
Cisco IOS Software Release 11.1 New Features No. 402

IOS Product Bulletin - Public #402

Cisco IOS (tm) Software Release 11.1 New Features February 1, 1996

Introduction

This Product Bulletin describes new features available in the Cisco Internetwork Operating System (Cisco IOS) Release 11.1. Please note that this bulletin is being distributed approximately two months prior to Release 11.1 FCS. As a result, some features listed here may appear in a maintenance release of 11.1 instead of the FCS release. Where this is already known, such features are indicated.

Please refer to Product Bulletin #403, which will be available at the time of Cisco IOS Release 11.1 FCS, for information regarding the procedures for ordering Release 11.1 as well as a summary of platform support and platform-specific features.

1. Backbone Protocols

1.1 TCP/IP Features

1.1.1 Next Hop Resolution Protocol (NHRP) Enhancements for IPX

Description: NHRP allows routers to dynamically discover data link addresses for other routers on a WAN cloud. Today it is necessary to configure network layer and data link layer addresses for all neighbors on a WAN cloud. NHRP enables Cisco routers to discover these addresses dynamically.

NHRP has been enhanced to support IPX in addition to the IP support introduced in Cisco IOS software version 10.3.

Benefits: NHRP is a critical requirement for building large scale WAN clouds using emerging switching technologies. Cisco is editing the NHRP standard and will be the first router vendor to support the protocol.

With NHRP, customers may dynamically resolve IPX addresses in large scale WAN environments in addition to resolving IP addresses.

Considerations: Currently, NHRP will operate using ATM, SMDS, or GRE tunneling. Future releases will support NHRP across X.25 and Frame Relay.

Product Marketing Contact: Peter Long

1.1.2 Fast Install for Static Routes

Description: Floating static routes are static routes that have a higher administrative distance than other dynamic or static routes, and are often used to back up a leased line or Frame Relay service, in conjunction with the Cisco IOS software dial-on-demand routing (DDR) functionality.

This feature ensures that the floating static route is installed as soon as either the routing protocol or interface reports a loss of connectivity.

Benefits: Customers will experience considerably shorter times to have floating static routes installed, resulting in faster convergence when utilizing dial-on-demand circuits to back up, for example, a leased line or Frame Relay service.

Considerations: The time taken to converge on the dial-on-demand circuit will still include the time taken for the routing protocols or interface to detect the inoperability of the primary circuit.

Product Marketing Contact: Peter Long

1.1.3 Fast-Switched Generic Route Encapsulation (GRE)

Description: Generic Route Encapsulation (GRE) provides the ability to handle multiple network protocols in the same tunnel. In addition, GRE includes optional sequencing and an optional security key.

This feature enables fast switching for GRE tunnels. Previously, encapsulation and de-encapsulation were process-switched.

Benefits: The increase in the performance of the GRE tunnels will greatly aid those customers using GRE tunnels today on the Cisco 2500, 4000 and 7500 families of routers.

Considerations: This performance enhancement is not currently available on the Cisco 7000 and AGS+ series of routers.

Product Marketing Contact: Peter Long

1.1.4 Routing Information Protocol v2 (RIPv2)

Description: While RIPv2 shares the same basic algorithms as RIPv1, it supports several new features:

Subnet Masks

Subnet mask information makes RIP more useful in a variety of environments and allows the use of variable subnet masks on the network. Subnet masks are also necessary for implementation of "classless" addressing, such as CIDR (classless interdomain routing).

Authentication

One significant improvement offered by RIPv2 over RIPv1 is the addition of an authentication mechanism. Currently, customers can choose between a plain-text password or an MD5 signature for authentication.

Multicasting

RIPv2 packets can be multicast instead of broadcast. The use of an IP multicast address reduces the load on hosts that do not support routing protocols. It also allows RIPv2 routers to share information that RIPv1 routers cannot hear. This is useful since a RIPv1 router may misinterpret route information because it cannot apply the supplied subnet mask.

External Route Tags

The route tag field may be used to propagate information acquired from an EGP.
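The difference between the two authentication choices above, as an added example that is not code from this bulletin or from Cisco IOS. It assumes the keyed-MD5 layout of RFC 2082 as read by the author of the example; the field offsets, the strictly increasing sequence check, and the addresses and keys are assumptions, not interoperability claims about a particular IOS release.

```python
"""RIPv2 authentication: plain-text password (auth type 2) versus keyed MD5
(auth type 3).  Added example, not Cisco IOS code.  The byte layout follows
RFC 2082 as the example's author reads it and is an assumption."""
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF
AUTH_PLAIN, AUTH_MD5 = 2, 3
TRAILER_HDR = struct.pack("!HH", AFI_AUTH, 1)   # introduces the 16-byte digest


def route_entry(prefix: bytes, mask: bytes, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry: AFI 2 (IP), tag 0, next hop 0.0.0.0."""
    return struct.pack("!HH4s4s4sI", 2, 0, prefix, mask, b"\0" * 4, metric)


def build_plain(password: bytes, routes: list) -> bytes:
    """Auth type 2: the password itself rides in the first entry, readable
    by anyone who can see the update on the segment."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_PLAIN, password.ljust(16, b"\0"))
    return header + auth + b"".join(routes)


def build_md5(key_id: int, key: bytes, seq: int, routes: list) -> bytes:
    """Auth type 3: the key is never sent.  MD5 runs over the packet with the
    (zero-padded) key in place of the digest; the digest then replaces it."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    pkt_len = 4 + 20 + 20 * len(routes)                # length without the trailer
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    body = header + auth + b"".join(routes) + TRAILER_HDR
    digest = hashlib.md5(body + key.ljust(16, b"\0")).digest()
    return body + digest


def verify_md5(pkt: bytes, keys: dict, sender: str, last_seq: dict):
    """Receiver side: returns (accepted, reason).  Besides the digest, the
    sequence number must advance so a captured update cannot be replayed."""
    if len(pkt) < 4 + 20 + 4 + 16:
        return False, "too short"
    afi, atype, pkt_len, key_id, adlen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or adlen != 16:
        return False, "not keyed MD5"
    if pkt_len + 4 + 16 != len(pkt) or pkt[pkt_len:pkt_len + 4] != TRAILER_HDR:
        return False, "length or trailer mismatch"
    if key_id not in keys:
        return False, "unknown key id"
    expected = hashlib.md5(pkt[:pkt_len + 4] + keys[key_id].ljust(16, b"\0")).digest()
    if not hmac.compare_digest(expected, pkt[pkt_len + 4:]):
        return False, "digest mismatch"
    # RFC 2082 tolerates a non-decreasing sequence and a reset to 0; the
    # strictly increasing rule here is this example's stricter assumption.
    if seq <= last_seq.get(sender, -1):
        return False, "replayed sequence"
    last_seq[sender] = seq
    return True, "ok"
```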

Benefits: Customers choosing to implement RIP can now make more efficient use of their allocated address space by implementing Variable Length Subnet Masks (VLSM) within their networks.

RIPv2 adds to the choices of classless routing protocols supported by Cisco IOS software. This is the primary mechanism to improve scaling of the Internet routing system as a whole.

Considerations: Care must be taken when combining RIPv2 routers and RIPv1-compatible hosts. Because it cannot apply the supplied subnet mask, a RIPv1 host may misinterpret route information.

In some multi-homed environments, hosts listen to RIPv1 broadcasts to enable them to switch their traffic to a new router, should the main router or connection fail.

For such hosts, Cisco recommends alternative technologies such as the RFC 792 ICMP Router Discovery Protocol or the Hot Standby Router Protocol (HSRP).

Product Marketing Contact: Peter Long

1.2 Transparent Bridging Features

1.2.1 Virtual LAN (VLAN) Routing

Description: Communications between switched virtual LANs (VLANs) are enhanced by Cisco IOS VLAN services with the introduction of IP and IPX routing and transparent 802.1d bridging between IEEE 802.10 or Cisco ISL encapsulated switched virtual LANs.

VLAN routing is equally applicable in LAN switched and ATM switched environments; however, this discussion focuses on the implementation for switched LAN networks.

A group of VLAN-enabled switches can logically segment end-user ports into autonomous virtual workgroups, commonly referred to as virtual LANs (VLAN). While logical segmentation provides benefits in address administration, security, and management of network broadcast activity across the enterprise, communications between VLANs and the subsequent interoperability between switches and routers must be considered prior to VLAN deployment. To communicate between VLANs, a routing function is required (or bridging between VLANs, in the case of non-routeable protocol types). Cisco IOS software offers two inter-VLAN communication alternatives: dedicated VLAN ports and VLAN subinterfaces.

Dedicated VLAN ports, which Cisco has historically provided, allow users to connect distinct VLAN groups by assigning a physical router interface to each VLAN group. For example, five VLANs that require inter-VLAN communication would each have an undivided pair of switch and router interfaces. For bandwidth-intensive inter-VLAN applications, this provides the most cost-effective approach. It initially provides higher layer-3 forwarding performance, and for early VLAN users, this leverages many of the existing embedded features of Cisco's routing products.

VLAN subinterfaces, introduced in this release, are an alternative to dedicated VLAN ports that enables multiple VLANs to be configured on a single physical interface. The interface, referred to as a trunk interface, logically transports multiple VLANs across Fast Ethernet or FDDI media by encapsulating with Cisco ISL or IEEE 802.10, respectively. The Cisco IOS VLAN implementation leverages the subinterface (or virtual interface) mechanism, and views ISL and 802.10 as particular encapsulation types. On a physical router interface receiving and transmitting VLAN packets, referred to as a VLAN trunk or simply as a trunk, a subinterface is defined and mapped to the particular VLAN group. This allows for selective control over which VLAN traffic is routed or switched outside of its own VLAN domain and allows most Cisco IOS functionality to be applied on a subinterface basis. Though the Cisco IOS software supports 255 subinterfaces (logical ports) per router, the number of VLANs within the enterprise is unlimited. The benefit of trunked VLAN subinterfaces is that they conserve router/switch physical ports and are a cost-effective solution for environments where the majority of traffic is intra-VLAN.

Cisco IOS VLAN services can route between two or more subnets on the same VLAN or on different VLANs. The router first determines if a packet's protocol has been configured for routing. If so, the router routes the packet. If not, the router checks if bridging is enabled and, if so, bridges the packet. This mechanism provides the ability to concurrently route and bridge packets based on protocol types, a function required for VLANs based on the underlying protocols.

Routing between two separate subnets within a single VLAN is possible with the implementation of secondary addressing on the VLAN subinterface. Consistent with IP design guidelines, a single subnet spans only one VLAN.

Configured in bridge mode, the router handles VLAN packets similarly to the switch. MAC addresses are examined against a bridging table; if the packet requires forwarding, the bridging table makes the determination. "Bridging" VLAN packets is required for protocols without layer 3 routing capabilities, such as LAT, NetBIOS, and LLC2.

To bridge workgroups together as a VLAN, a spanning tree must be formed to eliminate the possibility of loops and to establish a single data path throughout the network. There are two approaches for implementing spanning tree relative to VLANs: sharing a single common tree across all VLANs, or running a separate spanning tree exclusive to each VLAN topology. Cisco chooses the latter approach because it favors scalability and reliability.

There is considerable advantage in establishing a separate spanning tree across each VLAN topology instead of sharing a common tree throughout. A single spanning tree per VLAN provides better network resilience and stability. Because each VLAN's spanning tree operates autonomously, it is not interrupted with spanning tree recomputations that occur elsewhere in the network topology.

Security access lists for controlling the type of access within or outside of a VLAN can be configured using subinterfaces within Cisco routers. This provides an additional layer of security when VLANs are interconnected.

Cisco is taking a proactive approach toward vendor interoperability by sharing interswitch protocol specifications with other internetworking, network interface, and hub vendors. Cisco has established 802.10 as its interoperable VLAN standard, making it available to third-party vendors interested in inter-VLAN and cross-vendor communications.

Cisco is also working with the 802.1 IEEE standards working committee to evaluate, modify, and ratify VLAN trunking, VLAN management, and VLAN distribution protocols.

Benefits:

VLAN routing:

  • Enables communications between logically defined VLAN groups, while maintaining the integrity of VLAN firewalls (security, traffic isolation, and common logical addressing)

  • Performs a central role in planning and configuring VLANs within a switched internetwork.

  • Conserves router and switch physical interfaces for inter-VLAN communication.

  • Provides VLAN communications within workgroups, across the campus, and across wide-area networks (WANs).

  • Supports up to 255 VLANs within each router (unlimited within the infrastructure) using Cisco's leading subinterface technology.

  • Allows bridging mode (layer 2) for end-station protocols that function only at layer 2 (NetBIOS, LAT, etc.).

  • Enables security access lists for controlling the type of access within or outside a VLAN.

  • Provides a wide range of VLAN configuration options with concurrent routing and VLAN forwarding where both layer 2 and layer 3 applications reside within the network.

  • Available to third-party vendors interested in inter-VLAN and cross-vendor communications via 802.10.

Considerations: Dedicated VLAN ports optimize layer-3 forwarding bandwidth and leverage many of the existing embedded features of Cisco's routing products.

Shared VLAN ports have a finite rate of route forwarding, considerably less than that of dedicated VLAN ports; routing bandwidth should therefore be sized accordingly.

ISL over HSRP is not currently allowed because it introduces the risk of generating duplicate packets over the internetwork during 802.1d topology changes or normal flooding of unknown destination MAC addresses.

Support for additional protocols and hardware platforms will follow the initial support of IP and IPX routing and transparent bridging on the Cisco 7000 FEIP.

Product Marketing Contact: Tony Moraros

2. Desktop Protocols

2.1 AppleTalk Features

2.1.1 Simple Multicast Routing Protocol (SMRP) Fast Switching

Description: Fast switching of the AppleTalk multicast routing protocol, SMRP, has been implemented for Cisco 4000 and Cisco 7500 series routers.

Simple Multicast Routing Protocol (SMRP) optimizes Apple Quicktime Conferencing (QTC) traffic flow of audio, video, and shared data over AppleTalk-based routed networks. Apple Computer Inc.'s QTC is a powerful multimedia application that enables multiple end-stations to participate in multipoint, collaborative, multimedia operations. SMRP is the networking complement of QTC. SMRP optimizes communications among QTC end-systems with reduced CPU utilization by eliminating the duplicate transmission of identical packets to multiple receivers. SMRP streamlines network throughput by eliminating duplicate and unnecessary traffic propagation. It dynamically establishes unique shortest-path distribution trees to restrict traffic propagation to only those parts of the network that contain receiving end-stations. SMRP provides just-in-time packet duplication upon encountering a branch in the distribution tree.

Cisco routers have been SMRP-enabled since Cisco IOS Software Release 11.0 (Oct. 95). New in this release is enhanced performance.

Benefits: Cisco SMRP-enabled routers are the networking complement of QTC. SMRP performance is significantly enhanced on Cisco 4000 and Cisco 7500 series routers.

Considerations: Future releases will include enhanced performance of SMRP on Cisco 7000 platforms.

Product Marketing Contact: Roger Farnsworth

2.2 Novell Features

2.2.1 Enhanced IGRP (EIGRP) to NLSP Route Redistribution

Description: Enhanced IGRP (EIGRP) to NLSP Route Redistribution is the method by which routing information is passed between Enhanced IGRP and NLSP routing domains in IPX networks. While route redistribution between Enhanced IGRP and IPX RIP is automatic by default (as is redistribution between NLSP and IPX RIP), this new feature of Cisco IOS software adds comprehensive tools for enabling the direct flow of routing information between Enhanced IGRP and NLSP networks.

Benefits: Enhanced IGRP to NLSP Route Redistribution provides unparalleled flexibility to users of large IPX networks. Previously, when IPX networks grew to the point where RIP and SAP were no longer able to adequately support them, users were forced to upgrade to either Enhanced IGRP or NLSP in order to gain the scalability benefits inherent to these protocols. Through the use of Enhanced IGRP to NLSP route redistribution, users may now select the routing protocol, or combination of routing protocols, which meets their needs. For example, an IPX network can now be built which uses a combination of RIP and NLSP on the NetWare servers and uses Enhanced IGRP as the single backbone protocol.


Figure 1.: EIGRP to NLSP Route Redistribution


Product Marketing Contact: Roger Farnsworth

2.2.2 IPX Input Access Lists

Description: This is a security enhancement feature that provides the capability of applying access lists to incoming router interfaces.

Benefits: IPX Input Access Lists provide added flexibility in building secure IPX networks. They can be used to validate user information at the borders of networks and build more sophisticated firewalls. By moving the filter process from an outgoing to an incoming interface, IPX Input Access Lists enhance security and reduce processor overhead by denying packets before they transit the router. They also provide the capability of filtering traffic at the originating end of GRE-tunnelled networks.

Considerations: IPX Input Access Lists can be fast switched but cannot be enabled on a cBus-based router configured for autonomous or SSE switching.


Figure 2.: IPX Input Access Lists


Product Marketing Contact: Roger Farnsworth

2.2.3 IPX Per-Host Load Balancing

Description: Per-Host Load Sharing is a load sharing process that transmits successive packets (or a traffic stream) for a given destination host over the same path when multiple equal-cost paths are present. Load sharing is achieved when traffic streams use different paths.

Benefits: Previous implementations of load sharing relied on a round-robin algorithm which transmits successive packets over alternate, equal-cost paths without regard to the destination host. Round robin load sharing increases the likelihood of packets being received out of order at the destination host. Out of order packets must often be retransmitted in IPX environments, leading to much higher application delay and network congestion.

Since Per Host Load Sharing sends all packets destined for an end host over the same media interface, the likelihood of packets being received out of order is greatly reduced, thus minimizing retransmissions and network overhead.

Considerations: Equal usage of multiple paths is not guaranteed because the same path is used for the duration of the session; however, the reduced response time and more efficient link usage provided by this feature should more than offset this limitation.


Figure 3.: Load Balancing


Product Marketing Contact: Roger Farnsworth

2.2.4 NLSP Route Aggregation

Description: NetWare Link Services Protocol (NLSP) is the link-state routing protocol for IPX networks. Cisco IOS Software now includes additional functionality for NLSP that permits multiple NLSP areas to directly and succinctly share information without the requirement of using IPX RIP between groups as was the case in the past. NLSP Route Aggregation has been implemented in accordance with the NLSP Specification Version 1.1 from Novell.

Benefits: NLSP Route Aggregation provides several important benefits to users of large IPX networks. The first benefit is the ability to divide IPX networks into multiple NLSP areas. It is recommended that large IPX networks (conservatively estimated as those containing over 400 network addresses according to Novell design guidelines) be split into smaller NLSP areas. Previously, NLSP was specified as a single area routing protocol, meaning that individual NLSP areas had to use IPX RIP to communicate routing information. Cisco's new implementation of NLSP allows multiple instances of NLSP to run on the same router, and allows routing information to be shared, or "leaked" between areas. This allows much larger NLSP networks to exist.

In addition, NLSP Route Aggregation allows routing information to be shared more efficiently in properly designed hierarchically addressed networks. When possible, ranges of addresses within an area can be aggregated (or summarized) into a single, much smaller route entry. Because the number of these entries in the routing databases is minimized, and update traffic is reduced, aggregation results in a much more efficient routing process.

Considerations: To derive the maximum benefit from NLSP Route Aggregation it is important that network addresses be assigned properly in IPX environments. Network addresses should be assigned in a structured, hierarchical manner. Additionally, since other IPX routing protocols cannot interpret summarized route entries, the use of NLSP Route Aggregation in a Cisco router which is also using IPX RIP or Enhanced IGRP must be carefully planned and implemented.


Figure 4.: NLSP Route Aggregation


Product Marketing Contact: Roger Farnsworth

2.2.5 Raw FDDI IPX Encapsulation

Description: Cisco is introducing router support for an additional IPX encapsulation on FDDI media. This encapsulation, FDDI_RAW, is most often encountered when bridges or switches are used to connect Ethernet-based Novell networks using the 802.3_Ethernet encapsulation to FDDI-based networks. The FDDI_RAW encapsulation is not currently supported by Novell networking standards, but is becoming more common with the deployment of switched networks. Cisco now supports routing of FDDI_RAW along with two standard FDDI encapsulations: FDDI_SNAP and FDDI_802.2.

Benefits: Without routing support for FDDI_RAW IPX encapsulation, packets of this format were recognized only by switches or bridges on the FDDI ring. Neither clients, servers, nor routers directly connected to the ring could recognize this type of packet. By implementing FDDI_RAW encapsulation, Cisco makes it possible to recognize and route these packets, either to other LAN or WAN media, or back onto FDDI in one of the Novell-approved FDDI formats. Routing support for FDDI_RAW can eliminate the requirement of changing Ethernet encapsulation on servers and clients when deploying switched internetworks.


Figure 5.: Raw FDDI IPX Encapsulation


Product Marketing Contact: Roger Farnsworth

2.2.6 IPX Header Compression

Description: This feature permits the compression of IPX packet headers over various WAN media. IPX Header Compression (CIPX) is described in RFC 1553, "Compressing IPX Headers Over WAN Media." CIPX is based on Van Jacobson's TCP/IP header compression. CIPX will operate over PPP WAN links using either the IPXCP or IPXWAN communications protocols.

Benefits: IPX header compression can reduce header information from 30 bytes down to as little as 1 byte in size. This can save bandwidth and reduce costs associated with IPX routing over wide area network links. In addition, the use of CIPX is negotiated automatically on WAN links using the IPXWAN protocol, thus reducing the complexity of implementing these circuits.
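The mechanism behind the 30-byte to 1-byte reduction, as an added example that is neither Cisco's implementation nor the RFC 1553 encoding (which also carries change masks and delta fields): the slot byte layout, the 16-slot table, and the sample NCP-style addresses are this example's own simplifications and assumptions.

```python
"""Simplified IPX header compression in the Van Jacobson style that CIPX
(RFC 1553) builds on.  Added example: a 30-byte IPX header is sent once with
a slot number; later packets that repeat it carry only the slot byte, and the
length field is rebuilt from the frame size on the far side."""
import struct

IPX_HDR = struct.Struct("!HHBB4s6sH4s6sH")   # checksum, length, hops, type, dst, src = 30 bytes
FULL, COMPRESSED = 0x00, 0x80                 # high bit of the first byte, low 4 bits = slot
MAX_SLOTS = 16


def ipx_header(length, ptype, dst_net, dst_node, dst_sock, src_net, src_node, src_sock):
    return IPX_HDR.pack(0xFFFF, length, 0, ptype, dst_net, dst_node, dst_sock,
                        src_net, src_node, src_sock)


def _key(hdr):
    """Everything except the length field (bytes 2..4); the receiver recovers
    that from the link-layer frame size, so it need not be sent at all."""
    return hdr[:2] + hdr[4:]


class Compressor:
    def __init__(self):
        self.slots = {}        # header key -> slot id
        self.next_slot = 0

    def compress(self, packet):
        hdr, payload = packet[:30], packet[30:]
        slot = self.slots.get(_key(hdr))
        if slot is not None:                       # seen this flow: 1 byte replaces 30
            return bytes([COMPRESSED | slot]) + payload
        slot = self.next_slot
        self.next_slot = (self.next_slot + 1) % MAX_SLOTS
        self.slots = {k: s for k, s in self.slots.items() if s != slot}   # evict old owner
        self.slots[_key(hdr)] = slot
        return bytes([FULL | slot]) + hdr + payload


class Decompressor:
    def __init__(self):
        self.slots = {}        # slot id -> last full header for that slot

    def decompress(self, frame):
        slot = frame[0] & 0x0F
        if frame[0] & COMPRESSED:
            if slot not in self.slots:
                raise ValueError("unknown slot: compressor and decompressor are out of sync")
            hdr, payload = self.slots[slot], frame[1:]
        else:
            hdr, payload = frame[1:31], frame[31:]
            self.slots[slot] = hdr
        hdr = hdr[:2] + struct.pack("!H", 30 + len(payload)) + hdr[4:]   # restore length
        return hdr + payload


def resync_needed(frame):
    """What a receiver that missed the full-header packet (e.g. after a link
    reset) sees: it must wait for the next uncompressed header."""
    try:
        Decompressor().decompress(frame)
        return False
    except ValueError:
        return True


def demo():
    """Constructed traffic: three NCP-style requests on one flow, then one
    reply in the other direction (a second flow, hence a second slot)."""
    c, d = Compressor(), Decompressor()
    srv = (b"\x00\x00\x10\x00", b"\x00\x00\x0c\x01\x02\x03", 0x0451)
    cli = (b"\x00\x00\x20\x00", b"\x00\x40\x05\x0a\x0b\x0c", 0x4001)
    stream = [ipx_header(30 + len(p), 0x11, *srv, *cli) + p
              for p in (b"ncp-request-1", b"ncp-request-2 longer", b"ncp-request-3")]
    stream.append(ipx_header(30 + 5, 0x04, *cli, *srv) + b"reply")
    wire = [c.compress(p) for p in stream]
    back = [d.decompress(f) for f in wire]
    return stream, wire, back
```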

Product Marketing Contact: Roger Farnsworth

2.3 OSI Features

2.3.1 Target Identifier Address Resolution Protocol (TARP) Support

Description: Target Identifier Address Resolution Protocol (TARP) is an address resolution protocol for mapping SONET identifiers to OSI NSAPs (much like a DNS, which will return an NSAP given a name string, or the reverse). Some applications (typically used by telephone companies) that run on SONET devices identify these devices by a target identifier (TID). Cisco TARP-enabled routers cache TID-to-network address mappings. Because these applications usually run over OSI, the network addresses are OSI NSAPs.

When a device needs to send a packet to another device it does not know (that is, it does not have information about the NSAP address corresponding to the remote device's TID), the device needs a way to request this information directly from the device or from an intermediate device in the network.

Requests for information and the associated responses are sent as TARP PDUs, which are carried as CLNP data packets. TARP PDUs are distinguished by a unique N-selector in the NSAP address. There are five types of TARP PDUs, briefly described below:

Type 1 - sent when a device has a TID for which it has no matching NSAP. Type 1 PDUs are sent to all Level 1 (IS-IS and ES-IS) neighbors. If no response is received within the specified time limit, a Type 2 PDU is sent. To prevent packet looping, a looping detection buffer (LDB) is maintained on the router.

Type 2 - sent when a device has a TID for which it has no matching NSAP and no response was received from a Type 1 PDU. Type 2 PDUs are sent to all Level 1 and Level 2 neighbors. A time limit for Type 2 PDUs can also be specified.

Type 3 - sent as a response to a Type 1, Type 2, or Type 5 PDU. Type 3 PDUs are sent directly to the originator of the request.

Type 4 - sent as a notification when a change occurs locally (for example, a TID or NSAP change).

Type 5 - sent when a device needs a TID that corresponds to a specified NSAP. Unlike Type 1 and Type 2 PDUs that are flooded, a Type 5 PDU is sent only to a particular router.

In addition to the type, TARP PDUs contain the sender's NSAP, the sender's TID, and the target's TID (if the PDU is a Type 1 or Type 2).
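The five PDU types and the loop detection buffer, as an added simulation that is not Cisco code and does not use the Bellcore wire format: the in-memory PDU fields, the synchronous delivery that stands in for the Type 1 timeout, the TTL bound, and the NSAP and TID values are all this example's assumptions.

```python
"""TARP resolution as the bulletin describes it: Type 1 to Level 1 neighbours,
Type 2 to Level 1 and Level 2 neighbours after a timeout, Type 3 straight back
to the originator, Type 4 on a local change, Type 5 to one router only, and a
loop detection buffer (LDB) so flooded requests die on a loop.  Added
example; the topology and PDU representation are constructed."""
from dataclasses import dataclass, replace

NETWORK = {}   # NSAP -> node: stands in for CLNP delivering a PDU to an NSAP


@dataclass
class Pdu:
    ptype: int               # 1..5 as listed above
    sender_nsap: str
    sender_tid: str
    target_tid: str = ""     # Type 1 and Type 2 only
    origin_nsap: str = ""    # who asked: Type 3 replies go straight back here
    seq: int = 0             # (origin_nsap, seq) is the loop-detection key
    ttl: int = 8             # extra bound on flooding, this example's assumption


class TarpNode:
    def __init__(self, nsap, tid):
        self.nsap, self.tid = nsap, tid
        self.l1, self.l2 = [], []      # Level 1 / Level 2 neighbours
        self.cache = {}                # TID -> NSAP mappings learned so far
        self.ldb = set()               # loop detection buffer
        self.seq = 0
        self.dropped = 0               # looped PDUs discarded by this node
        NETWORK[nsap] = self

    def _flood(self, ptype, target_tid, neighbours):
        self.seq += 1
        pdu = Pdu(ptype, self.nsap, self.tid, target_tid, self.nsap, self.seq)
        self.ldb.add((self.nsap, self.seq))    # our own request must not loop back in
        for n in neighbours:
            n.receive(pdu, self)

    def resolve(self, tid):
        """TID -> NSAP.  Type 1 to Level 1 neighbours; if nothing came back (the
        synchronous flood returning stands in for the timeout) escalate to a
        Type 2 flood over Level 1 and Level 2 neighbours."""
        if tid not in self.cache:
            self._flood(1, tid, self.l1)
        if tid not in self.cache:
            self._flood(2, tid, self.l1 + self.l2)
        return self.cache.get(tid)

    def reverse(self, nsap):
        """NSAP -> TID with a Type 5 PDU, sent only to that one router."""
        if nsap not in NETWORK:
            return None
        self.seq += 1
        NETWORK[nsap].receive(Pdu(5, self.nsap, self.tid, "", self.nsap, self.seq), self)
        return next((t for t, n in self.cache.items() if n == nsap), None)

    def change_tid(self, new_tid):
        """A local change: tell the neighbours with a Type 4 PDU."""
        self.tid = new_tid
        self.seq += 1
        for n in self.l1 + self.l2:
            n.receive(Pdu(4, self.nsap, self.tid, seq=self.seq), self)

    def receive(self, pdu, via):
        if pdu.ptype in (1, 2):
            key = (pdu.origin_nsap, pdu.seq)
            if key in self.ldb:                 # seen before: a loop, drop it
                self.dropped += 1
                return
            self.ldb.add(key)
            if pdu.target_tid == self.tid:      # it is us: Type 3 straight to the origin
                NETWORK[pdu.origin_nsap].receive(Pdu(3, self.nsap, self.tid), self)
                return
            if pdu.ttl == 0:
                return
            fwd = replace(pdu, ttl=pdu.ttl - 1)  # not for us: propagate it onward
            for n in (self.l1 if pdu.ptype == 1 else self.l1 + self.l2):
                if n is not via:
                    n.receive(fwd, self)
        elif pdu.ptype == 3:
            self.cache[pdu.sender_tid] = pdu.sender_nsap
        elif pdu.ptype == 4:
            # forget whatever pointed at the sender, then learn its new mapping
            self.cache = {t: n for t, n in self.cache.items() if n != pdu.sender_nsap}
            self.cache[pdu.sender_tid] = pdu.sender_nsap
        elif pdu.ptype == 5:
            NETWORK[pdu.origin_nsap].receive(Pdu(3, self.nsap, self.tid), self)


def link(a, b, level):
    (a.l1 if level == 1 else a.l2).append(b)
    (b.l1 if level == 1 else b.l2).append(a)


def build_demo():
    """Constructed topology: a Level 1 triangle (loop-prone) plus one router
    in another area reachable only across a Level 2 adjacency."""
    NETWORK.clear()
    a = TarpNode("49.0001.aaaa.00", "ADM-A")
    b = TarpNode("49.0001.bbbb.00", "ADM-B")
    c = TarpNode("49.0001.cccc.00", "ADM-C")
    d = TarpNode("49.0002.dddd.00", "ADM-D")
    link(a, b, 1); link(b, c, 1); link(c, a, 1)
    link(c, d, 2)
    return a, b, c, d
```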

Benefits:

  • Full implementation of Bellcore TARP specification for Intermediate Systems.

  • Provides networking support for applications (typically used by telephone companies) running on SONET devices.

  • Maps SONET identifiers (i.e., TIDs) to OSI NSAPs (much like a DNS, which will return an NSAP given a name string, or the reverse).

  • Propagates TARP PDUs not destined for the router.

Product Marketing Contact: Peter Long

3. Wide-Area Networking Features

3.1 ISDN/DDR Enhancements

3.1.1 Asynchronous ISDN Access (V.120 Support)

Description: Asynchronous ISDN Access allows an ISDN Terminal Adapter (TA) connected to the serial port of a Personal Computer (PC) to call into an ISDN BRI or PRI hub router and be recognized as if it were connected to a Cisco Access Server.

One requirement is that the ISDN TA be configured to place V.120 calls. When the ISDN interface identifies this type of call in the bearer capability of the ISDN call setup message, it passes the call to the Access Server software. A VTY is then assigned and an Access Server session is initiated. From the user's perspective the service will appear identical to an analog modem call, with almost instantaneous call setup and higher throughput.

It is possible for the hub router's ISDN interface to be configured to accept both synchronous and asynchronous ISDN calls simultaneously. Figure 6 below shows how both Cisco 1000 series routers and ISDN TAs can call the same ISDN number to get network access via a BRI or PRI interface.

This functionality is compatible with both individual dial-up and rotary grouped ISDN interfaces.


Figure 6.: V.120 Support


Benefits: In many instances, customers see ISDN dial-up as a straightforward replacement for analog modem dial-up. Low-cost ISDN terminal adapters are now a commodity purchase and have almost reached price parity with high speed modems. However, it is important that customers switching from analog to digital dial-up retain a common set of Access Server functionality. Asynchronous ISDN access allows Cisco customers to migrate to asynchronous digital dial-up with Access Server functionality and combine this with synchronous dial-up to a single or rotary-grouped ISDN interface.

Considerations: A number of ISDN TAs claim to support V.120 calls but do not indicate this correctly in the call setup message. When using these TAs it is impossible to use the hub ISDN interface for both synchronous and asynchronous calls simultaneously.

Note that the hub router must be a Cisco 4000 series or Cisco 7000 series product. The Cisco 4000 platform supports the full set of Access Server functionality. The Cisco 7000 supports a subset of Access Server functionality.

Product Marketing Contact: Kevin Dickson

3.2 SMDS

3.2.1 Fast-Switched Transparent Bridging over SMDS

Description: This feature allows Transparent Bridging over SMDS to be fast switched using IEEE 802.6i encapsulation.

Benefits: This feature allows for better bridging performance and enhances bridged media support.

Considerations: Only IEEE 802.3, IEEE 802.5, and FDDI with or without Frame Check Sequence (FCS) frames will be supported in the fast-switched and process-switched modes. Previously, only IEEE 802.3 frames were process-switched.

Product Marketing Contact: Sanjay Bhardwaj

3.2.2 Fast-Switched IPX over SMDS

Description: This feature allows for fast-switching of Novell IPX packets over SMDS.

Benefits: This feature provides better performance for IPX over SMDS.

Considerations: This feature will be enabled by default. The existing ipx route-cache commands will work for SMDS interfaces.

Product Marketing Contact: Sanjay Bhardwaj

3.3 ATM Enhancements

3.3.1 Classic IP over ATM Enhancements

Please contact David Benham, ATM Product Manager, for information on this Cisco IOS software feature.

3.3.2 Bridged ELANs

Please contact David Benham, ATM Product Manager, for information on this Cisco IOS software feature.

3.3.3 LANE MIBs

Please contact David Benham, ATM Product Manager, for information on this Cisco IOS software feature.

3.4 Core Enhancements

3.4.1 VIP Distributed IP Flow Switching

Description: VIP Distributed Switching enables the new Versatile Interface Processor (VIP) to make its own switching decisions. With this release, the VIP can now be configured to support distributed IP switching.

Benefits: The primary goal of distributed switching is to provide scalable switching performance for the Cisco 7500 series of high-end multiprotocol routers. With the introduction of distributed switching, Cisco 7500 switching performance scales as more and more VIPs are introduced into the system.

Considerations: VIP Distributed Switching requires the architecture of the Cisco 7500 series Route Switch Processor (RSP). Therefore this feature is not available for VIPs installed in Cisco 7000 series platforms.

VIP Distributed Switching of IP is supported for the EIP and FIP. This feature is also supported for the FSIP, HIP, and MIP with HDLC encapsulations.

Product Marketing Contact: Dale Boehm

3.4.2 VIP-1FE, VIP-1FE/FE, and VIP-1FE/4E Support

Description: The Versatile Interface Processor (VIP) is a new class of Interface Processor for the Cisco 7000 series and Cisco 7500 series. The VIP is a modular, RISC-based, intelligent interface processor that can accept up to two port adapters (PA). Port Adapters provide the media specific interface, while the VIP motherboard provides support for high performance switching and other value-added features.

The VIP-1FE is based on a single one-port Fast Ethernet port adapter. The VIP-1FE/1FE is based on two one-port Fast Ethernet port adapters. Both the VIP-1FE and VIP-1FE/1FE support IEEE 802.3u Fast Ethernet specifications for half- and full-duplex operation.

The VIP-1FE/4E is based on a one-port Fast Ethernet port adapter supporting the features described in 3.4.1, and a four-port (10BASE-T) Ethernet port adapter.

Benefits: Each Fast Ethernet port is provided with an RJ-45 connector (100BASE-TX, two pair Category 5 UTP), and an MII connector which can provide connectivity to 100BASE-FX and 100BASE-T4 through customer-provided external transceivers. The Fast Ethernet port adapters can be configured for ISL, supporting VLANs between Catalyst 5000 high-performance switches, and IEEE 802.10 TB-VLAN for transparently bridging VLANs.

Because of its modular design, the VIP can be configured to support mixed media. Since this version of the VIP supports both Ethernet and Fast Ethernet, customers can now realize much better slot utilization in either the Cisco 7000 series or the Cisco 7500 series.

For full-duplex operation the VIP-1FE is recommended.

For a complete description of the features and benefits of the VIP, please refer to the Cisco 7500 Product Announcement.

Considerations: The VIP is supported on the Cisco 7000 series and the Cisco 7500 series. VIP Distributed IP Flow Switching (see section 3.4.1) requires the architecture of the Cisco 7500 series and is therefore not supported on the Cisco 7000 series.

Product Marketing Contact: Dale Boehm

3.4.3 HSA Phase 1

Description: High System Availability (HSA) is an advanced software feature of the Cisco 7500 architecture. HSA increases the availability and uptime of the Cisco 7500 router. This is accomplished through a master/slave relationship between two RSPs. If the slave RSP detects an error condition, it will automatically take control and reboot the system without user intervention, thus minimizing network interruption and increasing system availability.

Benefits: HSA can be used in a variety of situations, including:

  • Hardware backup: To protect against single processor failure.

  • Software error protection: To protect against critical software errors by keeping different software images on each RSP.

  • Configuration Switching: To enable users to store different configurations in each RSP. If the new feature configuration on the master causes a system failure, the slave RSP takes over routing function after system reboot.

Considerations: HSA is available for the Cisco 7507 and Cisco 7513 routers. Support is not available on the Cisco 7505 or the Cisco 7000 series since these platforms do not support two RSPs.

This feature will be available in a future Cisco IOS 11.1 software maintenance release.

Product Marketing Contact: Dale Boehm

3.4.4 Standard Serial Interface Processor (SSIP) and Service Provider Multichannel Interface Processor (SMIP)

Description: The SSIP and SMIP are intended to further encourage the growth of large scale Cisco IOS software-based internetworks.

The SSIP is an 8-port serial card and supports the same physical interfaces and port speeds as the FSIP8.

The SMIP is a 2-port channelized Interface Processor which supports T1 and E1 interfaces and offers the same port configuration options as the MIP.

Benefits: In conjunction with the Cisco 1000 series, the SSIP and SMIP provide the capability to cost-effectively network even the smallest branches. For Internet Service Providers, the SSIP, SMIP, and Cisco 1000 series significantly reduce the cost of adding customers, and hence allow Internet services to be profitably provided to a larger market.

Considerations: The SSIP and SMIP do not currently support full Cisco IOS software functionality. A limited software license has been created which enables Cisco to provide a lower price point. Please refer to Product Bulletin 397 which details the Cisco IOS software functionality supported by the SSIP and SMIP.

Although these features will be introduced with Cisco IOS Software Release 11.1, the SSIP and SMIP will also be supported in 10.3(6) and 11.0(4) or later.

Product Marketing Contact: Morgan Littlewood

3.4.5 SRB over FDDI on Cisco 7500

Description: Cisco IOS Software Release 11.1 supports source-route bridging from Token Ring to Token Ring over FDDI on the Cisco 7500 series. In the past, the only way to transport SNA and NetBIOS over FDDI was with RSRB, which is process-switched. With SRB over FDDI, traffic is autonomously switched.

Benefits: Greatly improves performance for source-route bridged traffic that uses FDDI as a backbone. Eliminates the need for RSRB peer definitions and simplifies network design.

Considerations: A Cisco router does not support SRB over FDDI when it is an end station on an FDDI LAN.

Product Marketing Contact: Dale Boehm

3.4.6 Flash MIB on Cisco 7500

Description: The Cisco 7500 supports dual Flash banks (DFB). This feature enables various SNMP operations on system Flash devices that normally require manual console access to the router.

Benefits: Dual Flash bank enables a user to download new images into the file system in one bank of Flash while another image is being executed from the file system in the other bank. In addition, one system can hold two images, one acting as a backup for the other. With MIB support, this feature is now SNMP manageable.

Product Marketing Contact: Dale Boehm

4. IBM Functionality

4.1 Downstream Physical Unit (DSPU) Network Management Events

Description: DSPU has been enhanced to support 6 new network management events. These events are mapped to SNMP Traps and SNA Messages and are used to notify network management when:

  • an upstream PU changes state

  • a downstream PU changes state

  • an upstream LU changes state

  • a downstream LU changes state

  • DSPU is unable to activate a downstream PU

  • DSPU is unable to activate a downstream LU

All of these events are mapped to SNMP Traps. Only events 2 (a downstream PU changes state), 5 (DSPU is unable to activate a downstream PU), and 6 (DSPU is unable to activate a downstream LU) are mapped to SNA Messages sent to a host operator, which will generally appear in a NetView or NetMaster log. To minimize unnecessary "noise" across the network and in SNMP and NetView/NetMaster logs, there are four configurable notification levels (off, low, medium, and high).

Benefits: In a DSPU environment, this feature simplifies network management by providing additional visibility of SNA network resources and by sending notifications about problems with PU and LU connectivity.

Product Marketing Contact: Martin Thomas

4.2 Advanced Peer-to-Peer Networking (APPN) Phase 2

Description: APPN for Phase 2 will include Data Link Layer enhancements and enhanced logging and debugging functions.

Data Link Layer enhancements include:

  • APPN over Asynchronous Transfer Mode (ATM) using RFC 1483.

  • APPN over the Point-to-Point Protocol (PPP) using RFC 1661.

  • APPN over Switched Multimegabit Data Service (SMDS) using a Cisco-proprietary encapsulation.

  • APPN over Integrated Services Digital Network (ISDN) using the Point-to-Point Protocol (PPP) (RFC 1661).

Enhanced logging and debugging functions enable debug output that is more meaningful and useful to customers and CEs. This includes better documentation of the error and debug output, more user control of the type and amount of debug output generated, and more descriptive information in the messages.

Benefits: The Data Link Layer enhancements provide additional ways to transport APPN on a wide area network. APPN over ATM, PPP, and ISDN will be implemented via standard methods defined by RFCs, enabling multivendor interoperability.

There is no standard way for transporting APPN over SMDS, so a Cisco-proprietary method will be used. Cisco provides market leadership by implementing an efficient way to support APPN traffic over SMDS. This allows customers to transport APPN using cost-effective SMDS services.

By improving logging and debugging functions the customers and Cisco Customer Engineers (CEs) can more quickly diagnose problems. With a knowledge of APPN, customers and CEs should be able to read the debug information and resolve problems without consulting source code.

Considerations: In some cases, APPN over SMDS may not interoperate with other vendors' SMDS implementations, since a proprietary method is being implemented.

Product Marketing Contact: Betsy Huber

4.3 Frame Relay Access Support (FRAS) Boundary Access Node (BAN) Support

Description: BAN provides a means to connect remote SNA offices over Frame Relay directly into a front end processor. Unlike the Frame Relay Access Support (FRAS) boundary network node (BNN) feature supported in Cisco IOS Software Release 10.3, BAN includes the MAC address in every frame, eliminating the need to do SAP multiplexing if there are multiple SNA PUs sharing a single PVC. BAN uses the RFC 1490 bridged frame format.

Benefits: BAN simplifies configuration in an environment where multiple remote SNA devices need to share a single PVC, and where there are no central site routers for SNA. It offers load balancing and provides the flexibility to build redundant paths to the NCPs.

Considerations: BAN only applies to SNA devices on Ethernet or Token Ring. It does not apply to SDLC-attached devices. BAN requires NCP 7.3 at the central site. BNN and BAN can share the same DLCI to the NCP.


Figure 7: FRAS BAN Support

Product Marketing Contact: Donna Kidder

4.4 Data Link Switching+ (DLSw+) Features and Enhancements

4.4.1 DLSw+ LNM Support

Description: DLSw+ has been enhanced to support IBM's LAN Network Manager (LNM). Thus LNM can communicate with a remote DLSw+ router and can manage or monitor any Token Ring connected to the Cisco router.

LNM support includes Configuration Report Services (CRS), Ring Error Monitor (REM), and the Ring Parameter Server (RPS). In addition, the DLSw+ router will notify LNM of certain events that can occur on a Token Ring. Examples of these events include notification of a new station joining the Token Ring, or of the ring entering failure mode, known as beaconing.

Benefits: Many IBM environments use IBM's LNM to manage their Token Ring networks. With this enhancement, those environments can protect their investment in management applications and training while taking advantage of Cisco's DLSw+.

Considerations: This feature will be available in a future Cisco IOS 11.1 software maintenance release.

Product Marketing Contact: Donna Kidder

4.4.2 DLSw+ Support on Cisco 7500

Description: DLSw+ Fast-Sequenced Transport (FST) and Direct encapsulation are now supported on the Cisco 7500 series routers.

Benefits: This feature increases network design flexibility of Cisco 7500 series routers.

Product Marketing Contact: Donna Kidder

4.4.3 DLSw+ MIB

Description: DLSw+ now offers a MIB.

Benefits: Allows faster problem determination and is the basis for DLSw+ Logical Maps.

Product Marketing Contact: Donna Kidder

4.4.4 DLSw+ Multidrop PU 2.0/2.1 Support

Description: Multidrop PU 2.0 and PU 2.1 support enables multiple PU 2.1 devices to share the same SDLC line. In addition, PU 2.0 and PU 2.1 devices can also now share the same SDLC line.

Benefits: Provides more design flexibility with a minimum of serial interfaces.


Figure 8: DLSw+ Multidrop PU 2.0/2.1 Support


Product Marketing Contact: Donna Kidder

4.4.5 80D5 (Ethernet v2) Support

Description: 80D5 (Ethernet V2) is now supported by DLSw+.

Benefits: Extends DLSw+ to environments that have not converted to IEEE 802.3.

Considerations: 80D5 is a global Ethernet option.

Product Marketing Contact: Donna Kidder

4.4.6 Local DLC Conversion over DLSw+

Description: DLSw+ now supports local conversion between SDLC or QLLC and LLC2. With local conversion, only one DLSw+ router is required for conversion of a link level protocol. Prior to this feature, a remote peer was required to perform this conversion.

Benefits: Increases network design options. Many network configurations use DLSw+ simply for DLC conversion and not for WAN transport.


Figure 9: Local DLC Conversion over DLSw+


Product Marketing Contact: Donna Kidder

4.4.7 DLSw+ Backup Peer Enhancements

Description: DLSw+ allows you to specify a backup peer to use in the event that a primary peer fails. Today, when the primary peer recovers, the backup peer connection is terminated along with any sessions using that peer. The backup peer feature has been enhanced to allow the backup peer to remain active after the primary recovers, to prevent disrupting SNA and NetBIOS sessions a second time. Once the primary peer is active, all new sessions are established using the primary peer. The backup peer connection remains active until there are no active LLC2 connections on it or after a user configurable idle time.

Benefits: Availability for SNA sessions is improved in backup scenarios.

Considerations: The default for backup peers operates differently than it did in previous Cisco IOS Software Releases. Earlier, when the primary peer came back up, existing SNA sessions were always terminated and the backup peer connection was disabled. With this enhancement, the default is to keep the backup peer connection alive until the sessions using that peer terminate. To have this feature operate as it did in the past requires an additional configuration option.

Product Marketing Contact: Donna Kidder

4.4.8 DLSw+ Enhancements for ISDN/Switched Environments

Description: DLSw+ has been enhanced to allow more effective use of ISDN/switched lines:

  • ISDN links are allowed to terminate during idle periods, while maintaining SNA sessions.

  • The router can be configured to activate a peer dynamically under certain conditions (e.g. when there is an SNA test frame or a NetBIOS Name Query for a preconfigured device). When there is no traffic on that peer, the peer connection is disabled.

Benefits: These enhancements minimize WAN costs in switched environments. In addition, peer connections are only established when needed, maximizing scalability and minimizing cost.

Considerations: Many NetBIOS applications have both a DLC keepalive and a session layer keepalive. Since DLSw+ only spoofs the DLC keepalive, when transmitting NetBIOS over ISDN, the link may never terminate.

Product Marketing Contact: Donna Kidder

5. Access and Communication Server Features

5.1 NetBEUI over PPP

Definition: Microsoft has published an Internet-Draft that defines a protocol for passing NetBEUI over PPP. Implementing this draft allows remote PCs with remote access client software to dial into network access servers connecting into NetBEUI networks. The protocol used in these connections is a Point-to-Point Protocol (PPP) Network Control Protocol (NCP) called NetBIOS Frames Control Protocol (NBFCP).

NBFCP:

  • Supports both asynchronous and ISDN interfaces

  • Is compatible with Microsoft's remote access client with NBFCP

  • Supports NetBIOS name caching for superior performance

  • Supports NetBIOS name filtering

Benefits:

With NBFCP:

  • PCs with NetBIOS applications and NBFCP-capable remote access clients can dial into Cisco Access Servers for access into NetBEUI networks.

  • Microsoft's remote access clients with NBFCP can dial into Cisco access servers for access into NetBEUI networks.


Figure 10: NetBEUI over PPP


Product Marketing Contact: Michael Safly

5.2 Modem Auto-configuring

Definition: Modem Auto-configuring adds the ability for Cisco Access Servers to discover and identify an attached modem and configure it with the appropriate modem command strings.

  • Identification and configuration are performed for each line reset.

  • Modem strings are kept in an internal database which can be added to by administrators.

Benefits:

  • No direct configuration of modems is required.

  • All modems with a modem database entry will be automatically recognized.

  • Modems not found in the modem database can be defined clearly and quickly as the access server prompts for specific modem command strings.

Product Marketing Contact: Michael Safly

5.3 Novell Asynchronous Services Interface (NASI) Support

Definition: Novell Connection Services (NCS) Server uses the Novell Asynchronous Services Interface (NASI) to provide outgoing serial line access for PCs with NASI client drivers. This functionality is generally used to provide dial-out modem services to PCs on SPX/IPX networks. Cisco Access Servers can now function as NCS servers providing dial-out over IPX for PCs. This allows Cisco Access Servers to:

  • Advertise their Novell Connection Services via SAPs,

  • Support NASI out-of-band, encrypted username and password authentication, and

  • Support Cisco SAP filters and management controls.

Benefits: Using the NCS server, network managers can offer IPX dial-in and dial-out services on the same Cisco Access Server.

Considerations: Because of Novell split-horizon rules it is necessary to disable all other NCS servers on the same network where the Cisco Access Server is deployed for NASI outbound connections.


Figure 11: NASI Support


Product Marketing Contact: Michael Safly

5.4 Ident Protocol Support

Definition: The Identification Protocol (a.k.a., "ident" or "the Ident Protocol"), specified in RFC 1413, is a protocol for reporting the identity of a TCP connection initiator to the connection-receiving host.

Benefits: This feature allows the identification of a username associated with a TCP connection.

Considerations: The Ident Protocol is not useful for securing access servers. It is a protocol for identifying the other end of a TCP connection. It does not authenticate or authorize the connection.
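As an added illustration (not part of this bulletin and not Cisco IOS code), the following Python shows both sides of the RFC 1413 exchange: the host that received a TCP connection opens port 113 on the initiator, sends the port pair it is asking about, and parses the one-line reply. The 512-character limit, the port-pair echo and the error tokens come from RFC 1413; the rejection of empty or control-character user-ids is this example's own conservative policy. The reply is whatever the remote host chooses to say, which is exactly why it identifies but never authenticates.

```python
"""RFC 1413 Ident query and reply handling.  Added example, not Cisco code."""
import socket

IDENT_PORT = 113
MAX_LINE = 512                  # RFC 1413: response line is at most 512 characters
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}


def build_query(port_on_server: int, port_on_client: int) -> bytes:
    """Query line '<port-on-server> , <port-on-client>' + CRLF.
    'server' is the host running the Ident server (the connection initiator),
    so port_on_server is the initiator's TCP port and port_on_client is ours."""
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError("TCP port out of range: %r" % p)
    return f"{port_on_server} , {port_on_client}\r\n".encode("ascii")


def parse_response(line: bytes, expected_ports: tuple) -> dict:
    """Parse an Ident reply as untrusted input.  Returns a dict whose 'status'
    is 'USERID' or 'ERROR'; raises ValueError on anything malformed or on a
    reply that does not echo the port pair we asked about."""
    if len(line) > MAX_LINE:
        raise ValueError("response exceeds 512 characters")
    text = line.decode("ascii", errors="strict").rstrip("\r\n")
    parts = text.split(":", 3)          # ports : status : opsys-or-error [: user-id]
    if len(parts) < 3:
        raise ValueError("too few fields")
    ports = tuple(int(x.strip()) for x in parts[0].split(","))
    if len(ports) != 2 or ports != expected_ports:
        raise ValueError("port pair does not match our query")
    status = parts[1].strip().upper()
    if status == "ERROR":
        err = parts[2].strip()
        if err not in ERROR_TYPES and not err.startswith("X"):   # X-... are extensions
            raise ValueError("unknown error type %r" % err)
        return {"status": "ERROR", "error": err, "ports": ports}
    if status != "USERID" or len(parts) != 4:
        raise ValueError("malformed USERID reply")
    opsys, _, charset = parts[2].strip().partition(",")
    user = parts[3].strip()
    # Local policy (this example's assumption, not RFC text): reject empty
    # user-ids and ones carrying control characters before they reach a log.
    if not user or any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
        raise ValueError("unacceptable user-id")
    return {"status": "USERID", "opsys": opsys.strip(),
            "charset": charset.strip() or None, "user": user, "ports": ports}


def query_ident(initiator_host: str, port_on_server: int, port_on_client: int,
                timeout: float = 5.0) -> dict:
    """Run the exchange against the initiator's Ident server and parse the reply."""
    with socket.create_connection((initiator_host, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_query(port_on_server, port_on_client))
        buf = b""
        while not buf.endswith(b"\r\n") and len(buf) <= MAX_LINE:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf, (port_on_server, port_on_client))
```

query_ident() performs the network round trip; parse_response() is the part worth reusing, since a remote identd can answer with anything, including a reply for a different port pair, an oversized line, or a user-id crafted to pollute a log.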

Product Marketing Contact: Michael Safly

5.5 Kerberos Authentication

Description: Kerberos is an authentication protocol developed by MIT. Its primary use is to authenticate users and the network services they use. This is accomplished by the issuance of "tickets" to both services and users by a trusted Kerberos server. These "tickets" have a limited life span and can be used in place of the standard "user/password" authentication mechanism if a service trusts the Kerberos server from which the ticket was issued. Cisco's implementation of Kerberos is based on code developed by CyberSafe, derived from the MIT code.

Cisco is implementing a two phased approach to the implementation of Kerberos. Phase 1, delivered in Cisco IOS Software Release 11.1, will permit authentication on the router using Kerberos. Phase 2, delivered in the next major Cisco IOS Software Release, will allow a user to carry credentials to other services such as Telnet, without having to re-authenticate.

Benefits: Kerberos has gained support among a distinctive customer base. Many Cisco customers are currently using Kerberos as a security service and have significant investments in their Kerberos solution. To fully implement a Kerberos security system, all of the devices in the network should be "Kerberized", including the Cisco routers and Access Servers.

A Cisco white paper explaining Kerberos in more detail can be found on the Web at: http://cio.cisco.com/warp/customer/789/1.html

Product Marketing Contact: Charles Yager

5.6 RADIUS - Remote Authentication Dial-In User Service

Description: RADIUS is an access server authentication, authorization, and accounting protocol developed by Livingston, Inc. It is a system of distributed security that secures remote access to networks and network services against unauthorized access.

RADIUS is comprised of three components:

  • a protocol with a frame format that utilizes UDP/IP

  • a server

  • a client.

The server resides on a central computer typically at the customer's site, while the clients reside in the dial-up access servers and can be distributed throughout the network. The RADIUS client is available in Cisco IOS Software Release 11.1.

Cisco's implementation of RADIUS is currently defined in draft documents on ftp.livingston.com:pub/radius/draft-ietf-radius-radius-03.txt. Cisco's implementation is based on this version of the draft. Cisco will attempt to keep current with any newer drafts issued. A sample RADIUS server can also be obtained from Livingston's FTP site.

RADIUS is configured on the Network Access Server in a similar way to TACACS+.
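The following Python is an added example of the client side of the Access-Request/Access-Accept exchange described above; it is not Cisco IOS or Livingston code. It uses the packet layout, User-Password hiding and Response Authenticator of RFC 2865, the standards-track successor of the draft this bulletin cites, and assumes (an assumption of this example) that the -03 draft uses the same formats. The shared secret, user name, password and NAS address are constructed sample values.

```python
"""RADIUS client packet construction and reply verification.  Added example."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; 16-byte Authenticator follows


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is an MD5-keyed stream, so the secret's strength is all that protects it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding is stripped,
    so a password that itself ends in NUL bytes would lose them)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> list:
    """Walk the TLV attribute list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(identifier, secret, username, password, nas_ip, request_auth=None):
    """Returns (packet, request_authenticator); the caller keeps the latter to
    check the reply.  A fresh random Request Authenticator per request is what
    makes the Response Authenticator bind the reply to this request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs, request_auth


def build_response(code, identifier, attrs, request_auth, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, identifier, request_auth, secret) -> bool:
    """Client side: accept only a well-formed reply whose identifier and
    Response Authenticator match our outstanding request."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if ident != identifier or length != len(packet):
        return False
    attrs = packet[20:]
    try:
        parse_attributes(attrs)
    except ValueError:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

verify_response() is the check a NAS must perform before trusting an Access-Accept: a reply carrying the wrong identifier, a Response Authenticator computed under a different secret, or one replayed from an earlier request is rejected. Because the whole scheme rests on the shared secret and MD5, the secret should be long and random and the NAS-to-server path should not be exposed to untrusted networks.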

Benefits: RADIUS has gained support among a wide customer base. Many Cisco customers are currently using RADIUS servers and have significant investments in their RADIUS solutions. These customers also want to use Cisco dial-up Access Servers. For a customer who has not invested in RADIUS and needs an access security system, Cisco recommends TACACS+.


Figure 12: RADIUS


Product Marketing Contact: Charles Yager

5.7 MAC Security for Hublets (Cisco 2505, 2507, and 2516)

Description: Security is increasingly important in today's growing networks. MAC Security for Hublets goes down a layer in the OSI model to provide security detection and protection at the Media Access Control (MAC) layer. Each repeater port on the Hub can be assigned an acceptable source MAC address. The Hublet will detect if the source address is different from the legal source address. If there is a violation, the port will be shut down (partitioned) for 1 minute and an optional trap will be sent to the Network Management System (NMS). This capability is already available.

In Cisco IOS Software Release 11.1 the network manager can have a trap message sent when the source MAC address violation occurs. The SNMP trap message may be sent once, or at a decaying rate. The decaying rate options provides the first SNMP trap message immediately, 2nd trap at 2 minutes, 3rd trap at 4 minutes, etc. until 32 minutes has expired. The decaying trap messages can be terminated by the NMS setting the MIB variable "TrapAcked".

Additional MIB variables are provided in the agent for the NMS to interrogate the violation. MAC Security MIB variables provide information such as Last Illegal Source Address, TimeStamp of first Violation, TimeStamp of last Violation, and Number of Violation Frames.

Benefits: Network managers can get immediate notification of a MAC address security violation via the SNMP trap method. Many network management platforms allow alarms to be set on specific traps received. The alarms, in turn, could dial a pager or send email for immediate notification.

Since SNMP traps are carried over UDP, a single trap notification might get lost. It is possible to configure the router to send multiple traps at a decaying rate. This does not guarantee delivery, but it makes it far more likely that at least one trap reaches the NMS.
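The following Python is an added model of the behaviour described above, not Cisco code: one legal source MAC per repeater port, a 60-second partition on violation, the MIB-style counters the bulletin lists, and a decaying trap schedule that the NMS cancels by setting TrapAcked. The schedule (immediately, then 2, 4, 8, 16 and 32 minutes after the violation) is this example's reading of the text; the MAC addresses and times are constructed.

```python
"""Model of Hublet MAC security: per-port legal MAC, partition, decaying traps.
Added example, not Cisco IOS code."""
PARTITION_SECONDS = 60
TRAP_OFFSETS_SECONDS = [0, 120, 240, 480, 960, 1920]   # 0, 2, 4, 8, 16, 32 minutes


class SecuredPort:
    def __init__(self, name: str, legal_mac: str, decaying_traps: bool = True):
        self.name = name
        self.legal_mac = legal_mac.lower()
        self.decaying_traps = decaying_traps
        self.partitioned_until = None
        # Counters named after the MIB variables the bulletin describes
        self.last_illegal_source = None
        self.first_violation_time = None
        self.last_violation_time = None
        self.violation_frames = 0
        self.pending_traps = []          # absolute times at which a trap is due
        self.trap_acked = False

    def receive(self, src_mac: str, now: float) -> str:
        """Feed one frame's source MAC at time `now` (seconds).
        Returns 'forwarded', 'dropped-partitioned' or 'violation'."""
        src_mac = src_mac.lower()
        if self.partitioned_until is not None and now < self.partitioned_until:
            return "dropped-partitioned"      # port is still shut down
        if src_mac == self.legal_mac:
            return "forwarded"
        self._record_violation(src_mac, now)
        return "violation"

    def _record_violation(self, src_mac: str, now: float) -> None:
        self.violation_frames += 1
        self.last_illegal_source = src_mac
        self.last_violation_time = now
        if self.first_violation_time is None:
            self.first_violation_time = now
        self.partitioned_until = now + PARTITION_SECONDS
        self.trap_acked = False
        offsets = TRAP_OFFSETS_SECONDS if self.decaying_traps else [0]
        self.pending_traps = [now + o for o in offsets]

    def due_traps(self, now: float) -> list:
        """Traps the agent should emit at `now`; each is the trap payload an
        NMS would see.  Emitted traps are removed from the queue."""
        if self.trap_acked:
            self.pending_traps = []
            return []
        due = [t for t in self.pending_traps if t <= now]
        self.pending_traps = [t for t in self.pending_traps if t > now]
        return [{"port": self.name,
                 "lastIllegalSource": self.last_illegal_source,
                 "firstViolation": self.first_violation_time,
                 "lastViolation": self.last_violation_time,
                 "violationFrames": self.violation_frames} for _ in due]

    def ack_traps(self) -> None:
        """The NMS sets TrapAcked: cancel the remaining decaying retransmissions."""
        self.trap_acked = True
        self.pending_traps = []
```

In operation the NMS should acknowledge as soon as the first trap is processed; otherwise a single violation keeps producing traps for 32 minutes, which is the intended trade of noise for delivery assurance.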


Figure 13: MAC Security for Hublets


Product Marketing Contact: Charles Yager

5.8 LANE on 4500

Description: The LAN emulation feature emulates an Ethernet segment over ATM that allows higher-layer protocols and their applications to operate without modification. LAN emulation features service components - LAN emulation configuration server (LECS), LAN emulation server (LES) and broadcast and unknown server (BUS) - as well as a client component called the LAN emulation client (LEC). LAN emulation includes a connectionless broadcast service not otherwise available in ATM networks that can support important protocol mechanisms such as ARP. In LAN emulation, LE_ARP requests resolve MAC addresses to ATM addresses. The LECS, LES, BUS, and LEC will be supported on the router ATM interfaces.

Benefits: Without LAN emulation, an ATM customer is forced to purchase new network protocol stacks and applications (most of which do not exist today) to use networks mixed with ATM-attached hosts, routers, and LAN switching devices. This is a potentially costly and disruptive undertaking. LAN emulation is also the underlying technology that supports Virtual LANs (VLANs) over ATM networks. By providing the needed layer 3 routing connection between layer 2 VLANs, a Cisco 4500 or 4700 with an NP-1A ATM Network Processor Module and LAN emulation technology provides standards-based routing between VLANs over ATM.

Considerations: Cisco's NP-1A Network Processor Module supports up to 256 VLANs (a.k.a. emulated LANs), although good network design should not attempt to support that many emulated LANs in one place. Performance and reliability optimization are two good reasons to avoid configuring the maximum number of emulated LAN services on one ATM router.

LAN emulation requires ILMI and point-to-multipoint signaling capabilities on the switches it is operating over (VP tunneling is acceptable where signaling isn't offered, such as on an ATM WAN). Because some third-party point-to-multipoint switches may not be available at software FCS, the potential customer's network, specifically its ATM switching capabilities, should be investigated prior to installing our LAN emulation in networks with ATM switches other than the LightStream 100. The LAN emulation services on the router ATM interfaces will interoperate with Cisco LECs, including Cisco's ATM NICs and the Catalyst™ 5000. Interoperability with other third-party ATM LECs is being pursued and Cisco will publish results upon the completion of testing.

Product Marketing Contact: Dan Ove Skaalerud

6. Network Management

6.1 RMON Support

Description: The Remote MONitoring Management Information Base (MIB), RFC 1757 (obsoletes 1271), is being added as an option to several IOS software feature sets for use in Cisco Access routers (25xx). Full 9 group Ethernet support is available and includes:

  • statistics - tracks segment usage, errors, and frame size distribution information.

  • history - logs historical snapshots of RMON statistics at user-defined time intervals.

  • alarms - detects changes in network behavior based on increasing and decreasing thresholds of performance and error statistics.

  • hosts - provides basic traffic statistics, such as packets and octets in and out, broadcast, and total error counts for each network node/device based on MAC addresses.

  • hostTopN - keeps a sorted list of top "talkers" by node level statistics.

  • matrix - tracks basic traffic information between physical source and destination pairs.

  • filter - allows focused analysis by selectively reducing the number of packets to be captured remotely based on address, protocol, and user-defined data patterns.

  • capture [1] - acquires and buffers complete or partial packets for protocol decoding and detailed analysis with a console application.

  • event - logs alarms and generates SNMP traps as a result of thresholds being crossed or capture buffers being filled.

All IOS software images explicitly ordered without the RMON option will include limited RMON support (RMON alarm and events groups only) at no additional cost. These groups can be coupled with existing Cisco MIB variables allowing customers to set thresholds and alarms on any and all MIB variables supported by Cisco.

Benefits: RMON not only provides visibility of individual nodal activity, it allows for monitoring of all nodes and their interaction on a LAN segment. RMON specifically used as an agent in the router allows customers to view both traffic that flows through the router as well as segment traffic not necessarily destined for the router. Coupling RMON alarms and events with existing MIBs gives customers the flexibility to choose where proactive monitoring will occur.

Considerations: RMON can be very data and processor-intensive. Users should measure usage effects to avoid router performance degradation and to minimize excessive management traffic overhead.

A generic RMON console application such as NetScout Manager(TM) by Frontier Software Development, Inc., is required in order to take full advantage of the embedded RMON's network management capabilities.

Product Marketing Contact: David Quan

7. Security Features

7.1 Lock and Key Security

Description: Lock and Key allows per-user authorization and authentication in a shared media environment.

Until Lock and Key, access lists were created and maintained by manually defining lists on a router and then distributing them to all other routers in the network. In networks with large numbers of hosts, this task could consume both time and resources. Access lists do not provide for any challenge mechanisms beyond a static network address, making it possible for an unauthorized user to access network resources through any authorized network address. The concepts behind the Lock and Key security software make it an ideal solution for the proliferation of remote networks. Lock and Key supports various WAN technologies such as ISDN, Frame Relay, X.25, dial-on-demand routing (DDR), and Point-to-Point Protocol (PPP) to connect to the corporate office.

When users want to cross the Lock and Key security perimeter, Lock and Key will challenge users to respond to a login and password prompt before enabling a unique access list into the local or remote router. The network administrator can dictate an idle time-out or an absolute period for authorization and reauthorization.

Benefits:

  • Allows per-user authorization and authentication in a shared media environment.

  • Authenticates a user beyond an IP network address.

  • Maintains authentication information at a central network access server such as TACACS, XTACACS, TACACS+, and RADIUS.

  • Provides application independence—Lock and Key does not require modification to user applications.

  • Supports one-time password token cards.

  • Provides a flexible policy mechanism to require remote reauthorization during periods of inactivity.

  • Understands the concept of organizational templates, which allow the network administrator to create an access list for a group of users with similar access requirements, but provides unique authentication challenges to each.

Considerations:

WARNING: Lock and Key allows an external event to place an opening in the firewall. Once this opening is placed, the router is susceptible to source address spoofing: any host able to send packets bearing the authenticated source address passes through the temporary entry until it times out, because the access list checks only the network address. To prevent this, one needs to provide IP-layer authentication or encryption. See Product Bulletin #308 for a high-level encryption overview.

Lock and Key is dependent on Telnet. Standard Telnet is the required application on the host platform that activates a Lock and Key session.

Further information on Lock and Key can be found on the Web in the "Cisco IOS Lock and Key" whitepaper (Product Bulletin 308).
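The following Python is an added model of how a Lock and Key dynamic access list behaves, including the spoofing window the warning above describes; it is not Cisco IOS code, and the entry format, timeouts, packet tuple and the in-memory credential table (standing in for a TACACS+/RADIUS lookup) are this example's own simplifications. Addresses and credentials are constructed sample values.

```python
"""Lock and Key dynamic access list model.  Added example, not Cisco IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"        # 'tcp', 'udp', 'icmp', ...
    dport: int = 0


@dataclass
class StaticEntry:
    action: str              # 'permit' or 'deny'
    src: object              # prefix string or IPv4Network
    dst: object
    proto: str = "ip"
    dport: Optional[int] = None

    def __post_init__(self):
        self.src = ipaddress.ip_network(self.src)
        self.dst = ipaddress.ip_network(self.dst)

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("ip", p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class DynamicEntry:
    src_host: str            # the authenticated user's source address, nothing more
    dst: object
    user: str
    created: float
    last_hit: float
    idle_timeout: float
    absolute_timeout: float

    def expired(self, now: float) -> bool:
        return (now - self.last_hit >= self.idle_timeout
                or now - self.created >= self.absolute_timeout)


class LockAndKeyACL:
    def __init__(self, static_entries, dynamic_dst, idle_timeout=300, absolute_timeout=3600):
        self.static = list(static_entries)
        self.dynamic_dst = ipaddress.ip_network(dynamic_dst)   # template for opened entries
        self.idle, self.absolute = idle_timeout, absolute_timeout
        self.dynamic = []
        self.credentials = {}    # user -> password; stands in for the TACACS+/RADIUS server

    def add_user(self, user: str, password: str) -> None:
        self.credentials[user] = password

    def telnet_login(self, src_host: str, user: str, password: str, now: float) -> bool:
        """The Telnet challenge step: a successful login opens a temporary entry
        keyed on the *source address* the login came from, not on the user."""
        if self.credentials.get(user) != password:
            return False
        self.dynamic.append(DynamicEntry(src_host, self.dynamic_dst, user, now, now,
                                         self.idle, self.absolute))
        return True

    def permits(self, p: Packet, now: float) -> bool:
        """Evaluate one packet.  Dynamic entries are consulted first here (in IOS
        they sit where the 'dynamic' line appears in the list); static entries
        follow; anything unmatched hits the implicit deny."""
        self.dynamic = [d for d in self.dynamic if not d.expired(now)]
        for d in self.dynamic:
            if p.src == d.src_host and ipaddress.ip_address(p.dst) in d.dst:
                d.last_hit = now
                return True
        for e in self.static:
            if e.matches(p):
                return e.action == "permit"
        return False
```

The test below makes the warning concrete: after alice authenticates from 192.0.2.5, a UDP packet claiming source 192.0.2.5 is permitted too, and the ACL has no way to tell that it did not come from her host. Only the idle or absolute timeout closes the entry, so short timeouts limit the exposure; removing it requires authentication at the IP layer.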


Figure 14: Lock and Key Security


Product Marketing Contact: Matt Howard


[1] As a security precaution, support for the "packet capture" group allows for capture of useful packet header information only; data payloads will not be captured.