Table Of Contents
Cisco IOS Software Release 12.4T Features and Hardware Support
1) Introduction: Cisco IOS Software Release 12.4T
1.2) Release 12.4T Additional Information
2) Release 12.4(15)T Highlights
2.6) Management, Instrumentation, and User Interface
3) Release 12.4(11)T Highlights
3.3) Multiprotocol Label Switching Management
4) Release 12.4(9)T Highlights
4.3) Management Instrumentation
5) Release 12.4(6)T Highlights
5.5) Management Instrumentation
6) Release 12.4(4)T Highlights
6.5) Management Instrumentation
7) Release 12.4(2)T Feature Technology Highlights
7.6) Management Instrumentation
Product Bulletin No. 3001
Cisco IOS Software Release 12.4T Features and Hardware Support
LAST UPDATED: July 2007
This Product Bulletin introduces Cisco IOS Software Release 12.4T, and includes the following sections:
1) Introduction: Cisco IOS Software Release 12.4T
Cisco IOS® Software is the world's premiere network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.
Cisco IOS® Software Release 12.4T integrates a comprehensive portfolio of new capabilities, including security, voice, and IP services, with powerful hardware support to deliver advanced services for Enterprise and access customers.
Release 12.4(15)T, the sixth release of the 12.4T family, streamlines the Cisco IOS Software upgrade process, provides sub-second link failure detection and faster convergence, delivers next-generation Layer 2-7 flexible packet classification, enhances intrusion protection and SSL VPN capabilities, and provides support for the new Cisco 7201 Router.
Release 12.4(11)T, the fifth release of the 12.4T family, delivers new Layer 2 VPN transport over MPLS capabilities, enhanced MPLS management, Mobile IPv6 authorization and identity support, and support for the high performance Network Processing Engine G2 (NPE-G2) and VPN Service Adapter (VSA) for the Cisco 7200 Series Router.
Release 12.4(9)T, the fourth release of the 12.4T family, delivers improved manageability, integrated IP communications capability, enhanced HTTP and P2P security, and faster routing protocol convergence.
Release 12.4(6)T, the third release of the 12.4T family, delivers highly available firewalls, comprehensive endpoint and network security for SSL VPN environments, and optimized bandwidth management for improved VoIP call quality.
Release 12.4(4)T, the second 12.4T release, enhances threat protection against malicious worm and virus attacks, improves performance monitoring of VoIP networks, and extends support for secure concurrent services on the Cisco 1800 Series Router.
Figure 1
New Technology and Maintenance Release Relationship
1.1) Migration Guide
Cisco recommends that customers running Release 12.3T or 12.3 (or prior) releases upgrade to the latest version of Release 12.4T or 12.4. Cisco IOS Software Release 12.4T continues to undergo rigorous ongoing testing and review cycles to continuously improve and increase reliability and quality.
Note:
Release 12.3T reached End of Software Maintenance on June 7, 2007. Release 12.3 reached End of Sale on March 15, 2007, and will reach end of Software Maintenance on March 15, 2008. For additional information about milestones, please visit Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html
Figure 2 illustrates the current migration path from Cisco IOS Software Release 12.3T or 12.3 (or prior) into Release 12.4T or 12.4.
Figure 2
Release 12.4T Migration Plan
Customers interested in upgrading to Release 12.4 or 12.4T (or successor releases when they become available) should determine their functionality needs and choose the appropriate release.
1.2) Release 12.4T Additional Information
• Cisco IOS Software Release 12.4T
  Cisco IOS Software Releases 12.4 T—Products & Services—Cisco Systems
• Cisco IOS Software Product Lifecycle Dates & Milestones, Product Bulletin No. 2214
  http://www.cisco.com/en/US/products/ps6441/prod_bulletin0900aecd801eda8a.html
• Changes to Cisco IOS Software Product Support in Release 12.4T, Product Bulletin No. 3000
  http://www.cisco.com/go/124thardware/
• Cisco IOS Software Center
  Download Cisco IOS Software releases and access software upgrade planners.
  http://www.cisco.com/public/sw-center/sw-ios.shtml
• Cisco Feature Navigator
  A web-based application that allows you to quickly match Cisco IOS Software releases to features to hardware.
• Cisco Software Advisor
  Determine the minimum supported software for selected hardware.
  http://tools.cisco.com/Support/Fusion/FusionHome.do
• Cisco IOS Upgrade Planner
  View all major releases, hardware, and software features from a single interface.
  http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi
1.3) Cisco IOS Packaging
Figure 3
Cisco IOS Packaging for Cisco Routers
2) Release 12.4(15)T Highlights
Table 1 Release 12.4(15)T Feature Highlights
* Indicates Key Highlight
2.1) Cisco IOS Security
2.1.1) Cisco IOS Intrusion Prevention System (IPS) Support for Microsoft Vulnerabilities
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based feature that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. As a core facet of the self-defending network, Cisco IOS IPS enables the network to defend itself with the intelligence to accurately identify, classify, and stop or block malicious or damaging traffic in real time.
While it is common practice to defend against attacks by inspecting traffic at the data centers and corporate headquarters, distributing the defense to stop malicious traffic close to its entry point at the branch offices is also critical. Deploying inline Cisco IOS IPS at the branch enables gateways to drop offending traffic, send an alarm, block an attacker or reset a potentially malicious client-server connection as needed to stop attacking traffic at its point of origin.
Key benefits of Cisco IOS IPS features include:
• Provides network-wide, distributed protection from many worms, viruses, and attacks exploiting vulnerabilities in operating systems and applications
• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as in small and medium-sized business networks
• Offers a field-customizable worm and attack signature set and event actions
• Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions
• Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and the networks behind it
• Supports the same signature database available for Cisco Intrusion Prevention System (IPS) appliances
In Cisco IOS Software Release 12.4(15)T, Cisco IOS Intrusion Prevention System (IPS) adds support for the Cisco IPS Software Version 5.x/6.0 signature format, which is also used by the latest Cisco appliance-based IPS products. The Cisco IPS version 5.x signature format is improved to support encrypted signature parameters and other features such as signature Risk Rating. In this release, the Cisco IOS IPS feature also supports signatures for many vulnerabilities in the Microsoft Server Message Block (SMB) and Microsoft Remote Procedure Call (MSRPC) protocols. Both protocols are widely and frequently used by most Microsoft applications and software packages.
New Cisco IOS IPS features in Cisco IOS Release 12.4(15)T provide:
• Signatures for vulnerabilities in the Microsoft SMB and MSRPC protocols
• Support for encrypted signatures provided by vendors under NDA (such as Microsoft)
• A Risk Rating value in IPS alarms for efficient event filtering, monitoring and correlation
• Signature Event Action Processor (SEAP) for automated adjustment of signature event actions based on Risk Rating
• Support for the same signature format as the latest Cisco IPS appliance/module software version
• Individual and category-based signature provisioning via the Cisco IOS CLI
• XML-based IDCONF signature provisioning mechanism
• Automated signature updates (at periodic intervals) from a local TFTP or HTTP/HTTPS server
Figure 4
IPS Now Supports Microsoft SMB and MSRPC Signatures Natively
Benefits of IPS Features in Cisco IOS Software Release 12.4(15)T
Enhanced Microsoft Signature Support (MSRPC and SMB):
Cisco IOS IPS adds support for ~95 signatures for vulnerabilities in the Microsoft Remote Procedure Call (MSRPC) and Microsoft Server Message Block (SMB) protocols.
Support for Encrypted Signatures Released Under NDA:
Cisco IOS IPS can now scan for encrypted signatures for certain vulnerabilities as provided by vendors under NDA (such as Microsoft) sometimes even before their public release.
More Accurate and Efficient Event Monitoring with Reduced False Positives:
The Event Risk Rating value provided in IPS alarms is calculated from signature severity, signature fidelity (high-fidelity signatures have a lower rate of false positives) and a user-defined "target value rating". Event monitoring/correlation applications or devices such as CS-MARS may use the Risk Rating (RR) value in IPS alarms to filter out events below a certain RR threshold and/or trigger event correlation/action rules based on the relative importance of IPS events indicated by their Risk Rating value.
Quick and Automated Adjustment of Signature Event Actions Based on Calculated Risk:
The Signature Event Action Processor (SEAP) feature allows overriding of default signature actions based on calculated Risk Rating value. For instance, signatures generating events with a Risk Rating value of 90 or higher (on a scale of 1 to 100) may be configured to drop offending packets and/or deny traffic from the attacker's address in addition to the default action of simply sending an alarm.
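The Risk Rating and SEAP behaviour described above, as an added Python illustration that is not Cisco code: the exact RR formula (ASR x SFR x TVR / 10000, clamped to 1..100) and the severity and target-value scales are assumptions; only the inputs the bulletin names drive the result.

```python
"""Risk Rating (RR) and SEAP-style event-action overrides (added illustration).

Not Cisco code. The RR formula is an assumption: the IPS 5.x base formula
ASR * SFR * TVR / 10000, clamped to the 1-100 scale the bulletin mentions;
the ASR and TVR scales are assumed as well. Only the inputs the bulletin names
(signature severity, signature fidelity, target value rating) drive the result.
"""
from dataclasses import dataclass

SEVERITY_ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}   # assumed
TARGET_TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150,              # assumed
              "mission-critical": 200}

@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: str  # key into SEVERITY_ASR
    fidelity: int  # Signature Fidelity Rating, 0-100 (higher = fewer false positives)

@dataclass(frozen=True)
class Override:
    """Add `actions` to any event whose RR falls within [min_rr, max_rr]."""
    min_rr: int
    max_rr: int
    actions: frozenset

def risk_rating(sig: Signature, target_value: str) -> int:
    """Severity, fidelity and target value multiply; the result is clamped to 1..100."""
    rr = SEVERITY_ASR[sig.severity] * sig.fidelity * TARGET_TVR[target_value] // 10_000
    return max(1, min(100, rr))

# Default action is an alarm only, as the bulletin describes.
DEFAULT_ACTIONS = frozenset({"produce-alert"})
# The bulletin's example: RR >= 90 also drops the packet and denies the attacker.
OVERRIDES = [Override(90, 100, frozenset({"deny-packet-inline", "deny-attacker-inline"}))]

def seap_actions(rr: int, overrides=OVERRIDES) -> frozenset:
    """Signature Event Action Processor: defaults plus every override covering this RR."""
    actions = set(DEFAULT_ACTIONS)
    for ov in overrides:
        if ov.min_rr <= rr <= ov.max_rr:
            actions |= ov.actions
    return frozenset(actions)

def process_event(sig: Signature, target_value: str, overrides=OVERRIDES) -> dict:
    """One IPS alarm: the RR it carries and the actions SEAP selects for it."""
    rr = risk_rating(sig, target_value)
    return {"sig_id": sig.sig_id, "name": sig.name, "rr": rr,
            "actions": seap_actions(rr, overrides)}

def filter_by_rr(events: list, threshold: int) -> list:
    """What a monitoring/correlation system keeps after an RR threshold filter."""
    return [e for e in events if e["rr"] >= threshold]

# Constructed sample signatures; IDs and names are made up for the example.
SAMPLE_SIGS = [
    Signature(90001, "example SMB exploit attempt, high fidelity", "high", 95),
    Signature(90002, "example MSRPC probe, medium fidelity", "medium", 60),
    Signature(90003, "example informational pattern", "informational", 40),
]

def demo() -> list:
    return [
        process_event(SAMPLE_SIGS[0], "mission-critical"),  # RR 100: alert + deny
        process_event(SAMPLE_SIGS[1], "medium"),            # RR 45: alert only
        process_event(SAMPLE_SIGS[2], "zero"),              # RR 5: alert only
    ]

if __name__ == "__main__":
    for ev in demo():
        print(ev["rr"], sorted(ev["actions"]), ev["name"])
    print("kept at RR >= 50:", [e["sig_id"] for e in filter_by_rr(demo(), 50)])
```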
Common Operational Model for Cisco IPS Appliances, Modules and Cisco IOS IPS:
In this release, Cisco IOS IPS starts using the same signature format and deployment/update/provisioning mechanism as all other Cisco IPS devices allowing Cisco Security Manager 3.1 to apply the same policy changes (signature tunings) to all Cisco IOS routers, IPS appliances and modules in a customer network.
Secure and Scalable Management of Signature Policies for Any Kind of Deployment:
Security Device Manager 2.4 and Cisco Security Manager 3.1 provide complete IPS provisioning capabilities for a single router and for multiple routers and IPS devices, respectively. Both management applications use the IDCONF protocol running securely over HTTPS. Granular customization and tuning of signatures is also possible via the CLI and custom CLI scripts. For large-scale deployments, signature selection and action tunings applied to a single router can be distributed to a large number of routers using Cisco Configuration Engine.
Timely Protection from the Latest Threats with Minimal User Intervention:
Automated and periodic signature updates from a local TFTP or HTTP(S) server.
Hardware
Additional Information: http://www.cisco.com/go/iosips
Product Management Contact: Kemal Akozer (kemal@cisco.com)
2.1.2) Flexible Packet Matching (FPM) Full Packet Filtering
Flexible Packet Matching (FPM) is the next-generation Access Control List (ACL) technology that provides a flexible and rapid first line of defense against malicious traffic at the entry point into the network. It features powerful custom pattern matching deep within the packet header or payload, minimizing inadvertent blocking of legitimate business traffic.
FPM is a packet classification feature that allows users to define one or more classes of network traffic by pairing a rich set of standard matching operators with user-defined protocol header fields. FPM further extends the network traffic class definition capability to include new CLI syntax to offset into a user-defined protocol header and, furthermore, into the data portion of the packet.
FPM provides network security administrators with powerful tools to identify miscreant traffic as it enters the network, and to immediately drop and/or keep a log for audit purposes. Administrators can specify custom match patterns at multiple offsets within the packet. FPM includes ready-made definitions for standard protocols via Protocol Header Definition Files (PHDF), which simplify deployment. Customers can also customize and add extensions to PHDFs at device run time.
FPM was first introduced in Cisco IOS Release 12.4(4)T. In the initial release, FPM was limited to searching for patterns up to 32 bytes long within the first 256 bytes of a packet. Release 12.4(15)T extends the FPM matching capability by allowing network security administrators to search for strings up to 256 bytes long anywhere within the entire packet. This provides greater flexibility for defining filters for miscreant traffic targeting your network.
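The stateless offset/field matching described above, as an added Python illustration that is not Cisco code and does not use the FPM CLI or PHDF syntax: a small table stands in for a PHDF, and the two limit settings encode the 12.4(4)T and 12.4(15)T search capabilities the text compares; packets, ports and match strings are constructed.

```python
"""Stateless FPM-style packet classification (added illustration, not Cisco code).

A small table stands in for a PHDF (field -> byte offset and length within its
header), and Limits encodes the two generations the bulletin compares: 32-byte
patterns within the first 256 bytes (12.4(4)T) versus 256-byte patterns anywhere
in the packet (12.4(15)T). Packets, ports and match strings are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# PHDF-like definitions: field name -> (byte offset within that header, length).
PHDF = {
    "ip":  {"protocol": (9, 1), "src": (12, 4), "dst": (16, 4)},
    "udp": {"sport": (0, 2), "dport": (2, 2), "length": (4, 2)},
}
UDP_HDR_LEN = 8

def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) * 4  # IHL, in 32-bit words

def header_field(pkt: bytes, proto: str, name: str) -> bytes:
    """Resolve a named field; UDP fields sit after the variable-length IP header."""
    base = 0 if proto == "ip" else ip_header_len(pkt)
    off, length = PHDF[proto][name]
    return pkt[base + off:base + off + length]

@dataclass(frozen=True)
class Limits:
    max_pattern: int              # longest string a class may search for
    search_window: Optional[int]  # bytes from packet start the search may cover

OLD_LIMITS = Limits(max_pattern=32, search_window=256)    # 12.4(4)T, per the bulletin
NEW_LIMITS = Limits(max_pattern=256, search_window=None)  # 12.4(15)T: whole packet

@dataclass(frozen=True)
class FieldMatch:
    proto: str
    name: str
    value: bytes

@dataclass(frozen=True)
class StringMatch:
    pattern: bytes
    start: int = 0  # byte offset from packet start where the search begins

@dataclass(frozen=True)
class TrafficClass:
    name: str
    criteria: tuple  # every criterion must match
    action: str      # "drop", "log" or "icmp-unreachable"

def validate(classes, limits: Limits) -> list:
    """Configuration-time check: flag patterns longer than the platform allows."""
    return [f"{tc.name}: {len(c.pattern)}-byte pattern exceeds {limits.max_pattern}"
            for tc in classes for c in tc.criteria
            if isinstance(c, StringMatch) and len(c.pattern) > limits.max_pattern]

def criterion_matches(pkt: bytes, c, limits: Limits) -> bool:
    if isinstance(c, FieldMatch):
        return header_field(pkt, c.proto, c.name) == c.value
    end = len(pkt) if limits.search_window is None else min(len(pkt), limits.search_window)
    return pkt.find(c.pattern, c.start, end) != -1

def classify(pkt: bytes, classes, limits: Limits) -> str:
    """Action of the first class whose criteria all match, else 'permit'."""
    for tc in classes:
        if all(criterion_matches(pkt, c, limits) for c in tc.criteria):
            return tc.action
    return "permit"

def build_udp_packet(dport: int, payload: bytes) -> bytes:
    """IPv4 + UDP framing (constructed 10.0.0.1 -> 10.0.0.2, zeroed checksums)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + UDP_HDR_LEN + len(payload),
                     0, 0, 64, 17, 0, src, dst)
    udp = struct.pack("!HHHH", 40000, dport, UDP_HDR_LEN + len(payload), 0)
    return ip + udp + payload

# Constructed policy: UDP to port 4000 carrying the marker anywhere in the packet.
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"
POLICY = [TrafficClass("udp-4000-marker",
                       (FieldMatch("ip", "protocol", b"\x11"),
                        FieldMatch("udp", "dport", (4000).to_bytes(2, "big")),
                        StringMatch(MARKER)),
                       action="drop")]

# 300 bytes of filler push the marker past the old 256-byte search window.
DEEP_PKT = build_udp_packet(4000, b"A" * 300 + MARKER)
SHALLOW_PKT = build_udp_packet(4000, b"A" * 10 + MARKER)
OTHER_PORT_PKT = build_udp_packet(4001, b"A" * 10 + MARKER)

if __name__ == "__main__":
    for label, pkt in (("deep", DEEP_PKT), ("shallow", SHALLOW_PKT), ("port 4001", OTHER_PORT_PKT)):
        print(label, classify(pkt, POLICY, OLD_LIMITS), classify(pkt, POLICY, NEW_LIMITS))
```

The deep packet is the case the text is about: with the older limits the marker sits beyond the 256-byte window and the packet is permitted, while the whole-packet search classifies it.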
Figure 5
Flexible Packet Matching Process
Benefits
• FPM enables users to create their own stateless packet classification criteria and to define policies with multiple actions (i.e., drop, log, or send ICMP unreachable) to immediately block new viruses, worms, and attacks
• FPM provides a flexible, granular Layer 2-7 matching capability, inspecting packets for characteristics regardless of the header fields involved
• FPM goes beyond static attributes, allowing you to specify arbitrary bits/bytes at any offset within the entire packet (header or payload), minimizing inadvertent blocking of legitimate business traffic
• Allows network security administrators to rapidly set up custom filters using the CLI or an XML-based policy language
• Useful for Security Incident Response Teams reacting to threats targeting their networks
Hardware
Considerations
The Flexible Packet Matching feature is only available in Cisco IOS Software Release 12.4(15)T (and higher) Advanced Security, Advanced IP Services, and Advanced Enterprise Software packages.
Additional Information: http://www.cisco.com/go/fpm
Product Management Contact: ask-stg-ios-pm@cisco.com
2.1.3) Cisco IOS SSL VPN Enhancements
Unlike IPsec VPN, SSL VPN in clientless mode is an application-aware technology. Using SSL VPN on the routers, companies can securely and transparently extend their networks to any Internet-enabled location. SSL VPN is compelling because the security is transparent to the end user and easy for IT to administer. Using only a Web browser, companies can extend their secure Enterprise networks to any Internet-enabled location, including home computers, Internet kiosks, and wireless hotspots, thereby enabling higher employee productivity and protecting corporate data. Cisco IOS SSL VPN supports clientless access to applications such as HTML-based intranet content, email, network file shares, and Citrix. While this allows for a great end-user experience, it must be balanced with proper access control so end users have access to only those resources dictated by corporate policy. Figure 6 provides a use-case scenario for customers to implement Cisco IOS SSL VPN effectively at the branch.
Figure 6
IOS SSL VPN Use Case Scenario
Cisco IOS® SSL VPN is a licensed feature supported on Cisco® 871, 1800, 2800, 3700, 3800, 7200, and 7301 routers running the Advanced Security image since Cisco IOS Software Release 12.4(6)T (and higher). You can purchase the feature license in packs of 10, 25, or 100 simultaneous users directly from the Cisco.com ordering tool or through your Cisco partner/account team. Figure 7 provides more portfolio and license pricing details.
Figure 7
Cisco IOS SSL VPN Portfolio and Pricing
New SSL VPN features in Cisco IOS Software Release 12.4(15)T include the following:
1. SSL VPN Clientless Performance Enhancements
2. SSL VPN GUI Enhancements
3. SSL VPN User-level Bookmarking
4. Front Door-VRF Support
2.1.3.1) SSL VPN Clientless Performance Enhancements
Prior to this feature, traffic from clientless SSL VPN users was process switched. Clientless performance enhancements bring CEF support to clientless SSL VPN traffic through the Cisco IOS SSL VPN gateway. Cisco Express Forwarding (CEF) technology for IP is a scalable, distributed, Layer 3 switching solution designed to meet the future performance requirements of the Internet and Enterprise networks. Hardware acceleration is also now supported, offloading extensive cryptographic computations from the processor.
Reduction of the overall load of the processor allows for greater scalability and throughput providing for an improved user experience and user density per router. Reducing the CPU load also allows for configuration of other concurrent features on the router. CEF and hardware support are enabled by default.
Benefits
Increased Scalability and Performance—Increased number of concurrent users and throughput.
2.1.3.2) SSL VPN GUI Enhancements
Ergonomic improvements to the user interface of the Cisco IOS SSL VPN gateway have been added. Improved customization of the user interface provides greater flexibility and the ability to tailor the portal pages for an individualized look and feel. Features are more clearly delineated, making for a more intuitive and less cluttered interface. The portal page now spawns new pages for mangled links or URLs, eliminating any need to navigate back to the portal page. The separate toolbar window has been replaced with an integrated floating toolbar that floats in either the upper left or right (dynamically configurable) of pages spawned from the portal page. Previous interface configurations are still available.
Figure 8
SSL VPN GUI Enhancements
User Configurable Enhancements:
• Login Banner message
• Login Picture
GUI Improvements:
• GUI layout
• Toolbar integrated directly into spawned pages
Previous Configurable Elements:
• Login message
• Color accents
• Logo
• Secondary browser color
• Secondary text color
Benefits
Ease of use/Customization—The improved GUI takes into account the latest Cisco IOS SSL VPN features and presents them in a layout that is more intuitive and aesthetic. Integration of the toolbar reduces clutter of the desktop by removing an extra window.
2.1.3.3) SSL VPN User-Level Bookmarking
User-level bookmarking allows individual users to customize the portal page with their own bookmarks. Bookmarks are stored on the router and are linked to individual user IDs, so a user's bookmarks are location/machine independent. The user profile location can be any of the file systems on the router or an external store such as a Trivial File Transfer Protocol (TFTP) server. In addition to administrator-defined bookmarks, Cisco IOS SSL VPN users can create, edit, and delete their own individual bookmark list and have access to it on any computer at any location.
Figure 9
SSLVPN User-Level Bookmarking
Benefits
Increased Usability—The user level bookmarking feature gives flexibility to users to customize the portal page to suit their individual needs. In addition to predefined links configured by the administrator, users can create a list of bookmarks that are most useful for them.
2.1.3.4) Front door-VRF (fVRF) Support
Front door-VRF (fVRF) support, coupled with the already supported internal VRF (iVRF) capability in Cisco IOS Software Release 12.4T, allows the Cisco IOS SSL VPN gateway to be fully integrated into an MPLS network. The virtual gateway can be placed into a VRF, separate from the Internet to avoid internal MPLS/IP network exposure. This reduces the vulnerability of the router by separating the Internet routes and/or the global routing table. Clients can now reach the gateway via the fVRF which can be separate from the global VRF. The backend or iVRF functionality remains the same.
Figure 10
Front door-VRF Support
Benefits
Increased Security—Cisco IOS SSL VPN virtual gateway can be placed and accessed on a separate VRF to reduce network exposure and provide support for overlapping IP addresses.
Hardware
Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com
2.1.4) Cisco IOS Software Support for AnyConnect VPN Client
The Cisco AnyConnect VPN Client is the Cisco next generation VPN client providing secure remote access through an SSL VPN tunnel. It provides similar functionality and features as traditional IPsec clients. As with clientless access, no provisioning on the client machine is required. The AnyConnect client is pushed from the Cisco IOS SSL VPN gateway to the client where it is installed and a secure tunnel is established. Initial installation requires admin rights, but upgrading an existing install does not.
AnyConnect supports 32-bit Microsoft Windows 2000, Windows XP, Windows Vista (64-bit platforms to follow as well as Windows Mobile 5), Mac, and Linux platforms.
Figure 11
Cisco IOS Software Support for AnyConnect VPN Client
Benefits
Increased Functionality and Flexibility—The Cisco AnyConnect VPN Client provides a secure remote access alternative for non-Web-based traffic. It complements clientless operation, allowing for traditional IPsec-like connectivity between clients and the secure Cisco IOS Software gateway.
Hardware
Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com
2.1.5) Reverse Route Injection Distance Metric Enhancements
Reverse Route Injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint. The RRI Distance Metric Enhancement defines a distance metric for each static route created by RRI.
RRI is supported on both ipsec-profile and crypto map configuration (CLI) profiles:
• Configuration example on crypto map:
crypto map mymap 1 ipsec-isakmp
 set reverse-route distance 20
• Configuration example on ipsec-profiles:
crypto ipsec profile myprof
 set reverse-route distance 20
Benefits
Increased Flexibility—Improves RRI flexibility when used in dynamic routing scenarios. Static routes can be tailored so dynamic routes can have priority in the routing table.
Hardware
Additional Information: http://www.cisco.com/go/iossecurity
Product Management Contact: ask-stg-ios-pm@cisco.com
2.2) Routing and Multicast
2.2.1) OSPF Mechanism to Exclude Connected Prefixes
By default, when an OSPF router is connected to other OSPF routers via an IP numbered link, it automatically includes prefixes of IP numbered links in its advertisements. The OSPF Mechanism to Exclude Connected Prefixes feature enhancement provides the ability to exclude directly connected prefixes from advertising throughout the network.
When this feature is configured, IP numbered link prefixes will not be advertised into the network, resulting in improved convergence times and enhanced security by excluding internal network prefixes from being exposed outside of the network.
Key Benefits:
• Improved convergence, scalability and performance: by excluding prefixes from OSPF advertisements, the network converges faster and scales better. Router performance is improved because fewer prefixes have to be processed.
• Improved security: by not advertising connected prefixes, OSPF area border routers or autonomous system border routers cannot advertise these prefixes outside of the network. This improves the security of the network by not exposing connected prefixes to external entities.
Hardware
Product Management Contact: Suresh Katukam (skatukam@cisco.com)
2.2.2) Optimized Edge Routing (OER) Application Aware Routing
Previously, Optimized Edge Routing (OER) allowed users to optimize traffic based upon IP prefixes, DSCP values, and Access Control Lists (ACLs). This feature allows OER to optimize well-known applications without having to configure ACLs to classify the traffic. Application optimization can be divided into three important tasks: application detection (learning), application performance measurement, and application route control. With this feature, you can specify an application by name for learning, performance measurement and route optimization.
Table 2 is a list of some of the applications that can be defined in OER policies for performance routing:
Table 2 Application List for OER Application Aware Routing
Hardware
Product Management Contact: Scott Van de Houten (svandeho@cisco.com)
2.2.3) OER Link Grouping
OER automates routing in order to select the best path based upon cost minimization, load distribution policy, and overall network performance. This enables intelligent network traffic load distribution and dynamic failure detection of data-paths at the WAN edge (for multi-homing to the Internet or intranet connectivity). OER is unique in that it can make adaptive and dynamic routing adjustments based on criteria other than static routing metrics: response time, packet loss, jitter, MOS scores, path availability, traffic load distribution, and financial cost minimization policies.
OER Link Grouping allows one or more interfaces on the border router to be assigned to a link group. By assigning interfaces to a link group, applications can be directed to only traverse interfaces within a link group. Policies are used to select an exit interface from a given link group. Fallback link groups can be used by the Policy if no interface within a link group is available or meets the policy requirements.
Hardware
Product Management Contact: Scott Van de Houten (svandeho@cisco.com)
2.2.4) Bandwidth Call Admission Control (CAC) for IP Multicast
In multicast enabled networks, monitoring and controlling the amount of bandwidth utilized is critical for service efficiency. In corporate communications or IP video environments, it is important that the network link is not oversubscribed or video services might degrade for a set of users. Cisco understands this problem and has implemented a method to control and monitor the total bandwidth consumed at the network edge. In today's networks voice, video and data need to be allocated respective bandwidth and bandwidth based CAC allows seamless integration of video services.
The Bandwidth Based Call Admission Control (CAC) for IP Multicast feature allows the monitoring of bandwidth per set of multicast groups per interface in the network. Bandwidth based CAC has the ability to control how much bandwidth various content providers can use across a network by assigning specific multicast groups allowable bandwidth consumption.
Figure 12
Bandwidth Based Call Admission Control (CAC) for IP Multicast—Details
Benefits
• Enhances video services by monitoring video bandwidth consumption on the edge
• Provides guaranteed control of multicast-based total bandwidth usage per interface
Hardware
Additional Information: http://www.cisco.com/go/multicast
Product Management Contact: Scott Van de Houten (svandeho@cisco.com)
2.3) IP Services
2.3.1) Gateway Load Balancing Protocol (GLBP) Client Cache
Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, while allowing packet load sharing between a group of redundant routers. GLBP differentiates itself from Virtual Router Redundancy Protocol (VRRP) in that GLBP offers the ability to concurrently use more than one gateway, significantly reducing the cost of a First Hop Routing solution.
GLBP is enhanced with the ability to display more information about individual network clients that are using GLBP as their default gateway. This makes it easier to understand:
• How well GLBP clients have been distributed among forwarders
• Which forwarder a particular client is assigned to
• How many clients are assigned to each forwarder
• Which clients are assigned to each forwarder
To achieve the above mentioned benefits, the following data is provided through a Cisco IOS CLI "show command" on the Active Virtual Gateway for the group:
• Percentage of all clients currently assigned to each forwarder
• Forwarder assigned to a specified client MAC address
• Number of clients assigned to each forwarder
• Information about each client assigned to each forwarder
Benefits
• Manageability and network troubleshooting of GLBP is greatly improved
Hardware
Additional Information: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008042fb97.html
Product Management Contact: Benoit Lourdelet (blourdel@cisco.com)
2.3.2) Dynamic Host Configuration Protocol (DHCP) Server Multiple Subnet
The Dynamic Host Configuration Protocol (DHCP) server now supports the configuration of multiple subnets under a single pool name. This enables large deployments where common DHCP parameters configuration can be grouped under a single pool, while subnet specific parameters can be set as well.
Benefits
• DHCP configuration is made easier and the number of pools to configure is kept to a minimum
Hardware
Additional Information: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804419eb.html#wp1084769
Product Management Contact: Benoit Lourdelet (blourdel@cisco.com)
2.3.3) Hot Standby Routing Protocol (HSRP) Bidirectional Forwarding Detection (BFD) Peering
Bidirectional Forwarding Detection (BFD) is introduced in the Hot Standby Routing Protocol (HSRP) group member health monitoring system. Previously, group member monitoring relied exclusively on HSRP multicast messages. These messages are relatively large, hence CPU consuming to produce and check. In architectures where a single interface hosts hundreds of groups there is a need for a lighter protocol. BFD addresses this issue and offers sub-second health monitoring at a relatively low CPU impact.
Figure 13
HSRP BFD Peering Topology
Benefits
• Allows for quicker and more efficient failure detection of HSRP group members
Hardware
Additional Information: http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tsd_technology_support_sub-protocol_home.html
Product Management Contact: Benoit Lourdelet (blourdel@cisco.com)
2.3.4) DHCPv6 Stateless Enhancements
Stateless DHCPv6 is enhanced to support new options in the Client and the Server component. Cisco IOS Release 12.4(15)T adds support for new DHCPv6 options for configuration of the DHCP Server:
• NIS SERVERS
• NISP SERVERS
• NIS DOMAIN_NAME
• NISP DOMAIN_NAME
• SNTP SERVERS
• INFORMATION REFRESH TIME
Special attention must be paid to "INFORMATION REFRESH TIME" as it provides the end-host the capability to regularly refresh the content of stateless options that don't carry a lease time with them.
The above mentioned options are requested by the DHCPv6 Client and INFORMATION REFRESH TIME is taken into account to refresh the content on stateless DHCP options received by the Client.
In scenarios where a router is a DHCPv6 client toward its upstream router and a DHCPv6 Server toward downstream hosts, it is now possible to import received options from the Client side to automatically populate the DHCPv6 Server configuration with those options. The choice of imported options is set on a pool basis.
Figure 14
Hierarchical Stateless DHCPv6
Benefits
• DHCPv6 Stateless parameters are regularly renewed
• DHCPv6 Server configuration on CPE is made more dynamic
Hardware
Additional Information: http://www/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00806f542d.html
Product Management Contact: Benoit Lourdelet (blourdel@cisco.com)
2.4) High Availability
2.4.1) Bidirectional Forward Detection (BFD) Support for Cisco Integrated Services Routers
BFD is a detection protocol that is designed to provide fast forwarding path failure detection times for all media types.
The convergence of business-critical applications onto a common IP infrastructure in Enterprise and Service Provider networks is becoming more common. Given the criticality of the data, these networks are typically constructed with a high degree of redundancy. While such redundancy is desirable to increase network availability, its effectiveness is dependent upon the ability of individual network devices to quickly detect failures and reroute traffic to an alternate path.
Routing protocol convergence is a key issue in these converged network designs since it determines the routes available to send data packets on and the reachability of the network. In order to maintain the integrity of routing data, it is vital to have accurate information regarding the status of links and whether they are up or down. Bidirectional Forwarding Detection (BFD) is an IETF draft-based mechanism used to detect link failures for routing protocols. It addresses some of the important problems in link status detection:
• Link Layer detection mechanisms vary significantly in the temporal resolution they offer for link status detection. Techniques like Automatic Protection Switching (APS) on SONET offer sub-50 ms resolution for the detection of link failures, while Ethernet or traditional WAN link methods offer a few seconds of resolution at best.
• Link Layer detection mechanisms may not help with Layer 3 network-level failures. This matters when there is a routing flap in the routing protocol at Layer 3 but the underlying Layer 2 link is fine.
• Typical mechanisms that work at Layer 3 offer 15-20 seconds of temporal resolution for failure detection. This is slow compared with the times within which applications require network connectivity to be maintained.
BFD provides a low-overhead, short-duration method of detecting failures in the forwarding path between two adjacent routers, including the interfaces, data links, and forwarding planes. BFD delivers fast router peer failure detection times independent of all media types, encapsulations, topologies, and routing protocols including EIGRP, IS-IS, OSPF, and BGP (single-hop peers over Ethernet interfaces). Cisco currently supports the BFD Asynchronous mode, which depends on the sending of BFD control packets between two systems for liveness detection between the forwarding engines of the BFD neighbors.
Figure 15
Bidirectional Forwarding Detection (BFD) Support for Cisco Integrated Services Routers
Benefits
• Facilitates faster network convergence due to faster failure detection of link/neighbor
• Allows for media-independent link-failure detection
• Enables easier network profiling and planning
Considerations
• Cisco IOS Software Release 12.4(15)T supports BFD for EIGRP, OSPF, IS-IS, and BGP single-hop peers over Ethernet interfaces only.
• BFD is not supported over OSPF virtual links or sham links, as the current specification for BFD usage on IP links limits BFD to one-hop adjacencies.
• Care should be taken when configuring BFD timers. Consider CPU utilization, link speed, and propagation delay (speed of light) before setting low values. A timer the peer's CPU cannot honor produces false failures: missing the configured multiple of consecutive packets is indistinguishable from a dead peer.
• BFD is not intended for use as a protocol to detect Cyclic Redundancy Check (CRC) errors or packet loss between two adjacent routers.
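The timer negotiation behind the considerations above, as an added example that is not part of the original bulletin or of Cisco IOS: Python code that builds and checks the mandatory 24-byte BFD Control packet section and derives the asynchronous-mode transmit interval and detection time as RFC 5880 (the published form of the draft this bulletin refers to) defines them. The peer packet and the local timer values (the equivalent of the IOS interface command bfd interval 50 min_rx 50 multiplier 3) are constructed for the example. It does not implement the optional authentication section; it only enforces the RFC receive rule that a packet with the A bit set is discarded when no authentication is configured, and vice versa.

```python
import struct

BFD_VERSION = 1
BFD_HEADER_LEN = 24
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
# Flag bits in the second byte, after the 2-bit State field: P F C A D M.
FLAG_POLL, FLAG_FINAL, FLAG_CPI, FLAG_AUTH, FLAG_DEMAND, FLAG_MULTIPOINT = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


def build_control(my_disc, your_disc, state, detect_mult, desired_min_tx_us,
                  required_min_rx_us, diag=0, flags=0):
    """Mandatory section of a BFD Control packet (RFC 5880, section 4.1). Intervals are microseconds."""
    first = (BFD_VERSION << 5) | (diag & 0x1F)
    second = ((state & 0x3) << 6) | (flags & 0x3F)
    return struct.pack("!BBBBIIIII", first, second, detect_mult, BFD_HEADER_LEN,
                       my_disc, your_disc, desired_min_tx_us, required_min_rx_us, 0)


def parse_control(pkt, auth_configured=False):
    """Decode a packet and apply the RFC 5880 section 6.8.6 reception checks;
    raises ValueError for any packet the receiver must discard."""
    if len(pkt) < BFD_HEADER_LEN:
        raise ValueError("packet shorter than the mandatory section")
    (first, second, detect_mult, length, my_disc, your_disc,
     desired_tx, required_rx, echo_rx) = struct.unpack("!BBBBIIIII", pkt[:BFD_HEADER_LEN])
    if first >> 5 != BFD_VERSION:
        raise ValueError("unsupported BFD version")
    if length < BFD_HEADER_LEN or length > len(pkt):
        raise ValueError("length field inconsistent with packet")
    if detect_mult == 0:
        raise ValueError("detect mult is zero")
    if second & FLAG_MULTIPOINT:
        raise ValueError("multipoint bit set")
    if my_disc == 0:
        raise ValueError("my discriminator is zero")
    state = (second >> 6) & 0x3
    if your_disc == 0 and state not in (0, 1):
        raise ValueError("zero your-discriminator is only valid in Down/AdminDown")
    if bool(second & FLAG_AUTH) != auth_configured:
        raise ValueError("authentication bit does not match local configuration")
    return {
        "diag": first & 0x1F, "state": STATE_NAMES[state], "flags": second & 0x3F,
        "detect_mult": detect_mult, "my_disc": my_disc, "your_disc": your_disc,
        "desired_min_tx_us": desired_tx, "required_min_rx_us": required_rx,
        "required_min_echo_rx_us": echo_rx,
    }


def negotiated_timers(local_desired_tx_us, local_required_rx_us, remote):
    """Asynchronous mode (RFC 5880, section 6.8.4 and 6.8.7): we transmit at the
    slower of what we want to send and what the peer can receive; we declare the
    peer down after its Detect Mult times the slower of what we can receive and
    what the peer will send."""
    tx_interval = max(local_desired_tx_us, remote["required_min_rx_us"])
    detection_time = remote["detect_mult"] * max(local_required_rx_us, remote["desired_min_tx_us"])
    return tx_interval, detection_time


def peer_alive(last_rx_us, now_us, detection_time_us):
    """False once the detection time has elapsed with no packet from the peer."""
    return now_us - last_rx_us <= detection_time_us


def demo():
    # Local side: 50 ms transmit, 50 ms receive, multiplier 3 (values in microseconds).
    local_tx, local_rx = 50_000, 50_000
    # Constructed packet from a slower peer: sends every 100 ms, accepts 50 ms, multiplier 3.
    peer_pkt = build_control(my_disc=0x1234, your_disc=0x5678, state=3, detect_mult=3,
                             desired_min_tx_us=100_000, required_min_rx_us=50_000)
    remote = parse_control(peer_pkt)
    tx_interval, detection_time = negotiated_timers(local_tx, local_rx, remote)
    return remote["state"], tx_interval, detection_time


if __name__ == "__main__":
    state, tx, detect = demo()
    print("peer state %s, we send every %d us, declare down after %d us" % (state, tx, detect))
```

The worked numbers show why the "care with timers" consideration applies to both ends: the local router asked for 50 ms, but because the peer only offers to send every 100 ms the detection time is 3 x 100 ms = 300 ms, not 150 ms. The reception checks are the other half of the story: without the authentication section, a BFD session on a shared segment accepts any packet whose discriminators match, so the source of fast failure detection is also a way for an on-link attacker to tear an adjacency down.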
Hardware
Product Management Contact: Harmen Van Der Linde (havander@cisco.com)
2.5) Connectivity
2.5.1) Multiple PPP-over-Ethernet (PPPoE) Clients per VC Support
The Multiple PPPoE Client feature is an enhancement over the existing PPPoE client support for ATM Virtual Circuits. Previously, an ATM PVC could only be configured with one PPPoE dialer interface. Now, multiple Dialer interfaces may be configured on a single Virtual Circuit (VC). This can be used to configure redundancy to multiple L2TP Network Servers (LNS's), providing an easy backup path, should the primary LNS stop responding. This capability is especially useful in situations where only one PVC can be configured between Customer Premises Equipment (CPE) and the Asynchronous Transfer Mode (ATM) aggregator.
Key benefits for using Multiple PPPoE Clients per VC include:
• Increased flexibility in defining PPPoE Dialer Interfaces
• Provides multiple services to a CPE using separate logical PPP interfaces across the same VC
• Improved availability using a single VC
Figure 16
Multiple PPPoE Clients
Hardware
Product Management Contact: Ben Strickland (bstrickl@cisco.com)
2.5.2) Layer 2 Tunneling Protocol (L2TP) Forwarding of PPPoE Tags
In an Ethernet access aggregation network there is no unique mapping between a subscriber line ID and an Ethernet interface, unlike the Virtual Circuit (VC) in an ATM-based network, especially when a separate Virtual LAN (VLAN) per subscriber is not used. DSL Forum TR-101 proposed a method by which the Digital Subscriber Line Access Multiplexer (DSLAM) sends a DSL Remote-ID and Circuit-ID during the PPPoE discovery phase. With this information, subscriber-specific decisions can be made later in the call setup phase. Before this feature was introduced, however, the implementation did not extend to the LNS in a VPDN environment. This feature allows the PPPoE tag information containing the DSL Forum attributes to be forwarded from the L2TP Access Concentrator (LAC) to the LNS.
The DSLAM port information contained within the PPPoE tags can then be used by the Authentication, Authorization, and Accounting (AAA) servers of the LNS, in addition to those of the LAC. This is especially useful in wholesale environments where the LAC and LNS may belong to different owners.
Key benefit of L2TP Forwarding of PPPoE Tags:
• Increased LNS security, because users can be authenticated based on DSLAM port information
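The tag the LNS ends up authenticating against, as an added example that is not part of the original bulletin or of any Cisco implementation: Python code that encodes and decodes the PPPoE discovery frame, the Vendor-Specific tag (0x0105) that TR-101 uses with the DSL Forum enterprise number 3561, and its Agent-Circuit-ID (0x01) and Agent-Remote-ID (0x02) sub-options, then plays the two roles that matter for trust. The access node strips any such tag the CPE itself sent and stamps the frame with the physical port it arrived on; the LAC, and with this feature the LNS, reads the identifiers out for AAA. The PADI, the line identifiers and the Host-Uniq value are constructed for the example. The point for an LNS operator is that the circuit-id is only as trustworthy as the DSLAM and LAC that produced and forwarded it: a CPE can put a Vendor-Specific tag in its own PADI, so if the access node forwards instead of replacing it, "authentication by port" authenticates whatever the subscriber typed.

```python
import struct

PPPOE_VER_TYPE = 0x11     # version 1, type 1
CODE_PADI = 0x09
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_HOST_UNIQ = 0x0103
TAG_VENDOR_SPECIFIC = 0x0105
BBF_VENDOR_ID = 3561      # DSL Forum (now Broadband Forum) enterprise number used by TR-101
SUBOPT_CIRCUIT_ID = 0x01  # TR-101 Agent-Circuit-ID
SUBOPT_REMOTE_ID = 0x02   # TR-101 Agent-Remote-ID


def parse_tags(payload):
    """PPPoE tags: type(2) | length(2) | value, terminated by End-Of-List or the payload end."""
    tags, pos = [], 0
    while pos + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if pos + tlen > len(payload):
            raise ValueError("tag 0x%04x overruns payload" % ttype)
        value = payload[pos:pos + tlen]
        pos += tlen
        if ttype == TAG_END_OF_LIST:
            break
        tags.append((ttype, value))
    return tags


def encode_tags(tags):
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def build_discovery(code, tags, session_id=0):
    body = encode_tags(tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(body)) + body


def parse_discovery(frame):
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, 0)
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("not a PPPoE version 1, type 1 frame")
    payload = frame[6:6 + length]
    if len(payload) != length:
        raise ValueError("payload truncated")
    return code, session_id, parse_tags(payload)


def is_bbf_tag(ttype, value):
    return (ttype == TAG_VENDOR_SPECIFIC and len(value) >= 4
            and struct.unpack("!I", value[:4])[0] == BBF_VENDOR_ID)


def line_id_tag(circuit_id, remote_id=None):
    """Vendor-Specific tag: 4-byte vendor ID, then TR-101 sub-options as type(1) | len(1) | value.
    bytes([len(...)]) raises by itself if an identifier does not fit the 1-byte length."""
    data = struct.pack("!I", BBF_VENDOR_ID) + bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        data += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return (TAG_VENDOR_SPECIFIC, data)


def access_node_insert(frame, circuit_id, remote_id=None):
    """Subscriber-facing DSLAM port: drop any DSL Forum tag the CPE sent, since the
    subscriber is untrusted, and stamp the frame with the port it really arrived on."""
    code, sid, tags = parse_discovery(frame)
    kept = [(t, v) for t, v in tags if not is_bbf_tag(t, v)]
    kept.append(line_id_tag(circuit_id, remote_id))
    return build_discovery(code, kept, sid)


def extract_line_id(frame):
    """LAC side (and, with this feature, the LNS): pull the line identifiers out for AAA."""
    _, _, tags = parse_discovery(frame)
    ids = {}
    for t, v in tags:
        if not is_bbf_tag(t, v):
            continue
        pos = 4
        while pos + 2 <= len(v):
            sub, slen = v[pos], v[pos + 1]
            pos += 2
            if pos + slen > len(v):
                raise ValueError("malformed TR-101 sub-option")
            text = v[pos:pos + slen].decode("ascii", "replace")
            pos += slen
            if sub == SUBOPT_CIRCUIT_ID:
                ids["circuit_id"] = text
            elif sub == SUBOPT_REMOTE_ID:
                ids["remote_id"] = text
    return ids


# Constructed PADI from a CPE that claims to sit on another subscriber's line.
SPOOFED_PADI = build_discovery(CODE_PADI, [
    (TAG_SERVICE_NAME, b""),
    (TAG_HOST_UNIQ, b"\x00\x00\x00\x2a"),
    line_id_tag(b"dslam1 atm 1/1:0.35"),
])


def demo():
    """What the LNS would see without the access node rewriting, and with it."""
    stamped = access_node_insert(SPOOFED_PADI, b"dslam1 atm 3/7:0.35", b"subscriber-4711")
    return extract_line_id(SPOOFED_PADI), extract_line_id(stamped)


if __name__ == "__main__":
    print(demo())
```

The circuit-id strings follow the TR-101 "Access-Node-Identifier atm slot/port:vpi.vci" convention. Nothing in the L2TP forwarding path re-validates these values, so the LNS-side AAA policy should treat them as an assertion by the wholesale partner's DSLAM, not as proof of anything the subscriber did.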
Figure 17
Forwarding the DSLAM Circuit-id over L2TP
Hardware
Product Management Contact: Ben Strickland (bstrickl@cisco.com)
2.6) Management, Instrumentation, and User Interface
2.6.1) Cisco IOS Auto-Upgrade Manager
Cisco IOS Auto-Upgrade Manager simplifies the Cisco IOS Software upgrade process by providing a simple interface to specify, download, and upgrade (or downgrade) to a new Cisco IOS Software image. Cisco IOS Auto-Upgrade Manager includes CLI-based management of automatic software downloads and upgrades, including:
• Locating and downloading the new Cisco IOS Software image
• Checking memory requirements
• Managing secondary storage
• Validating the image
• Scheduling a Warm-Upgrade
• Providing roll-back support on failure
New software images can be downloaded automatically from Cisco over SSL with a valid Cisco.com login, or from any Trivial File Transfer Protocol (TFTP) or File Transfer Protocol (FTP) server in the user's network or elsewhere that holds the desired image. TFTP and FTP provide no transport integrity, so the image validation step matters most for images fetched that way: compare the downloaded image's hash against the value published with the image before the upgrade is scheduled. The upgrade is scheduled either immediately or at a convenient future time, using a "Warm-Upgrade" to minimize downtime.
Automatic notifications include a status email sent on completion of a successful warm upgrade or on failure and roll-back, and error messages for any incompatible CLI statements. Should the upgrade fail for any reason, error messages are generated and sent to the console and syslog buffers.
Cisco IOS Auto-Upgrade Manager can be invoked with either an interactive dialog that will walk a novice user through the upgrade process and options, or a single line CLI User Interface for more experienced users.
Figure 18
Cisco IOS Auto-Upgrade Manager Simplifies Cisco IOS Software Upgrades
Benefits
• Makes upgrading Cisco IOS Software easier for less experienced staff and easier to walk through with telephone support
• Reduced time to upgrade Cisco IOS Software
• Lower Total Cost of Ownership (TCO) of Cisco routers with a single provisioning method for access and work group products
Hardware
Product Management Contact: Tom Cramer (tcramer@cisco.com)
2.6.2) Cisco IOS Embedded Resource Manager
The Embedded Resource Manager (ERM) feature provides a method to monitor internal system resource utilization. Finite resources such as buffer, memory, and processor utilization are monitored.
ERM works by monitoring resource utilization from the perspective of resource owners and resource users. These owners and users are various subsystems within Cisco IOS Software. Network administrators can define thresholds to create notifications according to real-time resource consumption.
The ERM infrastructure is designed to be extensible and to allow for very granular monitoring on an IOS task basis. It goes beyond simply monitoring for total CPU utilization for example. Through the use of ERM, network administrators and operators can gain a better understanding of the device's operational characteristics leading to better insight into system scalability and improved system availability.
Features and Benefits
The Embedded Resource Manager (ERM) infrastructure tracks resource utilization, depletion and resource dependencies across processes and within a system. ERM represents a framework for monitoring any finite resource within the software. Support for monitoring CPU, buffer, and memory utilization at the global or task level is available today. The ERM framework is extensible and will be further enhanced to provide more function in future software releases.
The ERM framework provides a mechanism to send notifications whenever the specified threshold values are violated by any Resource User (RU). This notification helps in diagnosing any CPU, buffer, and memory utilization issues.
The Embedded Resource Manager feature allows you to:
• Monitor system resource usage to better understand scalability
• Set resource thresholds at a granular level
• Generate alerts when resource utilization reaches specified levels
• Generate internal events using the Cisco IOS Embedded Event Manager feature and take local automated action
• Gain a better understanding of how network changes might impact system operation
Resource Accounting and Thresholds
ERM tracks the resource usage and allocation for each Resource User (RU) internally. A RU is a subsystem or process task within the Cisco IOS Software. As an example, the OSPF hello process is a resource user. Threshold limits are used to notify network operations of specific conditions. The ERM infrastructure provides a means to notify the internal RU subsystem of threshold indications as well. The resource accounting is performed by individual Resource Owners (ROs). ROs are part of the Cisco IOS Software responsible for certain resources such as the memory manager. When the utilization for each of the RUs crosses the threshold value you have set, the ROs send internal notifications to the RUs and to network administrators in the form of Syslog messages or SNMP alerts.
You can set rising and falling values for critical, major, and minor levels of thresholds. When the resource utilization crosses the rising threshold level, an Up notification is sent. When the resource utilization falls below the falling threshold level, a Down notification is sent.
ERM provides for three types of thresholds to be defined:
• System Global Threshold: used when the entire resource reaches a specified value; the notification is sent to all RUs
• User Local Threshold: used when a specified RU's own utilization exceeds the configured limit
• User Global Threshold: used when the entire resource reaches a configured value; the notification is sent only to the specified RU
Table 3 ERM Features and Benefits
System Monitoring and Management
• Flexible facility for monitoring finite resources: ERM provides a common facility for monitoring various finite resources within the system. CPU, buffer, and memory resources are monitored.
• Embedded within Cisco IOS Software: ERM is part of the Cisco IOS Software infrastructure.
• Granular, per-subsystem statistics: ERM accounts for resource utilization at the system level as well as at the per-subsystem task level.
• User-defined thresholds: network administrators can set the thresholds for specific conditions.
• Multiple threshold levels: you can set rising and falling threshold values for minor, major, and critical levels of resource utilization for the buffer, CPU, and memory ROs.
Extended Statistics and Information
• Loadometer process: the loadometer process generates an extended load monitor report every 5 seconds. The loadometer function, which calculates per-process CPU usage percentages, is enhanced to generate these reports.
• Snapshot management using event trace: snapshot management manages the buffer where snapshots of reports are stored. The snapshot management infrastructure stores, displays, and releases the snapshots.
• Automatic CPUHOG profiling: troubleshooting data is collected automatically by the system to aid in problem resolution. The timer ISR starts profiling a process when it notices that the process has run for longer than the configured value, or by default longer than 2x the maximum scheduling quantum.
• Improved memory statistics: ERM enhances the memory manager in Cisco IOS Software to include memory usage history and memory accounting.
• Improved buffer management: ERM addresses the most frequently encountered problems with the Buffer Manager: buffer manager tuning, buffer leak detection, buffer accounting, and buffer usage thresholds.
Cisco IOS Feature Integration
• EEM integration: ERM is integrated with Cisco IOS Embedded Event Manager (EEM). ERM threshold violations are detected by the ERM Event Detector and can be used to trigger automated actions.
Additional Management Interfaces
• Embedded Resource Manager MIB: ERM SNMP support is added beginning with Cisco IOS Software Release 12.4(15)T and 12.2(33)SRB. The ERM MIB will be available on Cisco.com; visit http://www.cisco.com/public/sw-center/sw-netmgmt.shtml
Product Architecture
ERM is a feature within the Cisco IOS Software infrastructure. The ERM framework and architecture defines components in terms of Resource Owners (ROs) and Resource Users (RUs). An ERM Resource Manager (RM) component is also part of the infrastructure. ROs account for utilization by the resource users. The RM provides control and notification functions.
Figure 19
Cisco IOS Embedded Resource Manager Architecture
Hardware
System Requirements
The ERM software subsystem does not consume any significant amount of resources.
Additional Information:
For more information about the Cisco IOS Embedded Resource Manager, visit http://www.cisco.com/public/support/tac/documentation.html and browse the appropriate Cisco IOS Software documentation.
Product Management Contact: Rick Williams (rwill@cisco.com)
2.6.3) Tool Command Language (TCL) Signing
Tool Command Language (TCL) was first introduced in Cisco IOS Software in 1994. Many components of Cisco IOS Software, such as EEM, ESM, and IVR, use TCL scripts. Signing of TCL scripts lets customers execute only authenticated and approved scripts on Cisco devices, and gives them a mechanism to verify the source of a TCL script.
TCL is an interpreted language; scripts written in TCL do not have to be compiled before execution and can be created and modified dynamically. TCL provides a fundamental command set that can be expanded by adding "extensions" to the language to perform specific operations. As a result, TCL is highly portable and extensible, and it is used for rapid prototyping, scripted applications, and testing. That same flexibility is why a script of unknown origin running with full access on a router is a risk: signing ties the decision to run a script with full access to a verifiable signature rather than to where the file happened to come from.
Cisco is introducing a web-based "Signing Tool" application for signing TCL scripts so that the router can verify their authenticity before execution.
Key advantages of using the TCL Signing Tool include:
• Ability to configure safe and secure modes for execution
• Enhanced security (safe and whole modes) within secure mode
• Support for several script formats: clear text, PKCS#7 signed, and PKCS#7 signed with the signature appended to the script
• API to verify the signatures when customers customize the scripts
• Only trusted scripts are executed in whole mode; all other scripts are executed in safe mode
• Private keys stored in a secure Hardware Security Module
Figure 20
Verification of Signed TCL Scripts Process
Hardware
Additional Information: http://forums.cisco.com/eforum/servlet/EEM?page=main
Product Management Contact: Madhu Vulpala (mulpala@cisco.com)
2.7) Mobility and Wireless
2.7.1) Mobile Ad Hoc Networking (MANET) Networking Enhancements for Router Radio Links
Cisco Mobile Ad Hoc Networking (MANET) enhancements address several of the issues faced when merging IP routing and mobile radio communications in ad hoc networking applications. In a MANET, highly mobile "nodes" communicate with each other across bandwidth-constrained radio links. An individual node includes both a radio and a network router, with the two devices interconnected via Ethernet. Key challenges in a MANET environment include:
• Convergence: since nodes can rapidly join or leave the network, MANET routing topologies are highly dynamic. Fast convergence in a MANET becomes a challenge because a node's state can change well before the event is detected by the routing protocol's normal timing mechanisms.
• Route Selection: radio link quality in a MANET can vary dramatically due to factors such as noise, fading, interference, and power fluctuation. As a result, routers need the ability to factor these fluctuations into "best path" selection.
• Buffering: radios have limited buffering capabilities and can easily be overloaded with IP traffic.
• Directional radios that operate on a narrow beam tend to model the network as a series of physical point-to-point connections with neighbor nodes. This point-to-point model does not translate gracefully to multi-hop, multipoint router environments, as it increases the size of each router's topology database and reduces routing efficiency when mobile nodes join and leave the network, based on neighbor up/down signaling from the radio.
This feature enables a Cisco router to use Layer 2 feedback from its partner radio to optimize Layer 3 processing. Intra-nodal communications between router and radio are supported by means of PPP-over-Ethernet (PPPoE) sessions (see Figure 21). A PPPoE session is established between router and its partner radio on behalf of every other router/radio neighbor located in the MANET. Once the PPPoE sessions are established, a PPP session is established end to end. These Layer 2 sessions are the means by which radio network status gets reported to the router's Layer 3 processes. The Cisco IOS MANET enhancements provide several new capabilities for optimizi