynamic IP address pools to be suppressed on a per-interface basis, and the AAA pool name to be limited to a set acceptable to the NAS; both are key when the NAS and AAA are controlled by separate parties.

Benefits

Allows Cisco routers increased flexibility and scalability in assigning IP addresses for Dial/DSL environments which have a large service subscriber base.

Hardware

Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

Cisco 3631, 3640, and 3660 Routers

Cisco 7200 and 7400 Series Routers

Access Servers

Cisco AS5300, AS5350, AS5400, AS5850-ERSC, and AS5850-RSC Series Access Servers


Product Management Contact: sbhardwa@cisco.com

2.2.12) Point to Point Protocol over Ethernet Relay

Point-to-Point Protocol over Ethernet (PPPoE) Relay enables an L2TP access concentrator (LAC) to relay PPPoE active discovery and service selection, over an L2TP control channel, to an L2TP network server (LNS) or tunnel switch. This relay enables the LNS or tunnel switch to advertise the services it offers to the client, providing end-to-end control of services between the LNS and a PPPoE client.

Benefits

PPPoE Relay allows end-to-end control of services between LNS and PPPoE client. This allows a broadband Service Provider added flexibility in the services offered to the user base or further granularity to customize the network based upon the subscriber.

Hardware

Routers

Cisco 7200 and 7400 Series Routers


Product Management Contact: sbhardwa@cisco.com

2.2.13) PPPoE Session Limit per NAS Port Download

PPPoE Session Limit Per NAS Port limits the number of PPPoE sessions on a specific virtual circuit (VC) or VLAN configured on an L2TP access concentrator (LAC). The NAS port is either an ATM VC or a configured VLAN ID.

The PPPoE per-NAS-port session limit is maintained in a RADIUS server customer profile database. This customer profile database is connected to a LAC and is separate from the RADIUS server that the LAC and L2TP Network Server (LNS) use for the authentication and authorization of incoming users. See Figure 13 for a sample network topology.

Figure 13

PPPoE Session Limit Per NAS Port Sample Topology

Benefits

Allows centralized control of the number of users on a given port for a service provider. This is useful when dealing with multiple LAC devices.

Hardware

Routers

Cisco 7200 and 7400 Series Routers


Product Management Contact: sbhardwa@cisco.com

2.2.14) Telnet/Packet Assembler/Disassembler Translation Authorization

Due to the security risks inherent in allowing unauthorized network usage, it is important to authorize sessions before allowing access to network resources. In previous releases of Cisco IOS Software, one-step protocol translation sessions were established without first issuing an authorization request. The Telnet/Packet Assembler/Disassembler (PAD) Translation Authorization feature adds an option to require that an authorization request be issued as a prerequisite to establishing a protocol translation session.

Benefits

The key benefit is enhanced security introduced by the Authorization step when using Telnet sessions or low-cost PAD devices for managing Network Elements in Telco environments with X.25.

Hardware

Routers

Cisco 2691 Router

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM Series

Cisco 3631, 3640, 3640A, and 3660 Routers


Considerations

This feature is supported only for X.25-to-TCP and TCP-to-X.25 protocol translation sessions.

It is supported for both permanent virtual circuit (PVC) and switched virtual circuit (SVC) X.25 connections.

Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.15) X.25 Data Display Trace

The ability to debug a network is of vital importance when trying to trace the source of problems that cause lack of connectivity or suboptimal performance. X.25 Data Display Trace enhances the Cisco IOS Software debugging capability for X.25. It enables an authorized user to display the entire X.25-encoded traffic stream, including user data, for those packets specified by an X.25 debug command. Because the display includes user payload and not just protocol headers, trace output should be handled as sensitive data.

Benefits

X.25 Data Display Traces enables enhanced debugging capabilities for maintaining a router network or perhaps using the router to troubleshoot a network with X.25 connectivity.

Hardware

Routers

All routers supporting X.25 encapsulation on serial interfaces


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.16) PPPoE over VLAN Scaling and ATM Support for PPPoE over VLANs

Scalability, both in terms of session counts and more broadly in terms of media types supported, is of critical importance to Service Providers deploying Broadband Networks. The PPPoE over VLAN Scaling and ATM Support for PPPoE over VLANs feature provides two enhancements to PPP over Ethernet (PPPoE) over IEEE 802.1Q VLAN functionality:

Session Scalability: removes the requirement for each PPPoE over VLAN session to be created on a subinterface. Removing this requirement increases the number of VLANs that can be configured on a router to 4000 VLANs per interface.

Media Support: adds ATM permanent virtual circuit (PVC) support for PPPoE over VLAN traffic that uses bridged RFC 1483 encapsulation.

Figure 14

Sample Network Topology for PPPoE over 802.1Q VLANs over ATM

Benefits

Lower cost per session due to the increase in session scalability.

Increased flexibility in choosing the underlying physical media for PPPoE over VLAN traffic, due to the ATM support.

Hardware

Routers

Cisco 1700, 7200, 7300, and 7400 Series Routers

Cisco 3725 and 3745 Routers


Considerations

PPPoE over 802.1Q VLAN support can be configured without using subinterfaces on the PPPoE server only.

ATM PVC support for PPPoE over 802.1Q VLANs can be configured only on the PPPoE server.

Scalability targets refer to software configurability only. Hardware memory and performance considerations may impose lower limits to the number of usable sessions on a given hardware product.

Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.17) End of Record Functionality for Data Communication Networks

The Cisco Protocol Translator is designed to support telnet-like applications that are stream-based, with no recognition or accommodation for logical records. This can cause problems for record-oriented applications, because the record boundaries in X.25 data are lost during translation to TCP.

End of Record Functionality for Data Communication Networks (DCN) provides for the configuration of an End of Record (EOR) marker, enabling the X.25 logical boundaries to be marked when translated to TCP. The feature enables the preservation of logical boundaries when translating X.25 data to TCP, enabling X.25-based networking solutions to adapt to and benefit from TCP/IP technologies.
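To make the record-boundary problem concrete, here is an added Python example (not Cisco's implementation): X.25 data packets are reassembled into logical records using the More-data (M) bit, then written to a byte stream with an end-of-record marker and read back, including the partial-delivery case a TCP reader must handle. The marker and escape bytes (0x1E and 0x1D), the byte-stuffing scheme and the sample packets are assumptions of this example; the bulletin does not specify how IOS encodes the EOR marker.

```python
from typing import Iterable, List, Tuple

# Marker bytes assumed by this example; the bulletin does not say how IOS encodes the EOR marker.
EOR = b"\x1e"   # ASCII Record Separator terminates each record on the TCP side
ESC = b"\x1d"   # ASCII Group Separator escapes an EOR or ESC byte occurring inside record data


def x25_records(packets: Iterable[Tuple[bool, bytes]]) -> List[bytes]:
    """Reassemble X.25 data packets into logical records. Each item is (m_bit, user_data); the M (More
    data) bit is set on every packet of a complete packet sequence except the last one."""
    records, current = [], bytearray()
    for more, data in packets:
        current += data
        if not more:
            records.append(bytes(current))
            current = bytearray()
    if current:
        raise ValueError("sequence not complete: last packet still had the M bit set")
    return records


def to_stream(records: Iterable[bytes]) -> bytes:
    """Write records to a byte stream with an EOR after each one. Plain concatenation is what a
    stream-oriented translator does, and it loses the boundaries; the marker keeps them."""
    out = bytearray()
    for rec in records:
        # escape ESC first, then EOR, so that decoding (one literal byte after ESC) is unambiguous
        out += rec.replace(ESC, ESC + ESC).replace(EOR, ESC + EOR) + EOR
    return bytes(out)


def from_stream(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a stream back into records. Returns (complete records, unconsumed tail) so a TCP reader
    can keep the tail and call again when more bytes arrive."""
    records, current, i, consumed = [], bytearray(), 0, 0
    while i < len(stream):
        b = stream[i:i + 1]
        if b == ESC:
            if i + 1 >= len(stream):
                break                       # escape is the last byte so far: wait for its partner
            current += stream[i + 1:i + 2]
            i += 2
        elif b == EOR:
            records.append(bytes(current))
            current = bytearray()
            i += 1
            consumed = i
        else:
            current += b
            i += 1
    return records, stream[consumed:]


if __name__ == "__main__":
    # constructed packet sequence: three records, the last containing both marker bytes as data
    pkts = [(True, b"SET-ALARM "), (False, b"NE-01\r"), (False, b"ACK\r"), (True, b"bin\x1e"), (False, b"\x1d!")]
    recs = x25_records(pkts)
    stream = to_stream(recs)
    print(recs, from_stream(stream), from_stream(stream[:7]), sep="\n")
```

Escaping is what makes the marker safe for binary payloads; without it, a record that happens to contain 0x1E would be split in two, which is the same class of boundary error the feature exists to remove.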

Benefits

The benefit of this feature is that it preserves data integrity in X.25 over TCP (XOT) protocol translation environments and minimizes the need for packet resends, which improves network performance and data throughput.

Hardware

Routers

Cisco 2610XM, 2611XM, 2691, 3631, 3640, 3660, 3725, and 3745 Routers

Cisco 7200, 7400, and 7500 Series Routers

Switches

Cisco IGX8400-URM Switch

Access Servers

Cisco AS5300, AS5350, and AS5400 Series Access Servers


Considerations

This feature is supported only for XOT protocol translation sessions.

Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.18) Packet Assembler/Disassembler Subaddress Formatting Option

Prior to Cisco IOS Software Release 12.3(2)T, Packet Assembler/Disassembler (PAD) subaddressing specified a two-digit field for subaddressing that required a leading zero for subaddress values less than 10 (that is, 0-9). The PAD Subaddress Formatting Option feature introduces the ability to suppress the leading zero for subaddresses with a value of nine or lower. This suppression occurs before the subaddress field is appended to the calling address.

Figure 15

X25 Addressing Scheme: PAD Calls from Branch Office to Host

Benefits

This feature increases compatibility with X.25 host systems that use single-digit subaddresses. This will be particularly relevant for European X.25 host systems, which have a large installed base of single-digit systems.

Hardware

Routers

Cisco 800 Series Routers

Cisco 1700 Series Access Routers

Cisco 2691, 3631, 3640, 3660, 3725, 3745 Routers

Cisco 7200, 7400, and 7500 Series Routers

Switches

Cisco Catalyst 4000-AGM Series

Cisco IGX8400-URM Series Switches


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.19) Layer 2 Tunneling Protocol Version 3

Layer 2 Tunneling Protocol version 3 (L2TPv3) is the Cisco solution for transporting Layer 2 packets over an IP network. L2TPv3 extends the usability of IP networks by enabling the transport of Layer 2 frames over an IP infrastructure. L2TPv3 is required for supporting legacy services over IP infrastructures and for supporting several new connectivity options, including Layer 2 virtual private networks (VPNs) and Layer 2 virtual leased lines.

L2TPv3 is an update to RFC 2661 (L2TPv2). L2TPv2 was originally defined as a method of tunneling PPP frames across packet-switched data networks. A need emerged to update the specification so that it could cover all Layer 2 encapsulations that require tunneling across packet networks, which led to the development of L2TPv3.

L2TPv3 includes two notable changes: removal of the PPP-specific portions of the L2TPv2 header, which generalizes it for other applications, and the transition to a format suited to high-speed decapsulation.

L2TPv3 uses a directed control channel session between edge routers for setting up and maintaining connections. Forwarding occurs through IP packet forwarding between the two edge devices. Two headers, an IP header and the L2TPv3 header, are used to forward packets between routers. The outer header is an IP header that routes tunneled packets over the IP backbone to the egress provider edge (PE) device. The L2TPv3 header (a session ID and, optionally, a cookie) determines the egress interface and is used to bind the Layer 2 egress interface to the tunnel.
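As an added example (not Cisco code), the following Python shows how a receiver uses the L2TPv3 header to bind a data packet to its Layer 2 egress interface: it looks up the 32-bit session ID, checks the per-session cookie in constant time before trusting the packet, skips the optional default L2-specific sublayer, and hands the payload to the attachment circuit. The header layout follows RFC 3931 (L2TPv3 over IP); the session table, interface names, cookies and sample frame are constructed for the example.

```python
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Data-packet layout for L2TPv3 over IP (RFC 3931): Session ID | Cookie (0, 4 or 8 bytes) |
# optional default L2-Specific Sublayer (4 bytes) | Layer 2 payload. In the sublayer the
# 'S' bit is 0x40000000 and the low 24 bits carry the sequence number.
L2_SUBLAYER_S_BIT = 0x40000000
SEQ_MASK = 0x00FFFFFF


@dataclass(frozen=True)
class Session:
    cookie: bytes                 # random value agreed at session setup; 0, 4 or 8 bytes
    egress_interface: str         # the Layer 2 attachment circuit bound to this session
    l2_sublayer: bool = False     # True if the default L2-specific sublayer is in use


def new_cookie(size: int = 8) -> bytes:
    """A cookie only defends against blind injection if it is unpredictable: use 64 random bits."""
    if size not in (0, 4, 8):
        raise ValueError("L2TPv3 cookie must be 0, 4 or 8 bytes")
    return os.urandom(size)


def encapsulate(session_id: int, session: Session, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Build the part of the packet that follows the outer IP header (the ingress PE's job)."""
    hdr = struct.pack("!I", session_id) + session.cookie
    if session.l2_sublayer:
        sub = 0 if seq is None else (L2_SUBLAYER_S_BIT | (seq & SEQ_MASK))
        hdr += struct.pack("!I", sub)
    return hdr + payload


def decapsulate(packet: bytes, sessions: Dict[int, Session]) -> Tuple[Optional[str], Optional[bytes], str]:
    """Bind an incoming data packet to its egress interface (the egress PE's job).
    Returns (egress_interface, payload, status); anything but status 'ok' means do not forward."""
    if len(packet) < 4:
        return None, None, "drop: short packet"
    session_id = struct.unpack_from("!I", packet, 0)[0]
    if session_id == 0:
        return None, None, "control: session ID 0 is reserved for control messages"
    session = sessions.get(session_id)
    if session is None:
        return None, None, "drop: unknown session ID"
    off = 4 + len(session.cookie)
    if len(packet) < off:
        return None, None, "drop: truncated cookie"
    # compare in constant time; a mismatch means the sender did not take part in session setup
    if not hmac.compare_digest(packet[4:off], session.cookie):
        return None, None, "drop: cookie mismatch"
    if session.l2_sublayer:
        if len(packet) < off + 4:
            return None, None, "drop: truncated L2-specific sublayer"
        off += 4
    return session.egress_interface, packet[off:], "ok"


if __name__ == "__main__":
    # constructed session table: IDs, cookies and interface names are this example's, not a real config
    table = {
        0x1234ABCD: Session(cookie=bytes.fromhex("0011223344556677"), egress_interface="Serial0/0"),
        0x0000BEEF: Session(cookie=bytes.fromhex("DEADBEEF"), egress_interface="FastEthernet0/1", l2_sublayer=True),
    }
    frame = b"\x03\x00\x00\x21\x45\x00"     # first bytes of a PPP-encapsulated IP frame, constructed
    good = encapsulate(0x1234ABCD, table[0x1234ABCD], frame)
    forged = struct.pack("!I", 0x1234ABCD) + bytes(8) + frame   # right session ID, guessed cookie
    print(decapsulate(good, table))
    print(decapsulate(forged, table))
```

Session IDs are small and often predictable, so the cookie is what stops an off-path sender from injecting frames onto a customer's attachment circuit; a session configured with a zero-length cookie gets no such protection.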

Figure 16

L2TPv3

Benefits

Reduced Cost: consolidates multiple core technologies (for example, IP and Asynchronous Transfer Mode (ATM)) into a single packet-based infrastructure.

Simplified Services: Layer 2 transport provides options for Service Provider and Enterprise customers who need to provide L2 connectivity and maintain customer/department autonomy. Several key factors assist in the simplification of service deployment:

Configuration only on edge routers.

Service Provider and Enterprise customers do not participate in passing/maintaining routing information for VPN traffic.

Leverages code and mind share from L2VPN access network deployment.

Protect Existing Investments: Service Provider and Enterprise customers can leverage existing IP infrastructures to support Layer 2 networks without deploying an old-world infrastructure.

Feature Support: Layer 2 transport can be tailored to meet customer requirements by using Cisco IOS Software features (for example, Quality of Service (QoS) and IPsec).

New Service (revenue) Opportunities for IP Networks: for example, L2 transport and Virtual Leased Line (VLL) services.

Standards-Based Approach: standards track open architecture addressed by the IETF.

Hardware

Routers

Cisco 1700, 2600, 3700, 7200, and 7300 Series


Attachments: Frame Relay, Ethernet, HDLC, PPP

Product Management Contact: Neil Abogado, nabog@cisco.com

2.2.20) PPPoE Session Recovery after Reload

If the PPP keepalive mechanism is disabled on a customer premises equipment (CPE) device, a Point-to-Point Protocol over Ethernet (PPPoE) session will hang indefinitely after an aggregation device reload. PPPoE Session Recovery After Reload enables the aggregation device to attempt to recover PPPoE sessions that failed because of the reload by sending a PPPoE Active Discovery Terminate (PADT) packet to the CPE. The CPE device is expected to take failure recovery action upon receipt of this packet.

Benefits

Network availability will improve, because CPE routers in a Broadband network will be informed to reestablish their PPPoE session after a reload at the Aggregation Router. This will minimize the impact and duration of connectivity loss during a failure in the Aggregation Router.

Hardware

Routers

Cisco 2600, 3600, 7200, and 7400 Series Routers

Cisco 3725 and 3745 Routers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.21) L2TP Client-Initiated Tunneling

Layer 2 Tunneling Protocol (L2TP) Client-Initiated Tunneling introduces the ability to establish client-initiated L2TP tunnels. The client may initiate an L2TP or L2TPv3 tunnel to the L2TP network server (LNS) without the intermediate network access server (NAS) participating in tunnel negotiation or establishment.

Benefits

This enables providers to offer value-added services, such as VPNs or Firewalls, directly to their customers.

Hardware

Routers

Cisco 827, 830, 1710, 1711, and 1712 Routers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.22) B-Channel Availability Control

ISDN B-Channel Availability Control (BCAC) and Round-Robin Channel Selection Enhancements allow more dynamic control of ISDN B channels by adding functionality for configuring message signaling, and an enhanced channel selection scheme that adds round-robin selection to the existing ascending and descending schemes.

Benefits

BCAC gives Service Providers dynamic control of B-channel availability for applications like aggregating low data volume links.

Hardware

Routers

Cisco 3640 and 3660 Routers

Access Servers

Cisco AS5350, AS5400, and AS5850 Series Access Servers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.23) ISDN Backup in Multiprotocol Label Switching Core

When a primary link is down in the Multiprotocol Label Switching (MPLS) core network, ISDN Backup in MPLS Core allows a backup ISDN link on a dialer interface to be brought up to restore network connectivity. This feature ensures high availability of the link between two routers in the MPLS core by providing a backup mechanism. In terms of defining the "core" of the MPLS network, this functionality is intended for Provider to Provider Edge (P-PE) and Provider to Provider (P-P) links.

Benefits

Enhanced network availability is the key benefit, as links in an MPLS core network will be backed up by an ISDN connection. This will ensure network connectivity on critical links in the MPLS core.

Hardware

Routers

Cisco 3640 and 7200 Series Routers


Considerations

Works only with dialer profile configuration.

Available only for PPP encapsulation.

Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.24) V.110 Support for MGCP-Dial

This feature adds V.110 encapsulation support for MGCP NAS package dial technology configurations. V.110 encapsulation allows you to connect to lower-bandwidth devices through the V.110 rate adaptation protocol, which enables Global System for Mobile Communications (GSM/DCS/PCS) mobile users to access corporate intranets and the Internet through Integrated Services Digital Network (ISDN) networks.

Benefits

This functionality will allow Cisco routers providing Internet connectivity to interoperate in environments where V.110 encapsulation is used for data rate adaptation. An example of this type of environment would be when slow speed Mobile Personal Digital Assistants (PDAs) try to connect to the Internet.

Hardware

Access Servers

Cisco AS5350, AS5400, and AS5850 Series Access Servers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.2.25) X.25 Call Confirm Packet Address Control

The X.25 Call Confirm Packet Address Control feature provides options for controlling the source and destination addresses that are encoded in outgoing Call Confirm packets. You can suppress the addresses completely or specify that the addresses originally proposed in the received Call packet be encoded in the Call Confirm packet. This feature may be necessary when connecting to equipment that implements a nonstandard or proprietary X.25 service, where the addressing scheme needs to be modified.

Benefits

The key benefit here is improved interoperability with networking equipment that implements X.25 in a slightly proprietary manner.

Hardware

Routers

Cisco 800, 7200, and 7400 Series Routers

Cisco 1710, 2691, 3631, 3640, 3660, 3725, and 3745 Routers

Access Servers

Cisco AS5350, AS5400, and AS5850 Series Access Servers


Product Management Contact: Sanjay Bhardwaj, sbhardwa@cisco.com

2.3) High Availability

Table 4  High Availability Feature Highlights


2.3.1) Cisco IOS Warm Upgrade

Cisco IOS Warm Upgrade significantly reduces planned downtime for Cisco IOS Software devices during upgrades to new Cisco IOS Software images. This improves the overall availability of hardware with single route or switch processors. Users implementing Cisco IOS Warm Upgrade will typically enjoy an eighty percent reduction in downtime during an image upgrade.

Figure 17

Cisco IOS Warm Upgrade

Benefits

Reduced downtime for planned upgrades

Cisco IOS Warm Upgrade loads the new image directly into memory and decompresses it while the current image is still executing on the Cisco IOS Software device. Once the new image is completely loaded, a failover to it occurs. The load, decompression, and initial boot steps therefore no longer fall inside the outage window.

Upgrade without storage media

With Cisco IOS Warm Upgrade, it is possible to upgrade to a new image over the network without a netboot from ROMMON or the boothelper. This allows users to evaluate new software on a device without placing the image on the device's flash media. Furthermore, if Cisco IOS Warm Upgrade fails for any reason, the device continues to run the existing image where possible.

Hardware


Considerations

Users will need to have sufficient free memory to decompress the new Cisco IOS Software image in the system in order to be able to leverage Warm Upgrade.

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755a.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802b4383.html

http://www.cisco.com/go/fn

2.3.2) Cisco IOS IPsec Stateful Failover

IPsec Stateful Failover allows customers to employ a backup IPsec server that continues processing and forwarding IPsec packets after a planned or unplanned outage. The backup (secondary) IPsec server automatically takes over the tasks of the active (primary) router without losing secure connections with its peers, should the active router lose connectivity for any reason. This process is transparent to the end user and requires no adjustment or reconfiguration of any remote peer.

IPsec Stateful Failover is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. IPsec Stateful Failover provides protection for IPsec tunnels, IPsec with GRE, and Cisco IOS Easy VPN traffic.

Figure 18

IPsec Stateful Failover Feature Module

Benefits

Increased resiliency and availability for network applications such as client/server, voice, and video over VPN, which can now continue uninterrupted during scheduled network maintenance or a network outage. IPsec Stateful Failover enables rapid failover for geographically dispersed peers, avoiding disruption to critical enterprise applications.

Hardware

Routers

Cisco 3700 and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

2.4) Infrastructure

Table 5  Infrastructure Feature Highlights


2.4.1) Cisco IOS Embedded Event Manager 2.1

Cisco IOS Embedded Event Manager (EEM) has been enhanced significantly since it first became available in Cisco IOS Software Release 12.3(4)T. EEM now allows user-programmable actions based on Tool Command Language (TCL).

EEM marks a shift in network management systems design. Cisco has committed to increasing the level of management intelligence and self-awareness within Cisco IOS Software. EEM provides the infrastructure for detection of specific events and the ability to take local action based on those events.

Local actions, called EEM policies, can be defined using simple CLI commands, or more complex or custom actions can be specified using TCL. The TCL interpreter with TCL extensions embedded within Cisco IOS Software provides full access to the CLI, so the range of possible actions is limited only by the imagination.

Figure 19

Embedded Event Manager 2.1 Architecture

Benefits

Onboard event detection.

Extensive set of event detectors.

User-programmable automatic actions triggered by specific events.

EEM policy definition using TCL.

Hardware

Routers

Cisco 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contacts: Rohit Shrivastava (roshriva@cisco.com), Rick Williams (rwill@cisco.com)

2.4.2) Embedded Resource Manager

Continuing on the commitment to add more embedded intelligence within the network devices, Embedded Resource Manager (ERM) lays the groundwork for even more internal monitoring and reporting capabilities.

ERM provides internal mechanisms for monitoring internal Cisco IOS Software tasks and shared resource consumption.

Figure 20

ERM Architecture

Benefits

Allows dynamic monitoring of internal resource utilization.

Provides ability to take actions to improve the performance and availability of the device.

Yields information to allow better understanding of scalability requirements in terms of resource consumption.

Delivers infrastructure for future development and delivery of autonomic functions.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Cisco IOS Embedded Resource Manager is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Valliappan (svalliap@cisco.com)

2.5) IP Mobility

Table 6  IP Mobility Feature Highlights


2.5.1) Support for RFC 3519 NAT Traversal

IETF RFC 3519 defines the process by which Mobile IP enabled devices can roam into and traverse networks with a Network Address Translation (NAT) device at the exit points of the network.

Typically, the ability to roam into and through a network with NAT deployed is unpredictable and dependent upon the NAT implementation deployed. The best way to ensure seamless IP roaming through a NAT device is by supporting RFC 3519 and using UDP to encapsulate the Mobile IP packets.

It is very common for Public WLAN "Hot Spot" networks and GPRS Wireless WAN networks to use private IP addressing and NAT devices at the exit points of their networks.

Support is provided in the Foreign Agent and Home Agent capability within Cisco IOS Software:

Foreign Agent and Home Agent

Mobile Node to Home Agent

Assumes the Mobile Node (Mobile IP client) also supports RFC 3519 NAT Traversal

Example: the Birdstep Mobile IP Client does support RFC 3519 NAT Traversal

NAT Traversal encapsulates the Mobile IP packets in UDP, which requires any firewalls in the path to permit UDP port 434.

The use of RFC 3519 is transparent to the end user.

Benefits

Ensures that individual users can maintain their IP sessions when roaming into networks that use NAT.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

2.5.2) Mobile IP Foreign Agent Local Routing for Mobile Networks

Description

The Mobile IPv4 protocol, as defined in RFC 3344, does not allow direct routing from any correspondent node (IP host/device) to any mobile node or to mobile networks behind a mobile router. The protocol requires the traffic to go through the mobile node's Home Agent (HA), creating the behavior known as "triangle routing".

Foreign Agent (FA) Local Routing to Mobile Networks solves this problem by allowing the correspondent nodes (IP hosts/devices) connected to an FA to route traffic directly via the FA to mobile networks that have roamed to and connected to the same FA.

The FA and HA work together securely to learn the routing information that the FA adds to its own routing table. This information enables IP traffic from natively attached (Ethernet, WLAN) IP hosts to follow the optimized routing path to the mobile networks.

Learning consists of identifying when a mobile network attaches to the FA, the subnets of the mobile network, and when the mobile network has left the FA in question. With this information the FA can add routing information to its routing table and subsequently clean up and remove the reachability information.

It is mandatory to turn on FA-HA Authentication (FHAE), which is off by default per Mobile IP RFC 3344.

Figure 21

Foreign Agent Local Routing to Mobile Networks—Before

Figure 22

Foreign Agent Local Routing to Mobile Networks—After

Benefits

Optimized routing path between IP devices connected to a Foreign Agent and Mobile Networks that roam into and connect to the same Foreign Agent.

Latency sensitive applications such as Video and Voice will benefit from a shorter routing path.

Conserves link bandwidth between the FA and HA, which is beneficial when low-speed connections are in use.

Refer to the following document for additional information:

IP Mobility Support for IPv4: http://www.ietf.org/rfc/rfc3344.txt?number=3344

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://www.cisco.com/go/fn/


Product Management Contact: mdenny@cisco.com

2.5.3) Mobile IP—Mobile Networks PPP Dynamic Collocated Care-of-Address

Description

Per RFC 3344, when a mobile node or mobile router connects to a Home Agent (HA) directly, bypassing a Foreign Agent (FA), it must obtain an IP address from the local network it has roamed into and use this address as its Co-Located Care-of Address (CCoA).

Mobile node: Mobile IP client capability on an individual IP device.

Mobile router: Mobile IP client capability on a router or Layer 3 device with one or more subnets connected to it.

This enhancement enables a mobile router to acquire an IP address dynamically from the network it has roamed into, and use this address as its CCoA.

This enhancement supports the use of PPP/IPCP to dynamically acquire an IP Address.

Support of DHCP to dynamically acquire an IP Address will follow.

The mobile router registers itself with its Home Agent using the dynamically acquired IP address. Upon successful registration, the Home Agent builds a tunnel to the mobile router's CCoA.

Prior to this enhancement all interfaces on a mobile router requiring CCoA support had to have an IP address statically pre-configured.

Figure 23

Mobile Networks PPP Dynamic Co-Located CCoA

Benefits

Greatly simplifies configuration and provisioning of a mobile router, such as the Cisco 3200 Mobile Access Router.

With Dynamic CCoA support the mobile router can automatically detect whether a Foreign Agent is present in the roamed-to network, and determine the appropriate method for connecting to its Home Agent.

Flexibility to roam into and connect through networks that might not be known in advance.

Ability to dynamically acquire an IP address from a roamed-to network.

Initial support for Static Co-Located Care-of Address (CCoA) required upfront knowledge of all potential networks the Mobile Access Router would connect to and through, and required an IP address to be pre-provisioned for each mobile router.

Refer to the following document for additional information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtcolloc.htm

IP Mobility Support for IPv4: http://www.ietf.org/rfc/rfc3344.txt?number=3344

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://www.cisco.com/go/fn/


Product Management Contact: mdenny@cisco.com

2.5.4) Dynamic Security Associations and Key Distribution

Dynamic Security Associations and Key Distribution facilitates Mobile IP deployment by simplifying the security aspects of Mobile IP configuration and provisioning. Before this feature, the security associations, including the security parameter index, authentication algorithm, and pre-shared key, had to be determined in advance and configured on each Mobile IP client. With this feature, the security associations do not need to be configured manually in advance. The Mobile IP client can now derive the security associations from its user's Windows login name and password upon logging in to the Windows domain. The Home Agent router authenticates the user against an existing Windows authentication system, such as a Windows Domain Controller or Windows Active Directory. Once the user is authenticated, the HA generates the user's security associations dynamically to perform Mobile IP registration authentication. Additionally, the dynamic key can be renewed to further improve security.

Figure 24

Dynamic Security Associations and Key Distribution

Benefits

Improves the user mobility experience by allowing users to integrate Windows login and Mobile IP client login.

Simplifies Mobile IP provisioning for network administrators by leveraging existing authentication infrastructure and eliminating additional key allocation to mobile users.

Increases mobility security through dynamic re-keying.

Hardware

Routers

Cisco 1700, 2600, 7200, and 7500 Series Routers

Cisco 3631, 3640, and 3660 Routers


Product Management Contact: Mark Denny, mdenny@cisco.com

2.6) IP Multicast

Table 7  IP Multicast Feature Highlights


2.6.1) Multicast Enhancements

Bootstrap Router (BSR) for IPv6 is one of the mechanisms by which an IPv6 PIM router learns the set of Group-to-RP mappings required for IPv6 PIM-SM and Bidir-PIM to function. The mechanism is dynamic, largely self-configuring, and robust to router failure.

Source-based filtering for multicast boundary adds SSM (S,G) filtering support on the multicast boundary. This extends the functionality of the "ip multicast boundary <acl>" command to give SSM the same access-control capabilities already offered for ASM, and improves the usefulness of the command as a general tool. In the "ip multicast boundary <acl>" command, the ACL can be a standard or extended ACL.

VRF Aware Multicast Error Messages displays the VRF name in the error messages generated by the IP Multicast subsystems when MVPN is in use. This additional information makes it easier to associate protocol and packet forwarding events with their MVPNs, which is very useful when troubleshooting software or network problems.

When an MVPN-related error message is printed, the first parameter displayed is the VRF name it relates to, followed by whatever is displayed today. This is modeled after the unicast VPN error messages and only applies to configured VRFs. Error messages related to the global table stay the same.

Inhibit Customer Traffic from Flooding in the MVPN Core automatically sets the default PIM mode of the MDT tunnel according to the PIM mode of the native interfaces in the MVRF. The three possible cases of MVRF interface configuration, and their corresponding MDT tunnel modes, are:

1. If all native interfaces are in sparse-dense or dense mode, the MDT tunnel will be in sparse-dense mode.

2. If all native interfaces are in sparse mode, the MDT tunnel will be in sparse mode.

3. If some are in sparse mode and some are in sparse-dense or dense mode, the MDT tunnel will be in sparse-dense mode.

Hardware

Routers

Cisco 2600, 3700, 7200, and 7500 Series Routers

Cisco 3631, 3640, and 3660 Routers


Product Management Contact: g_singh@cisco.com

2.6.2) MSDP Compliance with IETF MSDP Draft 20

Description

The MSDP Compliance with IETF MSDP Draft 20 feature enables you to use BGP route reflectors without running MSDP on them. It also allows you to use an Interior Gateway Protocol (IGP) for the RPF check, thereby giving you the ability to run peerings without BGP or MBGP.

Benefits

This feature adds support for the following functions:

Allows the use of BGP route reflectors without running MSDP on them.

Allows the use of an Interior Gateway Protocol (IGP) for the RPF check, thereby giving you the ability to run peerings without BGP or MBGP.

Provides ability to have peerings between routers in non-directly connected autonomous systems (that is, with one or more autonomous systems between them). This helps in confederation configurations and for redundancy.

Provides valuable information while debugging MSDP problems with the new "show ip msdp rpf" command.

Hardware

Routers

Cisco 3700 Series

Cisco 7200 Series and Cisco 7500 Series


Product Management Contact: g_singh@cisco.com

2.6.3) IPv6 Multicast Phase 1 & Phase 2

Description

IPv6 Multicast is a new version of IP Multicast, designed to be an evolutionary step from IPv4 Multicast. Although the basic notion of multicasting is common to IPv4 and IPv6, the differences between IPv4 and IPv6 multicasting require several new approaches to implementation, including handling of multicast interfaces, using scoped addresses in PIM, and more.

The Cisco IPv6 Multicast feature set (Phase 1 & Phase 2) introduces all the mandatory software components required to deploy a production IPv6 Multicast network and to support any IPv6 Multicast application end-to-end in a given network. It supports the deployment scenarios for both intra-domain and inter-domain IPv6 Multicast.

IPv6 Multicast Phase 1 feature introduces the support for:

RFC 2373

RFC 3569

RFC 3590

PIM (Protocol Independent Multicast)

Source Specific Multicast (PIM-SSM)

Sparse-Mode (PIM-SM)

Full MLDv1/v2 Compatibility

Explicit Tracking in v2 Mode

Full Support for DR Functionality (registers, etc.)

Static RP Assignment with Multiple RP Mapping

Intra-Domain Multicast Routing via PIMv6-SM

Inter-Domain Multicast via PIMv6-SSM

Multicast v6 Ping

Mtrace for v6

IPv6 Scoped Address Architecture

Basic Multicast v6 Debugging Capabilities

v6-in-v4 Tunneling

IPv6 Multicast Phase 2 feature introduces the support for:

Support for Embedded RP Mapping

mBGP for Multicast v6

Static mroutes

Forwarding Support for BSR Messages

MLD Access-Groups for Receiver Control

Register Filters for Source Control

Enhanced Boundaries, Policy per Sources and per Groups

Distributed Fast Switching for Multicast v6

v6-in-v6 Tunneling

Figure 25

IPv6 Multicast Phase 1 & Phase 2

Benefits

Cisco IPv6 Multicast feature set allows you to deploy a production IPv6 Multicast network, to support any IPv6 Multicast application end-to-end in a given network.

It supports the deployment scenarios for both intra-domain and inter-domain IPv6 Multicast.

Hardware

Routers

Cisco 3700 Series

Cisco 7200 and 7500 Series


Product Management Contact: g_singh@cisco.com

2.6.4) PIM Dense Mode Fallback Prevention after RP Information Loss

Description

Preventing the use of PIM dense mode is very important to multicast networks whose reliability is critical. This feature enables you to prevent Protocol Independent Multicast (PIM) dense mode fallback when all rendezvous points fail. It provides a mechanism to keep the multicast groups in sparse mode and also allows you to block multicast traffic for groups not specifically configured.

Benefits

Ability to block multicast traffic for groups not specifically configured.

Provides a mechanism to keep the multicast groups in sparse mode.

Hardware

Routers

Cisco 3700 Series

Cisco 7200 and 7500 Series


Product Management Contact: g_singh@cisco.com

2.7) IP Routing

Table 8  IP Routing Feature Highlights


2.7.1) Enhanced Interior Gateway Routing Protocol Prefix Limit Support

Enhanced Interior Gateway Routing Protocol (EIGRP) allows the network administrator to limit the number of prefixes learned by EIGRP. This feature provides a means to limit the shared resources (memory and CPU) consumed by the EIGRP process.

Additional CLI configuration options are added to support this feature.

Benefits

Provides optional facility to force an upper bound on the number of prefixes learned by the EIGRP routing process.

Is useful for preventing unwanted oversubscription of shared resources.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.7.2) Enhanced IGRP Simple Network Management Protocol Support

This feature provides SNMP MIB support for SNMP GET operations and SNMP traps for EIGRP, and provides an infrastructure interface for network management.

Benefits

Provides the ability to monitor EIGRP from a remote management system.

Provides notification on EIGRP events.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

EIGRP SNMP Support is positioned in the Enterprise Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.7.3) Open Shortest Path First Sham-Link MIB Support

In some MPLS VPN networks, OSPF sham link is used to interconnect two VPN sites that share the same OSPF area.

This arrangement presents some difficulty for network management. Prior to this feature, no SNMP MIB objects provided useful information about OSPF sham links.

This feature enhances the specific Cisco MIB (CISCO-OSPF-MIB.my) to allow for monitoring of OSPF sham links. The enhancement allows for:

Status queries

Notification of error

Notification of state change

Statistical information on retransmissions

Benefits

Provides a means to manage OSPF sham links.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

The implementation is RFC 1850 compliant and based on an OSPFv2 MIB IETF draft. See IETF draft draft-rosen-vpns-ospf-bgp-mpls-05.txt.

Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.7.4) Border Gateway Protocol Support for Fast Peering Session Deactivation

Border Gateway Protocol (BGP) Support for Fast Peering Session Deactivation accelerates the speed at which the BGP subsystem releases a peering session. The BGP subsystem deactivates the peering session immediately upon indication that the peer is gone, eliminating an internal wait timer. This feature optimizes the software so that multiple failure detection mechanisms are linked to trigger session deactivation.

Benefits

Improves routing protocol reconvergence.

Speeds BGP session deactivation in the event of a dead neighbor.

Provides support for faster session deactivation when peers go away.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

BGP Support for Fast Peering Session Deactivation is positioned in the Advanced Security and SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Pepe Garcia (pepe@cisco.com)

2.7.5) Border Gateway Protocol Support for IP Prefix Import from Global Table into Virtual Routing and Forwarding Table

This feature allows customers to specify which specific prefixes from the global routing table are to be imported into a VPN routing and forwarding table.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

BGP Support for IP Prefix Import From Global Table Into a VRF Table is positioned in the Advanced Security and SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Pepe Garcia (pepe@cisco.com)

2.7.6) Border Gateway Protocol Support for Next-Hop Address Tracking

Border Gateway Protocol (BGP) Next-Hop Address Tracking provides a mechanism for routes learned using BGP to converge more quickly on a new path when triggered by a change to a monitored BGP next-hop address.

An address-tracking filter mechanism is used to filter notifications to the routing information base. This mechanism allows for new path selection to begin as soon as the notification regarding the change in reachability state of the next hop occurs. The results are much faster convergence of traffic to a new path and less impact to traffic flows.

All of these facts mean faster reconvergence, leading to improved perception of reliability for users.

Figure 26

Next-Hop Tracking Speeds Reconvergence

Next-Hop Tracking will trigger the BGP scanner at PE-1 to run immediately on Interior Gateway Protocol (IGP) convergence, so the route through PE-3 will handle traffic upon failure to PE-2.

Benefits

Provides faster routing protocol reconvergence.

Avoids delays for traffic to get to destination.

Reduces service impact.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Pepe Garcia (pepe@cisco.com)

2.7.7) Routemap Display Extension

Routemap Display Extension enhances the display of dynamic routemaps to include detailed information about the ACLs used in the match clauses.

Benefits

Makes more details available using CLI show command.

Simplifies troubleshooting and checking of configuration.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Routemap Display Extension is positioned in IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.7.8) Optimized Edge Routing Support for Cost-Based Optimization and Traceroute Reporting

Optimized Edge Routing (OER) provides automatic outbound route optimization for multihomed enterprises by establishing criteria for the optimal exit point for traffic destined for other networks. OER enables link selection according to performance, cost, and load distribution policy.

This enhancement provides outbound traffic optimization based on financial link cost. The idea is to minimize the cost associated with service through efficient and effective traffic routing. This is called cost minimization.

The configuration for cost minimization supports fixed-cost Service Level Agreements (SLAs) and tier-based-with-bursting cost SLAs. SLAs encompass the billing criteria that are established with each ISP. Although the specific details of "tier-based-with-bursting" billing models will vary by ISP, most ISPs will use some variation of the following algorithm to calculate what an enterprise should pay in a tiered billing plan:

1. Gather periodic measurements of egress and ingress traffic carried on the enterprise's connection to the ISP's network and aggregate the measurements to generate a rollup value for a rollup period.

2. Generate one or more rollup values per billing period.

3. Rank the rollup values for the billing period from the largest value to the smallest.

4. Discard the top 5 percent of the rollup values to accommodate bursting.

5. Apply the highest remaining rollup value to a tiered structure to determine a tier associated with the rollup value.

6. Charge the customer based on a set cost associated with the determined tier.

Cisco OER seeks to minimize the overall service cost by distributing traffic in the most cost-efficient way (or as configured). By deploying the Cisco OER bandwidth cost minimization functionality, customers can instruct Cisco OER to select the exit links that provide the most cost-effective bandwidth utilization, while still maintaining the desired performance characteristics.
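The six-step tier-based-with-bursting billing algorithm above, worked through in code. This is an added example, not Cisco code: the tier table, the rollup values, and the simplified "which exit link raises the bill least" projection in cheapest_exit are constructed assumptions, and real ISP contracts differ in rollup interval and tier boundaries.

```python
"""Tier-based-with-bursting billing and cost-aware exit selection.

Added example, not Cisco code: it works through the six-step ISP billing
algorithm with constructed sample data. Tier boundaries, costs and rollup
values are assumptions; real SLAs differ.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Tier:
    ceiling_kbps: float  # rollup values up to this rate (inclusive) fall in the tier
    cost: float          # flat charge for the billing period when this tier applies


# Constructed sample tier table, cheapest first; the last tier is a catch-all.
SAMPLE_TIERS: Tuple[Tier, ...] = (
    Tier(ceiling_kbps=1_000, cost=500.0),
    Tier(ceiling_kbps=2_000, cost=900.0),
    Tier(ceiling_kbps=5_000, cost=1_800.0),
    Tier(ceiling_kbps=math.inf, cost=4_000.0),
)

# Constructed rollup values (kbps) for one billing period on one exit link.
# One short burst to 6000 kbps sits among otherwise roughly 1 Mbps traffic.
SAMPLE_ROLLUPS: List[float] = [
    800, 950, 1200, 6000, 1100, 900, 1300, 700, 1050, 1150,
    1250, 980, 1020, 1180, 1220, 1300, 1400, 870, 960, 1010,
]


def rollup(samples: Sequence[float], samples_per_rollup: int) -> List[float]:
    """Steps 1-2: aggregate periodic measurements (egress + ingress, kbps) into
    rollup values by averaging each window of samples_per_rollup samples.
    A trailing partial window is averaged over the samples it contains."""
    if samples_per_rollup <= 0:
        raise ValueError("samples_per_rollup must be positive")
    windows = (samples[i:i + samples_per_rollup]
               for i in range(0, len(samples), samples_per_rollup))
    return [sum(w) / len(w) for w in windows]


def billable_rollup(rollups: Sequence[float], burst_fraction: float = 0.05) -> float:
    """Steps 3-5: rank rollups largest to smallest, discard the top
    burst_fraction (5 percent by default, rounded down) and return the
    highest remaining value. At least one value is always kept."""
    if not rollups:
        raise ValueError("no rollup values for the billing period")
    ranked = sorted(rollups, reverse=True)
    discard = min(int(len(ranked) * burst_fraction), len(ranked) - 1)
    return ranked[discard]


def tier_for(value: float, tiers: Sequence[Tier] = SAMPLE_TIERS) -> Tier:
    """Step 5: map the billable rollup value onto the tier structure."""
    for tier in tiers:
        if value <= tier.ceiling_kbps:
            return tier
    raise ValueError("tier table needs a catch-all ceiling (math.inf)")


def period_charge(rollups: Sequence[float],
                  tiers: Sequence[Tier] = SAMPLE_TIERS) -> float:
    """Step 6: the charge for the billing period."""
    return tier_for(billable_rollup(rollups), tiers).cost


def cheapest_exit(links: Dict[str, Sequence[float]], extra_kbps: float,
                  tiers: Sequence[Tier] = SAMPLE_TIERS) -> str:
    """Simplified cost minimization (assumption, not the OER algorithm):
    project what each exit link's charge would become if its billable rollup
    grew by extra_kbps, and pick the link whose charge rises least. Ties go
    to the lower resulting charge, then to the link name, so the choice is
    deterministic."""
    best = None
    for name, rollups in links.items():
        current = period_charge(rollups, tiers)
        projected = tier_for(billable_rollup(rollups) + extra_kbps, tiers).cost
        key = (projected - current, projected, name)
        if best is None or key < best:
            best = key
    if best is None:
        raise ValueError("no exit links to choose from")
    return best[2]


if __name__ == "__main__":
    print("billable rollup:", billable_rollup(SAMPLE_ROLLUPS))   # 1400
    print("period charge:", period_charge(SAMPLE_ROLLUPS))       # 900.0
    print("charge if the burst were not discarded:",
          tier_for(max(SAMPLE_ROLLUPS)).cost)                    # 4000.0
```

The sample shows why step 4 matters: the single 6000 kbps rollup would otherwise push the period into the top tier.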

This release also adds support for traceroute reporting. The feature allows the network administrator to form a clearer picture of the amount of delay introduced by different segments in the path. If an unexpected round-trip delay value for a prefix on a particular exit is observed, the delay can be quantified on a per-hop basis.

Benefits

Allows companies to minimize traffic sent over expensive links or consolidate multiple flat-rate connections to fewer and lower cost connection services.

Provides statistics on traffic distribution and usage before and after route optimization.

Helps enterprise customers manage ISP costs more effectively.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

OER Support for Cost-Based Optimization and Traceroute Reporting feature is positioned in the Advanced Security, SP Services, and Enterprise Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Paul Kohler (pkohler@cisco.com)

2.7.9) Policy-Based Routing: Recursive Next Hop

Policy-Based Routing (PBR): Recursive Next Hop provides the ability to set a next hop that is not directly connected to enable load balancing when PBR is used.

With this feature enabled, the routing table will be examined recursively to find the directly connected next hop when PBR is used to set an indirect next hop.

The following new configuration command is introduced:

set ip next-hop recursive

This command may be used to set a directly connected next hop or subnet as well as an indirect next hop or subnet.
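The recursive lookup described above, modeled in code. This is an added example, not Cisco code: the routing table entries are constructed, and the function contrasts plain "set ip next-hop" (which needs a directly connected hop) with the recursive form, including the loop case a misconfigured table can produce.

```python
"""Recursive next-hop resolution, as performed for "set ip next-hop recursive".

Added example, not Cisco code: it models how an indirect (not directly
connected) next hop set by a PBR route map is resolved against the routing
table until directly connected next hops are found, which is what lets CEF
load-balance across equal-cost paths. The routing table is constructed data.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Routing table: prefix -> list of (next_hop, interface) paths.
#   (None, iface) : connected route, hosts in the prefix are reachable on iface
#   (addr, None)  : recursive route, addr must itself be looked up
RoutingTable = Dict[IPv4Network, List[Tuple[Optional[IPv4Address], Optional[str]]]]

SAMPLE_RIB: RoutingTable = {
    ip_network("10.1.1.0/24"): [(None, "GigabitEthernet0/0")],
    ip_network("10.1.2.0/24"): [(None, "GigabitEthernet0/1")],
    # Loopback of a remote router reachable over two equal-cost paths.
    ip_network("192.0.2.1/32"): [(ip_address("10.1.1.2"), None),
                                 (ip_address("10.1.2.2"), None)],
    ip_network("0.0.0.0/0"): [(ip_address("192.0.2.1"), None)],
}

# Constructed misconfiguration: the default route points at an address that
# is itself only reachable via the default route.
LOOPING_RIB: RoutingTable = {
    ip_network("0.0.0.0/0"): [(ip_address("203.0.113.1"), None)],
}


def longest_match(rib: RoutingTable, addr: IPv4Address) -> Optional[IPv4Network]:
    """Longest-prefix match, the same lookup the forwarding path performs."""
    best: Optional[IPv4Network] = None
    for prefix in rib:
        if addr in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return best


def resolve_next_hop(rib: RoutingTable, next_hop: IPv4Address,
                     recursive: bool = True,
                     _path: FrozenSet[IPv4Address] = frozenset()
                     ) -> List[Tuple[IPv4Address, str]]:
    """Return the directly connected (next_hop, interface) pairs that traffic
    for next_hop is actually forwarded to.

    recursive=False models plain "set ip next-hop": the hop must be directly
    connected. recursive=True models "set ip next-hop recursive": the routing
    table is walked until connected paths are found. LookupError is raised
    for unroutable hops, for non-connected hops in non-recursive mode, and
    for resolution loops (an address revisited along the same path)."""
    if next_hop in _path:
        raise LookupError(f"next-hop resolution loop at {next_hop}")
    path = _path | {next_hop}
    prefix = longest_match(rib, next_hop)
    if prefix is None:
        raise LookupError(f"no route to next hop {next_hop}")
    resolved: List[Tuple[IPv4Address, str]] = []
    for hop, iface in rib[prefix]:
        if hop is None:
            resolved.append((next_hop, iface))  # connected: resolution ends here
        elif not recursive:
            raise LookupError(f"{next_hop} is not directly connected; "
                              "'set ip next-hop recursive' is required")
        else:
            resolved.extend(resolve_next_hop(rib, hop, True, path))
    return resolved


def resolution_error(rib: RoutingTable, next_hop: IPv4Address,
                     recursive: bool = True) -> Optional[str]:
    """Convenience wrapper: the error message, or None if resolution succeeds."""
    try:
        resolve_next_hop(rib, next_hop, recursive)
    except LookupError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    hop = ip_address("192.0.2.1")
    print("non-recursive:", resolution_error(SAMPLE_RIB, hop, recursive=False))
    for addr, iface in resolve_next_hop(SAMPLE_RIB, hop):
        print(f"recursive: {hop} -> {addr} via {iface}")
    print("loop:", resolution_error(LOOPING_RIB, ip_address("203.0.113.1")))
```

Resolving 192.0.2.1 yields two connected paths, which is exactly what gives Cisco Express Forwarding something to load-balance across.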

Figure 27

Using Recursive Next Hop for Load Balancing

Benefits

Allows use of Cisco Express Forwarding load balancing when PBR is configured.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Policy-Based Routing: Recursive Next Hop is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Chetan Khetani (cpk@cisco.com)

2.7.10) Internet Group Management Protocol Version 3 Host Stack

Internet Group Management Protocol (IGMP) Version 3 Host Stack support enables the router or switch to behave as a multicast network endpoint or host. The support for IGMPv3 also allows other Cisco IOS Software subsystems to take advantage of the infrastructure to use Source Specific Multicast (SSM) for broadcast functions.

One reason to use this feature is the rapid deployment of voice applications and gateway functionality within Cisco IOS Software. Cisco devices that provide voice services may join a multicast channel for music on hold and convert and distribute that stream to analog or ISDN interfaces.

Benefits

Provides infrastructure needed to support voice applications, specifically Multicast Music on Hold (MMoH).

Aids troubleshooting for problems related to multicast.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IGMPv3 Host Stack is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.7.11) Per Interface mroute State Limit

The Per Interface mroute State Limit feature limits the number of mroute states on a per-interface basis. This limit is beneficial for access routers or Layer 3 switches, particularly for deployments of advanced Ethernet services or Ethernet to the home, curb, pedestal, business, multiple tenant dwelling unit, and so on.

Prior to this feature, Cisco IOS Software supported the ability to limit mroute states on a per-VRF basis using ip multicast [vrf <name>] route-limit. This feature extends that capability to allow the limit to be specified per interface.

Benefits

Extends the benefits of Ethernet as a last-mile technology.

Offers more granular DoS attack prevention.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Per Interface mroute State Limit is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.7.12) Integrated Routing and Bridging Support on MGX-RPM-XF-512

Integrated routing and bridging (IRB) is a bridging mechanism that allows integration of traditional systems with your IP network. IRB is useful when you need to connect bridged networks with Layer 3 routed networks.

IRB has existed in Cisco IOS Software since Release 11.2, and is available on a wide variety of Cisco products. This feature adds support for the Cisco MGX® Route Processor Module.

Benefits

Increases the deployment options for the Cisco MGX Route Processor Module.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IRB Support on Cisco MGX Route Processor Module is positioned in the Enterprise Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Christopher Kolstad (ckolstad@cisco.com)

2.7.13) Border Gateway Protocol Support for Named Extended Community Lists

Border Gateway Protocol (BGP) uses extended community lists to apply policies to groups of prefixes to distinguish routing paths. This enhancement introduces support for named extended community lists. Previously, extended community lists could only be numbered and were limited to a few hundred entries.

Benefits

Improves customer's ability to manage and troubleshoot BGP policies by using name strings for extended community lists instead of numerical values.

No inherent limit on the number of named extended community lists, provided that they are uniquely named.

Hardware

Routers

Cisco 1700, 2600, 3700, 7200, 7400, 7500 Series, and 7600-MWAM


Product Management Contact: Pepe Garcia, pepe@cisco.com

2.7.14) Border Gateway Protocol Support for Sequenced Entries in Extended Community Lists

Border Gateway Protocol (BGP) uses extended community lists to apply policies to groups of prefixes, in order to distinguish routing paths. These extended community lists are applied in sequential order and can become large in some implementations.

This enhancement provides support for sequencing individual entries in an extended community list.

Benefits

Specific entries within an extended community list are more easily removed, added, and/or modified in a list without having to remove and re-apply the whole list. Each entry has its own sequence number allowing configuration changes to be more efficiently done to individual entries.

Hardware

Routers

Cisco 1700, 2600, 3600, 3700, 7200, 7300, 7400, 7500 Series, and 7600-MWAM


Product Management Contact: Pepe Garcia, pepe@cisco.com

2.7.15) Border Gateway Protocol Support for Dual Autonomous System Configuration for Network Autonomous System Migrations

When a Service Provider merges its Autonomous System (AS) with another (for example, through a business acquisition), this feature provides a seamless way to transition customers over to the new AS.

This transition involves two integrated feature components:

Maintaining the TCP session with the customer's router independent of AS.

Modifying the inbound and outbound as-path lists so that this transition to a new AS is as transparent to the customer as possible.

Benefits

This feature allows Service Providers to more easily transition customers from one of their AS numbers to another during the transition phase. Customers can change the Service Provider AS number in their configurations at their convenience.

Hardware

Routers

Cisco 1700, 2600, 3600, 3700, 7200, 7300, 7400, 7500 Series, and 7600-MWAM


Product Management Contact: Pepe Garcia, pepe@cisco.com

2.7.16) Cisco Optimized Edge Routing Support for Policy-Rules Configuration and Port-Based Prefix Learning

The Cisco Optimized Edge Routing (OER) policy-rules master subcommand facilitates easy switching between configured OER policies. Customers can define more than one oer-map and select the current map with the policy-rules enhancement.

Cisco OER automatically learns prefixes that have the highest throughput or greatest delay. In addition to this automatic prefix learning, Cisco OER now can filter prefixes on the basis of "interesting" protocol-ports configured by the administrator.

Benefits

When the network administrator knows that traffic to ports below certain numbers, or traffic for a particular protocol or protocol-port combination, is not important and need not be optimized, protocol-port based learning can be configured to learn only what is important to the administrator and the enterprise.

If the network administrator is interested only in prefixes whose traffic is sourced from or destined to a particular port, a set of ports, or a set of protocols, the protocol/port-based learning capability provides additional filters that can be applied to the learning mechanism.

Hardware

Routers

Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers


Considerations

This feature adds more granularity to the learn throughput and learn delay features. It optimizes the learning process by learning the prefixes which the administrator intends to optimize.

Learning, optimizing, and maintaining uninteresting, superfluous prefixes can cost CPU cycles, increase maintenance overhead, and consume memory on the master controller and the border routers.

Product Management Contact: Paul Kohler, pkohler@cisco.com

2.7.17) Enabling Open Shortest Path First v2 on an Interface Using the ip ospf area Command

Historically, Open Shortest Path First (OSPF) v2 has been enabled on interfaces by the network command in router ospf configuration mode. The OSPFv2 per-interface area command (ip ospf area) allows OSPF to be enabled directly under interface configuration mode.

Benefits

Useful where interfaces are unnumbered.

Consistent functionality between OSPFv2 and OSPFv3.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7200, 7301, and 7500 Series Routers


Product Management Contact: Chetan Khetani, cpk@cisco.com

2.7.18) Cisco Optimized Edge Routing

Cisco Optimized Edge Routing (OER) automates routing performance and allows customers to minimize bandwidth costs and engineering operating expenses. Cisco IOS OER leverages Cisco IOS Netflow and Cisco IOS Service Assurance Agent to choose the optimal outbound route based on cost minimization, load distribution policy, and overall network performance.

Cisco OER enables intelligent network traffic load distribution and dynamic failure detection of data-paths at the WAN edge (i.e.: multi-homing to the Internet or intranet connectivity). While other routing mechanisms can provide both load-sharing and failure mitigation, Cisco OER is unique in that it can make instant routing adjustments based on criteria other than static routing metrics: response time, packet loss, path availability, traffic load distribution, and financial cost minimization policies.

Cisco OER is implemented in Cisco IOS Software as an integrated part of Cisco core routing functionality. It can be deployed with familiar simplicity via standard CLI configuration. Cisco OER may also be configured with an external Cisco 2100 Series Intelligence Engine (Cisco appliance) management device to provide enhanced scalability, extended history and a web-based GUI for configuration and reporting. Cisco OER offers increased Cisco product value and differentiation by leveraging various Cisco IOS Software features (i.e.: Cisco IOS Netflow, Cisco IOS SAA) and cross product integration to support multiple hardware products and routing protocols.

Figure 28

Cisco OER Deployment Example

Benefits

Automatic Performance, Cost Minimization, and Policy-Based Load Distribution: instant routing adjustments based on performance, path availability, load share, or monetary cost measurements and business objectives.

Multiple Router Support: delivers advanced networking capabilities and investment protection on many Cisco IOS Software based hardware products.

Multiple Routing Protocol Support: delivers advanced networking capabilities and investment protection by integrating with IP core routing (i.e.: BGP, static routes) and network characterization features.

Internet and WAN Edge Traffic Optimization: improves Internet and WAN edge traffic performance for content and application providers' customers.

Passive and Active Measurements: delivers advanced networking capabilities and investment protection by integrating with existing Cisco IOS Software features, such as Cisco IOS NetFlow and Cisco IOS SAA. NetFlow passive measurements minimize active probing.

Control and Observation Modes for Different Prefixes: allows non-disruptive observation of the behavior of OER before controlling prefixes.

Support for Multiple Link Billing Models: provides flexibility for bandwidth cost minimization and ISP selection.

CLI Configuration and Reporting on Cisco IOS Software Based Hardware Products: provides a consistent Cisco IOS CLI that leverages the existing CLI knowledge of IT staff.


Hardware

Routers

Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers

Additional Devices

Master Controller Engine Linux appliance


Product Management Contact: Paul Kohler, pkohler@cisco.com or Anita Freeman, anfreema@cisco.com

2.7.19) Enhanced Interior Gateway Routing Protocol Support for Route Map Filtering

Enhanced Interior Gateway Routing Protocol (EIGRP) Support for Route-Map Filtering enables the filtering of internal and external routes based on multiple route-map options. The functionality enables EIGRP to process currently permitted set and match parameters within route-map, and also extends the parameters with EIGRP specific set and match choices.

Benefits

Filters routes during redistribution into EIGRP.

Controls which routes are advertised to EIGRP neighbors.

Controls which learned routes are accepted, for fine-tuning the network.

Hardware

Routers

All hardware that supports the Cisco IOS Software Release 12.3T family


Product Management Contact: Chetan Khetani, cpk@cisco.com

2.7.20) Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE Site of Origin

Enhanced Interior Gateway Routing Protocol (EIGRP) MPLS VPN PE-CE Site of Origin (SoO) introduces support for back door links. A back door link is a connection that is configured outside of the VPN between a remote and main site; for example, a WAN leased line that connects a remote site to the corporate network. Back door links are typically used as backup routes between EIGRP sites if there is a failure in the VPN link or it is not available. A metric is set on the back door link, so that the route through the back door router is not selected unless there is a VPN link failure.

Benefits

EIGRP MPLS VPN PE-CE SoO allows EIGRP Enterprise customers who pay MPLS VPN providers and also have back door links to get full value from their VPN connections. Before this functionality became available, back door links were always preferred over MPLS VPN connections, because the PE and back door routers had no way to filter routes that had been re-learned from other PEs.

Hardware

Routers

All hardware that supports the Cisco IOS Software Release 12.3T family


Product Management Contact: Chetan Khetani, cpk@cisco.com

2.7.21) Border Gateway Protocol Cost Community Support for Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE with Back Door Links

This feature allows one to customize the local route preference and influence the Border Gateway Protocol (BGP) best path selection process. Before EIGRP SoO BGP Cost Community support was introduced, BGP preferred locally sourced routes to routes learned from BGP peers. Back door links in an EIGRP MPLS VPN topology will be preferred by BGP if the back door link is learned first.

The "pre-bestpath" point of insertion (POI) was introduced in the BGP Cost Community feature to support mixed EIGRP VPN network topologies that contain VPN and back door links.

Benefits

Without this functionality, back door links were always preferred over MPLS VPN connections. As a result, EIGRP enterprise customers who pay MPLS VPN providers and have back door links were not getting full value from their VPN connections.

Hardware

Routers

All hardware that supports the Cisco IOS Software Release 12.3T family


Product Management Contact: Chetan Khetani, cpk@cisco.com

2.7.22) OSPF Link State Database Overload Protection

Description

OSPF Link State Database (LSDB) Overload Protection addresses the requirement to limit the number of non-self generated link-state advertisements (LSAs) for a given OSPF process. The goal is to prevent resource starvation (CPU and Memory) on the router that can be caused by excess LSAs received.

Benefits

Excessive LSAs can be generated in the network because of misconfigured redistribution or abnormal growth in the network. Processing these LSAs and storing them in the LSDB can starve a router of CPU and memory. OSPF LSDB Overload Protection is applied per OSPF process, and only LSAs that the router did not originate itself count against the limit.
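The following added example is a model of the behaviour described above, written for this page and not taken from Cisco IOS. The parameter names follow the IOS max-lsa router subcommand, but the default values and the state machine (a warning at a percentage of the limit, an "ignore" state in which adjacencies are dropped for a number of minutes, and a permanent shutdown after repeated ignores unless a quiet period resets the counter) are assumptions made for the illustration; the LSA storm fed into it is constructed test data.

```python
# Added example (not from the bulletin): a small model of the LSDB overload
# protection behaviour described above.  Parameter names follow the IOS
# "max-lsa" router subcommand; the default values and the exact state machine
# (warning threshold, ignore state, permanent shutdown after repeated
# ignores) are assumptions made for this illustration.


class LsdbOverloadGuard:
    def __init__(self, maximum, threshold_pct=75, warning_only=False,
                 ignore_time=5, ignore_count=5, reset_time=10):
        self.maximum = maximum
        self.threshold_pct = threshold_pct
        self.warning_only = warning_only
        self.ignore_time = ignore_time        # minutes spent in the ignore state
        self.ignore_count = ignore_count      # ignores before giving up for good
        self.reset_time = reset_time          # quiet minutes that reset the ignore counter
        self.lsdb = {}                        # (ls_type, ls_id, adv_router) -> present
        self.state = "normal"                 # normal | ignore | permanent
        self.log = []
        self.warned = False
        self.ignore_timer = 0
        self.consecutive_ignores = 0
        self.stable_minutes = 0

    def non_self_originated(self, router_id):
        return sum(1 for (_, _, adv) in self.lsdb if adv != router_id)

    def receive(self, lsa, router_id):
        """Process one received LSA; returns True if it was installed."""
        if self.state != "normal":
            return False                      # adjacencies are down, nothing is accepted
        self.lsdb[lsa] = True
        count = self.non_self_originated(router_id)
        warn_at = self.maximum * self.threshold_pct // 100
        if count >= warn_at and not self.warned:
            self.warned = True
            self.log.append(f"warning: {count} non-self LSAs, threshold {warn_at}")
        if count > self.maximum:
            self.log.append(f"limit exceeded: {count} > {self.maximum}")
            if not self.warning_only:
                self._enter_ignore()
                return False
        return True

    def _enter_ignore(self):
        self.consecutive_ignores += 1
        self.lsdb.clear()                     # adjacencies torn down, LSDB flushed
        self.warned = False
        self.stable_minutes = 0
        if self.consecutive_ignores >= self.ignore_count:
            self.state = "permanent"          # stays down until the process is cleared
        else:
            self.state = "ignore"
            self.ignore_timer = self.ignore_time

    def tick(self):
        """One minute of elapsed time."""
        if self.state == "ignore":
            self.ignore_timer -= 1
            if self.ignore_timer <= 0:
                self.state = "normal"
        elif self.state == "normal":
            self.stable_minutes += 1
            if self.stable_minutes >= self.reset_time:
                self.consecutive_ignores = 0


def flood(guard, count, router_id="10.255.0.1", adv_router="10.255.0.9", tag=0):
    """Constructed storm: `count` distinct type-5 LSAs from one misbehaving ASBR.
    Returns how many of them the guard installed."""
    return sum(guard.receive((5, f"10.{tag}.{i // 256}.{i % 256}", adv_router), router_id)
               for i in range(count))


if __name__ == "__main__":
    guard = LsdbOverloadGuard(maximum=100)
    print("installed:", flood(guard, 120), "state:", guard.state)
    for line in guard.log:
        print(line)
```

The useful operational point the model makes visible is that warning-only mode keeps the router forwarding while the storm continues, whereas the default mode protects the router's CPU and memory by taking it out of the OSPF topology; the ignore-count ceiling is what keeps a router that keeps re-learning a bad redistribution from flapping forever.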

Hardware

Routers

All (platform independent)


Product Management Contact: cpk@cisco.com

2.7.23) OSPF Area Transit Capability

Description

RFC 2328 defines OSPF area transit capability as the ability of an area to carry data traffic that neither originates nor terminates in the area itself. OSPF Area Transit Capability enables the OSPF ABR to discover shorter paths through the transit area and forward traffic along those paths rather than over the less optimal path through the virtual link.

Hardware

Routers

All (platform independent)


Product Management Contact: cpk@cisco.com

2.7.24) OSPF Per-Interface Link Local Signaling (LLS)

Description

When LLS is enabled at the router level, it is automatically enabled on all interfaces. The OSPF Link-Local Signaling per-Interface feature allows LLS to be selectively enabled or disabled on a specific interface. Disabling LLS on an interface connected to a non-Cisco device that does not correctly handle the LLS data block appended to OSPF packets (and so may be noncompliant with RFC 2328) can prevent problems in forming Open Shortest Path First (OSPF) neighbor adjacencies.

Hardware

Routers

All (platform independent)


Product Management Contact: cpk@cisco.com

2.7.25) VRF Selection using Policy Based Routing

Description

VRF Selection using Policy Based Routing is an extension of VRF Selection based on Source IP Address. This functionality takes advantage of the existing Route-map (which is capable of supporting multiple selection criteria) and uses Policy Based Routing (PBR) as a way to classify packets and set the relevant routing/forwarding decision. Classification criteria include source and/or destination IP addresses, protocol number, source and/or destination port number, IP precedence value, DSCP value, TCP flags, packet length and ICMP type.

Hardware

Routers

Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM and 2691 Routers

Cisco 3631, 3640, 3640A, and 3660 Routers

Cisco 3725 and 3745 Routers

Cisco 7200, 7400 and 7500 Series Routers

Cisco 7301 Router


Product Management Contact: cpk@cisco.com

2.7.26) BGP Transient Memory Usage Enhancement

Description

BGP uses a large amount of running memory when processing updates for full Internet routes. This feature significantly reduces the transient memory (memory that is temporarily allocated and then released) needed to process those updates, so that transient memory usage is more consistent throughout the processing of large Internet routing table updates.

Hardware

Routers

All (platform independent)


Product Management Contact: pepe@cisco.com

2.7.27) BGP Support for TTL Security Check

Description

This feature checks the TTL (Time To Live) value of incoming BGP packets from a peer to reduce the risk of session spoofing attacks (the Generalized TTL Security Mechanism, RFC 3682). All TCP packets for the BGP session are sent with a TTL value of 255. Every incoming TCP packet for the session is checked for a TTL greater than or equal to the minimum derived from the configured hop count: 255 minus the number of hops to the peer.

In most cases, since the peer is one hop away, the minimum accepted TTL is 254. If an EBGP peer is multiple hops away, the hop count must be configured to cover the longest path between the two peers. Note that the check only rejects packets from senders farther away than the configured hop count; an attacker within that radius can still reach the session, so the check complements rather than replaces TCP MD5 authentication of the session.
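The check, applied to constructed IPv4 headers, as an added example that is not code from the bulletin or from Cisco IOS. The hops parameter mirrors the value given to the IOS neighbor ttl-security hops command; the addresses are documentation-range test data, and the header builder leaves the checksum zero because only the TTL field is examined.

```python
import struct

# Added example (not from the bulletin): the BGP TTL security check described
# above, applied to constructed IPv4 headers.  "hops" mirrors the IOS
# "neighbor ... ttl-security hops" value; addresses are 192.0.2.0/24 test data.

TTL_SENT = 255        # every BGP TCP segment leaves the router with TTL 255


def ipv4_header(src, dst, ttl, proto=6, payload_len=20):
    """Minimal 20-byte IPv4 header (checksum left zero; test data only)."""
    def packed(addr):
        return bytes(int(octet) for octet in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, packed(src), packed(dst))


def ttl_of(packet):
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    return packet[8]                  # TTL is the ninth byte of the header


def min_ttl_for(hops):
    """Lowest TTL a genuine peer `hops` routers away can arrive with."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return TTL_SENT - hops


def accept_bgp_segment(packet, hops):
    """True if the segment passes the TTL security check for a peer `hops` away."""
    return ttl_of(packet) >= min_ttl_for(hops)


def ttl_on_arrival(ttl_set_by_sender, routers_in_path):
    """Each router in the path decrements the TTL by one."""
    return max(ttl_set_by_sender - routers_in_path, 0)


def simulate(hops, attacker_routers_away):
    """A genuine peer `hops` hops away versus a spoofer who also sets TTL 255
    but sits `attacker_routers_away` routers from us.  The spoofer cannot
    raise the TTL above 255, so distance alone gives him away."""
    genuine = ipv4_header("192.0.2.1", "192.0.2.2", ttl_on_arrival(TTL_SENT, hops - 1))
    spoofed = ipv4_header("192.0.2.1", "192.0.2.2", ttl_on_arrival(TTL_SENT, attacker_routers_away))
    return {"genuine": accept_bgp_segment(genuine, hops),
            "spoofed": accept_bgp_segment(spoofed, hops)}


if __name__ == "__main__":
    print("directly connected peer, attacker 6 routers away:", simulate(1, 6))
    print("peer 5 hops away, attacker 3 routers away:     ", simulate(5, 3))
```

The second simulation is the caveat from the text in executable form: once the hop count is widened for a multihop peer, any host within that many routers of the BGP speaker passes the TTL check, so the hop count should be kept as small as the real path allows.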

Hardware

Routers

All (platform independent)


Product Management Contact: pepe@cisco.com

2.7.28) CLNS Support for GRE Tunneling of IPv4 and IPv6

Description

This enhancement adds support for GRE encapsulation of IPv4 and IPv6 packets through a CLNS network in accordance with RFC 3147 for statically configured tunnels.

Hardware

Routers

All (platform independent)


Product Management Contact: pepe@cisco.com

2.8) IP Services

Table 9  IP Services Feature Highlights

Services

2.8.1) Network Address Translation Virtual Interface

Cisco IOS Software provides a NAT subsystem with extensive support for protocols that embed IP addresses within the payload using Application Layer Gateway (ALG) functions. Cisco IOS NAT was extended to support VPN VRF tables in Cisco IOS Software Release 12.2(15)T. This support allowed NAT to be centrally deployed and provided a solution for interconnection between communities with overlapping addresses in different VRFs. However, prior to the introduction of this feature, NAT could not be performed on traffic flowing between two interfaces, both marked as inside interfaces within a single device.

The feature offers an alternative way to configure NAT and permits packets between different VRFs to undergo NAT, while traffic from each VRF to common services can also be processed.

Benefits

More deployment options available for service providers offering MPLS-based services.

Reduced complexity for configurations where NAT is required.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

NAT Virtual Interface is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Patrick Grossette ( pgrosset@cisco.com)

2.8.2) Network Address Translation Routemaps Outside-to-Inside Support

Cisco IOS NAT allows route maps to be configured to establish which traffic is eligible for translation. Certain environments and network designs benefit from the ability to consult the defined route maps for traffic flowing from the NAT outside interface toward the NAT inside interface.

This feature provides for the consultation and use of defined route maps for traffic flowing from outside to inside.

Prior to this feature, Cisco IOS NAT did not permit traffic from outside destined to a global address associated with a dynamic entry created through a route map. With this support, customers can use route maps to allocate global addresses and permit return traffic to use these global addresses. Return traffic is verified to match the defined route map in the reverse direction.

Figure 29

NAT Routemap Outside-to-Inside Support

In Figure 29, suppose A and B want to communicate. When each registered with the directory server, a route map was used to allocate its global IP address. With this feature, A is allowed to connect to B directly through R2 (as long as its traffic matches the route map), even though B's global IP address was established using a route map. Other traffic from other devices that does not match the route map is dropped.

Benefits

Provides more flexibility in allocation of global addresses.

Allows for service-based address allocation and selective address translation.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

NAT Routemap Outside-to-Inside Support is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Patrick Grossette ( pgrosset@cisco.com)

2.8.3) Dynamic Host Configuration Protocol Intelligent Services Gateway Enhancements

To make it possible for ISPs (or other address providers) to offer service to customers over a single network infrastructure, Cisco IOS Software features are closely integrated. These enhancements extend the integration between Cisco IOS Software DHCP services and other features.

More specifically, this work enables a router, under administrator control, to specify which address provider, or which address pool, should supply the IP address for a given end station or customer.

This infrastructure will enable other services in future releases.

Benefits

Extends integration of Cisco IOS Software features to meet customer requirements.

Enables more flexible deployment and control over IP address assignments.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

DHCP Intelligent Services Gateway Enhancements is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Patrick Grossette ( pgrosset@cisco.com)

2.8.4) Dynamic Host Configuration Protocol Relay Subscriber Identifier Suboption

The DHCP Relay function in Cisco IOS Software provides support for forwarding DHCP requests to designated DHCP servers.

This feature allows a character string to be configured per interface or subinterface to uniquely identify a subscriber or user. When the DHCP Relay Information option (option 82) is enabled, the configured string is added in the Subscriber-ID suboption (suboption 6, RFC 3993) of the Relay Agent Information option in all DHCP requests forwarded to the specified DHCP servers.

Benefits

Allows more flexibility and granular control over the way IP address assignments are made.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

DHCP Relay Subscriber Identifier Suboption is positioned in the Advanced Enterprise Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Patrick Grossette ( pgrosset@cisco.com)

2.8.5) Virtual Router Redundancy Protocol Message Digest Algorithm 5 Authentication

Hot Standby Router Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP) support Message Digest Algorithm 5 (MD5) authentication of the messages exchanged between first-hop redundancy group members. This feature brings the same capability to Virtual Router Redundancy Protocol (VRRP).

Benefits

Authenticates VRRP advertisements with a keyed MD5 digest, so the shared key itself is never sent over the wire between VRRP group members (plain-text authentication sends the password in the clear) and modified or forged advertisements are rejected.

Provides the same level of security as HSRP and GLBP for users that demand an IETF standard protocol for first-hop redundancy.
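What keyed MD5 authentication does and does not protect is easiest to see on a packet. The following is an added example, not the bulletin's code and not Cisco's implementation: the advertisement header follows RFC 3768, but the digest trailer (MD5 over the packet followed by the key, appended after the header) is the generic routing-protocol construction, and the authentication-type value and trailer placement are assumptions; Cisco's actual VRRP MD5 format is not described on this page.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not from the bulletin): keyed-MD5 authentication of a VRRP
# advertisement.  Header per RFC 3768; the digest trailer is a generic
# routing-protocol construction and NOT Cisco's proprietary VRRP MD5 format.

VRRP_VERSION_TYPE = 0x21      # version 2, type 1 (ADVERTISEMENT)
AUTH_TYPE_KEYED_MD5 = 254     # assumption: private value used only in this illustration


def build_advertisement(vrid, priority, virtual_ips, adver_int=1):
    addrs = b"".join(socket.inet_aton(ip) for ip in virtual_ips)
    header = struct.pack("!BBBBBBH", VRRP_VERSION_TYPE, vrid, priority,
                         len(virtual_ips), AUTH_TYPE_KEYED_MD5, adver_int, 0)
    return header + addrs + bytes(8)   # 8-byte authentication data field, unused here


def sign(advert, key):
    """Append MD5(advert || key).  The key itself never leaves the router."""
    return advert + hashlib.md5(advert + key).digest()


def verify(packet, key):
    """Recompute the digest over everything but the trailer; compare in constant time."""
    if len(packet) < 20 + 16:
        return False
    body, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(body + key).digest()
    return hmac.compare_digest(digest, expected)


def priority_of(packet):
    return packet[2]


def tamper_priority(packet, new_priority):
    """An attacker on the segment rewrites the priority to win the Master election."""
    return packet[:2] + bytes([new_priority]) + packet[3:]


if __name__ == "__main__":
    key = b"vrrp-group-7-key"
    pkt = sign(build_advertisement(7, 120, ["192.0.2.1"]), key)
    print("genuine advertisement verifies:", verify(pkt, key))
    print("forged priority verifies:      ", verify(tamper_priority(pkt, 255), key))
    print("key present on the wire:       ", key in pkt)
```

Two caveats worth keeping in mind when relying on this: the digest gives integrity and origin authentication only, not confidentiality (the advertisement is still readable), and because the advertisement carries no sequence number a captured packet can be replayed unchanged. A long, random key matters because anyone who captures advertisements can test key guesses offline.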

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

MD5 authentication for VRRP is Cisco-specific and not part of the VRRP standard; it is probably not interoperable with equipment from other vendors.

Cisco IOS Packaging

VRRP MD5 Authentication is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Patrick Grossette ( pgrosset@cisco.com)

2.8.6) Extended Prepaid Tariff Switch with Service Selection Gateway

Today, without this enhancement, service providers can already change tariff rates in mid-session in Service Selection Gateway (SSG) prepaid billing mode. One example of a tariff switch is charging a higher rate during business hours and a lower rate after business hours. Another is switching between a volume-based and a time-based tariff (or the reverse), in which case the tariff model itself changes in mid-session. Both tariff switch modes are supported in SSG today, but they require the billing server to provide SSG with two quotas and the time of the tariff switch: the first quota applies before the switch and the second after it, and SSG applies the quotas and tariff rates according to the switch time.

With this extension to prepaid tariff switching, prepaid billing servers can choose to provide a single quota instead of two. SSG uses that one quota and reports back how much of it was consumed before and after the tariff switch. This simplifies the service provider's billing and operations server implementations.

Benefits

Simplified billing server implementation for service providers.

Restrictions

Cannot be used when a tariff type is changed in midsession (for example, a change from a time-based tariff to a volume-based tariff).

SSG accounting must be enabled in order for the SSG Extended Prepaid Tariff Switching feature to be used.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Cisco IOS Extended Prepaid Tariff Switch with SSG is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Murali Kolli ( mkolli@cisco.com)

2.8.7) MAC Address-Based Authorization with Service Selection Gateway

SSG currently authenticates users with Web-based login through Cisco Subscriber Edge Services Manager (SESM) or acting as RADIUS proxy in an Extensible Authentication Protocol (EAP) type of authentication. SSG also can authenticate the users based on their IP address through the functionality called Transparent Auto Logon (TAL).

MAC address-based authentication correlates the DHCP IP address allocation with the MAC address of the client device so that the device can be recognized, and the user authenticated, on subsequent logins.

If a connection request comes from an unknown user, SSG mandates explicit Web login with a captive portal. After initial login, the MAC address of the client device is learned and tracked for further authentication during the next login. Thereafter, SSG implicitly authenticates the user at every login until a predefined time interval has passed.

Benefits

After the user authenticates with Web login, further user logins can be avoided, as long as the user keeps using the same client device, until the predefined time period has passed.

Restrictions

Assumes that the device belongs to the same user all the time. If users swap devices, the identity of the users behind the devices can be misunderstood.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

MAC Address-Based Authorization with SSG is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Murali Kolli ( mkolli@cisco.com)

2.8.8) Service Selection Gateway Aware On-Demand IP Address Renewal

Service Selection Gateway (SSG) deployments present two problems:

1. Subscribers trying to connect to a broadband remote-access server (BRAS) using Ethernet access need to be given a temporary IP address until they are authenticated and are ready to connect to one of the services. Switchover of the IP address to an IP address belonging to the chosen service or SP should happen dynamically.

2. The second situation is for subscribers who are connected and are actively using one of the services. When they try to switch to a new service or SP, if that new service or SP mandates an IP address change to the session (with an IP address from a pool specific to that service or service provider's network), the service selection solution should be aware of that requirement and support such a change. This is an equal access network (EAN) requirement and an application service provider requirement to provide specific services (for example, gaming and Web-sharing applications) belonging to the network.

Benefits

For Ethernet access subscribers, service providers can give a short-term lease of an IP address and renew for a longer lease after authentication.

Subscribers can access services and dynamically change IP address to application service provider distributed addresses. Enables applications access without NAT.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SSG Aware On-Demand IP Address Renewal is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Murali Kolli ( mkolli@cisco.com)

2.8.9) Service Selection Gateway Support for Subnet-Based Authentication

Subnet-based authentication functionality enables SSG to accept a login from one of the users in a subnet (for example, a business) and to treat a complete subnet as authenticated. This functionality will eliminate the need for all the users in a subnet (or a business) to authenticate individually. This enhancement will also enable services for all users in the subnet and generate aggregate billing records.

Subnet-based authentication is supported for both Web login users and transparent autologon (TAL) users.

Benefits

Enables service providers to offer business Internet services, avoiding the need for every user to identify and log in.

Enables service providers to offer pay-per-use Internet service to their SOHO customers.

Provides easy-to-use dedicated video and voice appliances to deliver those services over the same IP network after initial authentication from a personal computer.

Restrictions

Subnet-based authentication is not supported for users with PPP-based access.

Once a subnet-based authentication is enabled, individual subscribers on that subnet are not identified and tracked.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SSG Support for Subnet-Based Authentication is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Murali Kolli ( mkolli@cisco.com)

2.8.10) First Hop Redundancy Protocols—Virtual Router Redundancy Protocol MIB RFC 2787

Cisco First Hop Redundancy Protocols (FHRP) is a collection of three separate features in Cisco IOS Software:

Hot Standby Router Protocol (HSRP)

Gateway Load Balancing Protocol (GLBP)

Virtual Router Redundancy Protocol (VRRP)

Support for the VRRP MIB RFC 2787 enables Cisco customers who have selected the VRRP support within Cisco IOS Software for redundancy, to use SNMP to configure and monitor their VRRP redundancy groups. Customers have complete Set and Get and Trap support.

Benefits

Ability to use SNMP to remotely configure and monitor all aspects of a VRRP redundancy group. Because the MIB objects are writable, SNMP write access to them should be tightly restricted (SNMPv3 with authentication and privacy, and views that limit which objects can be set): a leaked read-write community string would let an attacker reconfigure the first-hop gateway.

Set and configure VRRP on the routers.

Get and retrieve detailed information on the state of the VRRP groups and each router in the VRRP groups.

Traps and the ability to receive indicators for events such as the transition of a router in a VRRP group to `Master' state.

Hardware


Additional Information:

For details of the MIB, refer to RFC 2787 and download the VRRP MIB from Cisco.

Definitions of Managed Objects for the Virtual Router Redundancy Protocol
http://www.ietf.org/rfc/rfc2787.txt

http://tools.cisco.com/ITDIT/MIBS/servlet/index

Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.11) Dynamic Host Configuration Protocol—Dynamic Default Gateway on a Statically Configured Route

This feature enables the dynamic configuration of the Default Gateway for a configured IP Static Route using Dynamic Host Configuration Protocol (DHCP). This enhancement allows a static route to be configured with the keyword `dhcp'.

The DHCP Client within Cisco IOS Software uses DHCP Option 3 (the Router option, which carries the default gateway address) obtained from a DHCP server and plugs that gateway address in as the next hop of the static IP route.

Example:

Route configuration:

ip route 3.3.3.3 255.255.255.255 dhcp

If a DHCP IP address is obtained and Option 3 has also been received from the server (for example, Option 3 contains 3.3.3.2), then show ip route will display the configured static route:
S 3.3.3.3 255.255.255.255 via 3.3.3.2

This can be an alternative to using DHCP Option 33 (Static Route Option), since customers may not always control or influence the DHCP server configurations of their network providers.

Benefits

Simplifies static routing configurations in networks that make use of DHCP.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.12) Dynamic Host Configuration Protocol—Configurable DHCP Client

Configurable Dynamic Host Configuration Protocol (DHCP) Client is the ability to manually configure several DHCP Client options:

Client Identifier Option (option 61)

Allows a user to enter a unique hexadecimal value or a unique null-terminated ASCII string.

This value is expected to be unique for all clients in an administrative domain.

Vendor Class Identifier (option 60)

Allows user to configure the Vendor Class Identifier string to use in the DHCP interaction.

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client.

IP Address Lease Time (option 51)

Allows user to configure the suggested lease time to be included as the Lease Time Option in DHCP interaction.

This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.
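The client options described here (61, 60 and 51) and the relay agent Subscriber-ID suboption from section 2.8.4 are both plain DHCP option TLVs, so one added example covers both. The code below is written for this page and is not Cisco's implementation: option and suboption codes come from RFC 2132, RFC 3046 and RFC 3993; the client identifier, vendor class, lease value and subscriber string are constructed test data; the wire form of the ASCII client identifier (string followed by a NUL, as described above) and the refusal of a request that already carries option 82 are assumptions made for the illustration.

```python
import struct

# Added example (not from the bulletin): building and parsing the DHCP options
# from 2.8.4 (relay agent Subscriber-ID suboption) and 2.8.12 (configurable
# client options 61, 60, 51).  Codes per RFC 2132 / RFC 3046 / RFC 3993; the
# identifiers and lease value are constructed test data.

OPT_LEASE_TIME = 51
OPT_MSG_TYPE = 53
OPT_VENDOR_CLASS = 60
OPT_CLIENT_ID = 61
OPT_RELAY_INFO = 82
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1       # RFC 3046
SUBOPT_SUBSCRIBER_ID = 6    # RFC 3993
DHCPDISCOVER = 1


def tlv(code, value):
    if len(value) > 255:
        raise ValueError("option value too long for a single TLV")
    return bytes([code, len(value)]) + value


def parse_tlvs(blob):
    """Decode code/length/value triples; pad (0) is skipped, END (255) stops parsing."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out


def client_identifier(hex_value=None, ascii_value=None):
    """Option 61 value in the two forms the configurable client accepts."""
    if hex_value is not None:
        return bytes.fromhex(hex_value)
    if ascii_value is None:
        raise ValueError("need a hex or an ASCII identifier")
    return ascii_value.encode("ascii") + b"\x00"   # null-terminated (assumption, see text)


def client_options(client_id, vendor_class, lease_seconds):
    """Options a client configured per 2.8.12 puts in its DHCPDISCOVER (without END)."""
    return (tlv(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))
            + tlv(OPT_CLIENT_ID, client_id)
            + tlv(OPT_VENDOR_CLASS, vendor_class.encode("ascii"))
            + tlv(OPT_LEASE_TIME, struct.pack("!I", lease_seconds)))


def relay_add_subscriber_id(options, subscriber_id, circuit_id=None):
    """What the relay does per 2.8.4: append option 82 carrying the interface's
    configured subscriber string in suboption 6 (plus circuit-id if given).
    Added check: a request that already carries option 82 came from a client or
    rogue relay choosing its own identity, so it is refused, not overwritten."""
    if OPT_RELAY_INFO in parse_tlvs(options):
        raise ValueError("option 82 already present in client request")
    sub = b""
    if circuit_id is not None:
        sub += tlv(SUBOPT_CIRCUIT_ID, circuit_id)
    sub += tlv(SUBOPT_SUBSCRIBER_ID, subscriber_id.encode("ascii"))
    return options + tlv(OPT_RELAY_INFO, sub)


def server_view(options):
    """What a DHCP server sees: top-level options plus the option 82 suboptions."""
    top = parse_tlvs(options)
    view = {
        "client_id": top.get(OPT_CLIENT_ID),
        "vendor_class": top.get(OPT_VENDOR_CLASS, b"").decode("ascii"),
        "requested_lease": (struct.unpack("!I", top[OPT_LEASE_TIME])[0]
                            if OPT_LEASE_TIME in top else None),
    }
    if OPT_RELAY_INFO in top:
        sub = parse_tlvs(top[OPT_RELAY_INFO])
        view["subscriber_id"] = sub.get(SUBOPT_SUBSCRIBER_ID, b"").decode("ascii")
        view["circuit_id"] = sub.get(SUBOPT_CIRCUIT_ID)
    return view


if __name__ == "__main__":
    discover = client_options(client_identifier(hex_value="0100a0c9e0f1f2"), "ciscopnp", 86400)
    relayed = relay_add_subscriber_id(discover, "dsl-line-00421",
                                      circuit_id=b"\x00\x04\x00\x10") + bytes([OPT_END])
    print(server_view(relayed))
```

The server-side view is the reason the subscriber identifier matters: an address pool or a per-subscriber policy keyed on suboption 6 is only as trustworthy as the relay that inserted it, which is why the example refuses client-supplied option 82 instead of silently replacing it.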

Benefits

Provides customers additional flexibility in the allocation and control of their IP Address space.

Hardware


Additional Information: http://www.ietf.org/rfc/rfc2132.txt

Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.13) First Hop Routing Protocols—Object Tracking List Support

First Hop Routing Protocols (FHRP) Object Tracking List Support refers to the ability to group multiple objects, track the state of these objects collectively, and influence the FHRP design dynamically.

FHRP Object Tracking List support influences Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) to initiate a fail-over to another router in the group. It also influences GLBP to shift the IP traffic of a specific Gateway Load Balancing Protocol (GLBP) router to the rest of the GLBP group.

FHRP is comprised of GLBP, HSRP, and VRRP. Previously these protocols could track only a single "object" at a time, using the information obtained from that "object" to decide whether to fail over from one redundant gateway router to another (HSRP or VRRP), or to shift the traffic of one GLBP router to the rest of the GLBP group.

The result of tracking an object is to perform some pre-defined action when this object state changes. For example, the user can track an interface when there is a failure and change the HSRP priority such that an election takes place and a new router takes over as the primary HSRP router. When the interface comes back up, the user can change the HSRP priority again, so the original primary router takes over its role again.

With the "Object Tracking list" enhancement, multiple objects can now be defined in a list and actions will be determined by collective state or combined status of the defined objects. It provides logical operations, threshold and weighting, and percentage comparison among the tracking objects defined in the list. An object tracking list can be defined as follows:

Each object in the list of tracked objects has an associated weight. This weight can be set by the user, or may be calculated automatically if all the objects are to have equal weight; the latter is the default.

A threshold value will be defined by the user and by comparing the state of each object and its associated weight, the state of the "track list" object will be determined depending on whether the threshold value has been met.

Use of the logical AND function states that the "track list" object is "UP" only when every object defined within the list is "UP"; if any one object is "DOWN", the "track list" object is "DOWN".

Use of the logical OR function states that when any object defined within the list provides an "UP" state, then the "track list" object will also define an "UP" state.

Configuration examples:

track 1 interface e0/1 line-protocol
track 2 interface e0/2 line-protocol
track 3 interface e0/3 line-protocol
!
track 4 list threshold weight
  object 1 weight 10
  object 2 weight 20
  object 3 weight 10
  threshold weight up 30 down 29
!
track 5 list boolean and
  object 1
  object 2
  object 3
  object 4
!
track 6 list boolean or
  object 1
  object 2
  object 3
  object 4
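The following Python model of how a track list derives its state from its member objects is an added example, not Cisco code, and is written to mirror the configuration fragment above. The object ids and weights are those of track 4, 5 and 6; the evaluation rules are this model's reading of the text: a boolean AND list is UP only when every member is UP, a boolean OR list when at least one is, a weight list scores the sum of the weights of UP members, and a percentage list scores the share of members that are UP (weights do not apply in percentage mode). A threshold list goes UP at a score at or above the up threshold, DOWN at or below the down threshold, and keeps its previous state in between, which is the hysteresis that a gap between the two thresholds buys you.

```python
"""Model of Cisco IOS 'track N list' state evaluation (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TrackList:
    members: Dict[int, int]          # tracked object id -> weight (model default weight is 1)
    mode: str                        # "and", "or", "weight", "percentage"
    up: int = 0                      # threshold at or above which the list is UP
    down: int = 0                    # threshold at or below which the list is DOWN
    state: bool = False              # a list starts DOWN until first evaluated
    history: List[bool] = field(default_factory=list)

    def score(self, states: Dict[int, bool]) -> int:
        """Weighted sum (weight mode) or percentage of UP members (percentage mode)."""
        up_members = [oid for oid in self.members if states.get(oid, False)]
        if self.mode == "weight":
            return sum(self.members[oid] for oid in up_members)
        return 100 * len(up_members) // len(self.members)   # integer percentage

    def evaluate(self, states: Dict[int, bool]) -> bool:
        """Apply the list's rule to the current member states and return the new list state."""
        up_members = [oid for oid in self.members if states.get(oid, False)]
        if self.mode == "and":
            self.state = len(up_members) == len(self.members)
        elif self.mode == "or":
            self.state = bool(up_members)
        elif self.mode in ("weight", "percentage"):
            s = self.score(states)
            if s >= self.up:
                self.state = True
            elif s <= self.down:
                self.state = False
            # between down and up the previous state is kept (hysteresis)
        else:
            raise ValueError(f"unknown list mode {self.mode!r}")
        self.history.append(self.state)
        return self.state


def equal_weights(object_ids, weight=1):
    """The default case from the text: every object gets the same weight."""
    return {oid: weight for oid in object_ids}


# The three lists from the configuration fragment.
track4 = TrackList({1: 10, 2: 20, 3: 10}, "weight", up=30, down=29)
track5 = TrackList(equal_weights([1, 2, 3, 4]), "and")
track6 = TrackList(equal_weights([1, 2, 3, 4]), "or")

if __name__ == "__main__":
    # Only objects 1 and 3 up: weight 20, at or below 'down 29', so track 4 stays DOWN.
    print("track 4 (1,3 up):", track4.evaluate({1: True, 3: True}))
    # Objects 1 and 2 up: weight 30 reaches 'up 30', track 4 goes UP.
    print("track 4 (1,2 up):", track4.evaluate({1: True, 2: True}))
```

Because track 4's up and down thresholds are adjacent (30 and 29), it flaps with every weight change across that boundary; widening the gap, for example up 30 down 10, keeps the list UP while a single low-weight object bounces.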

Benefits

Provides customers additional granularity and control when designing network availability.

Customers can customize the combination of "objects" that will initiate failing over or redistribution of traffic within an FHRP group.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.14) Network Address Translation—Support for H.323 Fragmented Control Messages

Control messages for most multimedia applications (for example, H.323 and Skinny Client Control Protocol) may arrive at a router as fragments, for reasons including a low MTU at the origin, TCP window size limitations, or fragmentation by a middlebox. IP-level (Layer 3) fragmentation is common and well understood, but some application control messages can also span several IP datagrams: for example, the control message of an application that runs over TCP can arrive at a router running Network Address Translation (NAT) as multiple, unfragmented IP (TCP) packets.

Currently Cisco IOS NAT expects the entire control message to be present in a single IP packet. If NAT receives a control message that is fragmented, the packet is simply dropped.

This enhancement supports:

H.323 control messages that span several IP fragments.

H.323 control messages that span several non-fragmented IP datagrams.

To translate the addresses and ports embedded in the payload, NAT must reassemble the fragments so that the complete control message is available. Once the set of packets that make up a complete control message has been received, the complete message is processed by NAT and the packets are routed on to their destination.

Benefits

Provides enhanced support for H.323 based Voice over IP sessions.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.15) IP over IPv6 Tunnels

Description

IP over IPv6 tunnels encapsulates IPv4 or IPv6 packets in IPv6 packets for delivery across a native IPv6 infrastructure.

Figure 30

IP over IPv6 Tunnels

Benefits

IPv6 VPNs over a native IPv6 infrastructure, enabled through IPv6 over IPv6 tunnels.

Allows IPv6 multicast traffic to cross a native IPv6 infrastructure that is not IPv6 multicast enabled.

Enables IPv6 multihoming as proposed in RFC 3178.

IPv4 sites can be connected over a native IPv6-only infrastructure.

Refer to the following document for additional information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_vcg.htm

Hardware

Routers

Cisco 1700-7500 Series Routers


Product Management Contact: pgrosset@cisco.com

2.8.16) IPv6 Policy-Based Routing

Description

This software release carries forward the IPv6 policy-based routing support introduced in Cisco IOS Release 12.3T. Policy-based routing provides a tool for expressing and implementing the forwarding and routing of packets according to policies defined by network administrators; in effect, it lets policy override routing protocol decisions. Policy-based routing includes a mechanism for selectively applying policies based on an access list or packet size. The actions taken can include routing packets over user-defined routes or setting the precedence and type of service bits.

Benefits

Source-Based Transit Provider Selection—Internet service providers and other organizations can use policy-based routing to route traffic originating from different sets of users through different Internet connections across the policy routers.

Quality of Service (QoS)—Organizations can provide QoS to differentiated traffic by setting the Traffic Class values in the IPv6 packet header at the periphery of the network and leveraging queuing mechanisms to prioritize traffic in the core or backbone of the network.

Cost Savings—Organizations can achieve cost savings by distributing interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost, switched paths.

Load Sharing—In addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS Software has always supported, network managers can now implement policies to distribute traffic among multiple paths based on the traffic characteristics.

Refer to the following document for additional information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_vcg.htm

Hardware

Routers

Cisco 1700-7500 Series Routers


Product Management Contact: pgrosset@cisco.com

2.8.17) NAT—Stateful Failover Asymmetric Outside-to-Inside

Description

The Stateful NAT feature enables two NAT routers to participate in a primary-backup design. One router is designated the primary NAT router and the second takes the backup NAT role. As the primary NAT router actively forwards traffic, it updates the backup NAT router with the NAT translation state (NAT translation table entries). If the primary NAT router fails or is out of service, the backup NAT router automatically takes over. When the primary comes back into service it resumes its role and requests an update from the backup NAT router.

The expected behavior in Stateful NAT phase 1 is that all sessions pass through the primary NAT router, which controls the NAT translation entries, unless the primary is unavailable. This preserves the integrity of the translation information by guarding against a packet relevant to NAT session control traversing the backup without the primary being aware of it. When the translation information is not synchronized, the IP session in question eventually stops working.

Figure 31

Stateful NAT—Asymmetric Outside-to-Inside Support—Before

With the Stateful Failover Asymmetric Outside-to-Inside enhancement, return traffic is handled by either the primary or the backup NAT translator and NAT translation integrity is preserved.

When the Backup NAT router receives asymmetric IP traffic and performs NAT to the packets, it will update the Primary NAT router to ensure both the primary and backup NAT Translation tables remain synchronized.

Figure 32

Stateful NAT—Asymmetric Outside-to-Inside Support—After

This enhancement is the next step towards having two or more NAT devices actively performing NAT and backing each other up or `Active-Active' NAT.

Benefits

Ability to support multiple routing paths from outside-to-inside.

Ability to handle IP Flow or Per Packet load balancing of asymmetric routing from outside-to-inside.

Improved ROI as the Backup NAT router is not sitting idle.

Refer to the following document for additional information:

For an overview of the initial Stateful NAT capability, refer to:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftsnat.htm

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://www.cisco.com/go/fn/


Product Management Contact: mdenny@cisco.com

2.8.18) NAT—Stateful Failover for Embedded Addressing

Description

Stateful Failover Embedded Addressing enhancement allows the Secondary (backup) NAT router to properly handle NAT and deliver IP traffic.

This feature is an enhancement to the Stateful Network Address Translation (NAT) feature introduced in Release 12.2(13)T. The initial Stateful NAT feature targeted IP header translations only, with a plan to deliver embedded translation support in a phase 2 release.

Cisco IOS NAT inspects all IP traffic entering interfaces configured with the NAT feature. The inspection matches the incoming traffic against a set of translation rules and performs an address translation if a match occurs. For example:

Matching a source address range.

Matching a specific destination address range.

Matching a list of applications known to NAT which might:

·  Require a specific source port for control plane negotiation.

·  Embed source IP addresses within the application protocol.

Some of the applications and protocols which embed Source Port or IP Address information include:

H.323 RAS

DNS A and PTR queries

NetMeeting Internet Locator Server (ILS)

ICMP

SMTP

PPTP

Cisco Selsius Skinny Client Protocol (SCCP)

A complete list of the Application Layer Gateways (ALGs) currently supported by Cisco IOS NAT can be found at: http://www.cisco.com/en/US/tech/tk648/tk361/tech_brief09186a00801af2b9.html

Figure 33

Cisco IOS NAT ALG Support

When the Stateful NAT capability performs a failover, all of the Application Layer Gateways (applications and protocols) supported by Cisco IOS NAT at the time of this release seamlessly failover.

Figure 34

Stateful NAT—Primary to Secondary State Synchronization

Figure 35

Stateful NAT—Failover to the Secondary NAT

Benefits

Ability to seamlessly failover translated IP sessions with traffic that includes embedded IP addressing (VoIP applications, FTP, DNS—refer to ALG chart and URL provided).

Refer to the following document for additional information:

For an overview of the initial Stateful NAT capability, refer to:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftsnat.htm

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://www.cisco.com/go/fn/


Product Management Contact: mdenny@cisco.com

2.8.19) NAT—Static IP Support

Description

The majority of users on public WLAN networks use DHCP for dynamic address assignment; however, some percentage of users have a statically assigned IP address that is specific to their "home" network.

With a static address assignment these users cannot attach to a public WLAN network and gain access to the IP network and services offered.

Figure 36

Public WLAN Access for Static IP Users Before NAT—Static IP Support

The NAT—Static IP enhancement allows public WLAN providers to offer service to customers that use static IP address assignment for their users.

No reconfiguration is required on the part of the user with the statically assigned IP Address. The user can roam into a public WLAN "hotspot", login to the public WLAN network and immediately gain access to services offered.

The Cisco IOS NAT feature detects the user trying to access the network and dynamically assigns the user a unique routable IP address for the life of the session. The feature:

Works with ARP to ensure proper reachability.

Translates to and from the static source IP address and a routable unique IP address on the public WLAN network.

Generates user accounting information processed by the Cisco Service Selection Gateway (SSG) feature.

Handles all clean up when the user has logged off.

Figure 37

Public WLAN Access for Static IP Users with NAT—Static IP Support

Benefits

Ability for static IP address users to connect to a public WLAN network.

Prevents a malicious client from blocking access to a valid host on the outside domain.

No client reconfiguration needed for clients configured with static IP addresses.

Accounting information generated per user session.

The Access Zone Router assists in supporting the following cases:

Web login using static IP address.

802.1x login using static IP address.

Hardware

Routers

See Feature Navigator for supported platforms: http://www.cisco.com/go/fn/


Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.20) ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry

Description

Prior to this enhancement, multiple application ports could be listed on the same Access Control Entry (ACE) only if they were contiguous (a port range); a separate ACE was required for each noncontiguous port.

This enhancement enables customers to specify an ACE with noncontiguous application ports, which reduces the number of ACEs within an Access Control List (ACL) and simplifies management of their ACLs.

There is a maximum of 10 source ports and 10 destination ports per ACE.

Example of ACL support for noncontiguous ports on an ACE. Before the enhancement, a named extended ACL needed one ACE per port (the ACL name is illustrative; TFTP runs over UDP, so it needs its own ACE either way):

ip access-list extended HOST-TO-SERVER
 permit tcp host 100.52.65.11 host 172.23.56.10 eq www
 permit tcp host 100.52.65.11 host 172.23.56.10 eq smtp
 permit tcp host 100.52.65.11 host 172.23.56.10 eq lpd
 permit tcp host 100.52.65.11 host 172.23.56.10 eq telnet
 permit udp host 100.52.65.11 host 172.23.56.10 eq tftp

With the enhancement:

ip access-list extended HOST-TO-SERVER
 permit tcp host 100.52.65.11 host 172.23.56.10 eq www smtp lpd telnet
 permit udp host 100.52.65.11 host 172.23.56.10 eq tftp
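The following Python routine is an added example, not Cisco code, showing how an existing one-port-per-ACE list can be collapsed into noncontiguous-port ACEs without changing what the ACL matches. It merges only consecutive entries that share action, protocol, source and destination, so an intervening deny keeps its position and first-match semantics are preserved, and it splits a group at the 10-port ceiling stated above. The ACL name and the port list in the sample input are constructed for the example.

```python
"""Collapse single-port ACEs into noncontiguous-port ACEs (added example, not Cisco code)."""
MAX_PORTS_PER_ACE = 10   # per-ACE limit from the bulletin


def merge_aces(aces, max_ports=MAX_PORTS_PER_ACE):
    """aces: (action, protocol, source, destination, port-name) tuples, one port each.

    Returns ACE text lines. Only runs of consecutive ACEs with the same
    (action, protocol, source, destination) are merged, preserving order.
    """
    out = []
    run_key, run_ports = None, []

    def flush():
        if run_key is None:
            return
        action, proto, src, dst = run_key
        ports = list(dict.fromkeys(run_ports))            # dedupe, keep order
        for i in range(0, len(ports), max_ports):         # split at the per-ACE limit
            chunk = " ".join(ports[i:i + max_ports])
            out.append(f"{action} {proto} host {src} host {dst} eq {chunk}")

    for action, proto, src, dst, port in aces:
        key = (action, proto, src, dst)
        if key != run_key:
            flush()
            run_key, run_ports = key, []
        run_ports.append(port)
    flush()
    return out


def render_named_acl(name, aces):
    """Emit the merged entries as a named extended ACL."""
    return "\n".join([f"ip access-list extended {name}"] + [" " + a for a in merge_aces(aces)])


# Constructed 'before' list: one port per ACE, a UDP entry that cannot share a TCP ACE,
# and a deny that must stay between the entries around it.
BEFORE = [
    ("permit", "tcp", "100.52.65.11", "172.23.56.10", "www"),
    ("permit", "tcp", "100.52.65.11", "172.23.56.10", "smtp"),
    ("permit", "tcp", "100.52.65.11", "172.23.56.10", "lpd"),
    ("permit", "tcp", "100.52.65.11", "172.23.56.10", "telnet"),
    ("permit", "udp", "100.52.65.11", "172.23.56.10", "tftp"),
    ("deny",   "tcp", "100.52.65.11", "172.23.56.10", "ftp"),
    ("permit", "tcp", "100.52.65.11", "172.23.56.10", "pop3"),
]

if __name__ == "__main__":
    print(render_named_acl("HOST-TO-SERVER", BEFORE))
```

The seven input entries become four: the four TCP permits merge, the UDP entry and the deny stay separate, and the trailing pop3 permit is not merged across the deny.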

Benefits

Reduction in the number of entries within an ACL group.

Improved management of large ACL groups.

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://www.cisco.com/go/fn/


Product Management Contact: mdenny@cisco.com

2.8.21) Rate Based Satellite Control Protocol (RBSCP)

Description

Two well-known characteristics of satellite links cause very poor TCP performance:

Higher bit-error rates over the satellite link, as compared to terrestrial links, cause an increase in lost packets.

Long round-trip time (RTT) over the satellite link, typically > 500ms.

These characteristics cause the following problems:

The slow start time is much longer (due to the long RTT), increasing the time it takes for a TCP sender to fully ramp up its sending rate.

The incorrect interpretation of packet loss by TCP as congestion results in a congestion window collapse such that only one MTU of data may be allowed to be outstanding. In addition, the long RTT prevents the use of localized link retransmissions as an effective method to mitigate the packet loss.

The combination of these two issues keeps a TCP sender in perpetual slow start, sending well below the available bandwidth of the satellite link. The traditional solution to this problem is a disruptive Performance Enhancing Proxy (PEP) that improves TCP performance across the satellite link.

Figure 38

IP Over Satellite Before—Disruptive TCP Performance Enhancing Proxy Model

Note that there are multiple boxes in a customer PEP configuration. Hosts on the remote side connect to the Internet through their default router. The router has two links, one to the network of hosts and the other to a PEP box. The router considers the PEP to be its upstream gateway to the Internet, so it routes all traffic to the PEP. The PEP terminates any TCP connection flowing to the Internet, spoofing all Internet addresses and ports. Traffic is buffered and then retransmitted through a single PEP connection over the satellite. The PEP on the other side of the satellite connection receives the data and transmits it over separate TCP connections to the destination host on the Internet, one for each connection between the remote side and the network side. Data coming from the network side is translated in a similar manner towards the remote side. Any non-TCP traffic is intercepted and forwarded as well.

The advantages the customer gains using this disruptive PEP configuration are the following:

Elimination of the TCP flows across the satellite misidentifying dropped packets as congestion.

Full bandwidth utilization of the satellite link by the elimination of the classic TCP slow-start and initial cwnd variables.

Increased bandwidth by minimizing the amount of TCP-Ack traffic transmitted over the satellite link (allowing for any overhead).

Greatly reduced TCP slow start time from the end host perspective by generating TCP ACKs at each local router.

The disadvantages to this configuration are quite numerous including (refer to Section 4 of RFC 3135 for more):

Each new protocol introduced to the Internet needs special handling to assure the PEPs know and can handle the new type of traffic (examples of upcoming protocols include SCTP and DCCP).

Encrypted traffic such as IPsec cannot be enhanced, since the end hosts control the encryption and the PEP cannot see or rewrite the TCP headers. The only exception is if the end hosts are willing to terminate the IPsec connection at the PEP and trust the provider to send the data in some secure fashion over the satellite link. Alternatively, IPsec traffic may be tunneled inside TCP flows, which requires client and server software at the end hosts.

Loss of shared fate in an end-to-end communication path. Fate is shared because if one of the end hosts fails, the transport will also fail and provide an appropriate indication to the peer end host. In a disruptive PEP, the PEP will provide a local ACK for data that has not been delivered to the end host. This has the consequence that the end hosts may not be aware of a crash or other path failure for some time.

A simple protocol, Rate Based Satellite Control Protocol (RBSCP), will be used in place of PEP. This protocol will allow two routers to control and monitor the sending rates of the satellite link, thus acquiring better bandwidth utilization. RBSCP will also retransmit lost packets over the satellite link to increase link reliability and help keep the end host TCP senders out of slow start.

Figure 39

IP Over Satellite After with Rate Based Satellite Control Protocol (RBSCP)

RBSCP as a Virtual Interface

RBSCP is implemented with a virtual tunnel interface in Cisco IOS Software, and it will look and behave like any other tunnel interface within the router. IP traffic will be sent across the satellite link with appropriate modifications and/or enhancements, as determined by the router configuration.

Time Warp Delay Insertion

One side of the router pair delays frames in transit between the two sides. This delay increases the RTT that the end host's TCP (or other protocol) stack estimates; this "time-warps" the sender into giving RBSCP room to attempt localized, limited retransmission and recovery of lost TCP (or other protocol) frames. The delay allows for a single retransmission before the end host's TCP sender attempts retransmission and collapses its congestion window.

TCP ACK Splitting

Additional performance improvements can be made for clear-text TCP senders. When the satellite link is under utilized, each router may perform ACK splitting for clear-text TCP ACKs traversing the link. This causes the end host TCP sender to open the congestion window more quickly and thus increases bandwidth utilization.

Benefits

Single device handles both routing and optimized IP over the satellite network.

Non-disruptive software solution preserves the end-to-end IP session.

Maximizes link bandwidth utilization while reducing slow start.

Supports IPsec encryption of end host clear text traffic across the satellite link (e.g. a VPN service configuration).

Does not require any stack/software changes or additional software at the end hosts (e.g. TCP stack changes, additional client-server software, etc.).

Supports the use of existing Cisco IOS Software features such as QoS, IPsec, and others.

Hardware

Routers

Use Feature Navigator to find the latest supported platform information:
http://www.cisco.com/go/fn/


Product Management Contact: mdenny@cisco.com

2.8.22) IPv6 Anycast Address

An IPv6 Anycast address is an address that is assigned to a set of interfaces that typically belong to different nodes. A packet sent to an Anycast address is delivered to the closest interface—as defined by the routing protocols in use—identified by the anycast address. Anycast addresses are syntactically indistinguishable from unicast addresses because anycast addresses are allocated from the unicast address space. Assigning an IPv6 unicast address to more than one interface makes a unicast address an anycast address.

Example (Figure 40): Cisco IOS Software routers acting as 6to4 relays (see RFC 3056) can be configured with the 6to4 relay anycast address defined in RFC 3068.

Figure 40

Anycast Prefix for 6to4 Relay

Benefits

Compliance with the IPv6 addressing architecture document.

Enhanced scalability, discovery and failure recovery of 6to4 Relay.

Hardware

Routers

Cisco 830—7500 Series


Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/

RFC 3068—An Anycast Prefix for 6to4 Relay Routers

Product Management Contact: ipv6-pm@cisco.com

2.8.23) Border Gateway Protocol—Policy Accounting Output Interface Accounting

Border Gateway Protocol (BGP) policy accounting measures and classifies IP traffic that is sent to, or received from, different peers. Policy accounting was previously available on an input interface only. BGP Policy Accounting Output Interface Accounting introduces several extensions to enable BGP policy accounting on an output interface, and to include accounting based on a source address for both input and output traffic on an interface. Counters based on parameters such as community list, autonomous system number, or autonomous system path are assigned to identify the IP traffic.

Benefits

Account for IP Traffic Differentially

BGP policy accounting classifies IP traffic by autonomous system number, autonomous system path or community list string, and increments packet and byte counters. Policy accounting can also be based on the source address. Service Providers can account for traffic and apply billing, according to the origin of the traffic or the route that specific traffic traverses.

Efficient Network Circuit Peering and Transit Agreement Design

Implementing BGP policy accounting on an edge router can highlight potential design improvements for peering and transit agreements.

Hardware

Routers

Cisco 2600—7500 Series Routers


Product Management Contact: routing-pm@external.cisco.com

2.8.24) ACL—Filtering IP Options and IP Options Selective Drop

IP Options provide control functions that are required in some situations but unnecessary for the most common communications. IP Options include provisions for timestamps, security, and special routing.

IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways). What is optional is their transmission in any particular datagram, not their implementation.

ACL Support for Filtering IP Options and ACL IP Options Selective Drop are separate enhancements that provide the customer total flexibility in determining how to best filter on IP traffic that include IP Options fields.

ACL Support for Filtering IP Options, allows you to filter packets based on a particular "option" value.

ACL IP Options Selective Drop, allows you to either `Drop' all packets that contain IP Options or `Ignore' in which case the packets are forwarded as usual.
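The following Python code is an added example, not Cisco code, that parses the IPv4 options field and applies the two policies just described: selective drop, which keys only on whether the header carries options at all (IHL greater than 5), and per-option ACL filtering, which needs the option list parsed. The option type codes are the RFC 791 values plus router alert (RFC 2113); the test packets, addresses and the build_ipv4() helper are constructed for the example. A header whose option lengths do not add up is treated as a deny, which is the safe choice for a malformed packet.

```python
"""IPv4 option parsing with drop/ignore and per-option ACL policies (added example, not Cisco code)."""
import struct

# Option type byte = copied flag (1 bit) | class (2 bits) | number (5 bits); values per RFC 791 / RFC 2113.
OPTION_NAMES = {
    0: "eool", 1: "nop", 7: "record-route", 68: "timestamp", 130: "security",
    131: "lsr", 136: "stream-id", 137: "ssr", 148: "router-alert",
}
SOURCE_ROUTING = {131, 137}          # loose and strict source route: the classic ones to deny


def parse_options(pkt: bytes):
    """Return the option type bytes present in the IPv4 header, in order; raise on malformed lengths."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    opts = pkt[20:ihl]
    found, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                          # end of option list: the rest is padding
            break
        if t == 1:                          # no-op is a single byte
            found.append(t)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append(t)
        i += length
    return found


def selective_drop(pkt: bytes, mode: str) -> str:
    """Global policy: 'drop' discards any packet carrying options, 'ignore' forwards it as usual."""
    has_options = (pkt[0] & 0x0F) > 5
    if mode == "drop" and has_options:
        return "drop"
    return "forward"


def acl_option_filter(pkt: bytes, denied) -> str:
    """ACL policy: deny when any option present is in the denied set; malformed headers are denied."""
    try:
        present = set(parse_options(pkt))
    except ValueError:
        return "deny"
    return "deny" if present & denied else "permit"


def build_ipv4(options: bytes = b"", payload: bytes = b"",
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\xc0\x00\x02\x01") -> bytes:
    """Constructed test packet: minimal IPv4 header, options padded with EOOL to a 4-byte boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0, src, dst)
    return header + options + payload


LSRR_PKT = build_ipv4(bytes([131, 7, 4, 192, 0, 2, 9]))   # loose source route, one hop 192.0.2.9
RA_PKT = build_ipv4(bytes([148, 4, 0, 0]))                  # router alert, value 0
PLAIN_PKT = build_ipv4()                                    # no options

if __name__ == "__main__":
    for name, pkt in (("lsrr", LSRR_PKT), ("router-alert", RA_PKT), ("plain", PLAIN_PKT)):
        names = [OPTION_NAMES.get(t, str(t)) for t in parse_options(pkt)]
        print(name, names, selective_drop(pkt, "drop"), acl_option_filter(pkt, SOURCE_ROUTING))
```

The router-alert packet illustrates the restriction noted below: global drop mode discards it along with the source-routed packet, whereas the per-option ACL lets it through while still denying LSRR and SSRR. On the router the equivalents are the option keyword in a named extended ACL and the global ip options drop or ip options ignore command.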

Benefits

Filters packets that contain IP Options out of the network, either selectively by option value (filtering) or outright (drop mode), relieving downstream routers and hosts of the load from options packets.

Reduced load on the Route Processor (RP) for options that require RP processing on distributed systems. Previously such packets were always routed to or processed by the RP CPU; the filtering, ignore and drop forms now keep them from impacting the RP.

Hardware


Restrictions

Resource Reservation Protocol (RSVP) signaling for Multiprotocol Label Switching Traffic Engineering (MPLS TE), Internet Group Management Protocol Version 2 (IGMPv2), and other protocols that rely on IP Options (such as router alert) may not function in drop or ignore mode if this feature is configured.

Turbo ACLs do not support ACLs with entries that filter using the option keyword, and such ACLs will not be Turbo compiled. This restriction does not affect any other ACLs on the router. In general, not using Turbo ACLs in such cases is not a performance issue, because as of Release 12.3(2)T the performance of software-based ACLs is on the order of Turbo ACLs or faster.

The ACL—Support for Filtering IP Options feature can be used only with named, extended ACLs.

Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtipofil.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s23/sel_drop.htm

RFC 791: complete list and description of IP Options
http://www.faqs.org/rfcs/rfc791.html

Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.25) NAT—Performance Related Enhancements

A collection of enhancements aimed at improving the overall performance of the Network Address Translation (NAT) feature within Cisco IOS Software.

The majority of the work is transparent to the end customer; however, under certain circumstances customers should see:

Optimized CPU utilization (the router takes longer to ramp to higher CPU percentages). The effect varies with the type of IP traffic inspected by NAT, the specific platform, and the other features active in the router.

Improved throughput when using NAT.

The specific enhancements are:

Support for Cisco Express Forwarding (CEF): TCP flags (SYN, FIN and RST) are now handled in the CEF path, and translation entries are created in the CEF path.

Translation table optimization: improved creation and searching of translations, and pool and port list optimization.

Support for fragmented packets.

Benefits

Improved efficiency of CPU utilization when Network Address Translation is enabled in a router.

Overall improved throughput, may vary slightly depending on the type and complexity of protocols NAT is inspecting.

Hardware


Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.26) NAT—Rate Limiting NAT Translation

This enhancement, "NAT—Rate Limiting NAT Translation", extends the existing capability within Cisco IOS Network Address Translation (NAT) to configure a maximum number of concurrent NAT translations in the router. The original capability was sufficient for the initial implementation of NAT, but with the increase in DoS attacks and the variety of provider edge aggregation designs, a more flexible method of controlling how, and to whom, NAT translations are allocated is needed.

The enhancement allows customers to configure a NAT Rate Limiting hierarchy within each NAT router:

Maximum number of concurrent translations for the router

Maximum number of concurrent translations applied to each MPLS VPN (assuming the router is part of an MPLS network)

Maximum number of concurrent translations for an individual MPLS VPN (assuming the router is part of an MPLS network)

Maximum number of concurrent translations applied to an ACL

The ACL might be used to describe a specific subnet to apply this maximum to, or a specific prefix list, or prefix lists

Rate limiting can be applied to multiple ACLs with the router

Maximum number of concurrent translations applied to all IP Hosts (All-hosts) transiting the router

Maximum number of concurrent translations for an individual IP Host

This value will override the `All-hosts' maximum if configured for the specific IP host

Examples

Setting a General NAT Limit

The following example shows how to limit the maximum number of allowed NAT entries to 300:

Router(config)# ip nat translation max-entries 300  

Setting NAT Limits for VRF Instances

The following example shows how to limit each VRF instance to 200 NAT entries:

Router(config)# ip nat translation max-entries all-vrf 200

The following example shows how to limit the VRF instance named "vrf1" to 150 NAT entries:

Router(config)# ip nat translation max-entries vrf vrf1 150

The following example shows how to limit the VRF instance named "vrf2" to 225 NAT entries, but limit all other VRF instances to 100 NAT entries each:

Router(config)# ip nat translation max-entries all-vrf 100 
Router(config)# ip nat translation max-entries vrf vrf2 225  

Setting NAT Limits for Access Control Lists

The following example shows how to limit the access control list named "vrf3" to 100 NAT entries:

Router(config)# ip nat translation max-entries list vrf3 100 

Setting NAT Limits for an IP Address

The following example shows how to limit the host at IP address 127.0.0.1 to 300 NAT entries:

Router(config)# ip nat translation max-entries host 127.0.0.1 300 
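The following Python model is an added example, not Cisco code, of how the limit hierarchy above gates creation of a new translation: the router total, then the VRF limit (a per-VRF limit overrides all-vrf), then each matching ACL limit, then the host limit (a per-host limit overrides all-host). A translation is admitted only if none of the applicable counters has already reached its limit, and the function reports which scope refused it, which is the information you want when a worm on one host starts eating the pool. The limit values, VRF names, ACL name and host addresses in the sample are constructed and kept small so the run is short.

```python
"""NAT max-entries hierarchy: router, VRF, ACL and host limits (added example, not Cisco code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, Optional, Tuple


@dataclass
class NatLimits:
    """The configured 'ip nat translation max-entries ...' values; None means no limit at that scope."""
    max_total: Optional[int] = None
    all_vrf: Optional[int] = None
    vrf: Dict[str, int] = field(default_factory=dict)
    acl: Dict[str, int] = field(default_factory=dict)
    all_host: Optional[int] = None
    host: Dict[str, int] = field(default_factory=dict)


@dataclass
class NatTable:
    limits: NatLimits
    total: int = 0
    per_vrf: Counter = field(default_factory=Counter)
    per_acl: Counter = field(default_factory=Counter)
    per_host: Counter = field(default_factory=Counter)

    def applicable(self, vrf: Optional[str], host: str, acls: Tuple[str, ...]) -> Iterator[Tuple[str, int, int]]:
        """Yield (scope, current count, limit) for every limit that covers this flow, most general first."""
        L = self.limits
        if L.max_total is not None:
            yield "router", self.total, L.max_total
        if vrf is not None:
            if vrf in L.vrf:                                   # specific VRF overrides all-vrf
                yield f"vrf {vrf}", self.per_vrf[vrf], L.vrf[vrf]
            elif L.all_vrf is not None:
                yield "all-vrf", self.per_vrf[vrf], L.all_vrf
        for name in acls:
            if name in L.acl:
                yield f"list {name}", self.per_acl[name], L.acl[name]
        if host in L.host:                                     # specific host overrides all-host
            yield f"host {host}", self.per_host[host], L.host[host]
        elif L.all_host is not None:
            yield "all-host", self.per_host[host], L.all_host

    def create(self, host: str, vrf: Optional[str] = None,
               acls: Iterable[str] = ()) -> Tuple[bool, Optional[str]]:
        """Try to add a translation for an inside host; return (admitted, scope that refused)."""
        acls = tuple(acls)
        for scope, current, limit in self.applicable(vrf, host, acls):
            if current >= limit:
                return False, scope
        self.total += 1
        if vrf is not None:
            self.per_vrf[vrf] += 1
        for name in acls:
            self.per_acl[name] += 1
        self.per_host[host] += 1
        return True, None


# Constructed limits: small numbers standing in for the 300/200/150/... values in the examples above.
LIMITS = NatLimits(max_total=6, all_vrf=2, vrf={"vrf2": 3}, acl={"vrf3": 2},
                   all_host=2, host={"10.1.1.5": 3})

if __name__ == "__main__":
    table = NatTable(LIMITS)
    for _ in range(4):
        print("10.1.1.5:", table.create("10.1.1.5"))        # 3 admitted, 4th refused by its host limit
    for _ in range(3):
        print("10.1.1.6:", table.create("10.1.1.6"))        # 2 admitted, 3rd refused by all-host
```

Ordering matters in both directions: the router total is checked first, so a full translation table refuses a flow even when its VRF and host still have headroom, and the per-host limit is the last line of defence when everything above it is unlimited.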

Benefits

Gives customers a great deal of control over how their NAT address pools and translation table are allocated and used.

Option to implement a hierarchy of Rate Limiting to tailor to the specific network or devices requirements and concerns.

Control how many concurrent translations all users can have.

Additionally control how many translations a specific individual IP host can have.

Limit across all MPLS VPNs, and set limits for a specific MPLS VPN.

Helps control and mitigate denial-of-service attacks, including viruses and worms that indirectly consume the router's NAT resources and seriously affect its overall performance.

Hardware


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_natrl.htm

Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.27) NAT—Translation of External IP Addresses only

Prior to this feature, any IP addresses embedded in the packet payload were translated according to the configured NAT rules and the list of protocols and applications that NAT supports.

With this enhancement, Cisco IOS Network Address Translation (NAT) can be configured to ignore all embedded IP addresses for any application and traffic type.

Translation of the external (IP header) addresses still occurs according to the NAT rules configured in the router.

The main driver for this enhancement is the case where the source and destination pair use public, routable addresses but the network they traverse is privately addressed.

Any embedded addressing is already valid between the source and destination and requires no translation. The only translation required is of the external addresses, so that the IP sessions pass correctly over the privately addressed network in between.

Figure 41

Benefits

Provides customer increased flexibility to adapt the NAT functionality to their specific network design.

Typically only appropriate where

Source and Destination pair have IP addresses from the same addressing scheme, but the network they are traversing has a completely different addressing scheme.

Any IP addresses and ports embedded within the payload are already relevant to the source and destination networks.

Simplifies NAT processing performed within each NAT router.

Hardware


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnatxip.htm

Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.28) FHRP—Enhanced Object Tracking—Integration with SAA

Cisco First Hop Redundancy Protocols (FHRP) are a collection of three separate features in Cisco IOS Software:

Hot Standby Routing Protocol (HSRP)

Gateway Load Balancing Protocol (GLBP)

Virtual Router Redundancy Protocol (VRRP)

Cisco enables each protocol to "track" events within a router, and uses them to influence which router is the "Active" router or, with GLBP, to change the load-sharing metric or which router is the lead active router along with that metric.

The Enhanced Object Tracking—integration with SAA enhancement significantly expands the number of "objects" or "events" that can be tracked by HSRP, GLBP and VRRP.

SAA is a network performance measurement agent within Cisco IOS Software, and provides a scalable, cost-effective solution for service-level monitoring. It eliminates the need to deploy dedicated monitoring devices by including the "probe" capabilities in the routers.

SAA collects network performance information in real time: response time, one-way latency, jitter, packet loss, website download time, as well as other network statistics. It also provides the mechanism to monitor performance for different classes of traffic over the same connection.

SAA objects include:

1. UDP Echo; Round-trip delay

2. UDP Jitter; Round-trip delay, one-way delay, jitter, packet loss. One-way delay requires time synchronization between the SAA source and target routers.

3. TCP Connect; Connection Time

4. DNS; DNS Lookup Time

5. DHCP; Round-trip time to get an IP address

6. FTP; Round-trip time to transfer a file

7. HTTP; Round-trip time to get a web page

8. ICMP Echo; Round-trip delay

9. ICMP Path Echo; Round-trip delay for the full path. The path can be discovered by "trace route" or Loose Source Routing (LSR).

10. ICMP Path Jitter; Round-trip delay, jitter and packet loss for the full path

11. DLSw+; Peer tunnel performance

12. Frame Relay; Circuit availability, round-trip delay and frame delivery ratio

13. ATM; Availability, round-trip delay and delivery ratio. Supported through Visual Network UpTime.

FHRP protocols can track a single object or event at a time.

IP Host Tracking: Example

The following example shows SAA tracking on router 1:

rtr 1
  type echo protocol ipIcmpEcho 10.51.12.4
  timeout 1000
  frequency 3
  threshold 2
  request-data-size 1400
rtr sched 1 start-time now life forever

!
track 2 rtr 1 state
track 3 rtr 1 reachability
!
interface e0/1
  ip address 10.21.0.4 255.255.0.0
  no shutdown
  standby 3 ip 10.21.0.10
  standby 3 priority 120
  standby 3 preempt
  standby 3 track 2 decrement 10
  standby 3 track 3 decrement 10
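The following added illustration (not Cisco code) models how the two track objects in the configuration above feed router 1's HSRP priority. It assumes, as constructed values, a peer in standby group 3 with priority 105 and preempt on both routers; the threshold, timeout, base priority and decrements are taken from the configuration shown.

```python
"""Added illustration (not Cisco code) of the track-object chain in the
HSRP/SAA example above.  Constructed assumption: the peer router in
standby group 3 runs at priority 105 with preempt enabled."""
from typing import Optional

THRESHOLD_MS = 2                    # `threshold 2` in the rtr 1 configuration
TIMEOUT_MS = 1000                   # `timeout 1000`
BASE_PRIORITY = 120                 # `standby 3 priority 120`
TRACK_DECREMENTS = {2: 10, 3: 10}   # `standby 3 track 2/3 decrement 10`
PEER_PRIORITY = 105                 # constructed value for the other member


def probe_return_code(rtt_ms: Optional[float]) -> str:
    """Classify one ICMP echo probe the way the SAA operation reports it:
    no reply inside the timeout -> Timeout, a reply slower than the
    threshold -> OverThreshold, otherwise OK."""
    if rtt_ms is None or rtt_ms > TIMEOUT_MS:
        return "Timeout"
    if rtt_ms > THRESHOLD_MS:
        return "OverThreshold"
    return "OK"


def track_states(return_code: str) -> dict:
    """Map the probe return code onto the two track objects from the
    example: `track 2 rtr 1 state` is up only for an OK return code, while
    `track 3 rtr 1 reachability` stays up for OverThreshold as well,
    because the target still answered."""
    return {
        2: return_code == "OK",
        3: return_code in ("OK", "OverThreshold"),
    }


def effective_priority(tracks: dict) -> int:
    """Subtract each configured decrement whose track object is down."""
    return BASE_PRIORITY - sum(
        dec for obj, dec in TRACK_DECREMENTS.items() if not tracks[obj])


def active_router(local_priority: int, peer_priority: int) -> str:
    """With preempt on both sides the higher priority wins; HSRP breaks a
    tie on the higher interface IP address, which is not modelled here."""
    if local_priority == peer_priority:
        return "tie"
    return "local" if local_priority > peer_priority else "peer"


def outcome_for_rtt(rtt_ms: Optional[float]) -> tuple:
    """Run one probe result through the whole chain and return
    (return_code, effective_priority, active_router)."""
    code = probe_return_code(rtt_ms)
    prio = effective_priority(track_states(code))
    return code, prio, active_router(prio, PEER_PRIORITY)


if __name__ == "__main__":
    # Fast reply, slow reply, no reply: only the last one moves the
    # active role to the peer, because only then do both tracks go down.
    for rtt in (1.2, 40.0, None):
        print(rtt, outcome_for_rtt(rtt))
```

The slow-reply case shows why the example tracks both state and reachability: a degraded but reachable target costs 10 priority points, an unreachable one costs 20.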

Benefits

Increased flexibility when designing high availability into the network.

Expands tracking beyond the FHRP router for the first time: customers can track a specific destination or the latency of a network path and alter the characteristics of their redundancy group accordingly.

Redirect traffic around network failures.

Ensure VoIP or video applications have the optimal path for latency.

Hardware


Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtfhrp.htm

http://www.cisco.com/warp/public/732/Tech/nmp/ipsla/

Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.29) ACL-TCP Flags Filtering

This feature provides a flexible mechanism for filtering on TCP flags. The ACL TCP Flags Filtering feature allows you to select any desired combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.

Before Cisco IOS Release 12.3(4)T, only ORing of TCP flags was supported in Cisco IOS Software.

Two new keywords, "match-all" and "match-any", are introduced to indicate the type of matching. Customers can also specify whether to match on a flag that is set as well as on a flag that is not set.

To enable this, each TCP flag can be prefixed with a + or a - sign to indicate that the flag must be set or not set, respectively. These two mechanisms give the user a great degree of control for filtering on TCP flags.

Configuring the ACE to Filter TCP Packets Based on TCP Flags: Example

The following ACE has been configured to allow TCP packets only if the TCP flags SYN and ACK are set and the FIN flag is not set:

Router> enable
Router# configure terminal
Router(config)# ip access-list extended aaa
Router(config-ext-nacl)# permit tcp any any match-all +ack +syn
Router(config-ext-nacl)# permit tcp any any match-any -urg +syn -psh
Router(config-ext-nacl)# end

The show access-list command has been entered to show the following matches based on the configured ACLs:

Router# show access-list aaa

Extended IP access list aaa

 10 permit tcp any any match-all +ack +syn
 20 permit tcp any any match-any -psh +syn -urg
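The following added example (not Cisco code) reimplements the match-all / match-any evaluation with +flag and -flag criteria, runs constructed packets through the two ACEs exactly as configured above (sequence numbers from the show output, implicit deny at the end), and contrasts that with the pre-12.3(4)T ORed behaviour the text mentions. The ACE named DESCRIBED_ACE (SYN and ACK set, FIN clear) is written here to match the prose and is not part of the configuration shown.

```python
"""Added illustration (not Cisco code) of ACL TCP Flags Filtering semantics:
"+flag" must be set, "-flag" must be clear; match-all needs every criterion,
match-any needs at least one.  All packets below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flags(*names: str) -> int:
    """Build a TCP flags byte from flag names, e.g. flags("syn", "ack")."""
    return sum(TCP_FLAGS[n.lower()] for n in names)


@dataclass(frozen=True)
class FlagAce:
    mode: str                  # "match-all" or "match-any"
    criteria: Tuple[str, ...]  # e.g. ("+ack", "+syn", "-fin")

    def matches(self, pkt_flags: int) -> bool:
        checks = []
        for crit in self.criteria:
            sign, name = crit[0], crit[1:].lower()
            if sign not in "+-" or name not in TCP_FLAGS:
                raise ValueError(f"bad criterion {crit!r}")
            is_set = bool(pkt_flags & TCP_FLAGS[name])
            checks.append(is_set == (sign == "+"))
        return all(checks) if self.mode == "match-all" else any(checks)


def legacy_or_match(flag_names: Tuple[str, ...], pkt_flags: int) -> bool:
    """Pre-12.3(4)T behaviour mentioned above: several flags in one ACE
    were ORed, so the ACE matched when ANY listed flag was set."""
    return any(bool(pkt_flags & TCP_FLAGS[n]) for n in flag_names)


# The two ACEs exactly as configured in the example, with the sequence
# numbers from the `show access-list aaa` output.
EXAMPLE_ACL = [
    (10, "permit", FlagAce("match-all", ("+ack", "+syn"))),
    (20, "permit", FlagAce("match-any", ("-urg", "+syn", "-psh"))),
]

# The ACE the prose describes (SYN and ACK set, FIN clear), written with
# the same syntax; it is not in the configuration shown above.
DESCRIBED_ACE = FlagAce("match-all", ("+syn", "+ack", "-fin"))


def evaluate_acl(acl, pkt_flags: int) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching ACE, or
    ("deny", None) for the implicit deny at the end of every ACL."""
    for seq, action, ace in acl:
        if ace.matches(pkt_flags):
            return action, seq
    return "deny", None


if __name__ == "__main__":
    samples = (("SYN", flags("syn")), ("SYN+ACK", flags("syn", "ack")),
               ("ACK+PSH+URG", flags("ack", "psh", "urg")))
    for name, f in samples:
        # A bare SYN passes the ORed legacy "ack syn" but fails match-all.
        print(name, evaluate_acl(EXAMPLE_ACL, f),
              "described:", DESCRIBED_ACE.matches(f),
              "legacy ack|syn:", legacy_or_match(("ack", "syn"), f))
```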

Benefits

Provides customers more flexibility in dealing with various attacks involving TCP packets, such as false synchronization packets that could be accepted by a listening port. It is recommended that administrators of firewall devices set up filtering rules to drop such false TCP packets.

The customer can configure an ACL to detect and drop unauthorized TCP packets by allowing only the packets that have a very specific group of TCP flags set or not set.

Users can select any desired combination of TCP flags on which to filter TCP packets.

Users can configure ACEs in order to allow matching on a flag set as well as on a flag not set.

Hardware


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtaclflg.htm

Product Management Contact: Mark Denny, mdenny@cisco.com

2.8.30) Cisco Express Forwarding Switching for IPv6 Tunnels (Configured, Automatic, 6to4, ISATAP)

Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure. By using overlay tunnels, IPv6 hosts and routers can communicate with each other without a need to upgrade the IPv4 infrastructure between them.

Cisco IOS Software introduced support for IPv6 overlay tunnels in Release 12.2(2)T (Configured, automatic and 6to4) and Release 12.2(15)T (ISATAP).

Cisco Express Forwarding for IPv6 (CEFv6) is an advanced Layer 3 IP switching technology for fast-switched forwarding of IPv6 packets, introduced in Cisco IOS Software Release 12.2(13)T.

In Cisco IOS Software Release 12.3(4)T, IPv6 tunnels—Configured, automatic, 6to4 and ISATAP—are now Cisco Express Forwarding version 6 switched.

Benefits

Improved performance of IPv6 tunneled traffic, to scale the integration of IPv6 applications.

Hardware

Routers

Cisco 830—7500 Series Routers


Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/

Product Management Contact: ipv6-pm@cisco.com

2.9) IPv6

Table 10  IPv6 Feature Highlights


2.9.1) Dynamic Host Configuration Protocol version 6 Prefix Delegation Using Authentication, Authorization, and Accounting

An IPv6 prefix-delegating router (DHCPv6 server) selects prefixes to be assigned to a requesting router (DHCPv6 client) upon receiving a request from the client. Prior to this feature, these prefixes could be obtained only using one of the following:

A statically configured client-specific binding

A locally configured IPv6 prefix pool

This feature enables a third option. It allows the prefix assignment to originate from a RADIUS/AAA Server using the Framed-IPv6-Prefix attribute as described in RFC 3162.

Cisco IOS Software Release 12.3(4)T added support for the Framed-IPv6-Prefix attribute (see DDTS CSCdy19621). The DHCPv6 Prefix Delegation Using AAA feature enables the DHCPv6 server to interface with AAA to obtain the prefix assignment using an AAA/RADIUS authorization request.

Benefits

More flexibility and control of IPv6 address assignments.

Centralized control and management of IPv6 prefix assignments using AAA/RADIUS.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/tech/tk872/technologies_white_paper09186a00801e199d.shtml

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.9.2) Mobile IP: Mobile IPv6 Home Agent

This feature provides support for the Mobile IPv6 Home Agent (HA). It includes the following:

Home Agent

Home agent functionality allows an IPv6 router to act as a home agent for one or more mobile nodes when they are away from home.

Advertisement Interval Option

Allows a configurable Advertisement Interval option to help mobile nodes perform movement detection.

Duplicate Address Detection

Enables verification of the mobile node (MN) IP address by performing duplicate address detection (DAD) when processing a request for registration from an MN.

Dynamic Home Agent Address Discovery

Allows home agents in a subnet to learn of each other's presence and capabilities by listening to router advertisements.

Access Control Lists

Supports use of ACLs to limit sources of binding updates, Dynamic Home Agent Address Discovery (DHAAD) requests, and prefix solicitations. Allows control over roaming.

Benefits

RFC 3775-compliant support for Mobile IPv6 Home Agent.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Does not include full support for correspondent node.

This phase does not deliver support for the use of IPsec (ESP) in binding updates and binding acknowledgements between a mobile node and its home agent. However, it does not prevent end-to-end IPsec from being used to secure communication between a mobile node and a correspondent node when Cisco IOS Software is acting as the home agent.

Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/docs/mobileipv6.pdf

Cisco IOS Packaging

Mobile IP: Mobile IPv6 Home Agent is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.9.3) Cisco Express Forwarding Support for Network Address Translation-Protocol Translation

Cisco IOS Network Address Translation-Protocol Translation (NAT-PT) translates packets that traverse between IPv4-only and IPv6-only networks in either direction. NAT-PT translates the IP header and source and destination ports if needed. It also translates the embedded IP addresses and ports for application protocols of which it is aware.

Prior to the introduction of this feature, packets undergoing NAT-PT were process-switched, which limited the throughput that could be achieved while using this feature. Now packets that undergo NAT-PT are processed in the interrupt path and use Cisco Express Forwarding.

Benefits

Better performance when translation between IPv4 and IPv6 networks is necessary.

Hardware

Routers

Cisco 800, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_data_sheet09186a008011ff51.html

Cisco IOS Packaging

Cisco Express Forwarding Support for NAT-PT is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Patrick Grossette (pgrosset@cisco.com)

2.9.4) Simple Network Management Protocol Using IPv6 Transport

IPv6 networks are becoming more prominent, as are the requirements for management in an all-IPv6 environment. To date, most IPv6 networks have been deployed with support for IPv4 and with the assumption that network management was based on IPv4.

SNMP over IPv6 Transport allows network management to be performed from a station running only IPv6.

The feature includes:

Support for SNMP get/set requests and responses on IPv6 transport

SNMP notifications to IPv6 destinations

Modification to snmp-server host CLI to configure IPv6 hosts as trap receiver

SNMPv3 configuration

Support of MIBs for configuration of SNMPv3 users, groups, and views and configuration of SNMPv3 engines or endstations for use in either an IPv4 or IPv6 environment

SNMP proxy forwarder

Support of SNMP proxy forwarder using IPv6 transport

MIB Changes

MIB updates for IPv6

CISCO-FLASH-MIB

CISCO-CONFIG-COPY-MIB

CISCO-CONFIG-MAN-MIB

CISCO-CONFIG-COPY-CAPABILITY

ENTITY-MIB

NOTIFICATION-LOG-MIB

New MIB

CISCO-SNMP-TARGET-EXT-MIB (extension from SNMP-TARGET-MIB)

Modification of MIB implementation for IPv6

SNMP-USM-MIB

SNMP-VACM-MIB

Benefits

Provides base function needed to enable management of all IPv6 networks.

Includes support for RFC 3419: Textual Conventions for Transport Addresses.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Provides for support of IPv6 using an internal proxy method.

Cisco IOS Packaging

SNMP Using IPv6 Transport is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contacts: IPv6—Patrick Grossette (pgrosset@cisco.com), SNMP—Michael Cheung (cheung@cisco.com)

2.9.5) IPv6 Bootstrap Router Bidirectional Support

This feature improves upon the IPv6 Bootstrap Router (BSR) implementation by offering support for bidirectionality in BSR.

Benefits

Supports the advertising of bidirectional rendezvous points in C-RP messages and bidirectional ranges in the band splitter module (BSM).

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

All the routers in the system must be upgraded to be able to understand the bidirectional range. Just upgrading candidate RP and candidate BSR routers is not sufficient.

Cisco IOS Packaging

IPv6 BSR Bidirectional Support is positioned in the Advanced IP Services and Enterprise Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.9.6) IPv6 Bootstrap Router Scoped Zone Support

IPv6 Bootstrap Router (BSR) Scoped Zone Support enhances IPv6 BSR, allowing for distribution of group-to-RP mappings in networks using administratively scoped multicast.

Benefits

Allows the customer to configure candidate BSRs and a set of candidate RPs for each administratively scoped region in the domain.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IPv6 BSR Scoped Zone Support is positioned in the Advanced IP Services and Enterprise Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.10) Management Instrumentation

Table 11  Management Instrumentation


2.10.1) Multicast VPN MIB

Multicast VPN MIB provides enhancements and support for SNMP Multicast VPN MIB.

Benefits

Improves management for Multicast VPN deployments.

Provides interfaces to Cisco AutoSecure.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Gurvinder Singh (g_singh@cisco.com)

2.10.2) Exclusive Configuration Change Access

The Cisco IOS Software CLI has offered a familiar and effective interface for configuration and troubleshooting for many years. With the increased importance and proliferation of network connections and equipment, management and maintenance activities have grown. Some organizations have segmented their network engineering and operations teams, with multiple groups or systems now requiring access to the CLI.

The feature introduces a configuration session locking mechanism. It allows a user to have exclusive access to the Cisco IOS Software configuration mode, preventing any other user from changing the system configuration for the duration of the lock.

Benefits

Ensures consistent and error-free configuration changes by preventing conflicts.

Prevents conflicts between programmatic interfaces and back-end systems.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Mark Basinski (mbasinsk@cisco.com)

2.10.3) Selective Enabling of Applications Using HTTP Server

Cisco IOS Software incorporates an internal HTTP server that permits easy configuration using a browser interface. A number of Cisco IOS Software subsystems and features use the included server. However, until now, each feature could not be individually controlled with respect to the HTTP server interface. Now, for example, a user can enable one particular subsystem for Web-based configuration and control but not another.

The feature enables selective enabling of Cisco IOS Software applications or subsystems that use the internal HTTP server in Cisco IOS Software.

Benefits

Provides a more secure environment for configuration and control of network devices.

Enables specific control over applications that use the internal HTTP server in Cisco IOS Software.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: Mark Basinski (mbasinsk@cisco.com)

2.10.4) Bandwidth Estimation Using Corvil Bandwidth Technology

Allocating adequate bandwidth is crucial to ensuring the network performance required for applications. However, allocating too much bandwidth can be costly. Bandwidth Estimation in Cisco IOS Software, using Corvil Bandwidth technology, allows network managers to determine the correct bandwidth requirements to achieve user-specified Quality of Service (QoS) targets for networked applications.

Corvil Bandwidth can determine the minimum bandwidth required to meet a customer-specified QoS target with statistical reliability. From a network manager's perspective, an application's QoS requirements are characterized with respect to its sensitivity to packet loss and delay. Corvil Bandwidth gives the network manager a way to specify limits for delay and packet loss and to get a close estimate of the minimum bandwidth essential to achieve desired application performance.

Figure 42

Corvil Bandwidth

Benefits

Users can set service-level objectives for the desired performance of networked applications.

Network managers can eliminate operational overhead and guesswork in bandwidth provisioning and QoS configuration.

Potentially significant bandwidth cost savings while meeting QoS requirements are possible.

Increased capability and flexibility to offer bandwidth-on-demand types of services are possible.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3700, 3800, 7200, and 7301 Series Routers


Cisco IOS Packaging

Bandwidth Estimation Using Corvil Bandwidth Technology is positioned in the SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tim McSweeney (timcswee@cisco.com)

2.10.5) IP Service Level Agreements Voice over IP Call Setup (Postdial Delay) Monitoring

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

This feature enhances Cisco IOS IP SLAs further by including a capability to monitor the call setup delay for VoIP calls. With this feature, Cisco IOS SLAs measure the call setup time using the H.323/Session Initiation Protocol (SIP) over an IP network.

The Jitter operation in IP SLAs offers the ability to configure various codec types and provide the corresponding Impairment/Calculated Impairment Planning Factor (ICPIF) and mean opinion scores (MOSs). This capability is widely used to monitor VoIP performance. This enhancement focuses on measuring call setup time. It provides the capability to send an H.323 or SIP call setup message and to measure the time to ringing, busy, or connect. The typical setup time measured is from the moment the setup/INVITE message is sent to the time the alert/ringing message is received.

Figure 43

Cisco IOS IP SLAs VoIP Call Setup (Postdial Delay) Monitoring

Benefits

Measures call setup delay for VoIP calls.

Extends the functionality provided by IP SLAs.

Adds to the already strong VoIP-monitoring capabilities.

Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

Monitors SLAs.

Monitors network performance.

Provides IP service network health readiness or assessment.

Monitors edge-to-edge network availability.

Monitors business-critical applications performance.

Troubleshoots network operation.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Cisco IOS IP SLAs VoIP Call Setup (Postdial Delay) Monitoring is positioned in the IP Voice packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tom Zingale (tomz@cisco.com)

2.10.6) IP Service Level Agreements—Voice over IP Gatekeeper Delay Monitoring

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

With Voice over IP (VoIP) deployments accelerating, even more requirements are being placed on the operations staff to ensure that service meets or exceeds the required levels. A converged network with VoIP Gatekeeper functionality adds another aspect to performance monitoring.

This feature adds a VoIP Gatekeeper (GK) registration delay monitoring operation to the IP SLAs feature set. This operation measures the "lightweight registration time" from an H.323 Gateway (GW) to the GK. The lightweight registration time is the time from the sending of a registration request (RRQ) to the time a registration confirmation (RCF) is received by the GW.

Figure 44

IP SLAs VoIP Gatekeeper Delay Monitoring

Benefits

Adds to the already strong VoIP-monitoring capabilities.

Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

Monitors SLAs.

Monitors network performance.

Provides IP service network health readiness assessment.

Monitors edge-to-edge network availability.

Monitors business-critical applications performance.

Troubleshoots network operations.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Cisco IOS IP SLAs VoIP Gatekeeper Delay Monitoring is positioned in the IP Voice packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tom Zingale (tomz@cisco.com)

2.10.7) IP Service Level Agreements CLI Introduction

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

IP SLAs builds on earlier Cisco IOS Software service assurance functionality and adds recent enhancements. The new CLI is being introduced to ease the deployment of service monitoring; it simplifies configuration of IP SLAs measurements and enhances command-line views of service-level measurement data.

The transition to the new configuration command set is made easy because support for the previous configuration commands is included. In future releases the command structure will be simplified more based on customer input.

Other new commands are also included with this Cisco IOS Software release.

Benefits

Ease-of-use improvements.

Improved show commands with more detailed and useful information.

Performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

SLA monitoring.

Network performance monitoring.

IP service network health readiness assessment.

Edge-to-edge network availability monitoring.

Business-critical applications performance monitoring.

Network operation troubleshooting.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Because some display commands are changed, automated scripts that parse output of the commands may need to be modified. Consult the documentation for details.

Cisco IOS Packaging

Cisco IOS IP SLAs CLI Introduction is positioned in the IP Voice, Advanced Security, and Enterprise Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tom Zingale (tomz@cisco.com)

2.10.8) IP Service Level Agreement Sub-Millisecond Accuracy Improvements

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS Software IP Service Level Agreements are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as VoIP, audio and video, VPN, and other business-critical applications. Cisco IOS Software IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS Software IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

This feature adds granular and highly accurate measurements to the robust set of functions included in Cisco IOS Software IP SLAs. The functions within IP SLAs measure various performance parameters such as round-trip time, one-way latency, jitter (interpacket delay variance), packet loss, and so on.

Improvements such as increased link speeds and the deployment of higher performing routers and switches have reduced the latency, increased capacity, and enormously expanded the throughput in today's high-speed networks. Because of these facts, the accuracy of the measurements provided in IP SLAs is likewise being improved upon.

Improvements have been made in two primary areas:

The accuracy of measurements is improved from one millisecond to one-tenth of a millisecond.

More efficient time stamping also results in greater accuracy of measurements.

Benefits

Provides very accurate performance data.

Offers more granular and accurate results to reflect the characteristics of networks being deployed now and into the future.

Allows more efficient use of internal resources for enhanced performance.

Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

Monitors SLAs.

Monitors network performance.

Provides IP service network health readiness assessment.

Monitors edge-to-edge network availability.

Monitors business-critical applications performance.

Troubleshoots network operation.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IP SLAs Sub-millisecond Accuracy Improvements is positioned in the IP Voice packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Considerations

In order to utilize the accuracy enhancements, the source and destination endpoints of the measurements must have Cisco IOS Software Release 12.3(14)T or later.

Product Management Contact: Tom Zingale (tomz@cisco.com)

2.10.9) Egress Netflow

Understanding who is using the network and for how long, what protocols and applications are being utilized, and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes: network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting, departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.

NetFlow traditionally monitors IP flows entering or ingress to a Cisco IOS Software device; however, it does not track egress information. Egress NetFlow can track egress IP flows or flows exiting a Cisco IOS Software device. This new capability will ease IP accounting and flow monitoring in some network topologies. For example, egress NetFlow will simplify the tracking of all IP traffic going to a server farm.

Egress NetFlow also enables the tracking of flows after features such as QoS or NAT have changed the IP packet. Egress NetFlow can be used in an MPLS or IP network.

Benefits

Ingress and egress NetFlow accounting within Cisco IOS Software.

Tracking of flow information after other Cisco IOS Software features such as QoS or NAT have changed packet characteristics.

Tracking of all flows egress or exiting a specific interface.

Tracking of all flows entering a specific interface destined to a specific egress interface.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers


Additional Information: http://www.cisco.com/go/netflow

Product Management Contact: Tom Zingale, tomz@cisco.com

2.10.10) Netflow MIB and Top N Talkers

Understanding who is using the network and for how long, what protocols and applications are being utilized and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes: network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting, departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.

NetFlow information is traditionally exported from the router and persistently stored and analyzed by network management applications. An additional method to retrieve NetFlow data is now available: NetFlow MIB (cisco-netflow-mib) allows access to NetFlow data. The MIB will provide the ability to configure and modify NetFlow using an SNMP interface. The user can retrieve a snapshot of IP flow, protocol and packet size distribution information easily with SNMP. The NetFlow MIB will be very useful for security monitoring and detection of attacks by monitoring flow information. One of the key features of the NetFlow MIB will be the availability of Top N Talkers and the top conversations (NetFlow cache) information. A new show command, which is part of the Top N Talkers feature, enables users to monitor top conversations in the network using CLI.

Benefits

A new additional method to retrieve NetFlow information beyond traditional UDP export.

Top N Talker NetFlow information using the CLI and MIB.

MIB access to IP flow, protocol and packet size distribution information.

Retrieval of NetFlow information when the traditional export may not be practical.

Useful security information directly from an SNMP MIB.

Remote configuration of NetFlow features without using CLI.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers


Additional Information:

http://www.cisco.com/go/netflow

http://tools.cisco.com/ITDIT/MIBS/servlet/index

Product Management Contact: Tom Zingale, tomz@cisco.com

2.10.11) Service Selection Gateway Support of Overlapping IP Addresses

Service Selection Gateway (SSG) enables Service Providers to offer services in which the provider assigns IP addresses to subscribers. Because Service Providers assign IP addresses from private IP address pools, identical IP addresses could be assigned to different subscribers. The SSG Support for Overlapping Subscriber IP Addresses feature enables SSG to support overlapping subscriber IP addresses by adding VRF support to SSG downlink interfaces. VRF support on SSG downlink interfaces allows the same IP address to be assigned to different subscribers that are bound to different downlink interfaces and connected to different uplink services. VRF support on downlink interfaces also eliminates the need for SSG to perform NAT on the subscriber traffic.

SSG allows subscribers with overlapping IP addresses to access multiple services, so that a subscriber who is assigned an IP address for one service will be able to access other services. To provide access to multiple services, NAT will be performed on the subscriber traffic by SSG or through the Cisco IOS NAT configuration on the router.

Multiple subscribers with overlapping IP addresses can simultaneously connect to a common service, but SSG must perform NAT on all the connections to provide non-overlapping IP addresses.

Benefits

Sometimes Service Providers assign IP addresses from private IP address pools. When subscribers of multiple Service Providers are aggregated on a single platform, different subscribers could be assigned the same IP address. This SSG Support for Overlapping Subscriber IP Addresses feature enables SSG to support overlapping subscriber IP addresses and hence will let providers assign IP addresses from their private address pools.

This feature also avoids NAT for subscribers connecting into their own provider's network, where no IP address conflict arises (even though the addresses are private, they come from the same private IP address pool).

Hardware

Routers

Cisco 2651XM, 3745, 7200, 7301, and 7600 MWAM


Restrictions

The SSG Support for Overlapping Subscriber IP Addresses feature does not support downlink interface redundancy.

The SSG Support for Overlapping Subscriber IP Addresses feature does not add support for uplink VRFs. The next-hops for services must be globally routable; however, if a service is bound to an Ethernet interface, SSG uses the downlink interface VRF for upstream routing. In such cases, the uplink interface could be within a VRF, but the downlink interface must also be on the same VRF.

Cisco IOS VRF-aware NAT for overlapping users cannot be configured for subscribed services. It can be used for open garden services and services bound to Ethernet interfaces (broadcast interfaces). For all other cases in which services are bound to next-hops, SSG NAT must be used. SSG does not support Cisco IOS NAT for open garden services bound by next-hops.

Product Management Contact: mkolli@cisco.com

2.10.12) Service Selection Gateway Support for Radius Attributes 27 and 29

The Service Selection Gateway (SSG) Support for RADIUS Attributes 27 and 29 feature introduces SSG compliance with RFC 3580 with respect to RADIUS attributes #27 (Session-Timeout) and #29 (Termination-Action). RFC 3580 recommends using attributes #27 and #29 in Access-Accept packets during authentication to enforce periodic re-authentication of users. See RFC 3580, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", for details.

When the profile indicates re-authentication after the session timeout, SSG uses the cached username and password to perform the re-authentication. If SSG does not have these credentials, the session is brought down as if re-authentication had failed. If a particular deployment uses one-time passwords to authenticate users, SSG re-authentication will fail and the session will be brought down.

For SSG transparent auto-logon (TAL) hosts (TAL users who have host objects created on SSG), SSG will perform TAL reauthorization upon session timeout whenever attribute #29 is present in the RADIUS profile of the user. (Note that for TAL users, SSG performs re-authorization and not re-authentication because the user profile is downloaded on the basis of the IP address and service password).

In SSG RADIUS proxy deployments, SSG will not perform session timeout processing when attribute #29 is present in the Access-Accept packet and is set to re-authenticate.
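To make the attribute handling concrete, here is an added Python example (not SSG code) that decodes Session-Timeout and Termination-Action from the attribute portion of a constructed Access-Accept and applies the rules stated above: re-authenticate only when Termination-Action is RADIUS-Request, re-authentication needs the cached credentials, and a missing or no-longer-valid credential (the one-time-password case) brings the session down. Attribute numbers and the Termination-Action values are those defined in RFC 2865; the packet bytes are constructed.

```python
"""Decode RADIUS attributes 27 and 29 and decide what happens at timeout.
Added example, not SSG code; attribute numbers/values are from RFC 2865,
the packet bytes are constructed."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

USER_NAME = 1
SESSION_TIMEOUT = 27       # integer: seconds until the session ends or re-auths
TERMINATION_ACTION = 29    # integer: 0 = Default (terminate), 1 = RADIUS-Request
TA_DEFAULT, TA_RADIUS_REQUEST = 0, 1


def parse_attributes(payload: bytes) -> Dict[int, List[bytes]]:
    """Walk the attribute TLVs (1-byte type, 1-byte length incl. header, value).
    Malformed lengths are rejected rather than silently skipped."""
    attrs: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.setdefault(atype, []).append(payload[i + 2:i + alen])
        i += alen
    return attrs


def is_malformed(payload: bytes) -> bool:
    try:
        parse_attributes(payload)
        return False
    except ValueError:
        return True


def integer_attr(atype: int, value: int) -> bytes:
    return struct.pack("!BBI", atype, 6, value)


def string_attr(atype: int, value: str) -> bytes:
    data = value.encode()
    return struct.pack("!BB", atype, 2 + len(data)) + data


@dataclass
class TimeoutPlan:
    timeout: Optional[int]   # None when attribute 27 is absent
    action: str              # "none", "terminate" or "reauthenticate"


def _integer(raw: bytes) -> int:
    if len(raw) != 4:
        raise ValueError("RADIUS integer attributes are exactly 4 bytes")
    return struct.unpack("!I", raw)[0]


def plan_session_timeout(attrs: Dict[int, List[bytes]]) -> TimeoutPlan:
    """Without attribute 27 nothing is scheduled; with it, attribute 29
    decides between terminating and re-authenticating (default: terminate)."""
    if SESSION_TIMEOUT not in attrs:
        return TimeoutPlan(None, "none")
    timeout = _integer(attrs[SESSION_TIMEOUT][0])
    code = _integer(attrs[TERMINATION_ACTION][0]) if TERMINATION_ACTION in attrs else TA_DEFAULT
    return TimeoutPlan(timeout, "reauthenticate" if code == TA_RADIUS_REQUEST else "terminate")


def on_timeout_expiry(plan: TimeoutPlan, cached: Optional[Tuple[str, str]],
                      authenticate: Callable[[str, str], bool]) -> bool:
    """Return True if the session stays up. Re-authentication needs the cached
    username/password; with none, or when the AAA server rejects them (a
    one-time password that has already been consumed), the session comes down."""
    if plan.action != "reauthenticate" or cached is None:
        return False
    return authenticate(*cached)


if __name__ == "__main__":
    accept = string_attr(USER_NAME, "alice") + integer_attr(SESSION_TIMEOUT, 3600) \
        + integer_attr(TERMINATION_ACTION, TA_RADIUS_REQUEST)
    plan = plan_session_timeout(parse_attributes(accept))
    print(plan, on_timeout_expiry(plan, ("alice", "s3cret"), lambda u, p: p == "s3cret"))
```

The `authenticate` callable stands in for the Access-Request/Access-Accept round trip; a real implementation would also verify the Response Authenticator before trusting the attributes.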

Benefits

Service Providers can implement a time-based prepaid billing model with standard RADIUS attributes (unlike SSG's own prepaid model, which is proprietary and extensive).

If Service Providers already have a billing system based on these RADIUS attributes, they can introduce SSG into that business system easily.

Hardware

Routers

Cisco 2651XM, 3745, 7200, 7301, and 7600 MWAM


Restrictions

In SSG RADIUS proxy deployments, SSG will not perform session timeout processing when attribute #29 is present in the Access-Accept packet and is set to re-authenticate.

SSG uses the cached username and password to perform re-authentication. If SSG does not have these credentials, the session is brought down as if re-authentication had failed. If a particular deployment uses one-time passwords to authenticate users, SSG re-authentication will fail and the session will be brought down.

Product Management Contact: mkolli@cisco.com

2.10.13) Service Selection Gateway Default Quota for Prepaid Billing Server Failure

The Service Selection Gateway (SSG) Default Quota for Prepaid Billing Server Failure feature allows SSG to allocate a default quota when the prepaid server fails to respond to an authorization request. This functionality allows prepaid users to connect to a service even when the prepaid server is unavailable during authorization. SSG can be configured to allocate multiple default quotas up to a configured maximum. SSG will also allocate default quotas when the prepaid server is unresponsive to reauthorization requests, thus preventing existing connections from being terminated.

SSG can be configured to allocate a default quota when the prepaid server fails to respond to an authorization request. The default quota for a service is specified in the service profile. SSG stores the value when the service profile is downloaded from the AAA server. If the prepaid server is not accessible during initial authorization, SSG allocates the default quota and activates the connection, thus allowing the prepaid user to connect to the respective service.

When a default quota expires, SSG attempts to reauthorize the user. If the prepaid server still does not respond, SSG will allocate another default quota. SSG will allocate multiple default quotas up to a configured maximum. Once SSG has allocated the configured maximum number of default quotas, no further default quota allocations will be made, and the user's connection to the service will be terminated.

SSG will also allocate default quotas when the prepaid server fails during the reauthorization of existing connections. Allocation of a default quota for the reauthorization of an existing connection prevents the connection from being terminated due to the unavailability of the prepaid server.
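The allocation rules in the three paragraphs above form a small state machine. The Python below is an added illustration of it, not SSG code: a prepaid-server call that times out triggers a default quota, a server that answers with no credit terminates the connection without any default quota (the default applies only to the timeout case, as the Considerations below state), and the configured maximum caps how many defaults are handed out in a row. The quota values, maximum and server behaviour are constructed; whether a later successful grant resets the default count is not stated in the bulletin and is an assumption here.

```python
"""State machine for SSG-style default-quota allocation when the prepaid
billing server does not answer. Added example, not SSG code; quotas, the
maximum and the server behaviour are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# A prepaid-server call returns a quota, 0 for an explicit "no credit"
# answer, or None when the RADIUS retransmits time out.
PrepaidServer = Callable[[str], Optional[int]]


@dataclass
class PrepaidConnection:
    service: str
    default_quota: int           # from the downloaded service profile
    max_default_quotas: int      # configured maximum number of default allocations
    default_quotas_used: int = 0
    quota: int = 0
    active: bool = False
    log: List[str] = field(default_factory=list)


def _allocate_default(conn: PrepaidConnection) -> bool:
    """Hand out a default quota unless the configured maximum is exhausted."""
    if conn.default_quotas_used >= conn.max_default_quotas:
        conn.active, conn.quota = False, 0
        conn.log.append("maximum default quotas reached: connection terminated")
        return False
    conn.default_quotas_used += 1
    conn.quota, conn.active = conn.default_quota, True
    conn.log.append(f"default quota {conn.default_quota} allocated "
                    f"({conn.default_quotas_used}/{conn.max_default_quotas})")
    return True


def authorize(conn: PrepaidConnection, server: PrepaidServer) -> bool:
    """Initial authorization, or reauthorization when the current quota expires.
    Returns whether the connection is active afterwards."""
    granted = server(conn.service)
    if granted is None:                 # retransmits timed out: server unavailable
        return _allocate_default(conn)
    if granted <= 0:                    # server answered: no credit, no default quota
        conn.active, conn.quota = False, 0
        conn.log.append("prepaid server granted no quota: connection terminated")
        return False
    conn.quota, conn.active = granted, True
    conn.default_quotas_used = 0        # assumption: a real grant resets the default count
    conn.log.append(f"prepaid server granted quota {granted}")
    return True


def run_session(conn: PrepaidConnection, server: PrepaidServer,
                quota_expiries: int) -> List[bool]:
    """One authorization followed by up to `quota_expiries` reauthorizations;
    returns the active flag after each step, stopping once the connection drops."""
    states = [authorize(conn, server)]
    for _ in range(quota_expiries):
        if not conn.active:
            break
        states.append(authorize(conn, server))
    return states


def flaky_server(outages: int) -> PrepaidServer:
    """Constructed server: times out for the first `outages` calls, then grants 300."""
    calls = {"n": 0}

    def server(service: str) -> Optional[int]:
        calls["n"] += 1
        return None if calls["n"] <= outages else 300
    return server


if __name__ == "__main__":
    conn = PrepaidConnection("video", default_quota=60, max_default_quotas=2)
    print(run_session(conn, lambda s: None, 3), conn.log)
```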

Benefits

This enhancement ensures continued subscriber connectivity during temporary connection failures with prepaid billing servers.

Hardware

Routers

Cisco 2651XM, 3745, 7200, 7301, and 7600 MWAM


Considerations

The default quota is applicable for prepaid services only.

The default quota will be used only when the prepaid billing server is not available; that is, when the RADIUS packet retransmit times out.

Product Management Contact: mkolli@cisco.com

2.10.14) Service Selection Gateway Support for Dynamic Load Balancing

The Service Selection Gateway (SSG) Support for Dynamic Load Balancing feature enables the Dynamic Feedback Protocol (DFP) to be used to facilitate dynamic load balancing among multiple Service Selection Gateways (SSGs). When DFP support is configured on SSG, SSG registers with the DFP agent and hands over weights at configured intervals. The DFP agent conveys the weights to a DFP manager, such as a Cisco IOS Server Load Balancing device, which uses the weights to determine load balancing among the SSGs.

When multiple SSGs are deployed with Cisco IOS Server Load Balancing, DFP enables the real servers (the SSGs) to communicate server health to the DFP manager. SSG registers with the DFP agent and hands over weights at configured intervals. The DFP agent calculates relative weights for SSG on the basis of three factors:

The DFP weight configured for the SSG

CPU load

Memory utilization

The weights are conveyed by the DFP agent to the load balancer, which uses the weights in an algorithm to determine load balancing among the SSG devices. A higher weight for a server indicates higher availability; a weight of zero indicates that a server has no availability.

Cisco IOS SLB always uses weights to balance loads. If DFP is not configured, or if the DFP connection has been terminated and the DFP agent cannot relay the current weights, SLB uses the static weights that have been configured for the server. If no weights have been configured, SLB uses default weights.
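The weight precedence described above (DFP weight, then configured static weight, then default) and the effect of a zero weight are easy to misread in prose, so here is an added Python model of it. It is not Cisco IOS SLB or SSG code: the bulletin names the three inputs to the relative weight but not the formula, so the CPU/memory scaling, the default weight of 8 and the server values below are all assumptions.

```python
"""Weight handling for DFP-driven load balancing across SSGs. Added example,
not Cisco IOS SLB/SSG code; the scaling formula, DEFAULT_WEIGHT and the
server values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_WEIGHT = 8   # assumed default used when no static weight is configured


def dfp_weight(configured_weight: int, cpu_load: float, mem_util: float) -> int:
    """Assumed relative weight: the configured DFP weight scaled by CPU and
    memory headroom, so a saturated SSG reports 0 (no availability)."""
    if not (0.0 <= cpu_load <= 1.0 and 0.0 <= mem_util <= 1.0):
        raise ValueError("loads are fractions in [0, 1]")
    return int(round(configured_weight * (1.0 - cpu_load) * (1.0 - mem_util)))


@dataclass
class RealServer:
    name: str
    static_weight: Optional[int] = None   # weight configured on the SLB real server
    dfp_weight: Optional[int] = None      # last weight relayed by the DFP agent


def effective_weight(server: RealServer) -> int:
    """SLB precedence: DFP weight while the DFP connection is up, otherwise
    the configured static weight, otherwise the default."""
    if server.dfp_weight is not None:
        return server.dfp_weight
    if server.static_weight is not None:
        return server.static_weight
    return DEFAULT_WEIGHT


def connection_shares(servers: List[RealServer]) -> Dict[str, float]:
    """Fraction of new sessions each SSG receives under weighted distribution;
    a weight of zero takes that SSG out of rotation entirely."""
    weights = {s.name: effective_weight(s) for s in servers}
    total = sum(weights.values())
    return {n: (w / total if total else 0.0) for n, w in weights.items()}


def select_ssg(servers: List[RealServer]) -> Optional[str]:
    """Pick the SSG with the most headroom; None when every SSG reports zero."""
    ranked = sorted(((effective_weight(s), s.name) for s in servers),
                    key=lambda t: (-t[0], t[1]))
    return ranked[0][1] if ranked and ranked[0][0] > 0 else None


if __name__ == "__main__":
    farm = [RealServer("ssg1", 50, dfp_weight(100, 0.5, 0.2)),
            RealServer("ssg2", 50, dfp_weight(100, 1.0, 0.1)),
            RealServer("ssg3", 20), RealServer("ssg4")]
    print(connection_shares(farm), select_ssg(farm))
```

Note what the fallback implies operationally: once the DFP connection to an SSG is lost, SLB keeps sending it sessions according to its static or default weight even if the box is in fact saturated, which is why the bulletin treats DFP as the mechanism that keeps a busy SSG from receiving too many new requests.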

Benefits

Allows multiple SSGs with different CPU power and memory to be used together easily in a single SSG network with a load balancer.

Increased session reliability by preventing a busy SSG from receiving too many new connection requests.

Allows a new SSG introduced into an existing SSG farm to be brought up to the same load as the other SSGs dynamically.

Hardware

Routers

Cisco 2651XM, 3745, 7200, 7301, and 7600 MWAM


Product Management Contact: mkolli@cisco.com

2.10.15) Cisco IOS Service Assurance Agent Multiple Operation Scheduling

Cisco IOS Service Assurance Agent (SAA) uses various metrics to assess a network's performance and availability. It can perform network assessments, verify service level agreements, and assist administrators with troubleshooting. It automates service level monitoring for both end customers and Service Providers. Cisco IOS SAA uses unique service level assurance metrics and methodology to provide highly accurate, precise service level assurance measurements.

Cisco IOS SAA informs users whether Quality of Service (QoS) is configured correctly and working. It reduces operational costs by identifying issues and testing the network infrastructure continuously. It also reduces the time required to track and isolate network performance problems, thus decreasing operating expenses. Cisco IOS SAA sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates network data and IP services, collecting network performance information in real time. Collected information includes response time, one-way latency, jitter, packet loss, voice quality scoring, and server response time.

Cisco IOS SAA Multiple Operation Scheduling allows the user to easily schedule active performance measurements to a group of destination devices from a source device. This capability allows sequential activation of a large number of SAA operations with one CLI command or SNMP MIB set. For example, the user can schedule a set of SAA jitter operations to measure edge to edge jitter, packet loss, and response time from a source router to a large number of destination routers with one CLI command.

Figure 45

Cisco IOS Service Assurance Agent Multiple Operation Scheduling

Benefits

Enhances Cisco IOS SAA scalability and ease of use.

Provides more flexibility in the ability to schedule SAA operations.

Embedded active monitoring in Cisco IOS Software.

Automated real-time, accurate network performance and network health monitoring.

Capable of verifying and measuring IP service levels and parameters needed for service level agreements.

Per-class QoS traffic monitoring.

Flexible scheduling.

Proactive notifications with Simple Network Management Protocol (SNMP) Trap.

Hop-by-hop and end-to-end performance measurement.

Controlled through SNMP or Command Line Interface (CLI).

VoIP codec simulation and VoIP quality measurement (MOS and ICPIF).

MPLS network monitoring.

Integrated into several third-party diagnostic tools.

Hardware

Routers

All routers that support the Cisco IOS Software Release 12.3T family

Switches

All switches that support the Cisco IOS Software Release 12.3T family, except the Cisco Catalyst 4500 Series Switch


Additional Information: http://www.cisco.com/go/saa

Product Management Contact: Tom Zingale, tomz@cisco.com

2.10.16) MPLS Aware NetFlow

Understanding who is using the network and for how long, what protocols and applications are being used, and where the network data is flowing is a necessity for today's IP network managers. IP network managers rely on exported NetFlow data for a variety of purposes, including:

Network management and planning

Enterprise accounting

Troubleshooting

Security monitoring and departmental charge back billing

Data warehousing

Data mining for marketing purposes

NetFlow version 9 is a new flexible and extensible format for exporting IP flow information from Cisco routers and switches, providing rapid support for IP accounting of Cisco technologies. New features that leverage NetFlow version 9 include MPLS Aware NetFlow, NetFlow multicast and NetFlow BGP Next Hop. The NetFlow Version 9 extensible format is recognized as a new standard for exporting flow information from IP devices.

Capacity planning is a necessity for Cisco customers using MPLS VPN, MPLS traffic engineering, and MPLS Label Distribution Protocol (LDP). MPLS network management and capacity planning have now been enhanced with the addition of MPLS Aware NetFlow, which allows customers to determine the IP destination of label-switched traffic and to understand the utilization of label-switched paths.

Figure 46

MPLS Aware NetFlow

Benefits

NetFlow version 9 is a flexible and extensible export format and an emerging IETF standard for exporting information from IP devices.

MPLS aware NetFlow enhances MPLS network planning.

Peering arrangements.

Network Planning.

Traffic Engineering.

Accounting and billing.

Security Monitoring.

Internet access monitoring (protocol distribution, where traffic is going/coming).

User Monitoring.

Application monitoring.

Charge back billing for departments.

Hardware

Routers

Cisco 3700, 7200, 7300, 7400, and 7500 Series Routers


Considerations

MPLS Aware NetFlow is also available in Cisco IOS Software Release 12.0(24)S on the Cisco 12000 Series Internet Router, and in Release 12.0(26)S for additional hardware products.

Additional Information: http://www.cisco.com/go/netflow

Product Management Contact: Tom Zingale, tomz@cisco.com

2.10.17) Service Selection Gateway Interface Redundancy

In Service Selection Gateway (SSG), each service is associated with an outbound interface. When a subscriber chooses to use a service, SSG connects the subscriber to the service via the associated outbound interface. SSG interface redundancy allows services to be associated with more than one interface to protect against link failures.

When redundant interfaces are configured for a service, a distance metric is assigned to each service binding. This metric determines the order in which SSG selects the interface used to reach the service. The interface for the service binding with the lowest metric is the primary interface; the interface for the binding with the second lowest metric is the secondary interface, and so on. If a failure occurs on an active interface, SSG recognizes the failure and switches the service connection to the interface associated with the next lowest metric. When the primary uplink interface or next hop becomes available again, SSG switches back to the primary interface.
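The selection rule above (lowest usable metric wins, fail over to the next lowest, and fail back to the primary as soon as it is usable again) can be written down in a few lines. The Python below is an added illustration, not SSG code; the interface names, next hops and metrics are constructed, and a binding counts as usable when its link is up and, if it has a next hop, that next hop is reachable.

```python
"""Uplink selection with SSG-style interface redundancy. Added example, not
SSG code; interfaces, next hops and metrics are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ServiceBinding:
    interface: str
    next_hop: Optional[str]   # None for a directly connected service
    metric: int               # distance metric: lower is preferred


@dataclass
class LinkState:
    link_up: Dict[str, bool]
    next_hop_reachable: Dict[str, bool]

    def usable(self, b: ServiceBinding) -> bool:
        if not self.link_up.get(b.interface, False):
            return False
        return b.next_hop is None or self.next_hop_reachable.get(b.next_hop, False)


def select_interface(bindings: List[ServiceBinding], state: LinkState) -> Optional[str]:
    """Interface of the lowest-metric usable binding, or None when every path
    for the service is down. Interface name breaks metric ties deterministically."""
    for b in sorted(bindings, key=lambda b: (b.metric, b.interface)):
        if state.usable(b):
            return b.interface
    return None


Event = Tuple[str, str, bool]   # (kind: "link" | "nexthop", name, up)


def failover_timeline(bindings: List[ServiceBinding], state: LinkState,
                      events: List[Event]) -> List[Optional[str]]:
    """Apply link/next-hop state changes in order and record the interface
    chosen after each: failure moves to the next-lowest metric, recovery of a
    better binding moves back to it immediately (preemptive fail-back)."""
    chosen = [select_interface(bindings, state)]
    for kind, name, up in events:
        if kind == "link":
            state.link_up[name] = up
        elif kind == "nexthop":
            state.next_hop_reachable[name] = up
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        chosen.append(select_interface(bindings, state))
    return chosen


# Constructed service with three bindings: two via next hops, one directly connected.
SERVICE_BINDINGS = [
    ServiceBinding("Gi0/0", "192.0.2.1", 10),
    ServiceBinding("Gi0/1", "192.0.2.2", 20),
    ServiceBinding("Gi0/2", None, 30),
]


def fresh_state() -> LinkState:
    return LinkState({"Gi0/0": True, "Gi0/1": True, "Gi0/2": True},
                     {"192.0.2.1": True, "192.0.2.2": True})


if __name__ == "__main__":
    print(failover_timeline(SERVICE_BINDINGS, fresh_state(), [
        ("nexthop", "192.0.2.1", False), ("link", "Gi0/1", False),
        ("nexthop", "192.0.2.1", True), ("link", "Gi0/0", False)]))
```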

SSG Uplink Interface Redundancy Topologies

The SSG Interface Redundancy feature supports uplink interface redundancy in the following network topologies:

Figure 47

Multiple Next-Hops per Service Sample Topology

Figure 48

Multiple Uplink Interfaces with a Single Next Hop Sample Topology

Figure 49

Multiple Uplink Interfaces with No Next Hop Sample Topology

Figure 50

Combinations of Directly Connected Uplink Interfaces and Interfaces with Next Hops Sample Topology

Benefits

Reduces Connectivity Downtime

Service Providers can use SSG Interface Redundancy to configure a redundant interface for the services they offer to subscribers. Any failure on the primary interface activates the backup interface, reducing service connection downtime. It also gives subscribers uninterrupted access to the services their Service Providers offer.

Hardware

Routers

Cisco 2651XM, 3745, and 7301 Routers

Cisco 7200 and 7600 MWAM Series Routers


Product Management Contact: Murali Kolli, mkolli@cisco.com

2.10.18) SSG Permanent TCP Redirection

Description

The SSG Permanent TCP Redirection feature enables Service Selection Gateway (SSG), in conjunction with Cisco Subscriber Edge Services Manager (SESM), to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This feature supports plug-and-play functionality in public access networks such as Public Wireless LANs.

Release / Modification

12.3(3)B: This feature was introduced.

12.3(7)T: This feature was implemented in Cisco IOS Release 12.3(7)T.


Benefits

The SSG Permanent TCP Redirection feature enables SSG to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This solution enables SSG, in conjunction with SESM, to provide an emulation of the HTTP proxy so the experience of the user is as if the user's web browser were exchanging traffic with the user's real HTTP proxy server. This feature supports plug-and-play functionality in public access networks such as Public Wireless LANs.

Restrictions:

The following restrictions apply to the SSG Auto-logoff Enhancement feature:

SSG will not provide concurrent service selection to the HTTP proxy user who uses web traffic to reach more than one service. SSG can redirect web traffic to only one service or server.

SSG will not provide TCP redirection for unauthorized services for HTTP proxy users who are unauthenticated because SSG will not know the destination of the traffic.

SSG simulates the proxy for HTTP traffic, so if a user tries to send any traffic other than HTTP traffic, the connection will fail. For example, a user will be unable to use FTP to access the HTTP proxy server configured in the browser.

If a user changes his HTTP proxy settings after authentication, SSG will not be able to detect the changes.

Hardware

Routers

Cisco 2651XM, Cisco 2691 Routers

Cisco 3725 and 3745 Routers

Cisco 7200 Series Routers

Cisco 7301 Router


Product Management Contact: mkolli@cisco.com

2.10.19) SSG Transparent Auto-Logon

Description

The Transparent Auto-Logon (TAL) feature enables SSG to authenticate/authorize users based on IP packets received from the user. SSG authorizes users by using information from the Authentication, Authorization, and Accounting (AAA) server when a first IP packet is received from the user.

Users can be activated on SSG through Web-based login procedures using Service Edge Subscriber Management (SESM), RADIUS Proxy, and PPP session termination. The Transparent Auto-Logon feature provides an additional activation method. Transparent Auto-Logon provides SSG services to a user who is authorized based on the source IP address of packets received on a downlink interface of SSG, without any previous authentication phase. Depending on the customer deployment, there can still be user access via Web-based login, RADIUS Proxy, and PPP session termination. The SSG provides the flexibility to allow the coexistence of these different authentication methods.

Figure 51

User-to-Service Packet Flow

Release / Modification

12.3(3)B: This feature was introduced.

12.3(7)T: This feature was implemented in Cisco IOS Release 12.3(7)T.


Benefits

The SSG application (which includes the TAL function described in this document) provides the following benefits:

Avoids interactive subscriber authentication where the subscriber's identity is verified by other means.

Enables always-on access to network services for specific classes of users (transparent, flat-rate users).

Provides an authentication model in which pay-per-use users are still required to authenticate interactively to network services that are subject to explicit sign-on.

Restrictions:

If SSG Transparent Auto-Logon is used, a subscriber's identity is tied solely to his/her source IP address. To provide proper security, service providers must ensure that the subscriber connections are secure and that IP addresses cannot be spoofed for illegal use.

Hardware

Routers

Cisco 2651XM and 2691 Routers

Cisco 3725 and 3745 Routers

Cisco 7200 Series Routers

Cisco 7301 Router


Product Management Contact: mkolli@cisco.com

2.10.20) SSG TCP Re-direct Exclusion List

Description

The existing TCP Redirect feature is enhanced to allow access lists to be associated with server groups. This enhancement can be used to limit the kind of traffic that is redirected, based on the source or destination IP address and TCP ports. It can also be used to redirect different sets of users to different dashboards for unauthenticated-user and unauthorized-service redirection. The access list can be a standard or extended access list, and it can be named or numbered.

Release
Modification